
By Tim Greene
Network World,
12/24/01
In their struggle to gain new business, VPN vendors are engaged
in a heated debate these days about speed. But most enterprise users aren't
swayed by anyone's grand performance claims.
In general, the hardware vendors say their devices encrypt
packets at faster rates than the highest speeds claimed by the software bunch.
Hardware VPN vendor NetScreen Technologies claims its NetScreen-1000
can process 1G bit/sec of VPN traffic, and RapidStream says its top-of-the-line
RapidStream 8000 hits 360M bit/sec. Meanwhile, Cisco says its top software
VPN gear, PIX 535, does 100M bit/sec of Triple-DES VPN encryption. Check Point
Software's VPN software runs on general server platforms and other vendors'
custom-made hardware. Of these, Check Point points to the Nokia IP740 as the
fastest, citing that vendor's clocking at 150M bit/sec.
The need for speed
All this talk about speed and the ensuing struggle among VPN
vendors to prove themselves fastest are born of a few market conditions.
One is the increasing availability of Ethernet access services
and enterprise use of these services to connect data centers to the Internet.
In these cases, sometimes sheer speed wins the day, as it did at Solid Systems,
a Houston firm that runs data centers in which corporations can house gear
and lease storage capacity.
Solid Systems gets its VPN speed from the NetScreen-1000,
which can handle the company's user base and, importantly, quickly add
VPN sessions (a strength of custom processors), says Steve Koinm, Solid
Systems' vice president of strategic technology. "I'm
concerned about speed, and in our network I've never even seen this
thing breathe hard," he says.
Traditionally, anyone shopping for this equipment on speed
alone would choose a hardware-based product built around specialized integrated
circuits rather than one based on software and general-purpose processors,
say analysts who pore over performance reports. "When you run things
in hardware, they're always much more scalable," says Zeus Kerravala,
a research director at The Yankee Group.
But software VPN vendors are tweaking their products and using
network processors to power them, giving rise to the
second market condition leading to the speed debate.
With these updates, software VPNs are making gains against
hardware ones, says Jeff Phillips, an analyst with TeleChoice.
In the PIX 535, Cisco included dedicated processor cards to
handle VPN encryption and boost performance. And Check Point has begun offering
load-sharing software that lets users strap up to five VPN gateways together
to boost total throughput at one site to 1.2G bit/sec. In addition, it's
overhauled its VPN-1/Firewall-1 to make it easier for hardware designers to
isolate individual VPN software processes for more efficient processing. Check
Point partners are still adopting this next-generation software release. Start-up
CrossBeam claims its upcoming gear can push the throughput of Check Point's
VPN-1 to 2G bit/sec.
"With all the right hardware components . . .
you can often make the software-based VPN controller run just about as efficiently
as a hardware-based VPN appliance," says Ed Mier, founder of testing
firm Miercom, and member of Network World's Global Test Alliance.
Why the speed greed?
When it comes down to it, though, the flap over speed can
be unnecessarily confusing. Solid Systems' Koinm, with his priority
on speed, is more of the VPN exception than the rule. Network executives generally
don't make buying decisions based on the fastest boxes possible. Rather,
they buy VPN gear to protect the particular size connections they happen to
have.
If the sites being connected are fed by T-1 or slower links, performance
drops out of the equation: hardware and software VPN devices alike can fill
those pipes, says Kevin Tolly, president of testing firm The Tolly Group, and a
Network World columnist.
It is with higher-speed Internet connections — T-3,
10M, 100M and 1G bit/sec — that performance between hardware and software
matters, Phillips notes.
In this range, where hardware and software vendors'
claims about performance overlap, you need to beware, Tolly says. Performance
claims might not only be confusing, but also downright misleading.
Read Cisco's PIX 535 product literature and you'll
find that if you add the extra dedicated processors, called VPN accelerators,
the gear can deliver 100M bit/sec throughput and support 2,000 IP Security
tunnels over Gigabit links.
But The Tolly Group found that the PIX 535 achieves 109M bit/sec
with 1,400-byte packets being run through it from Gigabit Ethernet ports,
Tolly says. That number dipped to 80M bit/sec when the testers used 512-byte
packets — the processors being strained by the need to handle more packets
per second. Of course, traffic in an enterprise network would consist of
packets of various sizes, depending on what applications were running.
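The drop from 109M to 80M bit/sec with smaller packets is easier to read once the figures are converted to packets per second, which is the work a Triple-DES gateway actually does. The following is an added example, not code from the article or from any vendor named in it; it uses the Tolly Group numbers quoted above and assumes an ESP tunnel-mode framing (3DES-CBC with HMAC-SHA1-96 and a 20-byte outer IPv4 header) that the article does not specify.

```python
# Added example (not from the article): normalise quoted VPN throughput
# figures to packets per second and ESP overhead. ESP framing assumed:
# tunnel mode, 3DES-CBC (8-byte block and IV), HMAC-SHA1-96 (12-byte ICV),
# 20-byte outer IPv4 header; the article does not state the transform used.

OUTER_IP = 20   # outer IPv4 header added in tunnel mode (assumed)
ESP_HDR = 8     # SPI (4) + sequence number (4)
IV_LEN = 8      # 3DES-CBC initialisation vector
BLOCK = 8       # 3DES block size; encrypted part is padded to a multiple
TRAILER = 2     # pad length (1) + next header (1)
ICV = 12        # HMAC-SHA1-96 integrity check value (assumed)

def packets_per_second(mbit_per_s: float, packet_bytes: int) -> float:
    """Packets the gateway must handle each second to sustain the stated
    rate at the stated (pre-encryption) packet size."""
    return mbit_per_s * 1_000_000 / (packet_bytes * 8)

def esp_wire_bytes(inner_bytes: int) -> int:
    """Bytes on the wire for one inner IP packet after ESP tunnelling."""
    body = inner_bytes + TRAILER
    pad = (-body) % BLOCK          # pad up to the next 8-byte boundary
    return OUTER_IP + ESP_HDR + IV_LEN + body + pad + ICV

def esp_overhead_pct(inner_bytes: int) -> float:
    """Extra bytes ESP adds, as a percentage of the inner packet."""
    return 100.0 * (esp_wire_bytes(inner_bytes) - inner_bytes) / inner_bytes

# Constructed from the Tolly Group figures quoted in the article: Mbit/s at
# each packet size.
MEASURED = {
    "PIX 535": {1400: 109, 512: 80},
    "NetScreen-500": {1400: 230, 512: 136},
}

def per_packet_cost(device: str) -> dict:
    """Packets/sec the device sustained at each size; the small-packet
    figure is the one that exposes the per-packet processing limit."""
    return {size: round(packets_per_second(mbps, size))
            for size, mbps in MEASURED[device].items()}

if __name__ == "__main__":
    for dev in MEASURED:
        print(dev, per_packet_cost(dev))
    for size in (1400, 512):
        print(f"{size}-byte packet -> {esp_wire_bytes(size)} bytes on wire, "
              f"{esp_overhead_pct(size):.1f}% overhead")
```

Run as-is, it shows the PIX 535 moving roughly twice as many packets per second at 512 bytes as at 1,400 bytes even though its bit rate fell, and that the fixed ESP overhead weighs almost three times as heavily on the smaller packet.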
In a written rebuttal of these results, Cisco says internal
tests show the PIX 535 performing better — in some cases 37 times better
— than Tolly Group reports.
The Tolly Group ran the same test on the NetScreen-500, a
hardware-based VPN device touted by the vendor as able to hit 250M bit/sec
VPN Triple-DES throughput. Its tests, which NetScreen commissioned, showed
136M bit/sec throughput with 512-byte packets and 230M bit/sec with the larger
packets.
While NetScreen didn't hit its touted numbers in the
high-stress, small-packet tests either, it hasn't taken issue with the
Tolly Group tests.
Performance claims being what they are, the advice for network
professionals evaluating VPN options is not to get caught up in the back and
forth between hardware and software vendors over performance. Speed is important,
but it doesn't rule the day.
SCINET, a healthcare applications service provider in Scottsdale,
Ariz., chose SonicWall's hardware VPN gear because the devices were
easy to configure and distribute, and because they filter for viruses. Plus,
SCINET didn't have to worry about the security of the underlying operating
system as it would have had to if it had ported VPN software to a general-purpose
server, says Ryan McConky, senior systems/network engineer at the company.
"This had everything we needed in one box," he adds.
Rich management features can also be an important factor in
networks with several sites, says Paul Kahyet, chief systems engineer for
Schlumberger Network Solutions. The company uses Check Point VPN software-based
gear in networks it runs for Schlumberger's petroleum arm as well as
for other corporations because it is easy to manage and lets new sites be
added by making server entries and having all network equipment updated automatically.
Raw performance was secondary.