News From Fall VPNcon
What comes to mind when you think of October? Fall foliage, crisp mornings, apple cider, candy corn, jack-o-lanterns, and VPNs. Okay, perhaps that last one wasn't on your list. But it's true: VPN news increases during the fall conference season, culminating at Fall VPNcon. This semi-annual conference held for three days (this year in Alexandria, Virginia, October 15 through 18) revolves around virtual private networking, with sessions ranging from VPN engineering challenges (high-speed/high-availability, transporting voice/video) to the impact of emerging technologies like wireless and MPLS on VPNs. At this week's event, a live exhibit net demonstrated "n-way" interoperability between products from VPNC members Adtran, Alcatel, Avaya, Enterasys, Nokia, and SafeNet.

Although subdued by the economy and recent events, speakers and vendors at VPNcon appeared to be trumpeting this message: debating whether VPNs can work or interoperate is passé. Let's focus on real deployment, creating integrated networks that leverage VPN technology. To hear the latest from the marketplace, I toured the VPNcon exhibit floor. Here are a few developments that caught my eye.

Asita Making Progress With LineSpeed

Asita entered the VPN market this summer by introducing the LineSpeed product family. At the low end, Asita sells enterprise-class CPE: the LineSpeed 100, designed to carry 1000 tunnels at 100 Mbps, and the LineSpeed 5, pushing 100 tunnels at 5 Mbps. At the high end, Asita produces two carrier-class switches. The GS is designed to handle 20,000 VPN tunnels at 1 Gbps aggregate throughput; the LineSpeed GS2 covers twice that ground.

Asita's latest GS release adds Virtual Router Redundancy Protocol (VRRP) for high availability. The GS can be outfitted with up to 8 "cartridges" that host security applications. VRRP allows for hot cartridge insertion/removal and fail-over from master to backup cartridge. Support for dynamic routing protocols like BGP, OSPF, and RIP further helps the GS route around network failures. The GS family is shipping now, priced from $75,000 to $325,000.

Asita also recently announced a partnership with eTunnels. eTunnels launched VPN-on-Demand last fall: a point-to-point software VPN service, managed from a central policy enforcement system. This partnership lets a VPNoD customer control eTunnels clients and Asita CPE from a single point.

Alone, these announcements are not remarkable. Together, they highlight the vast ground new players must cover to compete in this maturing market. Multi-vendor interoperability, high availability, and scalable management can no longer be deferred to a future release. Asita is hitting the deck running, hoping to catch, and surpass, those that took years to reach this point.

Global Crossing Combines IPsec And MPLS

Global Crossing's SmartRoute IP VPN applies IPsec tunneling and firewall filters at the network edge to protect and segregate traffic streams, prioritized by origin, destination, and application. Service level agreements define expected performance characteristics for Premium, Enhanced, and Basic classes, at speeds ranging from fractional T1 to DS3.

ExpressRoute IP VPN builds on the SmartRoute service. It uses MPLS to create customer tunnels across Global Crossing's IP-over-fiber backbone, guaranteeing very high bandwidth end-to-end. ExpressRoute incorporates usage-based billing, giving customers OC-12 capacity in a pay-as-you-use package.

Financially, leveraging the same transport for voice and data is attractive. Conceptually, VPNs make this possible. But VPNs are a tough sell for mission-critical, time-sensitive applications without QoS control on the backbone. On the other hand, some business data cannot be transported on public links without cryptographic protection. Combining IPsec and MPLS may satisfy both camps.

"We've created flexible, converged communications solutions that meet the rapidly evolving needs of our customers, whether they are streaming news, delivering video on demand, trading across borders, or conferencing to their desktops," said John Longo, a Global Crossing VP. "Because we own, operate, and manage the world's most extensive fiber optic backbone, we can take [customers] as far as they want to go, as fast as they want to get there."

According to Global Crossing, these IP VPN services are available in North America, Europe, Asia, Australia, Latin America and the Caribbean.

