Earlier this year, ISP-Planet launched a VPN
Appliance Review Series, evaluating IPsec hardware devices suitable
for ISP deployment to broadband-enabled businesses of 10 to 200 employees.
We gathered four responses that appeared, at least on paper, to satisfy
our RFP. Our next step: a lab evaluation. By digging into each vendor's
proposed solution, we hoped to compare and contrast these offerings.
Here, we publish part one of the first set of results, describing
our lab experience with SonicWALL PRO-VX, SOHO2, and TELE2 Internet appliances.
These devices, designed for use in small-to-midsize networks, can be centrally
provisioned through SGMS, SonicWALL's central policy manager.
Products As Tested:
SonicWALL PRO-VX, priced at $4995, includes 50 clients
SonicWALL SOHO2+VPN, priced at $990, includes 1 client
SonicWALL TELE2, priced at $595
SonicWALL VPN Client upgrades, priced at $40-$75/client
SonicWALL Global Management System, from $4995 for 25 devices
SonicWALL Authentication Service, price per certificate varies
The Platforms
The tested products represent SonicWALL's solution for RFP scenario #3:
a distributed business with 200 employees (100 at headquarters, 4 branch
offices, 50 mobile users). We evaluated the following configuration.
At our headquarters, we installed the SonicWALL PRO-VX ($4995). This
rack-mountable unit includes a 233 MHz StrongARM CPU, a VPN accelerator,
16 MB RAM, three 10/100 Ethernet ports, and a license for unlimited LAN
IPs, 1001 IPsec security associations (SAs), and 50 VPN clients. Those
needing less VPN capacity should consider the basic PRO ($2995), limited
to 101 SAs and a single VPN client.
At our branch office, we installed the SonicWALL SOHO2 ($495) with VPN
upgrade ($495). This 8" x 6.5" x 2" plastic box contains a 133 MHz Toshiba
3927 HT CPU, 8 MB RAM, two 10/100 Ethernet ports, and a license for 10 LAN
IPs, 11 IPsec SAs, and one VPN client.
Larger branch offices like those in our RFP should purchase the SOHO2
with 50 LAN IPs ($995).
At our teleworker site, we installed the SonicWALL TELE2 ($595, includes
VPN). Physically similar to the SOHO2, this appliance is limited to 5 LAN
IPs, 6 IPsec SAs, and no VPN clients.
According to SonicWALL, the PRO-VX can firewall 80 Mbps (cleartext) or
45 Mbps (3DES encrypted). The SOHO2 and TELE2 each handle 70 Mbps (cleartext)
or 2.5 Mbps (3DES encrypted). Vendor specs are usually measured under optimal
conditions, while real-world performance is affected by many factors, so we
recommend using specs only for rough sizing. If we're pushing 1.5 Mbps SDSL
to branch offices, we'd consider the SOHO2. If we're selling ADSL at 6 Mbps
downstream, we'd consider a faster gateway like the PRO. Bear in mind that
encrypted throughput usually drops with smaller packets: ESP headers, padding
and the crypto engine's fixed per-packet cost make up a larger share of each
small packet, so a rating quoted at large packet sizes overstates what a
small-packet workload (interactive sessions, web requests) will see.
Performance should always be verified in the target network, using actual
customer workloads.
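To put a number on that small-packet penalty, here is an added example (not from the review and not SonicWALL's code) that computes the on-wire size of one IPsec ESP tunnel-mode packet for the 3DES cipher the throughput figures refer to. Field sizes come from RFC 2406 (ESP), RFC 2451 (3DES-CBC) and RFC 2404 (HMAC-SHA1-96). The integrity algorithm, an IPv4 outer header, and the omission of Ethernet framing are assumptions; the review names only 3DES.

```python
"""Added example (not from the review or from SonicWALL): bytes on the wire
for one IPsec ESP tunnel-mode packet with 3DES-CBC and HMAC-SHA1-96.

Field sizes follow RFC 2406 (ESP), RFC 2451 (3DES-CBC: 8-byte block and IV)
and RFC 2404 (HMAC-SHA1-96: 12-byte ICV). Assumptions: IPv4 outer header,
HMAC-SHA1-96 as the integrity algorithm (the review only names 3DES), and
Ethernet framing ignored.
"""

OUTER_IPV4 = 20    # outer IP header added by tunnel mode
ESP_HEADER = 8     # SPI (4) + sequence number (4)
IV_3DES = 8        # one cipher block of IV
ESP_TRAILER = 2    # pad length (1) + next header (1)
ICV_SHA1_96 = 12   # truncated HMAC-SHA1 authenticator
BLOCK = 8          # 3DES block size; ciphertext is padded to a multiple


def esp_wire_size(inner_ip_len: int) -> int:
    """Size of the outer IPv4 packet that carries an inner IP packet of
    inner_ip_len bytes (inner header included)."""
    # inner packet + trailer is padded up to the next multiple of BLOCK
    padded = ((inner_ip_len + ESP_TRAILER + BLOCK - 1) // BLOCK) * BLOCK
    return OUTER_IPV4 + ESP_HEADER + IV_3DES + padded + ICV_SHA1_96


def efficiency(inner_ip_len: int) -> float:
    """Fraction of the bytes sent on the WAN that are the customer's packet."""
    return inner_ip_len / esp_wire_size(inner_ip_len)


def max_inner_without_fragmentation(outer_mtu: int = 1500) -> int:
    """Largest inner IP packet whose encapsulation still fits the WAN MTU;
    anything bigger is fragmented (or dropped, if DF is set) by the gateway."""
    n = outer_mtu
    while esp_wire_size(n) > outer_mtu:
        n -= 1
    return n


if __name__ == "__main__":
    # Constructed sample sizes: TCP ACK (40), small query (128),
    # classic default MTU (576), and a full Ethernet MTU (1500).
    print(f"{'inner':>6} {'wire':>6} {'payload share':>14}")
    for size in (40, 128, 576, 1500):
        print(f"{size:>6} {esp_wire_size(size):>6} {efficiency(size):>14.1%}")
    print("largest inner packet that avoids fragmentation at MTU 1500:",
          max_inner_without_fragmentation())
```

A 40-byte TCP ACK becomes 96 bytes on the wire (under 42% payload), while a 1500-byte packet becomes 1552 bytes (about 97% payload) and no longer fits a 1500-byte WAN MTU, so the gateway must fragment it; with these parameters the largest inner packet that avoids fragmentation is 1446 bytes, which is why clamping the LAN-side MTU or TCP MSS is a routine part of a site-to-site deployment. Header arithmetic is only the floor on the loss: the accelerator's per-packet setup time, which this code does not model, is what usually sets the packets-per-second ceiling on small boxes like the SOHO2.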
Building The Network
We started by connecting all "WAN" interfaces to a shared hub with Internet
access, assigning each a static public IP. "LAN" interfaces were connected
to non-overlapping private subnets, hidden behind NAT. Installation of
color-coded cables is clearly illustrated in a 12-page QuickStart Guide.
To complete our network, we placed a web server on the HQ unit's DMZ.
We tapped an Interlink AAA Engine on the HQ LAN for RADIUS authentication.
Digital certificates were issued by SonicWALL's Certificate Authentication
Service, operated by VeriSign. We had planned to use a private CA, but
discovered we could not. SonicWALL's CA Service adds $145 (TELE2), $295
(SOHO2), $995 (PRO), and $1195 (VPN client 50-pack) to RFP scenario #3's
bottom line.
On our "traveler" laptop, we installed the SonicWALL VPN Client v5.1.3
(an OEM of SafeNet's Win32 client). 51 client licenses were included with
tested products, but client upgrades can be purchased for all three appliances.
VPN clients were tested over Ethernet and v.90 dial, using preshared secrets
and certificates, with and without extended RADIUS authentication.
On our "manager" station, we ran SonicWALL's Global Management System
(SGMS v1.2), priced at $4995 for 25 devices, upgradable to 1000 devices.
We first installed SGMS on an NT4 SP5 PC on our public LAN, then moved
it to a Win2000 platform inside our HQ LAN. SGMS requires 128 MB RAM and
85 MB (WinNT/2000) or 115 MB (Solaris 8) disk, plus log storage. SGMS
overwhelmed our P233 and was sluggish on our dual P500. We recommend
running it on a faster PC, and choosing that PC from the start, because
re-installing SGMS requires a license reset.
Getting Started
Device installation starts by connecting a host to the unit's LAN port
and opening a browser to a pre-configured address. After entering a default
login/password, the Installation Wizard is launched.
Installations that use SGMS enter only addresses to "bootstrap" a VPN
tunnel to the central manager. For standalone installations, the Wizard
requires additional parameters. It does a reasonably good job of explaining
options like NAT, PPPoE, and DHCP. Admins will complete the wizard in
minutes; novices may proceed more cautiously but won't be overwhelmed.
A URL for device administration is displayed at the end of the dialog.
Wizard-generated defaults are then refined using the Java-based GUI.
Surprisingly, this GUI uses cleartext HTTP, so management traffic can be
read or altered by anyone on the LAN path; the port number (80) cannot be
changed or blocked on the LAN side. A VPN Client can (and should!) be used
to secure GUI access on the WAN side.
SonicWALLs cannot be managed by SSH or Telnet. While this hardens against
attack, it also prevents remote admin when the network goes awry. On the
PRO-VX, a serial port makes basic console admin (restart, import/export,
ping) accessible by modem. We'd like to see a CLI on the SOHO2/TELE2 and
the ability to set addresses through it.
On first login, the GUI suggests registering at SonicWALL's website. A
device code, returned by email, must be entered into the GUI to complete
registration. The GUI also advises whenever new firmware is available. We
downloaded v6.0.1.1, then uploaded it to our SonicWALLs. One should always
export settings and the administrator's certificate before loading firmware,
because an aborted upload corrupts the older firmware and data. This happened
to us more than once. Fortunately, reloading good firmware and exported
settings is not difficult: press the reset button, browse to the default IP,
and follow the instructions.
An ISP delivering managed services can offer onsite installation or drop-ship
these units. The Wizard is simple enough for customer use, but firewall/VPN
configuration requires security know-how. The GUI and SGMS enable central
configuration, but only after network setup goes well. Given this, we'd
opt to pre-configure network, firewall, and VPN settings, shipping "ready
to use" units to customers. Once connected, the GUI's Status page provides
insight into network topology, identifying active ports, adjacent routers,
etc.