June 1999


Ascend SecureConnect Manager And Client Preview With Pipeline Family Of Routers

Ascend Communications, Inc.
1701 Harbor Bay Pkwy.
Alameda, CA 94502-3002
Ph: 510-769-6001
Fx: 510-747-2300
Web site: www.ascend.com

Price: Varies depending on which router you use and if you upgrade VPN to IPSec 56-bit or 128-bit encryption — for example, a 56-bit upgrade for P85 is $195, and an upgrade for the P220 is $495

RATINGS (0–5)
Installation: 4
Documentation: 4.25
Features: 4.75
GUI: 4.5
Overall: A-


Traditionally, routers used by small businesses have either employed dial-up analog connections or ISDN BRI — specifically for routing data to the Internet, or over a LAN or WAN. Without converting data to analog and back, ISDN BRI routers transfer the data directly in digital form. An ISDN BRI line connects to the telco’s digital switching system, avoiding the limitations and weaknesses of conversion and transit in analog form. ISDN BRI lines support two B channels of 64 Kbps each that can be combined during periods of high demand.

Recently, many remote access companies began adding more advanced features to their equipment — even SOHO ISDN routers. Ascend Communications has added firewall and Virtual Private Network (VPN) capabilities to their Pipeline routers, starting with the Pipeline 50 model. The SecureConnect Dynamic firewall provides a high-level packet filtering method, often referred to as stateful inspection. This allows the router to restrict traffic by network protocols, source/destination addresses, and even by specific applications. By using public networks such as the Internet, VPNs make remote communication possible without the added expense of installing and maintaining a new remote access platform. Because the data is encrypted for transmission through the Internet, it is secure. For regular telephony applications, the Pipeline’s two built-in analog ports, starting with the Pipeline 75 model, also support such advanced features as the ability to transfer, conference, and drop calls. All of these specific features are the main reason we decided to review the Pipeline family of routers.

INSTALLATION
We received a Pipeline 85 router to install and configure as we were waiting for beta versions of both SecureConnect Manager and SecureConnect Client. We connected a serial cable from the router to a Windows 98 workstation, and the power adapter from the router to an outlet. We also connected a 10Base-T Ethernet cable from one of the built-in ports to an uplink of a hub (an uplink contains crossover pairs for connecting from hub to hub). It would have been nice to have an uplink (crossover port) already incorporated in the P85 router. It would have made the setup a little easier. Next, we set up an ISDN simulator to work with the router, but we still needed another Pipeline router to test the ISDN BRI connection.

We set about configuring the P85 router. We opened HyperTerminal with the VT-100 setting and named the application "Pipeline." We set the serial port to Com 2 and the bits per second to 9600 and connected to Ascend’s VT-100 interface. We also redrew the screen (CTRL-L) so that it looked clearer. From there, the initial configuration was straightforward, but administrators have to be very knowledgeable about which options to select since Ascend gives you a large list of features available for the router, some of which can disrupt your configuration if improperly selected. For the most part, however, we just had to know our IP address for the router as well as the primary and secondary telephone number, and SPID numbers (SPID numbers may not be required depending on where your company is located) needed to access the ISDN lines.

Since we used an ISDN simulator, we also had to make sure the switch type was NI-1 (also referred to as NT-1), and the channel type was 64 Kbps. Since we were exclusively using the IP protocol, we made sure to pick IP options without any IPX options included. There are other options available, which can be used if you need them, such as Network Address Translation (NAT) or bridging.

We also installed the Java Configurator for the P85, and were able to view the settings we had already configured in the VT-100 interface. Changes or additions can be done via this interface, as long as the Java Configurator can read the router’s IP address, which must be set with the use of HyperTerminal or a similar application. When we received the SecureConnect Manager and the SecureConnect client (with 56-bit and 3DES encryption), we installed them on our Windows 98 client. The software installations were standard, and presented no problems.

The plan from here was to set up a client at our end and connect to a router at Ascend’s office in order to test the VPN functionality. We needed to dial up to an ISP to do this, and we also set up the P85 router so that we could connect via an ISP through the router. We called the local access number of the ISP and entered the proper DNS addresses, as well as a user ID and password. We set up the connection on the router by selecting Ethernet and then Connections, and listing a profile name. We then set the options we required, such as entering our local access number and selecting the appropriate authentication we would use (in our case, we chose the simple PAP authentication).

As you may be able to tell from what we’ve already stated, the configuration process can become complicated after adding or changing options. The administrator must be aware of the specific router’s settings, and should be aware of the many but sometimes complex features associated with the SecureConnect firewall and VPN (which we will discuss in the Operational Testing section).

DOCUMENTATION
There is an abundance of documentation available: A Pipeline start-up guide, a Pipeline reference guide, a documentation library (CD-ROM), and a SecureConnect Manager user guide (.pdf file). This is both a strength and a weakness, as there is a lot of information to be gained by reading this material. If you wish to find out about Ascend’s routing, VPNs, and firewall techniques, this documentation has its value. Unfortunately, there is so much information in all of these bulky guides that it starts to impede users in finding what they specifically need. For this reason, some careful trimming of the documentation would be helpful.

The documentation library has most of the information you might need in reference to the Pipeline family, and it is easy to locate specific information. Readers can just click the appropriate heading closest to what they are researching, and the information comes up in Acrobat. Unfortunately, the version we had was not updated. We were able to obtain the SecureConnect Manager user guide in Acrobat format, and this was very educational. However, it was difficult to obtain an overall sense of all the components involved since each manual had information that was integral to set-up, configuration, and operational testing. Reviewing one manual and then the next can at times be frustrating and counterproductive. It should be noted, though, that since much of what we tested is still in beta, it is likely that information involving these features will be integrated into the manuals in the near future. A little more procedural information would also help.

Overall, the documentation is well thought-out. It has a decent amount of screenshots, diagrams, and charts to help with difficult notions, such as Ascend’s VPN and firewall. The SecureConnect help files are also informative, explaining a feature when the user double clicks on the item.

FEATURES
Each router in the Pipeline family increases in features and functionality as the model number increases. The Pipeline 15 router is specifically used for very small businesses or for home offices. It links to a PC via a serial connection and does not support a LAN Ethernet connection. The Pipeline 50, 75, and 85 routers are used for small offices as well, but have a few more features, including the SecureConnect firewall and VPN with 40-bit IPSec encryption. (56- and 128-bit IPSec encryption can be obtained at their respective additional costs.) Some of the other main features of a Pipeline 85 router include:

The major transport protocols (IP, IPX, AppleTalk), the RIP 1 & 2 routing protocols, and multiprotocol routing and bridging.
Java-based Pipeline Configurator GUI.
Network Address Translation (NAT).
Remote Management (Telnet, SNMP).
Unlimited LAN access to the Internet or other locations.
Two analog ports used for basic telephony applications, such as transfers and call conferencing (only available with the Pipeline 15, 75, and 85 models).
4-port built-in hub (does not have an uplink port — only the Pipeline 85 has this feature).

The Pipeline 130 and 220 models have T1 connections available, and should be considered higher-end routers, for use by businesses that are big enough to require such an expensive connection, although the Pipeline 130 router still has an ISDN BRI line available. Ascend will also have T1 connectivity for a router called the Aqueduct, which is a high-end VPN and firewall router. There will be many port options available: Two-port T1 card, four-port T1 card, seven-port T1 card, one-port DS3 card, two-port DS3 card, or one-port OC3 card. The Aqueduct will be introduced at some point in the next quarter.

OPERATIONAL TESTING
The focus of our testing was on Ascend’s firewall and VPN features. We opened the SecureConnect Manager and configured a basic firewall in the Main Ruleset. Since we only wanted a simple test of the firewall, we allowed all traffic to pass through the firewall by turning on the "Trusted Sites" feature. In normal cases, the Trusted Sites feature would most likely be used only between branch offices, but for our purposes, we allowed all traffic to pass through by typing an asterisk in both the "Between Local" and "Remote" windows.

