UUNET plots VPN course

By Denise Pappalardo
Network World, 06/21/99

UUNET plans to add strong security and greater network access control to its dial-up VPN services by year-end.

UUNET, MCI WorldCom's ISP business, will add support for integrated directory services, IP Security (IPSec) software, public-key infrastructure (PKI) and new customer premise virtual private network devices. The changes, which will bolster UUNET's dial-up VPN Services, now called UUDial, will take place over the next few months.

First, the company will give its dial-up VPN customers better control over user-access privileges by rolling out its Active Network Infrastructure (ANI) in the fourth quarter. ANI uses Cisco Networking Services for Active Directory - co-developed by Microsoft - to provision network resources and simplify net access administration.

ANI will let business users who have a Lightweight Directory Access Protocol (LDAP) Version 3-compliant server on their networks synchronize access privilege data between their directories and a master directory stored on UUNET's networks.

This move means that when network managers remove or change dial-up users on their LDAP servers, the managers will not have to contact UUNET to make the same change on the UUNET network. Today, most users have to fill out an electronic form or contact a person at an ISP to add, drop or change a user's access privileges, says Eric Zines, senior consultant at TeleChoice, a consulting firm in Boston. Integrating internal LDAP directories with UUNET's ANI will expedite that process, Zines says.

UUNET will also use ANI to let users more easily set up group access policies. This ability will be especially useful when trying to manage an extranet that may have employees, business clients and vendors accessing all or parts of a network.

In addition to adding directory services to its dial-up VPN offering, UUNET is boosting security features. Specifically, UUNETis adding support for IPSec - the IETF's standard for IP encryption, authentication and key management.

Expected in July, IPSec support will be added by using Indus River's Linux-based River Works VPN products. River Works includes a VPN access device that sits at a customer premise site and an IPSec-compliant client that will be deployed on each dial-up user's computer.

UUNET will support the River Works software client only for users who also have deployed River Works devices. But the ISP plans to team with a security software vendor to provide all of its dial-up users with an IPSec-compliant client by year-end, says Dennis Brouwer, vice president of dial-up services at UUNET. Once UUNET chooses an IPSec client, all of its dial-up VPN customers will be able to support the strongest encryption and authentication available. Until then, users can use the River Works products or wait a few more months.

Users at BMW Manufacturing are happy to see the IPSec support. BMW, a UUNET dedicated Internet access customer, has held off outsourcing its dial-up VPN needs because of a lack of IPSec support.

"We want managed, worldwide dial-up access using IPSec," says Sim Wright, BMW Manufacturing's coordinator of IT. But BMW has not been satisfied with the level of security ISPs have been offering, he says. "In the long term we expect [strong security] services to become available. Until then, we are managing our dial-up users internally," he says.

In July UUNET will also offer Nortel's Contivity Extranet Switch product family, which supports standard tunneling, security, authentication, directory, accounting and connectivity protocols in a single, integrated hardware platform.

The Contivity products as well as CheckPoint Software's Firewall-1, Windows NT and River Works servers will be included in UUNET's VPN Alliance Program, which the ISP is expected to announce later this month. The program will include several vendors' products that have been compatibility-tested and can be fully managed by UUNET in combination with its dial-up VPN services.

UUNET has also committed to rolling out its own PKI that will allow the ISP to support X.509 digital certificates used to authenticate users and network access devices. Digital certificate support will be just another option that UUNET's dial-up VPN users can add to their service. While UUNET has not committed to a specific vendor's PKI system or third-party digital certificate authority, the company says it will make those decisions by the fourth quarter.

Besides adding better management features and stronger security, UUNET has been busy cleaning house. UUNET has inherited assorted dial-up VPN services through a series of acquisitions. The services, such as SafeReach IP, SafeReach NT and ExtraLink Remote, will be woven into UUDial.

The change means some customers may have to swap out customer premises equipment. For instance, MCI WorldCom Advanced Network's SafeReach IP customers were using Layer 2 Forwarding to support secure communications between dial-up users and a headquarters site. But now UUNET is supporting Layer 2 Tunneling Protocol as a standard part of its UUDial service. SafeReach IP users will get a new Firewall-1 server to replace an ANS Communications Key Ring firewall server that UUNET will no longer support.

Because UUNET now comprises legacy CompuServe Network Services, ANS Communications and MCI WorldCom Advanced Networks, UUNET had to keep track of too many dial-up services, TeleChoice's Zines says.

UUNET: (703) 206-5600