|
|
|
|
|
|
|
|
|
||
| internet.commerce | ||
|
Partner With Us |
VPN Platforms for Internet Service Providers
This survey of VPN hardware suitable for ISP use lets you compare equipment across a number of significant variables.
by Lisa Phifer
[Lisa
Phifer will be demonstrating VPN products
at VPN @ TISC, a one-day
workshop to be held
October 11th at the World Trade Center, Boston.]
Platform selection is arguably the most strategic decision facing any service provider entering the VPN market today. One way to begin selection is by surveying commercially available networking products that offer VPN features. In this column, we do just that. (See chart, below.)
There are many variables in the service provider VPN equation. In this survey, we have identified a few key factors that differentiate one VPN product from another.
POP or CPE?
As with any service, deploying a VPN involves both Point-of-Presence (POP)
platforms and customer premise equipment (CPE). Products suitable for
POP usage must meet higher expectations for scalability, performance,
manageability, and integration—and typically come with a larger price
tag. CPE products are considerably more diverse, ranging from PC client
software to Internet appliances, VPN-enhanced routers, and specialized
gateways. The "CPE" products identified in our survey are actually marketed
for enterprise use. Some are more appropriate for small business or remote
offices, while others are hefty enough to serve as central site "CPE"
in a branch office VPN. One could argue that larger CPE is suitable for
POP usage; it really depends on the target environment.
Remote Access or Branch Office?
VPN products typically support remote access VPNs (enabling dial-up access
by individual clients) and/or branch-office VPNs (connecting networks,
such as remote office to central site). Remote-access VPNs often use protocols
like Point-to-Point Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP),
and Layer 2 Forwarding (L2F). These protocols are designed to authenticate
PPP-based access by individual users; POP products that support them may
include other features relevant to remote access such as high dial port
density and integration with RADIUS. Branch-office VPNs commonly employ
tunnels between security gateways that support IP security (IPsec) standards.
But IPsec can also be used for remote access VPNs when the security gateway
is paired with client-side software.
Connectivity and Scalability
This survey does not exhaustively explore the diverse connectivity offered
by VPN products. To give a rough idea of scalability, I have included
the number of simultaneous connections (calls or tunnels) quoted by each
vendor. It is important to realize that products often support many client-to-gateway
tunnels, but a much smaller number of gateway-to-gateway tunnels, so comparing
these numbers can be misleading. Perhaps
a more useful metric when comparing platforms for branch office VPNs is
aggregate throughput, although we don't show this here. Some products
offer integrated WAN interfaces, while others are intended to sit behind
an external WAN access switch or router. These dual-Ethernet products
can be paired with a wider range of WAN access solutions, but result in
a more complex network end-to-end.
A Role For Software
This survey focuses on hardware VPN products, but we've included a few
representative software products for comparison. Windows NT and Moreton
Bay PoPToP can be used to turn a general-purpose PC into a remote-access
VPN server; these solutions may be of interest for small-scale POP deployment.
Most IPsec remote-access products are paired with client software sold
by the same vendor. Layer 2 products utilize Windows PPTP clients or require
no client software at all. For further discussion of client-side issues,
see my column, Dial VPNs: Revenue Opportunity
or Headache?
Final Thoughts
The information included in this survey was drawn from product specs posted
on vendors' web sites. ISP usage and VPN application represent my own
impression, based on available product specs. In a few cases, I have included
two products sold by the same vendor to illustrate both smaller CPE and
larger solutions for enterprise central site or POP. This survey is intended
to be representative, not exhaustive. I hope you find it useful to see
"the lay of the land", and encourage you to contact vendors directly to
investigate all products of interest. And now on to . . .
