Firewall Wizards mailing list archives

Re: VPN and firewalls


From: Rick Smith <smith () securecomputing com>
Date: Mon, 9 Feb 1998 13:32:12 -0600

At 9:45 AM -0700 2/6/98, Rik Farrow wrote:
> I am curious about why people are choosing VPN solutions which
> are independent of firewalls, for example, Aventail or TimeStep.

I suspect it's because VPNs are still evolving, and people are simply
taking advantage of the product mix. I have yet to see two VPN crypto
implementations that really have exactly the same features, so it could be
that the buyers were charmed by particular features of the independent VPN
products. Or perhaps they already had firewalls in place that they didn't
want to mess with. Or perhaps the part of the enterprise interested in VPNs
is separate from the group handling the firewall. There are lots of
possibilities, both technical and non-technical. Perhaps the sales people
got lucky.

> Do people poke these streams through their firewalls?

This seems to be the popular approach, especially since that's the way most
firewalls do VPNs. We tried to force everyone through the firewall filters
on Sidewinder and had lots of customer resistance. Now there's a way to
route IPSEC traffic around it.

> Is it a matter of performance?

I could see a busy site trying to do this, since this is a plausible way of
dividing up the processing effort among multiple devices. However, I've
never seen a serious performance test to show the relative benefits.

Keep in mind that there's no guarantee that a "hardware" crypto
implementation will run faster than one in software. Given the speed of
modern processors, especially if the work fits in the processor cache, the
hardware implementation has to be pretty good to keep up. A mature, stable
hardware product may be using an older programmable logic technology with a
cycle time comparable to the latest CPU chips.

> Why pay extra for VPN capability which is already included in many firewalls?

It's not always free in the firewall -- in the past we've sold it as an
extra cost option. I don't know what our current pricing structure is, and
I can't speak for other vendors.


Rick.
smith () securecomputing com                Secure Computing Corporation
"Internet Cryptography" at http://www.visi.com/crypto/ and bookstores
