Solitary Guard or Army?

By eweek  |  Posted 2001-06-11 Print this article Print

D-Link and Linksys sell their products for $120 and $129, respectively.

D-Link and Linksys sell their products for $120 and $129, respectively. Those are simply unbeatable prices if all your price-conscious client wants is a basic level of protection from the outside world. Do they ship with a VPN? Nope. Encrypted remote management? No. RADIUS and LDAP authentication? No way. For those features—and other advanced features such as integration with a global management system—youll need to acquire one of the products from NetScreen, Watchguard and SonicWall, which quadruples the price right off the bat. With the VPN and other add-ons, the once reasonable low price can skyrocket to $1,000 or more. So how should you choose which product is best for your client?

To connect offices securely, there are two options available: private line and a virtual private network (VPN). Private lines are often expensive (less so if it doesnt connect to the Internet), but offer unparalleled security and guaranteed throughput. VPNs drop the price, encrypting data over the Internet, but are more prone to the bandwidth inconsistencies of the Internet as well as security risks in exposing the network to the outside world.

Only the products from NetScreen, Watchguard and SonicWall ship with an IPSec VPN (IETF standard thats more secure than PPTP), which enables office-to-office encryption, but that functionality can double the price of the product. Four of the five products we reviewed support PPTP and IPSec passthrough, which means you can set up a separate VPN server behind the firewall or deploy VPN clients to the computers—both options add to the complexity of the network, the former for you, the latter for your client.

Another consideration for office-to-office connectivity is the capability to authenticate with RADIUS servers or LDAP. RADIUS has been widely used to associate user access with billing, important for cost centers in enterprises as well as for ISPs, while LDAP is up and coming. Only the NetScreen-5XP authenticates both LDAP and RADIUS, while the SonicWALL SOHO supports RADIUS authentication.

Finally, remote management is especially important for office-to-office connectivity. A branch office and telecommuter probably wont have the IT expertise to manage the firewall. Fortunately, all of the products come with some sort of remote management (all have Web-based management interfaces), but the inexpensive Linksys EtherFast BEFSR41 and the D-Link DI-704 are unencrypted, relying on username/password and an IP address. Passing username and password information is not necessarily bulletproof and can be a threat, especially from degenerates inside the network or anyone that can hack a border router.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel