Archive for June, 2010
Aruba Network’s new remote office access point, the RAP-2WG, allows an enterprise to securely extend the corporate wireless network to remote offices. While REAP technology is nothing new, the price point on the RAP-2WG certainly is. List price is only $99, and the street price brings its price in line with that of a Linksys WRT54GL. The unit is extremely small, too: about the size of a deck of cards.
How does it work?
The RAP-2WG’s E0 port is connected to the internet connection at the remote or home office. The unit establishes an IPSEC tunnel (using your choice of 3DES or AES) back to the Aruba controller at the main office. Once connected, the controller extends the corporate wireless — including all security policies — to the remote unit. You can also configure the second wired port in any way imaginable – from 802.1x port security, to a vlan bridge, even as an 802.1q trunk. You can also apply an ACL and run the RAP-2WP in split tunnel mode so that client internet traffic doesn’t cross the tunnel.
Enough marketing, how well does it really work?
I tested an Aruba RAP-2WG as follows:
– Aruba OS 220.127.116.11
– 6000 Controller Cluster. The cluster was in regular production mode during this test.
– 100 Mb internet connection
– RedHat 5 running vsftpd – Server
– Ubuntu 10.04 – Client
– Dell D620 with an Intel 4965AGN wifi card
The Test Procedure:
After configuring the RAP-2WG to connect back to the mothership, I connected it to a high-speed remote network. To test the unit’s throughput, I created a file containing 20Mb of random data (testfile.tar.gz); this file would then be transferred via FTP to the client machine.
This technique generally works pretty well, the whole way up to 1Gb/s if you follow these two simple rules:
1) Ignore the results of the first test. The first time you download the file, the server has to read it from disk. Subsequent requests (within a few minutes, at least) will come from the server’s disk cache and be significantly faster.
2) Don’t actually write the file to disk on the client machine, otherwise you’ll just be testing the hard drive speed. The best way to do this is to use wget under Linux. The syntax I prefer is:
# wget -O /dev/null ftp://your-ftp-server.pskl.us/testfile.tar.gz
This will simply dump the data to /dev/null as it comes in. When wget completes, it will give you the average transfer rate in BYTES per second — don’t forget to multiply by 8.
Step 1: Baseline Test
To determine the maximum speed at this site, the client machine was connected directly to the local internet connection using the system’s wired ethernet port. The test file was then transferred ten times and the average bit rate computed.
Average Transfer Rate, No Crypto: 84.64 Mb/s
Step 2: IPSEC AES128, using the Wired port
The test system was then connected to the RAP-2WG’s E1 port. The test file was then transferred ten times and the average bit rate computed.
Average Transfer Rate, IPSEC 128, Wired Port: 2.73 Mb/s
Step 3: IPSEC AES128, Wireless 802.1X PEAP
The test system was then connected wirelessly to the RAP-2WG. The system established a solid connection at 54Mb/s using PEAP/MSCHAP/AES auth/crypto. The test file was then transferred ten times and the average bit rate computed.
Average Transfer Rate, IPSEC 128, Wireless PEAP: 1.821 Mb/s
The RAP-2WG works as promised. The rated IPSEC throughput of the unit is 2Mb/s, which agrees with my findings. The slightly slower throughput over wireless is due to a combination of effects, but most likely a result of the double-encryption (PEAP wifi plus the IPSEC tunnel) that the unit has to handle. The RAP-2WG is inexpensive enough that it can be deployed as a robust VPN solution for staff working from home. You could actually buy RAP-2WGs and hand them out to your staff for about the same cost as buying Cisco VPN licenses for your existing ASA. Yes, that ‘s right. A robust hardware solution for the same price as the competition’s software license.
Aruba, you guys rock.