Ask a group of Monday to Friday, nine a.m. to five p.m. employees what they hate most about their jobs and invariably one of the gripes will be “the morning routine.” Let’s face it, no one in their right mind looks forward to getting up at 6 a.m., showering, eating, putting on a presentable appearance and then sitting in bumper-to-bumper traffic – all before the real workday begins. Life would be so much simpler if people could just roll out of bed at 8:45 a.m., slip into some comfortable sweats and a ball cap, and log into work from their home PC.
For some employees this fantasy is actually a reality. Thanks to the ubiquitous Internet, stay-at-home workers can reach out and touch their corporate databases, spreadsheets and files from the comfort of their own den, bed, or — for the more adventurous — bathtub. With a wireless Internet connection, the possibilities become almost limitless – working from a lawn chair in the back yard, or polishing off a sales report while sunning at the beach are easily imaginable.
Of course none of this would be possible without recent technological advancements, such as widespread Internet access and security mechanisms including Virtual Private Networks (VPNs) and authentication. Because the Internet is a public network, accessible to anyone with a dial-up account, securing connections between the Internet and a corporate network is an absolute must. While authentication schemes ensure people trying to access a corporate network from an external location are who they say they are, VPNs ensure traffic traveling between a remote workstation equipped with VPN software and the company network is encrypted – scrambled, so that only people possessing ‘keys’ to the encryption scheme will be able to reassemble and read possibly sensitive data.
One Canadian company that’s taking advantage of VPN technology is Markham, Ont.-based IBM Canada Ltd. IBM is in the process of deploying VPNs to enable its mobile workers to access the corporate network from wherever they happen to be and to allow most of its remaining employees to work from home on a limited basis. Twenty per cent of IBM Canada’s workforce is in mobile or full-time telecommuting positions and of the remaining workforce, 70 per cent is able to work from home on a limited basis. Given that IBM employs approximately 20,000 people in Canada, this represents a major VPN deployment.
Guy Kapuscinsky, principal with IBM Global Services’s network consulting and integration practice, noted that the work-at-home program isn’t new for IBM. The program has existed since at least the late 1980s, he said. In its initial iteration it consisted of 3270 terminal emulation, then moved to dial-up and now consists of VPNs over high-speed access connections, such as DSL or cable modems.
When IBM first started up its work-at-home program with the 3270 emulation, it was a fairly simple process, because the company could provide secure dial-up access over its own network – IBM Global Networks. “Because we had the infrastructure, our attitude was, ‘It’s ours, it’s secure, we know who will be logging in, we’ll provide our internal users the ability to dial into our point-of-presence (POP), authenticate with our mainframe and be able to surf our internal network,” said Alex Bichuch, business development manager for VPN services with IBM Global Services in Canada.
But, Bichuch explained, IBM no longer has its Global Networks infrastructure in place and therefore doesn’t need to maintain its own POPs. And that’s where the VPNs come in. “The value proposition we have today is we can maintain a virtual POP, which is unlimited in the number of users, because any number of users can be logged onto the Internet at the same time, and the users can access IBM’s facilities from anywhere in the world the Internet is available with a secure, encrypted VPN tunnel,” Bichuch said.
VPNs offer IBM a number of benefits. Chief amongst these is price. “It’s not just the fact we were paying about $80 per business line and the fact we had to support a large amount of equipment [under Global Networks],” Bichuch explained. “The real estate savings of having that [POP] equipment hosted somewhere, the saving on the maintenance cost of having people running around fixing those modems and the cost of the user IDs and passwords are also big.”
The other major advantage of having VPNs as compared to 3270 emulation or dial-up over a Global Networks connection is speed. Depending on an employee’s geographical location, IBM Canada will provide them with either a cable or DSL modem for high-speed access. “Within my practice…some of the guys say they get a better response from home than in the office,” Kapuscinsky said.
Flexibility is another VPN benefit, Bichuch pointed out. VPNs can run over anything from a 28.8Kbps modem to an OC-48 connection (which a few IBM employees actually have access to).
IBM’s VPN rollout, which is still in its pilot phase, consists of software installed on employees’ workstations and, on IBM’s side, a public key infrastructure (PKI) implementation for challenge-response authentication. All traffic between employees and the corporate network is Secure Sockets Layer (SSL) and triple DES encrypted.
One potential problem with IBM’s VPN deployment is employees must install the VPN software on their own. But the company has tried to make the installation process as simple as possible. “We provide a single setup file on your Windows machine to get you there,” Bichuch said. “There is a ten-page pamphlet with pictures, so you can’t mess it up that much.”
IBM has tested its VPN scheme by giving its security practice team an opportunity to hack into it. “In the first phase there are always issues,” Bichuch noted. “You cannot secure anything and everything. But the way things stand now, the security practice has stopped trying to hack us.”
Enterprises planning to emulate IBM and set up VPNs for remote access have several installation options. The first is to pick a VPN from one of the many vendors providing them and do the whole setup in-house. A second choice is to outsource the actual VPN deployment and setup of the authorization system to a third party and have the enterprise handle ongoing maintenance. A third alternative is to outsource the entire VPN deployment and ongoing maintenance. The drawback of this final option is that security is in the hands of the vendor providing the managed service – not where most enterprises want it to be.
IBM, which provides VPN deployment services through its Global Services arm, has seen VPN technology grow in popularity in recent months. “We’ve started talking with our customers and the response has been enormous,” Bichuch enthused.
IBM is still in the initial phases of packaging together its VPN solutions. But Bichuch said, since Global Services is vendor agnostic, it will offer VPNs from a wide variety of VPN vendors and will provide IBM customers with complete systems. The firm is still reviewing whether it will provide ongoing VPN maintenance for clients.
“Traditionally the way we dealt with security was we’d tell the customer, ‘Let’s look at your house. You’ve got an expensive alarm, plenty of locks and you’re going to give me the key. That doesn’t make any sense,’” Bichuch explained.
However, IBM may make an exception to this policy when it comes to VPNs. “Lately a few customers have said to us, ‘It’s hard enough for us to manage our bricks and mortar infrastructure and now you want us to manage our virtual infrastructure,’” Bichuch said. So IBM is looking at options that would allow it to give customers the keys to access the entire VPN and authentication scheme, while IBM would keep keys that would allow the firm to do some ongoing maintenance of the VPN and authentication set up, but not have access to everything.
Bell Nexxia, which also installs VPNs for clients, gives its customers the choice of handling the authentication themselves, or passing it on to Nexxia, explained Tom Moss, senior lead for Nexxia’s IP VPN service.
Bell’s VPN offering consists of a Nortel Contivity switch, a dial-up or high-speed access product, and client software that resides on a remote employee’s workstation. The Contivity switch can be coupled with any authentication server that supports the TACACS or RADIUS standards, Moss said.
Nexxia charges businesses by the seat. This charge includes the end-user access, the Contivity switch and the large pipe required to connect the Contivity switch to the Internet.
Early adopters of the service have been primarily large businesses in the financial community, Moss noted. He explained that the Contivity switch is a relatively pricey product and doesn’t lend itself to small- or medium-sized business use. He added that Bell is investigating options for taking the VPN service downmarket.
Surprisingly, Moss said the main concern he’s heard from employers about the VPN system isn’t about security, but instead about whether employees are using their VPNs for personal as well as business purposes. “For example a dial access package would normally come with a finite number of hours,” he explained. “Businesses are concerned they may end up paying for incremental hours beyond that, because the employee is actually using the access they’re provided with to surf the Internet after hours.”