SANTA CLARA, Calif. Completion of the Internet Protocol Secure (IPsec) standard has spurred a new round of upgrading in virtual-private-network (VPN) offerings for both client and server. Old internetworking hands such as Lucent Technologies Inc. and 3Com Corp. are offering a choice of software-only and hardware-assist solutions. Startups Effnet Corp. (Wellesley, Mass.) and NetBoost Corp. (Mountain View, Calif.) are touting proprietary board-level solutions for combined policy-management and encryption engines for VPNs.
VPNs entail creating private tunnels that span LANs and WANs, provisioned by the enterprise or by a carrier. They have proven far more popular than virtual LANs, since they allow secure domains to be created within a public network. Ad hoc solutions based on Layer 2 Tunneling Protocol (L2TP) or Point-to-Point Tunneling Protocol (PPTP) have existed for almost two years, but excitement over IPsec is spurring new activity at router manufacturers, VPN specialists and chip-set vendors with encryption savvy.
Next week, Lucent's remote access business unit (the former Livingston Enterprises, Pleasanton, Calif.) is coming out with hardware-based IPsec support for its PortMaster 3 router, using a 100-MHz MIPS processor with Lempel-Ziv compression support. Cary Hayward, product manager for PortMaster at Lucent, said the consensus about IPsec, particularly in host-server or router applications, is that hardware support for both compression and encryption is a necessity, because early client beta implementations of IPsec from some vendors overtaxed the host CPU.
The former Livingston group is in an interesting position in that it can tout the PortMaster 3 as a combination router, firewall, VPN gateway and site-to-site tunneling device. At the same time, the division can work with the Lucent team designing managed firewall solutions based in part on Lucent's Inferno operating environment.
IPsec embeds bulk encryption as part of the standard, which L2TP does not do. The standard specifies several layers of security. An Authentication Header can verify the origin of data, provide a checksum for data integrity and protect against malicious replay. In addition, IPsec specifies an Encapsulating Security Payload that provides embedded support for encryption. IPsec also makes use of the Internet Security Association and Key Management Protocol (ISAKMP) for standardizing the establishment of security associations between clients and servers, as well as the distribution of keys.
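As an added illustration (not from the article and not any vendor's product code), here is the anti-replay sliding window that an AH or ESP receiver keeps per security association, in the form the IPsec RFCs describe: a 64-bit window anchored at the highest sequence number accepted so far, consulted before the packet's integrity check and advanced only after that check succeeds. The sequence-number trace at the bottom is constructed.

```python
class ReplayWindow:
    """Per-security-association anti-replay state (RFC 2401 / RFC 4302 style)."""

    def __init__(self, size=64):
        self.size = size   # window width in sequence numbers (>= 32, 64 recommended)
        self.right = 0     # highest sequence number accepted so far (right edge)
        self.bits = 0      # bit i set  =>  sequence number (right - i) was received

    def check(self, seq):
        """True if seq is acceptable; does not modify state."""
        if seq == 0:                       # sender starts at 1; 0 is never valid
            return False
        if seq > self.right:               # newer than anything seen: fine
            return True
        diff = self.right - seq
        if diff >= self.size:              # older than the window: drop
            return False
        return not (self.bits >> diff) & 1  # inside window: drop if already seen

    def update(self, seq):
        """Mark seq as received; call only after the integrity check passed."""
        if seq > self.right:
            shift = seq - self.right
            self.bits = ((self.bits << shift) | 1) & ((1 << self.size) - 1)
            self.right = seq
        else:
            self.bits |= 1 << (self.right - seq)

    def receive(self, seq, integrity_ok):
        """Full receiver decision for one packet: window test, then ICV, then update."""
        if not self.check(seq):
            return "rejected: replay or outside window"
        if not integrity_ok:               # a forged packet must not advance the window
            return "rejected: integrity check failed"
        self.update(seq)
        return "accepted"


def run_trace(trace, size=64):
    """Feed a constructed list of (sequence_number, integrity_ok) through one SA."""
    window = ReplayWindow(size)
    return [window.receive(seq, ok) for seq, ok in trace]


if __name__ == "__main__":
    # constructed trace: a replay of 1, reordering of 2/3, a forged 100, a stale 36
    sample = [(1, True), (1, True), (3, True), (2, True), (2, True),
              (100, False), (100, True), (36, True), (37, True), (0, True)]
    for (seq, _), verdict in zip(sample, run_trace(sample)):
        print(f"seq {seq:3d}: {verdict}")
```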
Lucent is staging its IPsec support for PortMaster 3 in two phases. This month, hardware modules for the router will be offered which support 168-bit Triple-DES (Data Encryption Standard) IPsec tunnels for the creation of site-to-site Internets. The MIPS-based daughtercard that plugs into the PortMaster 3 motherboard, carrying a suggested price of $1,295, supports encryption rates of 1.1 Mbits/s.
Meanwhile, Lucent's Secure/VPN Solutions Group has inked an independent pact with super-router vendor Neo Networks Inc. (Minneapolis) to port the Managed Firewall to Neo's StreamProcessor switch-router. StreamProcessor will be able to forward encapsulated packets in VPN tunnels at up to 128 Gbits/s for Internet backbones.
At 3Com, a software-only solution for L2TP, PPTP and IPsec will roll this month, in anticipation of future network interface cards 3Com will develop with VLSI Technology Inc. (San Jose, Calif.), which will add hardware support for encryption and compression. David Flynn, vice president of marketing for 3Com's client-access business, said 3Com is focusing on putting client software into the hands of broadband modem users, including cable modem and xDSL modem clients, since this hardware takes the biggest hit when VPN tunnels are created.
Besides supporting three types of tunnels and several common encryption and hashing algorithms, 3Com's Dynamic Access software supports the new IP Packet Compression Protocol. 3Com allows users a choice of certificate authorities, with Entrust Technologies' CA supported immediately and VeriSign due in the second half of this year. PPTP is supported through Windows, while L2TP is a home-grown 3Com product. IPsec uses code developed at TimeStep Technologies.
Internetworking security veterans, meanwhile, will face two new competitors with a delivery vehicle for merged policy and crypto management, companies whose business plans also bump up against the new breed of network-specific microprocessor startups. Effnet, spun off from a research project at Lulea University of Technology near Kiruna, Sweden, has a new routing algorithm that allows routing tables to be restructured and reduced in size on the fly, thus permitting fast router-table lookups without using content-addressable memories. Effnet collaborated closely with several of the Swedish startups promoting Dynamic Synchronous Transfer Mode (DTM) and is the only licensee authorized to use DTM in a router platform.
Jim Spoerl, president of Effnet Inc., the U.S. arm, said the company is cautious about licensing its routing algorithms separately from hardware, but also recognized that it was useless to compete directly against router giants like Cisco Systems Inc. Even with a unique lookup-table accelerator, Effnet needed to define a board-level product to speed encryption and tunnel creation for VPNs. The technology can be reduced to the size of a DIMM module; Effnet is considering implementing the VPN accelerator in a Compact PCI card.
Using a marketing model similar to Effnet's, but a far different processor base, is startup NetBoost, which showed off its card-level Policy Engine to server manufacturers at the end of 1998. On March 2, NetBoost signed an integration deal with Secure Computing Corp. (San Jose, Calif.), a specialist in proxy firewalls, to integrate firewall software and highly parallel policy hardware in VPNs.
The NetBoost architecture has won initial investment support from Intel and Texas Instruments, in addition to the typical round of venture firms.
Len Rand, chief executive and founder of NetBoost, said the company's custom processor is small enough to integrate four on a single chip. A StrongARM controller oversees task assignments, and the Policy Engine offloads cryptography to independent crypto chips.