As the VPN market approaches maturity at a brisk pace, vendors have been forced to rethink the traditional identity of their IP Security-based technology for letting users securely access enterprise resources via the Internet.
During the last 18 months, vendors have pushed VPN technology into different devices, have lessened the distinction between VPN and firewall products, and have demonstrated a strong willingness to deviate from standardized technology to meet corporate remote access requirements (see product review). What remains lacking, though, are features that offer strong centralized VPN management.
VPN technology now is built into a variety of products at all prices. Linksys' line of EtherFast firewall/VPN routers, which includes software and hardware encryption models, ranges in price from $100 to $180. Only a year ago, products with this level of encryption acceleration were 10 to 50 times more expensive.
Likewise, at least a dozen companies sell VPN/firewall devices that are little more than Intel-based boxes running Linux, a freeware firewall, IPSec and a Web graphical user interface. These appliances are low-priced but lack security certification and offer little by way of quality control.
At the same time, the boundaries between firewall and VPN devices have merged, virtually eliminating the dedicated VPN device as a product category. With the demise over the past two years of Nokia's CryptoCluster, Cisco's 5000 series and products from the now-defunct Radguard and Redcreek, the last pure VPN devices have left the marketplace.
One way to evaluate combined VPN/firewall devices, says Nokia engineer Dan McDonald, is to recognize that some are better firewalls than VPN servers and vice versa. An example of the "big F firewall, little V VPN" devices is Secure Computing's Sidewinder, which has a perfectly capable VPN stack inside, but lacks in the areas of VPN manageability and functionality, such as in creation and management of large-scale site-to-site VPNs or in policy creation and distribution in remote access VPNs.
In the "little F firewall, big V VPN" category is Avaya's VSU series. Its mediocre packet filter is incidental to its outstanding VPN features.
This merger of firewall and VPN technology is good news for corporate network professionals on two fronts. The first is a greater opportunity to deploy VPN technology without having to compromise on network design. The second is enormous price pressure on all parts of the market in the customers' favor.
Centralized VPN management is not a problem that vendors have been able to solve. Skeptics charge that vendors don't care to solve it either, as doing so could open the door to multivendor VPN deployments. As Network World has proven in lab tests, building interoperable VPNs is not impossible - one can make almost any two IPSec products communicate. But managing all these VPN devices from a single point of view is not possible at this point in time.
Very few manufacturers have even started to think about what it takes to configure and maintain a VPN network with more than a dozen of their own nodes that changes in topology more than once a year. Cisco limped along with its Cisco Secure Policy Manager for most of this year but has recently introduced a management platform called CiscoWorks VPN/Security Management Solution Version 2, which the company says makes inroads into centralized management. Likewise, Check Point Software is making headway with its inclusion of management in its Feature Pack 2 of its NG firewall released in April. But again, in both cases, the vendors have addressed only management of their own devices.