VPNs are easy - once you get the clients installed
Virtual private networks
The big draw of using virtual private networks (VPN) for remote access - tying more end users into your corporate network - is also one of the big drags. After all, the more end users you tie in, the more remote client software you'll need to manage.
Network executives have to consider how to distribute, install, maintain and upgrade VPN client software. In a VPN with thousands of users, that can be an unwelcome necessity.
VPN vendors are well aware of the client management problem and are working to fix it. Many vendors make client software available as Web downloads, include wizards to steer end users through the installation process and update the software as users log on to the corporate network.
Companies have started to turn to VPNs as a way to use the Internet as a WAN connection for remote access. That means using authentication, authorization and encryption to set up secure links, called tunnels, over the Internet. Client software on remote PCs is needed to handle all that security.
The simplest client to use is one that is already distributed within the operating systems used by the remote PCs.
Microsoft Windows 95, 98 and NT, for example, all support a VPN tunneling technology based on the Point-to-Point Tunneling Protocol (PPTP). This protocol encrypts packets and wraps them inside an IP datagram for transport across the Internet.
But many users think PPTP is not secure enough for sensitive corporate data and instead use IP Security (IPSec), a stricter standard for authorization and encryption over VPNs. IPSec is not yet embedded in any vendor's operating system, so using the security technology requires separate client software.
Distributing clients
The first hurdle users face is distributing the VPN software to client machines. This can be done via disk, e-mail or as a download from a Web server.
Disks work well if a company's IS staff is installing the client technology, but this method requires site visits or bringing all the PCs to a central location, according to Eric Zines, an analyst at TeleChoice. Either of these processes can turn into a logistical nightmare.
Network managers could send the disks to end users, but this would require end users to install the software themselves. Installation could be beyond their capabilities, Zines says. The same would be true of installing the software if it were sent as an e-mail attachment.
As a result, many VPN vendors have introduced ways to download client software from Web sites.
VPNet, for example, offers DynaPolicy Download, which automatically distributes clients and client policies. From a central server, network administrators set the parameters defining each end user's remote access rights.
Users fetch the client from a corporate intranet Web server, which is protected by a password. If the client changes, it has to be reinstalled. VPNet is trying to streamline that process.
This fall, VPNet plans to upgrade its distribution software to signal remote users that a new client is being downloaded, says Richard Kagan, a VPNet vice president.
Enterprises prefer to establish a standard PC platform for all their end users and install the VPN client software before issuing the machines. For example, Verisign is setting up a VPN for hundreds of users and is preconfiguring PCs with SoftPK clients made by Information Resource Engineering (IRE). The machines are then shipped to end users, according to Marshall Behling, Verisign's strategic business developer.
This is a safe way to go, says John Summers, senior product marketing manager for GTE Internetworking, which provides a managed VPN service. PCs need certain minimum hardware and software to support VPN clients, so making sure those requirements are met in advance makes sense, he says.
But this is not always possible. Once a PC is in use at a remote site, it is sometimes difficult to schedule time to take the machine down for an upgrade.
Because GTE manages clients for its customers, the service provider wanted to update customers' PCs in a way that is simple for end users.
GTE developed VPN Advantage Prep Tool, software that inventories remote PCs to determine what software they lack. The tool then directs users to Web sites from which they can get the appropriate downloads.
For example, the client GTE uses for its service is TimeStep's Permit/Client. This client requires a Windows 95 PC upgraded to include WinSock 2 software, which lets Windows programs interface with TCP/IP networks.
If WinSock 2 is missing, the VPN Advantage tool redirects remote users to the Microsoft Web page from which they can download the necessary software. Once the PC meets the specifications, VPN Advantage downloads Permit/Client. GTE launched the installation tool with its service three weeks ago.
Cracking the code
Beyond simply downloading software to the client, end users also have to register their encryption schemes so their coded messages can be deciphered by corporate servers.
IPSec uses encryption keys - strings of numbers used in conjunction with an encryption algorithm - to secure data.
Both ends of a VPN connection need to share keys to successfully pass data.
Passing keys between clients and central-site VPN gear requires the use of a certificate authority that stores users' keys and issues digital certificates that verify users' public keys to other users.
Managing the key process is tedious if done manually. That's why companies such as IRE and Verisign are working together to automate the process using the Certificate Enrollment Protocol (CEP).
Other vendors, including Network Associates, will have similar CEP tools by the end of the summer, Verisign's Behling says.
Microsoft plans to integrate an IPSec client with Windows 2000 to eliminate much of the concern about distributing VPN clients, according to Greg Marcotte, a vice president for VPN vendor Altiga. When that happens, VPN vendors will be able to exit the client business.
But, of course, not all enterprises upgrade quickly to the latest operating system or even use Windows on the desktop. So distributing VPN clients will remain an issue for VPN users and vendors for quite some time.
