In-Depth
Linux on the Horizon: Users and Vendors Eye Linux for VPNs
The demand for Virtual Private Network (VPN) solutions running in a Linux environment is growing, although the actual size of the market is hard to pinpoint. The worldwide market for VPN equipment is expected to reach two billion dollars in 2004, according to Infonetics Research. For VPN services, the 2004 worldwide market will hit $18 billion, according to IDC.
Equipment providers, software developers and analysts agree that the demand for VPNs, in general, represent fertile ground for Linux product developers. Vendors already selling Linux equipment can expand their applications to include VPN offerings. Moreover, with innovative Linux networking solutions cropping up – such as the ANG 1000 gateway from Enterasys Networks and Linux Secure Virtual Network (SVN) from Check Point Software Technologies – the Linux loyalists will be able to implement VPNs that satisfy their security and centralized management requirements, as well as their budgets.
"Companies are waking up to this whole VPN thing and are getting pretty excited about it," says Opus One Senior Partner, Joel Snyder, a consultant for organizations implementing VPNs.
Until recently, VPN platform alternatives were either Solaris or NT. "No one likes NT as a security solution, so they’ve been pushing Solaris," asserts Snyder. "Solaris has a cost-benefits issue. Plus, if you have Intel, you don’t want Solaris, so users are flipping over to Linux."
As for the future of Linux VPNs, Opus One’s Snyder tells us that we’re going to see alot of small enterprises absorbing Linux.
When you see Linux, people are thinking cheap," says Snyder, adding that current Linux users are generally not in the enterprise space, so they’re not thinking about how to manage thousands of seats. "That differentiates Linux as a great platform for development from Linux as an enterprise server."
Two free IPSec packages exist in the Linux space – Linux Free S/WAN and KAME. Linux Free S/WAN and KAME are an implementation of IPSec and IKE for Linux that uses strong cryptography and builds secure tunnels through untrusted networks, resulting in a VPN.
"Both are outstanding, but neither are manageable worth a dime," maintains Snyder. "If a business has four branch offices and wants IPSec on the cheap, it can buy dumb PCs, stick Linux Free S/WAN on them and manually configure them for a total cost of $100." On the other hand, he says, "Nokia will want to sell you a $5,000 box, plus three other servers, totaling $10,000."
VPNs consist of dozens of sites requiring proper coordination, meshing and configuration. Each piece needs to interrelate to every other piece. Citing weak management on the Linux side for VPNs, Snyder notes that users are turning to commercial, prepackaged solutions, rather than roll-your-own Linux solutions.
"They happen to stick it on Linux, because Linux is a good thing between your firewall and the box," Snyder continues. "[Linux] gets out of way quickly. Firewalls ask the operating system, ‘I need to store stuff on disk and get to the NIC cards.’ Firewalls don’t want GUI, fancy recovery or anything built into the operating system. So, when you want to build something small and quick, Linux is an ideal candidate. Firewall products don’t care what they’re on top of."
Developers, such as Watchguard Technologies, use Linux, but transparently to the buyer, as OEMs do. Watchguard runs Linux underneath its hardware firewall product. "The buyer sees a red box that does the VPN and firewall, and the fact it has Linux is irrelevant," says Snyder.
Recently, Check Point Software Technologies started developing Linux-based systems in response to its customers’ requests. Its Linux SVN architecture gives Linux users access to the same Internet security benefits already available on other major operating systems and platforms.
Seizing the opportunity, Check Point also is working with hardware vendors to make firewall and VPN appliances. "A number of appliance vendors plan to use Linux as the operating system in their appliances," says Check Point’s Product Marketing Manager, Mike Lee. "The vendors will buy software from Checkpoint and sell a bundled VPN solution."
Lee touts Linux as a good security platform. "For us, Linux is probably the highest performing platform we have," Lee says, adding that in performance benchmarking, Linux consistently comes out at the top.
Other vendors are turning to Linux as a platform for their VPN solutions. "Most people think about Linux for general-purpose computer applications, but Linux is also a great system for special-purpose networking and Internet applications," says Openreach Inc.’s CEO, Mark Tuomenoska.
According to Tuomenoska, although software VPNs are flexible and run on readily available, inexpensive, general-purpose computers, these systems – UNIX and Microsoft Windows NT – don’t perform as well and are not as reliable as network equipment. On the other hand, hardware VPNs – designed to deliver optimal performance and reliability – are proprietary and expensive to buy and deploy.
"Linux-based VPNs provide the best of both worlds – the flexibility and low costs of a software-based solution, with the performance and reliability of a hardware-based solution," says Tuomenoska.
The Adoption Challenge
The superiority of Linux is not in dispute, but widespread adoption will be a challenge, partially due to the mystique surrounding Linux. "Linux has been the domain of the techies," says Tuomenoska. "The critical success factor for Linux is making it accessible to more people. Linux, technically, is a superior solution, but it’s not taking off because it’s esoteric."
"NT is not reliable enough for network applications and is too inefficient to provide high-performance," continues Tuomenoska. "And traditional UNIX systems don’t have the support required for a larger community of users."
