Technology Stocks : Ascend Communications (ASND)
To: djane who wrote (52307)
From: djane
8/18/1998 11:58:00 PM
 
Big ISPs play VPN catch-up [Nice room for future growth]

nwfusion.com

By Denise Pappalardo
Network World, 08/17/98

If you think choosing one of the big ISPs is the
safe way to get the latest and greatest in virtual
private network (VPN) services today, you're
mistaken.

Smaller, lesser-known national ISPs are
showing they're more nimble than their giant
counterparts and are already supporting some
of the latest twists in VPN technologies.
Companies such as Concentric Network,
Epoch Internet and TCG CERFnet have
deployed new tunneling capabilities, digital
certificates and other features that give
customers faster, more secure VPNs.

But the big boys aren't lying down just yet.
Three of the top ISPs - AT&T WorldNet,
WorldCom Advanced Networks and GTE
Internetworking - are testing some of the latest
VPN tunneling and security protocols that will
be deployed in next-generation VPN services.

IP-based VPNs offer corporations private
network capabilities, but they use carrier
Internet facilities for transport. While VPNs
promise cost savings and flexibility,
performance and security are key issues for
corporate buyers.

Glenn Botkin, intranet manager at Galaxy
Scientific, an Egg Harbor Township, N.J.,
engineering firm, says users are waiting
anxiously for ISPs to bring secure, robust VPN
services out of the labs and into their product
portfolios. "We want a provider to come to us
with a complete VPN package, and I don't feel
any ISP has that today," Botkin says.

ISPs at work

But large companies are working to address
Botkin's complaint.

AT&T, for instance, is currently testing a variety
of new technologies, including the Layer 2
Tunneling Protocol (L2TP), the Point-to-Point
Tunneling Protocol (PPTP), Internet Security
(IPSec) and digital certificates, with some of its
customers, says Ed Nalbandian, a managing
partner for AT&T's Managed Network
Solutions division. These tests are expected to
result in improved WorldNet VPN services that
offer users stronger encryption and better
network performance.

AT&T WorldNet's VPN service, introduced
late last year, supports TCP tunneling, which is
not the most efficient means for shuttling private
corporate data over the Internet. TCP tunneling
adds more overhead to IP packets than other
tunneling protocols, including PPTP, which is
more popular today than TCP tunneling.

As a first step toward improving its VPNs,
Nalbandian says AT&T will deploy L2TP
tunneling support next. L2TP is a pending IETF
specification that combines technology from
PPTP and Cisco Systems' Layer 2 Forwarding
(L2F) protocol. One of the benefits of L2TP is
that it can support multiprotocol traffic.

While AT&T is also testing IPSec, Bob
Schroder, product manager for IP services at
AT&T WorldNet, says more work still needs
to be done to ensure the protocol doesn't bog
down networks.

IPSec, also a pending IETF specification,
defines how to encrypt IP packets carried over
a secure tunnel through a public or private IP
network. IPSec uses a powerful 164-bit key
encryption algorithm based on the Digital
Encryption Standard (DES).

The specification supports the use of digital
certificates based on the X.509 Version 3
standard. Digital certificates are based on public
and private keys, and are typically issued by
certificate authorities such as banks or other
trusted institutions. These certificates
authenticate users trying to access information
across the VPN.

WorldCom's plans

WorldCom Advanced Networks expects to
support digital certificates next year, but is
waiting for Cisco Systems' and Microsoft's
Active Directory platforms to become available,
says Skip Taylor, group manager for remote
access services at WorldCom Advanced
Networks.

Cisco Networking Services for Active
Directory (CNS/AD) is expected to store
information about applications, users, routers
and switches. Taylor believes the best way to
manage digital certificates for thousands of users
will be to house that information in a directory
that's more flexible than the typical directories
based on the Light-weight Directory Access
Protocol (LDAP).

WorldCom is also vigorously pursuing L2TP,
Taylor says. The ISP is expecting Cisco's first
draft of L2TP tunneling software this week.

What's ahead at GTE?

AT&T WorldNet and WorldCom Advanced
Networks may not today be offering VPN
services as advanced as those marketed by
Concentric Network, Epoch or TCG CERFnet,
but the two giants at least have formal offerings.
GTE Internetworking, one of the largest
business ISPs, has yet to introduce a VPN
service.

But expect that to change by year-end, says
John Summers, senior product manager at the
ISP. And for its VPN service, GTE
Internetworking is currently testing hardware
encryption devices that are believed to offer
users the highest level of security and
performance, says Greg Howard, senior analyst
at Infonetics, a San Jose, Calif.-based
consulting firm.

Compared to software-based encryption, such
as the type that GTE Internetworking is using
with its SitePatrol managed firewall services,
hardware can encrypt and decrypt data faster,
Summers says.

GTE Internetworking will also have an edge in
the digital certificate arena. Sister company
GTE CyberTrust is a digital certificate authority,
and GTE Internetworking plans to tie its
upcoming VPN service into GTE CyberTrust's
operations. That could make it easier for VPN
customers to manage thousands of digital
certificates.

But users should keep in mind they don't need
to wait for any of these ISPs to finish up their
testing. Epoch Internet and TCG CERFnet are
already using hardware encryption devices from
Red Creek, and both support IPSec and digital
certificates. Concentric Network also has a
VPN service based on VPNet's IPSec
hardware encryption devices.

Contact Senior Editor Denise Pappalardo