
In Bay Networks' Words
Solution Summary:
Acme.com's 500 remote users will employ a Remote Access VPN based on the Bay Networks Extranet Switch 4000 (ES 4000). A single ES 4000 supports up to 2,000 simultaneous sessions, adequate for Acme.com's needs as the number of users grows to 1,500. Users will run Bay's Extranet Client, which implements the IPSec (IP Security) protocol. Most users will be able to choose their own ISP and access the VPN using whichever media they choose, including analog, ISDN, Data Over Cable and xDSL. Others will be able to connect via a service contracted between Acme.com and a global service provider.
Site-to-site VPN connectivity for Acme.com's plants and sales offices, as well as for its business partners, will be provided with existing equipment and WAN infrastructure combined with Bay Networks' BaySecure VPN Series 500 platforms deployed at those locations connected locally to the Internet. The VPN 500 is ideally suited for site-to-site VPNs. It supports IPSec Tunnel and Transport modes.
The VPN Series 500 also will be deployed in Acme.com's network where specific departmental security requirements exist.
Finally, the ES 4000 will be used to facilitate a supply-chain VPN between Acme.com and its customers, replacing the X.25 network currently used for this purpose.
Bay's proposed solution integrates seamlessly with Acme.com's existing network infrastructure, meeting a key requirement. Both the VPN 500 and the ES 4000 are designed to complement existing router, firewall and NAT (network address translator) functionality. Standard user authentication methods including RADIUS (Remote Authentication Dial-In User Service) and SecurID are supported.
Extranet Switch
The ES 4000 offers several key differentiators, making it ideally suited to meet the needs of Acme.com's remote work force:
Comprehensive Security
· Supports all leading tunneling protocols
· Strongest data encryption
· Filtering/firewalling
· Authentication through RADIUS, LDAP and SecurID
Performance/Scalability/Fault Resilience
· 45-Mbps throughput--best in class
· Up to 2,000 simultaneous tunnels
· Dual processors
· Redundant power, storage, authentication servers, etc.
Bandwidth Management
· Prioritization through the switch
· External QoS-RSVP management
· Role-based management
· Browser-based
· SNMP-based monitoring
Client Software Support
· No charge, unlimited usage
· PPTP
· IPSec
· IPass
BaySecure VPN Series 500
The Bay Networks VPN Series 500 also offers several key advantages, making it the industry's best solution for securing interdepartmental networks, intercompany networks (extranets) and extended intranets:
Comprehensive Security
· Industry-standard IPSec
· Strongest data encryption
· Secure management--SSL (Secure Sockets Layer), encrypted profile database
· Tamper-proof hardware--FIPS 140-1-compliant
Performance
· 10-Mbps throughput
· Choice of PPP or FR connection at T1/E1--wire speed performance
· Bypass mode for Internet traffic
· Supports a server, segment or site
Bandwidth Management
· Layer 3 compression
· Hardware-based compression/encryption--wire speed throughput without compromising security
Management
· Browser-based
· Java-based monitoring
· Complements SNMP management tool
Overall, Bay Networks feels that the combination of products and services submitted within this proposal will help Acme.com increase productivity and reduce operating costs without compromising the security or performance of its network.
Network Computing's Evaluation of Bay Networks' Response
Size does matter--but only when accompanied by quality. That sentiment aptly describes Bay's hefty response to Acme.com's RFP and explains why, after reviewing all of the responses, Bay gets the bid. Bay's experience in network solutions is reflected in the depth of its response. Bay identifies numerous pitfalls in architecting networks and furnishes a detailed project-management process and a three-pronged systems analysis that includes a protocol inventory, security audit, and network and systems analysis. Bay's solution fulfills the RFP's security requirement with hardware that complements or replaces existing Acme.com infrastructure with BaySecure VPN 500 series platforms. Remote users and supply-chain partners are supported with Extranet Client coupled with the Extranet Switch 4000.
Acme.com's move to a VPN for its mission-critical WAN strategy is a new direction for the company, and the expressed level of consulting and systems analysis offered by Bay prior to installation of the VPN should result in a more robust, streamlined VPN migration. Leveraging Bay's experience, the estimated 10-day network and systems analysis, security audit and protocol audit covers the gamut of services that the VPN will affect and should unearth potential trouble spots. Only ADI offered a similar service, although it did not estimate how long the analysis would take or provide details of the analysis. Bay also plans to offer a training course on the new technologies that will let administrators effectively install, configure and manage Bay's VPN products.
We like Bay's project management plan, too, promising constant oversight by Bay engineers and communication between the Bay team and Acme.com. The generalized description and anticipated flow of meetings and events display a long-term commitment to Acme.com's VPN rollout.
The resulting VPN combines two product lines. Remote users will connect to the Extranet Switch 4000 (ES4000), a network appliance capable of terminating IPSec (IP Security), L2F and PPTP tunnels in a single device. The ES4000 uses RADIUS (Remote Authentication Dial-In User Service) to access external user databases; it also can use its own internal LDAP database. Since Acme.com is heavily invested in both Windows NT and Novell's NDS, RADIUS authentication is a good solution. The extranet client is free, so in combination with PPTP--offered by Microsoft Corp. as a free upgrade--remote client costs are nil. Unfortunately, Bay doesn't make an IPSec client for MacOS, so those users will be limited to L2F or PPTP.
Acme.com's departments and remote sites will be secured with BaySecure VPN 500n and VPN 550n. The VPN 550n is for larger office and departmental sites with 10-Mbps Ethernet on each interface, while VPN 500n will replace the CPE at smaller offices. However, Bay's recommendation to coordinate the VPN with firewalls for access control doesn't offer the granular, user-based access control of Aventail's VPN server. Bay's Security Audit will certainly produce a more complete picture of the firewall requirements at Acme.com.