It's a VPN thing - Technology Information

Communications News, August, 1999 by Morris Edwards

Enterprises are discovering assorted reasons for implementing virtual private networks (VPNs) over the Internet or a service provider's dedicated IP backbone.

Some are finding IP VPNs an effective way to provide a dispersed and mobile workforce with readily available and inexpensive access to the corporate LAN. Some are using IP VPNs as a less costly and more flexible alternative to leased lines for interconnecting LANs at different sites, while others are leveraging the ability of IP VPNs to connect partners, suppliers, and customers in a supply-chain extranet.

Remote access for mobile workers traveling worldwide is a particularly attractive use of VPNs. Rather than place a long-distance call to the corporate facility, the traveler simply dials the local Internet service provider's (ISP's) closest point of presence to access the Internet and communicate via the company's VPN. Even compared with dial-in 800/888 service for domestic users, VPNs can save as much as 60% of the line costs.

When used to replace leased lines, the savings with VPNs can be equally large. VPNs are also useful for shortening the time to establish new connections, especially abroad. And, since VPNs use Internet standards and technology, organizations can readily use them to create extranets for communications and sharing of information with members of the supply chain.

Looking ahead, with the growth of services such as Internet telephony and video over IP, enterprise VPNs could become the vehicle for integrating all forms of traffic onto a single, scalable IP network that maximizes bandwidth efficiency and simplifies policy-based management.

TUNNELING TRIO

In implementing a VPN, companies can buy carrier-provided services with varying degrees of management, or they can build one with hardware and software from a number of vendors.

Given the challenge of integrating the required hardware and software, outsourcing some or all of the VPN to a service provider is an attractive option. Less equipment must be purchased and maintained, and the service provider takes responsibility for implementation and end-to-end management. Even so, most organizations still prefer to keep at least part of the VPN implementation in-house, if only to retain internal control of security and such functions as user authentication.

In its global 1999 survey of WAN managers, International Data Corp. of Framingham, Mass., found that, of the companies with VPNs, only 20% had outsourced the service totally. Over 43% had implemented managed firewall or security solutions as a supplement to Internet access, while more than 26% were using VPN hardware and/or software.

VPNs employ a process called tunneling to create a virtual, dedicated path over the shared Internet or IP backbone. Various security services are then used to keep the data private. Security includes authentication, which validates that the source of the data is the one claimed, and access control, which restricts unauthorized users from gaining access to the network. Beyond that, the VPN needs to ensure confidentiality and data integrity by preventing anyone from reading, copying, or tampering with the data as it traverses the Internet or IP backbone.
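An added illustration of the tunneling and security services just described (not part of the original article, and not the wire format of PPTP, L2TP, or IPSec): a private packet is wrapped behind an outer gateway-to-gateway header, encrypted for confidentiality, and tagged with HMAC-SHA256 so the receiver can check source and integrity. The packet layout, the function names, and the HMAC-counter keystream standing in for a real cipher such as Triple DES are assumptions of this sketch.

```python
import hashlib, hmac, os, socket, struct

TAG_LEN = 32  # length of an HMAC-SHA256 tag

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode, used only
    # because the Python standard library ships no block cipher.
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

def encapsulate(inner: bytes, enc_key: bytes, auth_key: bytes,
                gw_src: str, gw_dst: str) -> bytes:
    """Wrap a private packet for transit between two VPN gateways."""
    outer = socket.inet_aton(gw_src) + socket.inet_aton(gw_dst)  # public addresses
    nonce = os.urandom(12)                                       # fresh per packet
    body = outer + nonce + _xor(inner, _keystream(enc_key, nonce, len(inner)))
    # Encrypt-then-MAC: the tag covers outer header, nonce and ciphertext.
    return body + hmac.new(auth_key, body, hashlib.sha256).digest()

def decapsulate(packet: bytes, enc_key: bytes, auth_key: bytes):
    """Return (gw_src, gw_dst, inner) or raise ValueError if the check fails."""
    if len(packet) < 8 + 12 + TAG_LEN:
        raise ValueError("truncated packet")
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("authentication failed: forged or modified packet")
    src, dst = socket.inet_ntoa(body[:4]), socket.inet_ntoa(body[4:8])
    nonce, ciphertext = body[8:20], body[20:]
    return src, dst, _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))

if __name__ == "__main__":
    enc_key, auth_key = os.urandom(32), os.urandom(32)
    # Constructed sample: a packet between two private LAN hosts.
    inner = b"10.1.1.5 -> 10.2.2.9 | payroll query"
    pkt = encapsulate(inner, enc_key, auth_key, "192.0.2.1", "198.51.100.1")
    print("on the wire:", pkt.hex())
    print("delivered  :", decapsulate(pkt, enc_key, auth_key))
    tampered = bytearray(pkt)
    tampered[25] ^= 0x01                         # flip one ciphertext bit in transit
    try:
        decapsulate(bytes(tampered), enc_key, auth_key)
    except ValueError as err:
        print("rejected   :", err)
```
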

Three popular tunneling protocols have emerged: Microsoft's Point-to-Point Tunneling Protocol (PPTP), the Layer 2 Tunneling Protocol (L2TP), and the IP Security Protocol (IPSec), backed by the Internet Engineering Task Force (IETF).

PPTP creates tunnels for transporting multiprotocol traffic over the Internet, but encryption is weak and its capabilities are more limited than IPSec's. L2TP supports multiple, simultaneous tunnels for a single client and provides better user authentication. However, IPSec is the most comprehensive protocol. Besides encryption and tunneling, IPSec provides for user authentication and automated key management with a standardized scheme known as Internet Key Exchange (IKE).

EQUIPMENT OPTIONS

In the battle for VPN equipment market share, network companies are adding security features to their products, including provisions for authentication and administration. At the same time, firewall and security companies are moving to provide turnkey VPN solutions for remote access, LAN-to-LAN, or extranet connectivity.

Not surprisingly, Cisco Systems is building its VPN strategy for both service providers and enterprises around its routers, effectively putting full VPN functionality in one box.

For enterprises, Cisco recently unveiled the new 7100 series of routers, which integrate high-speed routing with six key VPN components: tunneling, data encryption, security, firewall, advanced bandwidth management, and service-level validation. The router also comes with embedded WAN and Fast Ethernet interfaces to permit a turnkey VPN solution. Cisco argues that this approach reduces network cost and complexity compared with deploying numerous single-purpose devices.

Task-specific service modules handle VPN functions, such as encryption and tunneling, freeing the central processor to handle the high-speed routing. An optional integrated services module expands the router's VPN scalability, supporting up to 2,000 simultaneous VPN tunnel sessions with Triple DES encryption at full DS3 speeds.


 


Content provided in partnership with Thompson Gale