Outsourcing VPNs: Privacy for hire

George Gaulda, CIO at Link Staffing Inc., wanted to securely connect 49 branch offices in 23 states to his company’s Houston headquarters. Gaulda decided he needed to build a virtual private network (VPN) to tie the far-flung parts of Link Staffing together. Trouble was, he lacked the staff to design and manage the system in-house.

So Gaulda chose OpenReach Inc. in Woburn, Mass., to provide Link Staffing with a secure VPN over the public Internet.

Link Staffing is one of many companies that are turning to outsourced VPNs, whether over the Internet or through the private IP network of a service provider. Some are pinched for security-savvy network personnel. And even some that have the staff simply want to off-load the hassle of policing increased infrastructure to a firm that provides VPNs for a living.

The offerings of those providers, however, vary significantly and require users to evaluate their needs thoroughly and select their providers carefully.

For example, Gaulda discovered that his firm needed a VPN service that used the Internet as the transport mechanism but didn’t require Link Staffing to replace the eight Internet service providers that connect its remote offices. For Link Staffing, technical support for the VPN was also a crucial issue, a fact proved by bitter experience.

Prior to cutting a deal with OpenReach, Gaulda says, he had a “very bad experience with a major service provider.” Gaulda won’t name the company, but he says it was unwilling to provide the support his firm needed. His technicians ended up doing most of the VPN support, which contradicted the idea of using a service provider in the first place, he says.

Although OpenReach manages the network, Gaulda says he never feels out of the control loop because he can view VPN performance from his own desktop through a special browser-based interface. “I can drill down to the workstation level on a remote location [to see how the VPN is performing],” he says.

The OpenReach service costs Link Staffing US$100 per month per site, or US$4,900 per month total, according to Gaulda.

APL Logistics Ltd., a contract logistics company and unit of Singapore-based shipping giant Neptune Orient Lines Ltd., wanted one managed service provider that could provide VPN service over a private IP network spanning 180 sites in 32 countries. Network availability is critical to APL because scheduling and shipping are time-sensitive, says Cindy Stoddard, the Oakland, Calif.-based firm’s CIO. APL recently selected Amsterdam-based vendor Equant NV, signing a three-year, US$23-million agreement for VPN and network services. APL chose Equant, says Stoddard, because Equant has global reach and the ability to manage the whole network and employs a routing scheme that speeds up time-sensitive traffic running over a VPN.

Joe Przepiora, IT manager for global network services at agribusiness giant Cargill Inc. in Minneapolis, pays for his VPN service by the hour. Cargill’s field salespeople and other remote employees log on to the corporate network via a VPN service provided by RemotePipes Inc. in Mendota Heights, Minn.

Many of Cargill’s employees work in rural areas that are woefully underserved with local Internet service provider dial-up numbers, Przepiora says, noting that RemotePipes specializes in providing VPNs over the public Internet via toll-free dial-up.

Przepiora acknowledges that analogue modem connections, even if you’re lucky enough to get a quiet phone line for a connection speed above 56Kbps, are slow compared with Digital Subscriber Line and digital cable speeds of more than 1Mbps. But, he points out, at least his people can connect.

At a cost of US$6 per hour, Cargill’s remote users can log on to the company network via a VPN that uses IPSec encryption, the current protocol for end-to-end encryption forged by the Internet Engineering Task Force (IETF). E-mail and sales force automation systems are among the applications most frequently accessed through the VPN service, Przepiora notes.

Many providers that use the Internet for VPN connections either have VPN devices or require VPN networking software to be installed on remote user PCs. But RemotePipes facilitates remote dial-up connections without requiring VPN client software. That means there’s one less thing to go wrong on remote users’ PCs, says Przepiora. But national coverage coupled with fixed price is really RemotePipes’ strength, he notes.

IP-based VPNs don’t always run over native IP networks, which leads to confusion about what’s really happening technically with any given VPN service, says Jason Smolek, an analyst at IDC in Framingham, Mass. For example, AT&T Corp. offers what it calls a “private IP VPN” service that rides on top of its frame-relay network. That might seem contradictory, because it implies the creation of a VPN over a virtual private circuit. And since the latter is already private, why bother?

Different Contexts

Tim Halpin, AT&T product manager for frame and Asynchronous Transfer Mode services, says the term VPN may be used in different contexts. In the case of AT&T’s private IP VPN, Halpin says, the technology is really a service allowing existing AT&T frame-relay users to run IP packets over those networks. In the process, he says, customers benefit from the existing security of frame relay’s private virtual circuits while getting the added functionality offered by IP.

One function, prioritizing network traffic by class of application, is what attracted Andras Bellak to AT&T’s offering. Bellak is director of wide-area network engineering at Wireless Facilities Inc., a San Diego-based contractor that designs and sets up cellular tower and transmitter systems. Bellak says he designates IP videoconferencing, which is susceptible to delays and jitter, as a high priority, while setting database applications as medium priority and e-mail as “best effort,” AT&T’s term for the class of traffic that’s least important.

“It really doesn’t make any difference if an e-mail gets there in one and a half seconds or seven seconds,” Bellak explains, but he adds that jerky video or voice audio that’s out of sync with video is unacceptable. Bellak also says he designates a voice over IP phone system over the AT&T network as high-priority traffic. Otherwise, he says, callers may have to put up with voice delay and echo when they’re on the phone.

To prioritize by class of traffic, both AT&T and Equant employ Multiprotocol Label Switching (MPLS) routing. MPLS is an IETF specification that enables routers at the edge of networks to read special tags on IP packets. That bypasses destination lookup in routers at the core of the network, which helps speed routing and affords quality of service at levels that can support a variety of types of network traffic, including video, says Jim Slaby, an analyst at Giga Information Group Inc. in Cambridge, Mass.
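A simplified model of the label-switching and class-of-service behaviour described above, written as an added example (not code from AT&T, Equant or the article): the edge router does the one destination lookup and stamps a label that encodes the class, the core router forwards by label table alone, and a strict-priority scheduler lets video and voice leave before database and e-mail traffic. Prefixes, label numbers and the class mapping are constructed values.

```python
import heapq
import ipaddress
from itertools import count

# Classes of service as the article describes them (constructed mapping):
# 0 = high (video, voice), 1 = medium (database), 2 = best effort (e-mail).
COS = {"video": 0, "voip": 0, "database": 1, "email": 2}

# Edge (ingress) router: (destination prefix, class) -> MPLS label. Constructed values.
FEC_TABLE = {("10.20.0.0/16", 0): 100, ("10.20.0.0/16", 1): 101, ("10.20.0.0/16", 2): 102}

# Core (P) router: incoming label -> (outgoing label, next hop). No IP prefixes at all.
CORE_LFIB = {100: (200, "P2"), 101: (201, "P2"), 102: (202, "P2")}

def edge_classify(dst_ip, app):
    """Edge router: one longest-prefix match plus the application's class picks the label."""
    cos = COS[app]
    best = None
    for (prefix, c), label in FEC_TABLE.items():
        net = ipaddress.ip_network(prefix)
        if c == cos and ipaddress.ip_address(dst_ip) in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, label)
    if best is None:
        raise KeyError(f"no label for {dst_ip} in class {cos}")
    return {"label": best[1], "cos": cos, "dst": dst_ip, "app": app}

def core_forward(packet):
    """Core router: swap the label by table lookup only; the IP header is never parsed."""
    out_label, next_hop = CORE_LFIB[packet["label"]]
    return {**packet, "label": out_label, "next_hop": next_hop}

def schedule(packets):
    """Strict-priority scheduler keyed on the class carried with the label;
    within a class, arrival order is preserved."""
    seq = count()
    heap = [(p["cos"], next(seq), p) for p in packets]
    heapq.heapify(heap)
    order = []
    while heap:
        _, _, p = heapq.heappop(heap)
        order.append(p["app"])
    return order

def demo():
    """E-mail arrives first, yet video and voice are transmitted ahead of it."""
    arrivals = [edge_classify("10.20.5.9", a) for a in ["email", "database", "video", "email", "voip"]]
    return schedule([core_forward(p) for p in arrivals])
```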

Stoddard says APL also chose the VPN service from Equant because of its MPLS routing capabilities, which she hopes will facilitate voice and video across the network as well as time-sensitive traffic involving scheduling and shipping.

The use of MPLS in conjunction with a frame-relay system that can understand IP also translates into the same service-level guarantees for latency (120Mbps, for data to make a round trip on the network) on AT&T’s private IP VPN, says Halpin.

That’s one reason why Bellak says the US$1,800 that Wireless Facilities pays per month for each 1.5Mbps link, about US$150,000 per month in all, is money well spent. Like other VPN users, he has found that finding the right provider to meet his needs is priceless.

IPSec: Making the VPN Secure

IPSec is a near-ubiquitous VPN security standard. IP VPNs on the public Internet use it. Hybrid networks that may employ private virtual frame-relay circuits and the Internet use it. Even private networks that require an additional level of security across parts of the network or the entire network use IPSec.

IPSec is a security protocol set by the IETF for securing the transmission of data across IP networks. It operates at the network layer of the Open Systems Interconnection (OSI) model, authenticating and encrypting all packets that traverse the network, no matter what the application.

IPSec separates network traffic virtually, using tunnelling and encryption protocols, and it makes the data on shared pipes invisible to other users who push their data through the same wires or airwaves.

There are two security modes possible with IPSec: the Transport Mode, in which only the payload (data) part of the packet is encapsulated through encryption but in which the IP header remains in the clear; and the Tunnel Mode, where IPSec encapsulates everything, including the original IP header, and generates a new header to guide packets. The Transport Mode is normally used for VPN connections between computers, whereas the Tunnel Mode is usually used to connect one LAN to another.
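The difference between the two modes, as an added example rather than code from the article: both modes are built on the same ESP framing (RFC 4303 layout, with the cipher and integrity check omitted as a labelled simplification), and the `on_the_wire` view shows that transport mode leaves the two hosts’ addresses readable on the shared pipe while tunnel mode exposes only the gateway addresses. Host, gateway and SPI values are constructed.

```python
import socket
import struct

ESP_PROTO = 50  # IP protocol number for ESP

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at zero for illustration."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def esp_wrap(body, spi, seq, next_header):
    """ESP framing: SPI and sequence number travel in the clear; the body and
    trailer are what a real implementation encrypts and authenticates.
    The cipher and ICV are omitted here (constructed simplification)."""
    trailer = struct.pack("!BB", 0, next_header)  # pad length, next header
    return struct.pack("!II", spi, seq) + body + trailer

def transport_mode(src, dst, segment, spi, seq=1):
    """Transport mode: the original IP header is kept (protocol field becomes
    ESP) and only the transport payload goes inside ESP."""
    esp = esp_wrap(segment, spi, seq, next_header=6)  # 6 = TCP
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp

def tunnel_mode(inner_src, inner_dst, gw_src, gw_dst, segment, spi, seq=1):
    """Tunnel mode: the whole original packet, header included, goes inside ESP
    and a new outer header addressed gateway-to-gateway is generated."""
    inner = ipv4_header(inner_src, inner_dst, 6, len(segment)) + segment
    esp = esp_wrap(inner, spi, seq, next_header=4)  # 4 = IPv4 (IP-in-IP)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp

def on_the_wire(packet):
    """What an observer on the shared pipe can read in either mode: the outer
    IP addresses plus the ESP SPI and sequence number, nothing past that."""
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    spi, seq = struct.unpack("!II", packet[20:28])
    return {"src": src, "dst": dst, "proto": packet[9], "spi": spi, "seq": seq}

# Constructed sample: host A talks to host B; GW_A and GW_B are the LAN gateways.
SEGMENT = b"\x04\xd2\x00\x50" + b"\x00" * 16  # fake 20-byte TCP segment
HOST_A, HOST_B = "10.1.0.5", "10.2.0.7"
GW_A, GW_B = "203.0.113.1", "198.51.100.1"

def compare_modes():
    """Transport mode exposes the host pair; tunnel mode exposes only the gateways."""
    t = on_the_wire(transport_mode(HOST_A, HOST_B, SEGMENT, spi=0x1001))
    u = on_the_wire(tunnel_mode(HOST_A, HOST_B, GW_A, GW_B, SEGMENT, spi=0x2002))
    return t, u
```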

James Cope is a freelance writer in Notre Dame, Ind. He can be reached at jamescopeus@yahoo.com.