ALAMEDA, CALIF. - Netopia this week will introduce a device aimed at helping customers with multiple remote offices more easily set up virtual private networks.
The company will introduce the S9500, a VPN box for branch offices that includes a firewall and traffic shaping, as well as VPN capabilities that meet the IP Security standard for authentication and encryption.
Because the S9500 includes many functions, it is ideal for enterprises that don't want to get bogged down in piecing together a security package from many vendors, says Steve Rigney, a senior network analyst with NetReference in Sterling, Va.
The S9500 is designed for site-to-site connections among separate offices as long as their Internet connections are T-1 or smaller, Rigney says. The device would be unsuitable for a large corporation with a headquarters site connected to the Internet by something larger than a T-1, he says.
Netopia needs to develop interoperability with vendors of VPN gear that support larger Internet pipes to be compatible as a branch-office device in a large enterprise, Rigney says.
The S9500 can be used in conjunction with dial-up remote access VPNs using a Netopia VPN client that supports Windows 95, 98 and NT.
The S9500 connects to the LAN side of a branch office's WAN router via a 10M bit/sec Ethernet connection.
All incoming traffic is screened by the firewall. The S9500 decrypts VPN traffic and sends it out one of two LAN ports. The ports serve separate LAN segments, giving customers the option to send traffic directly to network servers or to servers in a demilitarized zone isolated from the rest of the LAN, Netopia says.
Terminating VPN sessions and encryption via Triple-Data Encryption Standard (DES) are done in Application Specific Integrated Circuits to enable wire-speed throughput. The company says the box can handle 4,000 concurrent firewall sessions at 10M bit/sec and 200 concurrent Triple-DES sessions at 1.5M bit/sec.
The firewall performs stateful inspection of packets, which means TCP ports in the firewall are closed unless there is an active connection. The firewall is also compatible with Remote Authentication Dial-In User Service (RADIUS) servers for authentication of users and is capable of network address translation and URL blocking.
Traffic shaping is performed according to criteria including IP source and destination addresses and the TCP port that the packet uses. Using such parameters, network administrators can give one type of traffic priority over another to guarantee better throughput.
The device can be configured and managed through a console port, plug-in modem or a Web interface.
The S9500 is available now and costs $3,695. Clients cost $699 for 10 licenses.
RELATED LINKS
Other recent articles by Greene
