[vpn] Review of 13 VPN products
Joel M Snyder
Joel.Snyder at Opus1.COM
Wed Oct 3 18:26:16 EDT 2001
It's easy to make arrogant and unsupported statements like that, but it would
be more useful to everyone --- including the un-credible author of the
article --- if you would offer some proof.
In the version of IOS and of PIX which was tested, I claim that you can have
only a single IKE policy, which is an ordered list of IKE transforms and
proposals which are acceptable. That policy may have multiple transforms, but
you cannot express a policy such as, for example:
When initiating an SA to 22.214.171.124, I would like to use certificates.
When initiating an SA to 126.96.36.199, I would like to use PSS.
When initiating an SA to 188.8.131.52, I would like to use certificates,
but I would fall back to PSS.
When initiating an SA to 184.108.40.206, I would like to use certificates,
but I would fall back to encrypted nonces.
When initiating an SA to 220.127.116.11, I would like to use PSS, but I
would also be willing to use certificates.
If you can offer a working Cisco config on a GD release, I'll happily
apologize and offer a correction.
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 x101 (v) +1 520 324 0495 (FAX)
jms at Opus1.COM http://www.opus1.com/jms Opus One
>Joel Snyder wrote:
>> In case you hadn't seen it, Network World just published a review I did
>> of 13 different VPN products, focusing on site-to-site and enterprise applications:
>> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
>> +1 520 324 0494 x101 (voice) +1 520 324 0495 (FAX)
>> jms at Opus1.COM http://www.opus1.com/jms Opus One
>> Electronic mail is always the best way to contact me.
>> VPN is sponsored by SecurityFocus.com
>I disagree with the assertion in the article that the Cisco products only allow
>a single IKE policy to be configured. Both IOS and the PIX allow multiple
>isakmp policy clauses, and it's not very hard to figure that out. If the people
>doing the testing missed something this obvious when configuring the Cisco gear,
>it makes me wonder how much else they might have missed. Because of this, I
>have serious doubts about the credibility of the testers and their results.
>Dana J. Dawson djdawso at qwest.com
>Senior Staff Engineer CCIE #1937
>Qwest Global Services (612) 664-3364
>Qwest Communications (612) 664-4779 (FAX)
>600 Stinson Blvd., Suite 1S
>Minneapolis MN 55413-2620
>"Hard is where the money is."
VPN is sponsored by SecurityFocus.com
More information about the VPN