Maturity brings a new face to IPSec VPN products

Progress brings lower prices and deviation from standards, but still no centralized management.

By Joel Snyder, Network World Global Test Alliance, Network World, 10/28/02


As the VPN market approaches maturity at a brisk pace, vendors have been forced to rethink the traditional identity of their IP Security (IPSec)-based technology for letting users securely access enterprise resources via the Internet.

During the last 18 months, vendors have pushed VPN technology into different devices, have lessened the distinction between VPN and firewall products, and have demonstrated a strong willingness to deviate from standardized technology to meet corporate remote access requirements (see product review). What remains lacking, though, are features that offer strong centralized VPN management.

VPN technology now is built into a variety of products at all prices. Linksys' line of EtherFast firewall/VPN routers, which includes software and hardware encryption models, ranges in price from $100 to $180. Only a year ago, products with this level of encryption acceleration were 10 to 50 times more expensive.

Likewise, at least a dozen companies sell VPN/firewall devices that are little more than Intel-based boxes running Linux, a freeware firewall, IPSec and a Web graphical user interface. These appliances are low-priced but lack security certification and offer little by way of quality control.

At the same time, the boundaries between firewall and VPN devices have merged, virtually eliminating the dedicated VPN device category of products. With the demise over the past two years of Nokia's CryptoCluster, Cisco's 5000 series and products from the now-defunct Radguard and Redcreek, the last pure VPN devices have left the marketplace.

One way to evaluate combined VPN/firewall devices, says Nokia engineer Dan McDonald, is to recognize that some are better firewalls than VPN servers and vice versa. An example of the "big F firewall, little V VPN" devices is Secure Computing's Sidewinder, which has a perfectly capable VPN stack inside, but lacks in the areas of VPN manageability and functionality, such as in creation and management of large-scale site-to-site VPNs or in policy creation and distribution in remote access VPNs.

In the "little F firewall, big V VPN" category is Avaya's VSU series. Its mediocre packet filter is incidental to its outstanding VPN features.

This merger of firewall and VPN technology is good news for corporate network professionals on two fronts. The first is a greater opportunity to deploy VPN technology without having to compromise on network design. The second is enormous price pressure on all parts of the market in the customers' favor.

Management is missing

Centralized VPN management is not a problem that vendors have been able to solve. Skeptics charge that vendors don't care to solve it either, as doing so could open the door to multivendor VPN deployments. As Network World has proven in lab tests, building interoperable VPNs is not impossible - one can make almost any two IPSec products communicate. But managing all these VPN devices from a single point is not possible today.

Very few manufacturers have even started to think about what it takes to configure and maintain a VPN network with more than a dozen of their own nodes whose topology changes more than once a year. Cisco limped along with its Cisco Secure Policy Manager for most of this year but has recently introduced a management platform called CiscoWorks VPN/Security Management Solution Version 2, which the company says makes inroads into centralized management. Likewise, Check Point Software is making headway with the management features included in Feature Pack 2 of its NG firewall, released in April. But again, in both cases, the vendors have addressed only management of their own devices.

Third-party management vendors have not stepped up to the plate either. Some carrier-focused vendors, such as Orchestream, offer VPN management tools, but no significant effort has gone into giving corporate network managers a tool to link multiple VPN products into a single cohesive network.

Nonstandard standards

While IPSec is more widely used than Secure Sockets Layer (see story) for securing VPN connections, the standards are woefully inadequate for remote access. The political infighting within the Internet Engineering Task Force has resulted in a stunted specification that doesn't meet the needs of even modest remote access deployments in the areas of authentication, internal addressing, and Network Address Translation/Network Address and Port Translation (NAT/NAPT) traversal. More advanced requirements, including accounting and policy management, are ignored completely in the IPSec standards.

Even more disappointing is the progress on Internet Key Exchange Version 2, the protocol used to set up IPSec security associations, which is where issues such as authentication and address assignment are handled. While the IETF working group is arguing minute details such as whether two or three round trips are necessary to set up a security association, most of the remote access problems remain unaddressed.

Vendors have been forced to build nonstandard mechanisms to support secure remote access in large networks. The situation is exacerbated as the VPN market matures - what were minor proprietary extensions in the past are now wholesale departures from the standards as written.

Customers should be aware that the better the remote access product, the more likely they will be tied to a single-vendor solution. In our accompanying review, the best-scoring products were those that broke the IPSec standards with the greatest abandon - and those that have the least interoperability outside of the vendor-supplied client.

One key strategy to deploying remote access VPN technology is to separate it from site-to-site VPN deployments. Do not tie the remote access services to an existing firewall or VPN server. Feel free to jump ship to the most appropriate technology and server for your enterprise.