NFR Wizards Archive: Re: VPN and firewalls

Re: VPN and firewalls


Rick Smith (smith@securecomputing.com)
Mon, 9 Feb 1998 13:32:12 -0600


At 9:45 AM -0700 2/6/98, Rik Farrow wrote:
>I am curious about why people are choosing VPN solutions which
>are independent of firewalls, for example, Aventail or TimeStep.

I suspect it's because VPNs are still evolving, and people are simply
taking advantage of the product mix. I have yet to see two VPN crypto
implementations that really have exactly the same features, so it could be
that the buyers were charmed by particular features of the independent VPN
products. Or perhaps they already had firewalls in place that they didn't
want to mess with. Or perhaps the part of the enterprise interested in VPNs
is separate from the group handling the firewall. There are lots of
possibilities, both technical and non-technical. Perhaps the sales people
got lucky.

>Do people poke these streams through their firewalls?

This seems to be the popular approach, especially since that's the way most
firewalls do VPNs. We tried to force everyone through the firewall filters
on Sidewinder and had lots of customer resistance. Now there's a way to
route IPSEC traffic around it.

>Is it a matter of performance?

I could see a busy site trying to do this, since this is a plausible way of
dividing up the processing effort among multiple devices. However, I've
never seen a serious performance test to show the relative benefits.

Keep in mind that there's no guarantee that a "hardware" crypto
implementation will run faster than one in software. Given the speed of
modern processors, especially if the work fits in the processor cache, the
hardware implementation has to be pretty good to keep up. A mature, stable
hardware product may be using an older programmable logic technology with a
cycle time comparable to the latest CPU chips.

>Why pay extra for VPN capability which is already included in many firewalls?

It's not always free in the firewall -- in the past we've sold it as an
extra cost option. I don't know what our current pricing structure is, and
I can't speak for other vendors.

Rick.
smith@securecomputing.com Secure Computing Corporation
"Internet Cryptography" at http://www.visi.com/crypto/ and bookstores



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:10:32 CDT