FOR

Five years ago, the hottest topic in the trade press was telecommuting. Journalists and industry watchers alike were predicting a future in which the office became redundant, with workers connecting to the corporate network from home. The benefits were obvious: given the horrendous cost of office space and the overheads of having employees on the premises, telecommuting would usher in a brave new world of flexibility and cost savings.

Of course, the reality has been somewhat different. A host of problems which were either not foreseen or were dismissed, proved to be a major stumbling block. They ranged from how to monitor users' behavior when outside the office, to how to maintain lines of management, and, most importantly, security. A remote user connecting to the office network over a phone line is opening that network up for attack, rolling out a red carpet for hackers straight into the corporate network, bypassing the firewall and offering unprecedented access. Not only that, but unencrypted data traveling via the Internet is about as secure as a postcard through the mail.

There are, however, few problems in the IT industry that remain unsolved for long, and the development of virtual private networks (VPNs) has provided a solution to this. Information is encrypted at one end, and can pass through the Internet unhindered, to be decoded at the other end. For the so-called road warrior, who needs access to the corporate network from all over the world, this offers a safe and relatively cheap method of keeping in touch.

Trispen Technologies' IP-Granite is one such solution. Aimed at the small to medium business, it is a dedicated VPN gateway device that can be used to allow secure connectivity for both remote users and external networks, such as tunneling between a branch office and the corporate LAN. Physically, the IP-Granite V100 is a rack-mountable unit, which is solidly built. It also has an uncluttered front panel with the requisite number of displays, while the back-plate offers all of the ports you would expect from a standard PC, as well as the two RJ45 ports you need to plug it in to your network. One surprising aspect of the device is its weight: the V100 is deceptively heavy for a unit of this size. Then again, it isn't as if you are going to be lugging it around, is it?

Installation is simple. The V100 is installed just like a firewall, sitting between the private and public networks. In essence, the device is a router with IPsec encryption. All you have to do is plug in the two RJ45s and install the workstation software. Installing the management software is quick and painless. You are then confronted with an extremely easy to understand command line interface (CLI) for configuration. In the world of GUIs, this may appear a bit primitive, and normally a CLI would raise some eyebrows; but configuration is so simple that there is no need for anything more advanced. Configuration can also be performed remotely, even through a Telnet session, adding even more flexibility. All further management is then performed by the GUI manager.

The core of the product is the IP-Granite engine. This comprises two components: the packet interceptor, which reads all packets that pass through the VPN and decodes them, and the policy manager, which determines access through the VPN. Setting policies through the policy manager is extremely simple: through a Java virtual machine, you are led, step-by-step, through the entire process. This is one of the simplest VPN policy configurations on the market, and kudos to Trispen for that.

Once installed, the V100 can support up to 250 users - perfect for the small to medium business. Trispen has also provided some future-proofing to add scalability, so that the device can be upgraded to support a much larger number of users.

The V100 offers three levels of password security. The user level password provides limited access to the command line interface, which simply allows the user to see basic information. From here, the privileged level password allows configuration changes, while the management key password is used to establish secure management tunnels to the device from the central manager (M100).

The IP-Granite is fully IPsec compliant, and provides support for a number of encryption algorithms, such as DES, triple-DES and Blowfish. It is also one of the first devices to offer the advanced encryption standard (AES). But the device isn't quite so well-equipped when it comes to certification: it may support x.509v3 and IKE, but surprisingly there is no support for RADIUS. Given the increasing popularity of RADIUS, this is a serious shortcoming that Trispen needs to look at as soon as possible. [Ed note: Trispen comments that in order for users to make use of RADIUS, a third-party RADIUS server has to be implemented, which is typically not in place in many of its client organizations. The company says that it provides a better alternative using public key certificates, as well as an online enrolment procedure to activate the certificates.]

Logging is provided through remote syslog to a UNIX host, to the console, or can be viewed security using the workstation-based log viewer. There are no bells and whistles, but it does what it is meant to do - report.

Documentation is a bit of a mixed bag. The information supplied in PDF format on the CD is of a very high quality, easy to understand and perfectly straightforward. Sadly, the same cannot be said of the printed information. The three manuals supplied with the product are indistinguishable, with nothing on the cover to indicate which is which; and in the drive to reduce the size of the manuals, the font size verges on the microscopic. This is definitely an area that Trispen needs to address. [Ed note: The company says that this has been rectified.]

The IP-Granite V100 is an extremely cost-effective VPN solution for the small business or start-up, but the lack of support for certain popular certificates and the substandard documentation needs to be rethought for the V100 to live up to its full potential. But nevertheless, it is an impressive piece of kit.  

SC On-Line
SC Magazine
www.scmagazine.com