If you think choosing one of the big ISPs is the safe way to get the latest and greatest in virtual private network (VPN) services today, you're mistaken.
Smaller, lesser-known national ISPs are showing they're more nimble than their giant counterparts and are already supporting some of the latest twists in VPN technologies. Companies such as Concentric Network, Epoch Internet and TCG CERFnet have deployed new tunneling capabilities, digital certificates and other features that give customers faster, more secure VPNs.
But the big boys aren't lying down just yet. Three of the top ISPs - AT&T WorldNet, WorldCom Advanced Networks and GTE Internetworking - are testing some of the latest VPN tunneling and security protocols that will be deployed in next-generation VPN services.
IP-based VPNs offer corporations private network capabilities, but they use carrier Internet facilities for transport. While VPNs promise cost savings and flexibility, performance and security are key issues for corporate buyers.
Glenn Botkin, intranet manager at Galaxy Scientific, an Egg Harbor Township, N.J., engineering firm, says users are waiting anxiously for ISPs to bring secure, robust VPN services out of the labs and into their product portfolios. "We want a provider to come to us with a complete VPN package, and I don't feel any ISP has that today," Botkin says.
ISPs at work
But large companies are working to address Botkin's complaint.
AT&T, for instance, is currently testing a variety of new technologies, including the Layer 2 Tunneling Protocol (L2TP), the Point-to-Point Tunneling Protocol (PPTP), Internet Security (IPSec) and digital certificates, with some of its customers, says Ed Nalbandian, a managing partner for AT&T's Managed Network Solutions division. These tests are expected to result in improved WorldNet VPN services that offer users stronger encryption and better network performance.
AT&T WorldNet's VPN service, introduced late last year, supports TCP tunneling, which is not the most efficient means for shuttling private corporate data over the Internet. TCP tunneling adds more overhead to IP packets than other tunneling protocols, including PPTP, which is more popular today than TCP tunneling.
As a first step toward improving its VPNs, Nalbandian says AT&T will deploy L2TP tunneling support next. L2TP is a pending IETF specification that combines technology from PPTP and Cisco Systems' Layer 2 Forwarding (L2F) protocol. One of the benefits of L2TP is that it can support multiprotocol traffic.
While AT&T is also testing IPSec, Bob Schroder, product manager for IP services at AT&T WorldNet, says more work still needs to be done to ensure the protocol doesn't bog down networks.
IPSec, also a pending IETF specification, defines how to encrypt IP packets carried over a secure tunnel through a public or private IP network. IPSec uses a powerful 164-bit key encryption algorithm based on the Digital Encryption Standard (DES).
The specification supports the use of digital certificates based on the X.509 Version 3 standard. Digital certificates are based on public and private keys, and are typically issued by certificate authorities such as banks or other trusted institutions. These certificates authenticate users trying to access information across the VPN.
WorldCom's plans
WorldCom Advanced Networks expects to support digital certificates next year, but is waiting for Cisco Systems' and Microsoft's Active Directory platforms to become available, says Skip Taylor, group manager for remote access services at WorldCom Advanced Networks.
Cisco Networking Services for Active Directory (CNS/AD) is expected to store information about applications, users, routers and switches. Taylor believes the best way to manage digital certificates for thousands of users will be to house that information in a directory that's more flexible than the typical directories based on the Lightweight Directory Access Protocol (LDAP).
WorldCom is also vigorously pursuing L2TP, Taylor says. The ISP is expecting Cisco's first draft of L2TP tunneling software this week.
What's ahead at GTE?
AT&T WorldNet and WorldCom Advanced Networks may not be offering VPN services today that are as advanced as those marketed by Concentric Network, Epoch or TCG CERFnet, but the two giants at least have formal offerings. GTE Internetworking, one of the largest business ISPs, has yet to introduce a VPN service.
But expect that to change by year-end, says John Summers, senior product manager at the ISP. And for its VPN service, GTE Internetworking is currently testing hardware encryption devices that are believed to offer users the highest level of security and performance, says Greg Howard, senior analyst at Infonetics, a San Jose, Calif.-based consulting firm.
Compared to software-based encryption, such as the type that GTE Internetworking is using with its SitePatrol managed firewall services, hardware can encrypt and decrypt data faster, Summers says.
GTE Internetworking will also have an edge in the digital certificate arena. Sister company GTE CyberTrust is a digital certificate authority, and GTE Internetworking plans to tie its upcoming VPN service into GTE CyberTrust's operations. That could make it easier for VPN customers to manage thousands of digital certificates.
But users should keep in mind they don't need to wait for any of these ISPs to finish up their testing. Epoch Internet and TCG CERFnet are already using hardware encryption devices from Red Creek, and both support IPSec and digital certificates. Concentric Network also has a VPN service based on VPNet's IPSec hardware encryption devices.
Contact Senior Editor Denise Pappalardo
