
Survey of Managed Security Service Providers:
Managed VPN

ISP-Planet's biennial survey of MSSPs finds that VPN offerings are becoming more popular and include more features than ever before.

by Lisa Phifer
VP Core Competence, Inc.
[May 23, 2003]

Managed VPN Services have finally reached parity with Managed Firewalls—this year, we have roughly the same number of participants in each category, including a few Managed VPN providers that do not offer Managed Firewall services. Many VPN offerings can still be purchased as firewall add-ons, but several providers now sell firewall-resident and VPN-centric services as separate offerings.

As before, we asked providers to identify both site-to-site (S2S) and remote access (RA) VPN services. S2S VPNs interconnect branch offices, while RA VPNs tie in travelers and teleworkers.

Three providers mentioned Extranet add-ons or appliances—far fewer than in 2001. However, four providers told us all about their Network-Based (NW) VPNs. Like network-based firewalls, NW VPNs are delivered from an IP switch at the edge of the provider's network.

Most VPN services are still CPE-based, but network-based VPNs hold promise—particularly for site-to-site applications that require QoS control.

Once again, MSSPs identified CheckPoint and Cisco as common S2S VPN platforms. CheckPoint SecuRemote, Nortel Contivity, Cisco 3000 and SafeNet's VPN client appear in several RA VPNs. This year's survey also includes a couple of MSSP-specific appliances (Aventail, SecurePipe) and an ASP-hosted RA VPN service (Expertcity). For more information about VPN platforms, see the two-part table.

We asked providers for supported tunneling protocols, encryption algorithms and message integrity algorithms. Most support IP security (IPsec) for S2S VPNs or Multiprotocol Label Switching (MPLS) for NW VPNs. A surprising number of RA VPNs also support the Point-to-Point Tunneling Protocol (PPTP) or the Layer 2 Tunneling Protocol (L2TP). The new kid on the block appears to be SSL (Secure Sockets Layer), used by RA VPNs.

The old Data Encryption Standard (DES) and more-current 3DES are still the most common ciphers, but several providers already support the new Advanced Encryption Standard (AES). The RC4 cipher is widely used with SSL and PPTP. Message Digest #5 (MD5) and Secure Hash Algorithm #1 (SHA1) were the most common integrity algorithms.

Support for user authentication methods, databases and customer integration proved far more diverse. As expected, many MSSPs support username and password (uname/pass) authentication for RA VPNs and Pre-Shared Key (PSK) authentication for S2S VPNs. Public Key Infrastructure (PKI), digital certificates and RSA SecurID tokens had a strong turnout—perhaps a good sign that weak passwords will someday fade into oblivion. Many providers support user authentication against Remote Authentication Dial In User Service (RADIUS) or Lightweight Directory Access Protocol (LDAP)—this can ease integration with user databases that RA VPN customers already have. A few providers offer hosted authentication (PKI, RADIUS) services as VPN add-ons.

A well-defined procedure for making policy updates may be even more important for VPNs than for firewalls. VPN configurations are complex, include sensitive credentials, and often span hundreds or thousands of RA users. User adds, changes and deletes must be implemented in near real-time. Some MSSPs allow customers to make changes like defining group permissions and populating groups with users. Another RA VPN challenge involves client installation and configuration. Many MSSPs said the customer is responsible for this, while others provide self-installers, helpdesk support or try to avoid client software altogether. In short, RA VPN services vary quite a bit, so look closely at what you get for your buck.

Finally, we asked these providers to describe report and log interfaces, SLAs, and service add-ons. SLAs were often the same as for managed firewall services. We also asked whether VPN services were capable of supporting video or Voice over IP (VoIP) traffic (see Comments in the chart). Support does not mean that VoIP comes with the VPN—it means that if your company uses VoIP, you may be able to send that traffic between sites.

Next week, in Part 4, we will discuss managed intrusion detection systems (IDS), anti-virus, and filtering offers from the managed security service providers who participated in our survey.

—End

Related articles:
  [Jan. 4, 2002] VPN RFP Lab Eval: Final Thoughts
  [Nov. 29, 2000] The Remote Access Conundrum Part 1: Extended Authentication
  [May 2, 2000] We Need a Public Key Infrastructure

Online resources:
  MSSP Chart
  VPN Chart Part 1
  VPN Chart Part 2

 

 
