streiner at cluebyfour
Oct 26, 2009, 9:36 AM
Post #2 of 5
(535 views)
Permalink
|
On Mon, 26 Oct 2009, Jay Nakamura wrote:
> Looking for input on Alcatel-Lucent VPN Firewall Brick. I can look up
> spec and other published information but, as always, the devil is in
> the detail and you just never know what wall you run into until you
> actually try it so I wanted to see if anyone has used this and can
> point out good/bad things about this device.
>
> Our other option is Cisco IOS router right now. Are there better
> options than these two?
Fair warning: v6 honestly seems to have caught most firewall vendors with
their pants down.
I've had Lucent Bricks hanging around here in various capacities for some
time, and have been involved in a several bake-offs to some degree.
Granted, the bricks we have are older models (1100s, mostly). We're
looking at some new options as well as a number of ours are going EOL
soon.
Good:
* The code and a basic config is very small - just enough to get it on the
network to communicate with the LSMS server and download its full
config.
* Support is reasonably responsive.
* Rule changes can be staged pretty easily in the LSMS, and then the
changes can be applied later, if you only do changes during maintenance
windows.
* IPSEC LAN-to-LAN VPN interoperability is pretty good. It can take a few
tweaks to get things working with different vendors, but I've gotten
VPNs working with Cisco routers, Cisco PIX/ASAs, Linksys, Checkpoint,
Netscreen, etc...
* It does do TCP state enforcement (can be disabled) and you can configure
the timeout if you enable enforcement.
* It does layer-2 firewalling, if you need it.
* Does partitions, which provides VRF-like functionality.
* Rate limiting and NAT are supported, but I don't know how robust the NAT
support is - we don't use it.
* Logging is fairly robust but somewhat cryptic - it's not in a standard
syslog format. Writing a script to parse the logs and make them a
little more human-friendly or convert them into a syslog format would be
pretty straightforward. Newer versions of LSMS might provide the option
of logging in a syslog-compatible format.
Bad:
* Without the LSMS server(s), the Bricks are, quite literally, bricks.
All of the management has to be done through the LSMS and its Windows-
only GUI. There is a command-line interface, but it is not very robust.
Newer versions of LSMS might have a web front-end, but I don't know for
sure. If there is a web front-end to LSMS, the trick is finding out if
it has feature parity with the Windows GUI (has presented an issue with
other Lucent products).
* Licensing can be a PITA.
* Last time I looked at the IPSEC VPN client, it did not support Vista or
64-bit XP. I haven't looked into this in a long time, as we do not use
the Bricks for landing client VPNs. It's possible that Lucent has SSL
VPN capabilities now. No idea if they support Windows 7 yet.
* If things start failing or hanging in neat and interesting ways, more
often than not, the issue can be fixed by restarting LSMS :)
* IPv6 support plans are unknown at this time. Since we're migrating
away from this platform, I haven't looked into Lucent's position on
this.
I don't know if the newer models do 10G yet, but that might be worth
checking if you plan to firewall customers who need lots of bandwidth.
We can talk offline if you want to discuss in more detail.
jms
> If there is a better forum to post this question, my apologies.
> Please direct me to the right place. :)
>
> Our goal :
>
> We want to provide managed firewall/VPN for Colo/DIA customers.
>
> Our specific requirements are
> - Able to provide VRF/virtual router per customer since address range
> can overlap between customers.
> - Able to do client based VPN to the inside network. It could be
> IPSec or SSL. It has to support Vista/Win7-x64
> - Able to do site to site VPN with various devices.(Cisco,
> - Can rate limit traffic in and out.
> - Control NAT per customer instance.
> - Stateful firewall per customer instance.
> - Good logging
>
>
> Thanks!
>
>
|
