OT> As far as understanding your company's needs for a VPN, this article covers all the bases and is one of the best written.
Virtual Private Networks: The Big Payoff
Access to corporate IT resources from anywhere at any time has become a mission-critical requirement for today's organizations. VPNs step up to the plate.
Mark Tuomenoksa
Network and IS managers are besieged by an ever-increasing number of mission-critical applications demanding their time and attention. E-mail, e-commerce, sales support, customer service, IP telephony, and data warehousing are all high priorities on corporate agendas. Demands for these applications come 24 hours per day, seven days per week from traveling salespeople, telecommuters, customers, partners, and branch offices.
All of these applications and users share a common need: instant, inexpensive business access from any location at any time. Business access includes dial-up remote access that connects traveling employees and telecommuters through the telephone network, intranets that connect branch offices through leased line and frame relay services, and extranets that connect business partners and customers to corporate information and commerce services.
Universal business access requires a flexible, secure, and reliable data communications infrastructure. Network administrators face the daunting task of increasing function and capacity, maintaining security and quality, and reducing costs. Business access presents an especially difficult cost-reduction challenge: It has all the complexity of data networking (with accompanying high administrative costs) as well as the expensive, transport-intensive costs of the telephone network.
The litany of costly services associated with business access starts with dial-up connections provided by the telephone network and progresses through ISDN, frame relay, DSL, and T1 and T3 leased line services. How expensive are these services? The 800-number charges for a mobile salesperson connecting to e-mail and information servers can easily run $240 per month. A dedicated, 64-kbps, coast-to-coast frame relay circuit costs about $900 per month.
An emerging technology that both slashes business access costs and greatly enhances productivity is virtual private networks (VPNs). VPNs offer an inexpensive, reliable, and secure alternative to traditional business access methods.
VPNs create secure paths or tunnels through the Internet (or through private networks) to transmit data between individuals, branch offices, and the corporate network. VPNs can use the Internet to replace traditional private networking resources or public telephone networks (see Figure 1). They support two basic applications: individual remote access and office-to-office communication.
With VPN remote access, it is no longer necessary, for example, to make a long-distance telephone call from Boston to San Francisco in order to connect back to the corporate resources on a dial-up modem bank. Instead, the employee dials into a local modem provided by an Internet service provider (ISP) in Boston and connects through the Internet to the LAN resources in San Francisco. Making a local telephone connection and a long-distance Internet connection avoids the expensive long-distance toll charge.
In the case of office-to-office applications, a company may want to connect several offices in different locations. Typically, such connections are made with a leased line or a frame relay network. Leased lines can cost thousands of dollars per month. To manage these costs, it is important to provide the right bandwidth for each interoffice connection. Some offices are connected at 56 kbps, some at 384 kbps, and others at 1.5 Mbps.
Instead of privately connecting the offices, a VPN connects each office directly to the Internet via local Internet points of presence (POPs). Because it is a short, inexpensive hop from the office to the Internet, this connection can have more bandwidth than the long-distance office-to-office connection. A 384-kbps fractional T1 office-to-office circuit can be replaced with a full 1.5-Mbps T1 connection to the Internet. A VPN server in each office then uses the Internet connection to establish secure tunnels between individual offices. As a result, any office can communicate with any other office. Again, long-distance, leased line, and frame relay charges are eliminated by connecting over the public Internet.
Security Concerns
People have been resistant to using the Internet for corporate network access because of security concerns. VPN technology is addressing this problem on three fronts: privacy, integrity, and authenticity. Privacy ensures that no one can view or obtain data as it is transmitted. Integrity ensures that no one can modify or tamper with the data; data arrives intact. Authenticity guarantees that the communicating parties are who they represent themselves to be.
Privacy and integrity are ensured through the use of encryption technology such as DES and Triple-DES (3DES). These powerful and popular encryption techniques are used by many VPN vendors and, when combined with a sound security policy, provide levels of security as good as or better than traditional private networking. Authentication is provided by using digital certificates, which ensure that unauthorized users cannot misrepresent themselves and gain access to the network.
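As an added illustration of the three properties just named (not part of the original article or any vendor's product), the following Python builds a minimal tunnel record: a keystream cipher for privacy, and a keyed MAC over the ciphertext for integrity and authenticity. It also shows the caveat a practitioner wants here: encryption alone does not give integrity, since a flipped ciphertext bit decrypts silently to a flipped plaintext bit. The SHA-256 counter keystream, key sizes and record layout are constructed for this example and stand in for the DES/3DES ciphers the article mentions.

```python
import hashlib
import hmac
import os

# Added example, not from the article. A minimal tunnel record giving the three
# properties the article names: privacy from a keystream derived from a shared
# secret, integrity from an HMAC over the ciphertext, and authenticity because
# only the two tunnel endpoints hold the MAC key. The SHA-256 counter keystream
# is a teaching stand-in for the DES/3DES ciphers the article mentions.
NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key and nonce into `length` pseudorandom bytes (counter mode)."""
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(d ^ s for d, s in zip(data, stream))

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then MAC. Record layout: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def open_record(enc_key: bytes, mac_key: bytes, record: bytes):
    """Check the tag before decrypting; return None on any failure."""
    if len(record) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # modified in transit or wrong peer
        return None
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))

def decrypt_without_mac(enc_key: bytes, record: bytes) -> bytes:
    """Encryption alone: a flipped ciphertext bit becomes a flipped plaintext bit, unnoticed."""
    nonce, ciphertext = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN]
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))

def flip_bit(record: bytes, index: int) -> bytes:
    """Simulate one corrupted ciphertext byte on the wire."""
    mutable = bytearray(record)
    mutable[NONCE_LEN + index] ^= 0x01
    return bytes(mutable)
```

Run `open_record` on a record produced by `seal`, then on the output of `flip_bit`: the first returns the plaintext, the second returns None, while `decrypt_without_mac` on the same corrupted record returns subtly wrong data with no error.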
VPNs offer uniform performance because VPN links are always based on a local telephone call. For example, in the case of an individual remote access application, a call from Seoul, South Korea, to Miami would go through numerous analog-to-digital and digital-to-analog conversions as it traveled from one telephone company to another. This limits the baud rate to around 4800 bps. Compare this to a VPN baud rate of 33.6 kbps that is available simply by calling a local ISP in Seoul.
Significantly higher performance translates into improved personal productivity. In this example, the amount of time required to transmit a PowerPoint presentation could be slashed from one hour to 10 minutes.
Productivity can also be improved in office-to-office remote access applications. Consider the case of Jetform Corporation, a vendor of electronic forms and workflow applications. The company wanted to connect 14 offices worldwide. It had used frame relay to provide branch connections and communications servers for remote access.
Working through affiliate JetNet Internetworking Services Inc., Jetform replaced its frame relay network with VPN connections over an Internet protocol (IP) network. The IP service was provided by a single service provider, AT&T. Jetform was looking for a well-engineered and bundled dial service, backbone service, and Internet connections from one company without ever having to traverse the public Internet.
Jetform stayed with the same service provider but replaced its frame relay services with IP services. As it turned out, the VPN service outperformed frame relay to the point where Jetform was able to run voice over IP (VoIP) over its VPN. The VPN reduced data delay times from 450 milliseconds to 275 milliseconds, on average. The company hopes to save $40,000 per month and achieve a full ROI in nine months.
Premises-based VPN Solutions
The premises-based remote access hardware and software required to implement VPN technology often cost $5000 or less for small companies and up to $20,000 for mid-size firms. Larger systems typically support several hundred users. This compares favorably with the use of access concentrators that may cost between $3000 and $5000 for an eight-port box. All premises-based systems should interoperate seamlessly with existing firewalls, routers, and services. They should also interoperate easily with all authentication technologies.
Network managers should closely evaluate potential premises-based VPN solutions. Some vendors install VPN capabilities within existing firewalls or Internet routers. While this method is inexpensive, it also has certain drawbacks. For example, this approach creates a single point of failure, as opposed to dedicated VPN implementations that are not directly integrated with firewalls and routers. Firewall- and router-based systems may further lack the performance to support MIPS-intensive encryption requirements.
There is also a variety of software-only VPN solutions. One example involves using a Microsoft Windows NT server in conjunction with point-to-point tunneling protocol (PPTP). This alternative is also inexpensive, because it comes with the NT server. However, PPTP is an insecure protocol that lacks performance, especially in interactive applications.
Multiservice technology is also an important factor to consider. VPN transmission services vary by service provider. Some providers sell individual remote access and office-to-office services as part of an overall package. Although this may lead to lower costs, it also creates liabilities. For example, customers are limited by the availability and quality of the service provider's POPs. A service provider without worldwide points of presence may not be able to supply the needs of a worldwide sales force. Also, some service providers have a global presence but do not have uniform quality or capacity throughout their networks, which can lead to poor service.
A multiservice VPN solution allows businesses to mix and match service providers, because it is implemented completely on the business premises. A network administrator can install a VPN server that supports multiple Internet connections. For example, one server can terminate connections from both AT&T and GTE.
This ability to support calls from multiple carriers offers two advantages. First, it provides businesses with coverage wherever they need it because different service providers have strengths in different parts of the world. Second, it offers redundancy in case one service provider has a network failure. This approach also saves money because one can use the prospect of multiple service offerings to negotiate better pricing with service providers.
To calculate the cost of implementing a VPN, try the VPN Calculator located at shiva.com/remote/vpnroi.
VPNs allow users to reduce operational costs, implement new applications, and increase productivity in a wide range of networking environments. The level of VPN awareness is growing and the technology's quantifiable benefits are likely to bring VPNs widespread recognition and use in the near future.
Mark Tuomenoksa is the chief technology officer and vice president of Virtual Private Networking at Shiva Corporation.