Tunnel your way to secure communication

If you're a network or systems administrator, you've probably implemented some form of a VPN. As its name suggests, a VPN is a virtual private network connection over a public-access network, such as the Internet. VPNs were once exotic forms of dial-up connections that laptop users employed to connect to the corporate LAN. Today, VPNs take many forms—from a Windows NT RAS server's built-in PPTP connections to a full policy-based IP Security (IPSec) and Internet Key Exchange (IKE) scenario—and are attaining a significance that has Windows 2000 and NT server administrators and network managers devoting unprecedented amounts of time and money to VPN planning, implementation, and management.

A VPN has three primary goals. First, a VPN strives for privacy. Communicating parties want to make sure that no one else can read or see their communication. VPN products typically use encryption to address privacy. Second, a VPN offers integrity—a guarantee that the data arrives exactly as the sender intended (i.e., no one tampered with the message in transit). VPN products typically use an agreed-upon public-key private-key pair to address integrity. The third VPN goal is authenticity—a confirmation that the sender and receiver are who they say they are. VPN products typically employ digital certificates to address authenticity.

Because a VPN connection occurs over a nonsecure network medium, you must implement security measures. A VPN connection usually takes the form of a standard TCP/IP connection with an IP packet wrapped around the original packet. An encrypted payload inside this encapsulated packet is difficult to tamper with. This secure encapsulation is often called a tunnel. A server, called a gateway, on the corporate LAN acts as the tunnel coordinator and endpoint. Remote laptops or machines, called clients, typically run some form of VPN client software that monitors the tunneling with the gateway.
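The encapsulation described above, sketched as an added example that is not from the original article or from any of the reviewed products. It assumes a simplified ESP-style layout (SPI, sequence number, IV, ciphertext, truncated HMAC-SHA1) without ESP padding or trailer, uses a SHA-256 keystream as a stand-in for 3DES because Python's standard library has no block cipher, and all addresses, keys, the SPI, and the payload are constructed.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

ESP_PROTO = 50   # IP protocol number assigned to IPSec ESP
ICV_LEN = 12     # HMAC-SHA1 truncated to 96 bits, as IPSec does


class TunnelError(Exception):
    """Raised when the gateway must drop a packet."""


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    total = sum(struct.unpack("!10H", hdr))
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return hdr[:10] + struct.pack("!H", ~total & 0xFFFF) + hdr[12:]


def keystream_xor(key, iv, data):
    """Stand-in cipher (SHA-256 in counter mode); NOT 3DES, not for real use."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + iv + struct.pack("!I", counter)).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encapsulate(inner, enc_key, mac_key, spi, seq, client_ip, gateway_ip):
    """Client side: encrypt the whole inner packet, authenticate it, wrap it."""
    iv = os.urandom(8)
    esp = struct.pack("!II", spi, seq) + iv + keystream_xor(enc_key, iv, inner)
    icv = hmac.new(mac_key, esp, hashlib.sha1).digest()[:ICV_LEN]
    body = esp + icv
    return ipv4_header(client_ip, gateway_ip, ESP_PROTO, len(body)) + body


def decapsulate(outer, enc_key, mac_key, last_seq):
    """Gateway side: verify before decrypting; return (seq, inner packet)."""
    if len(outer) < 20:
        raise TunnelError("truncated packet")
    ihl = (outer[0] & 0x0F) * 4
    if outer[9] != ESP_PROTO or len(outer) < ihl + 16 + ICV_LEN:
        raise TunnelError("not a tunnel packet")
    esp, icv = outer[ihl:-ICV_LEN], outer[-ICV_LEN:]
    expected = hmac.new(mac_key, esp, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):      # constant-time comparison
        raise TunnelError("integrity check failed")
    _spi, seq = struct.unpack("!II", esp[:8])
    if seq <= last_seq:                             # simplified anti-replay check
        raise TunnelError("replayed sequence number")
    return seq, keystream_xor(enc_key, esp[8:16], esp[16:])


def demo():
    enc_key, mac_key = os.urandom(24), os.urandom(20)
    payload = b"USER alice\r\n"   # constructed bytes standing in for a TCP segment
    inner = ipv4_header("10.1.1.50", "192.168.10.20", 6, len(payload)) + payload
    outer = encapsulate(inner, enc_key, mac_key, 0x1001, 1,
                        "203.0.113.10", "198.51.100.1")
    hidden_addr = ipaddress.IPv4Address("192.168.10.20").packed
    result = {"payload_visible": payload in outer,
              "inner_addr_visible": hidden_addr in outer}
    seq, recovered = decapsulate(outer, enc_key, mac_key, last_seq=0)
    result["roundtrip"] = recovered == inner
    tampered = bytearray(outer)
    tampered[-20] ^= 0x01         # flip one ciphertext bit in transit
    for name, pkt, last in (("tampered", bytes(tampered), 0),
                            ("replayed", outer, seq)):
        try:
            decapsulate(pkt, enc_key, mac_key, last)
            result[name] = "accepted"
        except TunnelError as exc:
            result[name] = str(exc)
    return result


if __name__ == "__main__":
    print(demo())
```

An observer on the public network sees only the outer header's client and gateway addresses; the inner header and payload are ciphertext, and the gateway drops a modified or replayed packet before any decryption takes place.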

For this comparative review, I examine six Win2K- and NT-based gateway-and-client products: Citrix Extranet 2.0, Computer Associates' (CA's) eTrust VPN 2.1, F-Secure VPN+ 5.0, Network Associates' Gauntlet Firewall/Gauntlet VPN 5.5, Symantec's PowerVPN 6.5, and Check Point Software's VPN-1 Gateway 4.1. You'll see that some of these products are also bundled with—or are additions to—firewall software. Apparently, security-software manufacturers understand that many companies are looking for a one-stop VPN-and-firewall solution. However, my review doesn't cover firewall functionality. With each product, I attempted simply to implement a small VPN solution. If that implementation required me to install a firewall component, then I did so.

The Test Environment
My test environment represented a corporate dial-up VPN scenario, as Figure 1, page 102, shows. I used a Compaq ProLiant 6400 rack-mount server for the test gateway. This server ran NT Server 4.0 Service Pack 6a (SP6a) and had four 550MHz Pentium III Xeon processors with 1.8GB of RAM and a 50GB RAID-array volume. Under a typical VPN load, all the products in this review could safely run on a server equipped with one Pentium III processor with at least 256MB of RAM. However, a multiprocessor server is preferable. (Encryption algorithms, for example, take CPU cycles for each connection.)

My test client was a Hewlett-Packard HP OmniBook Xe2 with a 500MHz Pentium III processor and 128MB of RAM, running Windows 98. The gateway used two NICs. To simulate a mail server or application server, I used an AMD K6-233 PC on the network behind the gateway. Although I based my testing on simple connections between a gateway and a client, most of these VPN solutions also let you use multiple gateways to securely connect multiple private networks.

Before I describe my test results, I should note that VPNs are becoming inherently complex and require significant planning and foresight to implement correctly. Long gone are the days of PPTP or simple Point-to-Point Protocol (PPP) connections to NT RAS servers. Rolling out a good corporate VPN solution requires fundamental knowledge of TCP/IP, routing, data security, and encryption. If the product you choose contains firewall functionality, you have even more to consider. I caution less experienced administrators to research these technologies—as well as these products—before installing a VPN solution on their corporate network. If your company has migrated to a Win2K Active Directory (AD) server-domain structure, you should first consider the OS's decent built-in VPN capabilities. For more information, see the sidebar "What About Win2K?"

The Final Analysis
A VPN solution for your enterprise must be secure, scalable, and easy to use. All the products in this comparative review are secure—at least secure enough so that intruders using standard tactics will experience extreme difficulty hacking them. All the products can use the latest Triple Data Encryption Standard (3DES) encryption algorithms, along with MD5 or Secure Hash Algorithm-1 (SHA-1) hashing, and all but one use IPSec and IKE for their VPN architecture.

A few of the products require a fair amount of preparation to ensure proper installation and successful rules generation. Other products are easier to install and are ready for implementation in minutes versus hours. In general, however, ease of installation and time to production aren't necessarily fair measures of any data security product. VPN and firewall software are by nature fairly complex.

When I recommend a product, I try to keep the readers' networks in mind. Large companies that have large NT networks typically have a high level of core knowledge and a big budget to work with. Their IT talent pool is substantial, and therefore their VPN choices are broader. For large companies, I recommend F-Secure VPN+ and VPN-1 Gateway. Both are extremely complex yet competent security packages that are based on many years of data-security experience. F-Secure VPN+'s advanced client-rollout features, along with an extremely granular policy builder, are powerful tools in a large installation. VPN-1 Gateway's flexible client-security levels and its excellent policy editor make this product a good alternative for the enterprise VPN. The product's architecture also includes an impressive firewall package that has long been an industry favorite. F-Secure VPN+ isn't a VPN-and-firewall solution, so if you're running a UNIX-based or hardware-based firewall and you're shopping for an enterprise-class VPN, you should take a hard look at the F-Secure product.

In contrast, a small company might not be able to afford the IT staff or consulting necessary to roll out a VPN solution as complex as VPN-1 Gateway or F-Secure VPN+. Small companies might want to consider a one-platform VPN-firewall combination product. Some of these products, such as Gauntlet and PowerVPN, are available bundled with extremely functional firewalls. You might also find this combination of functionality appealing if you're shopping for a VPN-and-firewall solution or are considering a second firewall.

The eTrust VPN package offers the easiest setup process, making it a strong alternative for smaller or less experienced offices. Unfortunately, the product's lack of support for IPSec might preclude it from larger offices that have already standardized their network security on IPSec. Gauntlet is also easy to use; its PGPNet client is extremely functional. If your company employs mobile users or local users who need additional desktop-hardening and local-encryption capabilities, I highly recommend Gauntlet. Because it uses IPSec and IKE, the product's configuration is more involved than that of eTrust. However, Gauntlet gives you a full-fledged firewall and VPN solution.

PowerVPN is a solid pick for a small to midsized office and is a great bargain if you need firewall functionality—the firewall add-on costs only $500. PowerVPN is easy to set up, and its mobile client is impressive. The product's use of Microsoft Management Console (MMC) makes administering PowerVPN a snap.

All six of these VPN solutions are solid security products that provide high levels of VPN functionality. However, I give a slight edge to VPN-1 Gateway as a product that can fit comfortably in any environment. Check Point's solution is reasonably priced (particularly if you need a firewall on top of your VPN functionality), offers outstanding documentation and support, and is scalable to environments of just about any size. The price leader is F-Secure VPN+, which is a great standalone VPN solution, provided your IT group can handle its high complexity level.

Citrix Extranet 2.0
Citrix's involvement in the VPN market is no surprise. The company's Extranet is essentially a secure way to deliver applications to remote users through a VPN tunnel. This functionality fits nicely into Citrix's existing line of MetaFrame and WinFrame application servers.

Extranet is a VPN-only, firewall-independent product. The shrink-wrapped CD-ROM comes with no hard-copy documentation. The accompanying PDF files are quite voluminous and are fairly difficult to follow because the documentation includes instructions for the Sun Microsystems' Solaris version of this product.

I installed the Extranet server component on my gateway server. The installation is simple; however, the license-key registration and certificate registration process is tedious. The product required that I register my license key at Citrix's Web site. I proceeded through an elaborate registration process that recorded my company information and CD-ROM serial number. Next, the software prompted me to use the company's Web interface to upload Citrix's proprietary keyname.has, keyname.pub, and sci.ini files. Then, I was able to download valid certificate and license files: keyname.cer and vone.lic. I copied these files into my Extranet installation's \data directory.

After I copied the new certificate file and license key into the appropriate directories, I rebooted the server. Then, I installed the client on my test laptop and rebooted the laptop. When I first ran the client, the software prompted me to move the mouse pointer to a certain area on the screen to generate a random key.

On the gateway server, I created a new user. After I activated the new user, I registered my client on the gateway through a Web browser. (Road warriors need only to connect to the Extranet server to register.) I performed the remainder of the configuration at the Compaq gateway server, from the Citrix Extranet Admin console, which Figure 2 shows. (You can also install the Extranet Admin console on a remote workstation, but you must establish rules so that the remote console can connect properly.) Although the client interface is intuitive, the tab-based GUI of the Extranet Admin console lacks direction.

After I registered my laptop through the Web browser, I began the multistep process of creating a unique authentication token on the client laptop. Extranet supports many forms of authentication, including Remote Authentication Dial-In User Service (RADIUS) and RSA Security's RSA SecurID. After I registered myself, I started building rules and access channels for the user. I discovered that I could also set up groups of clients, then establish rules based on those groups. For example, I could set up a series of user IDs for the accounting group, then create rules based on that group of IDs.

I set up my back-end server and established the connection from my remote laptop through the Extranet VPN gateway. The successful connection required a few settings tweaks, but I was finally able to FTP from my laptop to the back-end server through Extranet. Because I wasn't connecting through a firewall in this setup, I didn't need to worry about which Extranet and Citrix ports I used in my test network. However, in a production environment, this product requires extra firewall configuration to ensure the use of the correct ports.

Extranet is a good VPN gateway with an above-average complexity level. Extranet lets the client use many different authentication types to verify user information with the gateway; therefore, the product provides nice flexibility for the firewall and the client side of the equation. Extranet's price is about average among its competitors; unfortunately, current MetaFrame and WinFrame shops get no price breaks.

Citrix Extranet 2.0
Contact: Citrix * 954-267-3000 or 800-437-7503
Web: http://www.citrix.com
Price: About $12,500 for 100-user license
Decision Summary
Pros: Flexible client installation; numerous authentication types; full-featured IP Security and Internet Key Exchange VPN functionality
Cons: Confusing documentation; unintuitive administration console

eTrust VPN 2.1
eTrust VPN is a VPN-only gateway-and-client product. Both the client and server component come on one CD-ROM. The printed documentation is a bit skimpy, but the online PDF files are helpful. The product includes no firewall functionality but offers plenty of packet-filtering and protocol-filtering mechanisms.

The product's architecture lays its foundation on groups of servers. Each server accessed through the VPN can belong to only one group, so you can set up rules at a granular level. In addition to this unique approach, eTrust doesn't use IPSec or IKE. (For more information about IPSec and IKE, see the sidebar "IPSec and IKE: New VPN Standards.") Instead, eTrust uses a proprietary tunneling protocol running on port 509 and an RSA Cryptosystem-based 1024-bit public-key and private-key exchange. I asked CA's technical support about the product's proprietary approach. According to CA, you can wrap the encrypted packets around other IPSec packets to maintain an IPSec tunnel through a compatible router. However, this approach adds CPU overhead to the network devices. Although I wouldn't go so far as to call CA's approach a drawback, bypassing a strong, growing standard such as IPSec is certainly unusual.

Another unusual aspect of this product is the requirement that the management interface must sit on a Win2K or NT server instead of a workstation. I chose to install the management component on the same server as the gateway, but I found that scenario somewhat constricting. (I prefer placing the management GUI on my desktop.) I performed a simple installation of the eTrust gateway on my Compaq 4-way server. The installer walked me through the necessary configuration parameters.

The architecture of eTrust is based on server groups and local client policies. You set up server groups, then base your policies on these groups. The client also sets up a local policy for connections to nongroup members.

When the client connects to known groups, it obtains the public key and uses the group policy that you specified on the management server to create a secure tunnel. A known group is a group with which the client has already established a secure connection. If the client connects to an unknown group or vice versa, you have a more complicated situation. An unknown group is essentially an eTrust group not previously defined as known and from which the client hasn't retrieved the public key.

You can set the client to dynamically retrieve the key and add the group to the known list, or you can set the client to simply deny the communication. The client and server installer places on the task bar a small eTrust icon that can show one of three colors: green for a secure group-based tunnel, red for a nonsecure status, and gray for a secure connection based on local client settings to a nongroup-based eTrust client. After you spend some time working with group communications and nongroup communications, you'll become more confident in your ability to configure eTrust in environments of any size.

The eTrust management interface is more wizard-based than the other products' interfaces are. The eTrust VPN Administrator Wizard, which Figure 3 shows, walked me through the steps of creating a new server group on my management server. I included the gateway server in that group, specifying the gateway by IP address. I created the policy so that only group members could attach to the server; I also allowed use of the FTP protocol, although I could choose from most of the major authentication types, such as SecurID and RADIUS. I used 3DES as my encryption protocol. I set the FTP protocol rule to not require any authentication. I created a one-time password that an unaffiliated server would use to join the group. (An unaffiliated server isn't part of the defined server group but will participate in the VPN environment—for example, clients that connect through the VPN for resources will see the whole group of servers, which might include newly affiliated servers.)

I then installed the client component on my test laptop and connected to the back-end host server. No configurations were necessary on the client, and I was able to establish an FTP connection. I noticed that the status icon on my client was green, indicating a secure group-based tunnel. Although eTrust doesn't let you distribute clients remotely, you can purchase CA's Uniserve, an enterprise monitoring and management tool, to perform this task.

eTrust is a fascinating product that might find success in NT or Win98 shops that need a low-profile VPN solution but already have an established firewall provider. The easy installation and wizard-based configurations are definite benefits, but make sure you completely understand CA's unusual VPN architecture before you purchase this product.

Pricing will also be a determining factor with eTrust. An enterprise gateway server license (which lets your clients connect securely to the corporate side of the network), along with 100 client licenses, costs a whopping $14,000 ($4000 for the administrator and gateway components and $100 per client). If you require tunneling all the way to the corporate server (as opposed to tunnels into the corporate network), each additional server license will cost $4000.

eTrust VPN 2.1
Contact: Computer Associates * 631-342-5224 or 800-225-5224
Web: http://www.ca.com
Price: $4000 for one gateway server; $100 per client
Decision Summary
Pros: Simple setup of server and client; quick wizard-based policy building; transparent client
Cons: Product's proprietary approach doesn't support IP Security

F-Secure VPN+ 5.0
F-Secure VPN+ is a firewall-independent, VPN-only solution that caters to large environments that might already have a firewall platform in place. F-Secure VPN+ is an IPSec- and IKE-based product that is far more complex than the other products in this review (except for VPN-1 Gateway).

Before I started the installation process, I took time to read through the excellent printed documentation. (I recommend that you do the same because a blind installation of F-Secure VPN+ can be fairly intimidating.) This multi-tiered product consists of three main components:

  • Policy Manager Communications Directory Server, which is a repository for VPN policies (i.e., rules for VPN connections), certification requests, and approved certificates retrieved from VPN+ hosts.
  • Policy Manager Console, which consists of the F-Secure Administrator and Certification Wizard. You use these two components, which communicate with the Policy Manager Communications Directory Server, to build and deploy policies for each host.
  • VPN+ hosts, which include the clients, servers, gateways, and enterprise gateways.

I decided to also install the Policy Manager Console on the same server (i.e., the Compaq gateway server) on which I installed the Policy Manager Communications Directory Server system. The documentation recommends installing Microsoft IIS on the Policy Manager Communications Directory Server system. However, after digging a little deeper, I discovered that smaller installations can bypass the Policy Manager Communications Directory Server installation and instead use a standard shared folder to store the VPN policies and key requests on the Policy Manager Console server. For larger rollouts, I would use the IIS and shared-network-directory options, which provide greater scalability. For my test environment, the combination of the Policy Manager Communications Directory Server and the Policy Manager Console was ideal.

On the gateway server, I created a directory called \gateway\commdir off of the large D: RAID array. Then, I created an NT domain account that had Read rights to only this directory. Finally, I installed the Policy Manager Console on the big server. The easy installation then asked what type of communications directory I wanted to use. I selected the local directory, then finished the installation with a required reboot.

The first time you run F-Secure Administrator, it asks for a new seed key (which a simple mouse movement generates), initializes the new communications directory server, then asks for a new console passphrase. The software also prompts you for a communication directory location—after all, you might have a multitude of communication directories to manage in your enterprise. Finally, you need to determine how often F-Secure Administrator looks in the communication directory for new policies to distribute to hosts and for certificate requests to process.

The F-Secure Administrator console, which Figure 4 shows, consists of a series of panes. The Policy Domains pane shows the various policy domains that you've created. The necessity of separate policy domains will be different from site to site—for example, you might need a policy domain for two separate business groups that have different security needs. I created one policy domain. The Properties pane displays a policy's various properties. On the Policy tab, you can make changes to a policy. The Reports tab contains log information that F-Secure Administrator generates. The interface is logical but crammed with information.

I added a new policy domain for my test lab, then tried to use the NT Domain Autodiscover Windows Host option to add my laptop to the new domain. But because my laptop was running Win98, the autodiscover option couldn't add the laptop to the policy domain. I needed to first install the F-Secure Management Agent, then import the information into F-Secure Administrator.

Overall, adding policy domains and members is fairly straightforward. You can remotely install the client component without even touching the remote hosts—a major benefit for rollouts of any size. I created a generous policy for my test environment and accomplished a simple ICMP ping connection between my test back-end server and my test laptop. Although the product is complex, after spending a few hours with its setup and configuration, I found that I was working with a capable and scalable product.

F-Secure VPN+ is a complex package. To roll it out successfully, you need to plan the implementation before you even open the CD-ROM's jewel case. However, if you've adequately prepared for the product, F-Secure VPN+ is the most complete VPN-only solution on the market. I would recommend this solution to any midsized to large enterprise that needs a robust IPSec-based VPN solution. F-Secure VPN+'s cost structure is similar to that of eTrust. If your IT staff can manage F-Secure VPN+'s high complexity level, this product offers an excellent value.

F-Secure VPN+ 5.0
Contact: F-Secure * 408-938-6700 or 888-432-8233
Web: http://www.f-secure.com
Price: $2490 for one gateway server; $100 per client; each additional secured server connection costs $595
Decision Summary
Pros: Great value; granular VPN flexibility; thorough documentation; IP Security and Internet Key Exchange protocol support; impressive scalability
Cons: High learning curve; involved installation and planning phases

Gauntlet Firewall/Gauntlet VPN 5.5
Gauntlet Firewall/Gauntlet VPN is a firewall-and-VPN combination product. The software, which uses a standard IPSec and IKE architecture, doesn't come with a VPN client; I needed to download Network Associates' PGPNet, which is the company's VPN client product. PGPNet is a full desktop encryption package that lets remote users encrypt portions of the local hard disk, set up digital signatures for various email clients, and participate in VPN communication with any IPSec-based gateway. The documentation is adequate but scattered across several manuals.

My test environment was a simple single-gateway setup. The product's impressive installation process scans your system and reports any perceived configuration roadblocks that might hamper installation. On my large gateway server, this process found two idle NICs that didn't have the TCP/IP protocol bound to them. Therefore, the entire installation process terminated. I removed the two dormant NICs from the network bindings and rebooted. The second time around, the installation proceeded without a hitch but warned me that Network Associates had not fully tested my version of NT Server (i.e., SP6a) with Gauntlet. Such proactive measures are extremely helpful.

The remainder of the installation consisted of a typical firewall installation, complete with private and public network interface delineations. (Network Associates refers to the internal interface as trusted and the external interface as untrusted.)

Gauntlet's UI is compact, as Figure 5 shows, and easy to navigate. You'll find all the product's VPN functionality on the GUI's VPN tab.

I decided to create a new VPN link. Gauntlet lets you choose from three types of VPN links:

  • Private link—The product's firewall proxies encrypt and inspect this link. You would use a private link to connect to an untrusted or foreign network.
  • Trusted link—This link is a VPN connection to a known network that the proxies encrypt but don't inspect.
  • Pass-through link—This link permits all VPN traffic through the firewall without inspection.

I set up a roaming-client tunnel (i.e., trusted connection) between my test laptop and the back-end server. For the sake of simplicity, until this point in my testing, I had been using preshared keys to establish tunnels. However, Gauntlet requires that you use an IKE-type key exchange to establish the client tunnel. I wouldn't call this requirement a drawback because most companies with large-scale VPN rollouts establish a more convenient and secure method than shared keys. But in some situations, for the sake of simplicity, I prefer to use a shared-key mechanism to establish the encryption.

Gauntlet's documentation walked me through the process of setting up a public key infrastructure (PKI), from the initial download of certificates to the creation of key-exchange policies. I successfully established a key exchange and communicated through the tunnel to the back-end server.

Gauntlet is compact, user-friendly, and utilitarian in design. The product gives you nearly every feature that you'll find in some larger firewall products and supports the Data Encryption Standard (DES), 3DES, and CAST128 encryption algorithms. (Network Associates recommends using CAST128 for the highest level of security.) The easy-to-use client component includes a desktop encryption package that lets users set up secured areas on their hard disk and digital signatures for their email. The product's price is higher than that of most of the other products. However, the PGPNet client offers increased functionality (e.g., client-side hardening and encryption features) rivaled only by the feature set of Check Point's SecureClient product.

Gauntlet Firewall/Gauntlet VPN 5.5
Contact: Network Associates * 408-346-5101 or 800-338-8754
Web: http://www.nai.com
Price: $5000 for 100-user server license; PGP+ costs an additional $7600 for 100 users.
Decision Summary
Pros: Compact UI; easy setup and licensing; IP Security and Internet Key Exchange VPN standards; extremely functional PGPNet client
Cons: VPN client costs extra

PowerVPN 6.5
Before its acquisition by Symantec, AXENT Technologies was no rookie in the data-security industry. The recent acquisition should introduce no major changes to the product, but I'm hoping for improved technical support.

Symantec shipped me PowerVPN on one CD-ROM. The software's client component, RaptorMobile (named after Symantec's Raptor firewall software), arrived on a separate CD-ROM. No hard-copy documentation accompanies the product, but the PDF files are fairly well written.

Although the latest version of PowerVPN isn't compatible with Win2K, you manage the product through MMC. PowerVPN runs equally well on NT Workstation and NT Server; I chose to run the product on NT Server. The product's system requirements vary depending on the number of connections that the system must handle. The vendor's technical support told me that version 6.5 was unlikely to consume more than 512MB of RAM, so keep that number in mind before you buy a gigabyte of RAM for your new PowerVPN system.

To get the product running on my gateway server, I ran the PowerVPN installer, which detects whether MMC is already installed on your server. (If necessary, the system automatically installs MMC 1.2.) The simple setup took 10 minutes. After I rebooted the newly installed firewall and VPN gateway, I opened the PowerVPN management console on the gateway server and began setting up my test VPN.

After analyzing the documentation, I decided to set up several network entities, including a local subnet, a VPN gateway, a RaptorMobile client machine, and a user. With these entities in place, I could assemble a tunnel. PowerVPN lets you specify the RaptorMobile entity as a static IP address or a dynamic address. I used the static address of my test laptop's "public" network connection, as Figure 6 shows. I set up a simple key-exchange profile that used preshared keys instead of IKE. To complete the security-profile setup on the MMC console, I used 3DES for encryption and MD5 for hashing. A one-time setup key is associated with the user ID. I saved the new settings, completing all my changes on the console.

Because of these requirements—the preshared key, user ID, password, and one-time setup key—I needed to write down a lot of information from the gateway server before installing the RaptorMobile component on the notebook. If I'd used IKE, this notetaking would have been unnecessary. With IKE, preshared keys aren't necessary, and you can base the user IDs on an NT domain database, so users can log on with their corporate network logon credentials.

I completed the fairly simple RaptorMobile client installation on my test laptop. After I rebooted the notebook, I used the gateway IP address, user ID, password, one-time setup key, preshared key, and 3DES encryption and MD5 hashing algorithms to establish the tunnel through the gateway. The connection worked fine on the first try—I was able to ping the back-end server. PowerVPN's log feature gave me all the necessary information about my new tunnel connection, including encryption type and the RaptorMobile client's username and IP address. I then set up advanced filtering on my tunnel to allow only an SMTP ping instead of an Internet Control Message Protocol (ICMP) ping. Everything worked as I expected.

PowerVPN and the RaptorMobile client make up an excellent VPN solution. Although the unintuitive interfaces of some MMC-based VPN solutions that I've seen have made me cringe, this product's implementation works well and is easy to learn. My primary concern is the lack of technical support—a shortcoming that Symantec would do well to address. (I don't enjoy rolling out a major component of my network security without being able to talk to a technician.) PowerVPN's price is a little below average, considering the supported number of users and the degree of functionality. For another $500, you can add the Raptor Firewall, making the combination license a strong bargain.

PowerVPN 6.5
Contact: Symantec * 301-258-5043
Web: http://www.symantec.com
Price: $7495 for 25-user to 100-user license
Decision Summary
Pros: Reasonable price; user-friendly interface; easy setup and licensing; full-featured firewall; excellent VPN functionality; minor hardware requirements
Cons: Poor technical-support response; inability to take advantage of large amounts of RAM

VPN-1 Gateway 4.1
Primarily known for its excellent firewall products, Check Point also has a foothold in the VPN market. Check Point sent me the VPN-1 Gateway SP1 package, its combination VPN-1 and Firewall-1 product for NT Server. (The VPN-1 management and firewall modules don't support Win2K.) The hard-copy and PDF-based documentation effectively describes the technology and the complex software. The inclusion of a Recommended Reading section is a nice touch.

The installation, however, wasn't as pleasant. I ran the standard Check Point installation program on my test gateway and found myself in an annoying installation loop. Check Point had sent me an invalid evaluation license key, so the installation failed. Because the installation failed, the process never installed the uninstallation program. Therefore, I had a half-installed firewall-and-VPN gateway. After a brief call to Check Point's extremely helpful technical support team, I obtained a new key. With the new key, I completed the installation and was ready for configuration.

You must install the software's firewall component—a requirement that might be a disadvantage if you already have another vendor's firewall in place. (Running two firewalls is becoming increasingly common, however.) The VPN-1 Gateway architecture is a bit more distributed than that of other VPN solutions, but the installation program gives you the option of installing the management and firewall modules on one server. VPN-1 Gateway consists of three components: the Policy Editor GUI, in which you manage the policies and configure VPN and Firewall services; the Management Module, which stores all the policies, databases, logging files, and other object information files; and the Firewall Module, which inspects the packets on its defined network interfaces. I installed the Policy Editor on the back-end host behind the gateway, and I installed the Management Module and Firewall Module on the Compaq gateway.

You can connect the VPN clients to VPN-1 Gateway in two ways. You can use the SecuRemote client, which is a typical VPN client that lets remote (i.e., Internet-connected) and local (i.e., intranet-connected) users establish secure tunnels to VPN-1 Gateway. Alternatively, you can use the more secure SecureClient.

The SecureClient has a nice feature that lets you dictate to remote clients how the system handles incoming connections. You can use the Policy Editor to set up policies that deny incoming connections to the remote client, thereby ensuring that an intruder can't "piggyback" a connection from the gateway to the client. (A piggyback attack occurs when an intruder exploits the remote VPN client's vulnerability and breaks into the corporate network through the remote client's established tunnel.) You install SecureClient on the remote PCs—and local PCs, if you want to establish a VPN on the local private subnet—that you want to tunnel into the corporate LAN.

I installed the SecureClient on the test laptop. The SecureClient installation is somewhat less rigorous than a full firewall installation, but I wouldn't want to perform the installation over the phone with a CEO. You can choose from an assortment of authentication mechanisms—from a gateway-established user account and password to a more elaborate mechanism such as RADIUS or RSA Security's SecurID. I chose the simple gateway user ID and password mechanism.

The documentation was indispensable as I set up users, groups, encryption domains, and tunnels—all of which the product requires for proper operation. I quickly set up a temporary user, all the appropriate network entities, and the rules to which my test laptop would adhere when connecting into the back-end host behind the gateway.

I launched the Policy Editor, which Figure 7 shows, and successfully connected to the gateway. Policy Editor boasts the impressive and popular Check Point firewall interface, and VPN administration is essentially a function of firewall administration. Only after you learn the fundamentals of the Check Point firewall and Policy Editor will you be able to set up appropriate rules for VPN communication—and standard Check Point firewall schemes.

The bottom line is that this solid product is a firewall solution that gives you VPN functionality. Because of the product's comprehensive and complex nature, its installation was cumbersome. The configuration was also difficult, but after delving into the excellent printed and online documentation, I finally established a tunnel between my remote laptop and back-end server. VPN-1 Gateway's price is reasonable when you compare the product's excellent support and abundant features with those of its competitors.

Choose Carefully
Implementing a VPN solution on a network can be expensive and labor-intensive, especially if the solution involves a firewall installation. Take your time, read the documentation twice, install the demonstration versions, and choose wisely.

VPN-1 Gateway 4.1
Contact: Check Point Software * 650-628-2000 or 800-429-4391
Web: http://www.checkpoint.com
Price: $15,500 for 100 users (with SecureClient)
Decision Summary
Pros: Excellent documentation; great GUI; full-featured firewall; good flexibility
Cons: Tedious installation and licensing; expensive (if you don't need the firewall functionality); complex configuration