Product Group Tests
IPsec VPN (2010)
CipherOptics series is the Best Buy this month for its performance and great enterprise features.
Netgear’s ProSafe SRX5308 v3.0.7-5 offers excellent value for money and is easy to use. We rate it Recommended.
Full Group Summary
IPsec allows networks and hosts to establish secure channels of communication. It seems like an important part of a security architecture, yet we read very little about it, says Michael Lipinski.
IP security is a set of protocols developed by the Internet Engineering Task Force to support secure exchanges of packets at the IP layer. It delivers a point-to-point security solution by authenticating and encrypting each IP packet. With options for transport or tunnel modes, you can choose between encryption of the entire packet or encryption of the payload only. Tunnel mode is typically used to create the traditional VPNs between gateways. Transport mode is used most commonly between hosts.
Since IPsec works at the IP layer, it has an advantage over technologies such as SSL VPN in that your applications do not have to be customised or aware to leverage the secure communications. Secure connections between unsecure and secure networks can also be accomplished without changes to the individual user devices or network infrastructure.
IPsec was developed as a framework and not as a policy, so that as long as endpoints agree on authentication and encryption mechanisms, you have flexibility and options in your deployments and configurations. This benefit comes at a cost, as there are a lot of options that must be dealt with in configuring and deploying gateways and host-based clients. Choices include: authentication verses authentication plus encryption; tunnel verses transport; hash type; encryption type; and key exchange options.
This month we focused our review on IPsec VPN products. The criteria for entry into this group was for solutions that provide encrypted point-to-point remote access using IPsec. Some focus on the delivery of this through a focused, purpose-built offering, while others offered the service as part of a combined security appliance, delivering additional features such as firewall, NAC, IPS, email/web filtering and SSL VPN options.
Some implementations focused on the client side IPsec software designed to support connectivity to any industry standard IPsec gateway. Others focused on the purpose-built appliances to deliver an enterprise meshed offering that could be inserted into the current LAN/WAN infrastructure with very little impact.
Our testing methodology for this group consisted of utilising the appliances as a gateway between our internal test network and the public internet. A number of the products delivered IPsec as part of a suite of security services. We did not focus on testing the additional security components other than what was required for us to pass traffic and gather reports or alerts.
We set up each appliance so that it sat on our public internet and provided IPsec connections from our internal clients or from a test machine coming through the internet. We utilised the vendor-provided IPsec VPN clients on our test endpoints to create various IPsec connections to the appliances.
Most of the setup on the appliance and client side was pretty straightforward. Some were a bit more complex than others but there were no negative experiences to report.
Most of the solutions delivered the traditional IPsec features and functions as expected. We discovered that some provided options, such as the ability to create custom packet-level encryption settings that would allow for more or less of a packet to be encrypted, supporting things such as NAT, QoS and the ability to track NetFlow stats, while still delivering payload encryption.
Some products provided tools for making policy changes to multiple appliances or deploying clients across a large, distributed enterprise deployment through minimal to single mouse click operations.
Throughout the review we noticed several observations, the first being that for a large enterprise-wide deployment, it would make sense to give a serious look at the purpose-built products. Not only did these provide the performance and high availability capabilities, but also the management and deployment features that will allow you to keep up with the numerous changes. The second observation was that a number of the solutions really made it easy for the small and medium-sized organisations to add this level of security to their overall architecture without requiring a high level of IT overhead.
After spending time with all of the products, you really would not go wrong with whichever one you choose to deploy.