Cisco Systems Inc. has delivered a good set of virtual private network (VPN) products for the enterprise, but needs to do a better job explaining how it can provide an end-to-end solution over service providers’ networks, according to analysts.
Cisco’s Enterprise VPN roll-out is the second phase of its overall VPN strategy, which was first launched in October when the company released products and services aimed at carriers and ISPs.
The new enterprise-focused VPN products include Cisco IOS software enhancements, such as IPSec acceleration on the Cisco 7500 and 7200 router series, as well as firewall feature set extensions and VPN service-level agreement monitoring services. Other security features include Triple DES support, time-based Access Control List (ACL) management software, public-key infrastructure support in CiscoSecure, the NetSonar 2.0 security scanner for Windows NT, and the NetRanger 2.2 intrusion detection system.
But companies trying to build an end-to-end VPN should not assume Cisco’s Enterprise VPN products will work seamlessly with its previously released carrier-focused family of products, said Jim Metzler of the Metzler Group consultancy in Newton, Mass.
“The insinuation is there. I’m looking for proof points,” Metzler said.
He explained that a proof point might relate to quality of service (QoS). While the campus equipment might support the 802.1p protocol, the WAN gear may support Differentiated Services (DiffServ) or Multiprotocol Label Switching (MPLS) — which aren’t standards yet.
“What are they going to do to provide the mappings between one and the other, and as they change, update that? Or do users have to do that themselves? Well, that’s just painful,” Metzler said.
He said a lot of customers are confused about how they put together a fully QoS-enabled architecture, and he said vendors such as Cisco, Lucent and Nortel need to articulate clearly how they expect enterprises to build an end-to-end, coherent, manageable VPN.
“I don’t think any of the three have demonstrated that, and that’s a challenge I give to all of them,” Metzler said.
Michael Speyer, program manager for Boston-based research firm The Yankee Group, agreed that vendors need to show they can deliver an end-to-end VPN solution.
“They’re going to have to have encryption that can run all the way across from the service provider through to the enterprise. There are going to have to be class of service mechanisms that are, not interchangeable, but can be met between enterprise class of service and service provider types of implementations,” Speyer said.
Metzler did say he was impressed with the strong security features of Cisco’s Enterprise VPN family — namely the NetRanger 2.2 and NetSonar 2.0 tools, plus the time-based ACL Manager 1.0 software.
NetRanger detects live network intrusions, while NetSonar can be used to analyse network vulnerability before attacks occur, Metzler explained. With ACL Manager, a company could set up time-limited network access rights for an outside contractor or create a window of time during which an internal staff member is allowed to access corporate human resource data, for example.
“It used to be that people had these rights until someone, remembering to do it, went in later on and took them away. Now, when you set it up, you can put boundaries when they have these rights, so that’s kind of cool,” Metzler said.
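The time-bounded access rights Metzler describes map onto the time-range feature in Cisco IOS, where an access control entry is only active while a named time range is in effect. The configuration below is an added illustration, not a configuration from the article or from Cisco’s ACL Manager product; it assumes the IOS time-range syntax of the 12.0 T train, and the hostnames, addresses, dates and interface are constructed for the example.

```cisco
! Constructed example: contractor access window (not from the article)
! Absolute bounds limit the engagement; periodic bounds limit it to business hours.
time-range CONTRACTOR-WINDOW
 absolute start 08:00 1 February 1999 end 17:00 30 April 1999
 periodic weekdays 08:00 to 17:00
!
! A second window for internal staff who may read HR data only during
! the monthly review period.
time-range HR-REVIEW-WINDOW
 absolute start 09:00 1 March 1999 end 18:00 5 March 1999
!
ip access-list extended PERIMETER-IN
 ! Contractor host may reach the engineering subnet over HTTP only while the window is active.
 permit tcp host 192.0.2.50 10.10.0.0 0.0.255.255 eq www time-range CONTRACTOR-WINDOW
 ! Staff subnet may reach the HR server only during the review window.
 permit tcp 10.20.0.0 0.0.0.255 host 10.30.0.5 eq 443 time-range HR-REVIEW-WINDOW
 ! Everything else is dropped; logging the denies gives the detection team a record of
 ! attempts made outside the granted window.
 deny ip any any log
!
interface Serial0
 ip access-group PERIMETER-IN in
!
! Time-based entries are only as trustworthy as the router clock, so sync it.
ntp server 10.0.0.1
```

Once the absolute end date passes, the entries referencing that time range go inactive on their own, which is the “boundaries” behaviour Metzler contrasts with rights that linger until someone remembers to remove them. The deny entry with logging matters as much as the permits: denied connection attempts after a window closes are a useful signal that an expired account or a departed contractor is still trying to reach the resource.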
Berkeley Keck, director of information technology for United Network for Organ Sharing (UNOS) in Richmond, Va., is currently evaluating Cisco’s Enterprise VPN products. UNOS operates the organ procurement and transplant network for the United States, which involves maintaining a nation-wide waiting list and matching donor organs to people on the list.
A year ago, UNOS began phasing out its X.25 network in favour of using the Internet to allow some 270 hospitals and 60 organ procurement organizations to access its system. However, not all of these organizations are comfortable using the public Internet to access the organ donor list, Keck said.
As a result, UNOS is considering implementing an Internet-based VPN solution, possibly from Cisco or Nokia, he said. Not only would it provide an alternative to the public Internet, it would also allow for a back-up route to UNOS’s system, he explained.
Currently, UNOS primarily uses Cisco equipment and would like to leverage that investment, Keck said, but he has found Nokia’s routers have some features which Cisco’s don’t.
“The flexibility of the product, in terms of routing for internal as well as external use, is going to be a decision point, and the Nokia product does a little better with that. But, they are more expensive,” Keck said.
However, because UNOS plans to migrate to an entirely Windows NT environment, he is particularly interested in the NT support in Cisco’s NetSonar 2.0 security scanner.
“The integration with NT — and I mean tight, trouble-free integration — is what we’re looking for. I don’t want to bring something in that’s ‘sort of’ compatible and then becomes a maintenance issue for us,” Keck said.
He said he expects UNOS to choose its VPN solution in three or four months.
In another recent announcement, Cisco rolled out the new Catalyst 6000 family of multi-gigabit enterprise switches. The Catalyst 6000 and 6500 provide up to 32Gbps and 256Gbps aggregate throughput, respectively, and can scale up to 150 million packets per second, according to Cisco. Other features include integration with Cisco IOS and the CiscoAssure QoS architecture, which allows users to apply network policies based on Layer 2, 3 or 4 information, including specific users, IP addresses or applications.
The Catalyst 6000 can support up to 384 10/100Mbps ports or up to 130 gigabit Ethernet ports, making it flexible enough to meet users’ evolving needs, Cisco said.
Yankee Group’s Speyer said the Ethernet-only Catalyst 6000 is optimized for the backbone and server farms.
“In terms of Ethernet switching, it’s a pretty significant announcement,” Speyer said. “Here’s a very, very strong product that will compete more than adequately with what’s come out so far from 3Com, Bay Networks, Cabletron or anybody else you may care to mention.”
The Enterprise VPN suite of products is available now, with the exception of software IPSec acceleration for the Cisco 7500, which will ship in a subsequent release of Cisco IOS 12.0, and hardware acceleration for the Cisco 7200 and 7500 systems, which will be available in the first half of 1999.
The Catalyst 6000 and 6500 series each come in six- and nine-slot versions. The Catalyst 6000 series starts at $29,997, and the Catalyst 6500 begins at $34,736.
Cisco Systems Canada Co. in Toronto is at (416) 216-8000 or on-line at www.cisco.com.