What You Can't See Can Hurt You

VPN Management

In a recent report entitled VPN Hardware Market Share Service done by Infonetics Research, Inc. (San Jose, Calif.) it states that, "Dedicated VPN hardware revenues totaled $37 million in 1Q99 -- more than double 4Q98 revenue -- and are forecasted to grow to $156 million by 4Q99." The study also predicts that the worldwide market for VPN products and services will reach $32 billion by 2003, up from $2.4 billion this year.

Another Infonetics study found that while 37% of respondent ISPs offer VPNs now, 73% plan to by 2000, and they expect a fifth of all their business accounts to use VPNs by that time. With a growth rate that steep, it seems that the question is not "Do I need a VPN?" but "When will I install one?"

Even though an IT manager may view their VPN as one component in their overall enterprise, that manager can't use the same management tools and techniques to control that VPN as they might any other device on their WAN. That's because SNMP and its related capabilities such as discovery, "thresholding" and remote configuration do not yet exist in the lexicon of VPN management.

Those managers who once were able to see a new network device automatically appear on a management console graphic or configure that device from the same console have been forced to turn those tasks over to the ISP providing the link. The VPN appears to them as an ill-defined, amorphous shape in their enterprise diagram similar to the cloud used to signify the carrier in a voice network. In that scenario, the network manager only sees as much of their VPN as the ISP lets them see.

In fact, unlike an enterprise network, where security, network and device management are similar but separate concerns in the enterprise mosaic, the management aspects of a VPN from a client perspective are thought of almost entirely as authentication and access control.

"There have really been three generations of VPN security solutions," says Andreas Schreyer, vice president of marketing and product management for Internet Dynamics, Inc. (Westlake Village, Calif.) a provider and integrator of VPN technology and manufacturer of the Conclave VPN product line. "VPN vendors are primarily focused on data privacy with encryption. Access control has not been a big component of VPN solutions."

The first generation, he says, were point products such as firewalls and authentication devices. The second evolved into integrated network security that combined functions and offered a single management capacity.

"The third generation, where Conclave is now, is policy-based information management, which is a high level way to administer network management," he explains. "Instead of managing network devices and IP addresses which are more low level, [policy-based management] lets you know who has access to what, when they have access and how they have access."

Building a VPN is as much about building a trusted relationship with an ISP as building a link between end points, says Bill Sudlow, senior director of marketing and R&D for HP's Internet Security Division. "It's just like buying anything online," he says. "You've got to make sure you trust the ISP you're connecting to."

A client's first concern should be to authenticate who a user is on the other end and what resource they should have access to. "That authentication could range from minimal user ID and password to being able to see where the connection is coming from," says Sudlow.

In the traditional enterprise management scenario that concept may seem simple enough, but in the reality of connecting a VPN through an ISP it becomes much more complex. Typically, that ISP may be hosting VPNs for any number of clients across a single T3 connection to a POP. In that case, says Sudlow, a client needs to be concerned with how that ISP maintains a separation of applications and data for multiple businesses that may share the same links.


In an article entitled The Road to Safe and Effective VPN Solutions that appeared in Telecommunications Magazine, May 1999, Internet Dynamics' Schreyer points to several pitfalls to avoid in establishing a VPN.

  • Do not apply fixed encryption strength to a connection. Wasteful encryption techniques result in performance bottlenecks or the need for expensive hardware accelerators.
  • Eradicate the network-centric administration paradigm. It forces every communication circuit you want to allow at every point to your private network to be described in "IP language."
  • Avoid VPNs that force you to define a different set of rules and configuration parameters for each network entry point. All entry points should automatically share a database representing a complete view of the network.
  • Automate route and key management instead of configuring every point-to-point connection between routers at all VPN entry points. Implementation scalability makes adding the 100th site to your VPN as easy as the first, not 10,000 times more work to achieve full-mesh routing as is currently the norm.
  • Move from centralized to distributed administration. Instead of one person managing everything at any one time, many people can manage assigned parts of a security policy at the same time.


Even though security and access control have been the defining force behind VPN management to date, SNMP concepts are beginning to infiltrate the technology.

HP has chosen to work with ISPs to develop their network-management needs and provide a customer-centric point-of-view of the VPN. HP OpenView Customer Views for Network Node Manager (NNM), an add-on product to NNM 6.0, allows those service providers to manage and view network resources and events as they relate to the resources offered to individual customers.

"An ISP may have various customers with various service level agreements [SLAs] that guarantee to give a particular level of service required [to each customer]," says Rick Whitner, an architect on HP's NNM team. "[Customer Views] helps ISPs partition their network to make an association with resources on the network and the customers who access them."

Whitner explains that the ISP sees the details of the network: routers, switches and links. Customer Views lets the ISP associate a resource to a physical device such that a customer may be associated with a particular router and the router on the other end. The ISP can then track what resources across the network a customer most depends on.

A Customer Views utility reads customer information from the ISP's database and exports that data to the NNM database. This combination of data sharing and device monitoring lets the ISP establish a relationship between a physical device on its network and the associated customer resources that may be affected should that device fail.
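The device-to-customer association described above, as an added illustration that is not part of the article or of HP's product: a constructed inventory (hypothetical customer, router and link names) maps each sold resource to the physical devices it depends on, so a device failure or an SNMP-style utilisation threshold breach can be expanded to the customers and SLAs it touches, including the shared-core-router case the text raises.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Resource:
    name: str            # a customer-facing resource, e.g. one VPN link
    customer: str
    devices: frozenset   # physical devices the link depends on (both ends)

@dataclass
class Customer:
    name: str
    sla_availability: float   # contracted availability, e.g. 0.999
    resources: list = field(default_factory=list)

# Constructed sample inventory (hypothetical, not from the article): two
# customers whose links share one core router, like the shared-T3 case above.
CUSTOMERS = {"acme": Customer("acme", 0.999), "globex": Customer("globex", 0.995)}
RESOURCES = [
    Resource("acme-hq-to-branch", "acme", frozenset({"rtr-core-1", "rtr-acme-edge"})),
    Resource("globex-dc-to-hq", "globex", frozenset({"rtr-core-1", "rtr-globex-edge"})),
    Resource("globex-backup", "globex", frozenset({"rtr-core-2", "rtr-globex-edge"})),
]
for res in RESOURCES:
    CUSTOMERS[res.customer].resources.append(res)

def affected_by_device(device: str) -> dict:
    """Customer -> list of that customer's resources depending on the device."""
    hit = {}
    for res in RESOURCES:
        if device in res.devices:
            hit.setdefault(res.customer, []).append(res.name)
    return hit

def customers_fully_down(device: str) -> list:
    """Customers left with no resource that avoids the device (SLA exposure)."""
    return sorted(c.name for c in CUSTOMERS.values()
                  if c.resources and all(device in r.devices for r in c.resources))

def utilisation_alerts(samples: dict, threshold: float = 0.8) -> dict:
    """SNMP-style thresholding: devices whose utilisation sample exceeds the
    threshold, expanded to the customers whose links ride that device."""
    return {dev: affected_by_device(dev) for dev, util in samples.items() if util > threshold}

if __name__ == "__main__":
    print(affected_by_device("rtr-core-1"))
    print(customers_fully_down("rtr-core-1"))   # globex still has its backup link
    print(utilisation_alerts({"rtr-core-1": 0.91, "rtr-core-2": 0.30}))
```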

Customer Views notwithstanding, Whitner still sees a need to open up the VPN to a customer's view. "We still need more SNMP type recognition," he says. "There's a level of discovery that needs to be added. We want to give the ISPs the capacity to let their customers see the network and what's going on. That means more audits, more reports and physical layouts."

The intent, Whitner says, is to help the ISPs streamline the process to let them deal with their network on a per customer basis. That will help them provide information to each customer as to exactly what resources and services the ISP is providing, define SLAs more tightly and track those SLAs back to the ISP's physical network.

While Internet Dynamics' Conclave VPN already offers some SNMP-like functions such as thresholds and alerts as they pertain to security violations, Schreyer sees the need to extend that functionality to application control. "We now control all the enforcement points in the enterprise. Instead of an access control list for each application and network device, we should have a unified policy environment for the enterprise." Support for LDAP directories is crucial to that endeavor, he says.

Schreyer points to a large insurance company, a client of Internet Dynamics, that he is working with to extend the number and types of applications that will be policy-enabled. The technique, he says, is similar to an ODBC call that allows the application to query the policy server as long as the user information resides in an LDAP directory. That will provide a true single sign-on capacity and a high-level security policy that spans all resources in the enterprise.

Whitner says that in order to do a better job of traffic management, there is a need to better define metrics for reading encrypted data to determine the effect it's having on the link. "We can do a much better job interpreting unencrypted data."

In a related area, Schreyer sees a trend towards interoperability of the IPSEC standard across VPN vendors. "That will make VPN interoperability real," he says. "The best example was at Networld+Interop '99 where they demonstrated interoperability between 13 different VPN vendors' products. That's critical for business-to-business e-commerce."

And Schreyer sees the standard moving from the server-to-server level where it is now down to the client level with Internet Key Exchange (IKE) clients, IKE being the protocol that allows usage of shared secret keys and certificate-based authentication and key exchange. "In the next 12 months we'll see the emergence of IKE clients so desktops can play into IPSEC-compliant VPNs," he says.