GRIC, Colubris Partner On Public Wi-Fi Hotspots

Starting at $2195, the Colubris CN3000 is a Wi-Fi access point with integrated firewall, routing, RADIUS authentication, and accounting features. The CN3000 also includes a VPN pass-through, letting wireless hosts use VPN clients to connect to a VPN gateway on the Internet; that is, back at corporate headquarters.

GRIC offers roaming Internet access in over 150 countries through more than 15,000 wired PoPs, owned by service providers in the GRIC Alliance Network. Members earn revenue from the Alliance for providing access to users with GRIC accounts. In April, GRIC launched a Global Broadband Wireless Alliance to make Wi-Fi access available to corporate travelers. Essentially, GRIC wants to extend its reach by adding wireless PoPs, continuing to operate as a financial clearinghouse between Alliance members, both wired and wireless.

VPN Meets Wi-Fi (Part 1): Trilogy and Bluesocket

Trilogy's AdmitOne IPsec and IKE software is designed for OEM use by device vendors and service providers. Trilogy works with companies like 3COM, Cisco, eTunnels, IndusRiver, Radguard, Spring Tide, and Symantec to customize AdmitOne, paring down options, incorporating vendor extensions, and creating a private brand "look and feel". AdmitOne clients are available for Windows CE, XP, ME, 2000, NT, and 95/98 platforms. AdmitOne server software runs on Red Hat Linux.

To showcase AdmitOne's versatility, Trilogy set up a small demo net consisting of Windows CE, XP, and 2000 clients, tunneling IPsec to a Bluesocket WG-1000 wireless gateway. XP and 2000 clients were connected over Wi-Fi to a NetGear access point. The WinCE client was connected to Ethernet, but will support 802.11b on PocketPC 2002 by year end. All three tunnels continued over Ethernet to the WG-1000.

Bluesocket's WG-1000 (available from $5995) runs AdmitOne for Linux. This gateway is designed to sit between wireless APs and a wired network, using IPsec or PPTP to authenticate users and prevent eavesdropping. Role-based access controls limit what users can do, for example, letting visitors access the Internet only, while granting open access to employees. The WG-1000 uses a proprietary solution to eliminate re-authentication as clients roam from subnet to subnet (WG to WG).

VPN Meets Wi-Fi (Part 2): Ecutel Viatores

Ecutel developed Viatores while working for the US Department of Defense to enable transmission of sensitive data between field soldiers. But Ecutel did not develop proprietary roaming protocols. Instead, Viatores uses standard Mobile IP to support public and private addresses, network traversal, location discovery, and triangular routing. It also uses standard IPsec tunnels and X.509 digital certificates for privacy and authentication.

Windows 95/98/ME/NT/2000 PCs equipped with Viatores Client software can move from wired to wireless LANs, or between wireless access points, without being reconfigured or rebooted. These Clients tunnel IPsec to a central Viatores Server. The Server is responsible for encryption, authentication, and relaying traffic to its destination, which may be another client or a destination on the home network.

The Viatores architecture includes three additional components: a Gateway, Relay Point, and Multiplexer. A Gateway sits outside the home network firewall, authenticating traffic relayed to the inside Server. Relay Points sit within foreign networks that Clients visit, routing visitor traffic back to the home network. Multiplexers traverse firewalls by tunneling inside HTTP, whose port is usually left open in enterprise firewalls. Together, these components let PCs roam around a Viatores-enabled network without interrupting secure sessions.

Ecutel claims that Viatores Clients can use many wireless LANs and WANs, including 802.11b Wi-Fi, Bluetooth, GPRS, NTT DoCoMo, GSM-Data, CDMA-One, HS-CSD, and Ricochet. Carriers offering multiple wireless services might recommend Viatores for mobility between services. Network integrators tasked with creating a wireless enterprise network might use Viatores as a platform. Watch for Viatores Client software to show up in mobile devices sold by partners HP and Matsushita. A Viatores Server, Relay, and Gateway setup starts around $10,000.

What I find most interesting about these "VPN meets Wi-Fi" stories is that IPsec and Wi-Fi are simply network infrastructure components. IP security and wireless access are fast becoming baseline requirements that every product must have. Increasingly, the challenging, innovative bits are how a product makes underlying platforms and networks transparent, enabling seamless roaming between them.