
VPN appliances

My company wants to implement the use of VPN or Firewall. Instead of configuring existing servers -- a pre-configured appliance may be beneficial. Any advice on what types to use or avoid?
The answer depends a lot on the size of your company in terms of number of locations and number of remote users. If you have a small number of sites, a VPN appliance should do the trick. You can use shared secrets for authentication and manage them manually. If you have a large number of locations, VPN appliances tend not to scale very well with their built-in management systems that require that changes be made one appliance at a time. In this case, you need to also carefully consider the public key infrastructure (PKI) and the management systems that you will use. A couple of critical things to watch out for:

  1. Real-world performance versus theoretical performance
    Many VPN appliances advertise high crypto throughput (sufficient for a broadband connection or T1), but fail to let you know that the performance benchmarks are based on large packets (say 1400 bytes). Many are surprised that the actual performance is much less than advertised. This is because real-world packets can be much smaller. As the number of packets processed increases, the performance decreases. I've seen several appliances that advertise 6-8 Mbps of encrypted throughput slow to 200 Kbps of throughput when processing real-world data. So, make sure your vendor lets you know the whole story. Nothing is worse than your end-users getting a high-speed connection and having a VPN that can't keep up with it.

  2. Tunnel limitations
    Many VPN appliances are sold by the number of simultaneous connections or tunnels they can support. Typically, a low-end appliance will support five tunnels or fewer. This is probably fine if you're building a hub-and-spoke topology, but can cause problems if you want to mesh (directly connect) all your locations to each other. In particular, meshing becomes important if you want to support applications like VoIP, video and collaboration. You don't want all that traffic bouncing through a central hub as it goes from one remote office to another.

  3. Too many functions
    All-in-one appliances are great because they keep things simple. A problem occurs if you really use all the features at once. Typically, performance ratings are measured individually (e.g., routing, firewall, VPN, etc.). Each of these functions uses the same processing power and memory. So the net performance may be less than what you really want. Check out the processor speeds and the amount of memory. If they are sub-100 MHz and only a few Mbytes, it's likely that you won't get the performance you're looking for.

Hope this helps.
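The first point above (advertised throughput measured at large packets, real traffic made of small ones) can be turned into a quick capacity check. The script below is an added example, not part of the original answer: it assumes the appliance is bound by packets per second, so the advertised figure at the 1400-byte benchmark size fixes a packet-rate ceiling, and it uses constructed traffic mixes rather than measurements from the answer.

```python
"""Estimate real-world VPN appliance throughput from an advertised benchmark.

Assumption (not from the original answer): the appliance is packets-per-second
bound, so the pps it reaches at the benchmark packet size is also its ceiling
for smaller packets. That makes this a worst-case estimate for small packets.
"""

BENCHMARK_PACKET_BYTES = 1400  # the large packet size vendors typically benchmark at


def pps_ceiling(advertised_mbps: float, packet_bytes: int = BENCHMARK_PACKET_BYTES) -> float:
    """Packets per second implied by the advertised bit rate at the benchmark size."""
    return advertised_mbps * 1_000_000 / (packet_bytes * 8)


def mean_packet_bytes(packet_mix) -> float:
    """packet_mix is a list of (packet_bytes, share_of_packets); shares sum to 1."""
    total_share = sum(share for _, share in packet_mix)
    if abs(total_share - 1.0) > 1e-9:
        raise ValueError("packet shares must sum to 1")
    return sum(size * share for size, share in packet_mix)


def expected_mbps(advertised_mbps: float, packet_mix) -> float:
    """Throughput the pps-bound appliance achieves on the given traffic mix."""
    return pps_ceiling(advertised_mbps) * mean_packet_bytes(packet_mix) * 8 / 1_000_000


def advertised_mbps_needed(link_mbps: float, packet_mix) -> float:
    """Advertised (1400-byte) rating required to keep up with a link on that mix."""
    return link_mbps * BENCHMARK_PACKET_BYTES / mean_packet_bytes(packet_mix)


# Constructed traffic mixes (share of packets by count), for illustration only.
VOIP_LIKE_MIX = [(64, 1.0)]                               # small voice frames
MIXED_OFFICE = [(64, 7 / 12), (576, 4 / 12), (1500, 1 / 12)]  # mostly small packets

if __name__ == "__main__":
    rating = 8.0  # the "6-8 Mbps" class of appliance mentioned in the answer
    print(f"pps ceiling at {BENCHMARK_PACKET_BYTES} bytes: {pps_ceiling(rating):.0f}")
    print(f"VoIP-like traffic:  {expected_mbps(rating, VOIP_LIKE_MIX):.2f} Mbps")
    print(f"mixed office:       {expected_mbps(rating, MIXED_OFFICE):.2f} Mbps")
    print(f"rating to fill a 1.5 Mbps T1 with VoIP-like traffic: "
          f"{advertised_mbps_needed(1.5, VOIP_LIKE_MIX):.1f} Mbps")
```

An 8 Mbps rating works out to roughly 0.37 Mbps on 64-byte packets under this model, the same order as the 200 Kbps collapse described above, which is the number to ask a vendor about before buying.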
This was last published in March 2003