| Vendor | Product | ISP Use |
VPN Applications |
Tunnel Protocols | Concurrent Connexns | WAN Interfaces |
Own
Client? |
| 3Com | OfficeConnect
NETBuilder 10 |
CPE | Remote
Access, Branch Office |
PPTP, L2TP | 5 | ISDN | No |
| 3Com | Total
Control Multservice Access Platform |
POP | Remote Access | PPTP, IPsec | 336 | V.90, ISDN, T1, DSP | No |
| Altiga Networks | C50 VPN Concentrator | POP | Remote
Access, Branch Office |
PPTP, L2TP, IPsec | 5,000 | None | Yes |
| Ascend | Pipeline 200 | CPE | Branch Office | ATMP, PPTP, L2TP, IPsec | 32 | V.35, Frame, T1 | Yes |
| Ascend | MAX 6000 | POP | Remote Access | ATMP, PPTP, L2TP | 96 | ISDN, T1, Frame | No |
| Assured Digital | ADI-4500 | POP | Remote
Access, Branch Office |
IPsec | 96 | None | Yes |
| Assured Digital | ADI-1000 | CPE | Branch Office | IPsec | 400-1,000 | None | Yes |
| CheckPoint | VPN-1 | CPE | Remote
Access, Branch Office |
IPsec | Unavailable | N/A (software) | Yes |
| Cisco | 1600 | CPE | Branch Office | L2F, L2TP, IPsec | Unavailable | 56K, ISDN, T1 | No |
| Cisco | AS5300 | POP | Remote Access | L2F, L2TP, IPsec | 240 | V.90, ISDN, T1 | No |
| Compatible Systems | IntraPort Enterprise-8 | POP | Remote Access | IPsec, GRE | 40,000 | None | Yes |
| Compatible Systems | IntraPort 2 | CPE | Remote
Access, Branch Office |
IPsec, GRE | 64 | None | Yes |
| Extended Systems | ExtendNet VPN | CPE | Remote Access | PPTP | 50 | None | No |
| FreeGate | OneGate 1000 | CPE | Remote
Access, Branch Office |
PPTP, IPsec | 200 | 56K, Frame, DSL, T1 | No |
| IBM | 2210
Nways Multiprotocol Router |
CPE | Remote
Access, Branch Office |
PPTP, L2F, IPsec | Unavailable | V.34, Frame | No |
| Indus River | RiverWorks Tunnel Server | POP | Remote Access | PPTP, IPsec | 2,000 | None | Yes |
| Lucent | VPN Gateway | CPE | Branch Office | IPsec | Unavailable | None | Yes |
| Microsoft | Windows NT Server | CPE | Remote
Access, Branch Office |
PPTP | 256 | N/A (NT software) | Yes |
| Moreton Bay | PoPToP | POP | Remote Access | PPTP | 2,048 | N/A (Linux software) | No |
| NetScreen | NetScreen-10 | CPE | Branch Office | IPsec | Unavailable | None | Yes |
| Network TeleSystems | Tunnel Master | POP | Remote Access | PPTP, L2TP, NTS-TP | 1,000 | None | Yes |
| Nortel | Contivity
Extranet Switch 4500 |
POP | Remote Access | PPTP, L2TP, L2F, IPsec | 5,000 | T1, T3 | Yes |
| Nortel | Contivity
Extranet Switch 1500 |
CPE | Remote Access | PPTP, L2TP, L2F, IPsec | 100 | None | Yes |
| RADGUARD | cIPro-VPN | CPE | Remote
Access, Branch Office |
IPsec | Unavailable | None | Yes |
| RAScom | RAServer 2600 | POP | Remote Access | PPTP | 96 | V.90, ISDN, Frame, T1 | No |
| RedCreek | Ravlin 7100 | CPE | Remote
Access, Branch Office |
IPsec | Unavailable | None | Yes |
| RedCreek | Personal Ravlin | CPE | Branch Office | IPsec | 1 | None | No |
| Shiva | LanRover VPN Express | CPE | Remote
Access, Branch Office |
IPsec | 50 | None | Yes |
| Technologic | InstaGate | CPE | Remote
Access, Branch Office |
PPTP, IPsec | 256 | V.90, ISDN | No |
| TimeStep | PERMIT/Gate 1520 | CPE | Branch Office | IPsec | 25 | None | Yes |
| TimeStep | PERMIT/Gate 7520 | CPE | Remote
Access, Branch Office |
IPsec | 2,000 | None | Yes |
| VPNet | VPNware VSU-1100 | CPE | Remote
Access, Branch Office |
IPsec | 5,000 | None | Yes |
| Xedia | Access Point QVPN AP100 | POP | Remote
Access, Branch Office |
L2TP, IPsec | 4,000 | None | No |
| Xyplex | Edge Guardian | POP | Remote
Access, Branch Office |
IPsec | Unavailable | ISDN, Frame, T1 | Yes |
—End
read more by Lisa Phifer on VPNs
ISP-Planet's
RSS feed
Legal Notices, Licensing, Reprints, Permissions, Privacy Policy.
Advertise | Newsletters | Shopping | E-mail Offers | Freelance Jobs 