Internet.com ISP-Planet
MSSP Survey Part 3, Page 2:
Managed Site to Site VPN Services

by Lisa Phifer
VP Core Competence, Inc.
[January 11, 2005]

Managed Site to Site VPN Services
Most of the MSSPs participating in this year's survey offer one or more Managed S2S VPN services to securely interconnect corporate sites and branch offices (see table). Absent from this list are Aventail and Fiberlink, who focus on connecting individual users to VPN resources (see RA VPN).

The S2S VPN services in this year's survey are CPE-based and access link-independent, except where noted in our chart. ClearPath, Globix, MCI, and VigilantMinds offer network-based S2S VPNs in addition to CPE-based services. In a network-based VPN, no VPN gateway is installed at the customer's site. Instead, traffic rides an access link to the provider's Point of Presence (POP), where a VPN router or switch funnels traffic onto a core network.

MPLS VPNs are usually network-based, and often (but not always) require purchasing access links from the VPN provider. For example, MCI's network-based offering permits limited use of third-party access links, but associated VPN Service Level Agreements begin at the point of demarcation between outside links and MCI-owned/managed network resources.

MPLS VPNs made their first appearance in our last survey, offered by 18 percent of participants in 2003 and 22 percent in 2004. Our small sample mirrors recent market research from Infonetics, which projects that MPLS VPN service revenue will grow gradually from 13 percent in 2003 to 20 percent in 2008. In short, MPLS VPNs are now readily available for enterprises that need high-performance and QoS management, but are not yet "taking over" the S2S VPN market. Many MSSPs will continue to offer IPsec S2S VPNs, both to SMBs who either don't need or don't want to pay for QoS, and to enterprises that want both QoS and cryptographic protection.

In past surveys, we asked MSSPs for one response covering both S2S and RA VPNs. This year, we requested separate S2S and RA VPN responses to differentiate between encryption ciphers, authentication methods, and tunneling protocols supported by each. MSSPs offering separate S2S and RA services, particularly on different platforms, had little trouble with this request. But a few MSSPs provided RA details in S2S responses—for example, listing interactive user authentication methods. In such cases, a single VPN service may support both gateway-to-gateway and user-to-gateway tunneling, but it is still important for customers to understand which capabilities can and cannot be used between peer VPN gateways.

Most participants now offer more than one kind of S2S VPN gateway/router/appliance. Several noted that VPN capabilities depend on the selected hardware platform; it is thus important to pick a platform that meets your company's requirements. For example, customers faced with regulatory requirements for strong security may prefer using AES encryption and certificate authentication between peer VPN gateways. We were pleased to see growing AES support, and more on the way in 2005, although frankly we had expected widespread AES by now. 3DES support is universal, but half still offer DES for customers who request it.

For S2S VPN authentication, we found more dramatic improvement. Digital certificates are now supported by all but one S2S VPN provider; even that MSSP generates new IKE Pre-Shared Keys (PSKs) daily. Why does this matter? Site-to-site VPN tunnels are (in principle) always up, giving an attacker time to brute-force-guess your PSK. You can reduce risk by using complex PSKs, but using certificates instead is more failsafe. However, certificates must be issued by a trusted Certificate Authority (CA), and that can be a deployment barrier. Fortunately, all but four participating MSSPs can generate certificates for VPN customers; several support both provider and customer-generated certs (of interest to enterprises with their own PKI).
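The cipher and authentication criteria from the two paragraphs above can be checked mechanically against a tunnel inventory. The following is an added example, not part of the original survey or any MSSP's tooling; the inventory format, finding codes, and the entropy and key-age thresholds are assumptions chosen for illustration.

```python
import math
import string

# Constructed sample inventory; tunnel names, field names and values are hypothetical.
TUNNELS = [
    {"name": "hq-branch1", "cipher": "des", "auth": "psk",
     "psk": "vpn2005", "psk_age_days": 400},
    {"name": "hq-branch2", "cipher": "3des", "auth": "psk",
     "psk": "q7#Lw9!xTz2&Rk4pVb8@Hn6m", "psk_age_days": 1},
    {"name": "hq-dc", "cipher": "aes256", "auth": "cert"},
]

MIN_PSK_BITS = 80      # assumed policy threshold, not from the article
MAX_PSK_AGE_DAYS = 90  # assumed rotation limit, not from the article
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def psk_entropy_bits(psk):
    """Upper bound on guessing cost: length * log2(alphabet size in use).
    Real keys built from words or patterns are weaker than this figure."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in psk))
    return len(psk) * math.log2(pool) if pool else 0.0

def audit(tunnel):
    """Return finding codes for one gateway-to-gateway tunnel definition."""
    findings = []
    cipher = tunnel["cipher"].lower()
    if cipher == "des":
        findings.append("weak-cipher")      # DES: 56-bit key
    elif cipher == "3des":
        findings.append("prefer-aes")       # offered by all, but AES is the stronger choice
    if tunnel["auth"] == "psk":
        # An always-up tunnel gives an attacker time to guess, so the key
        # must be both hard to guess and regularly replaced.
        if psk_entropy_bits(tunnel["psk"]) < MIN_PSK_BITS:
            findings.append("psk-low-entropy")
        if tunnel["psk_age_days"] > MAX_PSK_AGE_DAYS:
            findings.append("psk-stale")
    return findings

if __name__ == "__main__":
    for t in TUNNELS:
        print(f"{t['name']:12} {', '.join(audit(t)) or 'ok'}")
```

The entropy figure is a ceiling that assumes randomly chosen characters, so a key that passes the threshold still needs to come from a random generator rather than a memorable phrase.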

Of course, AES and certificates only matter to customers who need them. More essential is whether a given service is capable of supporting your company's security and performance needs. As discussed in Parts 1 and 2, purchasing a Managed Security Service means engaging a business partner who can work with you to understand and implement your policies. As such, we asked each MSSP to describe their procedures for changing S2S VPN policies and providing customer visibility into VPN events. Many VPN responses were similar (even identical) to firewall responses, with a few interesting differences. For example, MCI offers standard (Concord eHealth) and add-on (CircuitView) reporting capabilities for its network-based VPN service. Securalis offers 75 VPN reports with its S2S service. AT&T optionally provides its customers with SNMP access to VPN routers.

We asked providers if each S2S VPN service could support Video or Voice over IP (VoIP)—this year, most said "yes," although several noted that performance varies by platform and network. For example, MCI offers an integrated IP Centrex service, and RedSiren made a point of telling us that their S2S VPN service is designed for resilient VoIP, usually after evaluation of each customer's environment. If your company is considering multi-site VoIP, ask your MSSP for reference customers now using their VPN services for VoIP.

Finally, we asked providers to enumerate VPN add-ons: four mentioned VPN load balancing, five offer VPN High Availability, and many offer additional security and/or network services. Load balancing and HA are essential to larger enterprises, but should be considered by any company with mission-critical VPN tunnels. Security/Network service bundles can reduce total cost, provide integrated management, and simplify trouble-shooting, but you may not find everything you need, everywhere you need it, if you lock yourself into just one provider.
