A new twist on familiar technologies
- By William Jackson
- Feb 07, 2007
SAN FRANCISCO - If you are in charge of protecting a network, you know the value of being able to adapt quickly. A number of exhibitors at this week's RSA security conference are showing off some new tricks they have taught to some familiar dogs.
Array Networks Inc. of Milpitas, Calif., is demonstrating a site-to-site capability it has added to its SSL virtual private network for remote access.
"This is the first time a vendor has used SSL VPN technology to provide commercial site-to-site deployment," said marketing VP Jim Greenway. The new configuration enables granular access control to network resources no matter where the user is connecting from, Greenway said.
And speaking of VPNs, Mistletoe Technologies Inc. of Cupertino, Calif., is demonstrating a 2Gbps VPN firewall that uses its custom purpose security processor to shrink the appliance from a 2U rack-mounted box to a single card powered over Ethernet.
"Mistletoe has developed an architecture that is tuned for layers 4 through 7 processing at gigabit speeds," said Michael McDonald, another marketing VP.
The Reloadable Direct eXecution architecture lets the chip do parallel processing more than 10 times faster than a general-purpose chip at a relatively low clock speed of 250 MHz. The result is more efficient processing without having to load-balance traffic flows to multiple processors in a server.
The improved performance comes from using 16 Direct Execution Engines to do parallel processing on one chip rather than the sequential 'if-then' process chips typically perform. This reduces the overhead needed to process packets and eliminates the need for an onboard operating system.
The purpose-built chip has been available about six months and is being used by a number of equipment manufacturers. The 2Gbps VPN firewall being demonstrated is not yet an available product, but a similarly compact 200Mbps version will be available in May.
"We're shrinking back the performance of an enterprise class product for the small- and medium-sized business," Greenway said.
Array's new site-to-site feature, called Site2Site, will be an add-on to its SPX series of SSL VPNs.
SSL VPNs, which use Secure Sockets Layer encryption to create a secure tunnel, have been gaining ground for some years on the traditional IPSec VPN. SSL's advantage is that browsers already support SSL, so it requires little or no additional client software, making it simpler to deploy, configure and maintain.
Array's SPX series of VPNs, the 2000, 3000 and 5000, support traditional remote connections. Site2Site will support secure connections between applications, hosts or networks at any location. The big selling point of Site2Site is the ability to control the network resources a user can access. Rather than allowing unfettered access to the network, a feature called Resource Publishing lets administrators set policies mapping users to specific resources. The Site2Site feature can be used on remote access connections or on gateway-to-gateway connections.
The SPX 5000 SSL VPN, which supports up to 64,000 concurrent sessions, and the 3000, which supports up to 2,500 concurrent sessions, already are FIPS-140-2 compliant, so the new Site2Site feature will be available for government users.
Greenway said Array expects a lot of interest in Site2Site from government as a replacement for existing IPSec VPNs. "We think there is a migration that is set to begin pretty soon."
William Jackson is a Maryland-based freelance writer.