VPN

VPN RFP Lab Eval: Final Thoughts —continued

by Lisa Phifer VP Core Competence, Inc. [January 4, 2002]

VPN Features
Ultimately, the focus of this series is Virtual Private Networking. To that end, here is a point-by-point comparison of the VPN features we found in these appliances:

This chart is best viewed with specific security policies in mind. It really does not matter whether an appliance supports manual keys or IPsec AH if you never use them! Our RFP defined mandatory policy requirements: IPsec ESP, 3DES, SHA-1, Diffie Helman Group 2 (DH2), and IKE. This common policy is a subset of that certified by ICSA Labs. We also required IPsec for remote access, with optional legacy user authentication.

It was not until SonicWALLs reached our lab that we noticed they do not support DH2, required for ICSA IPsec certification. SonicWALL also makes simplifying assumptions like applying the same algorithms and lifetimes to IKE and IPsec and allowing any service through IPsec tunnels. These settings are typical in small VPNs and make tunnel configuration easier. While we would like to see DH2 and longer IKE lifetimes, many SMBs will not care. Larger or multi-vendor VPNs may find these details troublesome.

NetScreen and RapidStream have passed VPNC basic, rekey, and certificate tests. NetScreen is also ICSA-certified and supports DH5. RapidStream supports X.500 Distinguished Names and partial IKE IDs. All three vendors support full-mesh and hub-and-spoke site-to-site VPNs. Differences are most apparent when it comes to remote access:

• SonicWALL and RapidStream both use XAUTH to permit legacy authentication by consulting a RADIUS server. RapidStream can also check a local user database, assign dynamic IPs from a pool, and enforce concurrency limits. By default, SonicWALL supports aggressive-mode XAUTH with a GroupVPN secret—easy to deploy, but less secure than other alternatives.
  
  
• NetScreen offers two choices. "Vanilla" IPsec remote access is available without dynamic IP assignment or RADIUS user authentication. L2TP-over-IPsec remote access with dynamic IPs and RADIUS is available using NetScreen-Remote (SafeNet) or Windows 2000 Dial-Up Networking Clients.

Preshared secret and digital certificate authentication are supported by all; again, differences lie in the detail. SonicWALL sells Authentication Service upgrades that validate certificates issued by VeriSign's OnSite CA. NetScreen and RapidStream certificates are more flexible, but less turnkey: these appliances can be integrated with third-party CAs like Microsoft. Certificate Revocation Lists (CRLs) can be imported into either appliance, but when the CRL expires and the CA cannot be reached, different actions are taken.

Setting up a multi-vendor VPN between these products was not our series goal, but we tried it anyway. Basic site-to-site "any IP" tunnels with Preshared Secrets were no problem. More complex scenarios proved challenging. For example, service-specific IPsec tunnels worked in NetScreen and RapidStream pairs, but not between vendors. We could not try certificate authentication between SonicWALL and other-vendor appliances without more VeriSign certificates. VPN debugging aids, rarely needed when creating homogenous site-to-site tunnels, proved absolutely essential for remote access and multi-vendor VPN setup.

 

1. Introduction	4. Managing Large Networks and Firewall Features
2. Scenarios	5. VPN Features
3. Installation and Device Level Monitoring	>6. Support and Your Vote