Saturday, October 6, 2007

Infrastructure To Go

Since September 1999, Loudcloud has been making a name for itself as an expert eServices infrastructure provider. Loudcloud focuses on high-growth companies that need to get connected easily, quickly, and reliably—primarily, dot-coms and ASPs. In industries where time-to-market will make you, and inability to scale will break you, getting the most out of every resource is essential. Loudcloud's value proposition is simple: Focus in-house talent on building your business, and leave the driving to us.

Pedigreed staff, best-of-breed platforms
For ASPs, establishing a robust on-line presence is not a sideline—it is the foundation on which the entire business rests. Choosing an ASP infrastructure provider is a huge decision with tremendous consequences. So, why trust a third party like Loudcloud?

Start with Loudcloud's impeccable pedigree. Founded by top talent from Netscape and AOL, Loudcloud is led by Chairman Marc Andreessen and CEO Ben Horowitz. Board members include Intuit Chairman Bill Campbell and former Disney President Michael Ovitz. With deep-pocket equity funding by Benchmark Capital and Morgan Stanley Dean Witter, Loudcloud hired nearly 400 staffers with "deep expertise", including those responsible for high-volume sites like InfoSeek and Netscape. Its research group alone is said to possess 100 years of collective industry experience.

Expert staff is critically important, but an infrastructure is ultimately the sum of its parts. Loudcloud assembles best-of-breed platforms by leveraging strategic alliances with Akamai, EMC, Exodus, GlobalCenter, HP, iPlanet, Microsoft, Network Appliance, Sun, and others. For example, the platform Loudcloud created for SkillsVillage.com is based on three redundant pairs of Sun 4xx servers. These web, application, and database servers run Netscape Enterprise Server, Netscape Application Server, and Oracle8i, respectively. This site is hosted at GlobalCenter for robust network connectivity, front-ended by Cisco PIX firewalls and Alteon load balancers.

Loudcloud supports a variety of platforms, as required to meet diverse customer needs. During its first year of operation, Loudcloud evaluated the performance, stability, security, and interoperability of nearly 200 infrastructure technologies. "[Our] mission is to constantly evaluate advancements across the stack of networks, systems, and applications with an eye towards helping build out Loudcloud's environment," said Loudcloud VP David Posey. "This helps a customer more quickly build its custom application that runs on top of Loudcloud's software infrastructure services."

Tiered infrastructure
Loudcloud is a soup-to-nuts infrastructure provider. It supplies the floorspace, high-availability hardware and software, and load-balanced network facilities, all backed by a 100% scheduled uptime guarantee. Loudcloud's operational environment includes 24x7 multi-level monitoring, storage management, and network and host security.

Managing a complex infrastructure can be incredibly resource-intensive. Even when this burden is outsourced, it can be tough to add services and capacity quickly. Loudcloud addresses this challenge with OpsWare, a proprietary technology that automates capacity management, configuration, provisioning, and versioning. Customers can also monitor and tune their own sites through my.Loudcloud, a self-service management interface. Loudcloud provides capacity on demand; each customer's monthly fee is based on usage.

Smart Cloud services
These core technologies support a suite of "Smart Cloud" services, assembled to meet each customer's needs. Start with Web Cloud and/or Application Server Cloud. These services provide a ready foundation for Internet business applications that operate in Linux, Solaris, or Windows NT/2000 AS environments. Web Cloud supports Apache, Microsoft IIS, and iPlanet Enterprise servers. Application Cloud alternatives include Allaire JRUN, ATG Dynamo, BEA WebLogic, Microsoft COM+, Netscape Application Server, and Vignette Story Server. Need another web or application server? Loudcloud claims to support nearly any application architecture, including custom systems.

Sites that require back-end systems integration can add Database Cloud: managed, high-availability database solutions based on Oracle8i or Microsoft SQL Server. Those that need inbound/outbound messaging or an open information repository can subscribe to Mail Cloud or Directory Cloud. All of these services are architected to avoid single-point-of-failure, and are accompanied by storage and backup management. Loudcloud lets you deploy applications that require these services without having to worry about platform design or administration.

Facilitating growth
For global load balancing and disaster recovery through rapid site redeployment, add GlobalConnect. To further increase delivery speed, add Content Distribution Cloud, a service that pushes content to the network edge using Akamai FreeFlow. Using Loudcloud's a la carte approach, a dot-com or ASP can deploy a basic site at first, then add premium services as the business grows. Because Loudcloud's infrastructure is designed for scalability from the get-go, capacity can be added quickly, with minimal fuss.

Making the most of this platform requires careful deployment, on-going monitoring, and quality control. Staging Cloud permits site verification with a small-scale replica before production deployment, complemented by integrity testing and rollback. Stress Cloud uses Mercury Interactive's LoadRunner to simulate as many as 100K concurrent users. Transaction Monitoring Cloud uses Mercury Interactive's Topaz to continuously measure, alert, and report on site performance, as perceived by end users.

Smart Cloud is intended to help customers to move quickly to market. Indeed, the SkillsVillage.com site was deployed in just three weeks. "By not having to figure out all the pieces that make up the infrastructure of their eBusiness, Loudcloud customers have the time and resources to focus on developing new features that will generate revenue or differentiate their business from the competition," said CEO Horowitz.

Instant ASP
Loudcloud's core platforms and Smart Cloud services satisfy many common Internet application needs. But how do customers know what they need? Loudcloud assigns a dedicated Project Engineer and a Consulting Engineer to assist each customer during platform design, test, and deployment phases. Some customers build their own applications. Others work with Loudcloud partners like Lante, Proxicom, Viant, and Zefer. These consultants and system integrators can help customers create the Internet applications that ride over Loudcloud's platform.

While deploying sites for ASPs like Catapulse, Mercury Interactive, and StatementOne.com, Loudcloud saw a common thread emerge. Many ASPs require further application services like billing, configuration management, customer monitoring, and log management. Loudcloud has announced that it will bundle these higher-level services into an "Instant ASP" package, available in 4Q00.

According to Loudcloud CEO Horowitz, "For companies to flourish on the Internet, the process of adding new services and global growth needs to be dramatically simplified." Next generation services like Instant ASP "reflect the evolution and learning from working with our customers."

A promising start
Loudcloud appears to have hit the ground running during its first year. In addition to those already mentioned, Loudcloud's ASP roster also includes BlackHog, eDeploy.com, Interelate, and MetaTV. Dot-coms and ASPs dominate the two dozen customers identified on Loudcloud's site today, joined by brick-and-mortar companies like Nike and Britannica.

Testimonials echo a common theme that makes it clear why these customers have signed with Loudcloud. "For Work.com to have the trust of its customers, it has to be up and running all the time—period," said Work.com CEO Don Hutchinson. "The commitment to quality that Loudcloud's service level agreement represents, and the fact that we can leverage Loudcloud's vast technical knowledge are key reasons Work.com chose Loudcloud."

Satisfied early adopters stand as evidence that Loudcloud has been able to meet expectations thus far. But remember that Loudcloud is a very well-funded start-up. Pouring considerable expertise and resources into a high-quality infrastructure has gotten Loudcloud off to a promising start. Time will tell whether Loudcloud can sustain this momentum over the long haul.

http://www.isp-planet.com/technology/loudcloud1.html

ISS Bets the Shop on Managed Security Partnerships

Internet Security Systems (ISS), a long-time player in the Intrusion Detection market, jumped into the managed services market last year when it acquired Netrex Secure Solutions (see Best-of-Breed Platform for Managed Security Services). The combined company has a five-year history of selling managed firewall, VPN, antivirus, content filtering, intrusion detection, assessment, and emergency response services directly to large enterprises. Along the way, ISS also built ten resale partnerships, helping providers like BellSouth, Ameritech, and SAVVIS offer managed security to their own customers. Earlier this month, ISS announced nine new partnership agreements, signaling a shift in its go-to-market strategy.

According to Mark Hangen, president and general manager of ISS Managed Security Services, direct sales to ISS Enterprise Solutions customers account for 60 percent of services revenue. This approach continues to be profitable: A half dozen Fortune 100 companies were signed during the last quarter. But Hangen expects the market to change significantly.

"We're seeing a shift," said Hangen. "Enterprises are buying security as part of a larger offering from network integrators, web hosters, and cyber-carriers. In the long run, we expect 90 percent of our revenue will be derived from this larger market." To accomplish this goal, ISS Managed Security Services has changed its focus to signing partners who will bring managed security services to market along with their own services.

Targeting Market Segments
This week's announcement doubles the number of ISS channel partners, adding some big names: Lucent NetCares, PricewaterhouseCoopers, iGroup (Computacenter), Qwest, HiFive!.net, Log On America, NOCpulse, SevenSpace, and the Sutherland Group.

According to Hangen, new customers reached through these deals number in excess of two million, world-wide. Where is this growth coming from? "Enterprises have many channels they can buy security from," said Hangen. "We set ourselves a modest goal: We want to be in all of them."

Auditors/Consultants: "These companies are hired to conduct security assessments; some provide network-based integration," said Hangen. "Customers often look to their consultants for product recommendation." Signing PricewaterhouseCoopers is a major coup for ISS. PwC is the world's largest professional services firm, employing over 150,000 people in 150 countries. ISS services will be resold by PwC's Audit and Global Risk Management Solutions, an organization of more than 600 practitioners.

System/Network Integrators: Integrators have always been a lucrative VAR channel for hardware and software; adding managed services to the mix should be a slam-dunk. Last month, ISS announced an agreement with Dimension Data, the largest Cisco reseller, worldwide. "DimensionData has a dominant market share in Asia and presence in 35 countries," said Hangen.

This week, ISS adds two new integration partners: iGroup and The Sutherland Group. "iGroup's parent company, Computacenter, is Microsoft's largest reseller with 65 percent of the European market," said Hangen. "After an extensive competitive assessment, iGroup selected us to add security to their turnkey solutions for eCommerce." The Sutherland Group is an electronic Customer Relationship (eCRM) professional services company, another market where security is clearly important.

CyberCarriers: Existing partners Ameritech, BellSouth Business Internet Services, and MCI/WorldCom subsidiary Embratel are joined this month by Qwest Communications International and Lucent NetworkCare Professional Services (NPS). Because Lucent focuses on selling to other cyber-carriers, the NPS deal actually represents over 100 carrier resale opportunities, including CLECs, incumbents, and hosting companies, according to Hangen.

xSPs: ISS isn't worried about differentiating between Managed Service Providers (MSPs), Internet Service Providers (ISPs), and Application Service Providers (ASPs) -- Hangen wants to partner with every kind of service provider. Existing partners in this space include Globix and SAVVIS. New partners announced this week are HiFive!.net, NOCpulse, and SevenSpace.

HiFive!.net delivers web-hosted network, security, and application assurance services. NOCpulse offers proactive management services for business customer web infrastructure. SevenSpace provides high-end managed operations and applications to Global 2000 customers. According to Hangen, these MSPs will resell ISS managed security in combination with web hosting services.

Industry-Focused Service Providers: Partnering with vertical network and service providers is an excellent way to reach new customers. These "industry-focused" providers have already penetrated a specific market, developing customer trust and building a brand. Breaking into a vertical market as an outsider can be tough. Leveraging a partner's sales force, business relationships, and brand name should be easier. GE Medical Systems, a $7B medical information and technology provider with presence in over 200 countries, is the first such partner announced by ISS.

http://www.isp-planet.com/hosting/iss_partners1.html

Secure Desktop Access From Just About Anywhere

There are many ways to lose your shirt in the ASP business. Develop an innovative solution for a problem that doesn't exist. Solve a business problem that is here today but gone tomorrow. Expect customers to adapt their business to your service. Silicon Valley startup uRoam has thus far managed to avoid these pitfalls.

This secure "anytime, anywhere" desktop access provider plans to help data service providers—ISPs, ILECs, and CLECs—serve two rapidly-growing markets. According to uRoam, there are 14.3 million mobile professionals today, a bountiful $2.2B market. And many workers carry WAP-enabled phones and wireless PDAs—a market projected to exceed $15B by 2002. What corporate traveler hasn't forgotten a file or yearned for a peek at email while out of the office? uRoam provides secure remote access to home or office PCs from any device with Internet access and an off-the-shelf browser.

Look Ma, no client
The key ingredient in this recipe is the absence of client software. Mobile professionals can walk into a nearby Internet cafe, stop at an airport web kiosk, or whip out a PalmPilot, log into uRoam, and gain encrypted, authenticated access to a host computer.

uRoam adjusts to the client device, rendering output in HTML or WML format as needed by the browser. Netscape and Internet Explorer, ProxiWeb on the PalmPilot, GoAmerica on the RIM BlackBerry, and micro-browsers on Neopoint and Sprint phones are supported now. AvantGo and OmniSky are also supported, with some limitations.

Browser-based solutions are great, but not when they make users jump through hoops. With solutions like HotOffice, you must upload files before you need them, then remember which version is current. "Our solution gives you browser access to your own desktop, with 128-bit SSL protection," said uRoam VP of Sales George Finnerty.

Anytime, anywhere desktop access
Finnerty introduced me to uRoam at a local Kinko's, using a public PC and his own PalmPilot. On each, he launched a browser, logged into uRoam, and entered a password. Browsers were then redirected to Finnerty's own desktop PC, back at his West Chester, Penn. office.

On Finnerty's desktop PC ran a compact 4 MB uRoam agent and web server. This software is compatible with any Win32 desktop, including those running Windows 2000 or ME. (Users with MacOS desktops are out of luck.) An extensible collection of weblets act as middleware between the uRoam server and desktop applications. For example:

* "Your Screen" is a remote host control weblet. Think PC Anywhere, but with greater security and far less hassle. When using a Java-enabled browser, "Your Screen" is nearly the same as being back at the office. On devices that lack Java, HTML menus simulate mouse activity - less elegant, but still quite usable.
* "Your Files" is a resource sharing weblet. Picture a secure Network Neighborhood on steroids. View, open, zip, upload, or download files stored on local drives or network fileshares. Send documents to a printer or fax on your office LAN. Use "View" to access any file that can be rendered as a .gif - no application is required on the client. Or use "Open" to run an application on the client that edits a file on the desktop. There's no need to upload your work when done; uRoam leaves nothing behind on the client PC.
* Microsoft Outlook users can avoid inbox replication and synchronization hassles by checking mail on their primary desktop. My favorite feature: forward attachments without downloading them to your handheld by dropping filenames into a "shopping cart," attached to an Outlook message. If you've spent any time reading mail on a WAP phone or PalmPilot, then you know how helpful these optimizations can be.

The company expects to develop other common weblets to meet market demands. Quicken, camera, and jukebox weblets are among those already developed. Custom weblets can provide access to backoffice systems - for example, uRoam developed a weblet to browse schedules in a physician's database.

Under the covers
uRoam leverages the storage, streaming, and on-line collaboration background of its founders: CEO Michael Herne, VP of Engineering Igor Plotnikov, and CTO Alexander Sokolsky. Since its launch in 1998, uRoam has focused on inventing, proving, and refining the patent-pending technologies needed to make roaming desktop access secure, flexible, and easy-to-use.

These founders identified and addressed security concerns that plague today's road warriors. SSL is an obvious choice for confidentiality of corporate data sent over the Internet, without added client software. But uRoam goes further than most. Not only are the user and desktop authenticated by uRoam, but a shared secret known only to the user is required for desktop access. uRoam does not proxy traffic; the browser and desktop communicate directly. Because nothing is cached at the browser, private data and credentials are never left on a public PC after the session ends.

uRoam engineers also realized the importance of connection independence. Browsers can connect over wireline or wireless; the uRoam agent adapts content as needed. Desktops can connect to the Internet over any media, including DSL, cable, ISDN, or dial-up. If a dial or ISDN agent is inactive when access is requested, uRoam calls the agent to bring it on-line. As long as the desktop PC is powered on, with a modem to answer incoming calls, uRoam can reach it. uRoam and the desktop authenticate each other, then drop the call. The desktop dials back out to the Internet. uRoam redirects the browser to the desktop's (possibly dynamic) IP address, and an SSL session is established between the desktop and browser. This entire setup took about a minute during Finnerty's demonstration.
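The two paragraphs above describe a rendezvous: the desktop proves its identity to the service, reports the address it came back on-line at, and the service then redirects an authenticated user's browser straight to that address without proxying the session. The following is an added example written for this page, not uRoam's code, and it assumes a hypothetical design: a per-desktop HMAC key, a one-shot nonce per wake-up so a captured answer cannot be replayed, and the user's shared secret stored only as a salted hash. It models the desktop's proof to the service and the user's secret; the service's proof back to the desktop is not shown. All names, keys and addresses are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for a hypothetical rendezvous service; none of these
# keys, names or addresses come from uRoam.
DESKTOP_KEYS = {"finnerty-pc": b"constructed-desktop-key"}

# The user's shared secret is kept only as a salted, stretched hash (constructed).
USER_SALT = b"constructed-salt"
ITERATIONS = 100_000
USER_ACCOUNTS = {
    "gfinnerty": (
        "finnerty-pc",
        hashlib.pbkdf2_hmac("sha256", b"constructed-user-secret", USER_SALT, ITERATIONS),
    ),
}


class Rendezvous:
    """Hypothetical directory: once a desktop proves it holds its key, the service
    records the desktop's current (possibly dynamic) address and can redirect an
    authenticated user's browser to it. It never relays the session itself."""

    def __init__(self):
        self.registered = {}   # desktop_id -> current address
        self.challenges = {}   # desktop_id -> outstanding nonce

    def issue_challenge(self, desktop_id):
        # A fresh nonce per wake-up call: a captured answer is useless later.
        nonce = secrets.token_bytes(16)
        self.challenges[desktop_id] = nonce
        return nonce

    def register(self, desktop_id, address, response):
        key = DESKTOP_KEYS.get(desktop_id)
        nonce = self.challenges.pop(desktop_id, None)   # one-shot: consumed here
        if key is None or nonce is None:
            return False
        expected = hmac.new(key, nonce + address.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False
        self.registered[desktop_id] = address
        return True

    def redirect_for(self, username, user_secret):
        account = USER_ACCOUNTS.get(username)
        if account is None:
            return None
        desktop_id, stored = account
        candidate = hashlib.pbkdf2_hmac("sha256", user_secret.encode(), USER_SALT, ITERATIONS)
        if not hmac.compare_digest(candidate, stored):
            return None
        address = self.registered.get(desktop_id)
        if address is None:
            return None   # desktop has not dialled back in yet
        return f"https://{address}/"


def desktop_answer(desktop_id, nonce, address):
    """What the desktop agent computes once it is back on-line: its key bound to
    the nonce and to the address it will be reachable at."""
    return hmac.new(DESKTOP_KEYS[desktop_id], nonce + address.encode(), hashlib.sha256).digest()


def walk_through():
    """The sequence from the demonstration: wake-up, proof, dial-back, redirect.
    Returns (accepted, replay_accepted, redirect_url, redirect_with_wrong_secret)."""
    service = Rendezvous()
    nonce = service.issue_challenge("finnerty-pc")
    address = "198.51.100.23"   # constructed dynamic address after dial-back
    answer = desktop_answer("finnerty-pc", nonce, address)
    accepted = service.register("finnerty-pc", address, answer)
    replayed = service.register("finnerty-pc", address, answer)   # same answer again
    target = service.redirect_for("gfinnerty", "constructed-user-secret")
    wrong = service.redirect_for("gfinnerty", "not-the-secret")
    return accepted, replayed, target, wrong


if __name__ == "__main__":
    print(walk_through())
```

Binding the answer to the reported address matters: without it, a valid proof could be paired with a different address and the browser redirected to the wrong host. The replay call shows why the nonce is consumed on first use.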


http://www.isp-planet.com/services/uroam1.html

Cisco Joins the Network-Based VPN Market

Industry heavyweight Cisco, a longtime player in the VPN router space, infiltrated the VPN remote access concentrator market this past March by purchasing Altiga and Compatible Systems. Among the products acquired — Compatible Systems' IntraPort Carrier-8, a network-based VPN platform used by PSINet to deliver its Secure Remote Access service.

Last month, this platform was reborn as Cisco's flagship VPN 5008, prize member of its new VPN 5000 Concentrator series. This IPsec and L2TP tunneling platform, deployed at the service provider network edge, finally brings Cisco into the network-based VPN market.

Moving from customer, to provider network edge
The VPN 5000 Concentrator series currently comprises three products. At the low end, the 5001 is traditional customer premises equipment; it supports tunneling from the edge of a single customer network.

However, the two-slot 5002 and eight-slot 5008 are intended for deployment at a service provider's Point-of-Presence or Central Office, supporting up to 256 customer VPNs with a single device. VPNs are implemented in software using Customer Virtual Contexts. CVCs define tunnel terminations and mappings, address translations, IGP routing, RADIUS servers, encryption policies, and firewall filters. This approach allows customer VPNs to operate independently while sharing a common platform. Cisco's CVC Pro, a directory-based provisioning system, is used to build and populate service templates, which in turn, are used to configure VPN 5000 systems.

Carrier-class horsepower
Providers can use the 5002 or 5008 to offer remote access and site-to-site VPN services. Incoming IPsec or L2TP/PPP tunnels can be mapped onto 802.1Q VLANs, Frame Relay PVCs, GRE tunnels, or other IPsec tunnels. Slots can be populated with Edge Service Processor (ESP) cards that enable growth and flexibility. Each ESP hosts a StrongArm RISC 233 MHz processor, two encryption coprocessors, a math coprocessor, 128 MB SDRAM, and one network interface. Any combination of HSSI, OC-3, DS-3, or 10/100 Ethernet interfaces can be used to connect the 5002/5008 to a Frame Relay network, OC-3/STM-1 POS network, or switched/routed Ethernet.

According to Cisco, each ESP supports up to 5,000 simultaneous remote access or site-to-site VPN tunnels. The 5002 can handle 10,000 tunnels with 195 Mbps 3DES throughput. A fully equipped 5008 can handle 40,000 tunnels with 760 Mbps 3DES throughput.

These concentrators offer carrier-class horsepower and scalability that far exceed those of VPN CPE. However, Cisco's numbers do not approach the self-described capacity of Lucent's IP services switches sold as part of its Spring Tide ("100,000 simultaneous sessions") and CoSine lineups ("tens of thousands of subscriber networks"). Providers seeking the operational efficiency of network-based VPN without a big-league price tag may start small and grow incrementally with the modular 5000 series.

Flexible client, push configuration
Every VPN 5000 series concentrator includes a blanket license to brand and distribute IPsec VPN client software, required by remote access VPNs. Clients can connect over dial-up, ISDN, DSL, or cable modem. Cisco's client provides the broadest OS support available on the market today. Windows 95, 98, NT, and 2000 are supported now; a Windows ME client is underway. PowerPC Macs running MacOS 7.6 and OpenTransport 1.1.1 or higher are supported now, as are Intel platforms running Linux variants like RedHat 5.2 and 6.0. Solaris 2.5.1 is available for Sun SPARC now; Intel Solaris is coming soon. This extensive support makes it easier for providers to sell remote access VPN services into any enterprise account.

The VPN 5000 client offers many attractive features:

* Centrally configured security policies can be pushed to the client during tunnel establishment, eliminating confusing, error-prone configuration by desktop users.
* Using a clever port 80 encapsulation trick, this client is able to send IPsec traffic through packet filtering firewalls that perform NAT/PAT (a technology often incompatible with IPsec).
* This client leverages round-robin DNS and hostnames associated with multiple addresses to circumvent unreachable concentrators and distribute tunnels across active concentrators.
* By using hybrid XAUTH, a variety of client authentication methods are supported, including preshared secrets, RADIUS PAP/CHAP, SecurID, AXENT Defender, Entrust and standard PKCS#12 digital certificates, and (via RADIUS proxy) LDAP, NT Domain, or token-based authentication services.
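The third bullet describes a client-side technique worth seeing concretely: a single hostname resolves to several addresses (one per concentrator), and the client rotates its starting point to spread load, moving on to the next address when one does not answer. The code below is an added example written for this page, not Cisco's client, and it assumes a constructed DNS map (RFC 5737 test addresses) so it runs offline; the `try_connect` callable stands in for whatever the real client does to test a concentrator, and the port used by `tcp_probe` is a placeholder for the one your concentrator actually listens on.

```python
import socket

# Constructed stand-in for a DNS zone in which one hostname carries several
# A records, one per concentrator (RFC 5737 test addresses, not real hosts).
FAKE_DNS = {"vpn.example.com": ["192.0.2.10", "192.0.2.11", "192.0.2.12"]}


def resolve_all(hostname, resolver=None):
    """Return every IPv4 address for hostname, in the order received.
    With resolver=None the live system resolver is used; passing a dict
    (as in the demo) keeps the lookup offline."""
    if resolver is not None:
        return list(resolver.get(hostname, []))
    addresses = []
    for info in socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM):
        address = info[4][0]
        if address not in addresses:
            addresses.append(address)
    return addresses


def connect_with_failover(hostname, try_connect, resolver=None, start=0):
    """Try the addresses behind hostname beginning at index `start` (the caller
    advances it per attempt so load is spread across concentrators) and skip any
    that refuse. Returns (address_that_worked_or_None, list_of_failed_addresses)."""
    addresses = resolve_all(hostname, resolver)
    if not addresses:
        return None, []
    start %= len(addresses)
    ordered = addresses[start:] + addresses[:start]
    failures = []
    for address in ordered:
        if try_connect(address):
            return address, failures
        failures.append(address)
    return None, failures


def tcp_probe(port, timeout=2.0):
    """Build a real reachability check for use against a live name: a TCP connect
    to `port`. Hypothetical helper; choose the port your concentrator serves."""
    def probe(address):
        try:
            with socket.create_connection((address, port), timeout=timeout):
                return True
        except OSError:
            return False
    return probe


if __name__ == "__main__":
    # Constructed outage: the first concentrator is down.
    down = {"192.0.2.10"}
    for attempt in range(3):
        print(connect_with_failover("vpn.example.com", lambda a: a not in down,
                                    resolver=FAKE_DNS, start=attempt))
```

The returned failure list is the operationally useful part: a client that logs which concentrators it skipped gives the provider's NOC a signal that one member of the pool is unreachable from the field, long before every client starts failing.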

Trading footprint for functionality
Proprietary features like these make the VPN 5000 client more flexible, but inhibit multi-vendor interoperability. The VPN 5000 series interoperates with other Cisco IPsec products: routers running IOS 12.01T or later, PIX firewalls, and 3000 series concentrators.

But Cisco chose not to support the native Windows 2000 IPsec client because it "lacks many of the features that differentiate the VPN 5000 client and enable large scale IPsec VPN deployments."

Why does this matter? Adding any software to enterprise desktops can be an uphill sell — even a lightweight, centrally configured client.

Nonetheless, there are many enterprises willing to add desktop software when required to overcome other hurdles.

According to Terry Milholland, Electronic Data Systems CIO, "Cisco's client support of all major operating systems, including Windows 2000, is critical as we continue to expand our diverse customer base around the world. We have added VPN services to our existing dedicated dial solution, leveraging our CiscoSecure authentication and accounting system. [This] permits our remote access users to take advantage of cable modem and DSL broadband Internet access."

A promising service delivery platform
Cisco VPN series concentrators are well-suited for use by ISPs and DLECs that want to deliver both site-to-site and remote access services through a combination of desktop software, customer premises gateways, and PoP or CO edge devices. Many industry analysts believe the latter approach is required for cost-effective, large-scale VPN service delivery. By adding the 5000 series to its VPN product line, Cisco finally joins this club.

http://www.isp-planet.com/equipment/cisco_vpn.html

What To Look For In A Managed Security Provider

Economic and resourcing factors are fostering rampant growth in outsourced network and application service markets. At the same time, burgeoning business use of the Internet has greatly increased both enterprise security risk and awareness. These industry trends have combined to create an explosive managed security services market. According to IDC, the worldwide market for security services, growing 34% annually, will exceed $2B by 2003.

This bumper crop of emerging managed security providers (MSPs) offers a bevy of services, ranging from managed firewalls to virtual private networks to secure Internet applications. Selecting a managed security provider to protect your enterprise's assets can be a daunting task. Many of these services sound (at least superficially) similar: a provider-managed solution, installed at the edge of your network, with 24x7x365 monitoring by security experts. To understand what each MSP has to offer, you'll need to dig deeper.

Security expertise
Why do companies outsource security in the first place? Forrester Research put it this way: "Because you don't give receptionists AK47s." Enterprises expect MSPs to provide top-notch security expertise with depth that just isn't available—or affordable—in-house.

Ask for a client list and check references: does the MSP have a successful history of dealing with companies like your own? Ask about NOC staff qualifications: does the MSP hire employees who are certified to manage the solutions they sell? Do they conduct background checks? Ask about broad, diverse skill sets: can the MSP train your IT staff, can it help you develop your incident preparedness plan, can it provide forensic investigation? Don't blindly assume that anyone who can spell "managed firewall" is a security expert.

Policy development and refinement
Before outsourcing security, identify the resources you need to protect and who should be granted access to them. Once you've taken this step, ask prospective MSPs to help you design a security policy and develop a deployment plan. Many MSPs will conduct a vulnerability assessment to help you locate unprotected resources and spotlight security risks.

Your chosen MSP will design, install, and configure hardware and/or software solutions that implement your security plan. During deployment, your MSP may also help you harden your servers and bring your staff up to speed on incident preparedness. Ask the MSP to conduct tests to prove the installed solution is really enforcing your security policy. Don't forget to test "inside-out", tightening policies to reduce your exposure should an inside host be compromised.
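"Ask the MSP to conduct tests to prove the installed solution is really enforcing your security policy" is easier to hold a provider to when the policy is written down as expectations that can be replayed. The block below is an added example for this page, not any MSP's tooling: a small first-match rule evaluator with an implicit final deny, a constructed rule set, and a list of flows with the decision each should get. The "inside-out" case from the paragraph is included: a loose policy that allows all egress passes the inbound checks but fails the egress one; the tightened policy passes both. Addresses are RFC 5737/1918 placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR
    dst: str               # CIDR
    proto: str             # "tcp", "udp", or "any"
    dport: Optional[int]   # None matches any destination port


def matches(rule, flow):
    src, dst, proto, dport = flow
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and (rule.dport is None or rule.dport == dport))


def decide(rules, flow):
    """First matching rule wins; anything unmatched is denied, as on most perimeter firewalls."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"


def check_policy(rules, expectations):
    """Return every (flow, wanted, got) where the rule set disagrees with the written policy."""
    failures = []
    for flow, wanted in expectations:
        got = decide(rules, flow)
        if got != wanted:
            failures.append((flow, wanted, got))
    return failures


# Constructed network: public web server in 192.0.2.0/24, staff LAN in 10.0.0.0/8.
INBOUND_RULES = [
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),   # public HTTPS only
    Rule("deny",  "0.0.0.0/0", "192.0.2.0/24",  "any", None),  # nothing else inbound
]

# The common oversight: egress left wide open.
RULES_LOOSE = INBOUND_RULES + [
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", "any", None),
]

# Tightened "inside-out": only the egress the business actually needs.
RULES_TIGHT = INBOUND_RULES + [
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", "udp", 53),
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", "tcp", 80),
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", "tcp", 443),
]

# The written policy, as replayable expectations (flow = src, dst, proto, dport).
EXPECTATIONS = [
    (("203.0.113.5", "192.0.2.10", "tcp", 443), "allow"),    # customers reach the site
    (("203.0.113.5", "192.0.2.10", "tcp", 22), "deny"),      # no remote admin from outside
    (("10.1.2.3", "198.51.100.7", "tcp", 443), "allow"),     # staff browsing
    (("10.1.2.3", "198.51.100.7", "udp", 53), "allow"),      # staff DNS
    (("10.1.2.3", "198.51.100.7", "tcp", 6667), "deny"),     # inside-out: unexpected egress from a compromised host
]


if __name__ == "__main__":
    print("loose:", check_policy(RULES_LOOSE, EXPECTATIONS))
    print("tight:", check_policy(RULES_TIGHT, EXPECTATIONS))
```

Keeping the expectations in a file the customer owns, and re-running them after every rule change the MSP makes, turns "the firewall enforces our policy" from a claim into something checked on a schedule, which is also what the next paragraph's on-going review needs.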

Good MSPs will repeat vulnerability assessment and review your security policy on a regular basis. Designing an effective security policy is not a "once and done" deal; it requires on-going partnership between you and your MSP.

Breadth of services
Last fall, Dave Piscitello and I surveyed the MSP landscape in an article published by ISP-Planet. We found that most managed security services today fall into two categories: managed firewalls and managed VPNs.

Managed firewall services enforce perimeter security for your enterprise network, often via centrally-managed CPE firewalls (e.g., CheckPoint, WatchGuard). Managed VPN services create tunnels between enterprise sites and/or provide secure remote access, using a combination of CPE hardware and software. Most MSPs provide these as discretely-packaged services. Some base several services on a common platform; others use several platforms. Ask your MSP why it chose the platform(s) that it uses, and be wary of proprietary protocols or unusual gear.

Many MSPs sell added-value security services like intrusion detection, URL or active content filtering, email or web anti-virus scanning. These are typically sold "a la carte", as software bolted onto your CPE firewall. Occasionally, such services can be found on their own (e.g., AT&T's Managed Intrusion Detection Service). Added-value services may be convenient, but usually won't top your list of reasons for choosing an MSP.

On the other hand, if what you really need is secure email or web hosting, skip the managed VPN and look for an MSP/ASP that
http://www.isp-planet.com/technology/mss_what_to_look_for.html