The virtues of VPNs

The challenges placed on today’s network infrastructures are forever growing. Networks must now not only handle an ever-increasing array and amount of information; they must also maintain security and manage a growing number of mobile workers, while meeting management’s demand that the costs of maintaining the network are kept within reasonable limits.

Over the last few years, companies have increasingly turned to virtual private networks (VPNs) as a way of handling some of these challenges, particularly in cutting down on the costs associated with dedicated connections and remote dialup systems common in the 1990s.

“If you go back even some four years ago, the major driver for taking on a VPN solution was to replace the dialup remote access networks,” says Ben McLeod, product marketing manager with the Andover, Mass.-based Enterasys Networks. “With the costs associated with dialup remote access, particularly the cost associated with the 1-800 number access and service, VPNs came to be seen as a much more cost-effective and efficient solution.”

According to statistics released by Toronto-based research firm IDC Canada Ltd., more than half of medium and large Canadian businesses (those with 100 employees or more) have moved over to VPN technology for their data and communications needs. By 2000, nearly 60 per cent of major Canadian businesses had moved to VPN technology.

“Who is deploying VPNs? It is virtually everybody, especially the medium to large enterprises,” suggests Warren Chaisatien, senior telecom analyst with IDC Canada.

The cost savings offered by VPN technologies were especially welcomed as the numbers of mobile workers and telecommuters who needed access to corporate information and databases increased during the heady technology boom days of the late 1990s, and with the introduction of broadband access to the Internet. According to the online U.S.-based job board TrueCareers, nearly 65 per cent of those who responded to a recent online survey said that they currently telecommute or are planning to telecommute, and some 35 per cent of those who already telecommute spend a good part of that time telecommuting from home.

According to Statistics Canada, 1.5 million Canadians were telecommuting in 2001.

Enterasys’s Aurorean Virtual Network VPN solution lets companies give their telecommuting and mobile employees access to corporate information when away from the office. It can also scale to give new employees access to the VPN and to create secure business-to-business connections.

However, choosing a VPN solution and integrating it into a business brings a new set of problems, some very similar to those associated with integrating a new network in an organization, and others specific to VPNs themselves.

All VPN vendors will say that there is no single, one-size-fits-all VPN solution that can be purchased and dropped into an organization. Every organization has to begin by carefully looking at the kind of organizational setup they have, the number of mobile and telecommuting employees they employ, and whether they are linking up to branch offices or other companies. Each of these factors will influence the kind of VPN product and configuration finally chosen. Most important is to remember that any VPN chosen has to be able to grow and change as the company grows and changes.

The most common kinds of VPNs are either remote access or site-to-site. Remote access, much as the name suggests, allows mobile workers to easily access corporate data and networks when away from the office. Site-to-site is most usefully deployed either between companies that need a direct connection and don’t want to use expensive T1 lines, or on campus environments where there is a need to connect different buildings or to have dedicated connections for workgroups and collaborative teams.

Remote access VPNs bring with them a host of specific management and security issues that companies need to keep in mind when deciding to go this route. On the security side of things, there are already established security protocols and industry standards that can be deployed across a VPN to protect information and to help authenticate users getting onto the system. One can choose from such security technologies as IPsec and encrypted tunnels, as well as Multi-Protocol Label Switching (MPLS).

IPsec is considered by many in the industry to be a mature and robust security technology that can be applied across all types of VPNs.

Enterasys’s McLeod adds that many companies are also adding to IPsec security such things as password authentication, two-factor identification using secure IDs and public key encryption, and in some cases even biometrics to verify the identity of people accessing the VPN.

Richard Blacklock, director of business strategy and development for Thornhill, Ont.-based AT&T Global Services, says the site-to-site VPNs tend to be more secure, as they are often not connected to the Internet and are used primarily as dedicated ways to safely transfer information between workgroups or buildings on a company site, or between individual companies and branch offices.

A more recent trend that has emerged has been the integration of VPN functionality into security routers. The advantage of this kind of configuration is that it offers all the traditional advantages of IP routing services but with the added benefits of VPN tunnel termination, IPsec and other security measures. VPN vendors have also begun to move VPN security protocols and processes onto dedicated hardware and systems that can easily be integrated into VPNs and other networks.

What is most important security-wise, however, is to make sure that any VPN solution supports what is called extensible authentication protocols. This is an industry standard that allows a VPN to use and support any number of security authentication processes and mechanisms.

MPLS is the newer kid on the security block and seems to be particularly popular with companies looking to use VPNs as virtual private LANs. Encrypted tunnelling is the more complicated of the security solutions and is often used only if the management of the VPN is outsourced.

According to IDC Canada, in its most recent report on the VPN market in Canada, “Paradigm Shift: Enterprise IP VPN Use in Canada”, MPLS also has the added advantage of easier management of the VPN in order to maintain a high quality of service throughout the network.

“IPSec and MPLS have both contributed to improved security options for today’s VPNs, along with improving the overall manageability of VPNs for many companies,” adds IDC Canada’s Chaisatien.

And manageability is the next big hurdle a company will have to look at when deploying a VPN; namely, the management of the system once it is installed. Unlike rolling out a set of workstations, managing a VPN can become quite a daunting and expensive task especially as the VPN grows with a company.

As an example, as more workers and computers are added onto a VPN, each computer accessing it has to be made secure so that sensitive information does not become accessible to hackers. And this becomes even more complicated as more workers are today accessing VPNs remotely. And as more people are added onto the VPN, the rules managing what each person can access, their level of security, how they can access information and the amount of VPN resources to give to each person can become so daunting that it is not uncommon for mistakes to be made.

Tracy Fleming, senior technical consultant for Markham, Ont.-based Avaya Inc., says executives can either choose to manage the VPN themselves or outsource the management. If they choose to do it themselves, Avaya offers what it calls its VPNmanager, which allows a company to more easily define, configure, monitor and manage its VPNs. It is made to allow a company’s IT manager to set network security policies and manage usage policies across a VPN from a single computer.

“Management of VPNs is one of the key issues a company is going to have to face when installing a VPN, particularly when they may have multiple sites spread over a large geographic area,” adds Fleming. “Let’s say I have some 64 sites across Canada that I have to manage. If I put a VPN gateway at each site, I have to manage each one of those individual gateways and I can’t physically be at each one of those sites to do so.”

Because VPNs tend to be such unwieldy beasts to manage as they grow, many companies opt instead to outsource the management of their VPN. The advantages of outsourcing are that it allows all the difficulties to be handled by someone else while keeping greater control on costs.

AT&T Global Services offers a variety of management services for its VPN customers, including such services as managed tunnelling services, Internet VPN gateway, site-to-site VPNs for both broadband and dedicated networks, and an enhanced VPN-Private IP option.

“VPNs require a much stronger technical skill than what most companies have,” adds AT&T Global Services’ Blacklock. “You need 7×24 coverage of the VPN, change control when there are changes made to the software or network, problem determination to see what has broken down, and you need expertise in such areas as voice over IP when you start carrying voice and data together.”

While studies generally find that outsourcing of VPN management does save companies money, savings will vary between firms. In each case, it will depend on the kinds of network traffic the VPN is being asked to carry, the number of mobile workers and telecommuters a company has, and how the company expects to grow in the next few years.

The market for such services is growing quickly. According to the Framingham, Mass.-based International Data Corp. (IDC) the VPN services market was some US$2 billion in 2000 and is expected to grow to US$18 billion by 2004.


