VPN: Making Choices
Three Different Routes That All Lead To VPN

Our First Lesson: The ABCs Of VPN

With this paper on virtual private networking, InternetWeek breaks new ground. This is the first in a series of three white papers on this topic from the InternetWeek VPN Alliance. The purpose of the InternetWeek VPN Alliance and the white papers is simple: education. And that’s what makes this series unique. Our charter at InternetWeek is to deliver the most authoritative news and information to IT managers. Helping to educate our readers on quickly developing technology trends with unbiased information is a logical extension of that mission.

This is precisely what the InternetWeek VPN Alliance was formed to do: to serve as an educational resource to IT managers with an interest in VPNs.

Most IT managers we’ve spoken to are interested in VPNs, but they also have a great need for basic information. The white papers are just one way we aim to satisfy this requirement. In addition, we have a VPN Source Page and we have conducted (and will continue to conduct) VPN seminars in selected U.S. cities.

This initial white paper covers VPN basics. It is an extension of our recently concluded seminars. It starts by defining what a VPN is, then details emerging VPN applications, discusses why VPNs are needed in many companies today and introduces the core technologies needed to build a VPN. This white paper concludes with two case studies that illustrate how VPNs can be used to conduct business and save companies money.

The next white paper, which is scheduled to appear in the Jan. 25 issue of InternetWeek, will take the discussion of VPNs to a deeper level. In that installment, we’ll get into the specifics of picking a VPN platform or service.

In addition, we will sharply focus on general performance concerns, service and equipment provider reliability and performance issues, encryption export matters, and questions on what to do when you start scaling up VPNs to support thousands of users.

The final white paper in the spring will delve further into some of the core technologies, such as encryption key management and digital certificates, that are integral to VPNs. That paper also will explore the roles of policy-based management, quality of service and tiered service offerings with respect to VPNs.

The intent of these white papers is to give IT managers the necessary background information to start the evaluation process for VPN equipment and services.
Ideally, the white papers will also serve as a helpful guide to simplify the selection process.

At a minimum, the white papers will provide you with a starting point for choosing the VPN services and equipment that are best suited to meet your needs. Perhaps the papers will answer some questions you already have in mind. Or they may tip you off to a particular issue that you should probably be asking your equipment vendors, systems integrators and service providers about.

Our ultimate goal is to try to cut through the hype of this exploding market. We’ll do this by focusing on the issues and technologies rather than looking at the offerings of just one vendor or service provider.

We also hope to show through case studies in each of the three white papers that VPNs are definitely here today. And, more importantly, that they do indeed live up to their billing as communications cost savers.

We look forward to receiving your feedback on the white papers and our VPN Alliance.

VPN: The Basics
Now’s The Time To Start Looking At VPN’s Benefits

With all of the current hoopla about virtual private networks, you may be asking yourself, why should I suddenly use VPN? And why now?

To understand why VPNs are needed, it is best to step back a minute and look at some connectivity and business trends. A number of events that are occurring in the corporate world are changing basic connectivity requirements.

The first major trend is the growth in telecommuting. Industry experts estimate that there were about 7.5 million full-time telecommuters in 1997. And there were probably several million more if you counted those people who work at home a couple of days a week.

Social factors are driving this number up. Many people want to work at home for personal reasons such as taking care of their children or eliminating time commuting to and from work.

In today’s competitive business climate, companies are catering to employee demands and often will let skilled employees telecommute in order to retain their services. Additionally, many companies will now hire the best candidate for a job regardless of where that person is located. To do this, companies let these people telecommute full time rather than move them closer to the office.

Additionally, there is a different kind of mobile work force today than in the past. People have always traveled, but today’s traveler needs frequent access to the corporate network. For example, access to e-mail is now considered essential by most travelers.

On top of that, more employees work extended hours. It is common for professionals to require access to e-mail and network applications at night and on the weekends. All of this is increasing the demand for connectivity.

Further driving the connectivity needs of a corporation are other major business changes. Decentralization of corporations is on the rise. Rather than having a corporate headquarters where the majority of employees are located, most companies today spread their operations across the country or even the world.

Pushing connectivity requirements even further is the fact that more companies now have business applications that require sites to share information frequently. For instance, in the past, a bank branch office might only need to check a customer’s account balance on a mainframe in the bank’s headquarters. Nowadays, associates in a branch office might need to look up the current rate on a money market certificate and check a customer’s investments that are managed by the bank.

In other words, the number of applications that require small sites to have access to information keeps growing. And this trend is forcing companies to change the way they connect sites.

The bottom line is that IT managers find they must support an increasing number of dial-access users, and at the same time, they must link more offices together.

Why Change?

Of course, remote and branch office connectivity has been a staple of most IT managers for many years. So why are VPNs even necessary?

The answer is that the cost of using traditional remote access technology is skyrocketing and will only get higher as more users and sites need to be connected.

To understand why costs are increasing, it is necessary to look at the total cost of ownership for remote access. During the past few years, several market research firms have done remote-access cost studies. Consistent findings have revealed that equipment costs are only about 15 percent to 20 percent of the total cost of ownership when connecting users and sites. The bulk of the cost to support remote access for a three- to five-year period (depending on the particular study) comes from two areas: recurring telecommunications costs and the operational costs to support the users and manage the equipment.

It turns out that remote access—both dial access for individual users and dedicated lines to link sites—combines the worst of the voice and data worlds.

On the data side, traditional remote access incurs the high management costs of supporting users. Typically, the equipment is complex and there are many kinds of devices—including remote-access servers, access routers and WAN switches—that must be installed, maintained and managed. Frequently, each type of equipment requires a different set of management skills, which adds to the total cost of ownership.

Traditional remote-access connections also suffer from the worst the voice world has to offer. Typically, companies pay a per-minute charge for connect time and long distance fees for both dedicated and dial access.

Long distance charges for dial access start at about 10 cents per minute—about $240 per month per person for two hours of connect time a day. Those costs can become astronomical if the user makes a long distance call from a hotel in an international location.

Companies also often have additional hidden costs when supporting large numbers of sites or users. For instance, some businesses simply have telecommuters or travelers submit their phone expenses with their normal expense reports.

This is a productivity buster since the user must take the time to photocopy each phone bill and the accounting department must deal with the submissions.

A number of companies use 800 services to avoid such hassles and to make it much easier for their users to connect when on the road.
Even the best rates on 800 services—about 5 cents per minute—amount to phone bills of $120 per month per user for about two hours of connect time each day. That adds up to $144,000 a year for 100 users.

Enter VPNs

The hidden management and recurring telecommunications costs of traditional access technologies will only grow as more users and more sites are added. Telecommunications costs are simply proportional to the number of users. If you double the number of people dialing in, you also double the phone charges.

VPNs offer a way to keep costs in check. First, they can reduce the recurring communications charges. VPNs use the relatively free bandwidth of the Internet or a service provider’s network to connect a user to a corporate network or carry traffic between sites.

For dial access, the basic idea is to replace that long distance phone call to the company with a local call into a service provider’s point of presence. If a flat monthly rate Internet account is used, the cost savings can be significant. It would cost $19.95 per month vs. $120 a month when using the 5-cent-per-minute 800 service for two hours a day every business day.

Flat monthly rate ISP accounts are fine for some applications, but increasingly, IT managers want more than a flat-rate account can deliver.

That is leading some IT managers to look at usage-based services that may cost more than a flat-rate account, but guarantee network availability and latency across that provider’s network.

Typically, quality ISP services that offer service-level guarantees range in price from about $1.50 to $3.50 per hour of connect time.
That amount is still substantially lower than using an 800 service that typically charges between $4 and $10 per hour to connect users to an in-house modem pool or remote-access server.

The accompanying chart shows the annual cost for connecting 500 users for various levels of connect time and prices for an 800 service and using a VPN.

As the chart on this page shows, it would cost $119,700 per year for 500 flat-rate ISP accounts, where each account costs $19.95 per month. A VPN connection that runs over a usage-based ISP service costing $2.50 per hour would amount to $300,000 a year for 500 users, where each of these users averages 20 hours of connect time a month (an average of one hour per business day).

By comparison, the direct-dial approach would cost an annual average of $360,000 to support 500 dial-in users over an 800 number service that charges 5 cents per minute and where users connect for an average of 20 hours per month.

In other words, a company supporting 500 dial-up users could save $240,300 or $60,000 a year by shifting its 500 dial-access users to VPN access using, respectively, a flat-rate ISP or usage-based ISP account.

Another way VPNs can save communications costs and possibly reduce management costs is by reducing the amount of access gear required.

In the dial-access scenario, a company would typically have one or more dedicated T1 lines that connect to a remote-access server and that are only used for the dial-access users to get into the company network. Additionally, the company would have a high-speed Internet-access line.

If every one of the dial-access users switched from direct dial to VPN access, the T1 lines used for dial access could be eliminated since the user would enter the network over the existing high-speed Internet-access lines. This would also eliminate the cost of the T1 lines to headquarters for dial access.

Moving all users over to VPN access also eliminates the need for a remote-access server. So that piece of equipment could be removed, thus freeing up whoever had to manage it from these duties.

Similar savings can occur in site-to-site connectivity scenarios. Many sites have multiple access lines—one for traditional data connections, such as frame relay or T1 lines, and another for Internet access.

If branch offices are linked to a corporate headquarters over a VPN connection, it might be possible to reduce the number of traditional data lines companywide. And the WAN-access equipment might be able to be consolidated.

Marrying Emerging Technologies

VPNs are also getting attention because they have the potential to integrate a new class of user—the high-speed access telecommuter—into the corporate network.

Traditionally, the full-time telecommuter used analog modems or, if they were lucky, ISDN service to connect to the corporate network.
Basically, these workers were limited to 128 Kbps at best. And that meant they were, in a sense, second-class citizens when compared with their network-attached counterparts back in the office who were used to 10-Mbps LANs and T1 speed or better Internet access.

Until now, telecommuters had to make do with the speeds afforded by these traditional dial access services. For most, there was no economical alternative. Frame relay, fractional T1, T1 and other high-speed data services were simply too expensive to run out to every telecommuter’s home.

However, within the past year, there has been noticeable progress in the deployment of high-speed access services based on cable modems and Digital Subscriber Line technologies.

The problem with these services from a business standpoint has been that they really only provided high-speed Internet access and did not offer any way to get back to the corporate network.

That’s precisely where a VPN comes in. Marrying the security and network access features of a VPN to these high-speed access services seems like a match made in heaven.

Telecommuters and small remote offices need high-speed access to the Internet and to their corporate networks. And they need this connectivity to be priced economically.

DSL, particularly symmetrical versions of the service, seems to fit the bill for corporate users, giving them T1 or better access speeds at a fraction of the cost of a traditional T1 line. And cable modem services typically offer between 1 Mbps and 2 Mbps connection speeds for between $40 and $100 per month.

As DSL and cable modem service deployment heats up in the coming year, IT managers should be looking at the combination of VPNs and these high-speed services for their remote users.

A small number of service providers are already combining VPN and high-speed services. These providers have targeted the connectivity needs of small to medium businesses and seem to be carving out a nice niche market.

However, many providers do not combine the two services for you. In most cases that means IT managers will be left to do VPN-enabled high-speed connections on their own.

VPN security applied to cable modems seems to have a particular appeal. Cable modem services are being aggressively rolled out in certain parts of the country.

However, the service has primarily been seen as a consumer Internet access service.

One reason for this perception is that many cable networks are architected so that all homes served from the same neighborhood equipment pedestal essentially share a single LAN segment. This will not do for most business users.

VPNs solve this problem since the traffic is encrypted before it is sent through the cable modem box.

One potential obstacle to implementing a VPN-enabled high-speed telecommuting system is that cable and DSL modems do not typically support VPN technology. But then again, neither do analog modems. However, there is a difference between the analog and high-speed access worlds that needs to be taken into account.

With analog modems, the amount of data streaming from and toward a telecommuter is fairly modest. And any PC running VPN client software can easily handle the encryption, decryption and tunneling tasks associated with using a VPN.

The situation could be radically different with a high-speed connection. Commercially available cable modem and DSL services tout transmission speeds in the range of 1 Mbps to 2 Mbps. Before setting up a VPN, the question that needs to be answered is: Can a PC with VPN client software perform the necessary encryption and tunneling tasks at these rates?

And if the PC can handle these tasks, does it do so at the expense of other applications? It makes no sense to give telecommuters a connection to the corporate network if their PCs are going to lock up under the load.

Early indications seem to offer some reassuring news. Users who have experimented with running VPNs over a DSL link say that a Pentium-class computer has enough processing power to handle these tasks.

So software-based VPN approaches in the telecommuter’s home seem to be viable. And hardware-based VPN solutions that are designed primarily to link branch offices over T1 lines can easily be used in a telecommuter application. In this scenario, the VPN device would be placed between the user’s PC and the cable or DSL modem.

If companies start using VPNs to connect large numbers of DSL and cable modem telecommuters, there might be implications with respect to the equipment used in the main office.

Traffic from these high-speed access users then needs to be aggregated. For main offices, companies will likely have to use some form of packet processor dedicated to VPNs on the LAN side of a router. These devices will handle VPN security along with a substantial number of other functions such as bandwidth management.

For the most part, it looks like IT managers are going to have to roll their own solutions.

This entire area of marrying VPN security services to high-speed access is just beginning to emerge. If the combination proves popular, it has the potential of increasing telecommuter productivity, and will allow companies to let more people telecommute. This might let companies keep highly skilled people, thus saving the costs of replacing a worker who might have left otherwise.

Outsourcing Benefits

Outsourcing remote communications is all the rage these days.

That’s because IT managers are trying to find ways to reduce the total cost of supporting ever-increasing numbers of remote users, be they telecommuters, travelers or just users in other sites.

Exactly how prevalent is outsourcing, you ask?

The Cahners In-Stat Group, a consultancy that tracks the communications industry, has projected that by the end of next year 49 percent of large and midsized enterprises will outsource some or all of their remote access.

Another consulting firm, the Gartner Group, has a similar message.
According to Gartner, enterprises are increasingly turning to service providers to configure, own and manage their remote communications infrastructures.

Outsourcing remote access to a VPN reduces the total cost of ownership of remote access. It means no more modem pools to maintain, no more remote access servers to manage and no more WAN equipment such as Channel Service Units/Data Service Units associated with these devices.

An IT staff that does not have to maintain this equipment can be used to manage other tasks. Some companies have found that outsourcing remote access has allowed them to bring in-house other services that have previously been outsourced. For instance, one manufacturing company headquartered in the Northeast outsourced its remote access and was then able to take back the management of its e-mail gateways, which had been outsourced to the tune of approximately $6,000 per month.

Using a VPN for remote access or site-to-site connectivity means never having to upgrade access equipment again. This can represent a considerable savings since access technology is rapidly evolving. Just look at the past year: Many companies have needed to upgrade their remote access servers and concentrators in order to support emerging 56-Kbps modem technology.

Staffing Issues

One component of the total cost of ownership for remote access is staff training. Using a VPN approach, a company could outsource its remote access communications to a service provider. And this can help reduce training costs.

Essentially, the service provider is responsible for the management of the equipment. As a result, there is no need to train staff in the use of the equipment.

Thus, a VPN can solve three training problems. The first issue most managers come up against is getting staffers up to speed about the workings of a new piece of remote access gear. Typically, companies will send the person who will be in charge of managing a new remote access server or WAN router to a seminar run by the equipment vendor. Typically, these classes are free, but they still take the employee away from work for the time of the course.

Having a service provider oversee and manage remote access equipment saves all the time that the employee would be away from the job.

A second problem in this area is that equipment is frequently upgraded, thus requiring more training classes for employees. Just look at what has happened in the remote-access market over the past year. Anyone with a remote-access server most likely had to deal with a move to the 56-Kbps modem standard.

And the management tasks become more complicated when we’re talking about site-to-site connections. Here, the need to change equipment has escalated as new data services have been rolled out. And IT managers will likely find they have to support even more services in the next year as Digital Subscriber Line and even fixed high-speed wireless services become more available.

A third area in which outsourcing remote access to a service provider-based VPN has an impact on staffing issues is retention. A number of IT managers have found that once they train staffers on a new technology or a vendor’s new line of equipment, the employees leave. From the employee’s perspective, he or she has acquired a new skill, so it makes sense for them to seek compensation to match.

And in today’s job market, where IT professionals are in incredible demand, it is not very hard for them to find new jobs.

Outsourcing remote access to a VPN eliminates the staff churn problem. The service provider is responsible for managing the equipment and for training its own people on the equipment. If there is a churn problem, it is with the providers and not the IT managers.

IT managers also may find that when outsourcing a VPN to a provider, they can off-load other management tasks, again freeing up staffers’ time for other projects.

For example, some IT managers are facing a crisis with Year 2000 compliance for their WAN equipment. One clever way to work around this situation is to outsource the remote access to a service provider and make Year 2000 compliance part of the provider’s job.

IT managers who have done this say it works well for their companies. They do not need to become experts at Year 2000 issues for their WAN equipment. They also do not need to bring in high-priced consultants just to make sure their WAN equipment meets company Year 2000 compliance standards. And their staffs do not have to spend endless hours tracking down manufacturers’ fixes (if they even have them) to old equipment.

When you take all of these factors into account, it becomes very easy to see why VPNs are attracting so much attention.

=========================================================================
Does Everybody Really Know What A VPN Is?
By SALVATORE SALAMONE

VPN has been a popular buzzword over the past two years. But does everyone fully understand what a VPN is and exactly how it works?

Now is a good time to define a VPN before there can be further discussion because the term can mean many things. For years, voice and data services were delivered using what the telephone companies called virtual private networks. In fact, just about all software-defined networks are considered VPNs by the phone companies. But the current generation of VPNs is very different.

The working definition of a VPN that will serve as the basis for all discussion in this white paper is the following: a combination of tunneling, encryption, authentication, and access control technologies and services used to carry traffic over the Internet, a managed IP network or a provider’s backbone. The traffic reaches these backbones using any combination of access technologies, including T1, frame relay, ISDN, ATM or simple dial access.

Some academics and engineers disagree with this definition. In the past six to 12 months, there have been editorials and commentaries in several engineering and academic journals decrying the use of the term VPN in this manner. The typical argument is that the IT world has taken a very generic networking term and bastardized it for marketing purposes.

It’s a valid point. But there also is a need to have a common working definition to discuss VPN implementations, deployment, products and services. For the IT community, a VPN as defined above seems to work.

Now that a definition is nailed down, the next question to consider is, what are VPNs used for? The answer: VPNs reduce communications costs. The next article in this white paper will provide a detailed cost analysis for using VPNs. However, the general idea behind using a VPN is that a company reduces the recurring telecommunications charges that are incurred when connecting remote users and branch offices to resources in corporate headquarters.

Applications Aplenty

Several distinct VPN applications are emerging, each with its own performance requirements, which in turn dictate a set of equipment and service requirements. The emerging application areas are remote access, site-to-site connectivity, extranets and an all-encompassing “other” category.

When it comes to remote-access VPNs, the basic concept is to give telecommuters and mobile workers a way to get back to a corporate network over the Internet or a service provider’s backbone. In a remote-access VPN, a user dials into a service provider’s point of presence, establishes a tunnel back to headquarters over that provider’s network or the Internet, and authenticates himself or herself to gain access to the corporate network.

That is in contrast to the traditional dial-access approach whereby a user dials into a bank of modems, a remote-access server or concentrator located within the corporate headquarters.

There are a number of reasons to use a VPN for remote access. First, there is cost savings on the calls. Rather than having a user make a long distance phone call or use an 800 service to dial directly into the company, the VPN approach lets the user make a local phone call to the provider’s POP.

The cost savings can be substantial. The next article will give detailed examples on how to calculate such savings. But some companies say they cut their telecommunications charges from $1,000 to $2,000 per month per person with dial access to less than $20 per month per person when using a flat monthly rate ISP service.

Further savings can come from reducing the operational costs associated with supporting remote users. For example, when using a VPN, companies can get rid of their modem pools and remote-access servers. Additionally, companies may be able to save other communications charges.
For example, before using a VPN, a company may have a dedicated link to an ISP for Internet access and a channelized T1 line into a remote access server to support dial-in users. A complete cutover to a VPN would eliminate the need for the T1 line for dial access. The traffic from these users would be rolled over onto the existing Internet access line. Thus the monthly cost of a T1 line to support dial access could be cut out.

Branching Out

The next general application of VPNs is for site-to-site connectivity. As in the remote-access scenario, branch offices are connected to corporate headquarters through tunnels that transport traffic over the Internet or via a provider’s backbone.

Again, as in the case of remote access, a company might be able to reduce communications costs by paying only for the access line from a branch office to the service provider’s POP, rather than paying for a long distance link to headquarters.

In some cases, the cost of using a VPN link is not significantly less than that of frame relay, since essentially the only cost is for a local connection at each end. But there are a number of other ways a VPN site-to-site connection can cut down on communications costs.

For instance, many sites have multiple access lines: one to carry data back to headquarters and a second for Internet access. In fact, some industry studies have found that as many as 72 percent of sites have multiple access lines. Using VPN technology for site-to-site connectivity would let a branch office with multiple links get rid of the data line and move traffic over the existing Internet access connection.

Additionally, site-to-site VPNs can cut communications costs significantly if a company has many international sites. Typically, the cost to link a European site to a North American headquarters office can be quite high when using leased lines or data services such as frame relay.
A VPN built around a service provider with points of presence in countries where there are branch offices would allow the international sites to pay only for dedicated Internet access to that point of presence. That would be much less expensive than paying for a long distance link back to the United States.

In both dial access and site-to-site connectivity VPNs, there are some other economic differences between a VPN and traditional access. First, with VPNs there is flexibility. Most data services require long-term contracts. That’s typically not the case with Internet services. This flexibility allows companies to quickly move to a lower-priced service if they so desire. But a point of caution: If you use a service provider for more than basic access, it may be harder to switch providers.

Another area where VPNs can have an impact on a company’s finances is the time to establish a connection. Though not always the case, companies can usually get a high-speed Internet connection established in a much shorter time frame (on the order of weeks) than it takes to get high-speed data services.

This is particularly true if you are talking about using a VPN instead of a leased line, where it can take several months for the connection to be installed in the United States. In foreign countries, it can take a year or even longer for such a line to be installed. In industries such as construction and insurance, where temporary sites are set up, this time difference can be the deciding factor in getting a job completed or not.

Letting In Strangers

The third emerging application for VPNs is extranets. There are a number of ways to create extranets that do not involve VPN technology, but VPN-based extranets give IT managers another option.
The basic idea of VPN-based extranets is to use the access control and authentication services with a VPN implementation to deny or grant customers, trading partners and business associates access to specific information that they may need to conduct business.

With a VPN-based extranet application, the outside party would get to the corporate firewall by tunneling across the Internet or a service provider’s network. The ability to get behind the firewall is controlled

It’s difficult to estimate the cost savings of using a VPN vs. another networking technology for extranets. For many companies, VPN-based extranets simply allow them to do business they could not do before. So some IT managers use a soft-dollars argument for justifying a VPN-based extranet.

The argument typically goes like this: An extranet gives certain customers or classes of customers privileges they did not have before and that other customers do not have at all. For example, a brokerage house could set up classes of users so that a client that spends the minimum amount gets to trade electronically; a higher-spending customer gets to trade and gets an Internet account thrown in for free; and a premium client gets all of this and access to internal stock market research. Basically, VPN authentication and access control services are used to manage such levels of access.

The selling point for this VPN application is that it builds customer loyalty. Once the client gets to that second or third level of service with Internet access and proprietary research thrown in, these intangibles may be enough to keep a client from switching to another brokerage firm.

A harder cost analysis might be possible if the VPN extranet replaces something else. For instance, some companies that do business with trading partners using electronic data interchange (EDI) are looking to VPN extranets to reduce costs. Typically, EDI applications require custom software and the use of a value-added network (VAN) provider. Such VANs typically charge anywhere from $6 to $12 per hour for connectivity. A VPN extranet would allow trading partners to connect using traditional service providers at much lower costs.
Old Problems, New Solutions
A fourth major category of applications is wide ranging and grouped
under the "other" classification. However, even within this
ill-defined
category one application is coming to the fore: internal use of VPNs.
The general idea is to use the encryption, authentication and access
control services of a VPN to segment populations on a corporate
network or intranet.
In many situations, companies need to ensure the confidentiality of
data. For instance, a human resources department might want to let
employees check on vacation time, but not see
performance reviews. Or a national sales manager might be granted
access to the sales performance records of all sales associates,
while each associate only has access to his or her own records.
VPNs can help an IT manager establish and manage these levels of
access.
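The access levels described in this section (the brokerage client classes, and the human resources and sales-records cases) can be written as a deny-by-default policy that an access-control service evaluates once a tunnel user has authenticated. This is an added example, not code from the white paper or from any VPN product; the class names, resource names and the `is_allowed` and `reachable` functions are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Set


@dataclass(frozen=True)
class Session:
    """What the gateway knows about a tunnel once authentication has run."""
    user: str
    user_class: str        # class assigned to the user at authentication time
    authenticated: bool


@dataclass(frozen=True)
class Rule:
    """Grants one user class access to one resource."""
    user_class: str
    resource: str
    own_records_only: bool = False   # restrict to records owned by the user


# Constructed policy (hypothetical names) covering the scenarios in the text.
POLICY = (
    # Brokerage extranet: each class of client gets a wider set of services.
    Rule("client-minimum", "trading"),
    Rule("client-higher", "trading"),
    Rule("client-higher", "internet-account"),
    Rule("client-premium", "trading"),
    Rule("client-premium", "internet-account"),
    Rule("client-premium", "market-research"),
    # Internal use: employees see their own vacation time; no rule grants
    # them performance reviews, so those stay closed.
    Rule("employee", "vacation-time", own_records_only=True),
    # Sales: associates see only their own records, the manager sees all.
    Rule("sales-associate", "sales-records", own_records_only=True),
    Rule("sales-manager", "sales-records"),
)


def is_allowed(session: Session, resource: str,
               record_owner: Optional[str] = None,
               policy: Sequence[Rule] = POLICY) -> bool:
    """Return True only if an explicit rule grants the request."""
    if not session.authenticated:
        return False                  # access control never runs before authentication
    for rule in policy:
        if rule.user_class != session.user_class or rule.resource != resource:
            continue
        if rule.own_records_only and record_owner != session.user:
            continue                  # another user's record, or no owner stated
        return True
    return False                      # deny by default: unknown class or resource


def reachable(user_class: str, policy: Sequence[Rule] = POLICY) -> Set[str]:
    """Audit helper: every resource a class can reach under the policy."""
    return {rule.resource for rule in policy if rule.user_class == user_class}


if __name__ == "__main__":
    associate = Session("alice", "sales-associate", True)
    manager = Session("carol", "sales-manager", True)
    print(is_allowed(associate, "sales-records", record_owner="alice"))
    print(is_allowed(associate, "sales-records", record_owner="bob"))
    print(is_allowed(manager, "sales-records", record_owner="bob"))
    for tier in ("client-minimum", "client-higher", "client-premium"):
        print(tier, sorted(reachable(tier)))
```

Running `reachable` over every class is a quick review step: it shows at a glance whether a lower class has picked up a resource meant only for a higher one.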
Using VPN technology to control access to data for different groups
of workers solves some problems that IT managers have faced for a
long time.
For example, many IT managers have tried to segment user
populations using virtual LAN (VLAN) technology. With VLANs, the
idea is that a manager can quickly create ad hoc groups of workers
who appear to be on a single LAN segment.
A manager can dynamically assign users to specific groups and
restrict others from any one group.
The problem that a large number of IT managers encounter with
VLANs is that many approaches are proprietary and therefore do not
work in mixed environments where hubs and switches from multiple
vendors
are used.
VPNs can cut across the mixed-equipment environment by using
IP-based tunnels between a user's workstation and a server. The
traffic between the two devices would be encrypted, which helps
ensure confidentiality. So VPNs create an environment that is
analogous to physically segmenting users on distinct LAN segments.
By far the most exciting thing about VPNs is that all four applications
are not mutually exclusive. A company could deploy a VPN to link its
branch offices, then expand the access to single remote users and
ultimately open up the network to outsiders, all using the same
equipment and services.
Once the connectivity needs of remote and outside users are satisfied, the installed equipment can also be used to segment user
groups on the corporate network.
VPN: Making Choices
VPN’s Defining Moment: What Exactly Is It?
Does
everyone remember what is meant by the term virtual private network? The
bulk of the first VPN Alliance White Paper addressed this question. To make sure
everyone is working with the same definitions and concepts, this article will
quickly summarize the VPN basics so that IT managers new to the topic can put
the rest of this white paper into context. VPN
has meant many things to different groups of people over the years. For years,
voice and data services were delivered using what the telephone companies called
virtual private networks. In
fact, almost all software-defined networks are considered VPNs by the telephone
companies. But that is not what is being referred to today when the term VPN is
used. The
working definition that will be the basis for all discussions in this white
paper is that a VPN uses a combination of tunneling, encryption, authentication,
and access control technologies and services. VPNs use these technologies to
ride traffic over the Internet, a managed IP network or a provider’s backbone.
The traffic reaches these backbones using any combination of access technologies
including T1, frame relay, ISDN, ATM or dial access. Some
academics and engineers disagree with this definition. In the past 12 months,
there have been editorials and opinion columns in several engineering and
academic journals decrying this use of the term VPN. The typical argument is
that the IT world has taken a very generic networking expression and perverted
its use for marketing purposes. Although
they may have a point, there is a need to have a common working definition to
discuss VPN implementations, deployment, products and services. For the IT
community, the above definition of VPN seems to work. Now
that the definition is nailed down, the next basic question to consider is
“What are VPNs used for?”
Applications Emerge
While
a working definition of VPN is a good starting point for any discussion, the
term is still too general. There
is an emergence of several distinct VPN applications going on in the
marketplace: remote access, site-to-site connectivity, extranet and the
all-encompassing “other.” Each has its own performance needs, which dictate
a corresponding set of equipment and service requirements. When
it comes to remote-access VPNs, the basic concept is to give telecommuters and
mobile workers a way to get back to a corporate network over the Internet or a
service provider’s backbone. In this scenario, users dial into a service
provider’s point of presence, establish a tunnel back to headquarters over
that provider’s network or the Internet, and authenticate themselves to gain
access to the corporate network. By
contrast, in a traditional dial-access approach, users dial into a bank of
modems, a remote-access server or a concentrator located within corporate
headquarters. There
are many reasons to use a VPN for remote access. First, there is the cost
savings on the calls. Rather than having a user place a long distance phone call
or use an 800 service to dial directly back to the company, the VPN approach
lets the user make a local phone call to the provider’s POP. The
cost savings can be substantial. Some companies have reported that they cut
their telecommunications charges from $1,000 to $2,000 per month with dial
access to less than $20 per month using a flat monthly rate ISP service.
Significant cost savings can even be realized when using hourly rate premium ISP
services. Further
savings can come from reducing operational costs associated with supporting
remote users. For example, when using a VPN, companies can get rid of their
modem pools and remote-access servers. Additionally,
companies may be able to save other communications charges. For instance, before
using a VPN, a company may have had a dedicated link to an ISP for Internet
access and a channelized T1 line into a remote-access server to support dial-in
users. A complete changeover to a VPN would eliminate the need for the T1 line
for dial access. The traffic from these users would be rolled over onto the
existing Internet access line. Thus the monthly cost of a T1 line to support
dial access would be eliminated.
Branching Out
The
next general application of VPNs is site-to-site connectivity. As in the case of
remote access, branch offices are connected to corporate headquarters through
tunnels that ride traffic over the Internet or a provider’s backbone. Companies
also might be able to reduce communications costs by paying only for the access
line from a branch office to the service provider’s POP, rather than paying
for a long distance link to headquarters. In
some cases, the cost of using a VPN link is not much less than that of, say,
frame relay because you essentially only pay for a local connection in each
case. But there are other ways a VPN site-to-site connection can reduce
communications costs. For
instance, many sites have multiple access lines: one to carry data back to
headquarters and a second for Internet access. In fact, some industry studies
have found that as many as 72 percent of sites have multiple access lines. Using
VPN technology for site-to-site connectivity would allow a branch office with
multiple links to get rid of the data line and ride the traffic over the
existing Internet access connection. The
third emerging application for VPNs is extranets. There are many ways to create
extranets that do not involve VPN technology.
However, VPN-based extranets give IT managers one way to accomplish the
same thing. The
basic idea behind VPN-based extranets is to use the access-control and
authentication services with a VPN implementation to deny or grant customers,
trading partners and business associates access to specific information they may
need to conduct business. With
a VPN-based extranet application, the outside party would get to the corporate
firewall by tunneling across the Internet or a service provider’s network. And
the ability to get behind the firewall will be controlled by the VPN
access-control services. It
is hard to estimate cost savings of using a VPN vs. another networking
technology for extranets. For many companies, VPN-based extranets allow them to
do business they could not do before. Some IT managers use soft dollar arguments
for justifying an extranet VPN. The argument typically is that an extranet gives
certain customers or classes of customers privileges they did not have before
and that other customers already have. For
example, a brokerage house could set up different classes of users: Clients that
spend the minimum amount can trade electronically; higher-spending customers can
trade and also get a free Internet account as a bonus; and premium clients get
those services plus access to internal research on the market. Basically,
VPN authentication and access-control services are used to manage such levels of
access. The selling point for this application is that it builds customer
loyalty. Once the client gets to that second or third level of service, those
bonuses may be enough to keep a client from switching to another brokerage firm.
A
harder cost analysis might be possible if the VPN extranet replaces something
else. For instance, some companies that do business with trading partners using
EDI are looking to VPN extranets to reduce costs. Typically, EDI applications
require custom software and the use of a value-added network (VAN) provider. Such
VANs typically charge high rates of $6 to $12 per hour for connectivity. A VPN
extranet would allow trading partners to connect over traditional service
providers at much lower costs.
New Solutions
The
fourth emerging application area is the all-encompassing “other.” However,
even within this ill-defined category, one application is starting to develop:
the internal use of VPNs. The
idea is to use the encryption, authentication and access-control services of a
VPN to segment populations on a corporate network or intranet. In
many situations, companies need to ensure the confidentiality of data. For
instance, a human resources department might want to let employees check on
vacation time, but not allow them to see managers’ reviews. In another case, a
national sales manager might be granted access to the sales performance records
of all sales associates, while these associates only have access to their own
individual records. VPNs
can help an IT manager establish and manage these scenarios. Using VPN
technology to set up access control to data for different groups of workers
solves some problems IT managers have faced for a long time. For example, many
IT managers have tried to segment user populations using VLAN technology. With
VLANs, a manager can quickly create ad hoc groups of workers who appear to be on
a single LAN segment. A manager can dynamically assign users to specific groups
and can restrict others from any one group. The
problem with VLANs is that many approaches are proprietary and do not work when
equipment from multiple vendors is used. VPNs
can cut across the mixed equipment environment by using tunnels between a
user’s workstation and a server. The traffic between the two devices would be
encrypted, which helps ensure confidentiality. VPNs create an environment that
is analogous to physically segmenting users on distinct LAN segments. The
exciting thing about VPNs is that all four applications are not mutually
exclusive of each other. A company could deploy a VPN to link its branch
offices, expand the access to single remote users and then open up the network
to outsiders while using the same equipment and services. Once connectivity
needs of remote and outside users are satisfied, the installed equipment can
also be used to segment user groups on the corporate network.
Why VPNs Now?
To
understand why VPNs are needed, one only has to look at connectivity and
business trends. There are events happening in the corporate world that are
changing basic connectivity requirements. The
first major trend is the growth in full-time telecommuting. There
is also a different kind of mobile workforce emerging today.
People have always traveled, but increasingly today’s travelers need
frequent access to the corporate network. Access to e-mail is also considered
essential by most travelers. Further
driving the connectivity needs of a corporation are other major business
changes. Decentralization of corporations is on the rise. What
it all comes down to is that IT managers find they must support ever-increasing
numbers of dial-access users and they must link more offices together. The cost
of using traditional remote-access technology is skyrocketing and will only get
higher as more users and sites need to be connected. VPNs
offer a way to keep costs in check. Recurring communications charges can be
reduced by using the relatively inexpensive bandwidth of the Internet or a
service provider’s network to connect a user to a corporate network or carry
traffic between sites. For
dial access, the basic idea is to replace that long distance phone call to the
company with a local call into a service provider’s POP.
The cost savings can be significant (see InternetWeek, Dec. 14, 1998,
page VP12). Another
way VPNs can save communications costs and possibly cut down on management costs
is by reducing the amount of access gear required. In
the dial-access scenario, a company would typically have one or more dedicated
T1 lines connected to a remote-access server which are only used for dial-access
users to get into the company network. Additionally, the company would have a high-speed Internet
access line. If
all of the dial-access users switched from direct dial to VPN access, the T1
lines used for dial access could be eliminated since the user would enter the
network over the existing high-speed Internet access lines. This also would
eliminate the cost of the T1 lines to headquarters for dial access. Moving
all users to VPN access also eliminates the need for a remote-access server.
With this piece of equipment removed, the person responsible for its management
would then have more time to concentrate on other duties. Similar
savings can occur in site-to-site connectivity scenarios. Many sites have
multiple access lines: one for traditional data connections and another for
Internet access. If
branch offices are linked to corporate headquarters over a VPN connection, it
might be possible to reduce the number of traditional data lines companywide.
And the WAN access equipment could possibly be consolidated. When you take all of these factors into account, it is easy to see why VPNs are getting so much attention. For years, voice and data services were delivered using what the
telephone companies called virtual private networks. In fact, just about all
software-defined networks are considered VPNs by the phone companies. The current generation of VPNs is very different. A VPN may be defined as
a combination of tunneling, encryption, authentication, and access control
technologies and services used to carry traffic over the Internet, a managed IP
network or a provider’s backbone. The traffic reaches these backbones using any combination of access
technologies, including T1, frame relay, ISDN, ATM or simple dial access. VPNs are getting attention because they reduce communications costs. They
have the potential to integrate a new class of user, the high-speed access
telecommuter, into the corporate network. However, within the past year, there has been noticeable progress in the
deployment of high-speed access services based on cable modems and Digital
Subscriber Line technologies. The problem with these services from a business standpoint has been that
they really only provided high-speed Internet access and did not offer any way
to get back to the corporate network. That’s precisely where a VPN comes in. Marrying the security and
network access features of a VPN to these high-speed access services seems like
a match made in heaven. VPNs encrypt the traffic before it is sent through
the cable modem box. Telecommuters and small remote offices need high-speed access to the
Internet and to their corporate networks. And they need this connectivity to be
priced economically. So software-based VPN approaches in the telecommuter’s home seem to be
viable. And hardware-based VPN solutions that are designed primarily to link
branch offices over T1 lines can easily be used in a telecommuter application.
In this scenario, the VPN device would be placed between the user’s PC and the
cable or DSL modem.
Why should I use VPN?
Changing business trends are changing basic connectivity requirements,
thus increasing the demand for connectivity.
1. The number of telecommuters has increased. There were about 7.5
million full-time telecommuters in 1997.
2. Today’s traveler needs frequent access to the corporate network;
for example, access to e-mail is now considered essential by most
travelers.
3. Professionals require access to e-mail and network applications at
night and on the weekends.
4. Decentralization of corporations is on the rise; most companies today
spread their operations across the country or even the world.
5. Companies now have business applications that require sites to share
information frequently.
In other words, the number of applications that require small sites to
have access to information keeps growing. And this trend is forcing companies to
change the way they connect sites. The cost of using traditional remote access
technology is skyrocketing and will only get higher as more users and sites need
to be connected.
Applications
Several distinct VPN applications are emerging, each with its own
performance requirements, which in turn dictate a set of equipment and service
requirements. The emerging application areas are:
- remote access
- site-to-site connectivity
- extranets
- others
Remote Access
When it comes to remote-access VPNs, the basic concept is to give
telecommuters and mobile workers a way to get back to a corporate network over
the Internet or a service provider’s backbone. In a remote-access VPN, a user dials into a service provider’s point
of presence, establishes a tunnel back to headquarters over that provider’s
network or the Internet, and authenticates himself or herself to gain access to
the corporate network. That is in contrast to the traditional dial-access approach whereby a
user dials into a bank of modems, a remote-access server or concentrator located
within the corporate headquarters. There are a number of reasons to use a VPN for remote access.
First, there is cost savings on the calls. Rather than having a user make
a long distance phone call or use an 800 service to dial directly into the
company, the VPN approach lets the user make a local phone call to the
provider’s POP.
Site Connectivity
Branch offices are connected to corporate headquarters through tunnels
that transport traffic over the Internet or via a provider’s backbone. A company might be able to reduce communications costs by paying only for
the access line from a branch office to the service provider’s POP, rather
than paying for a long distance link to headquarters. In some cases, the cost of using a VPN link is not significantly less
than that of frame relay, since essentially the only cost is for a local
connection at each end. But there are a number of other ways a VPN site-to-site
connection can cut down on communications costs. For instance, many sites have multiple access lines: one to carry data
back to headquarters and a second for Internet access. In fact, some industry
studies have found that as many as 72 percent of sites have multiple access
lines. Using VPN technology for site-to-site connectivity would let a branch
office with multiple links get rid of the data line and move traffic over the
existing Internet access connection. Additionally, site-to-site VPNs can cut communications costs
significantly if a company has many international sites. Typically, the cost to link a European site to a North American
headquarters office can be quite high when using leased lines or data services
such as frame relay. A VPN built around a service provider with points of presence in
countries where there are branch offices would allow the international sites to
pay only for dedicated Internet access to that point of presence. That would be
much less expensive than paying for a long distance link.
Extranets
The third emerging application for VPNs is extranets. There are a number
of ways to create extranets that do not involve VPN technology, but VPN-based
extranets give IT managers another option. The basic idea of VPN-based extranets is to use the access control and
authentication services with a VPN implementation to deny or grant customers,
trading partners and business associates access to specific information that
they may need to conduct business. With
a VPN-based extranet application, the outside party would get to the corporate
firewall by tunneling across the Internet or a service provider’s network. The
ability to get behind the firewall is controlled by the VPN access control
services. It’s difficult to estimate the cost savings of using a VPN vs. another
networking technology for extranets. For many companies, VPN-based extranets
simply allow them to do business they could not do before. So some IT managers use a soft-dollars argument for justifying a VPN-based
extranet. The argument typically goes like this: An extranet gives certain
customers or classes of customers privileges they did not have before and that
other customers do not have at all. For example, a brokerage house could set up classes of users so that a
client that spends the minimum amount gets to trade electronically; a
higher-spending customer gets to trade and gets an Internet account thrown in
for free; and a premium client gets all of this and access to internal stock
market research. Basically, VPN authentication and access control services are used to
manage such levels of access. The selling point for this VPN application is that it builds customer
loyalty. Once the client gets to that second or third level of service with
Internet access and proprietary research thrown in, these intangibles may be
enough to keep a client from switching to another brokerage firm. A harder cost analysis might be possible if the VPN extranet replaces
something else. For instance, some companies that do business with trading
partners using electronic data interchange (EDI) are looking to VPN extranets to
reduce costs. Typically, EDI applications require custom software and the use of
a value-added network (VAN) provider.
New Solutions
One application that is starting to develop is the internal use of VPNs. The idea is to use the encryption, authentication and access-control
services of a VPN to segment populations on a corporate network or intranet. In many situations, companies need to ensure the confidentiality of data.
VPNs can help an IT manager establish and manage this. Using VPN technology to
set up access control to data for different groups of workers solves some
problems IT managers have faced for a long time. For example, many IT managers
have tried to segment user populations using VLAN technology. With VLANs, a
manager can quickly create ad hoc groups of workers who appear to be on a single
LAN segment. A manager can dynamically assign users to specific groups and can
restrict others from any one group. The problem with VLANs is that many approaches are proprietary and do not
work when equipment from multiple vendors is used. VPNs can cut across the mixed
equipment environment by using tunnels between a user’s workstation and a
server. The traffic between the two devices would be encrypted, which helps
ensure confidentiality. VPNs create an environment that is analogous to
physically segmenting users on distinct LAN segments. All four of these applications are not mutually exclusive of each other.
A company could deploy a VPN to link its branch offices, expand the access to
single remote users and then open up the network to outsiders while using the
same equipment and services. Once connectivity needs of remote and outside users
are satisfied, the installed equipment can also be used to segment user groups
on the corporate network.
Advantages of VPNs
VPNs offer a way to keep costs in check.
1. They can reduce the recurring communications charges. VPNs use the
relatively free bandwidth of the Internet or a service provider’s network to
connect a user to a corporate network or carry traffic between sites.
2. For dial access, a long distance phone call to the company is replaced by
a local call into a service provider’s point of presence. If a flat monthly
rate Internet account is used, the cost savings can be significant. A step
further is to look at usage-based services that may cost more than a flat-rate
account, but guarantee network availability and latency across that provider’s
network.
3. Switching from direct dial to VPN access reduces the amount of access gear
required. The T1 lines used for dial access could be eliminated since
the user would enter the network over the existing high-speed Internet-access
lines. This also eliminates the need for a remote-access server.
4. If branch offices are linked to a corporate headquarters over a VPN
connection, it might be possible to reduce the number of traditional data
lines companywide. And the WAN-access equipment might be able to be
consolidated.
Techniques to Deploy VPNs
There are many ways to deploy virtual private networks using existing
networking equipment:
- Routers
- Servers
- Firewalls
Each has its own advantages and disadvantages. The choice of which
approach to use to implement a VPN is often based on a company’s networking
philosophy. Some company networks are router-centric, which means the router may
be where an IT manager decides to add VPN services. Other company networks are
LAN-centric, where servers are the primary elements in an IT manager’s scheme
of things. That may be the determining factor when deploying a VPN. Still other
companies view the firewall as the heart of all secure Internet communications,
thus leading to the selection of a firewall-based VPN approach.
Router-based VPNs
Most router vendors have added VPN services to their products. Using VPN-enabled routers, IT managers can send traffic between branch
offices over the Internet or a service provider’s network.
Dial-in users can access the corporate network by tunneling in over a
provider’s network. There are several advantages to a router-based approach that make it
attractive to IT managers. First, adding VPN services to a router is usually a
software upgrade. Frequently, the IT manager simply has to download some
software from the vendor’s Web site or get a disk from the vendor and install
it on an existing router. That’s usually the case with older routers. New
routers often come with the VPN services built into the unit’s software set or
even into the router’s operating system. Pricing approaches for the VPN
services vary greatly among router vendors. Some throw it in for free with the
operating system; others charge a fee to make use of the VPN features. Typically, the VPN software add-on for routers includes firewall,
encryption and tunneling capabilities. Some vendors link the user authentication
to existing authentication services such as the Remote Authentication Dial-In
User Service. Another advantage of the router-based approach is that there is no need
to change the existing network. This can save operational costs in a couple of
ways and thus reduce the total cost of ownership for a VPN. In some VPN implementations, a dedicated box is needed. This adds to the
management tasks of the IT staff. Installing VPN software on an existing router
means no additional internetworking devices are added to the network. Frequently, dedicated VPN devices are not from the same vendors that
supply routers, switches and hubs. The router-based approach where software is
added means the existing management systems can still be used with the VPN. So
there is no need to train IT staffers on new equipment or management systems. While these are all valuable reasons for using a router-based VPN, there
are other considerations before selecting this approach. First, firewall, encryption and tunneling are all done in software, which
could cause a problem under heavy traffic loads. A dedicated VPN device or
dedicated firewall would likely deliver higher performance.
Of course, it will depend on your specific loads. In many cases, adding
software to a router might do the trick.
Software-Based VPNs
Another way to deploy a VPN is to install a straight software-based VPN. Operating system suppliers and several third-party vendors offer VPN
applications that perform the encryption, tunneling and authentication services
required to link users over a VPN. Although this is a similar approach to using a router-based VPN, one
advantage to a software-based VPN is that it allows an IT manager to use
existing equipment. The software is installed on an existing server. This means
the network configuration remains intact and the same management skills and
tools can be used to administer the VPN. Thus there is usually no additional
training or management software required to keep the VPN connections up and
running. Another advantage to a straight software-based VPN is that the programs
frequently tap existing network operating system authentication services. This
can greatly simplify VPN administration by, for example, linking VPN access
rights to already defined user-access privileges. There are, of course, a few points to consider before using a straight
software-based VPN approach. As in the case of a router-based VPN, performance
may be an issue. Performing VPN encryption and tunneling tasks takes processing
power. One problem in evaluating such a VPN approach is that there are no
standard metrics for determining exactly what the processing load would be on a
server. The factors that determine the load include the number of simultaneous
VPN sessions that need to be supported, the level of encryption of each session,
the type of tunneling used and the rate at which data is being passed over the
VPN. Obviously, connecting hundreds of branch offices with T1 lines to a
central site would require much more processing power in the central site than
supporting a few dozen telecommuters dialing into their service providers over
analog phone lines. The consequences of too heavy a load can vary greatly. An IT manager may
have to limit the number of simultaneous sessions that are supported, thus
leaving some users unable to connect. If the VPN software is running on a server that supports other
applications, the performance of these other applications may suffer as the VPN
services take more and more CPU cycles. In either case, an IT manager may find that a higher-performance server
would be required. So similar to what could happen with router-based VPNs, what
may seem like an inexpensive way to establish a VPN might require the purchase
of a new, high-end server. IT managers who opt for the software-based VPN approach typically start
using an existing server to get some experience with the technology. Usually a
pilot program is established and it is during the pilot that the IT manager
examines the VPN performance under various conditions. Such experiences will
help determine if the existing server is capable of supporting a more expansive
VPN deployment.

Firewall-Based VPNs
Many corporations center their Internet security activities on firewalls,
which are used to keep hackers out. Some companies even check for computer
viruses and malicious code at this point in their networks.

For some IT managers, adding the security services of a VPN only makes
sense at their firewall. As a result, many firewall vendors now support VPN
services within their firewalls. Most often, the VPN services are supported in
software.

This makes it easy for an IT manager to get started using a VPN. The IT
manager simply has to install some new add-on package for the particular
firewall. In some cases, the manager can pay an additional fee to turn on
VPN services that are already supported in the firewall’s operating software.

Again, the advantage is that the existing network remains the same, so
there is no additional equipment to manage. Training is kept to a minimum
because the VPN services are often managed by the same user interface that is
used to manage the firewall.

On the other hand, VPN functions such as encryption and tunneling are handled
by software. Again, performance may be an issue as in the router- and
server-based VPN approaches. Essentially, these tasks may take more processing
power than the firewall has to offer.

If performance becomes an issue, the IT manager may find that a
higher-performance firewall is required. Once more, what initially looked like
a low-cost software upgrade to support a corporate VPN can turn into a new
equipment purchase.

Similar to the other two approaches, IT managers will have to determine for
themselves whether performance will be an issue for their particular
situation. It may be that the existing firewall can easily support the number
of simultaneous sessions at whatever level of encryption is required by the IT
manager, and at the data rates afforded at a particular site.

Which Is Best?

For an IT manager, the choice of which device to add VPN services to will
probably be determined by a couple of basic factors.

The choice of platform might come down to performance. Once an IT manager tries
implementing a VPN on one platform, it may be determined that the device simply
cannot handle the loads anticipated for a full VPN deployment. The IT manager
will then have to decide if it is more economical to stick with that specific
platform type and buy a higher-end version, or if it might be better to select a
different platform altogether. Unfortunately, there is little help in
determining beforehand what the performance will actually be.

Some IT managers say the choice of a platform will come down to their
corporate networking philosophy. If a company does not use firewalls, it's not
likely they will buy one just for VPN services. Similarly, if a company has a
bridged networking environment with servers in most offices, buying a router
just for its VPN capabilities would probably be out of the question.
Conversely, if a company has a huge investment in WAN routers or firewalls, and
a vendor offers a software upgrade that will add VPN services, that might be
the deciding factor when selecting a platform.

Managers might also decide to leave their current networking gear unchanged
and add on these services by installing a dedicated device that handles VPNs.
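
The pilot approach described above, carried one step further as an added example that is not part of the white paper: fit the CPU load measured during a pilot against encrypted throughput, then project it onto the full deployment and onto a session limit. The pilot samples, the 56 kbit/s modem rate, the linear load model, the CPU budget and all function names are assumptions made for this illustration.

```python
# Added example: project pilot measurements onto a full VPN deployment.
# Every number in PILOT is constructed; the linear model is an assumption.
T1_MBPS = 1.544      # T1 line rate in Mbit/s
MODEM_MBPS = 0.056   # assumed analog modem rate (56 kbit/s)

# Constructed pilot samples for ONE encryption/tunneling configuration:
# (aggregate encrypted Mbit/s through the device, CPU % consumed by the VPN)
PILOT = [(1.0, 7.0), (2.0, 12.0), (4.0, 22.0), (8.0, 42.0)]

def fit_line(samples):
    """Least-squares fit of cpu = base + slope * mbps; returns (base, slope)."""
    n = len(samples)
    mean_x = sum(x for x, _ in samples) / n
    mean_y = sum(y for _, y in samples) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in samples)
    if sxx == 0:
        raise ValueError("pilot must cover more than one load level")
    slope = sum((x - mean_x) * (y - mean_y) for x, y in samples) / sxx
    return mean_y - slope * mean_x, slope

def offered_load(sessions, rate_mbps, duty=1.0):
    """Aggregate Mbit/s when each session uses `duty` of its line rate."""
    return sessions * rate_mbps * duty

def predict_cpu(samples, mbps):
    """Projected VPN CPU % at a given aggregate throughput."""
    base, slope = fit_line(samples)
    return base + slope * mbps

def max_sessions(samples, rate_mbps, cpu_budget, duty=1.0):
    """Largest session count whose projected CPU stays within cpu_budget.

    cpu_budget is the share of the device left for VPN work after the
    other applications it hosts have been accounted for.
    """
    base, slope = fit_line(samples)
    if slope <= 0:
        raise ValueError("pilot shows no load growth; collect more samples")
    usable_mbps = (cpu_budget - base) / slope
    return 0 if usable_mbps <= 0 else int(usable_mbps // (rate_mbps * duty))

if __name__ == "__main__":
    for name, n, rate in [("telecommuters", 30, MODEM_MBPS),
                          ("branch offices", 200, T1_MBPS)]:
        cpu = predict_cpu(PILOT, offered_load(n, rate))
        cap = max_sessions(PILOT, rate, 60.0)
        print(f"{n} {name}: {cpu:.1f}% CPU projected, limit {cap} sessions")
```

Repeat the pilot and the fit for each encryption level and tunneling type under consideration, since both change the slope.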