We've already showed you the original RFP sent to vendors and their responses. Now it's time to get down to the brass tacks and offer your our expert take on IPsec hardware solutions for ISP deployment to broadband-enabled SMBs.

Introduction by Lisa Phifer Core Competence, Inc. [June 13, 2001]

As any of you following this series may recall, we initiated this series early in April by issuing a Request For Proposal (RFP). After a long month of vendor emails and phone calls, we've gathered a small but impressive collection of RFP responses. Our RFP specified managed VPN requirements for IPRVnet—a fictitious regional ISP providing dial, dedicated, and broadband Internet access services to SMBs. We invited 40 vendors to respond to this RFP within three weeks.

A full quarter of those invited did not respond. Another three declined our invitation because they sold VPN software, not hardware. Four cited bad timing—product in redesign or not ready to evaluate. Eight did not see a good product fit or were unable to meet the RFP's mandatory requirements. Others lacked resources to respond at this time.

Our Take On The Turnout
What conclusions can we reach from this? Clearly, we set the bar too high for some. At the top of this list—mandatory remote monitoring and management. But we firmly believe this to be a realistic requirement for any managed service provider. We could also have included software or central-office VPN products. Instead, we opted to focus this series on apples-to-apples comparison of customer premises equipment (CPE).

Our three-week response period proved challenging during a busy tradeshow month. An extended deadline may have netted additional qualified responses. But, ultimately, we believe that insufficient resources and failure to reply are both market indicators. In today's economy, dot-coms and big guns alike are struggling for survival, doing more with fewer bodies and stretching dollars razor-thin. As the tech market shakes out, small VPN vendors are closing up shop or being acquired by large manufacturers with broad focus. Several vendors we contacted cited recent staff turnover or corporate (re)organization as a factor.

Nonetheless, this RFP accomplished its goal. The good news for our fictitious ISP? We ended up with four solid proposals that appear—at least on paper—to satisfy IPRVnet's requirements.

Our next step is to put these VPN products to the test. Our planned elimination phase of reader polling to further shrink the candidate list proved unnecessary. Therefore, the products proposed by NetScreen, RapidStream, Rebel.com, and SonicWALL will be evaluated in our lab this summer. These individual product line reviews will be published sequentially, culminating with a comparative series closer.

The responses
Now let's take a look at the RFP responses that satisfied our baseline criteria. We used three example customer networks to illustrate IPRVnet's target broadband-enabled SMB market. The solutions proposed these four RFP responses are summarized here. The full text of each RFP response is also available on-line, for your perusal—NetScreen RFP, RapidStream RFP, Rebel.com RFP, and SonicWALL RFP—respectively.

Each vendor supplied proposed configurations and component list prices. To enable rough comparison, we calculated the total list price of CPE and software for each scenario as follows.

Scenario 1: Low-tech small office with 10-25 employees
Vendors proposed low-end CPE to provide this small business with secure broadband Internet access. To secure remote administrator access, all recommended VPN client software, but most noted non-VPN options like SSL or SSH. In truth, SSL/SSH may be more cost effective in this particular scenario and we're pleased to see them mentioned. But given our focus, we'll calculate a list price for one gateway and one VPN client:

SonicWALL proposed the SOHO2 ($495 for 10 users or $995 for 50 users), a firewall appliance rated at 70 Mbps. With a VPN upgrade ($495), the SOHO2 supports 10 tunnels with 2.5 Mbps of 3DES-encrypted traffic. SonicWALL's VPN client for Windows runs $40-$75, depending on volume. We'd pitch the 50-user firewall to this customer.

Rebel.com proposed the NetWinder 3100 ($1795), a five-state proxy firewall that handles "hundreds of concurrent firewall connections." RebelConnect VPN (licensed from FreeS/WAN) supports 254 tunnels at 17 Mbps encrypted. Three licenses are included for RebelRemote ($999 for 10 users), a VPN client for Windows, Mac, and Linux.

RapidStream did not propose their entry-level RapidStream 500 ($695) because "a device that contains only 10 Mbps Ethernet interfaces sends a message to the customer that they are buying yesterday's technology." Instead, RapidStream suggested the RapidStream 1000 ($1995) with two 10/100 Ethernets and a high-availability port. The RSSA 1000 firewalls 500 sessions at 200 Mbps, or up to 10 3DES-encrypted tunnels at 50 Mbps. Five RapidStream Windows VPN clients ($75 when purchased separately) are included with the RSSA 1000.

NetScreen proposed the NetScreen-5 Elite ($995), a firewall, VPN, and traffic shaping appliance for trusted LANs up to 1000 sessions. This device can support 10 VPN tunnels with 3DES/SHA-1 performance of 2 Mbps (64 byte packets) and 13.3 Mbps (1600 bytes packets). This range demonstrates why one should never compare unqualified performance metrics—we're please to see a response that notes this. For remote access, NetScreen suggested its VPN client for Windows, NetScreen-Remote (from $95 for 10 users).