Saturday, September 29, 2007

What do ISP Customers Expect from a VPN Service?

What is a VPN? Some vendors maintain that any network service deployed over shared infrastructure while appearing to offer exclusive use is a VPN—for example, a Frame Relay PVC with CIR riding over a provider's ATM backbone. Others equate privacy with security, and define VPNs as encrypted tunnels with access control and host or user authentication.

Lack of vendor consensus on this definition nearly two years after initial deployment left me wondering: What do ISP customers expect from an outsourced VPN service today?

Today's net consumer often begins with a web search; what he or she finds helps to shape customer expectations. So, to answer my question, I conducted a modest survey of ISP web marketing material, searching for "VPN" services. Information garnered was predominantly about big, national/global providers—not surprising, since they've been the trail-blazers in VPN outsourcing. What was surprising was that a number of clear trends and differentiators emerged.

Managed vs. Turnkey
Today's VPN services fall into two distinct categories: managed VPN services and turnkey VPNs. Rhythms NetConnections and Savvis are two ISPs that offer turnkey VPNs. These providers sell or rent customer premise equipment (CPE) for use with their local access facilities and backbone network connectivity. Customers install and manage CPE like FreeGate's OneGate and CheckPoint's Firewall-1, and then configure their own VPN. GTE, Pilot, Savvis, and MCI WorldCom offer managed VPN services that include CPE and network connectivity, plus 24x7 management and service-level monitoring. For a higher monthly recurring charge, these providers not only build your VPN, they operate it for you.

Different Maps for Different Apps
Expectations are also driven by customer application—remote access VPNs for travelers and teleworkers, site-to-site VPNs for intranets and branch office connectivity, and extranets that link business partners by spanning corporate network boundaries. Many top-tier ISPs offer separate remote access and site-to-site VPNs. For example, MCI WorldCom's UUSecure VPN connects customer sites with anything from ISDN to T3 into full mesh or hub & spoke topologies using Xedia's QVPN. But for remote access, MCI's UUDial uses an IndusRiver server at each site and dial-up client software on roaming PCs.

Extranet VPN services appear to be less common today. One example: Pilot's Corporate Partner Networking (CPN) allows participants to dial one of seven Pilot Network Security Centers, where a proxy server controls access by group and user.


http://www.isp-planet.com/technology/vpn-customers-a.html

Choosing Customer Premise Equipment for VPN Services

In my June column, I described both turnkey and managed Virtual Private Networking services offered today by various Internet service providers. The key differentiator between these two types of VPN services: who owns and manages the customer premise equipment—the customer or the ISP? This, of course, raises a more fundamental network-design question: what exactly is the customer premise equipment, typically known as "CPE"?

Many remote-access VPN services need only a modem and client software on the remote PC. That is, they don't require any special-purpose VPN CPE. But some remote-access VPNs—and all site-to-site VPNs—require some type of CPE to be installed at the customer site to serve as the endpoint for VPN tunnels. It may be an access router, a hardware "black box," a firewall, or a proxy server.

Access routers
WAN access routers from vendors like Ascend, Cisco, and 3Com can be outfitted with software images that allow the router to act as an IPsec Security Gateway. This configuration can be attractive in a managed service because everything to be managed is contained within a single edge device.

Because it places the processing burden of encryption on the router, however, this configuration may introduce a bottleneck for all traffic—particularly if the access router is serving a high-speed link and is already operating at or near capacity. Furthermore, if the access router is compromised, no other device protects your VPN.

Hardware VPNs
Vendors like NetScreen, RADGUARD, VPNet, and Xedia market special-purpose hardware devices designed just to support VPNs. These devices are hardened to protect against attacks that might compromise a general-purpose device, and they employ custom ASICs that enable high-speed encryption.

Some products can be purchased with WAN interfaces to operate as edge devices, effectively replacing WAN access routers. Other products offer dual or triple Ethernet interfaces and are designed to sit just inside the access router or firewall.

Hardware CPE can be simpler to deploy—just drop in a new box—and keeps the focus on the services the VPN requires. However, it's not quite that simple: should the box be placed in front of, or behind, the customer's firewall? The new box will also affect network addressing, packet filters, routing, and redundancy.

VPN enabled firewalls
Axent, Checkpoint, Network Associates, and other firewall vendors market VPN add-on software that turns a general-purpose firewall into either a PPTP Concentrator or an IPsec Security Gateway. This configuration centralizes security policy decision-making at the firewall and does not obscure the firewall's view of packets to be tunneled.

VPN hardware sitting inside the firewall can be incompatible with network address translation applied at the firewall; VPN hardware or routers sitting outside the firewall cannot ensure the privacy of traffic all the way to the firewall. These dilemmas can be sidestepped by placing tunnel endpoints on the firewall itself. On the other hand, as with the access-router solution, this alternative cranks up the processing demands placed on the firewall. Furthermore, adding new software to an existing firewall can be technically tricky and a political nightmare, depending upon whether the firewall is managed by the customer or the ISP.
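To show why the NAT dilemma above arises, here is an added Python simulation (not code from the column or from any vendor it mentions). It models the integrity check of IPsec AH, which covers the IP source and destination addresses, and of ESP in tunnel mode, which covers only the encapsulated inner packet, then applies a firewall's source-NAT rewrite to each. The packet layout, key, addresses and HMAC construction are simplified stand-ins for the real header formats.

```python
import hashlib
import hmac

# Constructed demo key; in real IPsec the SA keys come from IKE negotiation.
KEY = b"demo-shared-key-for-illustration-only"


def ip_header(src, dst, ttl=64):
    """Minimal stand-in for an IP header (addresses as strings, not wire format)."""
    return {"src": src, "dst": dst, "ttl": ttl}


def ah_icv(hdr, payload):
    """AH-style integrity check value. Per RFC 2402 the ICV covers the immutable
    IP header fields, including both addresses, plus the payload; mutable fields
    such as TTL are treated as zero when hashing."""
    covered = hdr["src"].encode() + b"|" + hdr["dst"].encode() + b"|\x00|" + payload
    return hmac.new(KEY, covered, hashlib.sha256).digest()


def ah_packet(src, dst, payload):
    hdr = ip_header(src, dst)
    return {"ip": hdr, "icv": ah_icv(hdr, payload), "payload": payload}


def ah_verify(pkt):
    return hmac.compare_digest(pkt["icv"], ah_icv(pkt["ip"], pkt["payload"]))


def esp_tunnel_packet(outer_src, outer_dst, inner_src, inner_dst, payload):
    """ESP tunnel mode: the whole inner packet is the protected ESP payload.
    The ICV covers ESP header and payload only, never the outer IP header."""
    inner = inner_src.encode() + b"|" + inner_dst.encode() + b"|" + payload
    icv = hmac.new(KEY, inner, hashlib.sha256).digest()
    return {"ip": ip_header(outer_src, outer_dst), "inner": inner, "icv": icv}


def esp_verify(pkt):
    expected = hmac.new(KEY, pkt["inner"], hashlib.sha256).digest()
    return hmac.compare_digest(pkt["icv"], expected)


def nat_rewrite_source(pkt, public_addr):
    """What a firewall doing source NAT does to an outbound packet: replace the
    outer source address with the public one (and decrement TTL as routers do)."""
    pkt = dict(pkt)
    pkt["ip"] = dict(pkt["ip"], src=public_addr, ttl=pkt["ip"]["ttl"] - 1)
    return pkt


def demo():
    """Run both packet types through the NAT firewall and verify at the far end."""
    payload = b"GET / HTTP/1.0\r\n\r\n"
    ah = ah_packet("10.1.1.5", "192.0.2.10", payload)
    esp = esp_tunnel_packet("10.1.1.5", "192.0.2.10", "10.1.1.5", "172.16.0.7", payload)
    return {
        "ah_before_nat": ah_verify(ah),
        "ah_after_nat": ah_verify(nat_rewrite_source(ah, "203.0.113.4")),
        "esp_before_nat": esp_verify(esp),
        "esp_after_nat": esp_verify(nat_rewrite_source(esp, "203.0.113.4")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verifies' if ok else 'FAILS integrity check'}")
```

The AH packet fails verification the moment the firewall rewrites its source address, which is the incompatibility the column describes for VPN hardware placed inside a NAT firewall. ESP's integrity check survives a plain address rewrite, but a port-translating NAT still cannot track ESP flows because ESP carries no port numbers, which is why later NAT traversal (UDP encapsulation, RFC 3948) was needed; terminating the tunnel on the firewall itself, as the column suggests, sidesteps the problem entirely.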


http://www.isp-planet.com/technology/vpn-cpe-a.html

Content Delivery Networks

To become a robust, reliable service provider, you have to invest heavily in your own network infrastructure: load balancing for nonstop delivery, caching for speedy Web response, distributed, replicated servers to limit the impact of Internet congestion. At the same time, you'll need to manage upstream bandwidth to strike a delicate balance between customer satisfaction and cost. Or, if that seems like too much work . . . simply partner with an up-and-coming Content Delivery Network (CDN) provider such as Sandpiper, Akamai, or Edgix and leverage someone else's network investment.

What is a Content Delivery Network?
Sandpiper defines a CDN as "a dedicated network of servers, deployed throughout the Internet, that Web publishers can use to distribute their content on a subscription basis." A CDN is essentially an overlay network of customer content, distributed geographically to enable rapid, reliable retrieval from any end-user location. CDNs use infrastructure technologies like caching to push replicated content close to the network edge. Global load balancing ensures that users are transparently routed to the "best" content source. Stored content is kept current and protected against unauthorized modification. Customer-accessible traffic logs enable data mining for marketing and capacity planning.

Most importantly, customers—typically, large enterprise Website owners—determine the content served by the CDN by selectively reassigning URLs to embedded objects. Dynamic or localized content can be served up by the customer's own site, avoiding the CDN, while static and easily distributed content can be retrieved from the nearest CDN server. According to Akamai, banner ads, applets, and graphics represent 70 percent of a typical Web page—content types easily offloaded to Akamai's FreeFlow CDN. Sandpiper's Footprint can handle other content types and can even use customer-delegated domain names like http://ww1.yourcompany.com/image.gif to offload content while maintaining customer branding.
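As an added illustration of the selective URL reassignment described above (example code, not Sandpiper's or Akamai's), the Python below rewrites a page's static embedded objects to a customer-delegated CDN host while leaving dynamic, parameterized URLs and HTML pages on the origin, and builds a digest manifest the publisher can use to check a CDN copy for unauthorized modification. The sample page, object bytes and static-extension list are constructed; the host name ww1.yourcompany.com is the one quoted in the column.

```python
import hashlib
import re

# Customer-delegated CDN host name as quoted in the column.
CDN_HOST = "ww1.yourcompany.com"
# Constructed list of "easily distributed" content types: images, applets, styles, scripts.
STATIC_EXTENSIONS = {".gif", ".jpg", ".png", ".class", ".jar", ".css", ".js"}

# Constructed sample page mixing static objects with dynamic, parameterized links.
SAMPLE_PAGE = """<html><body>
<img src="/images/logo.gif">
<script src="/js/menu.js"></script>
<link href="/style/site.css" rel="stylesheet">
<a href="/cgi-bin/quote.cgi?sym=ISP">Quote</a>
<img src="/ads/banner.gif?id=17">
<a href="/news/today.html">News</a>
</body></html>"""

# Constructed stand-ins for the bytes of the objects served from the origin site.
ORIGIN_OBJECTS = {
    "/images/logo.gif": b"GIF89a\x01\x00\x01\x00constructed-logo",
    "/js/menu.js": b"function menu(){return 1;}",
    "/style/site.css": b"body{margin:0}",
}

ATTR_RE = re.compile(r'\b(src|href)="([^"]+)"')


def is_offloadable(url):
    """Static, root-relative, query-free objects go to the CDN; everything else
    (dynamic scripts, parameterized or personalized URLs, HTML pages, links to
    other hosts) stays on the publisher's own servers."""
    if not url.startswith("/") or url.startswith("//") or "?" in url:
        return False
    name = url.rsplit("/", 1)[-1]
    if "." not in name:
        return False
    return name[name.rfind("."):].lower() in STATIC_EXTENSIONS


def offloaded_urls(html):
    """Embedded-object URLs, in page order, that will be served by the CDN."""
    return [url for _, url in ATTR_RE.findall(html) if is_offloadable(url)]


def rewrite_page(html):
    """Reassign offloadable object URLs to the CDN host; leave the rest untouched."""
    def repl(m):
        attr, url = m.groups()
        if is_offloadable(url):
            return f'{attr}="http://{CDN_HOST}{url}"'
        return m.group(0)
    return ATTR_RE.sub(repl, html)


def build_manifest(html, objects):
    """Publisher-side digest of every offloaded object, so a CDN copy can be
    checked for unauthorized modification before it is trusted."""
    return {url: hashlib.sha256(objects[url]).hexdigest() for url in offloaded_urls(html)}


def verify_cdn_copy(manifest, url, data):
    """True only if the bytes fetched from the CDN match the publisher's digest."""
    return url in manifest and hashlib.sha256(data).hexdigest() == manifest[url]


if __name__ == "__main__":
    print(rewrite_page(SAMPLE_PAGE))
    manifest = build_manifest(SAMPLE_PAGE, ORIGIN_OBJECTS)
    print(verify_cdn_copy(manifest, "/js/menu.js", ORIGIN_OBJECTS["/js/menu.js"]))
```

The regex-based rewrite is adequate for the demonstration; a production publisher would do the same reassignment in its templates or publishing pipeline. The manifest check is the publisher's side of the "protected against unauthorized modification" promise: a script that is altered on the CDN will fail the digest comparison even though it is served from the customer's own delegated name.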

CDN customers pay a premium price for premium services. For example, Footprint customers specify a Committed Aggregate Information Rate (CAIR), measured in Mbits per second, that can be changed daily. Monthly invoices apply rates based on CAIR to charge for delivery of the customer's content to end users.

Turning competition into opportunity
At first glance, a CDN might sound like steep competition for top-tier Web hosting service providers. Scott Yara, Sandpiper's VP of Marketing, wants you to think again: "Sandpiper allows Web Site Colocation and Hosting partners to resell Footprint directly to customers. These partners are an important distribution channel for Sandpiper." Footprint partners must satisfy minimum requirements, including 24x7 NOC support and Footprint-savvy sales and marketing staff. In return, Sandpiper offers Footprint subscription revenue sharing and a reduction in overall network costs through access to the Footprint CDN. "Elite" partners realize all subscriber revenues and can privately brand the Footprint service, but must commit to sales targets and contribute to joint marketing programs.

A different opportunity exists for Internet Access Providers. Akamai refers to this as its Accelerated Network Program; Sandpiper calls it the Footprint Alliance. IAPs broaden the reach of the CDN by providing POPs in return for network infrastructure gear and access to the CDN. To understand how this opportunity works, we first need to look inside the CDN.

Under the covers
Each CDN operates a bit differently, employing carefully crafted and sometimes patented network architectures to achieve its service goals. Akamai deploys its own rack-mounted, custom OS, Intel-based servers in IAP-owned POPs, at no cost to qualifying IAPs. To qualify, domestic providers need DS3 or better upstream connectivity, secure POPs, and 10,000+ subscribers.

Edgix plans to support its HotMedia service with a rack-mountable satellite receiver and a Dell caching appliance running Novell ICS, plus a rooftop satellite dish for upstream connectivity. HotMedia is currently in beta trials; pricing and partner details are not yet available.

Sandpiper provides a COTS combo of Alteon L4 switches, Sun RAID content storage, and Inktomi caches free of charge to "Premier" Alliance members (IAPs that provide direct or indirect access to 100,000 end users and 2 x DS3 or better connectivity). Alternatively, Sandpiper will "Footprint-enable" an IAP's existing cache(s), allowing participation by smaller IAPs and those with existing cache infrastructure.

Although approaches differ, the basic benefits are similar in each case: reduced bandwidth consumption and latency for sites accessed through the CDN. Partnering with a CDN provider may also be simpler than designing, installing, and managing a private cache network to speed content delivery.

Getting a piece of the action
If industry interest is any indicator, CDNs hold promise. Cisco recently invested in start-up Akamai; Sandpiper merged with high-speed over-net provider Digital Island. According to Sandpiper's Yara, "the Digital Island merger only enhances service provider partner opportunities—Footprint partners will now have even greater coverage and bandwidth at their disposal."

Players in the emerging CDN market will be working to differentiate themselves. While Sandpiper and Akamai rely on partner-provided landline connectivity, Edgix will build a separate satellite network to deliver content. Akamai uses no-cost hardware to lure service provider partners. And Sandpiper differentiates itself by supporting all content types. According to Yara, "We actually assemble pages on the fly; we aren't limited to static content like Akamai. We also have an open architecture that accommodates streaming media."

CDNs are relatively new and ISP partnership programs will likely evolve over time. But one point seems clear: for a CDN to excel, it must have a broad reach. Partners are key to obtaining access to both POPs and subscribers. Service providers may be wise to leverage this point to their own advantage.




http://www.isp-planet.com/technology/cdn_connection.html

Network-Based VPN Platforms

In my September column VPN Platforms for Internet Service Providers, I surveyed a spectrum of commercially-available VPN products. Shortly thereafter, I received email from Matt Karash, Manager, Marketing & Business Analysis, at Celotek Corp. Matt asked "As I understand it, virtually all managed VPN services available today utilize CPE equipment. . . . Central office VPN equipment should at least have been beta tested by now. Have you heard any early reports from ISPs?"

Matt's question, along with my own exposure to a couple of new network-based VPN products at The Internet Security Conference (TISC), intrigued me. I decided to contact vendors in this arena and ask to speak with trial or early production customers.

It was no surprise to find few customers ready to speak publicly about their experiences with these emerging "carrier class" products. While a number of top-tier ISPs and telcos are trialing central office VPN products, most are in the "hush hush," pre-service-deployment stage and thus reluctant to tip their hands. Clearly there is significant interest here; it's just too early for public consensus.

What makes a Network-Based VPN product different?
Most VPN hardware is geared for enterprise use or for deployment at the customer's premises. Such VPN tunnels end at the enterprise network edge—at a VPN-enabled router, firewall, or security device.

The good news: confidentiality and authentication services can protect every packet that enters or leaves the enterprise network. The bad news: CPE involves up-front investment, recurring management costs, and security expertise.

Some CPE products integrate multiple functions—firewall, VPN, QoS—while others focus on performing a single function well. The dilemma: put all your eggs in one (presumably more easily managed) basket and hope it scales, or deploy several products in sequence for greater flexibility—and complexity. In very large scale, centrally-managed service provider networks with many CPE devices per customer, this CPE-based approach becomes unwieldy.

Some vendors think they may have a better answer for service-provider VPNs: move the VPN tunnel termination into the provider's own network. To build a "network-based VPN," providers will need heftier, more versatile VPN products, suitable for central office use, scalable and manageable for both large numbers of subscriber terminations per customer and large numbers of customers. These products are designed to sit someplace between the subscriber access line termination and the core network, concentrating and aggregating customer traffic headed for the provider's backbone network. This is a convenient place to enforce policies that control access, filter packets, shape traffic, and perform high-speed bulk data encryption.

Sounds Interesting, Tell Me More?
As you might expect, each vendor has its own spin on what it takes to be a network-based VPN product. Let's take a quick look at a few of the new products now under development.

The Compatible Systems IntraPort Carrier supports a variety of tunneling protocols (IPsec, L2TP, PPTP), routing protocols (RIP, OSPF, BGP4), and authentication services (RADIUS, SecurID, X.509 certificates). The product is initially suited for Frame Relay networks; Compatible Systems also plans to support ATM and MPLS networks.

PSINet is using the IntraPort Carrier-8 as a VPN security gateway on its backbone network to support a new Secure Remote Access service. This service, now in alpha test, available 1Q2K, will support up to 40,000 concurrent tunnels between Compatible's IntraPort Client and the IntraPort Carrier gateway. PSINet chose the IntraPort Carrier primarily because of its scalability in performance, price, and deployment. According to Prasad Tumuluri, Product Manager for Security Services at PSINet, "One advantage of this type of product is that we can start with a 10,000 client license and upgrade as the number of users increases." Tumuluri expects a carrier-class VPN gateway to be suitable for backbone deployment: bigger, more robust hardware. PSINet shied away from offering a CPE-based VPN service because doing so would involve greater expense and management by the customer. "With a core based VPN solution, we can take both of these problems out of the customer's hands," says Tumuluri.

CoSine Communications's IP Service Delivery Platform adds a "service processing layer" between subscriber access line concentrators (frame relay switches, DSLAMs) and the provider's core network. In a presentation made at TISC, Dean Hamilton, CoSine CEO, suggested that scalable, network-based VPNs require a non-stop switch delivering service to thousands of subscribers' networks, automated provisioning of services, tracking and reporting against SLAs, and customer network management tools that allow subscribers to view performance and configure their own priorities and services. CoSine employs "virtual routers" (VRs) that can be independently provisioned to reflect the needs of each subscriber. Traffic from customer VRs is aggregated through service provider VRs to provide core network access. Branch office VPN traffic can arrive "in the clear" on private access lines, while remote access PPTP or IPsec traffic can arrive encrypted, allowing both high-performance tunneling between VRs and integration of dial-up clients or remote CPE.

The Nortel Shasta 5000 Broadband Services Node sits at the subscriber edge of a provider's network, integrating DSL, cable, and dial traffic onto a backbone ATM or IP network. In October, I demonstrated the Shasta 5000's Service Creation System (SCS) during VPN @ TISC. SCS enables subscriber self-provisioning and service provider creation of policies. A profile manager is used to create rule-based policies that include VPNs, firewalls, anti-spoofing, differentiated service marking, traffic policing and traffic shaping. Multiple service policies can be combined to create a service profile—a gold package or a bronze package, for example. The Shasta 5000 can operate as an L2TP LNS or LAC and supports site-to-site IPsec tunnels. Nortel sees network-based security as an enabler for residential broadband: residential users won't tolerate CPE-based VPNs, but "always on" services like DSL and cable increase exposure to hacking.

The Redback Subscriber Management System 1000 is designed for placement at a service provider's POP, concentrating traffic from leased lines, DSLAMs, cable modems, and wireless head-ends, then grooming traffic for delivery to the service provider's backbone router. The SMS 1000 can be partitioned into 20 virtual routers. "Dynamic service selection" provisions different service characteristics to subscribers sharing the same backbone connection. "Dynamic provider selection" supports both wholesale and wholesale/retail service provisioning models. Redback's target market includes both tier one and tier three ISPs, but its VPN support is limited to L2TP in LAC, LNS, or tunnel switch mode.

Spring Tide's IP Services Switch 5000 is said to lie in the "service layer" of the public Internet because it performs service processing on individual user traffic flows, based on provisioned authentication, encryption, compression, and CoS/QoS characteristics. The IP Services Switch detects new user traffic flows and performs session-level filtering to map each new flow onto an authorized VPN. Input and output protocol stacks are constructed for each virtual access and backbone network connection, and virtual routers maintain separation between customer networks. The IP Services Switch will support IPsec, L2TP, and PPTP tunnels, with service policies stored in RADIUS or LDAP directories.

The proof is in the pudding
These network-based VPNs sound promising: improved scalability, subscriber-based provisioning, rapid service creation and faster service turn-up. Next spring, we'll check back with early network-based VPN customers to see how well this promise has been fulfilled.


http://www.isp-planet.com/technology/carrier_class_vpns.html

Managed Security Service: A Primer

Recent years have seen tremendous growth in outsourcing all aspects of IT, creating a burgeoning market for managed services. Companies seeking to outsource typically expect providers offering managed services to supply the whole enchilada, from consultation and planning to hardware, software, administration, monitoring, and help-desk support. Customers can thus leverage a service provider's infrastructure and expertise to sidestep the relentless capital investment needed to keep pace with technology.

When aspects of enterprise security are outsourced to an ISP—which is happening more and more—we've got a managed security service. There are several types of managed security services: managed VPN services, managed firewall services, even managed secure application or webhosting services.

Minding others' business
Nearly all such managed security services share a distinguishing characteristic: hardware and software—even on a customer's premises—are supplied and managed by the ISP. A few providers allow hardware to be co-managed by the customer. Most ISPs also include pre-sales consultation to assess security risk and vulnerability, security policy configuration, 24x7 NOC support, some form of real-time, proactive service-level monitoring, accounting, and reporting.

To get a better feel for typical features and emerging trends, we surveyed several commercially available managed security services. We limited our survey to security infrastructure services: VPNs, firewalls, intrusion detection, anti-virus protection, and active content management (filtering and blocking). To maintain focus, we did not include secure application services—email, web hosting, enterprise resource planning—that are increasingly offered by a different kind of service provider: an ASP (Application Service Provider).

Our findings—the core of this survey—are summarized in a comprehensive table, below. We precede the table with some observations pertinent to each major category of managed security service.

Managed VPN
The lure of reduced-cost remote access for corporate travelers and teleworkers has fostered growth in managed Virtual Private Networking services, although it's still early days. Today, several ISPs market services for remote access (RA) and branch office (BO) site-to-site tunneling. Few offer secure Extranet communication between business partners and customers.

VPNs can be supported with a variety of tunneling technologies: Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), Internet Protocol Security (IPSec), and other circuit or application proxies. We found IPSec most common, with fair diversity in hardware platform, nearly always located on the customer's premises. Pilot Network Services' approach (see table entry) is a noteworthy exception here.

Our survey table also identifies features that caught our attention, such as token-based authentication, integration of public key infrastructure (PKI), and service level agreements (SLAs). For example, GTE offers proactive monitoring and money-back guarantees for the following SLA: 99.9 percent availability and 125 ms or less round-trip latency between NOC and VPN CPE, 97 percent busy-free remote access or industry average, whichever is higher. Customer network management (CNM) provides on-line access to real-time and historical usage data.

Managed Firewall
Firewalls existed long before VPN, so it's not surprising that the managed firewall market appears more mature and consistent in its deployment. The majority of the ISPs we surveyed use CheckPoint's Firewall-1 for stateful packet inspection [see sidebar]. We found few providers willing to manage application proxy firewalls on behalf of customers. Of course, some ISPs combine both packet inspection and proxy approaches; PSINet even uses two platforms to accomplish this.

In many cases, one CPE firewall provides an integrated platform for both managed VPN and firewall services. A customer may subscribe to a managed firewall service and later add VPN support. Nearly every managed firewall service we saw involves CPE; AT&T/IBM Global Services is an exception to this rule. As with VPN, our survey table also identifies features that caught our attention, such as analysis reports, detailed logging, incident response support, and network forensics consultation.

Additional security services
Starting out, we expected to find services like Anti-Virus Protection, Active Content Management, and Intrusion Detection sold as free-standing managed security services. What we found was that, often, these services are included as a feature or add-on option with a managed VPN or Firewall service.

When included in a managed security service, Anti-Virus Protection (AV) may involve in-line scanning of packets flowing through a firewall or VPN device, or it may involve deflecting packets to an AV server using the Content Vectoring Protocol (CVP). Some mail server AV products scan just email, an extremely popular carrier for infected attachments. As expected, we found most AV services to include regular updates.

We use the term Active Content Management to refer to services that filter or block traffic based on destination or user. Typically a firewall add-on subscription service, these products limit employee access to undesirable sites to reduce non-business activity and bandwidth consumption. They also allow enterprises to keep tabs on URLs or files being accessed. Half of the ISPs surveyed offer this service; this is a growth market.

The most prevalent managed security service, after VPN and Firewall, is Intrusion Detection. IDS platforms may probe individual hosts, servers, or scan entire networks. The key to offering a managed Intrusion Detection service is automated scanning, incident response, and escalation procedures. Corrective action must be initiated automatically; it is not enough to warn of intrusion after the damage has been done. The most successful managed ID service providers will be those that do this well.
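To make the "automated scanning, incident response, and escalation" requirement concrete, here is an added Python example (not any surveyed provider's product). It parses constructed firewall DENY records, flags a source that is denied on many distinct destination ports within a sliding time window, and turns each alert into a block action plus an escalation ticket, so corrective action starts without waiting for an analyst. The log format, thresholds, firewall rule syntax and escalation queues are assumptions made for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of firewall DENY records (not from any real product).
# 198.51.100.9 sweeps ten ports in a few seconds; 203.0.113.77 just retries port 80.
SAMPLE_LOG = """\
1999-12-01T02:14:00 fw1 DENY src=198.51.100.9 dst=192.0.2.20 dport=21 proto=tcp
1999-12-01T02:14:01 fw1 DENY src=198.51.100.9 dst=192.0.2.20 dport=22 proto=tcp
1999-12-01T02:14:01 fw1 DENY src=203.0.113.77 dst=192.0.2.25 dport=80 proto=tcp
1999-12-01T02:14:02 fw1 DENY src=198.51.100.9 dst=192.0.2.20 dport=23 proto=tcp
1999-12-01T02:14:02 fw1 DENY src=198.51.100.9 dst=192.0.2.20 dport=25 proto=tcp
1999-12-01T02:14:03 fw1 DENY src=198.51.100.9 dst=192.0.2.20 dport=53 proto=udp
1999-12-01T02:14:04 fw1 DENY src=203.0.113.77 dst=192.0.2.25 dport=80 proto=tcp
1999-12-01T02:14:04 fw1 DENY src=198.51.100.9 dst=192.0.2.20 dport=80 proto=tcp
1999-12-01T02:14:05 fw1 DENY src=198.51.100.9 dst=192.0.2.20 dport=110 proto=tcp
1999-12-01T02:14:06 fw1 DENY src=198.51.100.9 dst=192.0.2.20 dport=143 proto=tcp
1999-12-01T02:14:07 fw1 DENY src=198.51.100.9 dst=192.0.2.20 dport=443 proto=tcp
1999-12-01T02:14:08 fw1 DENY src=198.51.100.9 dst=192.0.2.20 dport=8080 proto=tcp
1999-12-01T02:14:09 fw1 DENY src=203.0.113.77 dst=192.0.2.25 dport=80 proto=tcp
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) DENY src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_log(text):
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            e["dport"] = int(e["dport"])
            events.append(e)
    return events


def detect_port_scans(events, window=timedelta(seconds=60), threshold=8):
    """One alert per source that is denied on >= threshold distinct destination
    ports inside a sliding window. Repeated hits on one port do not count, so
    an ordinary client retrying a closed service is not flagged."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()   # distinct ports currently inside the window
        start, best = 0, None
        for e in evs:
            in_window[e["dport"]] += 1
            while e["ts"] - evs[start]["ts"] > window:   # slide the window forward
                old = evs[start]["dport"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold and (
                best is None or len(in_window) > len(best["distinct_ports"])
            ):
                best = {"rule": "port-scan", "src": src,
                        "distinct_ports": sorted(in_window),
                        "first_seen": evs[start]["ts"], "last_seen": e["ts"]}
        if best:
            alerts.append(best)
    return alerts


def respond(alert, threshold=8):
    """Automated corrective action plus escalation, decided per alert. The rule
    syntax and queue names are hypothetical placeholders."""
    n = len(alert["distinct_ports"])
    severity = "high" if n >= 2 * threshold else "medium"
    return {
        "src": alert["src"],
        "severity": severity,
        "action": "block",
        "firewall_rule": f"deny ip from {alert['src']} to any",
        "escalate_to": "noc-oncall" if severity == "high" else "soc-queue",
        "ticket": f"IDS-{alert['src']}-{alert['first_seen']:%Y%m%d%H%M%S}",
    }


def analyze(log_text):
    """Full pipeline: parse, detect, and decide the response for each alert."""
    return [respond(a) for a in detect_port_scans(parse_log(log_text))]


if __name__ == "__main__":
    for action in analyze(SAMPLE_LOG):
        print(action)
```

The window and threshold are deliberately parameters: a managed service tunes them per customer, and the same sliding-window counter generalizes to other rate-based rules (failed logins per account, denied connections per destination) by changing what is counted. The important design point for the column's argument is that the detector's output is an action record, not just a warning, so blocking and ticketing can proceed immediately while an analyst reviews the escalation.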

Final thoughts
It's no surprise that managed VPN services are taking off more slowly than analysts initially projected. We found ISP sales staffs often had to rely on engineering to provide service details. This must improve, because managed VPN consumers are large enterprises that have a greater "need to know" than $20/month Internet access customers. We found many managed VPN services described in rather sketchy terms—with some noteworthy exceptions (Transport Logic, Concentric).

Most managed security services are not yet "complete packages"—they include some combination of single service offerings of the categories we surveyed. And while a number of ISPs have SLAs for QoS, we did not find a single ISP with a Security SLA. We expect these situations to change as the managed security services market matures. Security requires expertise; customers must be assured that ISPs really know what they're doing. This requires complete solutions with money-back guarantees.

The information included in this survey was drawn from service provider web sites and responses to email inquiries. This survey is intended to be representative, not exhaustive. Please contact service providers directly for further information on any managed service that interests you.


http://www.isp-planet.com/technology/managed_security.html