Two leading players in the VPN (virtual private network) market are launching products to ease and coordinate management of VPNs and firewalls.
Cisco Systems Inc. this month is expected to announce the VPN/Security Management Solution (VMS), a suite of management applications for the CiscoWorks2000 platform that is designed to give users integrated management of Cisco VPN routers, concentrators and PIX firewalls.
Rival Check Point Software Technologies Ltd. is offering what it calls Next Generation Management, software that allows network administrators to set VPN policies and draws a diagram of policies that are in force.
Such tools are required by users looking to build out or scale their networks without having to individually configure devices or use separate applications to monitor VPNs and firewalls.
“I single-handedly support 1,200 VPN users and six [Check Point] VPN-1 firewalls. I can’t even imagine expanding my VPN without a tool like this,” says John Shelest, senior network security engineer for Equity Residential Properties in Chicago.
Cisco’s hoping its users can’t either. VMS provides a Web-based interface for monitoring VPNs and an application for configuring and monitoring firewall security.
VMS supports the following Cisco products: VPN 3000 Concentrator; 7100 and 7200 series routers running Cisco IOS Version 12.1(5a)E or later; PIX Firewall; and Intrusion Detection Sensor devices.
VMS monitors and troubleshoots common VPN protocols, such as IP Security (IPSec), Internet Key Exchange (IKE), Layer 2 Tunneling Protocol (L2TP) and Point-to-Point Tunneling Protocol (PPTP). The suite includes CiscoWorks2000 Resource Manager Essentials 3.2, which provides basic syslog and configuration reporting, and software and inventory management for VPN devices.
The bundle also includes VPN Monitor 1.0, for monitoring of IPSec, IKE, L2TP and PPTP protocols; and Cisco Secure Policy Manager (CSPM) 2.2 for configuration and monitoring of firewall security.
Users say VMS is just a first step toward integrated, comprehensive VPN and firewall management and that Cisco needs to go a bit further.
“It’s very proficient in giving people the statistics and thresholding that are necessary to get an accurate indication of the success of your VPN network,” says Paul Forbes, network engineer at Trimble Navigation in Sunnyvale, Calif. “The next step would be to try and drive the management of the tunnels through a single configuration interface. Trying to come up with a technology to allow users to configure a VPN regardless of device across the entire product range is going to be something I certainly desire.”
Other users say they don’t need VMS; a stand-alone version of CSPM works fine.
“We use the Cisco policy management stuff for configuration of firewalls, for logging capability, for building VPNs, installing digital certificates onto VPNs, that type of stuff,” says Phil Ruenhorst, director of ChimeNet in Wallingford, Conn. “We can dynamically see and build VPNs from a central spot with policy management.”
VMS costs US$8,000 and is available now.
Check Point’s Next Generation Management software also uses policies to manage larger VPNs in less time. Currently, when administrators make changes or updates, they send them to one device at a time.
“The Next Generation Management checks if the VPN clients have the right configuration according to the security policies, and if not it will send them,” Shelest says, referring to a new feature called SecureUpdate.
He says the software also offers a high-availability feature that directs remote VPN users to a different gateway if the primary one is inaccessible. For example, if the Internet connection to the Chicago office were to go down, remote machines would automatically seek out the Scottsdale, Ariz., VPN gateway without the remote user having to do anything.