By TIM GREENE
Network World, 09/27/99

IP virtual private networks are your answer to any number of problems: expensive remote access, complex WANs and insecure links between you and your business partners, right?

Maybe someday. VPNs are maturing rapidly, but they still can't do everything people say they can.

What a VPN can do today is replace dial-up remote access and save you money - maybe even big money, depending on the size of your operation. But it will take better quality-of-service (QoS) tools before VPNs can truly replace your data WAN. And interoperability among vendors' VPN gear will be needed before granting trusted outsiders secure access to your network becomes painless.

All that is coming, with lots of work going on in the Internet Engineering Task Force (IETF) to whip VPN standards into shape. At the same time, carriers are working to find the best way to guarantee QoS so they can offer service-level agreements that ensure key traffic gets priority handling.

An IP VPN - for which secure links are set up among sites over a public IP network such as the Internet - fits naturally as a replacement for remote access. Instead of calling corporate remote access servers via expensive 800 numbers or long-distance direct dial, remote users place a local call to an ISP. Users then establish a secure, encrypted IP link to a corporate tunnel server and access corporate resources over the 'Net.

The ISP charges a flat monthly rate that, for many users, dramatically undercuts the cost of direct dial for remote access. Reliant General, a San Diego insurance company, can attest to that.

Reassuring figures

Reliant had been paying between $8,000 and $10,000 monthly so just 10 users could dial in to the corporate network using an 800 number. The company decided to invest about $20,000 to install a T-1 to the Internet and to buy a VPN server and remote client software from Axent Technologies, says Carey White, director of MIS at Reliant. Now monthly costs are $2,500, and the number of remote users has increased to more than 100.

"The VPN is pretty solid. We have people on for six or eight hours at a time with no problem at all," White says.

VPNs are also great for connecting major corporate sites if you are willing to put up with uncertain service quality. At IT services firm Keane, the savings associated with replacing a T-1 with a VPN more than compensate for the delay incurred on the Internet link. The Boston firm saves $9,000 monthly because it replaced a T-1 to London with a VPN tunnel created using Indus River gear, says Rue Moody, Keane's manager of network services.

Some ISPs, such as Concentric Network and UUNET, offer VPN services that keep your traffic on their networks only, avoiding the unpredictability of the Internet. With this option, the ISPs offer service-level guarantees.

But QoS by application isn't an option offered by any service provider so far, says John Morency, an analyst at Renaissance Worldwide in Bedford, Mass. The only guarantees are for network transport time for all traffic, he adds. So e-mail gets the same priority as resource management applications.

Encryption is the fly in the QoS ointment. QoS is difficult to guarantee when traffic is encrypted because the bits that mark QoS are scrambled along with the rest of the packet and can't be read by routers in the network. The problem is dealt with in IPv6 by adding more unencrypted header fields to carry QoS information. These, presumably, can be read by any router.
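To make concrete why transit routers lose sight of a QoS mark once traffic enters a tunnel, here is an added example written for this page in Python; it is not from the original article or from any vendor named in it. It builds a constructed IPv4/TCP packet marked for priority, wraps it in an ESP tunnel-mode packet (random bytes stand in for the ciphertext; no real cipher is involved), and shows what a router can classify in each case. It also goes one step beyond the paragraph: IPsec's tunnel-mode header rules let the tunnel endpoint copy the inner DS field into the unencrypted outer header, which restores per-packet priority handling even though the inner ports (and so per-application classification) stay hidden. The addresses, SPI and the port 1352 are constructed sample values.

```python
"""Constructed example: what a router can see of a QoS marking once traffic
is inside an IPsec ESP tunnel. Packets are built by hand; the ESP payload is
random bytes standing in for ciphertext (no real cipher is used here)."""
import os
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50
EF = 46  # DSCP "expedited forwarding", a typical high-priority marking


def ipv4_header(dscp: int, proto: int, payload_len: int,
                src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02") -> bytes:
    """Minimal 20-byte IPv4 header (no options, checksum left zero)."""
    version_ihl = (4 << 4) | 5
    tos = dscp << 2            # DSCP occupies the top six bits of the ToS byte
    total_len = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", version_ihl, tos, total_len,
                       0, 0, 64, proto, 0, src, dst)


def tcp_header(sport: int, dport: int) -> bytes:
    """Minimal 20-byte TCP header with only the ports filled in."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 0, 0, 0)


def esp_tunnel(inner_packet: bytes, spi: int, seq: int, copy_dscp: bool) -> bytes:
    """Wrap a whole inner IP packet in ESP tunnel mode.

    The inner packet (including its own IP header and QoS marking) is
    replaced by random bytes to model ciphertext. If copy_dscp is set, the
    inner DSCP is copied to the outer header, as the IPsec tunnel-mode
    header rules permit; otherwise the outer header carries default marking.
    """
    inner_dscp = inner_packet[1] >> 2
    ciphertext = os.urandom(len(inner_packet) + 16)  # padding/ICV stand-in
    esp = struct.pack("!II", spi, seq) + ciphertext
    outer_dscp = inner_dscp if copy_dscp else 0
    return ipv4_header(outer_dscp, IPPROTO_ESP, len(esp)) + esp


def classify(packet: bytes) -> dict:
    """What a transit router can learn from the packet without any key."""
    tos, proto = packet[1], packet[9]
    info = {"dscp": tos >> 2, "proto": proto}
    body = packet[20:]
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", body[:4])
        info["ports"] = (sport, dport)          # application is identifiable
    elif proto == IPPROTO_ESP:
        info["spi"] = struct.unpack("!I", body[:4])[0]
        info["ports"] = None                    # inner header is opaque
    return info


def demo():
    """Plain packet, tunnelled packet with default outer marking, and
    tunnelled packet with the inner DSCP copied to the outer header."""
    # Constructed inner packet: priority-marked TCP to port 1352 (Lotus Notes).
    inner = ipv4_header(EF, IPPROTO_TCP, 20) + tcp_header(40000, 1352)
    plain = classify(inner)
    opaque = classify(esp_tunnel(inner, spi=0x1000, seq=1, copy_dscp=False))
    copied = classify(esp_tunnel(inner, spi=0x1000, seq=1, copy_dscp=True))
    return plain, opaque, copied


if __name__ == "__main__":
    for label, result in zip(("plain", "esp, no copy", "esp, dscp copied"), demo()):
        print(f"{label:18} -> {result}")
```

The middle result is the situation the paragraph describes: the router sees protocol 50, an SPI and a default DSCP, nothing it can use to prioritise. The last result shows the marking surviving in the outer header; the ports remain hidden, so a provider can honour a per-packet class but still cannot offer QoS by application.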

Of course, IPv6 hasn't been widely adopted yet.

Another potential solution is Multiprotocol Label Switching (MPLS), which constrains traffic so it can go only to certain sites, thus eliminating the need for encryption. But again, this Layer 3 switching technology is not widely adopted in carrier networks. And the IETF's work on MPLS is not complete, although that hasn't stopped vendors from implementing MPLS and then extending it in their own ways - a nearly foolproof way to take a standard and remove vendor interoperability.

MPLS won't be a method to implement QoS on VPNs anytime soon.

The good and the bad

Without the ability to minimize delay and guarantee throughput, VPNs will be limited to handling low-priority enterprise traffic, says Eric Zines, an analyst with TeleChoice, a telecom consultancy in Owasso, Okla. "The tools haven't been deployed yet for VPNs to compete as mission-critical transport," he says.

Still, site-to-site VPNs are fast to set up, and that holds certain appeal. Software vendor Platinum Technology International, for example, has temporarily linked about 10 acquired companies to its network via a VPN. That's much better than waiting a month until frame relay circuits can be set up, says Chuck Horvat, manager of enterprise data communications at the company, which itself was recently acquired by Computer Associates.

"We are able to connect in a very short time using VPN equipment, so we can share Lotus Notes, e-mail servers and intranet Web servers with new acquisitions," he says.

It is a bit troublesome to set up a VPN that ties together major corporate sites, even though the concept is simple. In theory, you put a VPN encryption box at each site and off you go. And extranet VPNs - secure links with business partners that you want to grant access to certain network resources - are especially challenging to set up.

Both schemes are problematic because using the developing IP Security (IPSec) standard to encrypt data traveling between sites requires that partners share encryption keys with one another. Because of interoperability problems between vendors' gear, tools that use the Internet Key Exchange (IKE) authentication protocol spelled out in IPSec (specifically, in the IETF's RFC 2409) generally don't work well unless you use equipment at each node that is made by the same company.

That is a plausible fix for a VPN intranet in which you have control over the entire purchasing decision. But getting your business partners to install the same-make gear is daunting for financial, logistical and political reasons.


Another choice is to exchange keys offline. But that's cumbersome and not as secure because it forfeits niceties such as the ability to choose an encryption algorithm on the fly - a feature IKE defines. Other IKE add-ons include support for certificates and token cards.

Makers of VPN gear recognize the key exchange problem and are working on it. Most participate regularly in interoperability bake-offs.

"I expect to see by the end of the year that most people will attack the public-key infrastructure problem," says Chris Liljenstolpe, who worked on VPN interoperability tests at NetWorld+Interop '99 in Las Vegas and is lead engineer for global networking at Cable & Wireless.

Of course, interoperability is key not only for setting up extranet VPNs but also for avoiding dependence on one vendor. Jim Logan, security specialist for the state of Kansas, found that a handy factor.

Kansas agencies are large enough to purchase their own VPN gear, but some agencies still need to talk to one another. "If all our devices stay IPSec-compliant, we should be able to communicate with one another. We kind of hate to be dependent on any single vendor for any equipment," he says.

IPSec is a good VPN standards package, Logan says, "as long as you qualify it with 'on paper.' The reality of it may be different."

Management challenges

Beyond the major nuts and bolts of VPNs, vendors are still working out the bells and whistles.

Distributing VPN clients and keeping them on the same software release is a challenge in VPNs with thousands of remote access users. Many vendors are embracing remote download of clients while they await Windows 2000 clients that Microsoft says will support IPSec.

Management of VPNs is also a challenge. Keeping thousands of encrypted sessions alive and repeatedly changing encryption keys to ensure security is a problem with which vendors and standards makers are still grappling. The IETF recognizes that under IPSec, VPN devices have no quick way of knowing when sessions they have established with other devices have failed. While the IETF has several proposals before it, the standards body has not yet taken up any of them.

VPNs have a way to go yet, but it is clear they provide some value today. If you begin on a small scale using VPN applications that work for you, you can grow your knowledge of VPNs as the technology matures. When it is ready for more sophisticated applications, you will be, too.

  Copyright, 1995-2001 Network World, Inc. All rights reserved.