
Quarry, NetScreen Ace the Test

Woody Allen once said that 80 percent of life is showing up. That certainly rings true for last month's carrier-grade IPSec VPN test, paid for by Light Reading and run by Network Test Inc. with Spirent Communications test equipment (see Carrier-Class IPSec: the Bigger the Better).

When we asked ten vendors to step up and prove that their IPSec VPN devices were up to the carrier test, only recently public NetScreen Technologies Inc. (Nasdaq: NSCN) and startup Quarry Technologies Inc. showed up (see Quarry Wins LR VPN Test). Although Quarry edged out NetScreen in the test, both showed impressive results, with throughput rates ten times faster than most CPE-based IPSec gateways. They set new speed records, ran at Gigabit Ethernet line rates, and scaled to support thousands of concurrent tunnels.

Notable industry players such as Cisco Systems Inc. (Nasdaq: CSCO), CoSine Communications Inc. (Nasdaq: COSN), Lucent Technologies Inc. (NYSE: LU), and Nortel Networks Corp. (NYSE/Toronto: NT) were invited to the test but chose not to participate. The reasons were varied, but most vendors declined either because the test methodology was not to their liking or because they didn't want to allocate resources to the project (see No Shows).

"The primary reason that CoSine chose not to participate was that it didn't want to test for just a single customer instance," a spokesperson for the company says.

“We didn’t have the resources to commit during that time frame,” Ann Fuller, a spokesperson for Nortel, says, “because the resources were being used on customer trials.”

Despite the excuses, such actions may not be perceived well by the public. A past Research Poll by Light Reading indicates that 39% of readers surveyed believe that when vendors don't show up for tests, it's usually because they're afraid they won't perform well.

The test concentrated on IPSec-based VPNs (virtual private networks), because the alternatives, Multiprotocol Label Switching (MPLS)-based VPNs and the Internet Engineering Task Force (IETF)'s MPLS Martini extensions, are simply not secure enough. IPSec VPNs, on the other hand, offer strong security. Still, finding ones that are carrier-class can be a challenge. Most IPSec VPNs are intended for use on customer premises equipment (CPE) and don't come close to scaling to carrier-class levels.

Both Quarry's iQ4000 and the NetScreen-5200 proved to be up to the test, offering high levels of security and carrier-class performance. Of course, there were differences between devices -- not least, their intended use. NetScreen’s device is a purpose-built VPN gateway, while Quarry’s box is a switch/router that happens to support IPSec. The test found pros and cons with each device. While the 5200 cost less than the iQ4000 and set up far more concurrent tunnels (see Scaling Up), Quarry finally stole the show with higher throughput in most tests, full redundancy of components, and an intuitive, powerful management platform (see Inside the CO, Speed Demons, Management Material).

The test of the two gateways was grueling. By pounding them with traffic from a Spirent SmartBits analyzer with Gigabit Ethernet interfaces and asking them to send various packet sizes at gigabit speed, the test aimed to get at the devices' real performance numbers. When bragging about performance, many vendors tout throughput numbers obtained in less-than-stressful network situations (see Lies, Damn Lies, and Vendor Specs). It is, for instance, easier to achieve high throughput by using larger packets and weaker encryption and message authentication.

Both devices set new speed records, but one of the major differentiators in the test was the throughput with 1,518-byte frames. While Quarry managed a throughput of 875.3 Mbit/s, NetScreen’s throughput dropped to only 276.6 Mbit/s. In addition, Quarry’s results were by far the most impressive when handling 64-byte frames, which it moved at 540.0 Mbit/s -- close to the theoretical maximum rate for IPSec in ESP tunnel mode.

“This suggests that Quarry gateways can handle short frames -- and transaction-intensive applications that use them, such as databases -- with no throughput penalty,” David Newman, president of Network Test, writes in the report.

All in all, Quarry notched up an impressive victory, but Newman also gave props to NetScreen for making it to the test and showing some good results.

— Eugénie Larson, Reporter, Light Reading
http://www.lightreading.com
H-Burger 12/4/2012 | 10:16:12 PM
re: Quarry, NetScreen Ace the Test interesting that in the same poll as to why vendors don't show up that 16% of people suspected that Vendor doesn't have a product ready for commercial use and 21% made the cryptic statement that vendor wants to discourage comparison with competing products
tjs 12/4/2012 | 10:16:11 PM
re: Quarry, NetScreen Ace the Test The simple facts....

1. Quarry is inches from startup death, they have no REAL customers, and the management team is a JOKE. In short they are dead.

2. Tolly will write anything he is paid to write.

Tom
sigint 12/4/2012 | 10:16:03 PM
re: Quarry, NetScreen Ace the Test The simple facts....

1. Quarry is inches from startup death, they have no REAL customers, and the management team is a JOKE. In short they are dead.

