ISP Planet - Technology - VPN RFP Lab Eval: Final Thoughts

Sections

• Best of the Lists
• Business
• CLEC-Planet
• Equipment
• Executive
Perspectives
• Fixed Wireless
• Investor
• Marketing
• Market Research
• News
• Notable Quotes
• Politics
• Profiles
• Resources
• Technology
• Value-Added
Services
• Webhosting
Also ...
• About Us
• Authors
• Letters
• Site Map
• Technology Jobs

internet.com

IT
Developer
Internet News
Small Business
Personal Technology

Search internet.com
Advertise
Corporate Info
Newsletters
Tech Jobs
E-mail Offers

internet.commerce

Partner With Us

VPN

VPN RFP Lab Eval: Final Thoughts —continued

by Lisa Phifer
VP Core Competence, Inc.
[January 4, 2002]

VPN Features
Ultimately, the focus of this series is Virtual Private Networking. To that end, here is a point-by-point comparison of the VPN features we found in these appliances:

VPN Features:	NetScreen	RapidStream	SonicWALL
Secure Tunneling Protocols	L2TP-over-IPsec IPsec ESP, AH	IPsec ESP, AH	IPsec ESP, AH
IPsec Encryption	Null, DES, 3DES	DES, 3DES	Null, DES, 3DES, ArcFour, CheckPoint DES
IPsec Message Integrity	HMAC-MD5, SHA-1	HMAC-MD5, SHA-1	HMAC-MD5, SHA-1
IPsec Modes	Tunnel, Transport	Tunnel, Transport	Tunnel
Selector Granularity	Subnet, IP, Service	Subnet, IP, Service	Subnet
Site-to-Site Topologies	Mesh, Hub-and-Spoke	Mesh, Hub-and-Spoke	Mesh, Hub-and-Spoke
IPsec with Manual Keys	Yes	Yes	Yes
IKE Authentication	Preshared Secret, Digital Certificates	Preshared Secret, Digital Certificates	Preshared Secret, Digital Certificates
IKE ID Types	IP, FQDN, User-FQDN	IP, DN, FQDN, User-FQDN	IP, FQDN
Diffie Helman Groups	1, 2, 5	1, 2	1
Certificate Authorities	Third-Party CA, including RSA Keon, Netscape, Baltimore, Entrust, Verisign, and Microsoft	Third-Party CA (no list provided, we used Microsoft)	VeriSign OnSite Subscription Service
CRL Refresh	HTTP or LDAP Server, Reject if unreachable	LDAP Server, Alarm if unreachable	VeriSign OnSite, Log if unreachable
RA VPN Clients	PGP IPsec (MacOS), L2TP-over-IPsec (W2K), SafeNet (Win32)	SafeNet (Win32)	SafeNet (Win32)
RA Dynamic IPs	L2TP (Static or Pool)	Mode-Config (Pool)	No
RA User Authentication	L2TP Local or RADIUS	XAUTH (Main Mode) Local or RADIUS	XAUTH (AG Mode) RADIUS
VPN Debugging Aids	Excellent	Good	Fair
VPN Certification	ICSA 1.0B VPNC Basic, Rekey, & Cert	VPNC Basic, Rekey, & Cert	Pending
Other VPN Features	Replay Protection, Tunnel Status Ping, Don't Fragment option, Commit Bit option	Replay Protection, RA Concurrency Limits, Relay L2TP, PPTP to VIP	Tunnel Keep-Alives, Allow Fragments, Block NetBIOS Broadcasts, Client Policy Generator

This chart is best viewed with specific security policies in mind. It really does not matter whether an appliance supports manual keys or IPsec AH if you never use them! Our RFP defined mandatory policy requirements: IPsec ESP, 3DES, SHA-1, Diffie Helman Group 2 (DH2), and IKE. This common policy is a subset of that certified by ICSA Labs. We also required IPsec for remote access, with optional legacy user authentication.

It was not until SonicWALLs reached our lab that we noticed they do not support DH2, required for ICSA IPsec certification. SonicWALL also makes simplifying assumptions like applying the same algorithms and lifetimes to IKE and IPsec and allowing any service through IPsec tunnels. These settings are typical in small VPNs and make tunnel configuration easier. While we would like to see DH2 and longer IKE lifetimes, many SMBs will not care. Larger or multi-vendor VPNs may find these details troublesome.

NetScreen and RapidStream have passed VPNC basic, rekey, and certificate tests. NetScreen is also ICSA-certified and supports DH5. RapidStream supports X.500 Distinguished Names and partial IKE IDs. All three vendors support full-mesh and hub-and-spoke site-to-site VPNs. Differences are most apparent when it comes to remote access:

SonicWALL and RapidStream both use XAUTH to permit legacy authentication by consulting a RADIUS server. RapidStream can also check a local user database, assign dynamic IPs from a pool, and enforce concurrency limits. By default, SonicWALL supports aggressive-mode XAUTH with a GroupVPN secret—easy to deploy, but less secure than other alternatives.
NetScreen offers two choices. "Vanilla" IPsec remote access is available without dynamic IP assignment or RADIUS user authentication. L2TP-over-IPsec remote access with dynamic IPs and RADIUS is available using NetScreen-Remote (SafeNet) or Windows 2000 Dial-Up Networking Clients.

Preshared secret and digital certificate authentication are supported by all; again, differences lie in the detail. SonicWALL sells Authentication Service upgrades that validate certificates issued by VeriSign's OnSite CA. NetScreen and RapidStream certificates are more flexible, but less turnkey: these appliances can be integrated with third-party CAs like Microsoft. Certificate Revocation Lists (CRLs) can be imported into either appliance, but when the CRL expires and the CA cannot be reached, different actions are taken.

Setting up a multi-vendor VPN between these products was not our series goal, but we tried it anyway. Basic site-to-site "any IP" tunnels with Preshared Secrets were no problem. More complex scenarios proved challenging. For example, service-specific IPsec tunnels worked in NetScreen and RapidStream pairs, but not between vendors. We could not try certificate authentication between SonicWALL and other-vendor appliances without more VeriSign certificates. VPN debugging aids, rarely needed when creating homogenous site-to-site tunnels, proved absolutely essential for remote access and multi-vendor VPN setup.

1. Introduction

4. Managing Large Networks and Firewall Features

2. Scenarios

5. VPN Features

3. Installation and Device Level Monitoring

>6. Support and Your Vote