RFP: VPNs Across Multiple Sites

By Mike Fratto
VPNs touch virtually every part of your network, from security policies and network addressing to remote users and network management. Without a solid understanding of the impact a VPN will have on your network, a seemingly straightforward project can quickly get out of control--leaving you with a half-baked VPN that doesn't adequately address your needs and creates a management headache.

For this RFP, we created a fictitious electronics component company, Acme.com, that wants to reduce its WAN connectivity costs, secure communications among departments within its WAN and provide secure communications for remote users. Acme.com has three main offices in New York, London and Paris, all connected via T1 leased lines; a handful of smaller offices connected via fractional T1 at 384 Kbps; and several small offices connected via ISDN to local ISPs. Acme.com also employs 500 remote users on a mix of Windows95/3.1/NT and Macintosh desktops and laptops, who need connectivity to New York. The number of remote users is expected to reach 1,500 within two years.

In its RFP, submitted to 33 vendors, Acme.com asked for a way to replace its PVCs (permanent virtual circuits) with single access lines into a service provider with a local POP (point of presence). The reasoning was that a VPN-enabled backbone over the Internet would help Acme.com reach its first goal by replacing the high costs of dedicated connections with lower charges for access to local ISPs. It also would provide for more flexible configurations.

We requested proposals from equipment vendors and service providers. Many equipment vendors offer consulting services, though the breadth of these services varies considerably. Although using a single vendor for WAN connectivity can pose reliability problems, Acme.com expected the service providers to offer QoS (quality of service) guarantees and support SLAs (service-level agreements).
The fact that these guarantees would govern only the quality of data passing within the service provider's network suited Acme.com, since nearly all of its larger sites and remote users would be connecting over the private network. Additionally, a service provider can enhance security by routing VPN traffic over the private network behind its existing firewalls. Equipment vendors seldom provide QoS or SLAs since they can't control the data flow past their own hardware. Ascend Communications, Bay Networks and PSINet, for example, all described the benefits of using a single service provider for just those reasons.

Furthermore, as Acme.com expands its business, the amount of sensitive traffic traversing the network exposes numerous opportunities for data theft. Acme.com asked vendors to provide a VPN solution that would adequately secure the data paths between distributed departments, while remaining as unobtrusive as possible to users.

Ten vendors responded to Acme.com's RFP with detailed proposals for a VPN: Ascend Communications, Assured Digital Inc. (ADI), Aventail Corp., Bay Networks, PSINet, RedCreek Communications, Shiva Corp., 3Com Corp., TimeStep Corp. and VPNet Technologies.

Nearly every vendor noted the Internet-backbone cost savings Acme.com had sought, although in most cases these savings didn't seem significant. However, three vendors--Bay, PSINet and VPNet--found errors in Acme.com's WAN costs, and in working with these vendors a more realistic pricing picture emerged (see pricing schedule at www.NetworkComputing.com/912/912f1.html). Also, although Acme.com did not specify a need for IPX support, only Bay, Ascend and ADI offered direct support via L2TP (Layer 2 Tunneling Protocol) or PPTP (Point-to-Point Tunneling Protocol). Other vendors suggested IPX-in-IP encapsulation, such as through NetWare IP.

Acme.com's remote users have a mix of Windows95/3.1/NT and Macintosh desktops and laptops.
Many of the vendors couldn't support Acme.com's entire mix of operating systems used by its remote workers. They proposed that Acme.com migrate these users to other, approved operating systems. This is not entirely acceptable to Acme.com, largely because of the high retraining costs and disruption in user productivity that would follow.

Surprisingly, only two vendors really shone in the softer areas of consulting and support: Bay and TimeStep. These are critical areas for Acme.com, which is making radical changes to its mission-critical network. Bay and TimeStep accommodated this transition by proposing consultation prior to installation, a thorough network analysis and security audits, all of which should provide a picture of Acme.com's current network structure including common data paths and protocol inventory. A security audit will help integrate the virtual private network into Acme.com's existing security architecture and highlight weaknesses that should be addressed in addition to the VPN implementation.

Bay and TimeStep noted that after installation of the VPN, service and support for administrators and users would be critical to a successful rollout. Both vendors address Acme.com's unique need for support in a multinational environment, where language is not the only barrier. Simple issues, such as time zones, become critical when basic service is offered during Pacific working hours, typically 8 a.m. to 6 p.m. PST.

Acme.com whittled the contenders to a short list of Ascend, Bay, Shiva, TimeStep and VPNet, and ultimately gave the bid for the VPN installation to Bay. Key among the advantages Bay presented is its superior level of project management, including consulting and support. Bay's VPN strategy covers all the requirements of Acme.com's RFP, and builds in room to scale as Acme.com grows.
Although Bay's response is by far the most expensive, the breadth of service and support it offers during the first year provides a high degree of security for Acme.com's investment.

The shortcomings in the other vendors' proposals, especially those that made the short list, were seldom critical enough to completely discount the vendors--most fell short in securing the departmental networks end to end and in service and support. Indeed, for more cost-sensitive organizations, they all offer adequate VPN solutions.

Below, we present highlights from the 10 RFP responses, beginning with Bay's and proceeding alphabetically. Acme.com's RFP and the unabridged proposals from all vendors can be viewed online at www.NetworkComputing.com/912/912f1.html.