2. Tolly will write anything he is paid to write.

Tom
__________________________________________________

What you say could be true - doesn't necessarily mean the product isn't any good.

A group of engineers developed a product that many companies with 'good managements' wouldn't dare compete against. I would applaud that effort.
wackitabacki 12/4/2012 | 10:16:02 PM
re: Quarry, NetScreen Ace the Test It's nice to see that in these uncertain times
in networking that the cynics have all pulled together in order to drag everyone else down.
Granted, if you were a competitor of either one
of these companies (tjs?), maybe you would have
reason to pigeonhole any of their successes. If not, what a loathsome and miserable human being
you must be.
I'm not familiar with the management of
either one of these companies, but I continually
read on these pages about all star management
teams that do not even make it to where these
companies are. What's up with that?
NanC 12/4/2012 | 10:16:02 PM
re: Quarry, NetScreen Ace the Test Tom, you bozo, this was a competitive test sponsored by Light Reading, not a Tolly test.
Kangaroo 12/4/2012 | 10:16:01 PM
re: Quarry, NetScreen Ace the Test Eugénie Larson, Reporter, Light Reading wrote

....The test concentrated on IPSec-based VPNs (virtual private networks), because the alternatives, Multiprotocol Label Switching (MPLS) -based VPNs and the Internet Engineering Task Force (IETF)'s MPLS Martini extensions, are simply not secure enough......
________________________________________________

Eugénie or anyone,

Please help me out here, my understanding is that MPLS is as secure as an ATM or a Frame Relay, is this not correct ?

If MPLS VPN "are simply not secure enough" why are they being deployed ?
asmo 12/4/2012 | 10:16:00 PM
re: Quarry, NetScreen Ace the Test Yes, using MPLS as a VPN technology is as secure as existing ATM/Frame Relay technology. I don't understand why some people present MPLS and IPSEC as technologies that are exclusive to each other.

If a company wants to use IPSEC on their traffic and then use MPLS as a VPN technology there is nothing stopping them. But if a company is happy enough with the security provided by ATM/FR based VPNs they are not losing any security benefits by switching to L3VPNs or L2VPNs.

Asmo
CarrierClass 12/4/2012 | 10:15:59 PM
re: Quarry, NetScreen Ace the Test Please help me out here, my understanding is that MPLS is as secure as an ATM or a Frame Relay, is this not correct ?
________________________________

Yes you are correct, MPLS offers security comparable to Frame Relay and ATM.

However, this level of security is not adequate for certain customers, e.g. banks, military, etc. In fact, there is a legal requirement that certain types of data must be encrypted when being transmitted over a shared infrastructure.

Edge boxes from vendors like Quarry, Netscreen, and Cosine, allow the service provider to offer IPsec encryption as an additional service on top of basic VPN connectivity.

However, it is yet to be seen how large the market for outsourced IPsec services is. Many large organizations only want a pipe to send their data down and want to handle the encryption themselves - they would not trust a service provider to manage encryption for them.
foptix 12/4/2012 | 10:15:53 PM
re: Quarry, NetScreen Ace the Test MPLS security is comparable to ATM and FR, and the only likely threats involve using some form of attack against MPLS router control plane. Exactly similar attacks can be foreseen against IPSEC tunneled operator VPNs.

With respect to IPSEC in operator edge devices, I do not believe that this adds any real security. In this model, the traffic will be encrypted after the subscriber access link, which is and is likely to remain the simplest point for the attacker to tap (physically) onto. The E2E security of the operator IPSEC does not really add anything but huge equipment cost and IPSEC management complexity components over the MPLS tunnel based VPNs.
SeaW 12/4/2012 | 10:15:46 PM
re: Quarry, NetScreen Ace the Test MPLS and IPsec are both useful VPN technologies and each has its own advantages (most notably traffic engineering for MPLS and encryption for IPsec). Encryption does make IPsec more secure, but Asmo has the right idea suggesting that they could be used together to get the best of both worlds. Both technologies are experiencing rapid growth in provider networks, however IPsec is also more mature and, as such, is currently far more widely deployed.

With regard to using IPsec encryption at the edge of the provider's network, it often makes a great deal of sense, and could add real value for many subscribers. For example, my company's point-to-point T1 access link to the Internet is far more secure than the Internet itself. As such, I'm not concerned about encryption until my interoffice traffic reaches the first service edge router on the shared IP network (and I'm happy not to have to monkey around with a CPE VPN device). Similarly, my circuit-switched dial-up connection from home to my ISP is relatively safe, but once my traffic hits my ISP's first router it's much more likely to be exposed to security risks. Encrypting it there at the provider edge and tunneling it back to service edge router closest to my office keeps it safe and makes life easier for me.

SeaW