I have been using several Nortel Contivity Switches for almost 2 years.
They have several options you can use, some are included, some are extra:
1) VPN - Obviously included. Ability to add filters on tunnels to limit
protocols over the tunnel. Also has ability to use not just IPSEC but PPTP
(Microsoft) as well. Some others are also supported. Has RADIUS support
as well. It uses an internal LDAP server for storing user info. It touts
that it can use an external LDAP server (Netscape's), which it can, HOWEVER,
without some magic you can't export your Contivity directory under an
existing one. You still must manage it from the switch's web interface
even though it resides externally on a Netscape Directory Server. For
instance, you have a Netscape Directory Server with a corporate
directory. You export your Contivity directory under this external
tree. The Contivity tree can't see the Corporate tree, and the Corporate
tree can't see the Contivity tree. Thus you still have to maintain two
directory structures. You can't merge them (without some magic) - Netscape
claims a meta-directory is the answer but I haven't seen any
implementations of a meta-directory yet, but this is off-topic. As a VPN I
think it's great.
2) FW-1 - This is extra. You have to buy a FW-1 license for the Contivity,
not to mention a second license for your management console. Playing with
this now, so I can't make a judgement call. Using your Contivity as a
firewall also, in my opinion, puts more strain on the system, leaving less
bandwidth/CPU for VPNs. It also limits you to ONE point of failure (unless
you get multiple Contivities with failover).
3) Contivity's built-in firewall (I believe this is now standard). This
looks like ACLs. Protocol/port restrictions, but I did find that the web
interface was difficult to use. It's not very user friendly and you really
have to know your protocols. There is sub-menu after sub-menu just to set
up a few simple rulesets.
There is a bug, not sure if it's fixed in 2.61, where you could (on the
INTERNAL network only) pass a $ or some other characters to the CGI-BIN
engine and it would crash the switch. I know there was an open incident
with Nortel on it but don't have a status.
Hope this helps.
- Kevin
At 01:12 PM 8/29/00 Tuesday -0500, Brent Stackhouse wrote:
>Hello,
>
>I need a little help/info regarding
>Nortel's Contivity Extranet Switch and
>what the heck it is and is not able to
>do. I would love to RTFM but I've been
>given three firewall platforms to hook
>up production VPNs to within two weeks
>and I'm a little pressed for time.
>
>What I do know is that there is a
>Contivity firewall option and an FW-1
>option. I just crashed through FW-1
>training last week so I'm familiar
>with that, more or less. My requirement
>is to set up a site-to-site VPN using
>Nortel Contivity switches on both ends,
>running an IKE/IPsec tunnel that only
>allows our "encryption domain" boxes to
>speak with each other, in FW-1 parlance.
>
>Pretty straightforward with PIX and FW-1
>but I'm still unclear as to the
>capabilities of the Nortel stuff. Any
>tips, info, or pointers to doc are very
>welcome. If I'm missing the obvious
>(like this product sucks or I'm an idiot),
>let me know. Thanks.
>
>Brent Stackhouse
>Security Analyst
>2ndWave, Inc.
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
*************************************
Kevin T Johnston
Research Engineer
Syracuse Research Corporation
6225 Running Ridge Road
North Syracuse, NY 13212
Phone: (315) 452-8318
FAX: (315) 452-8310
Email: [EMAIL PROTECTED]