Firewall Wizards mailing list archives
Re: VPN and firewalls
From: Rick Smith <smith () securecomputing com>
Date: Mon, 9 Feb 1998 13:32:12 -0600
At 9:45 AM -0700 2/6/98, Rik Farrow wrote:
> I am curious about why people are choosing VPN solutions which are independent of firewalls, for example, Aventail or TimeStep.
I suspect it's because VPNs are still evolving, and people are simply taking advantage of the product mix. I have yet to see two VPN crypto implementations that really have exactly the same features, so it could be that the buyers were charmed by particular features of the independent VPN products. Or perhaps they already had firewalls in place that they didn't want to mess with. Or perhaps the part of the enterprise interested in VPNs is separate from the group handling the firewall. There are lots of possibilities, both technical and non-technical. Perhaps the sales people got lucky.
> Do people poke these streams through their firewalls?
This seems to be the popular approach, especially since that's the way most firewalls do VPNs. We tried to force everyone through the firewall filters on Sidewinder and had lots of customer resistance. Now there's a way to route IPSEC traffic around it.
> Is it a matter of performance?
I could see a busy site trying to do this, since this is a plausible way of dividing up the processing effort among multiple devices. However, I've never seen a serious performance test to show the relative benefits. Keep in mind that there's no guarantee that a "hardware" crypto implementation will run faster than one in software. Given the speed of modern processors, especially if the work fits in the processor cache, the hardware implementation has to be pretty good to keep up. A mature, stable hardware product may be using an older programmable logic technology with a cycle time comparable to the latest CPU chips.
> Why pay extra for VPN capability which is already included in many firewalls?
It's not always free in the firewall -- in the past we've sold it as an extra cost option. I don't know what our current pricing structure is, and I can't speak for other vendors.
Rick.
smith () securecomputing com    Secure Computing Corporation
"Internet Cryptography" at http://www.visi.com/crypto/ and bookstores