
Carrier-Class IPSec: the Bigger the Better

Light Reading
6/5/2002

Managed security services are hot right now, and carriers have plenty of products to choose from. So which boxes are best for building scalable, managed VPN services?

To find out, Light Reading worked with its testing partners, Network Test Inc. and Spirent Communications, to see which products are ready for the rigors of carrier-grade virtual private network service.

We asked vendors to supply IPSec-based products that would scale to securely support thousands of customers, move traffic into the gigabit range, and offer easy provisioning and management of customer circuits.

Turns out that was a little too tall an order.

We chose IPSec among the various VPN technologies available today because the alternatives simply aren’t suitable for managed security services.

Multiprotocol Label Switching (MPLS)-based VPNs and the Internet Engineering Task Force (IETF)'s MPLS Martini extensions offer a variety of benefits, but security isn’t one of them. Neither provides authentication or encryption, which are bedrock functions required to ensure data integrity and privacy. The Layer 2 Tunneling Protocol (L2TP) does authenticate users, but it’s mainly intended for dial-up links, and it doesn’t offer encryption or verify that data hasn’t been altered in flight.

In contrast, the IETF’s IPSec suite does provide strong security; even so, finding carrier-class products can be a challenge. To begin with, most IPSec gateways are intended for CPE (customer premises equipment) use, and these won’t scale anywhere close to carrier-class levels.

Several vendors say they do offer carrier-class gear, but when it came time to put up equipment for testing, most – including Cisco Systems Inc. (Nasdaq: CSCO), Lucent Technologies Inc. (NYSE: LU), and Nortel Networks Corp. (NYSE/Toronto: NT) – proved awfully shy. (See: No Shows.)

In the end, only two vendors were willing to put their carrier-grade boxes to the test: NetScreen Technologies Inc. (Nasdaq: NSCN), a newly minted public company; and Quarry Technologies Inc., a startup.

We put both vendors’ IPSec gateways through a grueling set of tests, and both came up aces. While most vendors were busy hiding, the NetScreen and Quarry devices set new speed records: Both ran at Gigabit Ethernet line rates in at least some of our tests. Both scaled to support thousands of concurrent tunnels. Best of all, both delivered essentially the same performance with one secure tunnel and thousands active.

The throughput results are especially noteworthy, considering most CPE-based IPSec gateways can’t even run one tenth as fast. Even though these devices perform some of the most compute-intensive tasks a network element faces (encrypting and authenticating every packet), they manage to crank along at line rate while still providing strong security.

Picking a winner wasn’t easy. Quarry’s iQ series gateways delivered higher throughput in most tests, and offer full redundancy of components and an intuitive, powerful management platform. But the NetScreen-5200 is no slouch either. It set up far more concurrent tunnels than Quarry’s iQ, and the configuration we tested costs less. If we had to pick one, we’d give the nod to Quarry’s iQ, but either is up to the task of carrier-grade IPSec service.

The following report provides an in-depth account of what we tested, how, and what the results were. A hyperlinked index follows:

Alternatively, an archived version of the May 23rd Webinar in which Light Reading shared the results of the test is available for download.

David Newman is president of Network Test Inc. (Westlake Village, Calif.), an independent benchmarking and network design consultancy. Network Test’s clients are end-users (enterprises and service providers), trade publications, and industry consortia; the company does not accept testing commissions from equipment makers.

M$BIG,
User Rank: Light Beer
12/4/2012 | 11:41:49 PM
re: Carrier-Class IPSec: the Bigger the Better
I hear:

Alcatel - BAS integration test complete. They have qualified a broadband router access server and complementary tunnel device (for their recent acquisition solution).

And the product provides stable and fully functional VR service. VPN, L2TP, IPSEC, PPP (remarkable # of sessions - E and ATM).

It was said; their favorite BAS beverage is now in the sales cycle and will be served in a number of European locations soon!!!
toohideous,
User Rank: Light Beer
12/4/2012 | 10:18:12 PM
re: Carrier-Class IPSec: the Bigger the Better
I thought Cosine recently introduced a bunch of these features with the "shark" card....

Any ideas why Cosine or others for that matter didn't show up for this test?

If the space is so "hot", I find it strange that only two came to the table....

-th
jbsmith,
User Rank: Light Beer
12/4/2012 | 10:17:43 PM
re: Carrier-Class IPSec: the Bigger the Better
Wondering how the BIG question of security on the access link is "out of the scope of this paper". This question is at the very heart of even considering CO-based SVPN products. Without a solid value proposition, economic argument AND customer acceptance of encryption not occurring until it hits the carrier edge - there is no sense in even considering these products.

Who wants to tackle this issue?

Cheers...

Jeff
beowulf888,
User Rank: Light Beer
12/4/2012 | 10:17:38 PM
re: Carrier-Class IPSec: the Bigger the Better
toohideous wrote:
>Any ideas why Cosine or others
>for that matter didn't show up
>for this test?

Good question. Cosine is an aggressive player in that space. Did LightReading forget to invite them?

>If the space is so "hot", I
>find it strange that only two
>came to the table....

There's a lot of hype about IPsec in the Service Provider space at the moment. Most of the IPsec market seems to be Enterprise-oriented at the moment, though. I recently worked for an unnamed company that was trying to market IPsec products in the carrier space, and there was not much interest from most of the big carriers.

Also, most SPs didn't seem too motivated to offer IPsec services. I suspect that it was because IPsec VPNs and related security technologies (firewalls, etc.) require a lot of care and feeding. Most SPs don't seem to have the trained staff on hand to manage these services.

The one bright spot in the telecom IPsec VPN market was the smaller and more agile managed service providers who are starting to consider business models which involve partnering with the big carriers to offer these services to the Fortune 500 customers of carriers.

Another issue I encountered was that Enterprise customers seemed to be reluctant to outsource their security infrastructure (IPsec VPNs, firewalls, etc.) to Service Providers. Their attitude seemed to be: "Give us the pipes, and encrypt our traffic ourselves, thank you very much."

cheers,
--Beo

beowulf888,
User Rank: Light Beer
12/4/2012 | 10:17:37 PM
re: Carrier-Class IPSec: the Bigger the Better
Sorry, too many typos in that last post. Let me try it again ;-)

toohideous wrote:
>Any ideas why Cosine or others
>for that matter didn't show up
>for this test?

Good question. Cosine is an aggressive player in that space. Did LightReading forget to invite them?

>If the space is so "hot", I
>find it strange that only two
>came to the table....

There's a lot of hype about IPsec in the Service Provider space at the moment. The most active segment of the IPsec VPN market, however, seems to be Enterprise-oriented. I recently worked for an unnamed company that was trying to market IPsec products in the carrier space, and there just wasn't much interest on the part of the big carriers in IPsec VPN technologies.

I suspect that the reason that most SPs weren't motivated [to offer IPsec services] was because IPsec VPNs -- and related security technologies (firewalls, policy management, etc.) -- require a lot of care and feeding. Most SPs don't seem to have enough trained staff on hand to manage these services in large-scale rollouts.

Hint: Anyone who can make a decent OSS package to provision and manage firewalls, IPsec VPNs and to do policy management -- and that will manage multiple vendors' equipment -- and that will SCALE to meet Service Provider levels of activity -- could probably make some money right now. But I digress...

The one potential bright spot in the telecom IPsec VPN market is the smaller and more agile managed service providers -- who are starting to consider business models that involve partnerships with the big carriers. The MSPs would manage these services to Enterprise customers on the behalf of the carriers.

Another issue I encountered was that Enterprise customers seemed to be reluctant to outsource their security infrastructure (IPsec VPNs, firewalls, etc.) to Service Providers. Their attitude seemed to be: "Just give us the pipes, and we'll encrypt our traffic ourselves, thank you very much!"

cheers,
--Beo

buliwyf,
User Rank: Light Beer
12/4/2012 | 10:17:29 PM
re: Carrier-Class IPSec: the Bigger the Better
I seem to remember a few companies that tried to make services around cosine boxes (i.e., aduronet).
Seems to me the only value cosine has is the cash they hold, but how are they going to generate revenue or a product that SPs can actually make money from?

On a different note...
The enterprise wants security, but are they willing to pay the premium? Skilled staff are getting cheaper than they used to be (once a key driver to outsource).

In the long view, will the service provider handle the crypto *and* the network services, or will specialist services companies manage the IPSEC VPNs over the SP's infrastructure (the SP sticks to its core business)?

SeaW,
User Rank: Light Beer
12/4/2012 | 10:17:26 PM
re: Carrier-Class IPSec: the Bigger the Better
jbsmith wrote: Wondering how the BIG question of security on the access link is "out of the scope of this paper".
------------------------
More often than not the access link is a point-to-point connection and as such is considered secure enough for most implementations. The service provider's IP backbone, however, is a shared network and therefore needs additional security (i.e., encrypted VPNs).

In circumstances where encryption is desirable on the access link, the provider's edge switch needs to be able to interoperate with IPsec clients on PCs and workstations as well as with little CPE VPN gateway boxes. This allows encrypted traffic to be passed through the provider's network securely. I believe both of the products in this test have these capabilities.

The next step in access link security is tunnel switching, where the provider's edge switch can terminate the access tunnel, process the application flow, and switch it on to a tailored backbone tunnel. This could also be used to aggregate similar application flows for transport across the backbone in order to simplify traffic management. I don't know where these companies stand on this functionality.

I hope this helps.
SeaW
skip181,
User Rank: Light Beer
12/4/2012 | 10:17:22 PM
re: Carrier-Class IPSec: the Bigger the Better
I have worked for vendors for years. These tests come along all the time and they cost a lot of time and money for these vendors. Also, typically they are initiated by one particular vendor who specifies the test criteria, so any other vendor will be behind the eight ball from the get go.

Cisco in fact went as far as to take a share in one of these so-called independent testers, so you will see a lot of their results coming from one particular facility.

CoSine in fact just completed a test suite with Tolly that was far more extensive, and so I guess saw no need to validate again so soon after. Here is an extract; the full report is on CoSine's website.

One point you should note about this test here is that they let the vendors have a bit of grace with the packet size, i.e., smaller packets would mean worse results. CoSine in fact got line rate down to 128 bytes....

Test Summary

- Delivers 1,000 independent 1 Mbit/s firewalls (supporting 20 active rules) with NAT running at wire speed on Gigabit Ethernet with zero-loss throughput of bidirectional traffic down to 128-byte packets using only 17% of switch capacity

- Supports 1,800 independent BGP/MPLS VPN networks running at 99% wire speed on Gigabit Ethernet with zero-loss throughput of bidirectional traffic down to 128-byte packets using only

- Handles 100 customer networks simultaneously running IPSec encrypted (3DES+SHA1) bidirectional traffic for 1,024-byte packets at 99% of zero-loss theoretical maximum throughput on a Gigabit Ethernet interface
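As an added example that is not part of skip181's post or of CoSine's report, the following Python works out how much ESP tunnel mode with 3DES-CBC and HMAC-SHA1-96 (the transform named in the extract) grows each packet, and the resulting Gigabit Ethernet zero-loss ceiling at the packet sizes the extract cites. The framing and ESP sizes are the standard Ethernet and RFC 2406/4303 values, and packet sizes follow the RFC 2544 convention of including the frame check sequence; both are assumptions about how the quoted numbers were measured.

```python
# Added example (not from the comment or either vendor's report): how much
# ESP tunnel mode with 3DES-CBC + HMAC-SHA1-96 grows each packet, and the
# Gigabit Ethernet zero-loss frame rate that leaves for the clear-text side.
# Size constants are the standard Ethernet and ESP (RFC 2406/4303) values.

MAC_HEADER = 14      # dst MAC, src MAC, ethertype
FCS = 4              # frame check sequence (RFC 2544 frame sizes include it)
PREAMBLE_SFD = 8     # preamble + start-of-frame delimiter
IFG = 12             # inter-frame gap
GIGE_BPS = 1_000_000_000

OUTER_IP = 20        # new outer IPv4 header added in tunnel mode
ESP_HEADER = 8       # SPI + sequence number
IV_3DES = 8          # CBC IV, one 3DES block
ESP_TRAILER = 2      # pad length + next header
ICV_SHA1_96 = 12     # truncated HMAC-SHA1
BLOCK_3DES = 8       # cipher block size the encrypted region is padded to


def esp_tunnel_packet_len(inner_ip_len: int) -> int:
    """Outer IP packet length after ESP tunnel-mode encapsulation."""
    encrypted = inner_ip_len + ESP_TRAILER
    pad = (-encrypted) % BLOCK_3DES          # pad up to a block boundary
    return OUTER_IP + ESP_HEADER + IV_3DES + encrypted + pad + ICV_SHA1_96


def esp_frame_len(clear_frame_len: int) -> int:
    """Wire frame length (incl. FCS) after encapsulating a clear-text frame."""
    inner_ip_len = clear_frame_len - MAC_HEADER - FCS
    return esp_tunnel_packet_len(inner_ip_len) + MAC_HEADER + FCS


def gige_max_fps(frame_len: int) -> float:
    """Theoretical zero-loss frame rate of one Gigabit Ethernet direction."""
    return GIGE_BPS / ((frame_len + PREAMBLE_SFD + IFG) * 8)


def wire_rate_after_esp(clear_frame_len: int) -> dict:
    """Encapsulated size and the clear-side offered load at which the
    encrypted side just fills the link: above this, zero loss is impossible."""
    enc = esp_frame_len(clear_frame_len)
    fps = gige_max_fps(enc)
    return {
        "clear_frame": clear_frame_len,
        "esp_frame": enc,
        "expansion_pct": round(100.0 * (enc - clear_frame_len) / clear_frame_len, 1),
        "clear_side_max_fps": round(fps),
        "clear_side_max_mbps": round(fps * clear_frame_len * 8 / 1e6, 1),
    }


if __name__ == "__main__":
    for size in (64, 128, 1024, 1518):   # 64 and 128 are the hard cases
        print(wire_rate_after_esp(size))
```

The overhead is a fixed 50 bytes per packet (52 when block padding is needed), which is why 64- and 128-byte packets are the hard case the comment points to: at 128 bytes the encrypted side grows by 39%, so the clear side can be offered no more than about 646 Mbit/s before the gigabit link is full.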
SeaW,
User Rank: Light Beer
12/4/2012 | 10:17:22 PM
re: Carrier-Class IPSec: the Bigger the Better
Having participated and avoided participation in various magazine tests of LAN and ATM switches in a past life, I can tell you that companies will not expose themselves and show their warts unless they are reasonably sure they have a good chance of winning. In other words, the no-shows for this test knew they couldn't win and didn't want to publicize their shortcomings. It's easier to spin your way around non-participation than to try to explain away a loss. Read the no-shows' excuses here: http://www.lightreading.com/do...
Steve Saunders,
User Rank: Blogger
12/4/2012 | 10:17:12 PM
re: Carrier-Class IPSec: the Bigger the Better
skip181 wrote:

"I have worked for vendors for years. These tests come along all the time and they cost a lot of time and money for these vendors. Also, typically they are initiated by one particular vendor who specifies the test criteria, so any other vendor will be behind the eight ball from the get go. CoSine in fact just completed a test suite with Tolly that was far more extensive, and so I guess saw no need to validate again so soon after."

I assume you work for Cosine!

It all comes down to whether you like your tests independent, or paid for by the vendors being tested. This was an independent test (paid for by Light Reading). So it wouldn't have cost Cosine anything to play. The Tolly Test, conversely, was paid for by Cosine.

Nothing wrong with that, but which test do you think is more likely to produce meaningful, independent results?

The comment about tests being initiated by one vendor is pure nonsense, by the way.

Steve