Self-Service Sign-up
The VPN-On-Demand provisioning system, hosted by eTunnels, offers three
management interfaces:
A web wizard automates customer sign-up.
A VPN management portal lets the customer manage his own account.
A subscriber management portal lets the provider manage customer
accounts.
According to Sirota, "We let our channel partners decide what level of
control they want. They can do provisioning themselves, or they can push
it back to their own customers and allow self-service VPN setup." The
web wizard is customized for each partner; options include branding, 128-bit
SSL, and IP address restrictions.
For customers, self-service sign-up with the web wizard (right)
is a simple, 5-step affair.
Create a new account by supplying the company name and administrative
password. Give the new VPN a name. Then add VPN clients and servers.
Other VPNs, clients, and servers can be added later, using the VPN
management portal.
The final phase, activation, is the only step that requires
any installation effort (see Provisioning Customer VPNs).
According to Sirota, a hosted service with self-enrollment makes it easy
for channel partners to complement existing products with VPN-On-Demand.
"A number of providers already have their own VPN solution for site-to-site.
We don't really want to displace that. We want to make it easy to add a
new solution that meets a different need."
Managing Subscriber Accounts
The eTunnels subscriber management portal is a secure website through
which channel partners can view and manage active customers, VPNs, clients,
and servers. Using this portal, subscribers can define macro-level security
policies, view network status, and create usage reports for billing.
"Our centralized monitor provides alert windows and full reporting,"
said Sirota. "In release 1.0, we provide high-water mark notifications
on usage. In our 2.0 release, we've added more reporting and alerting
functionality to eNS. Down the road a bit, we want to add support for
certificates and intrusion detection." Also on the long-term wish list:
an XML-based interface to facilitate integration with back-end provisioning
systems.
Provisioning Customer VPNs
Privately-branded VPN management portals, hosted by eTunnels, allow providers
and their customers to create new VPNs and manage existing VPNs (below).
In release 1.0, VPNs are simply collections of Internet-reachable
clients and servers. Every VPN member must have a public address,
or a private address mapped to a public address with 1:1 NAT. In
release 2.0, NAT compatibility is expanded with IPSec AnyWare, UDP
encapsulation that tunnels through any NAT/PAT device.
Why is this important? Address translation can play a significant
role in site-to-site or Extranet VPNs, environments in which
IPsec tunnels may terminate behind a firewall or access router performing
NAT/PAT.
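As an added illustration (not code from this article or from eTunnels), the following toy Python model shows why bare ESP is a problem behind a PAT router and what UDP encapsulation buys: the router can only key its translations on TCP/UDP ports, so two inside hosts sending ESP (IP protocol 50) cannot both be tracked, whereas UDP-wrapped ESP gets a distinct external port per host. The UDP port 4500, the addresses and the one-passthrough-host behaviour are constructed assumptions, not details of the AnyWare scheme.

```python
from dataclasses import dataclass
from typing import Optional
ESP, UDP = 50, 17  # IP protocol numbers; bare ESP carries no port numbers at all

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for bare ESP
    dport: Optional[int] = None
class PatDevice:
    """Constructed model of a NAT/PAT router that can only rewrite TCP/UDP ports."""
    def __init__(self, public_ip: str):
        self.public_ip, self.next_port = public_ip, 40000
        self.port_map: dict = {}                # external port -> (inside ip, inside port)
        self.passthrough: Optional[str] = None  # the one inside host allowed for portless ESP

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto == UDP:                    # ports give PAT a key per inside host
            ext, self.next_port = self.next_port, self.next_port + 1
            self.port_map[ext] = (pkt.src, pkt.sport)
            return Packet(UDP, self.public_ip, pkt.dst, ext, pkt.dport)
        if self.passthrough not in (None, pkt.src):
            return None                         # second ESP host is indistinguishable: dropped
        self.passthrough = pkt.src
        return Packet(ESP, self.public_ip, pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto == UDP and pkt.dport in self.port_map:
            ip, port = self.port_map[pkt.dport]
            return Packet(UDP, pkt.src, ip, pkt.sport, port)
        if pkt.proto == ESP and self.passthrough:
            return Packet(ESP, pkt.src, self.passthrough)
        return None

def clients_reaching_peer(pat: PatDevice, clients, udp_encapsulated: bool) -> set:
    """Send one ESP exchange per inside client and return those whose reply came home."""
    peer, home = "203.0.113.5", set()           # documentation-range address, constructed
    for c in clients:
        out = (pat.outbound(Packet(UDP, c, peer, 4500, 4500)) if udp_encapsulated
               else pat.outbound(Packet(ESP, c, peer)))
        if out is None:
            continue
        reply = Packet(out.proto, out.dst, out.src, out.dport, out.sport)
        back = pat.inbound(reply)
        if back is not None and back.dst == c:
            home.add(c)
    return home
```

Real routers vary: some can demultiplex bare ESP by SPI, but many carry at most one such tunnel, which is why an encapsulation that rides on UDP ports traverses NAT/PAT devices generally.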
Clients and servers are also managed through this portal. Clients
(users) are defined by name, email address, and password (right).
Servers are configured in a similar fashion. Compared to most other
VPNs, VPN-On-Demand requires very little configuration. This is
due to eNS automation, and to some major simplifying assumptions.
In release 1.0, a single confidentiality and addressing policy
must be applied to the entire VPN. All VPN members are authenticated
by the same method (login/password) and granted the same access.
And the tunnel topology is always full-mesh.
These assumptions are reasonable for small businesses with basic
security policies, but may not satisfy larger enterprises.
For example, many companies use token authentication for remote
access and will require strong authentication for Extranets, too.
Some companies may want to limit VPN access to specific protocols: web
access to an Extranet server, email access to an Intranet mail server.
These are the details that tend to complicate VPN provisioning
with other products. VPN-On-Demand 1.0 provides simplicity at the
expense of flexibility.
The final step, activation, involves installing software
on every client and server PC (left). Server software must
be downloaded and installed by the administrator.
For clients, end-user installation is also supported. With this option,
VPN-On-Demand delivers a one-time-access URL to the client's email address.
This URL leads to a secure web page that supplies the user with a name,
password, and instructions for software download. Providers that opt for
fast, distributed self-activation should also take steps to ensure these
mail messages are not intercepted.
In release 2.0, the eNS will push software updates to activated clients.
"This feature can be turned off if the provider or customer does not want
updates installed automatically," said Sirota. "Basically, we don't want
to intrude on either the provider or customer administrator's control."