We used Bay Networks 350T 10/100 switches to create two private LANs and one public LAN that represented the Internet. We set up three 500 MHz Digital Alpha systems on each of the private LANs to generate traffic, and we watched traffic using AG Group's EtherPeek. A pair of 350 MHz Pentium II systems served as management consoles and also as test units for vendors providing software-only solutions. We used a Cybex Autoboot Commander 4P keyboard/video/mouse switch to monitor our systems.
Most vendors chose to send representatives to install their products. After each one was installed, we started IP Security (IPSec) interoperability testing using a moderately complex tunnel configuration. We required vendors to support two different encryption algorithms: Data Encryption Standard and triple-DES.
Products that did not support IPSec and Internet Key Exchange (IKE) - including Internet Dynamics' Conclave, Microsoft's Windows NT Server 4.0, Routing and Remote Access Software and Novell's BorderManager Firewall Services 3 - were not part of this test phase.
The standards for IP security, which are often thrown together under the IPSec moniker, are long and complex. We found that most products are very similar when it comes to their IPSec implementations, probably because the standards are so comprehensive. The major differences we saw were in performance, interoperability and management applications, so our tests concentrated on these areas.
We tested PKI interoperability with a Windows NT-based product called Entrust/PKI from Entrust and verified whether vendors could really pass keys back and forth.
Finally, we used our test bed to stress-test the performance of all the products using TCP-based data streams. Our tests included a single-stream test, designed to show both throughput and latency of the VPN devices, and a multistream test, intended to show worst-case performance in a typical LAN environment.
We used a BSD-derived TCP/IP stack (Tahoe) and a greedy TCP data stream to send simplex traffic through the virtual private networks. On the receiving side, the same TCP/IP stack simply discarded the data. Because of the TCP stack compression syndrome, as well as the limits of MTU discovery in the stack, the VPNs had relatively dramatic effects on total system throughput.
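The single-stream test described above, as an added example rather than the review's own tooling: a greedy sender pushes a fixed-size buffer as fast as the socket accepts it, while a receiver reads and discards everything, and the run reports bytes moved and throughput. It assumes loopback in place of the test LANs and a 64 KB chunk size, so the numbers only illustrate the measurement, not any VPN device's performance.

```python
import socket
import threading
import time

CHUNK = 64 * 1024          # constructed: bytes per send()/recv() call
HOST = "127.0.0.1"         # assumption: loopback stands in for the test LAN


def discard_receiver(srv, result):
    """Accept one connection and discard everything until the sender closes."""
    conn, _ = srv.accept()
    total = 0
    with conn:
        while True:
            buf = conn.recv(CHUNK)
            if not buf:           # sender closed: end of the simplex stream
                break
            total += len(buf)
    result["received"] = total


def greedy_sender(port, total_bytes):
    """Push total_bytes of simplex traffic as fast as the socket accepts it."""
    payload = b"\x00" * CHUNK
    sent = 0
    with socket.create_connection((HOST, port)) as s:
        while sent < total_bytes:
            sent += s.send(payload[: min(CHUNK, total_bytes - sent)])
    return sent


def single_stream_test(total_bytes=8 * 1024 * 1024):
    """One greedy stream; returns bytes sent/received and Mbit/s over the run."""
    srv = socket.socket()
    srv.bind((HOST, 0))          # ephemeral port
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}
    t = threading.Thread(target=discard_receiver, args=(srv, result))
    t.start()
    start = time.perf_counter()
    result["sent"] = greedy_sender(port, total_bytes)
    t.join()                     # receiver returns once the stream is closed
    elapsed = max(time.perf_counter() - start, 1e-9)
    srv.close()
    result["mbit_per_s"] = result["sent"] * 8 / elapsed / 1e6
    return result
```

Pointing HOST at a receiver on the far side of a tunnel turns this into the same kind of end-to-end measurement, with the VPN's encryption and MTU effects showing up as a drop in the reported rate.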
