How We Tested... IPSec Virtual Private Networks
Three specific areas of our VPN (virtual private network) roundup required test plans: CA (Certificate Authority) integration, bulk encryption performance and client performance. To test integration with an external CA, we used Entrust/PKI 4.0c with the VPN Connector. We used different procedures for certifying VPN gateways depending on the vendor. VPNet and RadGuard both generated PKCS #10 certificate requests, which we copied from the management station to the CA via floppy disk. We then certified the requests and imported the certificates back into the gateways. ADI and TimeStep both sport Entrust clients and certified themselves online. RedCreek does not support external CAs at this time.
To run the bulk of performance testing, we used Ganymede Software's Chariot 3.1 performance application. We employed eight 200-MHz Pentium clients with 128 MB of RAM and a Digital 21140 NIC locked at 100 Mbps, full duplex. The test bed was interconnected with a Cisco Systems Catalyst 5500 and the traffic was segmented using VLANs (virtual LANs). A Cisco 7520 was our central router. We created two TCP sessions per Chariot endpoint. In total, we had four TCP streams in one direction and four TCP streams in the opposite direction. Without the VPN gateways, we were able to pass 167 MBps of bidirectional traffic. When we tested each VPN gateway, we tested the effect of the device in the network while passing data in the clear (with the exception of ADI), which gave us an indication of raw traffic forwarding rates.
The VSU-1100 forwarded traffic at a rate of 109 MBps in the clear--26 MBps faster than the Ravlin 7100, the closest contender. We then constructed tunnel-mode IPSec VPNs with 3-DES encryption and HMAC-MD5 authentication. With encryption activated, the VSU-1100 took a 26 percent performance hit, dropping to 81 MBps. On the other hand, the Ravlin 7100 took only a 6 percent performance hit to finish at a respectable 79 MBps.
To test client performance, we installed the vendor client on Windows 95 on a 233-MHz Pentium Pro server with 64 MB of RAM and a 3Com 3C905 NIC. We used the same Chariot test as in the bulk testing, though we restricted performance to 33.6 Kbps to simulate the average dial-up connection a road warrior can expect to get.