progstrat.com
A Look at the Microsoft Proxy Server/RRAS vs. Novell BorderManager Debate By Louis Heibert, Chief Product Analyst & Jamie Ladd, Senior Product Analyst
Introduction
In addition to being the two leading vendors of network operating systems, Novell and Microsoft are each seeking to establish themselves in the growing network security market. While both companies are building security solutions on their respective OS platforms, recent publications from each company highlight other significant differences in product direction and design philosophy. Unfortunately, these competitive documents rely on the lexicon of the company that wrote them, often leading to misunderstandings about each product's capabilities. In fact, some of the documents that are intended to "clarify" each company's position need to be clarified themselves.
Since Microsoft has published the latest documents in this ongoing competitive exchange, we will focus on their assertions in this analysis of the competitive situation. The topics we will cover include Virtual Private Networking, Proxy Caching, and Remote Access, as well as "big picture" issues such as overall solution scope and relative cost of ownership. Although our purpose is not to select a single "best" solution or perform extended lab tests, this report will give you a balanced perspective on the individual points raised in the Microsoft documents.
Caching
Reverse Proxy Caching - In contrast to regular proxy caches that speed local access to commonly used Internet data, reverse proxy caching increases the availability of local data to the Internet. A good reverse proxy cache can provide better response times to outside queries and better overall hit rates than even a large web server farm. We were puzzled by Microsoft's position, since they appear to both endorse and reject this concept in two of their positioning papers. In Clarifying Claims they state that "placing a cache between an HTTP server and the Internet does not reduce the Internet link use and is normally an unnecessary complexity." However, in the "How We Compare" matrix, they say that MS Proxy Server and not BorderManager supports Reverse Proxy, Reverse Hosting, and Server Proxying. Although Microsoft seems unconvinced of caching local HTTP servers, hardware load-balancers from companies like Cisco, SGI, and IBM are often placed in front of multiple servers to enhance access from the Internet.
Unfortunately, both of Microsoft's messages are misleading. BorderManager does in fact support those three types of reverse proxy caching and Novell tests show that performance benefits are hardly "rare" as Microsoft purports. Microsoft is also mistaken when they referred to reducing "Internet link use" as the purpose of reverse proxy caching. In fact, a high-speed cache's improved query response times should allow prospects, customers, and business partners to use the link even more (instead of waiting for delayed requests).
Our Opinion: Reverse proxy caching services (including Microsoft's) definitely enhance Internet access to local HTTP servers; only Microsoft seems unsure if they offer this.
CARP vs. ICP? - Microsoft's contention that "ICP is inferior to CARP" seems like a clear statement at first. The problem is that Microsoft's proprietary Cache Array Protocol (CARP) and the IETF's Internet Cache Protocol (ICP) are not really comparable. While ICP dynamically extends the reach of individual caches through inter-cache queries, the Microsoft CARP scheme is meant for creating local cache "clusters."
If a single Windows NT Proxy Server cache is not sufficiently fast, CARP is a good way to enhance performance by dividing cache data among multiple servers in a load-balancing "array." Since CARP does not provide any communication options for dealing with other intranet or Internet cache servers, its scalability is limited to adding more servers to the local array. Novell does not need to use such a scheme since their single, high-speed cache by itself is more effective for individual network segments. (For instance, their tests on a single-processor Compaq Proliant 3000 show that BorderManager's FastCache Web Accelerator can respond to over 10,000 hits per second.)
ICP is intended for larger scale applications than is CARP; as an Internet standard, ICP is supported by a variety of products such as the NetScape Proxy Server, Inktomi Traffic Server, Cisco Cache Engine, SkyCache, Mirror Image, and Squid Internet Object Cache. The concept behind ICP inter-cache communications is that if a local cache doesn't have the requested data, another cache might. By passing queries on to cache servers that are progressively closer to the target web server, the odds of getting a cache "hit" increase. Even with several such hand-offs, a cache response will still be faster than a direct web server query. This type of scalability allows products such as FastCache to become part of an intranet cache hierarchy and even extend cache requests to compatible servers at an ISP or news agency.
Our Opinion: On a small scale, CARP may help overworked Windows NT Proxy Servers. However, Internet-ready cooperative caching is only offered by BorderManager FastCache. This is key to working with the standards-based caches at ISPs and other sites.
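To make the architectural difference concrete, the following is an added illustration written for this page; it is not code from the article, from Microsoft, or from Novell. It models the two schemes at the level the text describes them: a CARP-style array routes every URL to exactly one local member by deterministic hashing (modelled here with rendezvous-style hashing, a simplification rather than Microsoft's actual CARP algorithm), while an ICP-style cache walks a hierarchy of peers (siblings, then a parent closer to the origin) before going to the origin server (real ICP is a UDP query protocol; only the lookup order is modelled). The URLs, cache names, and preloaded parent content are constructed sample data.

```python
"""Simplified comparison of array-style (CARP-like) and hierarchy-style (ICP-like) caching."""
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for origin web servers: URL -> page body.
ORIGIN: Dict[str, str] = {
    "http://www.example.com/index.html": "<html>home</html>",
    "http://www.example.com/news.html": "<html>news</html>",
    "http://www.example.org/docs.html": "<html>docs</html>",
}


class Cache:
    """One proxy cache: a URL -> body store plus hit/miss counters."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.store: Dict[str, str] = {}
        self.hits = 0
        self.misses = 0

    def lookup(self, url: str) -> Optional[str]:
        body = self.store.get(url)
        if body is None:
            self.misses += 1
        else:
            self.hits += 1
        return body

    def put(self, url: str, body: str) -> None:
        self.store[url] = body


def fetch_origin(url: str, counter: Dict[str, int]) -> str:
    """Simulate a request that leaves the cache layer and hits the origin server."""
    counter["origin"] = counter.get("origin", 0) + 1
    return ORIGIN[url]


def carp_member(url: str, array: List[Cache]) -> Cache:
    """Route a URL to one array member by highest hash score (simplified CARP-like routing).

    Every client using the same array and URL lands on the same member, so the
    array's cache content is partitioned rather than duplicated. No cache outside
    the array is ever consulted.
    """
    def score(member: Cache) -> int:
        digest = hashlib.sha256(f"{member.name}|{url}".encode()).digest()
        return int.from_bytes(digest[:8], "big")
    return max(array, key=score)


def carp_fetch(url: str, array: List[Cache], counter: Dict[str, int]) -> Tuple[str, str]:
    """Return (body, served_by) for an array lookup; served_by is 'origin' on a miss."""
    member = carp_member(url, array)
    body = member.lookup(url)
    if body is None:
        body = fetch_origin(url, counter)
        member.put(url, body)
        return body, "origin"
    return body, member.name


def icp_fetch(url: str, local: Cache, hierarchy: List[Cache],
              counter: Dict[str, int]) -> Tuple[str, str]:
    """Return (body, served_by) for a hierarchy lookup (simplified ICP-like behaviour).

    On a local miss, peers are asked in order (siblings first, then the parent
    nearest the origin). Only if every peer misses does the request reach the
    origin; the result is then stored locally and at the parent.
    """
    body = local.lookup(url)
    if body is not None:
        return body, local.name
    for peer in hierarchy:
        body = peer.lookup(url)
        if body is not None:
            local.put(url, body)
            return body, peer.name
    body = fetch_origin(url, counter)
    local.put(url, body)
    if hierarchy:
        hierarchy[-1].put(url, body)
    return body, "origin"


def demo() -> Dict[str, int]:
    """Run the same constructed request stream through both schemes and report origin load."""
    urls = list(ORIGIN)
    requests = [urls[0], urls[1], urls[0], urls[2], urls[1], urls[0]]

    carp_counter: Dict[str, int] = {}
    array = [Cache("array-1"), Cache("array-2"), Cache("array-3")]
    carp_served = sum(1 for u in requests if carp_fetch(u, array, carp_counter)[1] != "origin")

    icp_counter: Dict[str, int] = {}
    branch, sibling, parent = Cache("branch-cache"), Cache("sibling-cache"), Cache("isp-parent-cache")
    parent.put(urls[0], ORIGIN[urls[0]])  # constructed: the upstream parent already holds the home page
    icp_served = sum(1 for u in requests
                     if icp_fetch(u, branch, [sibling, parent], icp_counter)[1] != "origin")

    return {
        "carp_origin_fetches": carp_counter.get("origin", 0),
        "carp_cache_served": carp_served,
        "icp_origin_fetches": icp_counter.get("origin", 0),
        "icp_cache_served": icp_served,
    }


if __name__ == "__main__":
    print(demo())
```

The array model shows why CARP scales only by adding members: a request is resolved entirely inside the array or goes to the origin. The hierarchy model shows the point the text makes about ICP: content already held by a peer (here the ISP-side parent) is served without an origin fetch, so origin load drops as the hierarchy grows.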
Part II Virtual Private Networking
Proxy Server and RRAS - Although Novell mistakenly discounted RRAS features when considering Proxy Server, it is understandable in light of its past compatibility problems. Until the most recent Hotfix update, RRAS and Proxy Server could not be installed (reliably) on the same NT Server. The section of Microsoft's Clarifying Claims document that deals with this issue also makes a questionable claim concerning RRAS and Windows NT 4.0. Although RRAS allows remote NT servers to use a dial-up connection (like a workstation), this only minimally qualifies as a server-to-server VPN; it still precludes typical multi-office environments where dedicated Internet (or intranet) connections already exist.
Our Opinion: RRAS is still a distinctly separate product from Microsoft's Proxy Server, and still fails to provide true server-to-server VPN capabilities for use over non-dialup LAN and WAN connections.
Is PPTP a VPN? - In the Clarifying Claims document, Microsoft disputes Novell's assertion that PPTP is only a Remote Access feature. In spite of this denial, we find little evidence to the contrary. In fact, Microsoft's own rebuttal indicates the fundamental problem. Although they continually refer to PPTP as a VPN protocol, they also concede that "The PPTP protocol acts as a VPN when used with encryption services."
Essentially, PPTP cannot make a Virtual Private Network without an additional encryption component. In Microsoft's case, they add the proprietary Microsoft Point-to-Point Encryption (MPPE) protocol. Interestingly, Microsoft's comment that Novell's PPTP implementation only offers a "Virtual Network" service is appropriate: that's all PPTP is supposed to provide. Novell, however, chose to use standard IPSec encryption to establish VPNs on top of standard PPTP links (which are insecure by default).
Our Opinion: PPTP is a useful, non-secure remote-access tunneling protocol. However, adding a proprietary encryption scheme doesn't change PPTP itself. It actually ignores standards by establishing another proprietary VPN product.
Industry Standards - While Microsoft (and Ascend, the original developer) claim PPTP as one of the oldest tunneling standards, Cisco will point to L2TP as the "real" layer 2 tunneling standard. Microsoft says that their proprietary MPPE is the right way to encrypt data using PPTP tunnels, while 3Com and Novell prefer the IETF's IPSec encryption protocols. For key management, some VPN manufacturers, like Shiva and VPNet, are adopting the emerging Internet Key Exchange (IKE) protocol (formerly ISAKMP/Oakley). Microsoft insists that their MSCHAP authentication protocol handles all your key management needs. Other manufacturers, including Sun, Checkpoint, and Novell support SKIP (an optional IPSec protocol) for key management, since it was stable and accepted long before IKE. Note: most manufacturers, including Novell and Microsoft, intend to support the ratified IKE protocol in the near future.
Novell has chosen to use two of the most widely supported security standards available: IPSec encryption/encapsulation and SKIP automatic key exchange. We therefore find it odd that Microsoft would accuse BorderManager of being "non-standard" while RRAS relies solely on proprietary extensions such as Microsoft Point-to-Point Encryption and Microsoft CHAP. The security of Microsoft's proprietary PPTP implementation has also been seriously questioned by cryptographers at CounterPane Systems.
Our Opinion: Until Microsoft stops promoting proprietary schemes and begins using standard IPSec encryption and standard authentication protocols like IKE or SKIP, they shouldn't be making such "non-compliance" accusations.
Involving the ISP - Microsoft's Marketing Bulletin emphasizes the concept of ISP-initiated tunnels. This Microsoft initiative essentially lets companies outsource their dial-in RAS facilities. The advantages are lower hardware maintenance costs and (potentially) better local access for remote clients. Of course, the key to this scheme is ISP involvement; the ISP has to authenticate each user and then set up the tunnel to the corporate site. The hidden implication is that you must trust an ISP to establish the secure access points into your private network. Microsoft essentially admits this in their RRAS FAQ, under the heading "Are there any risks associated with providing compulsory tunneling services?" Another, more obvious concern is ISP availability and accessibility, since only the largest Internet companies have nationwide coverage.
Microsoft addresses this problem with what they call "Global VPN Roaming," which lets a mobile client use a local ISP wherever they are (similar to cell phone roaming). Unfortunately, if all these participating ISPs were responsible for establishing your client VPNs, then even more people would have to be trusted with your private network.
Interestingly, this last scenario is not actually the way it works. In fact, "Global VPN Roaming" is really just "ISP Roaming." While services such as iPass and Gric can help initiate a PPTP connection, the client is still the VPN endpoint (requiring all the PPTP configuration steps that ISP-initiated VPNs are supposed to avoid). As a result, when you rely on an ISP to establish client VPN links, every remote user must connect through that particular ISP. Even employees who already use a different ISP at home would have to reconnect through this "special" ISP.
Furthermore, in spite of the cost savings implied for "ISP roaming," our research actually indicates the opposite. iPass, in particular, can cost between 5 and 25 cents per minute, depending on location. By contrast, a large ISP like AT&T WorldNet charges exactly 10 cents a minute for 800 number access (assuming one of their >400 local numbers isn't local enough). In any case, neither iPass nor Gric cares which VPN runs over their roaming Internet connections. Despite Microsoft's implications, the advantages of "Global ISP Roaming," such as global phone book management, can be enjoyed with almost ANY VPN product. In BorderManager's case, when a VPN link is initiated, it can easily be authenticated through a company's global NDS infrastructure rather than a single NT domain.
Our Opinion: ISP-initiated VPNs are not that convenient and ISP roaming is not as cost effective as Microsoft implies. Even if you do have to roam, Novell's VPN solution can work with any ISP or roaming service.
The dial-up link - In their Marketing Bulletin, Microsoft indicates that they use Multi-link PPP to dynamically add bandwidth to dial-up connections. As a carrier for (anyone's) client VPN traffic, bonded MLPPP connections are a good way to transparently increase bandwidth. It is important therefore that Microsoft Windows 95 and NT clients support the allocation scheme used by manufacturers such as Ascend, Cisco, 3Com, and Nortel Networks, who supply ISPs with their RAS equipment. Although supporting one industry-standard protocol is a good start, if Microsoft eliminated Windows' reliance on NETBIOS and WINS, it would make accessing NT servers much easier through these high-end RAS servers.
In the same document, Microsoft also claims that Windows NT is "installed 50% more often than any other server-based RAS platform." While this is impressive, it's also important to remember that NT RAS services are included with the operating system. Microsoft's statistics undoubtedly include everyone that has simply attached a modem to their server's extra COM port; that's not quite the same as offering corporate RAS services or running an ISP. All those "free" NT RAS hosts and Microsoft's RADIUS service are limited to the boundaries of their local domains. BorderManager Authentication Services (BMAS), Novell's RADIUS component, can authenticate dial-in clients on a global scale because it uses the distributed NDS directory. Since the major hardware vendors support RADIUS, the combination of BMAS and scalable, rack-mounted RAS units can provide an easily-managed, distributed dial-in solution.
Our Opinion: If you need an IP connection to an ISP, Microsoft Dial-up Networking clients work well. If clients need access to NT servers, WINS administration hassles may force you to use a Microsoft RAS. If your clients don't access NT servers, a hardware solution that supports RADIUS is more scalable, especially when used with NDS.
Customer-proven solutions? - Windows NT 5 (a.k.a. Windows 2000) & Active Directory are listed among Microsoft's "customer proven solutions" in their Marketing Bulletin. We're not sure how these could be "customer proven" since Microsoft is still developing their directory while Novell has been selling NDS for over four years. Similarly, NetWare 5 is a shipping product while NT 5 seems to be constantly delayed. Microsoft also claims to have "pioneered VPNs" two years ago with the Point-to-Point Tunneling Protocol. This is actually rather recent, considering that Novell has been tunneling IPX through TCP/IP since 1989.
Our Opinion: Novell has more experience with tunneling, directory services, and network operating systems in general. Consequently, the customer-proven solutions in these areas belong to Novell, not Microsoft.
Part III The Big Picture
Installation and Management - Although Microsoft claims that BorderManager needs "two separate systems for management and offers no option for management from alternate platforms," this is not what our testing has shown. While BorderManager components do use their own installation and configuration tools, day-to-day management is performed through the same NWAdmin interface used for NetWare, GroupWise, and Z.E.N.works (NWAdmin runs on Windows NT/95/98). This is possible because the underlying directory, NDS, can be extended (unlike domains) to include data required by any number of components. In addition to streamlining management, this NDS integration also allows for true single sign-on capabilities. Z.E.N.works tools in particular are key to automating distribution of software such as BorderManager VPN clients (in spite of Microsoft's apparent ignorance of this product). If Microsoft is actually suggesting that Novell offer management tools on non-Windows (alternate) platforms, then Novell's platform-independent Java-based ConsoleOne development efforts should satisfy them.
Our Opinion: Novell has the infrastructure on which to build unified management, client distribution, and single sign-on; Microsoft does not. As a result, Novell actually comes closest to achieving this convergence.
Cost of ownership - Microsoft correctly points out that BorderManager components are priced higher than NT Server and Proxy Server. For a small office with limited needs, these Microsoft products may be a good value. However, up-front cost savings alone do not indicate that a product offers a better value for everyone. A particular example would be BorderManager Fastcache. If it's as efficient as Novell indicates, the hardware needed to provide an equivalent MS Proxy Server solution alone would cost more even if the Microsoft software was free. Other components like BorderManager VPN services include features like true server-to-server tunneling that Microsoft doesn't offer. Novell's entire security solution is more manageable than Microsoft's, since all BorderManager components can rely on a consistent, enterprise-wide directory service. As a result, an NDS infrastructure lowers the cost of administering Novell security solutions. Until Active Directory becomes available, Proxy Server and RRAS still need to use the local, non-extensible NT domains.
Our Opinion: Microsoft doesn't "give away" software because they like you; they probably do it because they have to. Companies like Novell can charge more for their products because customers find that they're a better overall value. Microsoft's lower-priced products may end up costing you more in terms of missing features and lower performance.
January 1999