November 1998

VPNet Technologies, Inc.
1530 Meridian Ave.
San Jose, CA 95125
Phone: 408-445-6600
Fax: 408-445-6611
Web site: www.vpnet.com

Price: $2,795 for hardware, $3,995 including 25 users

Ratings (0-5)
Installation: 4
Documentation: 3
Features: 4
GUI: 4
Overall: A-

The VSU-10 unit is a dedicated standalone unit used for implementing virtual private networks (VPNs) for interconnecting remote offices and remote users across any IP network. The unit is a member of the VPNware System - a family of integrated VPN hardware, software, and service packages.

Virtual Private Networks are becoming increasingly important in the networking arena, which directly affects the markets of both CTI and Internet telephony. Applications such as "remote voice" capabilities and the encrypting of voice packets for travel over IP networks are gaining currency and are going to become essential in the near future. TMC Labs is of the opinion that VPN technology will be increasingly used to ensure private communications when implementing CTI and Internet telephony applications.

Supporting Triple DES encryption - the highest level of security available - at a full 8 Mbps rate while maintaining the full 10 Mbps wire speed throughput of non-VPN traffic demonstrates the VSU-10's raw encryption power. The unit features real-time packet compression, which certainly aids in achieving higher throughput on both the LAN and WAN. Included with the VSU-10 is a browser-based administration software program called VPNmanager. This software allows you to provide global-level, VPN-level, group-level, client-level, and equipment-level monitoring and configuring capabilities. The VSU-10 supports from 25 to 100 remote access users and allows global roaming. The VSU-10 also supports both "tunnel" and "transport" mode as well as the ability to incorporate user-level authentication based on either multiuse (CHAP) passwords, or single use (one-time) passwords.

DOCUMENTATION
The product's documentation is contained in several Adobe Acrobat PDFs, which we printed out. They included a VSU-10 (hardware) user's guide, client software user's guide, and the VPNmanager user's guide. The resulting printouts were quite lengthy, particularly the VPNmanager manual, but they were all very descriptive, including diagrams and illustrations. The table of contents and index were also very complete. However, when we were setting up the VSU-10 for the first time, the documentation seemed to skip around from one section to the next. In addition, when configuring the VSU-10, one section of the VPNmanager manual seemed very unclear, requiring a technical support call. Though the documentation goes to great lengths to explain the concepts of VPNs, security, and other concepts and implications, we found it difficult in that some sections were explained in detail, while other explanations were very unclear. Thus, we gave the documentation an overall 3 rating.

FEATURES
For packet encryption, the VSU-10 supports DES encryption (56-bit key), as well as Triple DES (EDE-CBC) encryption (three 56-bit independent keys, effective key length of 112 bit). Digital Certificates, supporting X.509v3, are utilized for managing the VSU-10. The VSU-10 integrates well with firewalls, and includes a bypass mode for non-VPN traffic as well as reverse address translation for DHCP clients.

Packet Authentication

• ISAKMP: HMAC-MD5 and HMAC SHA-1, AH Message Digest Algorithm.
• SKIP: Keyed MD5 AH Message Digest Algorithm.

User Authentication

• RADIUS servers (Ascend Access Control, Security Dynamics ACE/Server Access Manager, BaySecure Access Control, Funk Steel Belted RADIUS Server).
• CHAP and SecurID tokens.

Key Management

• ISAKMP/Oakley.
• SKIP.
• All packet, traffic, and authenticating keys automatically generated. Encryption/authentication key updated automatically every 30 seconds.

Network Address Translation (NAT)

• Supports static, dynamic, and port mapping.

System Management

• Configuration via Java-based VPNmanager Tool Suite Version 2.3, VPNmanager MultiSite Version 2.3, and VPNmanager SOHO Version 2.3.
• Monitoring from any application with SNMPv1 via VSU-1010 MIB.
• Configuration traffic secured through SSL.
• Secure software download for upgrades.

Compatibility

• Fully compatible with VSU-1000 VPN Service Unit (using transport mode), VSU-1010 VPN Service Unit (using transport or tunnel mode), and VPNremote Client Software for Windows Version 2.1 (using transport or tunnel mode).

