Extending the Edge of the Enterprise
Clients, vendors and employees look for fast and reliable remote access to corporations' networks and files while out of the office.
Remote access continues to be one of the fastest growing areas in networking, with small-business and enterprise users relying on the technology for fast, reliable and secure connections to their corporate networks from locations outside of the traditional office. The worldwide remote access market, worth about $720 million in 1994, is projected to be worth $4.4 billion in 1998 (Infonetics). The primary driving force behind this growth has been the proliferation of Internet use and the advent of corporate intranets. Corporations, facing increasingly competitive environments, are turning to access technologies to facilitate closer partnerships with suppliers and customers, as well as to keep employees in touch with corporate resources while at home or on the road. This article provides an introduction to remote access technology and examines some recent developments and their impact on remote access approaches and public service offerings.
The principle of remote access is as old as host-based computing itself. Classical host-based solutions involve terminals that are either directly connected to a host computer or indirectly connected via cluster controllers over wide area connections (dial, leased lines or X.25) to the central data centers. Characteristic of this remote control scenario is that program logic, data management and presentation are all carried out on the host system, with the terminals simply acting as a user interface, hence the term "dumb terminal." With the advent of personal computers, it wasn't long before a whole new generation of remote control programs emerged. Examples of PC-based remote control applications are pcAnywhere by Symantec and WinFrame by Citrix Systems. Remote control programs require that applications reside and run on a host PC on the office LAN (Local Area Network), with the remote or "controlling" PC acting as a user-interface extension of the host application. Since user applications actually run on the office-based workstation, the only data transferred over dial lines are keyboard input, mouse movements and display updates. All file system related application data remains on the LAN. The advantage of this approach is that I/O bandwidth intensive operations remain on the "host" side and do not have to be transferred over slow communications links. One of the major disadvantages of remote control is that application data is not locally available to the mobile user, making any form of off-line work impossible. In addition, PC-based remote control is not scalable, because it requires dedicated host machines, each of which can realistically handle only a small number of remote control clients.
Remote Node Technology
The requirement for a user-transparent and universally applicable approach to remote access led to the development of remote node technology, which forms the basis for Internet and corporate remote access of today. Remote node technology, as the name suggests, permits a remote user (or client) to act as a true node on the network with access to all the same network resources as if locally attached. Access to the corporate network is provided by an access server typically connected to the Public Switched Telephone Network (PSTN). A remote user connects to the server via a dial circuit and establishes a Point-to-Point Protocol (PPP) connection through which multi-protocol LAN traffic can flow.
At the core of the remote node client is a software-based network adapter, rather than a physical LAN adapter, which appears and acts as a true network interface to the protocol stacks above it. The remote client also contains a PPP dialer which, in addition to connection control (set-up and tear-down of the connection, authentication and compression), is also responsible for the transfer of data packets over the PSTN-based WAN (Wide Area Network). Remote access clients suitable for corporate remote access applications should include support for all commonly used network protocols including TCP/IP, IPX and NetBEUI, as well as LLC (802.2) for SNA-based host access. The client should possess a GUI (Graphical User Interface) to guide a user through call set-up and tear-down, as well as providing convenient configuration of all parameters, such as network login and support for third-party security systems. While older operating systems required the installation of a separate remote client which had to be integrated with the existing networking environment, operating system vendors have in the meantime become very aware of the importance of remote node technology and have integrated this functionality into their operating system products. Examples of integrated remote access clients are Windows 95 Dial-Up Networking and OS/2 LAN Distance.
On the corporate LAN, the access server acts as the single interface between the public communications network (PSTN) and the corporate LAN. The server participates in the critical authentication, authorization and accounting services while performing the translation of WAN-side PPP traffic back into native LAN protocols. In general, access servers are either software based or dedicated hardware solutions. Software-based solutions such as Windows NT RAS or Novell NetWare Connect are installed as additional services on Windows NT or Novell server platforms. Given the direct integration of these software-based access components into the network operating systems and the possibility of using available general purpose hardware, it comes as no surprise that this has become a very popular approach to remote access for small and medium businesses with homogeneous network environments. One issue associated with this software-based approach is that it does not scale well. The specialized communications adapters which must be integrated with existing general purpose platforms place unique performance demands on such systems, in the form of the numerous interrupt requests generated by a large number of WAN connections to be managed. Other issues are related to the support of the numerous additional hardware components required to make up a remote access system and possible incompatibilities, given that the different components will typically come from multiple vendors.
Dedicated hardware-based remote access servers, on the other hand, are specifically designed with the requirements critical to corporate remote access in mind, such as high availability, performance, security and scalability. Dedicated remote access platforms will generally provide support for token-based authentication schemes, such as SecurID by Security Dynamics. Another critical function provided by access servers is accounting, which involves the tracking, auditing and reporting of security and usage activity. In addition to required billing capabilities, these features also enable network administrators to identify and report usage patterns and unusual activity by authorized or unauthorized users. Dedicated network access platforms intended for small offices will typically offer support for a fixed number of individual analog or ISDN lines on the WAN side. As port requirements grow beyond a few dozen ports, however, a more practical solution is a chassis-based access concentrator. Concentrator class access servers obtain their WAN side connection from higher capacity digital T1/E1 or ISDN PRI service, rather than individual analog lines. These servers will typically support multiple T1 lines and include integrated modems for the support of hundreds of connections with a single chassis. Additional capabilities of remote access concentrators include the automatic discrimination of analog and ISDN call types, thus permitting transparent access for all classes of users via a single access number.
Remote Node Performance
Although the intent of remote node technology is to provide a LAN access experience that is "as good as being there," the one fundamental difference that remains is in the connection bandwidth available to the remote user. While a standard Ethernet LAN offers data rates of up to 10 Mbps, dial connections are typically limited to 33.6 kbps for analog dial or 64 kbps for an ISDN "B" channel. All of the above connection technologies therefore offer less than one hundredth of the bandwidth of a conventional Ethernet LAN connection. While compression schemes may promise significant performance gains, actual results are highly dependent on the nature of the data being transmitted, so compression alone cannot make up for the huge bandwidth discrepancy.
Remote access system vendors have worked around the bandwidth limitation through intelligent bandwidth management schemes designed to maximize link utilization and available bandwidth. For example, the local spoofing of network keep-alive traffic improves the effectiveness of dial links by eliminating the transfer of non-essential traffic. Other bandwidth management techniques include packet prioritization and scheduling techniques, such as the piggy-backing of routing table updates. These techniques help to further minimize latency and maximize the bandwidth available to application data.
The nature of the network-based applications has perhaps the greatest impact on remote access performance. Typical network applications simply treat the network as an extension of a local file system. While the "network as file system" model may be the most effective approach to application development, it typically involves excessive data transfers which drastically reduce performance in environments where bandwidth is at a premium. Performance of such inefficient applications can be greatly improved through the use of caching agents operating at the network file system level of a client workstation.
In the majority of remote access applications, analog modems are used to transmit modulated data traffic over the voice channels of the PSTN. Analog modem technology continues to have great importance for mobile users as it can provide access to a remote LAN from wherever a telephone line exists, that is, from roughly 600 million locations worldwide. Current modulation standards, such as ITU (International Telecommunications Union) Recommendation V.34, achieve data rates of up to 33.6 kbps (a rate surprisingly close to the theoretical limit) using only 3.3 kHz of voice bandwidth. As the "last mile" extension of the digital phone network, ISDN provides switched digital access with guaranteed QoS (Quality of Service) and much greater bandwidth than analog. Basic rate ISDN service provides two B (or Bearer) channels of 64 kbps each (for a total of 128 kbps) plus a D channel used for signaling.
The recent trend to connect remote access servers directly to the digital phone networks has led to a hybrid digital and analog access technology commonly known as "56K." The first 56K-based products introduced to the market were based on one of two vendor-specific "standards." The requirement for an industry standard to guarantee multi-vendor interoperability has led to ITU Recommendation V.90. All 56K approaches take advantage of a digital connection at the server which permits downstream transmission using PCM (Pulse Code Modulation), at rates up to 56 kbps, over analog phone lines. Unlike ISDN, however, the transmission scheme is rate adaptive, allowing it to work (albeit slower) on analog lines with less than optimal conditions. Voice band filtering and A/D (Analog to Digital) conversion that take place on the upstream end of an analog connection prohibit the use of PCM for upstream transmission. The upstream component must be handled using conventional (analog) V.34 modulation, limited to 33.6 kbps.
The growing requirements for multi-megabit connections, to support bandwidth intensive multimedia applications, have driven the development of a whole new generation of high speed access technologies. The most promising of these is the family of xDSL (Digital Subscriber Line) services already being offered by some North American carriers. These xDSL technologies promise to deliver data rates up to multiples of T1 speed (1.544 Mbps) over traditional copper phone lines. Unlike circuit-switched ISDN, xDSL is currently being offered as a point-to-point service. That is, xDSL customers order "permanent" connections to desired sites, such as their office network or ISP, that are "up" all the time. Another key feature of xDSL is that the service is provisioned to support the 4 kHz voice channel required for self-powered POTS (Plain Old Telephone Service) operation. Since the voice and data transmission bands operate independently, there is no requirement for an additional analog voice line with xDSL. A further incentive to the carriers in deploying xDSL is that the technology may help to address the current congestion issues on the PSTN. Since the PSTN was originally provisioned to handle voice calls with an average hold time of a few minutes, the voice network is clearly unprepared for the current explosion of "unlimited access" Internet use. With xDSL, the access connection is terminated at the carrier's CO (Central Office), where voice and data channels are de-multiplexed. The voice channel is routed onto the PSTN as usual, while data traffic can be handed off to existing Frame Relay or ATM networks, thus off-loading the PSTN.
Virtual Private Networks
Recent advances in VPN (Virtual Private Network) technology promise a new generation of remote access solutions of unprecedented flexibility and scalability. A VPN can be defined as an extension of a private corporate intranet across a public network such as the Internet. The building of VPNs is made possible through standards-based tunneling approaches such as L2TP (Layer 2 Tunneling Protocol) and IPsec (IP Security), which permit the creation of a point-to-point connection or "tunnel" through a public network. The two play different roles: L2TP carries PPP frames across an IP network but provides no encryption of its own, so the confidentiality and integrity of a tunnel come from IPsec, applied either directly or to protect the L2TP traffic. The immediate benefit of a VPN approach to remote access is the flexibility that results from leveraging a service provider's local presence, since access to the VPN is available wherever public network access (or Internet access) exists. In addition, there are obvious savings for mobile dial users, since all long distance calls can be replaced by local calls. Another advantage to corporations is the tremendous outsourcing potential of any or all components of a corporate remote access service to a carrier or ISP. There are two basic approaches to VPN-based remote access:
In the first scenario, a user establishes a dial-up session to a local POP (Point of Presence), where the NAS (Network Access Server) of the service provider authenticates the user. Based on the authorization of the user, the NAS establishes a tunnel through the public network to the edge of the user's corporate network and assigns a private IP address for communication on the corporate LAN. The user's packets are encapsulated in a tunneling protocol, such as L2TP, by the NAS and routed to the corporate home gateway, beyond which the packets are once again visible on the corporate network. Note what is and is not protected here: the tunnel begins at the NAS, not at the user's PC, so the dial segment lies outside it and the service provider's NAS handles the user's traffic in the clear. The corporation is therefore trusting the provider with both authentication and the plaintext of the session, and the tunnel itself protects the traffic on the public network only if it is secured with IPsec rather than carried by L2TP alone. Advantages of this approach to a corporation are that line access, end-user support and accounting can be effectively outsourced to the service provider.
In the end-to-end scenario, the user's PC is equipped with client networking software that has built-in VPN capabilities. In this case, a dial-up session is first established to a local POP, where the user is authenticated strictly for public network access. The authenticated user is assigned a public IP address by the NAS and establishes an L2TP-based tunnel between the client workstation and the corporate home gateway. Upon final authentication by the corporate home gateway and the assignment of an unregistered or private IP address for the "session," tunneled PPP traffic flows end-to-end. Because the tunnel terminates on the user's PC, the ISP never sees the corporate session in native form, and authentication to the corporate network is performed by the corporation's own gateway rather than delegated to the provider; as in the first scenario, however, L2TP encapsulation by itself hides nothing from an observer on the public network, so the tunnel must be protected with IPsec wherever confidentiality is required. The advantage of the end-to-end approach is that it is service provider independent, since the ISP is simply providing Internet access and no tunneling services. However, since the ISP is not aware of the tunnel, there is no opportunity for value-added services. Another disadvantage of this approach is the additional bandwidth consumed on the point-to-point link by the extra encapsulation.
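The two scenarios above differ in where the tunnel starts, but the encapsulation itself is the same in both. The following added example (written for this page, not code from the original article or from any IBM product) builds one tunneled packet in the RFC 2661 L2TP data-message layout, IP/UDP/L2TP/PPP/IP, and then checks two things a practitioner cares about: how many bytes the extra headers cost on a slow dial link, and that the inner packet, with its private corporate addresses, is carried verbatim, which is why L2TP on its own gives no confidentiality. All addresses, tunnel and session IDs and the inner packet are constructed for the example; checksums are left at zero since nothing is actually transmitted.

```python
"""Added example: L2TP data encapsulation of a PPP-framed IPv4 packet (RFC 2661 layout).

Everything below is constructed for illustration: the addresses are documentation
ranges, the tunnel/session IDs are arbitrary, and no packet is ever sent.
"""
import struct

# Constructed addresses (documentation ranges, not a real deployment).
REMOTE_CLIENT_PUBLIC = bytes([203, 0, 113, 7])   # public address the ISP's NAS assigned
HOME_GATEWAY_PUBLIC = bytes([198, 51, 100, 1])   # corporate home gateway on the Internet
CLIENT_PRIVATE = bytes([10, 1, 2, 3])            # private address assigned for the session
LAN_SERVER_PRIVATE = bytes([10, 1, 0, 10])       # file server on the corporate LAN

L2TP_UDP_PORT = 1701          # RFC 2661
IPPROTO_TCP, IPPROTO_UDP = 6, 17
PPP_PROTO_IP = 0x0021         # PPP protocol number for IPv4

# Bytes added around every inner packet: outer IP + UDP + L2TP data header + PPP framing.
ENCAP_OVERHEAD = 20 + 8 + 6 + 4


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; header checksum left at zero (not transmitted)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len,   # version/IHL, TOS, total length
                       0, 0,                        # identification, flags/fragment offset
                       64, proto, 0,                # TTL, protocol, checksum
                       src, dst)


def build_inner_packet():
    """The user's packet as it appears on the corporate LAN: private addresses,
    20 bytes of constructed TCP header standing in for an ACK."""
    tcp_ack = struct.pack("!HHIIBBHHH", 1025, 445, 1, 1, 0x50, 0x10, 8192, 0, 0)
    return ipv4_header(CLIENT_PRIVATE, LAN_SERVER_PRIVATE, IPPROTO_TCP, len(tcp_ack)) + tcp_ack


def ppp_frame(ppp_proto, payload):
    """PPP frame as carried inside L2TP: HDLC flags and FCS are not carried,
    address/control 0xFF 0x03 kept (it may be compressed away if ACFC was negotiated)."""
    return b"\xff\x03" + struct.pack("!H", ppp_proto) + payload


def l2tp_data_header(tunnel_id, session_id):
    """RFC 2661 data message with no optional length/sequence/offset fields:
    flags word 0x0002 means T=0 (data), L=S=O=P=0, Ver=2."""
    return struct.pack("!HHH", 0x0002, tunnel_id, session_id)


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def tunnel_packet(inner_ip_packet, tunnel_id, session_id, outer_src, outer_dst):
    """Wrap an IP packet as IP/UDP/L2TP/PPP/IP, exactly as the client (end-to-end
    scenario) or the provider's NAS (first scenario) would before forwarding it."""
    l2tp = l2tp_data_header(tunnel_id, session_id) + ppp_frame(PPP_PROTO_IP, inner_ip_packet)
    udp = udp_header(L2TP_UDP_PORT, L2TP_UDP_PORT, len(l2tp)) + l2tp
    return ipv4_header(outer_src, outer_dst, IPPROTO_UDP, len(udp)) + udp


def overhead_fraction(inner_len):
    """Share of link capacity spent on encapsulation for a packet of the given inner size."""
    return ENCAP_OVERHEAD / (inner_len + ENCAP_OVERHEAD)


def inner_is_cleartext(outer_packet, inner_packet):
    """L2TP encapsulates but does not encrypt: the inner packet is present verbatim."""
    return inner_packet in outer_packet


def parse_outer(outer_packet):
    """Decode what an observer on the public network can read from the outer packet."""
    flags, tunnel_id, session_id = struct.unpack("!HHH", outer_packet[28:34])
    inner = outer_packet[ENCAP_OVERHEAD:]
    return {
        "proto": outer_packet[9],
        "udp_dport": struct.unpack("!H", outer_packet[22:24])[0],
        "l2tp_version": flags & 0x000F,
        "tunnel_id": tunnel_id,
        "session_id": session_id,
        "inner_src": inner[12:16],          # private corporate address, readable as-is
        "inner_dst": inner[16:20],
    }


if __name__ == "__main__":
    inner = build_inner_packet()
    outer = tunnel_packet(inner, 7, 3, REMOTE_CLIENT_PUBLIC, HOME_GATEWAY_PUBLIC)
    print(f"inner {len(inner)} bytes -> tunneled {len(outer)} bytes "
          f"({overhead_fraction(len(inner)):.0%} overhead for this ACK-sized packet)")
    print("1500-byte inner packet overhead:", f"{overhead_fraction(1500):.1%}")
    print("observer sees:", parse_outer(outer))
    print("inner packet carried in the clear:", inner_is_cleartext(outer, inner))
```

The overhead numbers make the article's bandwidth point concrete: for a 40-byte acknowledgement the 38 encapsulation bytes nearly double the packet on a 33.6 kbps dial link, while for a full 1500-byte packet they cost under three percent. The `parse_outer` result is the security caveat in bytes: tunnel and session IDs, the PPP protocol number and the private source and destination addresses are all readable by anyone on the path, so an L2TP tunnel is a routing construct until IPsec is applied to it.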
Major changes are taking place in the remote access landscape. New standards-based tunneling technologies such as L2TP, combined with the high access speeds promised by xDSL, ideally position the carriers and ISPs as the major providers of remote networking products and services. The carriers are at the same time working frantically to alleviate the potentially severe congestion problems on the PSTN (a network originally designed to carry voice traffic) caused by the explosive growth of Internet traffic. These problems may be alleviated through the deployment of xDSL access technologies, which will help to offload network traffic from the circuit-switched PSTN to packet-switched networks better suited to data. With the telecommunications companies working in close partnership with corporations on these challenges, we can expect to see an entirely new generation of highly flexible and pervasive remote access solutions destined to become the next essential competitive business tool.
About the Author:
Mark Kuepper is responsible for the Canadian technical marketing support of IBM's family of network access products at IBM Networking Systems in Markham, Ontario, Canada. He can be reached at (905) 316-8074 or via e-mail at firstname.lastname@example.org.