TimeStep's built-in certificate authority simplifies VPN planning
- By Tadesse Giorgis
- Mar 29, 1999
Easy configuration and solid security features distinguish
TimeStep Corp.'s newest Permit/Gate 4520 virtual private networking device.
It has a built-in certificate authority (CA) that greatly simplifies configuration of
multiple VPNs. A network manager enters the configuration information once into a central
CA, and it downloads to each VPN device coming online.
Permit/Gate 4520 also supports more encryption algorithms than any other current VPN
product. The earlier version from TimeStep of Kanata, Ontario, was one of the slowest in
National Software Testing Laboratories Inc.'s 1998 VPN tests [GCN, Jan. 25, Page 27].
Secure VPNs are becoming indispensable to connect branch offices and telecommuters to
headquarters networks via the Internet. Tapping into the Internet is a low-cost
alternative to leased-line WAN connections. Through its International Computer Security
Association Inc.-certified IPSec implementation, TimeStep's Permit Enterprise family
extends network security further.
The Permit/Director Suite consists of Permit/Director, Permit/Config, Entrust/Manager
and Entrust/Directory. It manages protected resources within a secure VPN. An integrated
public-key infrastructure from Entrust Technologies Inc. of Richardson, Texas, enables
multiple secure VPNs under one or more PKIs.
Permit/Director Suite has a Lightweight Directory Access Protocol-compliant X.500
The Permit/Gate hardware-based gateway products secure data communications over
intranets, extranets and Internet remote access. They can encrypt by the Data Encryption
Standard, Triple DES and several other algorithms.
NSTL tested the Permit/Gate 4520 VPN gateway for security, ease of
management and performance. The test bed modeled a LAN-to-LAN 10-Mbps Ethernet connection
with a matched pair of Permit/Gate 4520 VPN devices, one at each end.
NSTL sent unidirectional traffic from a station on one subnet to a station on the
other. The VPN devices on each subnet did not route, but they did handle authentication
The laboratory configured the VPN settings to tunnel traffic using IPSec's
Encapsulating Security Payload. NSTL applied Triple DES to each packet and authenticated
packets using a keyed Secure Hash Algorithm 1 (HMAC-SHA-1) integrity check.
The traffic went over an Internet connection simulated by a 3640 WAN router from Cisco
Systems Inc. of San Jose, Calif., and passed through the 4520 VPN devices on each subnet.
NSTL measured throughput for three packet sizes (64, 512 and 1,024 bytes) using
the Shomiti Explorer/Surveyor protocol analyzer and packet generator from Shomiti Systems
Inc. of San Jose, Calif., and the Sniffer Basic analyzer from Network Associates Inc. of
Santa Clara, Calif.
The Explorer hardware module generated the traffic being offered to the network, while
the Surveyor module crafted TCP packets and set their size.
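Why throughput depends so strongly on packet size becomes clear once the fixed per-packet cost of the tested configuration (ESP tunnel mode with Triple DES and HMAC-SHA-1) is written out. The following calculator is an added example, not code from the article or from TimeStep; it applies the standard ESP tunnel-mode layout (RFC 2406), the 8-byte 3DES-CBC IV and block size (RFC 2451) and the 96-bit truncated HMAC-SHA-1 ICV (RFC 2404) to the three inner packet sizes NSTL used. It assumes the 64/512/1,024-byte figures are inner IP packet lengths, a 1,500-byte link MTU and standard Ethernet framing; those assumptions are marked in the comments.

```python
"""Expected on-the-wire cost of IPsec ESP tunnel mode with 3DES-CBC and
HMAC-SHA-1-96, for the packet sizes used in the NSTL throughput test.
Added example; constants follow RFC 2406, RFC 2451 and RFC 2404."""

OUTER_IP_HDR = 20   # new IPv4 header added in tunnel mode (no options)
ESP_HDR = 8         # SPI (4 bytes) + sequence number (4 bytes)
IV_LEN = 8          # 3DES-CBC initialisation vector, one cipher block
BLOCK = 8           # 3DES block size; the encrypted part is padded to it
ESP_TRAILER = 2     # pad length (1) + next header (1), inside the encrypted part
ICV_LEN = 12        # HMAC-SHA-1-96: SHA-1 MAC truncated to 96 bits
MTU = 1500          # assumed MTU of the simulated WAN link
ETH_FRAMING = 38    # assumed Ethernet cost per frame: hdr 14 + FCS 4 + preamble 8 + IFG 12


def esp_padding(inner_len):
    """Pad bytes so that payload + pad + trailer is a multiple of BLOCK."""
    return (-(inner_len + ESP_TRAILER)) % BLOCK


def esp_tunnel_size(inner_len):
    """Outer IP packet length produced for an inner IP packet of inner_len bytes."""
    encrypted = inner_len + esp_padding(inner_len) + ESP_TRAILER
    return OUTER_IP_HDR + ESP_HDR + IV_LEN + encrypted + ICV_LEN


def efficiency(inner_len):
    """Fraction of each outer packet that is the original (inner) packet."""
    return inner_len / esp_tunnel_size(inner_len)


def needs_fragmentation(inner_len, mtu=MTU):
    """True if the encapsulated packet exceeds the link MTU and will be fragmented."""
    return esp_tunnel_size(inner_len) > mtu


def max_goodput_bps(inner_len, link_bps=10_000_000):
    """Upper bound on inner-packet bits/s on a link_bps link, counting the
    Ethernet framing of every ESP packet (assumes no fragmentation)."""
    wire_bytes = esp_tunnel_size(inner_len) + ETH_FRAMING
    return link_bps * inner_len / wire_bytes


def report(sizes=(64, 512, 1024, 1500)):
    """Per-size summary: (inner, pad, outer, efficiency, fragmented, goodput bps)."""
    return [(n, esp_padding(n), esp_tunnel_size(n), round(efficiency(n), 3),
             needs_fragmentation(n), int(max_goodput_bps(n))) for n in sizes]


if __name__ == "__main__":
    print("inner  pad  outer  eff    frag   max goodput (bps)")
    for row in report():
        print("%5d  %3d  %5d  %.3f  %-5s  %d" % row)
```

A 64-byte packet carries 56 bytes of ESP overhead and so spends almost half the wire on encapsulation, while a 1,024-byte packet loses about 5 percent; that is why generators are run at several sizes. The last row shows the other edge case a tester should watch for: an MTU-sized inner packet no longer fits the link after encapsulation and is fragmented, which shows up as extra packets and, on a lossy path, as lost reassemblies rather than raw throughput.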
To evaluate security, NSTL used SafeSuite 5.6.2 from Internet Security Systems Inc. of
Atlanta. SafeSuite 5.6.2 revealed a low-severity traceroute exposure and a medium-severity
TCP sequence number prediction vulnerability on the two IP subnets.
To evaluate ease of management, NSTL performed hands-on configuration of the
Permit/Gate 4520 devices. Permit/Gate 4520's greatest gain was in
performance. In the new tests, packet loss was minimal.
Tadesse Giorgis is a senior test engineer at National Software Testing Laboratories
Inc. of Conshohocken, Pa.