VPN in a Box

Back in its early days, the Internet was viewed as a great liberator for small- and medium-size businesses. Traditionally, companies of this size rarely used a corporate network to tie together their remote offices or to connect to their business partners. The cost and operational complexity to set up and maintain such a network was typically outside their means.

The Internet, however, offered small- and medium-sized businesses access to a networking infrastructure that easily rivaled that of the most sophisticated Fortune 500 company. The early vision held that these smaller companies would come to view the Internet itself as their enterprise network. Working alongside Internet service providers (ISP), these companies envisioned that they would -- over time -- leverage the technology of the Internet and the expertise of the ISPs to put in place Internet-based enterprise networks that offered the same benefits that large companies had enjoyed for years.

In this early model, security was not viewed as a serious problem. People thought that only the biggest of the medium-sized companies would have an interest in using advanced technologies to secure their privacy. In effect, the operative assumption was that most businesses in these segments would be comfortable sending their business information and data over the public, open and not-so-secure Internet.

This assumption proved to be wrong or, at least, wildly optimistic on the part of those who were enthusiastic about finding new ways to use the Internet. In fact, it turned out that only the smallest of small-sized businesses were cavalier about using the public Internet as their unsecured enterprise network.

Virtual private networks (VPN) were, of course, the obvious solution to the problem that was keeping small- and medium-sized businesses off the Internet. VPNs would allow these companies to use the public Internet, but in a manner that would restrict information delivery to those in a closed user group. At first, this solution seemed to be the best of both worlds. Smaller businesses could access a network rich in complexity beyond their wildest dreams, but operationally use the network as if they had set up their own private enterprise network.

The fly in the ointment of this solution was cost. VPNs once again introduced the critical element that had kept small- and medium-sized businesses from setting up private networks in the first place. VPNs demanded infrastructure investment and maintenance. Firewall and security products had to be piece-part integrated and installed at different locations. Policy management over security had to be established and maintained, and all of these elements had to be managed. Small- and medium-sized businesses may have had only a few sites to include in their VPNs, but they were burdened by the fact that they had comparatively few internal resources to dedicate to VPN care and feeding.

In recent days, however, the wheel has turned again as the magic of the market recognized this problem keeping smaller businesses off the Internet. Two solutions have emerged that offer these businesses a way out of their cost dilemma with regard to implementing VPNs. One solution comes from a new category of equipment that allows businesses to easily create and maintain VPNs over the public Internet. The other comes from a new class of service offerings from ISPs and carriers that give companies access to closed and private IP networks.

The new-equipment category could be called VPNs in a Box. As the name suggests, out-of-the box, integrated functionality is the key benefit for small- and medium-sized businesses. These boxes come preconfigured with the firewall and encryption technologies already integrated by the manufacturer. In addition, they also offer integrated authentication services, URL blocking, spam filtering and e-mail server capability. And the entire VPN can be monitored and controlled by Web browser-based management features. In short, the raison d'etre of this new product category is to give companies a hardware/software solution that has a collection of features that delivers a sophisticated VPN capability without the need for expensive piece-part integration and management. As might be expected, manufacturers both large and small are jumping into this business. RedCreek Inc. (San Jose, Calif., www.redcreek.com), TimeStep Corp. (Kanata, Ontario, www.timestep.com), Internet Devices Inc. (Sunnyvale, Calif., www.internetdevices.com) and -- on the big side -- Bay Networks Inc. (Santa Clara, Calif., www.baynetworks.com) are just some of the suppliers offering such products.

VPN packages from ISPs and carriers are the other solution for small- and medium-sized businesses that have a need for a VPN capability but lack the resources to do the job internally. These service packages give companies access to a closed and private IP network. Connections can be made via dial-up or dedicated local loop access, with speeds ranging from 64 Kbps to T1 rates. Service-level agreements (SLA) are often available to guarantee end-to-end latency. And many of the package offerings include service features for the management of any router, firewall or encryption devices installed at different sites. Concentric Network Corp. (Cupertino, Calif., www.concentric.com), ANS Communications Inc. (Purchase, N.Y., www.ans.com), AT&T Corp. (Basking Ridge, N.J., www.att.com), MCI Telecommunications Corp. (Washington, www.mci.com), UUNet Technologies Inc. (Fairfax, Va., www.uunet.com) and Sprint (www.sprint.com) are just some of the companies that have introduced secure VPN services in recent months.

Security risks jeopardized the early vision of the Internet as a boon to small- and medium-sized businesses. In recent months, product and services offerings have emerged to eliminate these concerns and restore the promise that these companies will deploy Internet-based enterprise networks.

--Sam Alunni is vice president of networking at Sterling Research (Sterling, Mass.). Contact him at alunni@sterlingresearch.com.