Alcatel-Lucent VPN Firewall Brick
Hello all,

Looking for input on Alcatel-Lucent VPN Firewall Brick. I can look up spec and other published information but, as always, the devil is in the detail and you just never know what wall you run into until you actually try it, so I wanted to see if anyone has used this and can point out good/bad things about this device.

Our other option is Cisco IOS router right now. Are there better options than these two?

If there is a better forum to post this question, my apologies. Please direct me to the right place. :)

Our goal: We want to provide managed firewall/VPN for Colo/DIA customers.

Our specific requirements are
- Able to provide VRF/virtual router per customer since address range can overlap between customers.
- Able to do client based VPN to the inside network. It could be IPSec or SSL. It has to support Vista/Win7-x64
- Able to do site to site VPN with various devices. (Cisco,
- Can rate limit traffic in and out.
- Control NAT per customer instance.
- Stateful firewall per customer instance.
- Good logging

Thanks!
On Mon, 26 Oct 2009, Jay Nakamura wrote:
> Looking for input on Alcatel-Lucent VPN Firewall Brick. I can look up spec and other published information but, as always, the devil is in the detail and you just never know what wall you run into until you actually try it, so I wanted to see if anyone has used this and can point out good/bad things about this device.
>
> Our other option is Cisco IOS router right now. Are there better options than these two?
Fair warning: v6 honestly seems to have caught most firewall vendors with their pants down.

I've had Lucent Bricks hanging around here in various capacities for some time, and have been involved in several bake-offs to some degree. Granted, the bricks we have are older models (1100s, mostly). We're looking at some new options as well, as a number of ours are going EOL soon.

Good:
* The code and a basic config is very small - just enough to get it on the network to communicate with the LSMS server and download its full config.
* Support is reasonably responsive.
* Rule changes can be staged pretty easily in the LSMS, and then the changes can be applied later, if you only do changes during maintenance windows.
* IPSEC LAN-to-LAN VPN interoperability is pretty good. It can take a few tweaks to get things working with different vendors, but I've gotten VPNs working with Cisco routers, Cisco PIX/ASAs, Linksys, Checkpoint, Netscreen, etc...
* It does do TCP state enforcement (can be disabled) and you can configure the timeout if you enable enforcement.
* It does layer-2 firewalling, if you need it.
* Does partitions, which provides VRF-like functionality.
* Rate limiting and NAT are supported, but I don't know how robust the NAT support is - we don't use it.
* Logging is fairly robust but somewhat cryptic - it's not in a standard syslog format. Writing a script to parse the logs and make them a little more human-friendly or convert them into a syslog format would be pretty straightforward. Newer versions of LSMS might provide the option of logging in a syslog-compatible format.

Bad:
* Without the LSMS server(s), the Bricks are, quite literally, bricks. All of the management has to be done through the LSMS and its Windows-only GUI. There is a command-line interface, but it is not very robust. Newer versions of LSMS might have a web front-end, but I don't know for sure. If there is a web front-end to LSMS, the trick is finding out if it has feature parity with the Windows GUI (has presented an issue with other Lucent products).
* Licensing can be a PITA.
* Last time I looked at the IPSEC VPN client, it did not support Vista or 64-bit XP. I haven't looked into this in a long time, as we do not use the Bricks for landing client VPNs. It's possible that Lucent has SSL VPN capabilities now. No idea if they support Windows 7 yet.
* If things start failing or hanging in neat and interesting ways, more often than not, the issue can be fixed by restarting LSMS :)
* IPv6 support plans are unknown at this time. Since we're migrating away from this platform, I haven't looked into Lucent's position on this.

I don't know if the newer models do 10G yet, but that might be worth checking if you plan to firewall customers who need lots of bandwidth.

We can talk offline if you want to discuss in more detail.

jms
> If there is a better forum to post this question, my apologies. Please direct me to the right place. :)
>
> Our goal:
> We want to provide managed firewall/VPN for Colo/DIA customers.
>
> Our specific requirements are
> - Able to provide VRF/virtual router per customer since address range can overlap between customers.
> - Able to do client based VPN to the inside network. It could be IPSec or SSL. It has to support Vista/Win7-x64
> - Able to do site to site VPN with various devices. (Cisco,
> - Can rate limit traffic in and out.
> - Control NAT per customer instance.
> - Stateful firewall per customer instance.
> - Good logging
>
> Thanks!
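Justin's point above that the Brick's logs are not in a standard syslog format, and that a script to convert them would be straightforward, is the kind of thing worth sketching before committing to a platform. The block below is an added example of such a converter; it is not code from the thread, from the Brick, or from LSMS. Because the real Brick log layout is not shown anywhere in this thread, it assumes a constructed key=value line layout (documented in the comments, with sample lines that are likewise constructed) and emits RFC 5424 syslog messages, counting rather than crashing on lines it cannot parse.

```python
import re
from datetime import datetime, timezone

# ASSUMED input layout, constructed for this example (not the real Brick/LSMS
# format, which is not shown in the thread):
#   <epoch-seconds> <partition> <PASS|DROP|REJECT> proto=<n> src=<ip>:<port> dst=<ip>:<port> rule=<id>
LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<zone>\S+)\s+(?P<action>PASS|DROP|REJECT)\s+(?P<kv>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp", "58": "icmpv6"}

# Syslog PRI = facility * 8 + severity; local4 (20) for the firewall feed,
# informational (6) for permitted traffic, warning (4) for denied traffic.
FACILITY = 20
SEVERITY = {"PASS": 6, "DROP": 4, "REJECT": 4}

# Field order inside the RFC 5424 structured-data element. 32473 is the
# enterprise number reserved for documentation (RFC 5612); a real deployment
# would use its own registered number.
SD_KEYS = ("zone", "action", "proto", "src", "src_port", "dst", "dst_port", "rule")


def split_endpoint(value):
    """Split 'ip:port' or '[ipv6]:port' into (ip, port); port is '' if absent."""
    if value.startswith("["):  # bracketed IPv6 literal
        host, _, port = value[1:].partition("]:")
        return host, port
    if value.count(":") == 1:  # plain IPv4 host:port
        host, _, port = value.partition(":")
        return host, port
    return value, ""  # bare address (IPv4 or unbracketed IPv6)


def fmt_endpoint(host, port):
    """Render host:port, bracketing IPv6 hosts so the colons stay unambiguous."""
    return f"[{host}]:{port}" if ":" in host else f"{host}:{port}"


def parse_line(line):
    """Return a dict of fields, or None when the line does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields.update(KV_RE.findall(fields.pop("kv")))
    for key in ("src", "dst"):
        if key in fields:
            fields[key], fields[key + "_port"] = split_endpoint(fields[key])
    fields["proto"] = PROTO_NAMES.get(fields.get("proto"), fields.get("proto", "?"))
    return fields


def sd_escape(value):
    """Escape the three characters RFC 5424 requires escaping in a PARAM-VALUE."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(fields, hostname="brick-1", app="brick"):
    """Render parsed fields as one RFC 5424 syslog message."""
    pri = FACILITY * 8 + SEVERITY.get(fields["action"], 5)
    stamp = datetime.fromtimestamp(int(fields["ts"]), tz=timezone.utc).strftime(
        "%Y-%m-%dT%H:%M:%SZ"
    )
    params = " ".join(f'{k}="{sd_escape(fields[k])}"' for k in SD_KEYS if k in fields)
    msg = (
        f"{fields['action']} {fields['proto']} "
        f"{fmt_endpoint(fields.get('src', '?'), fields.get('src_port', '?'))} -> "
        f"{fmt_endpoint(fields.get('dst', '?'), fields.get('dst_port', '?'))} "
        f"rule {fields.get('rule', '?')}"
    )
    return f"<{pri}>1 {stamp} {hostname} {app} - - [fw@32473 {params}] {msg}"


def convert_lines(lines):
    """Convert raw lines; return (syslog messages, count of unparsable lines).

    Unparsable lines are counted instead of raising, so one odd line cannot
    stall the feed; a production forwarder would pass them through raw.
    """
    out, rejected = [], 0
    for line in lines:
        if not line.strip():
            continue
        fields = parse_line(line)
        if fields is None:
            rejected += 1
            continue
        out.append(to_syslog(fields))
    return out, rejected


# Constructed sample input (not real Brick output).
SAMPLE_LOG = """\
1256572800 cust-a DROP proto=6 src=203.0.113.10:51000 dst=192.0.2.5:22 rule=17
1256572801 cust-b PASS proto=17 src=198.51.100.7:5353 dst=192.0.2.9:53 rule=4
1256572802 cust-b PASS proto=6 src=[2001:db8::10]:40000 dst=[2001:db8::1]:443 rule=9
this line is garbage and must be counted, not crash the converter
"""

if __name__ == "__main__":
    messages, bad = convert_lines(SAMPLE_LOG.splitlines())
    for m in messages:
        print(m)
    print(f"{len(messages)} converted, {bad} rejected")
```

The per-customer partition name travels in the structured-data element rather than only in the free-text message, which is what makes the converted feed usable for per-customer filtering on a collector; the PRI mapping (denied traffic as warning, permitted as informational) is a choice for this example and should follow whatever the receiving SIEM expects.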
On Mon, Oct 26, 2009 at 12:36 PM, Justin M. Streiner <streiner@cluebyfour.org> wrote:
> On Mon, 26 Oct 2009, Jay Nakamura wrote:
>> Looking for input on Alcatel-Lucent VPN Firewall Brick. I can look up spec and other published information but, as always, the devil is in the detail and you just never know what wall you run into until you actually try it, so I wanted to see if anyone has used this and can point out good/bad things about this device.
>>
>> Our other option is Cisco IOS router right now. Are there better options than these two?
>
> Fair warning: v6 honestly seems to have caught most firewall vendors with their pants down.

I'm not really sure that in the year 2009 that's a fair thing to still expect... honestly ipv6 has been in 'production' for ~7 years; for a CPE deployment it's certainly been to the point where it should be included by default.

-1 alcalu :(

-Chris
On Mon, 26 Oct 2009, Christopher Morrow wrote:
> On Mon, Oct 26, 2009 at 12:36 PM, Justin M. Streiner <streiner@cluebyfour.org> wrote:
>> On Mon, 26 Oct 2009, Jay Nakamura wrote:
>>> Looking for input on Alcatel-Lucent VPN Firewall Brick. I can look up spec and other published information but, as always, the devil is in the detail and you just never know what wall you run into until you actually try it, so I wanted to see if anyone has used this and can point out good/bad things about this device.
>>>
>>> Our other option is Cisco IOS router right now. Are there better options than these two?
>>
>> Fair warning: v6 honestly seems to have caught most firewall vendors with their pants down.
>
> I'm not really sure that in the year 2009 that's a fair thing to still expect... honestly ipv6 has been in 'production' for ~7 years; for a CPE deployment it's certainly been to the point where it should be included by default.
>
> -1 alcalu :(

I don't know about AL's v6 status because I'm in the process of migrating away from them, and have been in the process of lots of due diligence with vendors in the past 6-ish months. v6 support is pretty high on our list of 'must have' items. I've been pretty disappointed with the response from most vendors. Many of those have been along the lines of:

"Yeah... our v6 code should be out of customer trials in Q2 2010..."

"We do v6 in software today, and the next spin of XYZ hardware will do it in the ASICs..."

"We're working some kinks out, so the box forwards X pps of v6 today (let Y = the amount of v4 traffic the box can handle, let X = some amount significantly lower than Y), but we should have all of that sorted out in the next major code release and be able to handle Y pps of v6 then."

"The firewall handles v6 today, but v6 support in the management front-end is still baking. Should be ready to go in the next release."

Vendor responses to my "v6 has been around for about 10 years... why is all of this only happening *now*?" questions have largely been along the lines of "Customers only started asking for or requiring v6 support in the last X months/years...". This gets us back to chicken-and-egg time. I can understand their position to a degree, i.e. why waste resources on things that customers aren't requesting (read: won't compel them to buy more/bigger hardware or renew/upgrade support contracts)? This might have been a somewhat valid position several years ago, but v6 as a necessity has been on many customers' radars for several years now. Frankly, not having fully baked v6 support today is pretty much inexcusable IMHO.

jms
Hello,

I am working for a French ISP; we are working with this product in order to provide a firewall for our VRF customers.

Quickly:

Used for:
* Firewall / NAT for IPV4 VRF
* Rate limit bandwidth & sessions
* A little logging

Pro:
* stable
* ipsec & pptp passthrough

Cons:
* ugly java interface

Really good feedback to provide. If you need further detail I can share.

Eric

-----Original Message-----
From: Jay Nakamura [mailto:zeusdadog@gmail.com]
Sent: Monday, 26 October 2009 16:56
To: NANOG
Subject: Alcatel-Lucent VPN Firewall Brick

> Hello all,
>
> Looking for input on Alcatel-Lucent VPN Firewall Brick. I can look up spec and other published information but, as always, the devil is in the detail and you just never know what wall you run into until you actually try it, so I wanted to see if anyone has used this and can point out good/bad things about this device.
>
> Our other option is Cisco IOS router right now. Are there better options than these two?
>
> If there is a better forum to post this question, my apologies. Please direct me to the right place. :)
>
> Our goal: We want to provide managed firewall/VPN for Colo/DIA customers.
>
> Our specific requirements are
> - Able to provide VRF/virtual router per customer since address range can overlap between customers.
> - Able to do client based VPN to the inside network. It could be IPSec or SSL. It has to support Vista/Win7-x64
> - Able to do site to site VPN with various devices. (Cisco,
> - Can rate limit traffic in and out.
> - Control NAT per customer instance.
> - Stateful firewall per customer instance.
> - Good logging
>
> Thanks!
Participants (4): Christopher Morrow, Eric RICHARD, Jay Nakamura, Justin M. Streiner