Firewall Wizards mailing list archives
Re: VPN Devices
From: Patrick Darden <darden () armc org>
Date: Tue, 4 Sep 2001 14:29:47 -0400 (EDT)
Not a problem, differing points of view are what it is all about. Here's what we have:

1 X CES 600
2 X CES 1000
1 X CES 2600

We were running the 2 X CES 1000 (original bottom of the line CES) in dual redundant mode, but were running into problems with the number of concurrent connections (they are limited to 100 simultaneous tunnels). We now use them as backups, and the 2600 is our main VPN Switch. The 2600 was middle of the line when we bought it about 9 months ago. It is capable of 1000 simultaneous tunnels, and a total of about 10 Mbps of 3DES IPsec MD5 traffic in full duplex (as I remember). We have 3 T-1s, which is not taxing it in the slightest. There are faster machines out there, but we just don't need them at this point.

We have about 700 mobile users in total, plus about 22 branch offices including EMS and Regional First Care (kind of regionally located ERs), 20 home transcriptionists (pushing large files at high volume), 12 radiologists viewing X-rays, MRIs, etc. from home (via DSL and cable modems--they are practically branch offices themselves, and they are pulling HUGE files across), and somewhere around 30 vendors that connect to do upgrades/monitoring/management of specific servers/switches/systems (like a GE CAT scanner), plus miscellaneous managers working from home via Citrix and PC Anywhere, and the IS people like myself who monitor and control servers and switches from home.

The CES line IS middle of the road for performance. But, unless you have multiple T-3s, or are segregating LAN lines via VPN, you should be ok. We HAVE had a client clobber a machine--when they did not follow our uninstallation instructions. It didn't clobber the whole machine, just the networking had to be uninstalled and reinstalled. Easily fixed, and easily preventable by following our simple small instruction booklet. Otherwise we have had no problems with the client--reliable, well-behaved neighbor, and a great license.

We love the fact that we can push out mandatory client settings from the server side. We can create groups of users with settings and push out settings for these groups like remember password or forget it, allow simultaneous LAN access or dedicate the PC's connection to the VPN when the VPN is active, idle timeouts, etc. The GUI is simple and easy to use. It was not made to easily support multiple switches. We simply do a config and user database backup of the main switch once a week, then just restore that backup to the smaller switches in order to replicate any changes that have been made. Nortel support has been glowing until the past few months, but we really haven't needed it often as the product is so rock-solid. They are still developing the product, released the new client last week and are planning on a new switch code release in the next few weeks. The new client is golden--supports multiple CPUs, etc.

I guess the end result is that we have had a working VPN infrastructure for about 3 years--longer than anyone else I have heard of. It interoperates with Cisco, Checkpoint, and every other VPN product we have worked with--much to the surprise of the vendors who have had the alternative VPN product. We continue to sample wares from other vendors, read reviews, and keep current on what is out there, yet we are happy with what we have.

--
--Patrick Darden
Internetworking Manager
-- 706.354.3312
darden () armc org
-- Athens Regional Medical Center

On Fri, 31 Aug 2001, acs wrote:
I have used all three of the devices I mentioned. I did not want to bad-mouth Nortel. But to offset your glowing review: the throughput is not good compared to the others I mentioned. The things are low-end PCs running VxWorks. Your load is on the big model, yes? That thing costs. The client has clobbered many folks' 98 machines' IP stacks. The GUI gets very tiresome for COs with large user bases; in fact it becomes so slow it is almost unusable. Nortel support leaves much to be desired. Getting the IPsec traffic out from where it is (behind firewalls often) is more and more difficult due to technology (NAT) and policy.

We have a bunch of the big Nortels and a growing number of the InfoExpress servers. The InfoExpress is not cheap or perfect but it is getting much more use. Getting out from behind NAT and proxies plus the Linux, Solaris, Windows and Mac clients are making it the winner. For speed, price and pure Windows IPsec, NetScreen beats Nortel. In fact, the client even does client-to-client tunnels.

acs
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
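acs's remark that getting IPsec traffic out from behind NAT is "more and more difficult" rests on two properties of the protocol that are easy to see in a toy model. The following Python is an added illustration, not code from either poster or from any of the products discussed; it is a deliberately simplified packet model (string addresses from the RFC 5737 documentation ranges, an HMAC-SHA256 ICV, a constructed key) rather than a real IPsec implementation. It shows that an AH integrity check, which covers the outer IP addresses, fails once a NAT rewrites the source address, and that ESP, while it survives the rewrite, carries no transport port, so a port-translating NAT has nothing to separate two inside clients tunnelling to the same gateway.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed key for the toy security association (not a real key).
SA_KEY = b"toy-sa-key-for-illustration"


@dataclass(frozen=True)
class Packet:
    """Minimal packet model: outer IP addresses, IPsec protocol, SPI, payload, ICV."""
    src: str
    dst: str
    proto: str        # "AH" or "ESP"
    spi: int
    payload: bytes
    icv: bytes = b""


def covered_bytes(pkt: Packet) -> bytes:
    """Bytes the integrity check value (ICV) protects, per protocol."""
    header = pkt.spi.to_bytes(4, "big")
    if pkt.proto == "AH":
        # AH authenticates the immutable outer IP header fields (addresses) too.
        return pkt.src.encode() + pkt.dst.encode() + header + pkt.payload
    if pkt.proto == "ESP":
        # ESP authenticates only the ESP header and payload, not the IP header.
        return header + pkt.payload
    raise ValueError(f"unsupported proto {pkt.proto!r}")


def seal(pkt: Packet) -> Packet:
    """Attach an HMAC ICV, as the sending VPN client would."""
    icv = hmac.new(SA_KEY, covered_bytes(pkt), hashlib.sha256).digest()
    return replace(pkt, icv=icv)


def verify(pkt: Packet) -> bool:
    """The receiving gateway recomputes the ICV over what it sees on the wire."""
    expected = hmac.new(SA_KEY, covered_bytes(pkt), hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkt.icv)


def source_nat(pkt: Packet, public_ip: str) -> Packet:
    """A NAT rewriting the private source address to its public address."""
    return replace(pkt, src=public_ip)


def survives_nat(proto: str) -> bool:
    """Does a sealed packet of this protocol still verify after source NAT?"""
    pkt = seal(Packet("10.0.0.5", "198.51.100.1", proto, 0x1001, b"tunnelled data"))
    return verify(source_nat(pkt, "203.0.113.9"))


def pat_translation_keys(packets, public_ip: str) -> set:
    """Keys a port-address-translation box can use to tell flows apart.

    TCP/UDP flows carry ports; AH/ESP carry none, so after NAT every inside
    host talking to the same gateway collapses to one (src, dst, proto) key.
    """
    keys = set()
    for pkt in packets:
        nat = source_nat(pkt, public_ip)
        keys.add((nat.src, nat.dst, nat.proto))
    return keys


def pat_can_distinguish(num_clients: int) -> bool:
    """Can a PAT box separate num_clients ESP tunnels to a single gateway?"""
    pkts = [
        Packet(f"10.0.0.{i}", "198.51.100.1", "ESP", 0x2000 + i, b"x")
        for i in range(1, num_clients + 1)
    ]
    return len(pat_translation_keys(pkts, "203.0.113.9")) == num_clients


if __name__ == "__main__":
    print("AH verifies after NAT:", survives_nat("AH"))               # False
    print("ESP verifies after NAT:", survives_nat("ESP"))             # True
    print("PAT can separate 2 ESP clients:", pat_can_distinguish(2))  # False
```

The model leaves out the SPI-tracking heuristics ("IPsec passthrough") some NAT devices use to guess which inside host an inbound ESP packet belongs to; those work only for a single client per gateway at best, which is why UDP encapsulation of ESP (NAT traversal, later standardized in RFC 3947/3948) became the usual answer for the road-warrior case both posters describe.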