[vpn] Review of 13 VPN products

Joel M Snyder Joel.Snyder at Opus1.COM
Wed Oct 3 18:26:16 EDT 2001


It's easy to make arrogant and unsupported statements like that, but it would
be more useful to everyone --- including the un-credible author of the
article --- if you would offer some proof.  

In the version of IOS and of PIX which was tested, I claim that you can have
only a single IKE policy, which is an ordered list of IKE transforms and
proposals which are acceptable.  That policy may have multiple transforms, but
you cannot express a policy such as, for example:

	When initiating an SA to 1.2.3.4, I would like to use certificates.
	When initiating an SA to 2.3.4.5, I would like to use PSS.
	When initiating an SA to 3.4.5.6, I would like to use certificates,
				but I would fall back to PSS.
	When initiating an SA to 4.5.6.7, I would like to use certificates,
				but I would fall back to encrypted nonces.
	When initiating an SA to 5.6.7.8, I would like to use PSS, but I
				would also be willing to use certificates.

If you can offer a working Cisco config on a GD release, I'll happily
apologize and offer a correction.

jms

Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 x101 (v) +1 520 324 0495 (FAX)  
jms at Opus1.COM    http://www.opus1.com/jms    Opus One


>Joel Snyder wrote:
>>
>> Folks:
>>
>> In case you hadn't seen it, Network World just published a review I did
>> of 13 different VPN products, focusing on site-to-site and enterprise applications:
>>
>> http://www.nwfusion.com/reviews/2001/1001rev.html
>>
>> --
>> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
>> +1 520 324 0494 x101 (voice)    +1 520 324 0495 (FAX)
>> jms at Opus1.COM    http://www.opus1.com/jms    Opus One
>> Electronic mail is always the best way to contact me.
>>
>> VPN is sponsored by SecurityFocus.com

>I disagree with the assertion in the article that the Cisco products only allow
>a single IKE policy to be configured.  Both IOS and the PIX allow multiple
>isakmp policy clauses, and it's not very hard to figure that out.  If the people
>doing the testing missed something this obvious when configuring the Cisco gear,
>it makes me wonder how much else they might have missed.  Because of this, I
>have serious doubts about the credibility of the testers and their results.

>Dana

>--
>Dana J. Dawson                     djdawso at qwest.com
>Senior Staff Engineer              CCIE #1937
>Qwest Global Services              (612) 664-3364
>Qwest Communications               (612) 664-4779 (FAX)
>600 Stinson Blvd., Suite 1S
>Minneapolis  MN  55413-2620

>"Hard is where the money is."
