Network equipment maker Nortel hopes to make security easier to sell -- and to buy -- by making it an option that can be turned on any time after a product has been bought. The strategy is part of a major announcement the company made on Monday that promises a "holistic" approach to locking up networks, including traditional telephony and converged networks carrying voice over IP. The company has also increased its support for the current trend towards Secure Sockets Layer (SSL)-based virtual private networks.
Nortel's strategy, which it launched under the umbrella term Unified Security Architecture, is a set of planning tools aimed at chief information officers and network planners, together with a commitment from Nortel that its products will include security tools that work together. The scheme will gather together and apply accepted security wisdom.
Products include a new model in the Alteon SSL Accelerator range, the 410, which extends the existing SSL Accelerator 310 to include support for SSL-based VPNs that can give secure access to corporate applications from any Web browser. "The SSL accelerator offloads public key encryption and session management from the back end," said Rob Turner, Nortel's security spokesperson for Europe. "Heavy application usage and email with attachments will still require traditional IPsec VPNs though."
Nortel also said that "Secure Routing Technology", a scheme first launched at Networld+Interop in May, is now available. This allows fully secure products such as the Contivity VPN router to be sold with security features disabled for an entry level price -- users then pay for a security key to upgrade to the fully secure version. "We're disabling security in the box, so we can sell it as a plain text router price-competitive with other such routers, but with the knowledge that it can be easily upgraded and managed in future," said Turner.
For example, the Contivity 1700, which sells for $7000 and supports 500 VPN tunnels, will now be available for $3800, "strapped" back to a vanilla IP router with five VPN tunnels allowed "as a taster," said Turner. Adding the full VPN features will cost $4800. Buying the functions in stages adds 20 percent to the price, but Nortel claims this is still 60 percent cheaper than taking a similar route using Cisco products, where the upgrade means adding hardware. "Before, you had to make a decision whether you wanted the secure solution or the ordinary solution," said Turner. "We future-proof, by allowing you to select additional security functionality as you need it."
The Secure Routing Technology approach will also be added, in the fourth quarter of 2002, to Nortel's Business Communications Manager (BCM) product line -- a communications server for branches which includes Voice over IP, voicemail and traditional PBX in an NT server. The software upgrade will add VPNs and a firewall. "The product is in final testing," said Turner.
The solution is aimed at users moving from leased lines or frame relay to VPNs, or at those who become concerned about security risks within frame relay. "Users have a perception that frame relay is secure," Turner said. "But as we see more network sharing between operators, the concept that your data is secure over frame relay is just not true any more."
Selling a more complex product with some options disabled is a gamble, since it will have low margins unless a significant proportion of users take up the upgrade option. "We have to amortise functionality over the future," said Turner. "We believe people will enable it and we will get revenue over the fullness of time. We need to get into the IP connectivity market and begin lifting it beyond pure IP connectivity."
The VPN clients can be linked to specific applications, for instance launching only when SAP is running, so that network bandwidth is not wasted by encrypting non-critical data, said Turner.