1. Field
Embodiments of the present invention generally relate to the field of Internet processors. In particular, embodiments of the present invention relate to methods and apparatus for delivering security services, such as firewalls.
2. Description of the Related Art
The service provider game has grown extremely crowded and fiercely competitive, with numerous players offering similar products and services. While having a large number of comparable services is arguably beneficial to the enterprise, it poses a host of potentially disastrous consequences for a service provider. If all competitors in a given market are offering services that are indistinguishable by the customer base, the burden of differentiation falls squarely on cost, with the least-cost competitor emerging “victorious”. Jockeying for the cost-leader position rapidly drives down service pricing, reducing margins to rubble and rendering the service a commodity. Furthermore, numerous offerings that are similar in attributes and cost make it very difficult to lock in customers.
Operational costs also present a significant challenge to service providers. Cumbersome, manual provisioning processes are the primary culprits. Customer orders must be manually entered and processed through numerous antiquated back-end systems that have been pieced together. Once the order has been processed, a truck roll is required for onsite installation and configuration of Customer Premises Equipment (CPE), as well as subsequent troubleshooting tasks. This is a slow and expensive process that cuts into margins and forces significant up-front charges to be imposed on the customer. In order to be successful in today's market, service providers must leverage the public network to offer high-value, differentiated services that maximize margins while controlling capital and operational costs. These services must be rapidly provisioned and centrally managed so that time-to-market and, more importantly, time-to-revenue are minimized. Traditional methods of data network service creation, deployment, and management present significant challenges to accomplishing these goals, calling for a new network service model to be implemented.
Basic Internet access, a staple of service provider offerings, has been commoditized to the point that margins are nearly non-existent. This fact has driven service providers to look for new value-added features and services to layer over basic connectivity so that they are able to differentiate on factors other than cost. The most significant opportunity for differentiation is found in managed network services. Managed network services enable enterprise IT organizations to outsource time-consuming tactical functions so that they can focus strategic core business initiatives.
Enterprise customers are now demanding cost-effective, outsourced connectivity and security services, such as Virtual Private Networks (VPNs) and managed firewall services. Enterprise networks are no longer segregated from the outside world; IT managers are facing mounting pressure to connect disparate business units, satellite sites, business partners, and suppliers to their corporate network, and then to the Internet. This raises a multitude of security concerns that are often beyond the core competencies of enterprise IT departments. To compound the problem, skilled IT talent is an extremely scarce resource. Service providers, with expert staff and world-class technology and facilities, are well positioned to deliver these services to enterprise customers.
While IT managers clearly see the value in utilizing managed network services, there are still barriers to adoption. Perhaps the most significant of these is the fear of losing control of the network to the service provider. In order to ease this fear, a successful managed network service offering must provide comprehensive visibility to the customer, enabling them to view configurations and performance statistics, as well as to request updates and changes. Providing IT managers with powerful Customer Network Management (CNM) tools bolsters confidence in the managed network service provider and can actually streamline the service provisioning and maintenance cycle.
Customer Premises Equipment (CPE)-Based Managed Firewall Services
Data network service providers have traditionally rolled out managed network service offerings by deploying specialized CPE devices at the customer site. This CPE is either a purpose-built network appliance that, in addition to providing specific service features, may also serve some routing function, or a mid to high-end enterprise-class server platform, typically UNIX-based. In the case of a managed firewall solution, the CPE device provides services that may include VPN tunnel termination, encryption, packet filtering, access control listings, and log files. The CPE at each customer site is aggregated at a multiplexer via leased lines and/or public Frame Relay PVCs (permanent virtual circuits) at the service provider POP (point of presence), then into a high-end access router and across the WAN (wide area network).
In many cases, service providers and enterprise customers find it too expensive and cumbersome to deploy CPE-based security at every site, but rather deploy secure Internet access points at one or two of the largest corporate sites. In this model, all remote site Internet traffic is backhauled across the WAN to the secure access point and then out onto the Internet, resulting in increased traffic on the corporate network and performance sacrifices.
