Network Management Strategies for the CIO
Requires Free Membership to View
The answer depends a lot on the size of your company in terms of number of locations and number of remote users. If you have a small number of sites, a VPN appliance should do the trick. You can use shared secrets for authentication and manage them manually. If you have a large number of locations, VPN appliances tend not to scale very well with their built in management systems that require that changes be made one appliance at a time. In this case, you need to also carefully consider the public key infrastructure (PKI) and the management systems that you will use.
A couple of critical things to watch out for:
- Real world performance versus theoretical performance
Many VPN appliances advertise high crypto throughput (sufficient for a broadband connection or T1), but fail to let you know that the performance benchmarks are based on large packets (say 1400 bytes.) Many are surprised that the actual performance is much less than advertised. This is because real-world packets can be much smaller. As the number of packets processed increases, the performance decreases. I've several appliances that advertise 6-8Mbps of encrypted throughput slow to 200Kbps of throughput when processing real-world data. So, make sure your vendor let's you know the whole story. Nothing worse than your end-users getting a high-speed connection and having a VPN that can't keep up with it.
- Tunnel limitations
Many VPN appliances are sold by the number of simultaneous connections or tunnels they can support. Typically, a low-end appliance will support five tunnels or fewer. This is probably fine, if you're building a hub-and-spoke topology, but can cause problems if you want to mesh (directly connect) all your locations to each other. In particular, meshing becomes important if you want to support applications live VoIP, video and collaboration. You don't want all that traffic bouncing through a central hub as it goes from one remote office to another. - Too many functions
- All-in-one appliances are great because they keep things simple. A problem occurs if you really use all the features at once. Typically, performance ratings are measure individually (e.g., routing, firewall, VPN, etc.). Each of these functions uses the same processing power and memory. So the net performance may be less than what you really want. Check out the processor speeds and the amount of memory. If they are sub 100Mhz and only a few Mbytes, it's likely that you won't get the performance you're looking for.
Hope this helps.
Mark
This was first published in March 2003
Join the conversationComment
Share
Comments
Results
Contribute to the conversation