Virtual Opportunities -- Improving security and interoperability make VPNs attractive [ASND references]
techweb.com
Jackie Poole
July 20, 1998, Issue: 1415 Section: Technology -- Internet
A few years ago, virtual private networks (VPNs) appeared to be an easy way to connect remote users into a corporate network. Using a public network infrastructure, such as the Internet, VPNs were built with the value proposition that they would replace expensive leased lines and connect remote offices or users on the road.
Today, the value proposition is much greater, and VPNs are defined in broader terms. A VPN is recognized as a flexible means of communications that can be accessed from just about anywhere in the world and is extended beyond employees to include customers, suppliers and business partners for strategic business purposes.
VPN vendors have been very forward with the channel, and are actively recruiting VARs and service providers (SPs) to resell their VPN equipment and the services and access to go along with it. "Customers want a complete solution," vendors say. That demand for service expertise has really put VARs in the catbird seat: They will be able to choose from a variety of vendors, each proposing high-margin service models.
But it's not all good news. Allowing outsiders to access a corporate network opens a whole new can of worms. For many customers looking into VPNs, security issues bubbled up as their No. 1 concern, followed by interoperability (trying to get companies using VPN equipment from different vendors to work together).
Improving security and interoperability standards, however, has played a key role in stimulating VPN market growth, and although some customers remain hesitant, analysts say the market is poised to explode during the next few years. According to Infonetics Research Inc., San Jose, the VPN market was an estimated $205 million in 1997 -- including VPN products, systems integration and other services -- and is expected to grow more than 100 percent per year, through 2001, to $11.9 billion.
To get in on this projected boom, however, VARs will have to understand the different types of implementations and the issues that revolve around them. After familiarizing themselves with the nuances of each, VARs will be better prepared to choose their allies. The most important of these will be the SPs, which, although they look like the competition, should be considered for partnerships.
One easy way for VARs to get started in the VPN space is to identify a national service provider to work with, and follow its decision in VPN technology. Even then, it is important to understand the range of VPN implementations and their trade-offs first. Eventually, VARs may end up providing the front-line services, working at the customer locations, while the SPs sit on the edge of the network.
Understanding the Big Picture
Understanding the differences between implementations is key, says one analyst. "In some ways, the VPN market is a temporary market. It's not a long-term market for an individual device," says Maribel Lopez of Forrester Research Inc., Cambridge, Mass. "[These devices often] have a two-year window, at best. So, it's wise for VARs not to get too hung up on one technology; rather, they should have a couple of different options for different markets."
The three most common implementations for VPNs are software-only, dedicated hardware and hardware-assist. The decision to implement one over the other will depend on the applications to be run, the level of security and performance requirements.
Software-Only VPNs
While they have the lowest performance and security, as well as the lowest connection speed support, software companies such as Check Point Software Technologies Ltd. and Aventail Corp. make a pretty good case for software-only solutions.
"Being a software-only company means that we help pull other products for the channel," says Rob Spence, director of product marketing at Aventail. "The software needs a server to run on, so if a VAR is already selling a common box, all they have to learn is the software. They can then add their installation, configuration and maintenance/support services." It also gives companies with existing hardware infrastructures the opportunity to leverage their investments and dump the software right on top.
Dedicated Hardware VPNs
Of all three categories, dedicated hardware has the highest support. Performance is much better because processor-intensive functions such as encryption are supported by a particular piece of hardware.
Jeff Wilson, director of access programs at Infonetics Research Inc., San Jose, says in terms of mind share, some of the large traditional hardware vendors will be the ones to watch, including Nortel, Cisco Systems Inc., Bay Networks Inc. and 3Com Corp., all of which are going to grow their VPN strategies and be strong players during the next couple of years. They will either continue to roll out new technology or obtain it through acquisitions of other VPN companies.
Hardware-Assist VPNs
The last type of implementation falls somewhere between software-only and dedicated hardware, in terms of performance, security and the connection speeds it can support. Hardware-assist is essentially hardware that is added to an existing device to improve performance for VPNs. If performance is a concern, dedicated hardware is probably the best bet, but if a company already has an established hardware infrastructure, it may opt for a software solution instead, deciding to settle for limited performance or adding hardware-assist.
Over time, more VPN vendors appear to be moving to hardware/software combinations.
"Offering the combination is important, because the hardware is required to deliver VPN services at acceptable levels of performance. It is often preferred at centralized sites or service provider locations, then [VARs] use software for the remote users," explains Rick Kagan, vice president of marketing at VPNet in San Jose.
VPN Implementation
Now, just put all of those pieces together, add the management tools, global roaming services, and you'll be set, right?
It's obvious that in addition to understanding the range of hardware and software products, it's equally important to understand the different technical approaches to implementing a VPN. VPNs rely on their ability to "tunnel" data. Tunneling refers to the process of encapsulating protocols and data for transmission over an IP-based network, such as the Internet. There are three primary approaches to tunneling, which handles the point-to-point transmission of data encapsulated inside IP packets. They are: Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and IP Security (IPSec). The difference among the three is basically in the encryption and authentication, as well as the different layers they operate on in the 7-layer OSI network model.
Key attributes of tunneling technology are data encryption and user authentication. Encryption is responsible for maintaining data privacy through a series of complex mathematical transformations. Senders and receivers exchange the "keys" that lock and unlock the data at each end. Authentication is a way of knowing users are who they say they are.
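The encapsulation and authentication steps described above, as an added example that is not part of the original article: a whole private packet is wrapped in an outer IP header between two gateways and released at the far end only if a keyed tag verifies. It is a simplified IP-in-IP sketch, not the wire format of PPTP, L2TP or IPSec; the addresses, key, payload and function names are constructed, and the payload is authenticated but not encrypted.

```python
import hashlib, hmac, socket, struct

TAG_LEN = 32          # HMAC-SHA256 tag appended to the tunnelled packet
IPPROTO_IPIP = 4      # IANA protocol number for IPv4-in-IPv4 encapsulation

def checksum(header: bytes) -> int:
    """IPv4 header checksum: one's-complement sum of the 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options, TTL 64)."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)

def encapsulate(inner: bytes, gw_src: str, gw_dst: str, key: bytes) -> bytes:
    """Wrap a whole private packet in an outer header between two gateways."""
    body = inner + hmac.new(key, inner, hashlib.sha256).digest()
    return ipv4_header(gw_src, gw_dst, IPPROTO_IPIP, len(body)) + body

def decapsulate(outer: bytes, key: bytes) -> bytes:
    """Strip the outer header; release the inner packet only if the tag verifies."""
    ihl = (outer[0] & 0x0F) * 4
    if len(outer) < ihl + TAG_LEN or checksum(outer[:ihl]) != 0:
        raise ValueError("malformed outer header")
    if outer[9] != IPPROTO_IPIP:
        raise ValueError("not a tunnelled packet")
    body = outer[ihl:struct.unpack("!H", outer[2:4])[0]]
    inner, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, inner, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return inner

def demo() -> bytes:
    """Constructed sample: host 10.1.1.5 sends to 10.2.2.9 across the tunnel."""
    key = b"constructed-shared-key"
    data = b"payroll query"
    inner = ipv4_header("10.1.1.5", "10.2.2.9", 253, len(data)) + data
    outer = encapsulate(inner, "192.0.2.1", "198.51.100.1", key)
    assert decapsulate(outer, key) == inner
    return outer

if __name__ == "__main__":
    print(demo().hex())
```

On the public network only the gateway addresses in the outer header are used for routing; the private source and destination travel inside the tunnelled body.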
PPTP, the most commonly implemented standard, according to Infonetics' Wilson, was originally driven by Microsoft Corp. and Ascend Communications Inc. to work on Ascend hardware and Microsoft NT software. L2TP is the combined efforts of PPTP and Layer 2 Forwarding (L2F), a protocol supported by Cisco. IPSec has by far the largest following of vendors and is a general initiative to add security to the IP protocol. IPSec is already being implemented in the current IP protocol; the other two are in front of the Internet Engineering Task Force (IETF) for inclusion as well. Once the IPSec specifications are met by a VPN technology, it can become IPSec certified. IPSec is, essentially, a means of negotiating like security between different systems so that they can interoperate.
The IPSec initiative has garnered much attention and support because it is being driven by the Automotive Network Exchange (ANX), a large group of manufacturers and suppliers. The ANX pilot project, supported by the Automotive Industry Action Group, is a VPN pilot that enables auto makers to communicate with thousands of auto industry suppliers using an IPSec-based VPN. The ANX project ensures the VPN technology meets IPSec criteria and interoperates, as well as meets the automotive industry's business criteria. The ANX, essentially, provides a second level of accreditation for VPN vendors.
"The ANX is a proof point," says Wilson. "The further they go to test individual vendors and certify them, [the more] the enterprise will be sure to follow."
According to Infonetics Research, IPSec is the only standard of the three set up to go beyond remote access via tunneling, to support intranets and extranets and provide multiple tunnels -- providing simultaneous VPN and public access. Yet, PPTP and L2TP can be coupled with IPSec to support extranets and intranets, which provides additional support for data privacy and authentication.
Making the Right Choice
In order to make educated decisions about these different implementations, companies will be turning to the channel, seeking consultation, installation and the ongoing services from VARs and SPs.
The VAR/SP partnerships may still be in the gestation period, but soon enough, SPs will be looking for the integration piece VARs are well-equipped to provide. In addition, SPs will want to leverage VARs' experience in buying networking hardware in mass quantities, storing it and selling it, says Wilson. SPs will be good at getting the connection in place.
"At the end of the day, the AT&T and UUNets of the world want to sell customers a pipe," agrees Forrester's Lopez. "But selling a pipe with VPN attributes is much more sexy. They don't really want to reach out and touch the enterprise side too much. If anything, a service provider might drop a box on the edge of the network and manage it," she says. SPs will look to VARs to deal with users and help customers define their security.
VPNet's Kagan concludes that selling VPNs has changed over the years. Rather than selling VPNs for their cost savings, his company focuses on specific value propositions, appealing to the marketing, sales and operations departments, as well as senior management in an organization, rather than to the IT community. "To the IT community, VPNs represent new challenges and risks, so we highlight the strategic opportunities from a business point of view," says Kagan. "What's nice is that the cost savings helps get the purchase orders signed off faster."
-Quick Scan
Aventail Corp. Seattle, Wash. (206) 215-1111, www.aventail.com
Check Point Software Technologies Inc. Redwood City, Calif. (650) 628-2000, www.checkpoint.com
VPNet Technologies Inc. San Jose, Calif. (408) 445-6600, www.vpnet.com
---
Sidebar-
VIRTUAL PRIVATE NETWORK PRIMER
IPv6 (Internet Protocol Version 6): The next generation of the IP network protocol in TCP/IP. It was developed by the Internet Engineering Task Force (IETF). IPv6 was designed to fix shortcomings in the previous version (IPv4), such as data security and maximum number of user addresses, which are expected to run out within the next 10 years or so.
IPSec (IP Security): A security protocol from the IETF that provides authentication and encryption over the Internet. Unlike SSL, which provides services at Layer 4, IPSec works at Layer 3. IPSec is supported by IPv6.
PPTP (Point-to-Point Tunneling Protocol): A protocol that encapsulates other protocols for transmission over an IP network. Due to its RSA encryption, PPTP is also used to create a virtual private network (VPN) within the public Internet. Remote users can access their corporate networks via any ISP that supports PPTP on its servers.
L2TP (Layer 2 Tunneling Protocol): A protocol from the IETF for creating virtual private networks (VPNs) over the Internet. It supports non-IP protocols such as AppleTalk and IPX, as well as non-IPSec security protocol. It is a combination of Microsoft's PPTP and Cisco's L2F technology.
SSL (Secure Socket Layer): The leading security protocol on the Internet. When an SSL session is started, the browser sends its public key to the server so that the server can securely send a secret key to the browser. The browser and server exchange data via secret key encryption during the session.
---
Sidebar-
Six New Revenue Service Opportunities For Service Providers
1. Sell basic Internet access and bandwidth; the enterprise customer handles all VPN products and operations.
2. Sell business-quality Internet or IP network services; the enterprise customer handles all VPN products and operations.
3. Sell compulsory VPNs embedded in point of presence (POP) equipment.
4. Offer VPN hardware and software bundles with VPN bandwidth and services.
5. Design a customer's VPN solution.
6. Operate the total VPN solution for the customer, including design, equipment installation, service and help desk support (100 percent outsource).
Copyright (c) 1998 CMP Media Inc.