VPN gear plays multiple roles

Nokia is bolstering its IP family of firewall-VPN appliances to make it possible to use a single chassis to create a range of firewall and VPN security domains, reducing the need for multiple devices or buying a bigger box than is really needed.

The new products, based on the same two-slot chassis, come standard with four 10/100M bit/sec Ethernet ports for separate security zones, but can be expanded to support either six or eight Ethernet ports by adding two-port cards. So a user who needs six ports can buy the chassis with one card. The alternative would be to buy two boxes that have three or four ports each, or buy an eight-port appliance that would have two unused ports.

Competitor NetScreen Technologies Inc. has two fixed-configuration devices, the NetScreen 204 with four ports and NetScreen 208 with eight, but nothing in between.

Nokia's new rack-mountable hardware comes in two models: the IP 350 and IP 380. Other appliances in the IP family, such as the IP 330, have only three Ethernet ports standard.

This is important to Countrywide Home Loans, which has beta-tested the new equipment. The company wants to keep traffic in isolated zones so only authorized users can get at it. The alternative would be to add more appliances, says Ken Quan, Countrywide's vice president of network computing. "These have more Ethernet interfaces than the IP 330 so I can segregate traffic into [demilitarized zones]. It is more price-efficient," he says.

The devices sit in corporate networks connected to a LAN and to dedicated Internet links, and act as a firewall or VPN gateway or both.

Nokia says the IP 350 and IP 380 are designed to support VPNs and firewalls for corporate offices with 100 to 250 users. They run VPN-1/Firewall-1 software made by Check Point Software. Throughput on the IP 350 is 375M bit/sec for the firewall and 60M bit/sec for Triple-DES encryption. On the IP 380, the speeds are 600M bit/sec for the firewall and 90M bit/sec for the VPN. A hardware upgrade is available for the IP 380 that boosts the encryption to 130M bit/sec.

These speeds are more than ample to protect Internet access links of the size that is likely to be used at branch offices with 250 users, and the extra processing power might seem like overkill, particularly the IP 380 with the expansion card.

This power becomes necessary if the device is used to run intrusion-detection software at wire speed instead of firewall/VPN software. Both of these devices can run Internet Security Systems' RealSecure intrusion-detection software; the speed of the IP 380 with the accelerator is 100M bit/sec, enough to shield a 100M bit/sec LAN segment at wire speed.

Few users would go out looking specifically for a hardware platform that supports both firewall-VPN and intrusion-detection software, says Zeus Kerravala, an analyst with The Yankee Group. Those are separate purchasing decisions, he says.

But Quan says that Countrywide uses both firewall and intrusion-detection software running on Nokia boxes, and that reduces the number of administration and management platforms network engineers have to learn.

The IP 350 costs US$5,800 and the base model of the IP 380 costs $10,000. They will be available at the end of the month.
