The VSU-10 unit is a dedicated standalone unit used for implementing virtual private
networks (VPNs) for interconnecting remote offices and remote users across any IP network.
The unit is a member of the VPNware System - a family of integrated VPN hardware,
software, and service packages.
Virtual Private Networks are becoming increasingly important in the networking arena,
which directly affects the markets of both CTI and Internet telephony. Applications such
as "remote voice" capabilities and the encrypting of voice packets for travel
over IP networks are gaining currency and are going to become essential in the near
future. TMC Labs is of the opinion that VPN technology will be increasingly used to ensure
private communications when implementing CTI and Internet telephony applications.
Supporting Triple DES encryption - the highest level of security available - at a full
8 Mbps rate while maintaining the full 10 Mbps wire speed throughput of non-VPN traffic
demonstrates the VSU-10's raw encryption power. The unit features real-time packet
compression, which certainly aids in achieving higher throughput on both the LAN and WAN.
Included with the VSU-10 is a browser-based administration software program called
VPNmanager. This software allows you to provide global-level, VPN-level, group-level,
client-level, and equipment-level monitoring and configuring capabilities. The VSU-10
supports from 25 to 100 remote access users and allows global roaming. The VSU-10 also
supports both "tunnel" and "transport" mode as well as the ability to
incorporate user-level authentication based on either multiuse (CHAP) passwords or
single-use (one-time) passwords.
DOCUMENTATION
The product's documentation is contained in several Adobe Acrobat PDFs, which we
printed out. They included a VSU-10 (hardware) user's guide, client software user's guide,
and the VPNmanager user's guide. The resulting printouts were quite lengthy, particularly
the VPNmanager manual, but they were all very descriptive, including diagrams and
illustrations. The table of contents and index were also very complete. However, when we
were setting up the VSU-10 for the first time, the documentation seemed to skip around
from one section to the next. In addition, when configuring the VSU-10, one section of the
VPNmanager manual seemed very unclear, requiring a technical support call. Though the
documentation goes to great lengths to explain the concepts of VPNs, security, and other
concepts and implications, we found it difficult in that some sections were explained in
detail, while other explanations were very unclear. Thus, we gave the documentation an
overall 3 rating.
FEATURES
For packet encryption, the VSU-10 supports DES encryption (56-bit key), as well as
Triple DES (EDE-CBC) encryption (three 56-bit independent keys, effective key length of
112 bits). Digital certificates, supporting X.509v3, are utilized for managing the VSU-10.
The VSU-10 integrates well with firewalls, and includes a bypass mode for non-VPN traffic
as well as reverse address translation for DHCP clients.
Packet Authentication
- ISAKMP: HMAC-MD5 and HMAC-SHA-1, AH Message Digest Algorithm.
- SKIP: Keyed MD5 AH Message Digest Algorithm.
User Authentication
- RADIUS servers (Ascend Access Control, Security Dynamics ACE/Server Access Manager,
BaySecure Access Control, Funk Steel Belted RADIUS Server).
- CHAP and SecurID tokens.
Key Management
- ISAKMP/Oakley.
- SKIP.
- All packet, traffic, and authenticating keys automatically generated.
- Encryption/authentication key updated automatically every 30 seconds.
Network Address Translation (NAT)
- Supports static, dynamic, and port mapping.
System Management
- Configuration via Java-based VPNmanager Tool Suite Version 2.3, VPNmanager MultiSite
Version 2.3, and VPNmanager SOHO Version 2.3.
- Monitoring from any application with SNMPv1 via VSU-1010 MIB.
- Configuration traffic secured through SSL.
- Secure software download for upgrades.
Compatibility
- Fully compatible with VSU-1000 VPN Service Unit (using transport mode), VSU-1010 VPN
Service Unit (using transport or tunnel mode), and VPNremote Client Software for Windows
Version 2.1 (using transport or tunnel mode).
Protocol Support
- IEEE 802.3, Ethernet.
- Full IPSec compliance: RFC 1825, RFC 1826, RFC 1827, RFC 1828, RFC 1829, RFC 1851, IPSec
Key Management using SKIP or ISAKMP/Oakley.
- Tunnel and transport modes supported.
OPERATIONAL TESTING
We downloaded the advanced firmware, which adds support for ISAKMP key management and
advanced network address translation (NAT). We needed to use this advanced firmware since
we weren't going to use a WINS server in our testing environment. Uploading the firmware
was a simple process. Once this was done, we set about to configure the VSU-10.
We liked the fact that the VPNmanager is managed through a Web browser using a mix of
HTML and Java, rather than using a "not so user friendly" console with a Command
Line Interface (CLI). One of the initial things we had to do in setting up the VSU-10 was
to connect to the VSU-10 from a Java-enabled browser, and then accept the certificate,
which pops up immediately after connecting to the VSU-10's IP address. This certificate
will then be used for future administration of the VSU-10. One important fact is that only
the machine on which the certificate is installed will be able to administer the VSU-10.
While this is a great security measure, we'd certainly like the ability to administer the
VSU-10 from multiple locations.
Secure Socket Layer (SSL) is used to keep configuration traffic between the VPNmanager
and the VSU-10 private. Also, X.509 certificates are used both by the VSU-10 and the
Java-compatible browser running VPNmanager. These provide authentication capabilities to
ensure that only authorized personnel can change the VSU-10 settings.
VPNmanager keeps you informed of the VSU status by polling the VSUs for status messages
and configuration changes. In the event that you lose contact with the VSU, you can ping
from VPNmanager and initiate a proxy ping from one VSU to another. In addition, VPNmanager
includes a method of updating the entire configuration in the event that the configuration
changes fail. The Web-based configuration screen is very user friendly.
After setting up the basic configuration on the VSU, such as IP addresses, clients, and
groups, we tested connectivity between the VPNmanager server and the VSU-10, using the
VPNmanager's ping capabilities. After verifying connectivity, we set up one client machine
on a Windows 95 laptop. We ran the setup file and then added the VPNremote Adapter to the
list of networking items listed under Windows 95's Network Control Panel applet.
Previously we had exported a ".VPN" configuration file from the VPNmanager
software, which we copied to the client machine. This file contains all the vital
information for finding and connecting to the VSU-10. Next, we launched the VPNet
client software, which prompted us to enter a password that we previously set. Upon
completion, the VPNremote application displayed the message "VPNremote is
enabled." From that point, the virtual private network is established and packets
sent from the client over any TCP/IP transport are encrypted and sent to the VSU-10.
From the VPNremote GUI you can click the 'Disable' button, which will allow all IP
traffic to travel unsecured. However, with the VPNremote disabled, it will not be possible
to communicate with secure resources. Another feature of this client-based applet is
packet statistics that show whether packets are being transmitted securely or unsecured,
which we found to be useful.
ROOM FOR IMPROVEMENT
The VSU-10 doesn't have an Off switch, so we were relegated to unplugging the unit when
we ran into some problems connecting and configuring the unit. Also, as previously
mentioned, the VSU-10 only allows one manager per VSU unit. We would like to see support
for multiple management PCs.
Since many (if not all) standalone VPN units, including the VSU-10, do not support
Point-to-Point Tunneling Protocol (PPTP), only TCP/IP is supported when trying to
communicate securely over a VPN. Thus, other Layer 3 protocols (such as IPX) must travel
unsecured through the VSU-10. In those cases, a server-based solution (such as Microsoft's
built-in VPN support in Windows NT), which allows for "encapsulating" other
protocols into TCP/IP, might be more appropriate.
CONCLUSION
This particular model is at the lower end of VPNet's line of VPN products, which has
inherent cost advantages over the pricier models. Since the VSU-10 supports from 25 to 100
remote access users, this product is targeted towards small to medium businesses, or even
large corporations that do not have a large constituency of remote users. The
browser-based system of management using Java was a nice touch, which certainly made setup
much easier than a text-based console/command line interface. Overall, we were quite
pleased with the performance, manageability, and security of the VSU-10, which help make
it a good fit for those looking for a VPN solution.