InformationWeek

February 8, 1999

Automated-Policy VPNs Become Top Priority

continued...page 2 of 2

Related links from our sister publications:

InternetWeek VPN Products Confront FUD

Network Computing cIPro-DMZ: More VPN for Your Dollar

Keck says his organization also looked into customizing the hardware to filter access, but building controls into the application itself seemed to be the most effective and efficient method. A password-protected security application accesses only the specific database file a patient's representative requests and is authorized to see. All transported data is encrypted until it reaches the user's desktop.

Of course, not every VPN has such high security requirements. As a result, some companies are able to use the policy enforcement capabilities built into VPN products to set access rules without having to write a new application. In one case, a whole new business unit has been proposed because of a successful policy-based VPN.

Oracom Inc., which makes products to manage telecommunications equipment, first deployed a VPN to configure management equipment shipped to customers' sites. The company had been using a dedicated line to configure the gear or sending a technician to the site. "Either way was expensive," says Scott MacGregor, Oracom's VP of operations, "And when we used dial-up lines, we never really got full access." Oracom looked into alternatives and VPNs were the most appealing in terms of cost.

Of course, Oracom's customers had some qualms about allowing the company's technicians access to their networks. "We had to be able to guarantee we weren't getting full entry into their networks, because if we had too much access, we could bring a satellite operation down," MacGregor says.

Oracom looked at many options, including building its own VPN using the Linux open-source platform, but it couldn't spare the developers. In the end, Oracom decided to go with equipment from Assured Digital Inc., in large part because of its management capabilities.

In addition to VPN hardware, Assured Digital sells management software that administrators can use to specify access rights. Oracom was able to guarantee its customers it had only limited entry into their networks so none of their equipment was at risk from an error. "Policy-based networking reassures our customers they are still in control of their networks and all their equipment," MacGregor says.

New Opportunities
Oracom uses Assured Digital's products to configure gear and observe performance to ensure that the equipment is working properly. The management-equipment vendor also supplies device monitoring for clients who can't spare the resources to track the Oracom equipment. Oracom started using its VPN to monitor those devices, and a new business opportunity has unfolded.

"Most of our customers are relatively small, so they can't afford to produce the types of reports for their customers that a larger provider can," MacGregor says. "So it was obvious to us that we could leverage our VPNs over a wider customer base for less money." Essentially, Oracom expanded the services it was providing, tracking its customers' telecom networks around-the-clock and issuing usage reports. Oracom's customers' ability to set and enforce policies was of critical importance to the success of this new venture, MacGregor says.

Oracom's use of the Internet for monitoring purposes raised some eyebrows at first. "It was hard to sell this without having a very secure way to do the monitoring," MacGregor says. In effect, there were two sides to making the effort successful--monitoring and control. "We had to give them policy control that they would in turn use to give us only half access," MacGregor adds.

Oracom uses its VPN to see the customer's network and, in some cases, the customer's equipment. But once the initial set-up of the management equipment is complete, Oracom has monitoring-only rights.

While the new service business is small, MacGregor says, Oracom expects it to grow enough to warrant a separate business unit and to account for half the company's revenue within a few years.