Posted: 04/2000

VPN Users Migrate
to Managed Services
By Brian Schulz

Enterprise e-business opportunities are driving demand for flexible and secure wide-area communications. New requirements are wrapped with Internet connectivity and IP networking advances that include guaranteed quality of service
(QoS) and service level agreements (SLAs) networkwide.

With these capabilities, IP-based virtual private network (VPN) service is proving to be a key solution for business connectivity.

Analysts predict that enterprise customers will spend more than $14 billion annually on VPN equipment and services by 2003. According to late 1999 market research by TeleChoice Inc.
(www.telechoice.com), one-third of the companies that rely on WANs already use VPN services either in production or in trials. Across the board–from organizations with three networked sites to multinational companies with 50,000 mobile users–enterprise customers are choosing IP-based VPNs for their
WANs.

VPNs will proliferate because they simplify the escalating network mission. With customers, suppliers and remote users, or business partners anywhere, the need for companies to exchange information is growing beyond the scope of traditional network solutions.

The mission also is growing larger than many companies will be able to handle effectively. The full benefits of the Internet and VPN solutions not always are achieved easily by the enterprise alone. The networking scope, scalability, and infrastructure needed to support such service and administer it is often more than an enterprise can invest in or manage.

Do
It Yourself or Not

Consider that TeleChoice has found outsourcing is the No. 1 change that today’s roll-your-own VPN managers have planned. Many early adopters are deciding they would rather use managed services. Roughly 3:1 in 1999, the split between homegrown and outsourced VPN service is narrowing as managed VPN growth doubles during the next 18 to 24 months, according to TeleChoice.

Large corporations have the staff and resources to deploy VPNs and test them on their own. They want the security and control of a self-managed solution, knowing that orders will be executed on command.

Graph: Worldwide VPN Opportunity and Managed Services Growth

However, two factors can influence the production-migration of parts or all of the VPN solution to a managed service provider.

First is the burden and distraction from core business that global networking imposes on an enterprise. Some of the largest customers choose VPN outsourcing because they can’t maintain the infrastructure that

e-business requires.

Second, there’s greater choice than there was 12 months ago. Providers now offer nationally and internationally on-net VPN service across carrier backbones, with guaranteed wide-area performance and, in some cases, end-to-end SLAs.

VPN Solution Considerations

It’s important to note the difference between premises-based and network-based VPN services. A premises-based solution includes CPE that allows end-to-end security and performance management. A network-based VPN is provisioned mainly by equipment at the service provider’s point of presence (PoP), and does not provide equivalent guarantees over the last mile.

Some customers want a managed service that leaves hardware out of the enterprise; they don’t want to maintain closet space for the gear, and will trade end-to-end control for the simplicity of a network-based solution. However, a fully secure VPN with robust SLAs and QoS will demand a premises-based solution.

The key differentiator of a VPN platform is whether it allows customer-shared control. The ability to carve an IP network into unique customer-managed zones and to extend granular administrative privileges is not found in all VPN platforms or service architectures.

Equally important are VPN SLAs that ensure network application needs will be met.

SLAs should cover individual links and overall performance among all of a customer’s sites. Likewise, QoS capabilities must be ubiquitous to support end-to-end business applications.

Because VPN hardware separates sensitive data and networking resources from hostile networks, a VPN product must be as strong as a firewall. The service platform should include a tightly integrated ICSA-certified firewall, not “firewall filters” or “access control lists.” It should be manageable with other enterprise firewall and intrusion detection systems. For strong user authentication, the platform should support SecurID tokens or X.509 digital certificates.

Avoid using general-purpose operating systems as a foundation for VPN devices. And don’t be sidetracked with proprietary security technologies or transitioning promise. The IP Security (IPSec) standard is approved, tested and being used fully to support large-scale business VPN solutions.

Other key attributes to look for in an end-to-end VPN architecture include:

Multiple CA Support: Support for multiple CAs (such as Entrust and VeriSign) allows net managers to select the best of breed in Public Key Infrastructure (PKI) technology.

Hardware-Accelerated Encryption: The processing required to perform encryption and decryption is intensive. For high-speed applications (e.g., T3), the service platform should feature hardware-accelerated encryption. For lower speed applications, software-based encryption may be suitable.

Scalability: Most customers face increasing and changing networking needs, so the ability to grow a VPN without wholesale hardware/software replacement is important. The architecture should support hundreds of VPN gateways and routers, and thousands of VPN clients.

VPN Router or Gateway?: VPN tunneling, encryption and firewall functionality can be added to legacy infrastructure through a low-cost VPN appliance, or gateway. Some providers use gateways for managed firewall services that can be grown into full-service VPNs. Gateways also can be used to overlay VPN security in existing IP networks.

A purpose-built VPN router is at the core of any large-scale VPN solution. Fully integrated, multiservice VPN routers that can support all network options are the foundation of enhanced IP services.

Customer Control Is Key

The managed VPN debate within organizations frequently boils down to control over network policy. Enterprise customers want to define and maintain control over their bandwidth utilization, network access and security policies. The service provider assumes network and protocol management responsibility, but if the enterprise can’t design policies for the provider to implement, the solution remains do- it-yourself.

The enterprise should be able to define any range of security relationships among its users while the service provider maintains a secure VPN that tracks those relationships and enforces them.

Since one strong VPN selling point is easy accommodation of new users and business connections, customers expect to configure access privileges themselves and to manage the bandwidth that their users consume.

Scalability is a key challenge of VPN security management. Deploying and managing a large number of security definitions across a variety of site-to-site and remote access configurations can be complex and unwieldy.

IP security expertise is essential and hard to come by. In global applications, VPN managers will run into cryptographic export quandaries. Deploying and managing VPN client software for hundreds or thousands of remote users is another challenge.

The skills required to meet these challenges are difficult. Hiring and retaining IP security experts also is expensive and difficult..

In its survey, TeleChoice found the leverage gained through outsourcing yields roughly 15 times greater staff power. The ratio of support staff to users in self-managed VPNs is 1:150, but will reach 1:2,300 in outsourced
VPNs.

VPN Service Provider Requirements

The ability to deliver policy-based VPN services that the customer can administer is crucial to service providers. A few years ago, all VPN service, was either roll your own or difficult and slow to configure when enterprise requirements changed. The difference in today’s IP-based VPN service is its easy extension of customer control.

Two enablers bring this improvement. The first is centralized policy management. By distributing VPN configuration and security policies holistically but controlling them centrally, policy management greatly simplifies VPN provisioning and administration. Services are no longer provisioned box by box–providers instead can deliver a broad mix of managed services over the same

policy-managed VPN infrastructure.

The second enabler is VPN system design that permits customer joint management of network resources. VPN equipment allows IP networks to be carved into distinct customer security zones that can each be flexibly administered without affecting other customers on the service provider’s network.

The network can be administered directly to accommodate daily changes without depending on the service provider’s help desk for reconfiguration. Bandwidth can be monitored and managed according to SLAs, yet the burdens of deployment and network routing/security management are removed.

Brian Schulz is the managing director of VPN products for Lucent Technologies Enterprise WAN Systems Group
(www.lucent.com). He can be reached at [email protected].