VPN: Hold the firewall
Check Point sees package removing obstacle, cutting costs.
|
|||
 | |||
|
Advertisement: |
REDWOOD CITY, CALIF. - Check Point Software will introduce this week a stripped-down version of its popular virtual private network software in an effort to get users to make the leap to VPNs even if they have firewalls from other vendors.
According to Check Point, users are reluctant to try VPNs because the gear often comes bundled with firewalls, and customers don't want to pay for something they already have. So rather than a fully configurable firewall, Check Point's new VPN-1 Net combines VPN functions with four basic stateful-inspection firewall options: allow all traffic; allow all encrypted traffic; allow only encrypted traffic; and block all traffic.
To further entice users, Check Point is introducing a new pricing scheme to make it easier to directly compare the cost of frame relay with VPNs. The latter can cost $300 to $1,600 less per site per month vs. frame relay. "[Check Point] is encouraging users to extend their networks to sites where they can't justify a frame relay connection today," says Rosemary Cochran, an analyst for Vertical Systems Group.
Advertisement: |
With VPN-1 Net, Check Point charges a one-time fee for a VPN-1 software license that covers a certain number of VPN tunnels per site. For example, a license for five tunnels costs $1,000, so setting up a link between two sites would cost $2,000. Check Point centralized management software to control the environment costs another $15,000. The access link would be an Internet connection that a company has in place and is paying for anyway.
By contrast, a single 56K bit/sec frame relay connection costs $300 to $500 per month and a T-1 frame relay circuit costs $1,500 to $1,600 per month, Cochran says. And customers would still pay for their Internet connection. If users want a frame link to connect to more than one site, they pay an additional fee per permanent virtual circuit (PVC) per month. A virtual circuit is roughly analogous to a tunnel in that it enables a link between specific sites. A 64K bit/sec PVC from AT&T costs $126 per month, list price.
Still, if the IP VPN option becomes attractive enough so corporate users at least try it, they might find it is inexpensive enough to tie in more locations, Cochran says. According to Vertical Systems, last year there were 1.2 million frame relay links in place vs. 196,000 IP VPN connections.
Competitors such as NetScreen, Nortel, Rapidstream and WatchGuard come with full firewalls, and an entire line of Cisco VPN gear is based on its PIX firewall. "I haven't seen anyone else roll out anything like [VPN-1 Net]," says Jeff Wilson, who researches VPN vendors for Infonetics Research. "[This software] can ease some cost and complexity fears that people have about migrating sites away from frame relay."
The VPN-1 Net firewall running on a server or a custom VPN appliance made by one of Check Point's hardware partners, can be set so that it doesn't interfere or compete with whatever firewall is already protecting corporate Internet connections. But the VPN-1 Net firewall can be turned on at sites that might not have one yet.
Frame relay users would lose some features if IP VPN were added. For example, frame relay comes with minimum bandwidth guarantees, while VPNs that rely on the Internet are subject to unpredictable delays. But it is much faster to turn up a VPN link to a site that has Internet access than to wait months for a frame relay connection.
Once frame relay networks were considered secure because they operate at Layer 2, but with heightened interest in security, users are becoming wary but also receptive to VPN technology that is secure from site to site.
"Administrators are beginning to question how well that frame cloud is managed from a security standpoint," says Christopher Arnold, network security architect for Wheelhouse, a maker of customer-relationship management software in Burlington, Mass. The company bases its five-site WAN on Check Point VPN/firewall software that runs on Nokia hardware.
Check Point is also adding new management shortcuts in its software to make it easier to set up user groups and establishing hub-and-spoke connections, a common frame relay configuration. "You can set up a tunnel between end points in 60 seconds. Before, if you were really good at it, it took 30 minutes," Arnold says. These features come with Check Point's VPN-1 Pro software, formerly called VPN-1/Firewall-1 Gateway.
VPN-1 Pro also includes a graphical interface that simplifies adding a site and changing the user group that a particular site belongs to. "If you have a tight budget and are short-staffed, you can really appreciate this," Arnold says. "Once it's designed properly, it can be deployed by less experienced administrators."
VPN-1 Net and VPN-1 Pro are available now. VPN-1 Pro, including centralized management to connect a 500-person office with a 40-person office, would costs $24,500.
RELATED LINKS
