Shiva LanRover VPN Gateway
by Bob Walder
More and more organisations are looking beyond the physical boundaries of their own sites in the quest to make the best business use of new technology. Data communications between physically remote sites, perhaps for branch office to head office connectivity or links between business partners, have become an essential part of modern business practice. In the past, such links have been forged using dedicated connections such as leased lines, but this approach, whilst certainly secure, can prove to be extremely expensive and inflexible. What if the sites are at opposite ends of the country, for example, or even on opposite sides of the globe? Imagine the costs involved in creating a dedicated network of such proportions. That is why astute organisations are turning to the Internet to provide their WAN links, and devices like the Shiva LanRover VPN Gateway provide the means to achieve this in a secure fashion.

The LanRover is a self-contained device which includes both firewall and VPN capabilities in a single box, providing a means to establish secure, encrypted connections from site to site, or site to remote user, over the Internet. Housed in a simple black box with no external controls other than a power switch, the LanRover sports two Intel Fast Ethernet cards (one for the internal, protected network and one for the external, unprotected network) and a dedicated hardware-based encryption accelerator.

Initial installation and configuration of the hardware is relatively straightforward, and is performed from a terminal emulation program running on a PC connected to the console port on the rear panel of the LanRover. Once that has been done, the VPN Manager utility is the graphical tool that allows ongoing management and configuration. Multiple gateways can be controlled from a single console, and all management traffic between console and gateway is fully encrypted.
Once the LanRover devices have been described to the Manager utility, double clicking on any gateway downloads the configuration from that device and presents it in eight tabbed windows, covering general parameters, authentication, physical interfaces (only two are supported, so no DMZ capability), routing, management (via SNMP and Syslog), security profiles, VPN tunnels and firewall rules.

The Authentication tab provides a choice of X.509 digital certificates (using Shiva's optional Certificate Authority software), RADIUS or SecurID. Windows NT Domain authentication or a simple challenge/response phrase can be used if none of these are available. The CA option allows a unique digital certificate to be assigned to every LanRover device and remote user in the network, and certainly provides the most transparent, yet most secure, means of authentication.

A number of Security Profiles can be created using the tab designated for this task, with each profile specifying a different authentication and encryption method (each of which may be applicable to different tunnels or remote users, for instance). The LanRover gateway supports full triple-DES encryption with double (112 bit) or triple (168 bit) length keys, though we are (as usual) restricted to standard 56 bit DES outside the US. It also supports asymmetric public key cryptography, using RSA algorithms with up to 2048 bit keys, for authentication and key management. All key exchange operations are accomplished via the standard Diffie-Hellman system.

Tunnel encapsulation is either standard IPSec (32 or 64 bit, with MD5 or SHA1 headers) or the more efficient SST (Shiva Secure Tunnelling) protocol. Each tunnel defined on the network can be allocated a different security profile if required. Site to Site, Single Remote User or Multiple Remote User tunnels can be created, and each tunnel can be designated as Black or Red.
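The Diffie-Hellman key exchange mentioned above, worked through in code. This is an added example written for this page, not Shiva's implementation and not code from the review. It assumes the 1024-bit MODP group from RFC 2409 (Oakley group 2, generator 2), transcribed here and checked at runtime with a Miller-Rabin safe-prime test so that a transcription slip fails loudly; it then expands the shared secret into a 168-bit (three-key) or 112-bit (two-key) triple-DES key with SHA-1. The party names, the counter-based derivation and the `DHParty`, `derive_3des_key` and `run_exchange` helpers are this example's own and do not describe the LanRover's SST or IPSec key-derivation steps.

```python
import hashlib
import secrets

# 1024-bit MODP prime from RFC 2409 (Oakley group 2), generator 2.
# Transcribed for this example; is_safe_prime() below verifies it at runtime,
# so a transcription error fails loudly instead of weakening the exchange.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2


def is_probable_prime(n, rounds=24):
    """Miller-Rabin test; error probability at most 4**-rounds for composite n."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p):
    """True when both p and (p-1)/2 are prime, as for the Oakley MODP groups."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


class DHParty:
    """One side of the exchange: the gateway or a remote client (example names)."""

    def __init__(self, name, p=P, g=G):
        self.name, self.p, self.g = name, p, g
        self.private = secrets.randbelow(p - 2) + 1   # x in [1, p-2], never sent
        self.public = pow(g, self.private, p)         # g^x mod p, sent in clear

    def shared_secret(self, peer_public):
        # Reject 0, 1 and p-1: a peer sending those forces a predictable secret
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid Diffie-Hellman public value")
        return pow(peer_public, self.private, self.p)


def set_des_parity(key_bytes):
    """DES keys carry one odd-parity bit per byte; set it on each byte."""
    out = bytearray()
    for b in key_bytes:
        seven = b & 0xFE
        out.append(seven | (0 if bin(seven).count("1") % 2 else 1))
    return bytes(out)


def derive_3des_key(shared, p, key_bits=168):
    """Expand the DH secret into a triple-DES key with SHA-1 (example KDF, not Shiva's)."""
    if key_bits not in (112, 168):
        raise ValueError("triple-DES keys are 112 or 168 bits")
    # Fixed-width encoding: a secret with leading zero bytes must derive the same key on both sides
    z = shared.to_bytes((p.bit_length() + 7) // 8, "big")
    material, counter = b"", 0
    while len(material) < 24:
        material += hashlib.sha1(z + counter.to_bytes(4, "big")).digest()
        counter += 1
    key = set_des_parity(material[:24])
    if key_bits == 112:
        key = key[:16] + key[:8]   # two-key variant: K3 = K1
    return key


def run_exchange(key_bits=168):
    """Both sides' messages: each sends only its public value over the Internet."""
    gateway, client = DHParty("gateway"), DHParty("remote-client")
    secret_at_gateway = gateway.shared_secret(client.public)
    secret_at_client = client.shared_secret(gateway.public)
    return (derive_3des_key(secret_at_gateway, P, key_bits),
            derive_3des_key(secret_at_client, P, key_bits))


if __name__ == "__main__":
    print("safe prime:", is_safe_prime(P))
    k_gw, k_cl = run_exchange()
    print("keys match:", k_gw == k_cl, "key length bits:", len(k_gw) * 8)
```

The public-value check in `shared_secret` is the detail worth noticing: unauthenticated Diffie-Hellman on its own does not identify the peer, which is why the review pairs it with RSA certificates or one of the other authentication methods for the tunnel endpoints.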
A Black tunnel terminates on the outside of the firewall and the traffic must then conform to the firewall rules before being allowed through (ideal for those you cannot trust completely). A Red tunnel is for fully trusted sites or clients, your own branch offices or employees for instance. Here, the tunnel terminates on the inside of the firewall, and thus provides full access to the protected network.

The final tab is concerned with Firewall rules. LanRover VPN Gateway incorporates a stateful inspection (dynamic packet filtering) firewall with inbound and outbound Network Address Translation (NAT). The firewall code operates at the network layer, making it very fast and secure. However, it is capable of maintaining full state information across all seven layers of the ISO reference model, allowing it to track the ongoing progress of all inbound and outbound connections. Unfortunately, creation of firewall rules is not for the faint-hearted, and a much more graphical "point and click" type of interface would be nice here, perhaps with some sample rules to cover the more common operations (such as outbound Web browsing). However, once you get to grips with it, it does the job adequately.

Together with the LanRover VPN Gateway, the VPN Client provides remote employees and partners with a means to gain transparent, yet completely secure access to your corporate network. Providing the same level of DES encryption (where allowed) as the gateway, the VPN Client requires no changes at all to existing applications at the client PC. Once a connection has been established, your PC behaves exactly as if it were connected directly to the remote network.

The LanRover VPN Gateway was reasonably straightforward to install and configure (given a degree of knowledge of firewalls and IP routing) and once installed, performed impeccably and completely transparently. It provides a good solution for SMEs, large corporates and ISPs alike.
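A small model of the Black/Red distinction and of the stateful filter behind it, added here as an illustration and not taken from the product or the review. The tunnel names, the addresses (RFC 5737 and RFC 1918 example ranges), the two rules and the `StatefulFirewall` and `VPNGateway` classes are all constructed for this example; the LanRover's real rule syntax is not shown on the page. It shows the point the review makes: the same packet is admitted unconditionally over a Red tunnel but has to satisfy the inbound rules over a Black one, and an outbound connection allowed by rule creates state that lets its reply back in.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int
    tunnel: Optional[str] = None   # tunnel the packet arrived over; None for plain Internet traffic


@dataclass(frozen=True)
class Tunnel:
    name: str
    colour: str   # "red": terminates inside the firewall; "black": outside it
    peer: str     # remote gateway or client address (constructed)


class StatefulFirewall:
    """Dynamic packet filter: rules decide new connections, a state table admits
    replies to connections already allowed. The rule syntax is this example's own."""

    def __init__(self, internal_net, rules):
        self.internal = ipaddress.ip_network(internal_net)
        self.rules = rules
        self.state = set()   # (src, sport, dst, dport) of allowed connections

    def direction(self, pkt):
        return "outbound" if ipaddress.ip_address(pkt.src) in self.internal else "inbound"

    def filter(self, pkt):
        # A reply reverses the tuple of a connection we have already allowed
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "allow (established)"
        for rule in self.rules:
            if rule["direction"] == self.direction(pkt) and rule["dport"] in ("any", pkt.dport):
                if rule["action"] == "allow":
                    self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule["action"]
        return "deny (default)"


class VPNGateway:
    """Models where each tunnel terminates relative to the firewall."""

    def __init__(self, firewall, tunnels):
        self.fw = firewall
        self.tunnels = {t.name: t for t in tunnels}

    def process(self, pkt):
        if pkt.tunnel is None:
            return self.fw.filter(pkt)   # untunnelled traffic always crosses the firewall
        tunnel = self.tunnels[pkt.tunnel]
        if tunnel.colour == "red":
            # Decrypted on the inside: full access to the protected network, no rule check
            return "allow (red tunnel, inside firewall)"
        # Black: decrypted on the outside, so the cleartext packet must satisfy
        # the same rules as any other packet arriving from the Internet
        return self.fw.filter(pkt)


def demo():
    """Constructed traffic through one gateway; all addresses are documentation ranges."""
    fw = StatefulFirewall("10.1.0.0/16", [
        {"direction": "outbound", "dport": 80, "action": "allow"},   # outbound web browsing
        {"direction": "inbound", "dport": 25, "action": "allow"},    # inbound mail to the relay
    ])
    gw = VPNGateway(fw, [
        Tunnel("branch-office", "red", "203.0.113.10"),   # own site: trusted
        Tunnel("partner", "black", "198.51.100.7"),       # business partner: filtered
    ])
    return {
        "branch_fileshare": gw.process(Packet("192.168.5.9", "10.1.0.20", 445, 40001, tunnel="branch-office")),
        "partner_fileshare": gw.process(Packet("172.16.0.5", "10.1.0.20", 445, 40002, tunnel="partner")),
        "partner_mail": gw.process(Packet("172.16.0.5", "10.1.0.25", 25, 40003, tunnel="partner")),
        "internet_fileshare": gw.process(Packet("203.0.113.77", "10.1.0.20", 445, 40004)),
        "web_out": gw.process(Packet("10.1.0.30", "203.0.113.50", 80, 50000)),
        "web_reply": gw.process(Packet("203.0.113.50", "10.1.0.30", 50000, 80)),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20s} {decision}")
```

The design point the model makes visible is that a Red tunnel extends the trust boundary to the whole remote network behind the peer: anything reachable there arrives on the inside without a rule check, so the decision between Red and Black is a statement about how far the remote site's own controls are trusted, not just about convenience.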
Verdict

Whilst the firewall portion of the product is fairly basic, the VPN side is extremely powerful and flexible, particularly when combined with the Certificate Authority software. The ability to terminate tunnels inside or outside the firewall is a very attractive feature, and performance is excellent too, thanks to the high-speed interfaces and dedicated crypto accelerator card.

Contact: Shiva UK