Protocol Support

• IEEE 802.3, Ethernet.
• Full IPSec compliance: RFC 1825, RFC 1826, RFC 1827, RFC 1828, RFC 1829, RFC 1851, IPSec Key Management using SKIP or ISAKMP/Oakley.
• Tunnel and transport modes supported.

OPERATIONAL TESTING
We downloaded the advanced firmware, which adds support for ISAKMP key management and advanced network address translation (NAT). We needed to use this advanced firmware since we weren't going to use a WINS server in our testing environment. Uploading the firmware was a simple process. Once this was done, we set about to configure the VSU-10.

We liked the fact that the VPNmanager is managed through a Web browser using a mix of HTML and Java, rather than using a "not so user friendly" console with a Command Line Interface (CLI). One of the initial things we had to do in setting up the VSU-10 was to connect to the VSU-10 from a Java-enabled browser, and then accept the certificate, which pops up immediately after connecting to the VSU-10's IP address. This certificate will then be used for future administration of the VSU-10. One important fact is that only the machine on which the certificate is installed will be able to administer the VSU-10. While this is a great security measure, we'd certainly like the ability to administer the VSU-10 from multiple locations.

Secure Socket Layer (SSL) is used to keep configuration traffic between the VPNmanager and the VSU-10 private. Also, X.509 certificates are used both by the VSU-10 and the Java-compatible browser running VPNmanager. These provide authentication capabilities to ensure that only authorized personnel can change the VSU-10 settings.

VPNmanager keeps you informed of the VSU status by polling the VSUs for status messages and configuration changes. In the event that you lose contact with the VSU, you can ping from VPNmanager and initiate a proxy ping from one VSU to another. In addition, VPNmanager includes a method of updating the entire configuration in the event that the configuration changes fail. The Web-based configuration screen is very user friendly.

After setting up the basic configuration on the VSU, such as IP addresses, clients, and groups, we tested connectivity between the VPNmanager server and the VSU-10, using the VPNmanager's ping capabilities. After verifying connectivity, we set up one client machine on a Windows 95 laptop. We ran the setup file and then added the VPNremote Adapter to the list of networking items listed under Windows 95's Network Control Panel applet.

Previously we had exported a ".VPN" configuration file from the VPNmanager software, which we copied to the client machine. This file contains all the vital information for finding and connecting to the VSU-10. Next, we launched the VPNet client-software, which prompted us to enter a password that we previously set. Upon completion, the VPNremote application displayed the message "VPNremote is enabled." From that point, the virtual private network is established and packets sent from the client over any TCP/IP transport are encrypted and sent to the VSU-10.

From the VPNremote GUI you can click the 'Disable' button, which will allow all IP traffic to travel unsecured. However, with the VPNremote disabled, it will not be possible to communicate with secure resources. Another feature of this client-based applet includes packet statistics to show whether packets are being transmitted securely or unsecured, which we found to be useful.

ROOM FOR IMPROVEMENT
The VSU-10 doesn't have an Off switch, so we were relegated to unplugging the unit when we ran into some problems connecting and configuring the unit. Also, as previously mentioned, the VSU-10 only allows one manager per VSU unit. We would like to see support for multiple management PCs.

Since many (if not all) standalone VPN units, including the VSU-10, do not support Point to Point Tunneling Protocol (PPTP), only TCP/IP is supported when trying to communicate securely over a VPN. Thus, other Layer 3 protocols (such as IPX) must travel unsecured through the VSU-10. In those cases, a server-based solution (such as Microsoft's built-in VPN support in Windows NT), which allows for "encapsulating" other protocols into TCP/IP, might be more appropriate.

CONCLUSION
This particular model is at the lower-end of VPNet's line of VPN products, which has inherent cost advantages over the pricier models. Since the VSU-10 supports from 25 to 100 remote access users, this product is targeted towards small to medium businesses, or even large corporations that do not have a large constituency of remote users. The browser-based system of management using Java was a nice touch, which certainly made setup much easier than a text-based console/command line interface. Overall, we were quite pleased with the performance, manageability, and security of the VSU-10, which help make it a good fit to those looking for a VPN solution.