Service providers face significant challenges when deploying, managing and maintaining CPE-based managed firewall services. When a customer expresses interest in utilizing such a service, a consultation with experienced security professionals is required to understand the corporate network infrastructure and site-specific security requirements, yielding a complex set of security policies. This may be accomplished through a set of conference calls or a number of on-site visits. Once the security requirements and policies have been identified, the service provider must procure the CPE device. In some cases, the equipment vendor may provide some level of pre-configuration based upon parameters supplied by the service provider. While CPE vendors are driving towards delivering fully templatized, pre-configured systems that are plug-and-play by enterprise staff, most service providers still assume the responsibility for on-site, hands-on configuration, and a truck-roll to each of the customer sites is necessary. This is particularly true in server-based CPE systems, where a relatively high degree of technical sophistication and expertise is required to install and configure a UNIX-based system.
Typically, a mid-level hardware and security specialist is sent onsite, along with an account manager, to complete the CPE installation and configuration. This specialist may be a service provider employee or a systems integrator/Value-Added Reseller (VAR) who has been contracted by the service provider to complete CPE rollout. This complex process begins with physical integration of the CPE device into the customer network. In the case of a CPE appliance, where the OS and firewall/VPN software components have been pre-loaded, the tech can immediately proceed to the system configuration phase. Server-based CPE services, however, require the additional time-consuming step of loading the system OS and software feature sets, adding a further degree of complexity.
In the configuration phase, the tech attempts to establish contact between the CPE device and central management system at the service provider NOC (network operations center). In cases where the device has not been previously assigned an IP address, an out-of-band signaling mechanism is required to complete the connection, typically a modem and a plain old telephone service (POTS) line. If the integration process has been successful, NOC staff should be able to take over the process, pushing specific policy configurations (and possibly an IP address) down to the CPE device through a browser-driven management interface. This entire process must be repeated for every enterprise site utilizing the managed-firewall service.
Additionally, maintenance processes and costs for CPE-based managed firewall services can also be overwhelming to both the service provider and enterprise customers. Enterprises are forced to either keep cold spares onsite or be faced with periods of absent security when their firewall fails, a situation that is unacceptable to most of today's information intensive corporations. Service providers must have an inventory of spares readily available, as well as staff resources that can, if necessary, go onsite to repeat the system configuration process. Troubleshooting thousands of CPE devices that have been deployed at customer sites is an extremely formidable challenge, requiring extensive call center support resources, as well technicians that can be quickly deployed on-site.
As CPE-based firewall services have traditionally been deployed in private enterprise networks, the original management systems for these devices have difficulty scaling up to manage several large, multi-site service provider customers. CPE device vendors are scrambling to ramp up these systems to carrier-grade and scale. Firewall management systems are typically GUI-based (graphical user interface-based), browser-driven interfaces that run on industrial grade UNIX platforms in the service provider NOC. The management system interfaces with the CPE devices based on IP address. The CPE-based managed firewall model faces service providers with another issue: capital costs. In addition to the significant costs required to build out a POP/access infrastructure, including multiplexers and high-capacity access routers, the service provider must also assume the initial costs of the CPE device, including firewall and VPN software licensing charges. In many cases, these costs are passed on to the customer. This creates steep up-front costs that, coupled with per-site installation charges, can present a serious barrier to service adoption. In markets where several service providers are offering managed firewall services, a service provider may absorb the CPE cost to obtain a price leadership position, cutting deeply into margins.
The CPE-based model is also limited when rolling out services beyond the managed firewall offering. New services, such as intrusion detection, may require additional hardware and/or software. This results in higher capital costs, as well as another expensive truck roll.
There is also a performance penalty in conventional IP-SEC-mode (Internet protocol secure mode) transmissions, in that each packet going through must be examined at the sending end of a transmission to determine whether it must be encrypted, and then each packet at the receiving end of the transmission to determine whether it must be decrypted.
Thus, there is a need for a method and apparatus of delivering a variety of network services, for example, security services, such as firewalls, and secure transmission of data across a network, such as the Internet.