Managing Large Networks
In large networks, distributed management systems are required to support scalable
policy administration and log aggregation from a NOC:
Central Managers

  NetScreen
    Current Product: NetScreen-Global PRO 3.0
    Versions and # of Nodes: Express (25 to 100 nodes); Standard (100 to thousands)
    List Prices: From $5995 (25 nodes) to $49,995 (1000 nodes), then $11,995 per 1000

  RapidStream
    Current Product: Central Policy Management System 3.0
    Versions and # of Nodes: Standard (10 to 1000 nodes)
    List Prices: From $4995 (10 nodes) to $24,995 (1000 nodes)

  SonicWALL
    Current Product: SonicWALL Global Management System 2.1
    Versions and # of Nodes: Entry Edition (2 to 20 nodes) or Standard (25 to thousands)
    List Prices: From $4995 (25 nodes)
Unfortunately, we could not evaluate the high-volume NetScreen and SonicWALL
systems. Instead, we trialed smaller demo versions: NetScreen-Global Manager
and SGMS 1.2. Although our test network was too small to fully exercise these
complex systems, we can offer a few observations:
Using SonicWALL's GMS, it was easy to push immediate or scheduled changes,
made at a global or group level, to many appliances. An "A-to-B" configurator
made point-to-point VPN tunnel creation simple. Nonetheless, we found ourselves
using the device-level GUI cut-through for many tasks. Recently-integrated
ViewPoint offers extensive log-based reports, but SGMS really focuses on provisioning
rather than fault monitoring.
Using RapidStream's CPM Policy Manager, we defined firewall/VPN/traffic
policies for the entire network, letting CPM derive objects and rules to implement
each device-level policy. Full-mesh and hub-and-spoke VPNs were easy to configure
and reusable objects helped promote consistency. However, derived policies
would be better if they could be fully viewed before deployment. CPM keep-alives
and alarm windows provide network-level surveillance, but CPM lacks persistent
storage for alarms and logs.
Because NetScreen-Global PRO 3.0 is substantially different from the tested
NetScreen-Global Manager, we have no first-hand observations to share. According
to specs, PRO can push centrally-configured policies to many NetScreen appliances,
using role-based privileges to control what each operator can see or do. PRO
can also be integrated with Micromuse Netcool for fault management and root
cause analysis.
Like SGMS and PRO, RapidStream CPM is a client/server system. But the CPM
Server runs on Windows, managing up to 1000 nodes. NetScreen-Global PRO 3.0
and SGMS 2.1 scale to "thousands" of appliances, running on Solaris and Oracle
database servers. PRO Express and SGMS Entry products use smaller platforms,
but top out at just 100 and 25 nodes, respectively. For carriers, the choice
is clear. For smaller regional ISPs, investment in big-league infrastructure
can be harder to justify. Our advice: don't wait until you have 100 appliances
in the field to consider the cost and power of these distributed management
systems.
Network and Firewall Features
These appliances are all ICSA-certified stateful packet inspection firewalls.
Here is a thumbnail comparison of the network and firewall features we found:
Common to all three: Import Config, Network & Service Rules, Named Services,
Built-In Services

  NetScreen
    Server Load Balancing: NetScreen-100 only
    Traffic Shaping: Bandwidth per IF; Per Policy: Priority, ToS Bits, Guaranteed, Max Bandwidth
    VLAN Tags: No
    Anti-Hacking Features: Enable Ports, Ping per IF; Detect scans, address sweeps,
      Ping of Death, WinNuke, Land, and Tear Drop attacks, as well as ICMP, UDP, and
      TCP SYN floods, malicious URLs
    Routing Protocols: None
    Other LAN Services: URL Filtering Plug-In, DHCP Server, DHCP Relay, DNS Cache

  RapidStream
    Server Load Balancing: Yes
    Traffic Shaping: Bandwidth per IF; Per Policy: Priority, ToS Bits
    VLAN Tags: Yes
    Anti-Hacking Features: Enable Ports, Ping per IF; Detect Ping of Death and IP
      Source Route attacks, as well as ICMP, UDP, and TCP SYN packet floods;
      threshold connect requests to one server or from one client
    Routing Protocols: Listen to RIP, OSPF
    Other LAN Services: None

  SonicWALL
    Server Load Balancing: No
    Traffic Shaping: No
    VLAN Tags: No
    Anti-Hacking Features: Stealth Mode on WAN IF; Detect scans, Ping of Death,
      Land, IP Spoof attacks, TCP SYN floods
    Routing Protocols: None
    Other LAN Services: URL Filtering, AV Plug-Ins, DHCP Server, Forward to Web
      Cache, NetBIOS PassThru
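The "anti-hacking" checks in the table are simple packet heuristics, and it helps to see what each one actually keys on. The following is an added illustration written for this review, not code from any of the three vendors: it runs Land, Ping of Death, port-scan, address-sweep and SYN-flood detection over a constructed batch of packet records. The thresholds, the packet-dict field names and the sample addresses are all assumptions; a real appliance applies these per time window rather than per batch.

```python
from collections import defaultdict

# Thresholds are assumptions for this illustration, not any vendor's defaults.
SCAN_PORTS = 10        # distinct destination ports on one host from one source
SWEEP_HOSTS = 10       # distinct destination hosts probed by one source
SYN_FLOOD = 100        # SYN-only segments aimed at one server in the sample
MAX_DATAGRAM = 65535   # largest legal reassembled IPv4 datagram, in bytes


def classify(packets):
    """Run the heuristics over packet dicts and return
    {alert_name: sorted list of offending addresses}."""
    alerts = defaultdict(set)
    ports_per_pair = defaultdict(set)   # (src, dst) -> destination ports seen
    hosts_per_src = defaultdict(set)    # src -> destination hosts seen
    syns_per_dst = defaultdict(int)     # dst -> SYN-only segments received
    datagram_end = defaultdict(int)     # (src, dst, ip_id) -> highest byte offset

    for p in packets:
        src, dst = p["src"], p["dst"]
        if src == dst:                  # Land: source forged equal to destination
            alerts["land"].add(src)
        hosts_per_src[src].add(dst)
        if p["proto"] == "icmp":
            # Ping of Death: fragments that would reassemble past 65,535 bytes
            key = (src, dst, p["ip_id"])
            datagram_end[key] = max(datagram_end[key], p["frag_offset"] + p["length"])
            if datagram_end[key] > MAX_DATAGRAM:
                alerts["ping_of_death"].add(src)
        elif p["proto"] in ("tcp", "udp"):
            ports_per_pair[(src, dst)].add(p["dport"])
            if p["proto"] == "tcp" and p.get("flags") == "S":
                syns_per_dst[dst] += 1

    for (src, _dst), ports in ports_per_pair.items():
        if len(ports) >= SCAN_PORTS:
            alerts["port_scan"].add(src)
    for src, hosts in hosts_per_src.items():
        if len(hosts) >= SWEEP_HOSTS:
            alerts["address_sweep"].add(src)
    for dst, count in syns_per_dst.items():
        if count >= SYN_FLOOD:
            alerts["syn_flood"].add(dst)   # keyed by the server being flooded
    return {name: sorted(addrs) for name, addrs in alerts.items()}


def sample_traffic():
    """Constructed packets (not a capture) that trip each heuristic once."""
    def tcp_syn(src, dst, dport):
        return {"src": src, "dst": dst, "proto": "tcp", "dport": dport, "flags": "S"}

    def icmp(src, dst, ip_id=1, frag_offset=0, length=64):
        return {"src": src, "dst": dst, "proto": "icmp", "ip_id": ip_id,
                "frag_offset": frag_offset, "length": length}

    packets = [tcp_syn("10.0.0.5", "10.0.0.5", 139)]                         # Land
    packets += [icmp("203.0.113.9", "10.0.0.5", 0x1234, 0, 1480),             # Ping of Death:
                icmp("203.0.113.9", "10.0.0.5", 0x1234, 65120, 1000)]         # ends at byte 66,120
    packets += [tcp_syn("198.51.100.7", "10.0.0.20", port) for port in range(20, 32)]  # 12-port scan
    packets += [icmp("198.51.100.8", f"10.0.0.{h}") for h in range(30, 42)]            # 12-host sweep
    packets += [tcp_syn(f"192.0.2.{i + 1}", "10.0.0.80", 80) for i in range(150)]      # spoofed SYN flood
    return packets


if __name__ == "__main__":
    for name, addrs in classify(sample_traffic()).items():
        print(f"{name}: {', '.join(addrs)}")
```

Note that the SYN-flood alert is keyed by the victim, not the (spoofed) sources, which is why per-server connection thresholds of the kind RapidStream offers are the more useful control against it.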
At the low end of IPRVnet's market, firewalls must be dropped into LANs with
minimal fuss. To facilitate this, these appliances include DHCP- or PPPoE-assigned
WAN IPs and outgoing NAT/PAT. Other features that are attractive for small accounts:
transparent bridging mode (NetScreen), serving DHCP to LAN hosts (SonicWALL,
NetScreen), plug-in services like URL filtering, and VPN pass-through (RapidStream,
SonicWALL).
Slightly larger SMB accounts will look for features like DMZ servers and inbound
address translation (virtual IPs and/or 1-to-1 NAT). Server load balancing is
available only on the NetScreen-100, but RapidStream includes load balancing and
VLAN tagging with all its appliances. Only RapidStream lets NAT be applied to
DMZ policies. Only NetScreen supports policy-based NAT, a complex but valuable
solution that enables tunneling between overlapping private subnets.
As Internet or site-to-site VPN use grows, SMBs often encounter stiff competition
for WAN bandwidth. Traffic management can help customers understand and control
their WAN use. NetScreen and RapidStream appliances can assign bandwidth to
an interface and prioritize individual policies. NetScreen goes further by guaranteeing
and capping bandwidth per policy, graphing results. These integrated RapidStream
and NetScreen features cannot be separately activated or licensed. But they
can help an ISP land or keep an account that's having trouble managing network
utilization.
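To make the difference between a per-policy guarantee and a per-policy cap concrete, here is an added worked model of the shaping behaviour described above. It is written for this review and is not NetScreen or RapidStream code; the allocation order (reserve guarantees first, then hand out leftover interface bandwidth in strict priority order up to each policy's cap) is a reasonable reading of the feature list, not a description of either vendor's scheduler. The policy names, the T1-sized interface and the demand figures are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ShapingPolicy:
    name: str
    priority: int                    # 1 = highest; served first from leftover bandwidth
    guaranteed: int                  # kbps reserved whenever the policy has demand
    maximum: Optional[int] = None    # kbps ceiling; None = up to the interface limit


# Constructed example rulebase for a T1-sized WAN interface (assumption).
INTERFACE_KBPS = 1536
POLICIES = [
    ShapingPolicy("vpn", priority=1, guaranteed=512),               # site-to-site VPN
    ShapingPolicy("web", priority=2, guaranteed=256, maximum=768),  # browsing
    ShapingPolicy("bulk", priority=3, guaranteed=0, maximum=512),   # FTP, updates
]


def allocate(interface_kbps, policies, demand):
    """Return {policy name: kbps granted} for one scheduling interval.

    demand maps policy name -> kbps the policy's traffic wants right now.
    Guarantees are honoured first; leftover bandwidth goes to policies in
    priority order, never past a policy's demand or its maximum."""
    if sum(p.guaranteed for p in policies) > interface_kbps:
        raise ValueError("guarantees oversubscribe the interface")
    alloc = {p.name: min(demand.get(p.name, 0), p.guaranteed) for p in policies}
    remaining = interface_kbps - sum(alloc.values())
    for p in sorted(policies, key=lambda pol: pol.priority):
        wanted = demand.get(p.name, 0)
        ceiling = wanted if p.maximum is None else min(wanted, p.maximum)
        extra = min(max(ceiling - alloc[p.name], 0), remaining)
        alloc[p.name] += extra
        remaining -= extra
    return alloc


if __name__ == "__main__":
    # Congested: VPN takes nearly everything, but web still gets its 256 kbps floor.
    print(allocate(INTERFACE_KBPS, POLICIES, {"vpn": 1200, "web": 1000, "bulk": 800}))
    # Quiet VPN: web is capped at 768 kbps even though bandwidth is left for bulk.
    print(allocate(INTERFACE_KBPS, POLICIES, {"vpn": 400, "web": 1000, "bulk": 800}))
```

The first scenario shows why a guarantee matters to a customer: without the 256 kbps floor, web traffic would have been starved by the higher-priority VPN. The second shows the cap doing its job, holding browsing at 768 kbps so that the lower-priority bulk transfer still gets the remainder.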
Policies that permit, deny, block, or authenticate sessions are the cornerstone
of every stateful inspection firewall. Each vendor has a different policy GUI,
making direct comparison difficult. Personal preference and level of expertise
determine which is easiest to use, so there is little point naming our favorite.
Instead, we've listed the policy definition aids that made our life easier during
this eval. For example, RapidStream's built-in address objects ensured that
affected policies were updated whenever an interface was renumbered. NetScreen's
policies are uni-directional, but a matching reverse policy can be created or
updated automatically. SonicWALL's service policies simply have fewer parameters.
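The two aids singled out above, address objects held by reference and automatically generated reverse policies, are easy to misunderstand from a GUI screenshot, so here is an added model of both written for this review. It is not RapidStream or NetScreen code and does not reproduce either product's policy syntax; the zone names, networks, service strings and first-match-then-implicit-deny semantics are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class AddressObject:
    """A named address. Policies hold the object itself, not a copy of its CIDR,
    so renumbering the object renumbers every policy that references it."""
    name: str
    zone: str
    cidr: str

    def contains(self, ip):
        return ip_address(ip) in ip_network(self.cidr, strict=True)


@dataclass
class Policy:
    name: str
    src: AddressObject
    dst: AddressObject
    service: str            # e.g. "tcp/445"; "any" matches every service
    action: str = "permit"

    def matches(self, src_ip, dst_ip, service):
        return (self.src.contains(src_ip) and self.dst.contains(dst_ip)
                and self.service in ("any", service))

    def reverse(self):
        """Uni-directional policies only cover sessions opened from src to
        dst; this derives the matching policy for the opposite initiator."""
        return Policy(self.name + "-rev", self.dst, self.src, self.service, self.action)

    def render(self):
        return (f"{self.name}: {self.action} {self.service} "
                f"{self.src.zone}:{self.src.cidr} -> {self.dst.zone}:{self.dst.cidr}")


def evaluate(policies, src_ip, dst_ip, service):
    """First-match semantics with an implicit final deny (assumed)."""
    for p in policies:
        if p.matches(src_ip, dst_ip, service):
            return p.action
    return "deny"


def renumber(obj, new_cidr):
    """Renumber an address object in place; reject host bits (e.g. 10.1.0.1/24)."""
    ip_network(new_cidr, strict=True)
    obj.cidr = new_cidr
    return obj


def demo():
    """Constructed walk-through: forward policy, derived reverse, then renumber."""
    lan = AddressObject("lan", "trust", "10.1.0.0/24")
    branch = AddressObject("branch", "untrust", "10.2.0.0/24")
    fwd = Policy("lan-to-branch", lan, branch, "tcp/445")
    rulebase = [fwd]
    results = {
        "forward_before": evaluate(rulebase, "10.1.0.7", "10.2.0.9", "tcp/445"),
        "reverse_before": evaluate(rulebase, "10.2.0.9", "10.1.0.7", "tcp/445"),
    }
    rulebase.append(fwd.reverse())
    results["reverse_after"] = evaluate(rulebase, "10.2.0.9", "10.1.0.7", "tcp/445")
    renumber(lan, "172.16.5.0/24")      # LAN interface renumbered once, in one place
    results["old_lan_after_renumber"] = evaluate(rulebase, "10.1.0.7", "10.2.0.9", "tcp/445")
    results["new_lan_after_renumber"] = evaluate(rulebase, "172.16.5.7", "10.2.0.9", "tcp/445")
    results["wrong_service"] = evaluate(rulebase, "172.16.5.7", "10.2.0.9", "tcp/80")
    results["rendered"] = [p.render() for p in rulebase]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is the "old_lan_after_renumber" result: after the address object is changed, a session from the old 10.1.0.0/24 range is denied and one from 172.16.5.0/24 is permitted, without any policy having been edited. A rulebase that stores literal CIDRs in each rule has to be searched and patched by hand after every renumbering, which is exactly the kind of drift that leaves a stale permit behind.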