VPNs take center stage
Virtual private networks merge IP technology with encryption to offer significant cost savings on WAN traffic.
VPNs have come a long way from where they started five years ago with simple secure connections across the Internet. Today, VPN encryption is virtually uncrackable. Encrypted tunnels can be integrated with firewalls. Authentication and key exchanges are standardized, and service providers are offering service-level guarantees over their own IP networks instead of the unpredictable Internet.
Define your terms
Make sure you know what you mean by a VPN. It's where you use an IP backbone -- either the Internet or a network run by one service provider -- to carry your WAN traffic. To protect your data, you establish secure, encrypted connections called tunnels across that network. This is accomplished by adding a mix of VPN gear to your network: VPN clients for PCs, VPN firewalls, VPN routers, VPN gateways and VPN appliances that perform VPN functions separate from PCs. Remote PCs can connect to corporate sites that are outfitted with a VPN server or gateway. Corporate sites can connect gateway-to-gateway over a VPN. With cooperation, VPNs can be extended to include business partners and customers.

A VPN doesn't have to do all of that to be worthwhile. Consider Travelways travel agency in Minneapolis. It cut its WAN costs by 75% with a VPN that replaced four 56K bit/sec dedicated, digital data service lines. Those lines linked four Travelways offices with the Sabre travel network at a monthly cost of $1,600. A VPN, based on standard technology that comes with Microsoft's Windows NT Server and Windows 95 and 98 clients, lets Travelways connect the four offices via the Internet and share just one link to Sabre. Three of the dedicated links were retired, slashing the monthly bill to $400. That's about as simple as a VPN gets.

Travelways is discovering more ways to save money through VPN technology, such as when the company owner heads to South Africa for several months of the year. Now he can tap into the corporate network over the Internet via a local Internet access phone call rather than using international long-distance for direct dial.

More sophisticated networks require more sophisticated solutions. Healthcare provider Kaiser Permanente, for instance, plans a VPN that will have more than 20,000 users.
It is preparing for a VPN trial that will include remote access for its employees, but it will also test whether business affiliates can tap select corporate resources securely over the VPN, replacing frame relay connections that cost more. Frame relay is not only more expensive, it also requires more work to map static IP addresses from the business affiliates' networks to Kaiser's network, says Jim Best, Kaiser's network architect.

Build or buy?
There are layers of complexity to sort through, but first consider whether you want to piece together your own VPN or hire a service provider to do it for you. If you have stringent security needs, you probably want to build your own VPN. That way you control what client software you use, what gateways you use, who gets what level of access to corporate resources and what authentication scheme you put in place. Plus, building it yourself is a good way to educate yourself about the technology.

Interoperability still a problem
If anyone out there is going to connect to your VPN from a PC, they will need a client that is compatible with the gateway you are using. All gateway vendors sell clients that work with their own gateways, and some defer to other vendors to supply these clients. Most notably, Information Resources Engineering's client, SoftPK, is used by many other vendors. (Cisco recently dropped SoftPK after buying VPN vendors Altiga and Compatible and is working on its own client.)

If a company wants to give access rights to users who work for a business partner, it would simplify matters if the partner's VPN clients worked with the host company's VPN gateway. Then the host would only have to grant access and privileges via the host gateways. But although clients and gateways support IP Security (IPSec), the VPN standard, most do not interoperate with gear made by other vendors.

Users had hoped that Windows 2000 would solve this problem. Because it already ships with a VPN client, vendors could build interoperability between it and their gateways. Or companies that adopt Win 2000 Server could turn their servers into gateways. Win 2000 would be so widely available that the likelihood of finding a business partner using Win 2000 would be high. But Win 2000 does not attempt to fully implement IPSec. For example, it uses Layer 2 Tunneling Protocol, which is different from the tunneling used in fully IPSec-compliant gear.

The ubiquity of Windows is part of what made it attractive to Travelways, says Prashubh Batham, the Computer Pundits consultant who advised on that project. The travel agency used features that came with the Windows NT platform. If remote users want to connect to the corporate NT server via the VPN, they click an icon to get on the server. NT VPNs are not considered as secure as some other VPN gear, but they are useful for certain types of transactions.

Client distribution woes
Win 2000 VPN shortcomings also dash hopes that users would get around the burden of distributing VPN client software to thousands of PC users whose hardware is already in the field. Win 2000 would solve the VPN client distribution problem for Kaiser Permanente, Best says. But Win 2000 is not deployed in its enterprise, and the company has a lot to learn about Internet remote access VPNs before Win 2000 might be useful, he says. He places a high value on VPN clients already being installed on remote machines. "Client distribution is one of the aspects of this technology approach that's worth avoiding," Best says.

Alternatives today include having IS staff install clients, distributing CDs and letting users do the installation (a potential help desk nightmare) or having users download the software from a Web site and install it themselves. Some vendors are working on easy-to-install clients that can also be managed from a central workstation, but these features vary from vendor to vendor, so check them out carefully.

PKI please
Setting up a VPN tunnel takes place in discrete steps, and at each step companies have choices about what technology to use. First, one site or remote user has to connect with the network. That requires some form of verifying that the persons or devices connecting are who they say they are. This can be done with a user name and password that are checked against a Remote Authentication Dial-in User Service (RADIUS) database, as has been done traditionally with direct-dial remote access. This authentication can be enhanced with security tokens. If you have such security in place, it makes sense to buy a VPN that integrates with it so you don't duplicate efforts.

VPNs can employ public-key infrastructure (PKI), in which devices on the VPN swap encryption keys so they can send encrypted data back and forth. A certificate authority verifies users' keys and can issue and manage them for companies. These certificate authorities can be set up by individual companies, or a third party can run them. PKI is part of the IPSec standard, and while many vendors have adopted it, few have established interoperability with other vendors. Two that have are RSA Security, makers of Keon PKI software, and Baltimore Technologies, makers of UniCERT PKI software. They say they have tested their products and are fully interoperable. UniCERT and Keon issue and manage digital certificates within a PKI and authenticate users.

Best says he is exploring the possibility of using PKI to authenticate users and distribute and manage encryption keys. Meanwhile, he will continue to use the hardware security authentication tokens already used for direct-dial remote access. They take time to distribute and replace when they are lost, stolen or damaged, Best says, and he would like to drop that burden.
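The tunnel-setup steps just described, with a certificate authority vouching for each end's key before the key exchange, as an added Go example that is not from the article or from any vendor it names. It builds a constructed corporate CA with the standard library's crypto/x509, issues certificates to a gateway and a remote user, and has each side verify the other's certificate and its signed ephemeral ECDH value before deriving a shared session key. The CA and peer names, the "Rogue CA" used to show a rejection, and the hash-based key derivation are assumptions made for illustration; they stand in for a CA product and for the IKE exchange a real IPSec gateway runs, and do not reproduce either.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Peer is one end of the tunnel: its CA-issued certificate and key, plus the CA pool it trusts.
type Peer struct {
	Cert  *x509.Certificate
	Key   *ecdsa.PrivateKey
	Trust *x509.CertPool
}

// must panics on fixture-setup errors; the handshake itself returns its errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// certFor signs a certificate for name; with parent == nil it becomes a self-signed CA
// (a constructed stand-in for the in-house or third-party CA the article describes).
func certFor(name string, serial int64, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // self-signed root that may sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// sayHello makes an ephemeral ECDH key and signs its public value with the certificate key.
func sayHello(p *Peer) (eph *ecdh.PrivateKey, pub, sig []byte) {
	eph = must(ecdh.P256().GenerateKey(rand.Reader))
	pub = eph.PublicKey().Bytes()
	digest := sha256.Sum256(pub)
	return eph, pub, must(ecdsa.SignASN1(rand.Reader, p.Key, digest[:]))
}

// deriveSession is the receiving side: chain peerCert to a trusted CA, verify the signature
// over the peer's ephemeral value, complete ECDH, and hash the shared secret into a session key.
func deriveSession(p *Peer, eph *ecdh.PrivateKey, peerCert *x509.Certificate, pub, sig []byte) ([]byte, error) {
	if _, err := peerCert.Verify(x509.VerifyOptions{Roots: p.Trust}); err != nil {
		return nil, fmt.Errorf("peer certificate rejected: %w", err)
	}
	digest := sha256.Sum256(pub)
	if pk, ok := peerCert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pk, digest[:], sig) {
		return nil, fmt.Errorf("signature over ephemeral value does not verify")
	}
	peerPub, err := ecdh.P256().NewPublicKey(pub)
	if err != nil {
		return nil, fmt.Errorf("malformed ephemeral value: %w", err)
	}
	shared := must(eph.ECDH(peerPub)) // both sides use P-256, so no curve mismatch is possible here
	key := sha256.Sum256(append(shared, "vpn-session-key"...)) // simple KDF, enough for the example
	return key[:], nil
}
// Tunnel runs the exchange from both ends; on success both keys are equal.
func Tunnel(client, gateway *Peer) (cKey, gKey []byte, err error) {
	cEph, cPub, cSig := sayHello(client)
	gEph, gPub, gSig := sayHello(gateway)
	if cKey, err = deriveSession(client, cEph, gateway.Cert, gPub, gSig); err == nil {
		gKey, err = deriveSession(gateway, gEph, client.Cert, cPub, cSig)
	}
	return cKey, gKey, err
}
// Demo: a corporate CA issues certificates to a gateway and a remote user; both ends must
// derive the same key, and a same-named certificate issued by another CA must be refused.
func Demo() (agreed, rogueRejected bool) {
	ca, caKey := certFor("Corporate VPN CA", 1, nil, nil)
	trust := x509.NewCertPool()
	trust.AddCert(ca)
	gwCert, gwKey := certFor("vpn-gateway.example", 2, ca, caKey)
	userCert, userKey := certFor("remote-user-01", 3, ca, caKey)
	gateway := &Peer{Cert: gwCert, Key: gwKey, Trust: trust}
	cKey, gKey, err := Tunnel(&Peer{Cert: userCert, Key: userKey, Trust: trust}, gateway)
	agreed = err == nil && len(cKey) == 32 && string(cKey) == string(gKey)
	rogueCA, rogueKey := certFor("Rogue CA", 1, nil, nil)
	rCert, rKey := certFor("remote-user-01", 4, rogueCA, rogueKey)
	_, _, err = Tunnel(&Peer{Cert: rCert, Key: rKey, Trust: trust}, gateway)
	return agreed, err != nil
}
func main() { fmt.Println(Demo()) }
```

Run it with `go run` (Go 1.20 or later, for crypto/ecdh). The second half of Demo is the point the article's PKI discussion turns on: the gateway does not decide whom to trust by the user name in the certificate but by which CA signed it, so a certificate that looks identical but chains to a CA outside the trusted pool is refused before any key material is exchanged. Production gear adds what this sketch leaves out: revocation checking, a standard key-derivation function, and the full IKE negotiation.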
Remote security needs attention
Everyone has heard of DSL, and now they want it. It's cheap and fast, and if an enterprise user becomes a telecommuter, they want DSL, not some pokey 56K bit/sec modem. If that telecommuter is hooked into a VPN, that always-on DSL connection becomes a security risk that has to be dealt with. That means a firewall to keep intruders out of that remote PC and out of corporate resources. But personal firewalls are not cheap if you're outfitting thousands of users. That has some users checking out VPN appliances such as those made by SonicWall or NetScreen. Those boxes cost approximately $500 and include a firewall, encryption hardware and VPN software. These are inexpensive, but require VPN servers made by the same vendors at central sites.

Through a spinoff called SofaWare, VPN vendor Check Point Software is looking into VPN firewall software that DSL and cable modem vendors could install on their gear to secure broadband connections. But at the moment, it is an issue users will have to struggle with, says Dave Kosiur, an analyst with The Burton Group, a consultancy in Midvale, Utah.

Retail chain Lamps Plus in Chatsworth, Calif., solved that problem by hiring a service provider, Zyan, to install the DSL. Lamps Plus runs its VPN over Zyan's network, avoiding the Internet and its security threats. That also saves Louis Astorga, director of PC support for Lamps Plus, from dealing with three different local phone companies for DSL service. "We just gave Zyan the locations and they took it from there," Astorga says.

Forge ahead
The bottom line is VPNs aren't perfect, but they can be useful. Remember, all VPNs are not created equal, so tailor yours to the needs of your end users with the knowledge that maybe your VPN won't give you everything you want, at least not right away. Forge ahead anyway. Vendors and service providers have been working on VPNs for five years now, and parts of the technology are well established. Firewalls? No problem. Triple-DES encryption? All set. Interoperable IPSec tunneling? Hmmm. Maybe someday.

Related links
Contact Senior Editor Tim Greene
Other recent articles by Greene
VPN service providers: There are plenty of options if you want to outsource your VPN.
Trimble Navigation finds VPNs useful for remote access: Employees find joy in setting up a VPN.
VPN vulnerability: Personal firewalls for remote users are recommended to protect the network from hack attacks.
Face-off: Build your own VPN or outsource? Indus River Networks' Dave Zwicker and Concentric Network's Mark Fisher face off.
Archive of Network World features
Subscribe to our VPN e-mail newsletter