VPN RFP Lab Eval: Final Thoughts —continued

by Lisa Phifer
VP Core Competence, Inc.
[January 4, 2002]

Installation and Provisioning
Many ISPs resell equipment to customers in return for a small piece of the pie. Offering managed security services has far greater potential to generate recurring revenue and differentiate an ISP's offerings. According to the Yankee Group, the managed security market will reach nearly $1.7 billion by 2005. But providers in this fast-changing market will tell you: cost-effective administration is essential if you hope to turn a profit. Let's start with the device-level interfaces to install and provision individual appliances:

Device-Level Admin:

| | NetScreen | RapidStream | SonicWALL |
|---|---|---|---|
| Command Line Interface | Serial Port, Telnet | Serial Port, Telnet | Serial Port Only (12/2001) |
| CLI Capabilities | Provisioning, Diagnostics | Provisioning, Diagnostics | Basic |
| Graphical User Interface | WebUI | RapidStream Manager | SonicWALL GUI |
| GUI/CLI Security | SSH, HTTPS, VPN, Set Management IPs, Read-Only Accounts | SSH, HTTPS, VPN, Set Management Ports, View/Clear-Only Accounts | VPN, Enable/Disable Remote, Single Account |
| Install Aids | QuickStart (NS5 only) | Device Discovery, Install Wizard | Install Wizard |

To reduce the cost of provisioning, IPRVnet could drop-ship any of these units to a customer. SonicWALL's Install Wizard excels at "hand holding" newbies. RapidStream's Install Wizard requires more network know-how, but has a great discovery tool to avoid PC renumbering. By comparison, NetScreen's QuickStart is rather limited.

ISPs offering managed security services usually take responsibility for configuring firewall and VPN policies. Many even configure initial or "bootstrap" policies before units are supplied to customers. After the appliance is activated, secure remote management interfaces are essential for provisioning, monitoring, and installing upgrades.

NetScreen and RapidStream are easy to manage securely, supporting Telnet/SSH and HTTP/SSL from the LAN or WAN. SonicWALL's GUI is less secure: it is always listening for cleartext HTTP on the LAN, protected by a single admin login.

These appliances can all be administered securely over a VPN tunnel. Of course, you'll need to configure that VPN tunnel first—and avoid breaking it with later updates. We found NetScreen's and SonicWALL's checkboxes to enable admin over VPN more fumble-proof than RapidStream's explicit policy method.

When all else fails, serial ports come in handy to undo the damage. Using a serial port to access SonicWALL's CLI, one can do little more than import a previously-saved config. NetScreen and RapidStream CLIs are more full-featured; either can be used to tweak the existing config and view diagnostic logs.

Device-Level Monitoring
No matter how sophisticated your back-office surveillance system, remote monitoring depends on device-level interfaces. These appliances support the usual suspects—and a few unique features:

Device-Level Monitoring:

| | NetScreen | RapidStream | SonicWALL |
|---|---|---|---|
| SNMP | MIB-II, VPN Monitoring MIB, Standard and Enterprise Traps | MIB-II, VPN Topo and Monitoring MIBs, Standard and Enterprise Traps, Custom Traps | MIB-II, Standard Traps |
| Remote Logging | SYSLOG Server, WebTrends, NetScreen-Global PRO | SYSLOG Server or RSM/CPM Query | SYSLOG Server or SGMS/ViewPoint |
| E-mail Notifications | Built-In Alerts, VPN and Traffic Alerts with or without Log | Built-In Alarms, Custom Alarms | Built-In Alerts, Logs |
| NTP Support | Yes | No | Yes |
| From Device GUI | Traffic Graphs, Counter Graphs, System Logs, Per-Policy Logs | Device Status, Device Alarms, VPN Logs, Traffic Logs, Real-Time Monitors, VPN Tunnel / User Status | Device Log, Web Use Report, Service Use Report, Node Use Report, VPN Tunnel Status |

Beware of hidden gotchas when forwarding logs. For example, appending cleartext logs to e-mail can be a security risk. NetScreen can forward logs to multiple destinations; the others send to just one SYSLOG server. With RapidStream, sending to a SYSLOG server prevents querying logs from the CLI or GUI. On the other hand, RSSA-2000 device logs persist after reboot—most appliance logs do not.

In comparison, SonicWALL SNMP traps and e-mail notifications are basic. NetScreen and RapidStream support more extensive VPN monitoring MIBs, traps, and alerts that signal changes in tunnel status and traffic level. At the device level, RapidStream offers more customizable alarms—for example, each alarm type can be sent to a different destination. RapidStream offers the most detailed VPN tunnel and user status. NetScreen has the edge when it comes to CLI-level debugging.
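Two of the limitations above (a single SYSLOG destination, and logs that do not survive a reboot) are commonly worked around with a small relay in front of the collectors. The following is an added example, not code from the article or from any of the reviewed vendors: it parses the RFC 3164 PRI header, keeps a durable copy of every datagram on disk, and fans each message out to several collectors, paging on severe events. Collector host names, ports and the sample datagrams in the docstrings are constructed.

```python
"""Syslog fan-out relay (added example). Point an appliance that can log to only one
SYSLOG server at this relay; it spools and re-sends. Hosts/ports below are assumed."""
import re
import socket

COLLECTORS = [("siem.example.net", 514), ("archive.example.net", 514)]  # assumed
PAGER = ("oncall.example.net", 1514)                                     # assumed
ALERT_MAX_SEVERITY = 3   # 0=emerg .. 3=err: anything this bad also goes to the pager
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def parse_pri(datagram: bytes):
    """Return (facility, severity, body) for an RFC 3164 datagram such as
    b"<34>Oct 11 22:14:15 fw1 vpn: tunnel down" -> (4, 2, b"Oct 11 ...").
    A missing or out-of-range PRI is treated as PRI 13 (facility user, severity
    notice), which is what RFC 3164 section 4.3.3 tells a relay to assume."""
    m = PRI_RE.match(datagram)
    if not m:
        return 1, 5, datagram
    pri = int(m.group(1))
    if pri > 191:                       # 23 facilities * 8 severities, zero-based
        return 1, 5, datagram
    return pri >> 3, pri & 7, datagram[m.end():]

def route(datagram: bytes):
    """Decide where one datagram is re-sent. Kept free of I/O so it can be tested
    without sockets: returns the list of (host, port) destinations."""
    _facility, severity, _body = parse_pri(datagram)
    dests = list(COLLECTORS)
    if severity <= ALERT_MAX_SEVERITY:
        dests.append(PAGER)
    return dests

def relay(listen=("0.0.0.0", 514), spool="appliance.log"):
    """Receive on UDP/514 (needs privileges on most systems), append every datagram
    to a local spool file so nothing is lost when the appliance reboots, then fan
    out according to route()."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    with open(spool, "ab", buffering=0) as f:
        while True:
            data, _src = sock.recvfrom(4096)
            f.write(data.rstrip(b"\n") + b"\n")
            for dest in route(data):
                out.sendto(data, dest)

if __name__ == "__main__":
    relay()
```

Because the relay re-sends over UDP, it inherits the same cleartext exposure the article warns about for e-mailed logs; keep it on the management LAN or inside the admin VPN tunnel.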
