[vpn] Review of 13 VPN products

Philipp Buehler lists at fips.de
Thu Oct 4 20:27:20 EDT 2001


On 04/10/2001, Joel M Snyder <Joel.Snyder at Opus1.COM> wrote Cc vpn at securityfocus.com:
> In the real world, it is actually IKE which is the problem in interoperability,
> rather than IPSEC.  (See, for example, all of the discussions on the IETF IPSEC

And this not only for a short time. They *all* claim to be "compatible",
but IKE/isakmp "issues" are always there.

> In the IKE policy, there is no analog to the extreme flexibility of the IPSEC
> policy.  You can only create a single IKE "crypto map," and that map applies to
[.. more like that ..]

Yes, and this is for almost any commercial product out there.
Picking out the "Leader" Checkpoint, you actually *can* tune about "any"
parameter for isakmp - but not always via the GUI - and you dont want 
people to fiddle in their .C files by hand, do you? :)

I was testing several systems against the isakmpd from OpenBSD (due to
massive possibilities in "fine" tuning and *extreme* debugging) cause
$customer is planning to connect a real varity of current products in the
IPsec/IKE sector.
Crossplattform between commercial ones? Can work.. can fail after "updating"
one peer for some other reason.. Nice, isnt it?
Why is this remembering me all day long about the years where PPP came up as
"Industry Standard"? Because they do only <95% of it, the rest is 
filled up w/ "enhancements" (<sarcasm> of course for OUR beloved 
customers (and our single point of sales)</sarcasm>).

Conclusion: Stay as homogenous as you can (regarding IKE). Say all "foreign"
fw1 peers go to fw1, cisco to cisco .. put them back to back via unencrypted
(crosscable) links. Use a 'mulit purpose' isakmpd (like OpenBSD or sometimes
FreeS/WAN) for the "uncommon" rest.

I hear "complex" and "difficult"? Well, it needs very good planning, dont
"rush" for it..
<rant>
Management? Sure a task, but I prefer running networks about "easy to
manage" failing networks.
The so-called "management" is usually some GUI, supported by "industry
leading" techologies like LDAP/XML/<insert next buzzing thing here ..>
In the real world it will fail - especially for heterogenous networks.
"Easy Management" lures people into the misunderstanding that IPsec/IKE is
somthing to be set up via <n> mouseclicks. Ack'd, it *can* make the task
easier or not (ever scripted in a GUI? :>) - but dont expect it can
substitute the lack of knowledge about what is going on.
</rant>

ciao
-- 
Philipp Buehler, aka fips | sysfive.com GmbH | BOfH | NUCH | <double-p> 

#1: Break the clue barrier!
#2: Already had buzzword confuseritis ? 

VPN is sponsored by SecurityFocus.com





More information about the VPN mailing list