Alcatel-Lucent VPN Firewall Brick

Hello all,

Looking for input on Alcatel-Lucent VPN Firewall Brick. I can look up
spec and other published information but, as always, the devil is in
the detail and you just never know what wall you run into until you
actually try it so I wanted to see if anyone has used this and can
point out good/bad things about this device.

Our other option is Cisco IOS router right now. Are there better
options than these two?

If there is a better forum to post this question, my apologies.
Please direct me to the right place. :slight_smile:

Our goal :

We want to provide managed firewall/VPN for Colo/DIA customers.

Our specific requirements are:
- Able to provide VRF/virtual router per customer since address range
can overlap between customers.
- Able to do client based VPN to the inside network. It could be
IPSec or SSL. It has to support Vista/Win7-x64
- Able to do site to site VPN with various devices.(Cisco,
- Can rate limit traffic in and out.
- Control NAT per customer instance.
- Stateful firewall per customer instance.
- Good logging

Thanks!

> Looking for input on Alcatel-Lucent VPN Firewall Brick. I can look up
> spec and other published information but, as always, the devil is in
> the detail and you just never know what wall you run into until you
> actually try it so I wanted to see if anyone has used this and can
> point out good/bad things about this device.
>
> Our other option is Cisco IOS router right now. Are there better
> options than these two?

Fair warning: v6 honestly seems to have caught most firewall vendors with their pants down.

I've had Lucent Bricks hanging around here in various capacities for some time, and have been involved in several bake-offs to some degree. Granted, the bricks we have are older models (1100s, mostly). We're looking at some new options as well as a number of ours are going EOL soon.

Good:
* The code and a basic config is very small - just enough to get it on the
   network to communicate with the LSMS server and download its full
   config.
* Support is reasonably responsive.
* Rule changes can be staged pretty easily in the LSMS, and then the
   changes can be applied later, if you only do changes during maintenance
   windows.
* IPSEC LAN-to-LAN VPN interoperability is pretty good. It can take a few
   tweaks to get things working with different vendors, but I've gotten
   VPNs working with Cisco routers, Cisco PIX/ASAs, Linksys, Checkpoint,
   Netscreen, etc...
* It does do TCP state enforcement (can be disabled) and you can configure
   the timeout if you enable enforcement.
* It does layer-2 firewalling, if you need it.
* Does partitions, which provides VRF-like functionality.
* Rate limiting and NAT are supported, but I don't know how robust the NAT
   support is - we don't use it.
* Logging is fairly robust but somewhat cryptic - it's not in a standard
   syslog format. Writing a script to parse the logs and make them a
   little more human-friendly or convert them into a syslog format would be
   pretty straightforward. Newer versions of LSMS might provide the option
   of logging in a syslog-compatible format.

Bad:
* Without the LSMS server(s), the Bricks are, quite literally, bricks.
   All of the management has to be done through the LSMS and its Windows-
   only GUI. There is a command-line interface, but it is not very robust.
   Newer versions of LSMS might have a web front-end, but I don't know for
   sure. If there is a web front-end to LSMS, the trick is finding out if
   it has feature parity with the Windows GUI (has presented an issue with
   other Lucent products).
* Licensing can be a PITA.
* Last time I looked at the IPSEC VPN client, it did not support Vista or
   64-bit XP. I haven't looked into this in a long time, as we do not use
   the Bricks for landing client VPNs. It's possible that Lucent has SSL
   VPN capabilities now. No idea if they support Windows 7 yet.
* If things start failing or hanging in neat and interesting ways, more
   often than not, the issue can be fixed by restarting LSMS :slight_smile:
* IPv6 support plans are unknown at this time. Since we're migrating
   away from this platform, I haven't looked into Lucent's position on
   this.

I don't know if the newer models do 10G yet, but that might be worth checking if you plan to firewall customers who need lots of bandwidth.

We can talk offline if you want to discuss in more detail.

jms
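The log-conversion script the post above describes as "pretty straightforward", as an added example that is not code from the thread, from Alcatel-Lucent or from the LSMS product. The Brick log format is not shown anywhere in this thread, so the input format below (timestamp, record type, then key=value pairs) is constructed for illustration and is not the real Brick/LSMS format; the hostname, app name, the `fw@32473` structured-data id (32473 is the documentation enterprise number) and the choice of facility local4 are likewise assumptions. What it does show is the part that is vendor-independent: mapping events to syslog severities, computing the PRI value, escaping structured-data values per RFC 5424, producing a human-readable summary, and rejecting malformed lines instead of silently dropping them.

```python
"""Normalise a constructed firewall log format into RFC 5424 syslog lines."""
import re
from datetime import datetime

# Constructed sample records (NOT real Brick/LSMS output; format assumed here).
SAMPLE_LOG = """\
2009-11-03 14:02:17 SESSION action=drop proto=tcp src=10.1.2.3:51022 dst=192.0.2.10:22 rule=deny-ssh part=cust-a
2009-11-03 14:02:18 SESSION action=pass proto=udp src=10.1.2.3:53412 dst=192.0.2.53:53 rule=allow-dns part=cust-a
2009-11-03 14:02:20 ADMIN action=login user=jms result=fail
this line is deliberately malformed
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

FACILITY_LOCAL4 = 20                       # assumed facility for firewall events
SEV_WARNING, SEV_NOTICE, SEV_INFO = 4, 5, 6  # RFC 5424 severity codes


def parse_brick_line(line):
    """Return {'ts', 'type', 'fields'} for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "type": m.group(2), "fields": dict(KV_RE.findall(m.group(3)))}


def severity_for(rec):
    """Map a record to a syslog severity so downstream filters can key on it."""
    f = rec["fields"]
    if f.get("action") == "drop" or f.get("result") == "fail":
        return SEV_WARNING
    if rec["type"] == "ADMIN":
        return SEV_NOTICE
    return SEV_INFO


def _sd_escape(value):
    """RFC 5424 6.3.3: '"', '\\' and ']' must be escaped inside a PARAM-VALUE."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def summarize(rec):
    """One-line human-friendly rendering of the record."""
    f = rec["fields"]
    if rec["type"] == "SESSION":
        return (f"{f.get('action', '?')} {f.get('proto', '?')} {f.get('src', '?')} -> "
                f"{f.get('dst', '?')} rule={f.get('rule', '?')} partition={f.get('part', '?')}")
    return " ".join(f"{k}={v}" for k, v in f.items())


def to_syslog(rec, hostname="brick-1", app="brick", sd_id="fw@32473"):
    """Render <PRI>1 TIMESTAMP HOST APP PROCID MSGID [SD] MSG (hostname/app/sd_id assumed)."""
    pri = FACILITY_LOCAL4 * 8 + severity_for(rec)
    ts = rec["ts"].strftime("%Y-%m-%dT%H:%M:%SZ")   # device clock assumed to be UTC
    params = " ".join(f'{k}="{_sd_escape(v)}"' for k, v in rec["fields"].items())
    return f"<{pri}>1 {ts} {hostname} {app} - {rec['type']} [{sd_id} {params}] {summarize(rec)}"


def convert_log(text):
    """Convert every non-blank line; returns (syslog_lines, rejected_raw_lines)."""
    out, rejected = [], []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_brick_line(raw)
        if rec is None:
            rejected.append(raw)      # keep malformed input visible, never drop it silently
        else:
            out.append(to_syslog(rec))
    return out, rejected


if __name__ == "__main__":
    good, bad = convert_log(SAMPLE_LOG)
    print("\n".join(good))
    print("rejected:", bad)
```

The rejected list matters operationally: a converter that discards lines it cannot parse will hide exactly the odd records (truncated lines, a new record type after an LSMS upgrade) that an investigation later needs, so count and forward them separately rather than throwing them away.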

Hello,

I am working for a French ISP; we are working with this product in order to
provide a firewall for our VRF customers.

Quickly :

Used to :
* Firewall / NAT for IPV4 VRF
* Rate limit bandwidth & sessions
* Some logging

Pro:
* stable
* ipsec & pptp passthrough

Cons :
* ugly java interface

Really good feedback to provide.

If you need further detail I can share.

Eric

-----Original Message-----

I'm not really sure that in the year 2009 that's a fair thing to still
expect... honestly ipv6 has been in 'production' for ~7 years, for a
CPE deployment it's certainly been to the point where it should be
included by default.

-1 alcalu :frowning:

-Chris

I don't know about AL's v6 status because I'm in the process of migrating away from them, and have been in the process of lots of due diligence with vendors in the past 6-ish months. v6 support is pretty high on our list of 'must have' items. I've been pretty disappointed with the response from most vendors. Many of those have been along the lines of:

"Yeah... our v6 code should be out of customer trials in Q2 2010..."
"We do v6 in software today, and the next spin of XYZ hardware will do it in the ASICs..."
"We're working some kinks out, so the box forwards X pps of v6 today (let Y = the amount of v4 traffic the box can handle, let X = some amount significantly lower than Y), but we should have all of that sorted out in the next major code release and be able to handle Y pps of v6 then."
"The firewall handles v6 today, but v6 support in the management front-end is still baking. Should be ready to go in the next release."

Vendor responses to my "v6 has been around for about 10 years... why is all of this only happening *now*?" questions have largely been along the lines of "Customers only started asking for or requiring v6 support in the last X months/years...". This gets us back to chicken-and-egg time.

I can understand their position to a degree, i.e. why waste resources on things that customers aren't requesting (read: won't compel them to buy more/bigger hardware or renew/upgrade support contracts)? This might have been a somewhat valid position several years ago, but v6 as a necessity has been on many customers' radars for several years. Frankly, not having fully baked v6 support today is pretty much inexcusable IMHO.

jms