VPN software boosts new Intel SOHO router
The Express 8205 is easy to use but needs a performance boost.
Today's enterprise routers, layered with VPN tunneling, firewall services and IP address administration tools, require considerable engineering skill to get up and running. So when Intel claimed that a single Windows application shipping with its new Express 8205 VPN Broadband Router enabled quick and easy deployment by small business and home users, we were justifiably skeptical.
It's a small unit, about the size of a cable-TV converter box. But it's designed to deliver everything needed to connect a telecommuter or branch office to the Internet - and over the Internet to other corporate sites through secure VPN tunnels. The system performs straightforward IP routing, offers network address translation services and can be a Dynamic Host Configuration Protocol server. The Express 8205 is also configurable as a VPN gateway, something you don't often find in a low-end, small office/home office-oriented router.
Ordinarily, VPN software runs on users' PCs, which then set up VPN tunnels through the local router, out over the Internet to a VPN gateway at a central site. With the Intel Express 8205, the VPN processing is consolidated in the router, which generally enables better administration and security than providing VPNs via client software.
We found the Express 8205's VPN support to be fully functional and complete in most respects. It supports all necessary VPN components: authentication via MD5 or SHA-1, various encryption algorithms, and key management options such as shared keys and scheduled rekeying.
However, the product does not support remote client access. That's where remote or traveling users run VPN client software on their laptops and dial in to the home office. The Express 8205's VPN support is site-to-site only, which means it provides secure tunnels to other sites equipped with a compatible VPN router.
Intel also provides some rudimentary firewall capabilities with this box. The user can apply rules for passing or restricting traffic based on network characteristics.
As router management goes, the Windows management application that comes with this system, called Intel Device View, is excellent. Device View provides an accurate image of the device, which the manager can click on to collect current data on the system, or a particular interface or VPN tunnel. On-screen help is good, and so is the ability to perform real-time monitoring and graph the results of traffic activity in several ways. Device View is an SNMP-based application, which uses ongoing polls to obtain device status and activity updates, and special commands called "sets" to perform configuration actions. Because SNMP is not inherently very secure, we were impressed to find that the administrator can readily limit the level of access that a management station gets.
We distinguished the management features of the Express 8205 router from installation and ease of use because the latter is not as well done as the former.
First, there's physical topology. There are two Ethernet interfaces on this fixed-configuration device. To connect to a WAN facility, you need another external unit - a DSL or cable modem. However, if you want to connect to a regular T-1 line you need another router-type device, one that takes Ethernet on one side and outputs T-1 on the other.
Then there's ease of use. Proper setup and configuration of this device is not as easy as Intel claims. The Device View application has an excellent configuration wizard, but it's not idiot-proof. Configuration is not especially intuitive, and due to the sheer complexity of router and VPN setup, you still need to know what you're doing.
In the performance category, the Express 8205 is average. Throughput is fine - meaning it achieves wire-speed - when conducting plain IP routing. However, the product is also sold as a VPN gateway, and that's where performance takes a big hit. We tested throughput using Triple-DES (see "How we did it," www.nwfusion.com, DocFinder: 3332), which is the strongest encryption processing the Express 8205 supports. With Triple-DES-encrypted data through one VPN tunnel, the maximum throughput is reduced to less than 750K bit/sec per direction, which is not enough to fill even half a T-1. For minimum-size, 64-byte packets, maximum throughput is 363K bit/sec for unidirectional traffic, or 187K bit/sec per direction for bidirectional traffic. With 1,462-byte packets, throughput peaks at 747K bit/sec in each direction.
The vendor's marketing materials claim, "VPN throughput up to 1.3M bit/sec." We can only conclude that this is based on a total of about 650K bit/sec in each direction. If this product is targeted at users likely to have T-1 connections, is maximum throughput that is only half a T-1's capacity adequate?
The Express 8205 VPN Broadband Router is a versatile product that features excellent management. The addition of VPN support is an uncommon and valuable benefit. The many functions the Express 8205 performs, including VPN tunneling, all work. The most notable concern, though, is throughput when encrypting data.

Brown is lab test engineer and Mier is founder of Miercom, a network consultancy and product test center in Princeton Junction, N.J. They can be reached at kbrown@mier.com or ed@mier.com.
