Cisco offers low-end VPN, firewall gear

While Cisco Systems Inc. in April took the wraps off a new line of low-end, low-cost remote-access VPN and firewall gear for small to medium-sized businesses, the company has left users without a common way to manage it all.

The management muddle arises because Cisco’s new VPN 3005 Concentrator, which supports 100 simultaneous users, has to be configured and managed using one net management monitor, while the Cisco PIX Firewall 506, a pocketbook-sized unit for supporting up to 10 users, is managed by Cisco’s Secure Policy Manager 2.0.

In addition, Cisco’s new hardware-based virtual private network accelerator for the Cisco 1700 router, which speeds encryption processing by off-loading the task from router software, is managed by yet another console.

The new VPN 3005 Concentrator is based on technology Cisco got when it acquired Altiga Networks, whose line-up included the more expensive, feature-rich VPN 3015, 3030 and 3060. The new VPN 3005 can’t be upgraded, lacks the redundancy and dual power-supply features of the older VPN 3015, and is designed for a maximum of 100 simultaneous users. But the VPN 3005 costs just US$4,000, less than half the VPN 3015’s US$10,000 sticker price.

The lack of a common management application for Cisco’s growing VPN line-up is a problem the company acknowledges, with sources there saying there are plans to bring all VPN-capable firewalls, routers and concentrators under a common management umbrella later this year using the CiscoWorks 2000 management platform.

A common management package is needed because corporations mix and match VPN-capable gear, and monitoring and configuring it from different consoles is a headache.

For example, Idexx, a supplier of animal health-analysis services and products in Westbrook, Me., uses the older Altiga VPN concentrator and Cisco PIX firewall together. At Idexx, the firewall sits in front of the concentrator to prefilter users and applications going in and out of the network, said Craig Darling, the company’s network analyst.

Behind this firewall and in front of the corporate LAN, Idexx put the Altiga VPN Concentrator, now a Cisco product. It’s there to let Idexx salespeople set up a VPN-encrypted session using the Altiga VPN client software to gain access to the intranet.

“About 400 salespeople around the globe use this for secure connections over the Internet, and it saves us a lot of money over using private lines,” Darling said.

But monitoring the product is a problem because it requires two separate management platforms, he added.

“Altiga has a hell of a good Web interface for management, and Cisco is awesome for granular network configuration,” Darling said. “It’s two different mentalities, but if Cisco could meld the two, it would help a lot.”

In a different scenario, a branch office might use the PIX Firewall 506 to set up an encrypted IP session for up to 10 users back to the Cisco VPN 3005 Concentrator at the larger home office. There’s no common management application for this today, but Cisco has begun telling analysts this is on the drawing board for this year.

“Cisco does have a road map for this within the year,” said Mark Bouchard, program director at the Meta Group consultancy’s Reston, Va., office, confirming what Cisco sources told Network World (US).