VPN

VPN Product Briefs: May 2000

• IPSec improvements provide interoperabilty
• Expanded managed VPN platform from WatchGuard
• New "policy-enforced networking" from RedCreek
• GlobalOne offers managed VPN services globally
• Security-management, partnerships from F-Secure

by Lisa Phifer VP Core Competence, Inc. [May 24, 2000]

Newly-Certified IPSec Products Improve Multi-Vendor Interoperability
During the first week of May, several VPN vendors announced successful certification of IPsec products, tested against new ICSA version 1.0A criteria. Version 1.0A raises the bar on ICSA's previous IPsec baseline by adding message integrity based on SHA1, additional identity requirements, the Encapsulating Security Payload operating in NULL mode, and further testing of association lifetimes, packet fragmentation, and message replay protection. "ICSA's criteria for this round of product testing is significantly more stringent than the last round and addresses more features," said George Japak, VP, ICSA Labs.

IPsec products now certified under Version 1.0A include Alcatel Fort Knox, Check Point VPN-1, F-Secure VPN+, IBM OS/400, IRE SafeNet/Soft-PK, Lucent VPN Gateway, Network Associates Gauntlet VPN, Newbridge PERMIT/GATE 2500/4500, RADGUARD cIPro Client and Gateway, and VPNet VPNware VSU 1010. Visit http://www.icsa.net/html/communities/ipsec/certification/certified_products/index.shtml for certified product version info, test results, and ongoing additions to this list.

Certification signals vendor commitment to interoperability, according to RADGUARD President Patrick McHugh. "The fact that both our VPN hardware and client software meet the rigorous ICSA.net criteria is further proof of our commitment to IPsec standards development, compliance and improvement." According to IRE VP Phil Saunders, improved interoperability can both cost and increase security. "Installation and operation of the VPN are smoother and more efficient with product interoperability, and this means more cost-savings for the enterprise. Of course, the security of the system is paramount; improved interoperability makes a higher level of security easier to implement."

Interoperability involves more than product support; it also requires compatible security policies and practices. To this end, ICSA runs the Internet Service Providers Security Consortium. According the ICSA, ISPSec was created to "develop and promote ISP-based best practices and security solutions to support the continued growth of Internet services and connectivity worldwide". Current members include America Online, AT&T Cerfnet, Cable and Wireless, Digex, GTE Internetworking, IBM Global, Level 3 Communications, PSINet, Qwest, Sprint, and MCI/Worldcom.

WatchGuard Expands Managed VPN Platform for Service Providers
WatchGuard's MSS (Managed Security Services) product line is being extended to reach teleworkers, small offices, and large enterprises within a single, common managed service infrastructure.

Today, managed security service providers like FastNet, Genuity, PSINet, Verio, and UUNET deploy WatchGuard's Firebox II appliance in three configurations ($4,995 - $12,990) designed to meet the needs of larger enterprises. Fireboxes at the customer premise are centrally-managed by providers using WatchGuard's Network Operations Center (NOC) Security Management Software, assisted by on-going LiveSecurityService software updates and security advisories from WatchGuard.

By 3Q00, WatchGuard expects to finish integrating two new low-end alternatives: the Firebox SOHO ($449, for small branch offices up to 50 users) and Firebox Telecommuter ($649, for workers at home connecting to the corporate network). Both new appliances provide firewall security, VPN, Internet sharing, and (home) office networking over DSL, cable modem, or ISDN connections.

John Summers, director of Genuity's VPN and Internet Security Services, says "We are pleased that WatchGuard is adding support for their new broadband Fireboxes. This will enable us to develop broadband security services that use the same MSS platform our NOC administrators have grown accustomed to with our current WatchGuard service."

RedCreek Adds Policy-Enforced Networking Support to VPN Products
This month, RedCreek will begin shipping a new VPN management solution called the RedCreek e-Director (ReD). ReD supports "policy-enforced networking" through centralized entry of network rules and policies, broken down by organizational unit and role. These policies are then mapped by ReD's inference engine into device configuration parameters. Parameters are automatically distributed to Policy Enforcement Points (PEPs) — the nodes within the VPN responsible for enforcing policies by authorizing access and protecting confidential data.

According to RedCreek, without a solution like ReD, policy changes can consume up to 40 percent of a network administrator's time. But with policy-enforced networking, updates can be made centrally and propagated throughout the network automatically, speeding the change process, promoting consistency, and reducing administrative cost. Admin costs skyrocket in large, distributed VPNs where ad-hoc single-system changes prove unworkable. The ability to express changes in business rather than technical terms (organizational policies rather than device parameters) further reduces cost.

ReD ($10K per server) can be used to manage VPN products that support the RedCreek Operating System (RCOS). New entries to the RedCreek product line include the RedCreek Ravlin 7200 and the RedCreek Personal Ravlin II. The Ravlin 7200 ($15,900, available 3Q00) will tunnel traffic at multi-T3/OC3 rates suitable for large enterprise VPNs. The Personal Ravlin II ($550, available this month) is designed for use by small offices or teleworkers with residential broadband (DSL, cable) connectivity.

New International Managed VPN Service Offered By Global One
Global One, member of the France Telecom Group, plans to leverage its global network infrastructure (1400 network access centers in 65 countries) as the backbone for a new Global Internet VPN Service.

Customers will connect to the new Global Internet VPN service using the public Internet or Global One IP, Frame Relay, ATM, or International Private Line services. IPsec 56 and 128-bit encryption will be used for data confidentiality; digital certificates will be used for strong authentication. As the managed service provider, Global One will be responsible for design, implementation, 24x7 monitoring, and help desk support.

"Global Internet VPN gives multinational businesses another innovative option for harnessing Internet technologies to meet their global communications needs," said Jack Ziros, Global One VP. By introducing Global Internet VPN, Global One joins the small group of top tier providers who now offer international managed VPN services.

F-Secure Announces Policy Manager, "Security As A Service" Partnerships
Last week at Networld+Interop, F-Secure (formerly Data Fellows) announced its new security management product, F-Secure Policy Manager.

With the addition of Policy Manager, F-Secure has now created a three-tier management architecture. Policy Manager Console provides an administrative interface. Policy Manager Server acts as the repository of configuration data. F-Secure Management Agents manage each host, under the Server's direction. Working together, this trio can manage the broad range of F-Secure products that implement anti-virus, distributed firewall, file encryption, and VPN services. Alarms can be forwarded to enterprise management systems, including those sold by Tivoli, HP, CA, and IBM.

The F-Secure Policy Manager is designed both for use by large enterprises and by ASPs/ISPs who provide "Security as a Service" to corporate customers. "Security as a Service" combines policy-based centralized management, smart cards, and PKI to create a managed security service suitable for outsourcing. In April, F-Secure announced that it would partner with Cisco Systems and iD2 Technologies to build "Security as a Service" VPNs in Europe. The first provider to implement this service will be Communication Valley, an Italian ISP.

 —End