When selecting virtual private network (VPN) devices, think first about your existing equipment. If you want to integrate your VPN with your 3Com router network or your Axent firewalls, for example, your choice is pretty easy.
Adding on to an existing device, though, is not always wise. If your firewall or router is already bogged down with existing tasks, assigning VPN service to it will probably push it over the edge. Consider your management workload. If you plan to use the VPN for client-to-LAN as well as LAN-to-LAN encryption, the product's ability to manage thousands of VPN tunnels is critical. Generally, we found that the software-only vendors, including Microsoft, Novell, Internet Dynamics, Axent and Data Fellows, offer a more limited feature set and less control than their hardware-based competitors. However, if you're constrained by a tight budget, the software-only vendors make a compelling cost argument if you have an available server. And all could easily keep up with a T-1 circuit on our 350-MHz PII systems, even using the highest available level of encryption. If you haven't settled on a vendor yet, it's time to consider other features:

- Selective encryption. Some products allow you to decide whether or not to encrypt traffic based on the service being accessed. Not every organization cares, but if you're trying to add a VPN to an existing firewall, you may want to encrypt only a subset of traffic. Or, you may want to apply a tougher encryption algorithm to packets going to the human resources system than to GIFs coming off the corporate Web server.
- Topology. Most hardware VPN products ship with a pair of 10M bit/sec or 10/100M bit/sec Ethernet interfaces. Software vendors are often more generous with LAN interfaces because they can depend on Windows NT, NetWare or Unix to handle LAN and WAN interfaces (although the CPU may not be able to handle the load of even two). Some hardware vendors, including 3Com, Lucent and Radguard, also offer more than two LAN interfaces on their products.
- Certificate authority support. The ability to work with a certificate authority, provided either by the VPN vendor or a third party such as Entrust Technologies' Entrust/PKI, is key if you think you'll be managing more than a handful of tunnels and clients. We tested only three products - TimeStep's Permit Gateway 4520, Axent's Raptor Firewall/VPN Server and Check Point Software's VPN-1 Gateway - that could handle online connections to our Entrust PKI.
- Logging. Once you've come up with a short list of products that fit, look at logging features. If you have a centralized logging facility, will your VPN integrate with it? What about SNMP? There is no defined VPN Management Information Base, but just being able to count packets with an SNMP management station can tell you a lot about the health of your VPN.
- Management modules. Management stations are more than decision points - they can be budget busters. For example, Lucent's hardware is downright affordable, until you realize that you have to shell out an extra $12,000 for the management station. If you're going to be linking only two or three sites, vendors such as VPNet, Radguard, Lucent and Check Point make you pay a high premium to set up their management infrastructure.
