Managed VPN and security service providers

May 31, 2002 12:00 PM, Jeff Wilson

Managed services for firewalls, especially for large customers, have a long history, at least as history is measured in the network world. As basic security products became generic-off the shelf, firewall-in-a-box-managed services declined in importance. But with the Internet boom in the mid-1990s, managed services regained importance. The Internet leveled the field, allowing small and medium companies to join the multi-connected world. It also leveled the field for intruders, who can now operate from their homes or dormitories.

As security and VPN products matured, the existing service providers added, or restored, managed services for them to their product lines, and start-ups aiming at particular security concerns entered the market as well.

End users of all types and sizes are clamoring for managed VPN and security services, and the dollar opportunity that this represents is difficult for service providers of any type to ignore.

Most service providers offer a mix of services. A few specialize in a particular area, such as vulnerability assessment, and some offer a full suite of managed services (though many of the more esoteric services are provided through partnerships with other companies).

Segmentation

The current set of service providers offering security and VPN services can be distinguished from each other in a variety of ways-those offering security only, those offering VPNs only and those offering both. Another distinction is between the long-established companies and the start-ups. Still another is that some providers simply deploy and manage security and VPN devices as they would any other network device, while others actively monitor logs and provide the customer with analysis of potential threats.

The most useful division is between those that are facilities-based-that is, they own their network-and those that are not. (This distinction aligns closely, but not exactly, with the established vs. start-up division.)

Facilities-based service providers further divide into those offering CPE only, network-based equipment only, or both; the non facilities-based companies offer only CPE but can be split up based on whether they offer off-the-shelf VPN and security technology, or whether they have built their own overlay VPN/security technology.

Facilities-based vs. non facilities-based service providers

Facilities-based VPN/security service providers

Service providers that are facilities-based-that own at least a Layer 3 IP services network (many own and operate layer 1 and layer 2 networks as well)-include the giant telcos such as WorldCom and AT&T and large data service providers like Genuity. They may offer access and a network backbone in addition to value-added services like VPNs and security, in which case they can market a rich end-to-end service. If they sell access and backbone bandwidth, their VPN and security service offerings may be limited by the areas in which they offer access services. Facilities-based providers that only own Layer 3 and higher networks (like Virtela and Genuity) can bundle access from a variety of providers, making it easier for customers to provide connectivity to all of their sites and users.

Facilities-based offerings may be network-based or CPE-based, or both. CPE-based offerings have the advantage of low initial costs, as the customer pays for the infrastructure, but they have the disadvantage of being an ongoing burden to manage. Network-based offerings, in which the equipment is at the service provider's site, are the opposite: the initial costs are high, as the service provider pays for the infrastructure, but management is much easier, as no house calls are needed.

Non facilities-based VPN/security service providers

The service providers that are not facilities-based, in that they have no network of their own, merely a well-equipped NOC, include companies such as OpenReach, SmartPipes, eTunnels and Fiberlink. Their NOC contains a provisioning platform, the software for which they have taken great pains to develop. They have a set of agreements with network providers, some for partnering, some to resell their connections. Of necessity, these service providers sell CPE only. This group splits into 2 divisions: providers that provision and manage off-the-shelf VPN and security CPE, and overlay providers, which have an end-to-end solution that rides on top of any IP/Internet access and doesn't require VPN/security products other than those they developed. Fiberlink and SmartPipes are examples of the first type, while OpenReach and eTunnels are examples of the second.

Many of these companies are staffed by engineers that left larger, established service providers when the latter, upon realizing the size of the programming task involved in creating flexible and scalable maintenance platforms, balked at turning themselves into software houses. Some of these maintenance platforms are now offered for sale back to the companies that didn't want to build them themselves.

Manufacturers should look this group over, see who's doing well and ensure that they can provision and maintain their products. Some providers in this space have already refocused (OneSecure sold their customers to Riptech and repositioned themselves as a multivendor security management product company), and others will merge, refocus or die.

Jeff Wilson is Executive Director for Infonetics Research.

Visit Infonetics online.