Nortel-Cisco, was: Re: VPN Solution (fwd)

Golder, Fred Fred.Golder at CENDANT.COM
Mon Dec 13 08:22:37 EST 1999


Check out the Gartner Group report from 13 September entitled "The Remote
Access VPN Magic Quadrant Criteria for 2H99" if you want an independent
assessment of positioning in the marketplace.

The sales info I was told by both companies 12/3/99 for # of users per box
is as follows.
Product                      without hardware crypto    with hardware crypto
Nortel 4500                  2000                       5500
Cisco 7140 ("VPN router")    100                        700

It should be noted that Cisco claims they can stack any number of routers
together and thereby handle any number of sessions.  I don't know if I
believe that or not.  Further, the salesman said that if the router was also
routing, performance would be lower.

Nortel can load balance between 2 boxes at once and IF you use failure
craftily you can get 8 boxes supporting your load at once.  It should also
be noted that Nortel hasn't yet released its crypto card, so that number is
guesswork, albeit educated guesswork.

-Fred Golder

-----Original Message-----
From: Tina Bird [mailto:tbird at KUSPY.PHSX.UKANS.EDU]
Sent: Friday, December 10, 1999 4:08 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: Nortel-Cisco, was: Re: VPN Solution (fwd)


Hi all,
Let me react on a few points:
- Unfortunately I don't know the Contivity product, but even if it was very
well designed, if you have a software solution it is normally slower than
the hardware solution, because the hardware solution uses a dedicated
crypto-processor, especially for asymmetric crypto.
- For the VPN on the router, as it is implemented on the IOS platform, we all
know that they are security nightmares with many backdoors and bugs (even if
new products are better), so it is not the best solution (this is my point
of view of course) in terms of security to implement a VPN only on Cisco
routers!
- We have tested some VPN products (both HW and software) in our company,
and it is difficult to say that one product is better than the other,
because it greatly depends on your requirements, but basically here are some
points:
1- HW or soft solution. It's a trade-off between flexibility and speed and
security: normally HW should be faster and secure, and a soft solution might
suffer from the platform security (how the OS is or can be hardened) and
limitations (processor speed, memory capacity, etc.). On the other hand, soft
solutions are more flexible, especially if you have special needs or if you
want to interact with other VPN products. Concerning the costs, HW is
generally more expensive than a soft solution, but if for your soft
installation you have to buy a machine like a SUN, then costs become more or
less the same...
2- The product shall be fully IPSEC compatible to ensure you the possibility
to work with other IPSEC products. IPSEC leaves open many options (concerning
the algo, concerning the mode); the more options the product has, the more
chances you will have for an integration with another IPSEC product.
3- Is it possible to make a central management of your VPN system? Remember
that easy and understandable management leads to better security. You have
to test this!!!
4- Finally, if you work with certificates, you will have to look closely at
how they provide the possibility to generate certificates, to download them to
the right place and to verify them. Investigate also the possibility to
import third-party certificates. X.509 is a standard for certificate format;
however, if one product accepts an X.509 certificate it doesn't mean that it
will accept all other X.509-compatible certificates.

Concerning US IPSEC products. We know that we have a large choice of VPN
products that are not US products. Because of the US export law
restrictions, when we (in our company) have to look for an IPSEC product, it
is very very seldom that we are interested in US products!! And the new text
proposed for the modification of this law article won't change anything!!


Cheers



Azim Ferchichi
___________________
CIT-CT-TPM
IT security and Smart-cards
Swisscom AG
CH-3050 BERN
Phone: +41 31 342 09 22
Mobile: +41 79 301 55 56
Fax:      +41 31 342 00 08
______________________

> ----------
> From: 	Chris Carlson[SMTP:carlsonmail at yahoo.com]
> Sent: 	vendredi, 3. décembre 1999 18:27
> To: 	Noam Gruber; eyeque-india at telebot.net
> Cc: 	vpn at listserv.secnetgroup.com
> Subject: 	Nortel-Cisco, was: Re: VPN Solution
>
>
> --- Noam Gruber <noam.gruber at radguard.com> wrote:
> ...
> > The Cisco and Nortel VPNs are somewhat problematic,
> > because they are
> > based on router platforms which weren't built for
> > security. As such they
> > have security and low performance problems.
> ...
>
>
> Noam is grossly incorrect in his statement regarding
> the Nortel Contivity platform.
>
> The Contivity, which Nortel bought from New Oak
> Communications, uses a real-time OS for Intel written
> by Wind River.  This real-time OS is extremely small,
> efficient, with custom routing and IPSec drivers
> written specifically for the VPN application.  It is
> *NOT* based on the Bay Network router line.
>
> In fact, the Tolly Group did a performance bake-off
> between the Contivity 4000 and Cisco 7200 router.  The
> Contivity blew its doors off.  Noam is correct
> regarding the Cisco VPN boxes -- they are IOS routers
> with VPN code, but hardly bad products.
>
> As always, carefully research and test any product
> before implementing it into your environment.  Note
> that Noam's email is from "radguard.com", a VPN
> vendor.  As such, take his alleged "statements of
> fact" with a grain of salt with regard to competing
> products...
>
> Regards,
> Chris

VPN is sponsored by SecurityFocus.COM