Traditionally, routers used by small businesses have either employed dial-up analog
connections or ISDN BRI specifically for routing data to the Internet, or over a
LAN or WAN. Without converting data to analog and back, ISDN BRI routers transfer the data
directly in digital form. An ISDN BRI line connects to the telco's digital switching
system, avoiding the limitations and weaknesses of conversion and transit in analog form.
ISDN BRI lines support two B channels of 64 Kbps each that can be combined during periods
of high demand.
Recently, many remote access companies began adding more advanced features to their
equipment, even SOHO ISDN routers. Ascend Communications has added firewall and
Virtual Private Network (VPN) capabilities to their Pipeline routers, starting with the
Pipeline 50 model. The SecureConnect Dynamic firewall provides a high-level packet
filtering method, often referred to as stateful inspection. This allows the router to
restrict traffic by network protocols, source/destination addresses, and even by specific
applications. By using public networks such as the Internet, VPNs make remote
communication possible without the added expense of installing and maintaining a new
remote access platform. Because the data is encrypted for transmission through the Internet, it is
secure. For regular telephony applications, the Pipeline's two built-in analog ports,
starting with the Pipeline 75 model, also support such advanced features as the ability to
transfer, conference, and drop calls. All of these specific features are the main reason
we decided to review the Pipeline family of routers.
INSTALLATION
We received a Pipeline 85 router to install and configure as
we were waiting for beta versions of both SecureConnect Manager and SecureConnect Client.
We connected a serial cable from the router to a Windows 98 workstation, and the power
adapter from the router to an outlet. We also connected a 10Base-T Ethernet cable from one
of the built-in ports to an uplink of a hub (an uplink contains crossover pairs for
connecting from hub to hub). It would have been nice to have an uplink (crossover port)
already incorporated in the P85 router. It would have made the setup a little easier.
Next, we set up an ISDN simulator to work with the router, but we still needed another
Pipeline router to test the ISDN BRI connection.
We set about configuring the P85 router. We opened HyperTerminal with the VT-100
setting and named the application "Pipeline." We set the serial port to Com 2
and the bits per second to 9600 and connected to Ascend's VT-100 interface. We also
redrew the screen (CTRL-L) so that it looked clearer. From there, the initial
configuration was straightforward, but administrators have to be very knowledgeable about
which options to select since Ascend gives you a large list of features available for the
router, some of which can disrupt your configuration if improperly selected. For the most
part, however, we just had to know our IP address for the router as well as the primary
and secondary telephone number, and SPID numbers (SPID numbers may not be required
depending on where your company is located) needed to access the ISDN lines.
Since we used an ISDN simulator, we also had to make sure the switch type was NI-1
(also referred to as NT-1), and the channel type was 64 Kbps. Since we were exclusively
using the IP protocol, we made sure to pick IP options without any IPX options included.
There are other options available, which can be used if you need them, such as Network
Address Translation (NAT) or bridging.
We also installed the Java Configurator for the P85, and were able to view the settings
we had already configured in the VT-100 interface. Changes or additions can be done via
this interface, as long as the Java Configurator can read the router's IP address,
which must be set with the use of HyperTerminal or a similar application. When we received
the SecureConnect Manager and the SecureConnect client (with 56-bit and 3DES encryption),
we installed them on our Windows 98 client. The software installations were standard, and
presented no problems.
The plan from here was to set up a client at our end and connect to a router at
Ascend's office in order to test the VPN functionality. We needed to dial up to an
ISP to do this, and we also set up the P85 router so that we could connect via an ISP
through the router. We called the local access number of the ISP and entered the proper
DNS addresses, as well as a user ID and password. We set up the connection on the router
by selecting Ethernet and then Connections, and listing a profile name. We then set the
options we required, such as entering our local access number and selecting the
appropriate authentication we would use (in our case, we chose the simple PAP
authentication).
As you may be able to tell from what we've already stated, the configuration
process can become complicated after adding or changing options. The administrator must be
aware of the specific router's settings, and should be aware of the many but
sometimes complex features associated with the SecureConnect firewall and VPN (which we
will discuss in the Operational Testing section).
DOCUMENTATION
There is an abundance of documentation available: A Pipeline start-up guide, a Pipeline
reference guide, a documentation library (CD-ROM), and a SecureConnect Manager user guide
(.pdf file). This is both a strength and a weakness, as there is a lot of information to
be gained by reading this material. If you wish to find out about Ascend's routing,
VPNs, and firewall techniques, this documentation has its value. Unfortunately, there is
so much information in all of these bulky guides that it starts to impede users in finding
what they specifically need. For this reason, some careful trimming of the documentation
would be helpful.
The documentation library has most of the information you might need in reference to
the Pipeline family, and it is easy to locate specific information. Readers can just click
the appropriate heading closest to what they are researching, and the information comes up
in Acrobat. Unfortunately, the version we had was not updated. We were able to obtain the
SecureConnect Manager user guide in Acrobat format, and this was very educational.
However, it was difficult to obtain an overall sense of all the components involved since
each manual had information that was integral to set-up, configuration, and operational
testing. Reviewing one manual and then the next can at times be frustrating and
counterproductive. It should be noted, though, that since much of what we tested is still
in beta, it is likely that information involving these features will be integrated into
the manuals in the near future. A little more procedural information would also help.
Overall, the documentation is well thought-out. It has a decent amount of screenshots,
diagrams, and charts to help with difficult notions, such as Ascend's VPN and
firewall. The SecureConnect help files are also informative, explaining a feature when the
user double clicks on the item.
FEATURES
Each router in the Pipeline family increases in features and functionality as the
model number increases. The Pipeline 15 router is specifically used for very small
businesses or for home offices. It links to a PC via a serial connection and does not
support a LAN Ethernet connection. The Pipeline 50, 75, and 85 routers are used for small
offices as well, but have a few more features, including the SecureConnect firewall and
VPN with 40-bit IPSec encryption. (56- and 128-bit IPSec encryption can be obtained at
their respective additional costs.) Some of the other main features of a Pipeline 85
router include:
- The major transport protocols (IP, IPX, AppleTalk), the
RIP 1 & 2 routing protocols, and multiprotocol routing and bridging.
- Java-based Pipeline Configurator GUI.
- Network Address Translation (NAT).
- Remote Management (Telnet, SNMP).
- Unlimited LAN access to the Internet or other locations.
- Two analog ports used for basic telephony applications, such
as transfers and call conferencing (only available with the Pipeline 15, 75, and 85
models).
- 4-port built-in hub (does not have an uplink port;
only the Pipeline 85 has this feature).
The Pipeline 130 and 220 models have T1 connections available, and should be considered
higher-end routers, for use by businesses that are big enough to require such an expensive
connection, although the Pipeline 130 router still has an ISDN BRI line available. Ascend
will also have T1 connectivity for a router called the Aqueduct, which is a high-end VPN
and firewall router. There will be many port options available: Two-port T1 card,
four-port T1 card, seven-port T1 card, one-port DS3 card, two-port DS3 card, or one-port
OC3 card. The Aqueduct will be introduced at some point in the next quarter.
OPERATIONAL TESTING
The focus of our testing was on Ascend's firewall and VPN features. We opened the
SecureConnect Manager and configured a basic firewall in the Main Ruleset. Since we only
wanted a simple test of the firewall, we allowed all traffic to pass through the firewall
by turning on the "Trusted Sites" feature. In normal cases, the Trusted Sites
feature would most likely be used only between branch offices, but for our purposes, we
allowed all traffic to pass through by typing an asterisk in both the "Between
Local" and "Remote" windows.
Other features we turned on were IP Address Resolution, Internet Control Message
Protocol (ICMP), and IPSec. We allowed for Address Resolution Protocol (ARP), and we
enabled ICMP so that we could be notified of errors and information requests while
attempting to connect to other hosts on the Internet (Figure 1). Of course, IPSec needed
to be enabled for us to test Ascend's VPN, and we allowed all Authentication Header
(AH) packets to pass through, in addition to specifying the local gateway, where we would
send the firewall and VPN information. We also checked the Encapsulating Security Payload
(ESP) box to allow these packets to pass through in both directions.
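The effect of the settings described above can be seen in a small model of a stateful filter. This is an added illustration, not Ascend's code or SecureConnect's rule format: the class, the rule evaluation order, the port choices and the documentation-range addresses are all assumptions constructed for the example. It compares the "*"/"*" Trusted Sites test setup with a Trusted Sites entry scoped to one remote office.

```python
from fnmatch import fnmatch

# IANA IP protocol numbers for the protocols named in the review
ICMP, TCP, ESP, AH = 1, 6, 50, 51

class StatefulFilter:
    """Toy model only; rule names and evaluation order are assumptions."""

    def __init__(self, trusted_sites, open_protocols, outbound_tcp_ports):
        self.trusted_sites = trusted_sites            # [(local pattern, remote pattern)]
        self.open_protocols = open_protocols          # passed in both directions
        self.outbound_tcp_ports = outbound_tcp_ports  # services local clients may reach
        self.flows = set()                            # state table of tracked connections

    def check(self, direction, proto, local, remote, lport=0, rport=0):
        # Trusted Sites: a matching address pair bypasses every other rule.
        for local_pat, remote_pat in self.trusted_sites:
            if fnmatch(local, local_pat) and fnmatch(remote, remote_pat):
                return "pass:trusted"
        # Protocols enabled in both directions (ICMP, AH, ESP in the review's setup).
        if proto in self.open_protocols:
            return "pass:protocol"
        if proto == TCP:
            flow = (local, lport, remote, rport)
            # An outbound connection to a permitted service creates state.
            if direction == "out" and rport in self.outbound_tcp_ports:
                self.flows.add(flow)
                return "pass:new"
            # Inbound TCP is accepted only as a reply on a tracked flow.
            if direction == "in" and flow in self.flows:
                return "pass:established"
        return "drop"

def compare(trusted_sites):
    """Run the same constructed packets through a filter with the given Trusted Sites."""
    fw = StatefulFilter(trusted_sites, {ICMP, AH, ESP}, {21})
    local, branch, ftp = "192.0.2.10", "198.51.100.7", "203.0.113.5"
    return [
        fw.check("in", TCP, local, "203.0.113.99", 23, 40000),  # unsolicited Telnet
        fw.check("out", TCP, local, ftp, 1025, 21),             # FTP control, outbound
        fw.check("in", TCP, local, ftp, 1025, 21),              # reply on that flow
        fw.check("in", TCP, local, branch, 23, 40001),          # Telnet from branch office
        fw.check("in", ESP, local, ftp),                        # IPSec payload
    ]

if __name__ == "__main__":
    print("review test setup (* / *):", compare([("*", "*")]))
    print("scoped to one remote site:", compare([("192.0.2.*", "198.51.100.*")]))
```

With the wildcard pair every packet, including the unsolicited Telnet attempt, is passed as trusted and the state table is never consulted; with the scoped pair only the branch office bypasses the rules.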
Next, we set up our VPN configuration for both the Local Tunnel Rulesets and the Remote
Main Rulesets. In both cases, we only needed to enable the Trusted Sites option since we
wanted to make sure that the packets we sent were being encrypted in both directions. We
also specified the IP addresses for the server side router (in this case, an Aqueduct
router at Ascend's office).
Now, it was time to export the firewalls (the firewalls and VPNs are both called
firewalls here) to a directory via a preferred binary file. Then we opened the
SecureConnect Client, and had to load the firewalls before we could view the packet
transfers via the Details button after we sent some packets to the Aqueduct.
After we dialed up to the Internet, we sent the VPN information to the Aqueduct at
Ascend. Here, we had problems. For some reason, we kept receiving error messages, such as
"Failure to get/set current configuration on router," or "No TFTP response
from router." Since we were able to send the VPN via a Windows NT client on
Ascend's side, we realized that the problem could be the specific client we had been
using, a compatibility issue with Windows 98, or, most likely, a LAN issue in which our
proxy server (instead of the ISP) was trying to send the data. This last possibility was
not acceptable because our own proxy server/firewall interfered when sending the data. To
alleviate this problem, we deleted the network driver from the Windows 98 client.
Finally, it was time to actually test the VPN with 56-bit IPSec encryption. We FTPed
the Internet to make sure we were connected properly, and then we pinged the Aqueduct
router, FTPed to a specific location, and viewed the results via the SC Client Details
screen. The entire VPN configuration was easy to accomplish once we remembered all
of the little steps required, and were able to see the encryption process successfully
working.
With everything that needs to be understood and implemented correctly, there is a high
learning curve for this product. Not only must you learn the intricacies of configuring
the router itself, but you must also learn about the firewall and VPN features, and
configure them according to your company's needs. This can be a very complex and
difficult task.
Luckily, the SecureConnect Manager and Client's GUI help tremendously,
especially the help files. The GUIs are intuitive and use Windows conventions effectively.
The SecureConnect Manager even changes which window is showing, depending on if you are
configuring the incoming or outgoing component of a particular feature of the firewall or
VPN. For example, the GUI would list "Local Servers" in the left window for the
incoming component and "Local Clients" for the outgoing component. For the most
part, this avoids unnecessary confusion.
ROOM FOR IMPROVEMENT
While we realize that the software we examined was still in beta and some changes may
already be planned, that does not stop us from giving some of our suggestions about it.
Hopefully, any updates to the software for Windows 98 (Java Configurator, etc.) are
currently being implemented, so there is no need to dwell on that topic. Most of what we
suggest involves being able to seamlessly integrate the VPN and firewall features into the
Pipeline product line without undue difficulty. By giving more scenarios and
troubleshooting tips, and integrating the SecureConnect information into the Pipeline
manuals, administrators would be able to better envision the entire system with much more
clarity. Particular configuration schemes can be diagrammed (with the use of a
Windows-based application and/or in manuals) to help administrators figure out which
features are most important to them for their particular configuration requirements.
Simplifying the steps in all of the areas of the configuration process would also help
administrators tremendously.
There are three elements of the SecureConnect Manager that could be improved. While you
can maximize, minimize, or resize the Main Ruleset screen, the VPN Configuration screen
cannot do this unless in edit mode. Second, you cannot use the delete key on your
keyboard, and instead must use the delete button on the GUI. Finally, it would be nice to
list all of the features alphabetically in order to be able to find the feature you are
searching for more quickly. Maybe "Restricted Sites" and "Trusted
Sites" should stay at the beginning of the list, since they are more general and are
often used. On the SecureConnect Client, it would be nice to be able to maximize the SC
Client Details screen.
CONCLUSION
For the most part, the features added to the Pipeline products are effective and will help
small to medium-sized businesses (depending on the Pipeline router) have a secure and
resourceful network. The firewall and VPN features are a welcome addition to the Pipeline
family, and therefore, warrant our Editors' Choice Award.