Now enterprise customers who’ve invested in learning and managing Linux for other applications can reuse that learning to build advanced data networking applications.
"Today, most enterprises implementing VPN solutions have staff that really understand Linux and can set up the VPNs themselves using open-source projects or software available in its supplier’s Linux distribution; or, look to service providers who use Linux to implement VPN, but don’t require the customer to learn all the details of the VPN software, per se," says Tuomenoska.
Companies like OpenReach are creating services using Linux-based VPN software, allowing users to administer their entire VPN through a graphical user interface without having to make an investment in understanding all the ins and outs of Linux.
"Linux is [proving] to be a good alternative to embedded systems," asserts Tuomenoska. "Embedded systems were designed to do high performance, and one of the reasons why Cisco, Lucent and Nortel are able to sell VPN equipment is because Windows and UNIX can’t keep up with their embedded operating systems."
Responding to a growing desire on the part of thousands of customers who want to use Linux with VPN connections, Cisco Systems offers a Linux-based VPN solution.
"People make up their minds that they want to run Linux," asserts Cisco’s Product Manager, Pete Davis, who sees that Cisco’s challenge lies in bringing Linux, a multi-user system, to the same level as a VPN client. Typically, in this environment the VPN is not manageable or scaleable.
In a site-to-site application, customers may use S-WAN in conjunction with the Cisco 3000 concentrator. Although supporting Triple DES and IKE, S-WAN is very static. However, Cisco also offers a more dynamic Linux client as part of its VPN 5000 concentrator family, providing a user-based authentication system, allowing remote users to authenticate individual users.
The innovative approach taken by Enterasys Networks involves a low-end plug-and-play network gateway called the ANG 1000.
"Right from the beginning we’ve run into customers wanting VPN solutions for non-Microsoft platforms," observes Enterasys’ Director of Technology Development in the VPN Solutions Group, Inderpreet Singh.
Enterasys discovered that the many intelligent things it could do in a Windows environment were extremely difficult to replicate in the Linux world. Making one piece of code work in all the different Linux environments is a major challenge.
"We decided that [the Linux VPN] could be done, but in a better way," says Enterasys’ CEO, Dave Zwicker. Linux users tend to be higher-end engineers working at home or working collaboratively – as opposed to PC users who may just want to do e-mail. That’s why Enterasys can support a Linux environment with multiple nodes or small networks more effectively with a hardware client than with a software-embedded VPN client.
Centralized management remains a critical issue for the enterprise. "Linux users are quite savvy with configuring PCs for multiple applications," Singh explains, but VPNs present a different kind of challenge.
In fact, Singh sees centrally manageable remote access Linux-based clients as a fertile area for development. For example, now with IKE and IPSec, user authentication is also required, but it’s not readily available in Linux-based IPSec implementations. All of those implementations are site-to-site implementation. In general, enterprises want user-based, rather than device-to-device authentication.
In spite of progress in the Linux VPN area, much work remains to be done before current off-the-shelf Linux solutions are up to speed. "Progress has been made in the protocols themselves, but for a holistic VPN approach, the management piece is critical," asserts Singh. Centralized policy management, IP address management and distribution of user names and passwords are examples of the value that providers like Enterasys add to their Linux VPN implementations.
The Enterasys solution has all the VPN and management functionality built into it. There are also other network management features that Linux does very well, such as Dynamic Host Configuration Protocol (DHCP). PCs have to get IP addresses assigned to them. ANG 1000 already has that.
Typical Linux users have multiple PCs. They need some application that manages the IP addresses of the PCs. ANG 1000, can provide this, as well as a managed VPN solution.
"Until the Linux applications have those management holes and other issues solved, this ANG 1000 is an easy to use, quick value-add for remote users," Singh concludes.
Another advantage of using Linux in a VPN solution is that people working in the Linux environment can roll up their shirt-sleeves and dig in to provide the best possible feature set and performance, according to Linux Wizardy’s CEO and President, Mike Carpenter. "As a result, the open software is very dynamic and really keeps pace with the software world, like Microsoft and Adobe," insists Carpenter.
Linux Wizardry offers an embedded Linux product, Magic Passage VPN. Its box runs Linux on a VPN server and/or client that can scale from small- or home-offices and telecommuters to large businesses and ISPs. Magic Passage VPN interconnects its networks through a robust embedded firewall.
Linux Wizardry’s solution also insulates end users from intricate set-up and provides a transparent mechanism for dialing into corporate resources or ISPs. In addition, its box is remotely configurable through the Web.
Linux supports both PPTP and IPSec, and L2TP, as well. The Linux VPN server can talk to a Windows VPN client and vice versa, which is an advantage in heterogenous networking environments.
In short, Linux VPNs offer the typical advantages of the Linux world – reliability, low cost, speed and built-in networking. But, Linux Wizardry’s Linux Technology Officer, Bao Ha cites performance and security as top Linux benefits. "If you compare between Linux and other operating systems, Linux has better performance. If you are using IPSec, it’s alot more secure than the PPTP solution provided by Microsoft."
Judy Silver is a freelance technology writer for the Washington News Bureau.