Clarity, please

Jon Carnes jonc at haht.com
Thu Jun 21 23:32:35 EDT 2001


http://www.netscreen.com/aboutus/articles/news042401.html

The Netscreen 5 is a *cool* device.  What you get is a fantastic router with
a lot of cache and some awesome "built-in" capability.  It's a firewall,
router, DHCP server with the ability to run 10 simultaneous IP Sec based
VPNs, and it can also do limited QoS (Quality of Service: it gives certain
traffic higher priority so that your VPN stays up and running smoothly).

For the price, this is a killer box.

The three things you pay for are:
  - Built in IP Sec vpn with easy configuration.  This is worth the price of
the box all by itself.  Configuring IP Sec properly can be a major time
sink, unless you are a pro.
  - Speed.  The box was built to route and vpn, and it was built well.  It
routes quickly, whether over the internet or over an established VPN.  One
problem with poorly designed or overly secured VPNs is added latency (the
time it takes a packet to enter one end of the router and leave through the
other end). Also this box was designed intelligently so that your
connections stay up even with low bandwidth.
  - Capacity.  The darn thing can handle a thousand simultaneous
connections.  So you can have a lot of machines hitting the net
simultaneously.

In contrast, a Linksys Cable router has no built in VPN ability.  It will
allow you to pass IP Sec and PPTP so that each client running behind it can
run a VPN connection (or you dedicate one of your internal boxes as a VPN
router).
There is no QoS built into the Linksys.  It passes packets on a
first-in/first-out basis, and if it gets too busy it starts to drop packets
indiscriminately, and then you lose your connections.
Price is the primary concern of the Linksys, not speed or capacity.  Yes it
runs fine in a small office situation, but it's going to bog down when it
gets overloaded (say about 10 computers hitting the internet fairly hard).

All that being said, I've bought over 200 Linksys boxes for use in our
remote offices and employee homes.  If an office grows to the point that its
Linksys starts to fail, we replace it with a low-end computer running Linux.

Jon Carnes
----- Original Message -----
From: "Stephen Chowning" <schowning at home.com>
To: "VPN at SECURITYFOCUS.COM" <VPN at securityfocus.com>
Sent: Thursday, June 21, 2001 6:20 PM
Subject: Re: Clarity, please


> What does Netscreen 5 do that the cable/dsl routers/firewalls don't?
> IOW, why pay $500 for the Netscreen vs. under $200 for the cable/dsl
> router/firewall?
>
> Christopher Gripp wrote:
>
> > I'll address your later question first.  If using software on a PC it
> > will likely use 2 ethernet cards.  One will typically connect directly
> > to the ethernet cable coming from the ISP device (cable or dsl modem)
> > the other would plug into a hub with all other workstations.  Those
> > workstations would then point to that 1 PC as their path to the
> > internet or anything else that is not on their local lan.  This can be
> > a cheap and easy implementation but you would need to add the cost of
> > the PC to the cost of the software to get an accurate estimate.
> > Compared to say a Netscreen 5 or some other VPN hardware that can do
> > firewalling, vpn and routing, it begins to not look so cheap.
> >
> > A lot of people on this list like to use xNIX based products like
> > FreeSwan for VPN, and other apps for firewall, routing and such.  But
> > that would require you to be familiar and comfortable with setting up
> > Linux or some other variation of Unix.
> >
> > If your TCP/IP experience is limited an "appliance" like the NS5 will
> > do very nicely and they come in 2 models.  10 user and unlimited
> > user.  The cost is ~$500 and $1000 respectively.  There are others but
> > in my experience I like NS the best.
> >
> > Christopher S. Gripp
> > Systems Engineer
> > Axcelerant
> >
> > -----Original Message-----
> > From: Stephen Chowning [mailto:schowning at home.com]
> > Sent: Thursday, June 21, 2001 9:18 AM
> > To: VPN at SECURITYFOCUS.COM
> > Subject: Clarity, please
> >
> > I am (sooner or later) going to hook a (mostly Mac, one PC) small lan
> > to a cable modem internet connection. I have looked at various hardware
> > solutions (cable/dsl routers) available for under $200. And at software
> > solutions such as IPNetRouter for under $100. IPNetRouter claims to do
> > all that a hardware device does for less money. As the hardware devices
> > are not that much more $, I don't feel that this is a major issue. I
> > would like to implement VPN also, so I would like to know which option
> > hardware vs. software is the better solution especially as it pertains
> > to implementing VPN, but also in a more general sense, i.e. ease of
> > setup/use, security, etc. From reading the posts to this newsgroup, I
> > suspect that the main difference will be what my cable co. allows or
> > disallows as far as encrypted packets.
> >
> > On another note, does anyone feel like explaining how the software
> > solution protects the non-gateway machines on the lan? I believe that I
> > understand how the hardware works, having an upstream and a downstream
> > connection. But my simple, small lan has an ethernet hub with all
> > devices plugged into it. Would the gateway machine need two ethernet
> > cards, one designated as "upstream", the other "downstream" plugged
> > into the hub?
> >
> > Thanks,
> > Steve
> >
> > VPN is sponsored by SecurityFocus.com
>


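Steve's question further down the thread (does the gateway PC need two ethernet cards, one "upstream" and one "downstream", and how does it protect the other machines on the hub?) and Jon's remark that an outgrown Linksys gets replaced with "a low-end computer running Linux" both describe the same thing: a two-NIC Linux box doing routing, NAT and firewalling. The script below is an added example written for this page, not code from anyone in the thread. It assumes a Linux gateway with iptables, eth0 on the cable modem and eth1 on the hub, and a constructed LAN of 192.168.1.0/24; the interface names and subnet are mine, not the thread's. The rules are printed rather than applied so they can be reviewed (or tested) without root, and piped to sh with `--apply` on the real box.

```shell
#!/bin/sh
# Added example (not from the thread): two-NIC Linux gateway that does what the
# Linksys does for the machines behind it. Assumed names (mine, not the list's):
#   WAN_IF  - card plugged into the cable/dsl modem ("upstream")
#   LAN_IF  - card plugged into the hub ("downstream")
#   LAN_NET - the private range handed out behind the gateway (constructed)
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the rule set for a gateway with $1 facing the ISP and $2 facing the hub,
# protecting $3. Printed, not executed, so it can be read before it is trusted.
gateway_rules() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
# kernel must forward packets between the two cards for the LAN to reach the net
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
# default deny for anything aimed at the gateway itself or routed through it;
# the gateway's own outbound traffic is allowed
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# packets arriving on the WAN card that claim a LAN source are spoofed: drop them
iptables -A INPUT -i $wan -s $net -j DROP
iptables -A FORWARD -i $wan -s $net -j DROP
iptables -A INPUT -i lo -j ACCEPT
# replies to connections the gateway or the LAN started are let back in
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $lan -s $net -j ACCEPT
# LAN -> net is allowed; net -> LAN only as a reply to something the LAN sent
iptables -A FORWARD -i $lan -o $wan -s $net -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
# masquerade: the LAN leaves with the gateway's public address, so the private
# addresses behind it are never reachable from the internet at all
iptables -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE
# log what the default policy is about to drop on the WAN side
iptables -A INPUT -i $wan -j LOG --log-prefix "gw-drop: "
EOF
}

# Apply the rule set (root required; sh -e stops at the first failing command).
apply_rules() {
    gateway_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" | sh -e
}

case "${1:-}" in
    --show)  gateway_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" ;;
    --apply) apply_rules ;;
esac
```

The two policies together answer Steve's question about the non-gateway machines: with the FORWARD chain defaulting to DROP, nothing from the WAN side reaches the hub unless it is a reply to a connection a LAN machine opened, and because of MASQUERADE the LAN's private addresses are not routable from outside anyway. Unsolicited inbound packets on eth0 are logged with the `gw-drop:` prefix, which is the first thing to look at when a LAN machine cannot reach something. Run with `--show` to review the rules, `WAN_IF=... LAN_IF=... ./gateway.sh --apply` as root to install them.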