Firewall Wizards mailing list archives

Re: VPN Devices


From: Patrick Darden <darden () armc org>
Date: Tue, 4 Sep 2001 14:29:47 -0400 (EDT)


Not a problem, differing points of view are what it is all about.  Here's
what we have:

        1 X CES 600
        2 X CES 1000
        1 X CES 2600

We were running the 2 X CES 1000 (original bottom-of-the-line CES) in
dual redundant mode, but were running into concurrent-connection-count
problems (they are limited to 100 simultaneous tunnels).  We now use them
as backups, and the 2600 is our main VPN Switch.

The 2600 was middle of the line when we bought it about 9 months ago.  It
is capable of 1000 simultaneous tunnels, and a total of about 10mbps of
3DES IPSEC MD5 traffic in full duplex (as I remember).  We have 3 T-1s,
which is not taxing it in the slightest.  There are faster machines out
there, but we just don't need them at this point.  We have about 700
mobile users in total, plus about 22 branch offices including EMS and
Regional First Care (kind of regionally located ERs), 20 home
transcriptionists (pushing large files at high volume), 12 radiologists
viewing X-rays, MRIs, etc. from home (via DSL and cable modems--they are
practically branch offices themselves, and they are pulling HUGE files
across), and somewhere around 30 vendors that connect to do
upgrades/monitoring/management of specific servers/switches/systems (like
a GE CAT scanner), plus miscellaneous managers working from home via
Citrix and PC Anywhere, and the IS people like myself who monitor and
control servers and switches from home.

The CES line IS middle of the road for performance.  But, unless you have
multiple T-3s, or are segregating LAN lines via VPN, you should be ok.

We HAVE had a client clobber a machine--when they did not follow our
uninstallation instructions.  It didn't clobber the whole machine, just
the networking had to be uninstalled and reinstalled.  Easily fixed, and
easily preventable by following our simple small instruction booklet.
Otherwise we have had no problems with the client--reliable, well-behaved
neighbor, and a great license.

We love the fact that we can push out mandatory client settings from the
server side.  We can create groups of users with settings and push out
settings for these groups like remember password or forget it, allow
simultaneous LAN access or dedicate the PC's connection to the VPN when the
VPN is active, idle timeouts, etc.

The GUI is simple and easy to use.  It was not made to easily support
multiple switches.  We simply do a config and user database backup of the
main switch once a week, then just restore that backup to the smaller
switches in order to replicate any changes that have been made.

Nortel support has been glowing until the past few months, but we really
haven't needed it often as the product is so rock-solid.  They are still
developing the product, released the new client last week and are planning
on a new switch code release in the next few weeks.  The new client is
golden--supports multiple CPUs, etc.

I guess the end result is that we have had a working VPN infrastructure
for about 3 years--longer than anyone else I have heard of.  It
interoperates with Cisco, Checkpoint, and every other VPN product we have
worked with--much to the surprise of the vendors who have had the
alternative VPN product.  We continue to sample wares from other vendors,
read reviews, and keep current on what is out there, yet we are happy with
what we have.

--
--Patrick Darden                Internetworking Manager             
--                              706.354.3312    darden () armc org
--                              Athens Regional Medical Center


On Fri, 31 Aug 2001, acs wrote:

I have used all three of the devices I mentioned.

I did not want to bad mouth Nortel.  But to offset
your glowing review.

The throughput is not good compared to the others I
mentioned.  The things are low-end PCs running
VxWorks.
Your load is on the big model, yes?  That thing costs.

The client has clobbered many folks' 98 machines' IP
stacks.  The GUI gets very tiresome for COs with large
user bases; in fact it becomes so slow it is almost
unusable.  Nortel support leaves much to be desired.

Getting the ipsec traffic out from where it is (behind
firewalls often) is more and more difficult due to
technology (NAT) and policy.

We have a bunch of the big Nortels and a growing
number of the infoexpress servers.  The infoexpress is
not cheap or perfect but it is getting much more use.
Getting out from behind NAT and proxies plus the
linux, solaris, windows and mac clients are making it the
winner.

For speed, price and pure Windows IPsec, NetScreen
beats Nortel.  In fact, the client even does client to
client tunnels.

acs
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards