nanog mailing list archives

Re: Alcatel-Lucent VPN Firewall Brick


From: "Justin M. Streiner" <streiner () cluebyfour org>
Date: Mon, 26 Oct 2009 12:36:08 -0400 (EDT)

On Mon, 26 Oct 2009, Jay Nakamura wrote:

> Looking for input on Alcatel-Lucent VPN Firewall Brick.  I can look up
> spec and other published information but, as always, the devil is in
> the detail and you just never know what wall you run into until you
> actually try it so I wanted to see if anyone has used this and can
> point out good/bad things about this device.
>
> Our other option is Cisco IOS router right now.  Are there better
> options than these two?

Fair warning: v6 honestly seems to have caught most firewall vendors with their pants down.

I've had Lucent Bricks hanging around here in various capacities for some time, and have been involved in several bake-offs to some degree. Granted, the bricks we have are older models (1100s, mostly). We're looking at some new options as well, as a number of ours are going EOL soon.

Good:
* The code and a basic config are very small - just enough to get it on the
  network to communicate with the LSMS server and download its full
  config.
* Support is reasonably responsive.
* Rule changes can be staged pretty easily in the LSMS, and then the
  changes can be applied later, if you only do changes during maintenance
  windows.
* IPSEC LAN-to-LAN VPN interoperability is pretty good.  It can take a few
  tweaks to get things working with different vendors, but I've gotten
  VPNs working with Cisco routers, Cisco PIX/ASAs, Linksys, Checkpoint,
  Netscreen, etc...
* It does do TCP state enforcement (can be disabled) and you can configure
  the timeout if you enable enforcement.
* It does layer-2 firewalling, if you need it.
* Does partitions, which provide VRF-like functionality.
* Rate limiting and NAT are supported, but I don't know how robust the NAT
  support is - we don't use it.
* Logging is fairly robust but somewhat cryptic - it's not in a standard
  syslog format.  Writing a script to parse the logs and make them a
  little more human-friendly or convert them into a syslog format would be
  pretty straightforward.  Newer versions of LSMS might provide the option
  of logging in a syslog-compatible format.

Bad:
* Without the LSMS server(s), the Bricks are, quite literally, bricks.
  All of the management has to be done through the LSMS and its Windows-
  only GUI.  There is a command-line interface, but it is not very robust.
  Newer versions of LSMS might have a web front-end, but I don't know for
  sure.  If there is a web front-end to LSMS, the trick is finding out if
  it has feature parity with the Windows GUI (has presented an issue with
  other Lucent products).
* Licensing can be a PITA.
* Last time I looked at the IPSEC VPN client, it did not support Vista or
  64-bit XP.  I haven't looked into this in a long time, as we do not use
  the Bricks for landing client VPNs.  It's possible that Lucent has SSL
  VPN capabilities now.  No idea if they support Windows 7 yet.
* If things start failing or hanging in neat and interesting ways, more
  often than not, the issue can be fixed by restarting LSMS :)
* IPv6 support plans are unknown at this time.  Since we're migrating
  away from this platform, I haven't looked into Lucent's position on
  this.

I don't know if the newer models do 10G yet, but that might be worth checking if you plan to firewall customers who need lots of bandwidth.

We can talk offline if you want to discuss in more detail.

jms

> If there is a better forum to post this question, my apologies.
> Please direct me to the right place. :)
>
> Our goal:
>
> We want to provide managed firewall/VPN for Colo/DIA customers.
>
> Our specific requirements are
> - Able to provide VRF/virtual router per customer since address range
> can overlap between customers.
> - Able to do client based VPN to the inside network.  It could be
> IPSec or SSL.  It has to support Vista/Win7-x64
> - Able to do site to site VPN with various devices.(Cisco,
> - Can rate limit traffic in and out.
> - Control NAT per customer instance.
> - Stateful firewall per customer instance.
> - Good logging
>

> Thanks!
