Virtual Private Networks, Part 5: Novell BorderManager

In the last column we looked at some of the methods you can use to set up VPNs, using either in-house or service provider systems. Since many corporations and organizations shy away from trusting service providers, it’s worth spending some time looking at in-house solutions. These can range from very small setups, such as the one we described earlier in the series using Windows NT and its VPN system, to large, multiport VPN solutions with dedicated hardware and software. There are also several products that include VPN capabilities as part of a much larger suite, such as Novell BorderManager. Since BorderManager is one of the more capable and flexible systems available, we’ll look at it in this column.

BorderManager is a security management package that provides a lot of features for medium-sized networks. Of course there are VPN capabilities, but Novell BorderManager also provides overall firewall services like access control and proxy handling as part of the same package. Although I didn’t look at BorderManager when I was writing about firewalls several series ago, BorderManager does embody all the features a network manager would want from a firewall. As well as fully configurable proxy management, there is network address translation (allowing you to hide confidential or non-registered subnet addresses inside your registered subnet) and packet filtering (to block out anything you don’t want to allow). Since authentication is an integral part of any firewall as well as any VPN, BorderManager provides RADIUS software authentication.

There are some very nice features built into BorderManager that make users’ lives easier. For example, BorderManager permits a true single sign-on from either inside or outside the firewall software. There are no special extra steps necessary if a user is logging in from a hotel room instead of from their desk connected to the corporate LAN. BorderManager uses Novell Directory Services (NDS), which has become very popular of late because of its flexibility. (You need to be running NetWare 4 or 5 to take advantage of BorderManager and NDS. The Enterprise edition of BorderManager includes a two-user runtime license for NetWare 5.) One other caveat about BorderManager is that access is through IPX. Although it is possible to use protocol translators to run TCP/IP, BorderManager is designed to work with NetWare and hence IPX/SPX.

The focus of this series is VPNs, though, so we should look at BorderManager’s VPN capabilities in more detail. The BorderManager system can be configured for site-to-site VPN quickly and with a minimum of fuss. Simply provide the IP addresses or routes between the two BorderManager servers, and a VPN is established with no headaches or hassles. BorderManager also provides for client VPN, allowing a user to dial into the VPN from anywhere in the world. Authentication of the user, along with the traditional firewall tools, prevents unauthorized access through an open VPN port. Combining both fixed and floating VPN access makes BorderManager more flexible than many VPN solutions that have only one or the other.

An evaluation copy of BorderManager along with tons of documentation is available from the Novell Web site. The hardware requirements are modest: a slow Pentium (or even an 80486) will run the software, but you really need a decent Pentium II or III to sustain good firewall and VPN performance. The RAM requirements are what will hurt most people (especially with the high price of RAM these days). BorderManager recommends 128MB of RAM, but on any machine with high traffic and more than a dozen users, 256MB is a better start. Half a gigabyte of disk space is required, too. Installation is simple, as is the learning curve, although those with no experience with NetWare will have a little harder time.

Configuring BorderManager to support VPN and firewall services takes a few hours to get right, but the steps are logical and well presented. The encryption and authentication choices for a VPN are varied, and you can choose the best options for your users. BorderManager allows up to 256 sites per tunnel, with up to 1,000 users per server. Although no Intel-based system could handle that kind of traffic on a regular basis, most BorderManager users sustain smaller traffic loads on an Intel machine without problems. BorderManager proves to be a stable, well-designed VPN solution if you can get along with NetWare and IPX.

There has been a bit of a publicity war going on between Novell and Microsoft about the relative features and problems of BorderManager and Microsoft’s PPTP-based VPN system. While the mud-slinging has been mostly civilized, those who have followed the arguments have come to the conclusion that there’s been a lot of effort spent on very little real substance. Both Windows NT VPN and BorderManager are capable of doing VPNs, but BorderManager is a more rounded package with extra features that Windows NT lacks. The Microsoft arguments primarily revolve around some practices used in BorderManager and the fact that Microsoft’s system is free. The truth of the matter is that this is not really an apples-to-apples comparison, and either product will suit particular types of networks and communications tasks. So when you are shopping for a VPN or a VPN plus firewall package, don’t get too wrapped up in the comparisons both Novell and Microsoft offer.