Other features we turned on were IP Address Resolution, Internet Control Message Protocol (ICMP), and IPSec. We allowed for Address Resolution Protocol (ARP), and we enabled ICMP so that we could be notified of errors and information requests while attempting to connect to other hosts on the Internet (Figure 1). Of course, IPSec needed to be enabled for us to test Ascend’s VPN, and we allowed all Authentication Header (AH) packets to pass through, in addition to specifying the local gateway, where we would send the firewall and VPN information. We also checked the Encapsulating Security Payload (ESP) box to allow these packets to pass through in both directions.

Next, we set up our VPN configuration for both the Local Tunnel Rulesets and the Remote Main Rulesets. In both cases, we only needed to enable the Trusted Sites option since we wanted to make sure that the packets we sent were being encrypted in both directions. We also specified the IP addresses for the server side router (in this case, an Aqueduct router at Ascend’s office).

Now, it was time to export the firewalls (the firewalls and VPNs are both called firewalls here) to a directory via a preferred binary file. Then we opened the SecureConnect Client, and had to load the firewalls before we could view the packet transfers via the Details button after we sent some packets to the Aqueduct.

After we dialed up to the Internet, we sent the VPN information to the Aqueduct at Ascend. Here, we had problems. For some reason, we kept receiving error messages, such as "Failure to get/set current configuration on router," or "No TFTP response from router." Since we were able to send the VPN via a Windows NT client on Ascend’s side, we realized that the problem could be the specific client we had been using, a compatibility issue with Windows 98, or, most likely, a LAN issue in which our proxy server (instead of the ISP) was trying to send the data. This last possibility was not acceptable because our own proxy server/firewall interfered when sending the data. To alleviate this problem, we deleted the network driver from the Windows 98 client.

Finally, it was time to actually test the VPN with 56-bit IPSec encryption. We FTPed the Internet to make sure we were connected properly, and then we pinged the Aqueduct router, FTPed to a specific location, and viewed the results via the SC Client Details screen. The entire VPN configuration was easy to accomplish — once we remembered all of the little steps required, and were able to see the encryption process successfully working.

With everything that needs to be understood and implemented correctly, there is a high learning curve for this product. Not only must you learn the intricacies of configuring the router itself, but you must also learn about the firewall and VPN features, and configure them according to your company’s needs. This can be a very complex and difficult task.

Luckily, the SecureConnect Manager and Client GUIs help tremendously — especially the help files. The GUIs are intuitive and use Windows conventions effectively. The SecureConnect Manager even changes which window is showing, depending on whether you are configuring the incoming or outgoing component of a particular feature of the firewall or VPN. For example, the GUI would list "Local Servers" in the left window for the incoming component and "Local Clients" for the outgoing component. For the most part, this avoids unnecessary confusion.

ROOM FOR IMPROVEMENT
While we realize that the software we examined was still in beta and some changes may already be planned, that does not stop us from giving some of our suggestions about it. Hopefully, any updates to the software for Windows 98 (Java Configurator, etc.) are currently being implemented, so there is no need to dwell on that topic. Most of what we suggest involves being able to seamlessly integrate the VPN and firewall features into the Pipeline product line without undue difficulty. By giving more scenarios and troubleshooting tips, and integrating the SecureConnect information into the Pipeline manuals, administrators would be able to better envision the entire system with much more clarity. Particular configuration schemes can be diagrammed (with the use of a Windows-based application and/or in manuals) to help administrators figure out which features are most important to them for their particular configuration requirements. Simplifying the steps in all of the areas of the configuration process would also help administrators tremendously.

There are three elements of the SecureConnect Manager that could be improved. While you can maximize, minimize, or resize the Main Ruleset screen, the VPN Configuration screen cannot do this unless in edit mode. Second, you cannot use the delete key on your keyboard, and instead must use the delete button on the GUI. Finally, it would be nice to list all of the features alphabetically in order to be able to find the feature you are searching for more quickly. Maybe "Restricted Sites" and "Trusted Sites" should stay at the beginning of the list, since they are more general and are often used. On the SecureConnect Client, it would be nice to be able to maximize the SC Client Details screen.

CONCLUSION
For the most part, the features added to the Pipeline products are effective and will help small to medium-sized businesses (depending on the Pipeline router) have a secure and resourceful network. The firewall and VPN features are a welcome addition to the Pipeline family, and therefore, warrant our Editors’ Choice Award.

 






