In-Depth

VPNs for Everyone: Next-Generation QoS Delivers Reliability in Today's VPN World

• By Suketu Pandya
• 12/01/2000

After years of evaluation and industry talk, businesses are now deploying Virtual Private Networks (VPNs) at a rapid rate, as users become more distributed and the demands on corporate computing resources goes 24x7. There is little argument that VPNs are an effective way to connect external users to enterprise resources quickly. They use a widely-available and cost-effective conduit, the Internet. And, with built-in VPN support now a part of the Windows 2000 operating system, they are more easily implemented than ever before.

Because VPNs rely on the public Internet as a delivery mechanism, VPN managers must address two key issues: data security and reliable, consistent application delivery. While both of these issues can be addressed individually, resolving the two issues on a single VPN can be like trying to mix oil and water.

This article explains these key VPN issues, and shows you how you can implement both security and reliability on your VPN with the implementation of next-generation Quality of Service (QoS), also known as Application Service Quality (ASQ).

VPNs help companies get connected. Take, for example, an insurance company with a corporate main office, three regional offices and a roaming sales force equipped with laptop computers. An enterprise network at the main office contains the bulk of the company’s applications and data. The three regional offices all run their own LANs, but need to connect to the main office, and to each other, as well. The roaming sales force needs to be able to connect their laptop computers to both the main office and their respective regional offices, for document submission and claims processing.

Without VPN technology, this company would need to invest in costly leased lines to connect the main and regional offices together. In addition, they would need to maintain their own costly dial-up equipment and phone lines at each location, so that the sales force could stay in touch.

By implementing VPNs, these connections can be made at a much lower cost, with greater efficiency. Using inexpensive dial-up accounts, the roaming sales force can connect to a local Internet Service Provider (ISP), and then use VPN protocols to "tunnel" across the Internet to the main office, or to any of the regional offices. Likewise, the three regional offices can use high-speed DSL or T-1 Internet links and VPN tunneling protocols to connect to the enterprise network. Through VPNs and the public Internet, company employees can always have access to their network resources.

The decreasing cost of Internet bandwidth, along with the explosion of VPN support at the desktop, have put VPNs within reach of virtually every organization. With Windows 2000, VPNs have achieved a huge leap forward in market acceptance and ease-of-use. All versions of Windows 2000 are VPN-ready, and include a built-in Internet Protocol Security (IPSec) protocol stack. With sales estimates for Windows 2000 already at three million (Microsoft), the VPN-ready world seems to be getting a lot bigger. And, Network Interface Card (NIC) vendors now offer on-board IPSec encryption for Windows 98 and Windows NT (in addition to Windows 2000).

Based on these developments, the sale of VPN products is expected to more than triple in the next four years, to $3.8 billion by 2004 (Infonetics Research).

Data security is a huge concern on VPNs, because enterprise data must regularly pass through an unprotected conduit, the public Internet, where data can easily be intercepted and potentially misused. Security is also a serious issue inside the corporate network. According to a 1999 survey, 55 percent of corporate computer-related crimes were carried out by company employees (FBI/CSI, 1999). For VPNs to be effective, they must include a solution for securing enterprise data moving across the network.

To secure enterprise data from theft or misuse, VPNs rely on data encryption. Encryption protocols are used to encode data prior to delivery across the VPN, and then to decode the data at the receiving end. The most commonly used standard for secure Internet communications is IPSec.

Through widespread adoption of the IPSec standard, and the growing prevalence of desktop-based encryption, the issue of data security on VPNs has been solved.

But what about VPN reliability? The Internet and the Internet Protocol (IP) are inherently "best effort" delivery systems. While powerful for connectivity, they lack the consistent and reliable performance required for the effective delivery of business applications.

The term "Quality of Service" (QoS) refers to attempts to ensure delivery across these unreliable IP networks. Today, two different approaches to QoS exist: the traditional, network-centric approach, and the next-generation, application- centric, approach.

Traditional network-centric QoS solutions address the problem of delivery on a packet-by-packet basis. These solutions seek to improve the delivery of each individual packet through differentiated treatment at a router, or other QoS appliance.

Next-generation, application-centric QoS solutions extend the traditional idea of QoS. Instead of focusing on packets, application-centric QoS focuses on applications and application delivery as experienced by users. Proponents of these next-generation QoS solutions have adopted the name Application Service Quality (ASQ), to indicate their focus on the delivery of the application, rather than the delivery of the packet.

Traditional, network-centric QoS involves packet-by-packet processing at a QoS-enabled router, or within a stand-alone QoS appliance. Inside the router or appliance, packets are prioritized using information contained within individual IP packet fields. The IP fields that are used to determine priority include the IP destination address, IP source address, protocol (i.e., TCP or UDP), source port and destination port. Together, these five fields are referred to as the "5-tuple." The 5-tuple fields most commonly used for packet prioritization are the protocol, source port and destination port.

Since this 5-tuple approach is not sufficient for many newer applications that use variable port numbers, the industry is working to extend network-centric QoS to end systems, with a standard known as Differentiated Services (DiffServ). With DiffServ, packets are classified based on importance, and then marked accordingly. Each packet receives treatment at a router or appliance based on its marking. High-priority packets are placed in high-priority queues, and low-priority packets go into low-priority queues.

The network-centric QoS approach, using in-line network devices to process individual packets, is simple in nature and has some definite advantages. Using dedicated QoS appliances, implementation can be accomplished through a "drop-in" installation that doesn’t disturb or change any part of the network. The network manager simply plugs in the appliance, defines some rules for packet delivery, and the installation is complete. When using QoS-enabled routers, even a new device on the network isn’t necessary. The network manager simply enables a QoS module on the router, sets up the rules for packet prioritization, and the job is done.

But despite these ease-of-use features, there is a critical incompatibility between traditional QoS and VPNs. Traditional QoS relies on the use of individual IP packet fields to differentiate and prioritize packets. VPNs, meanwhile, must rely on IPSec encryption to protect data, which by design makes most of the IP packet fields unreadable. Can traditional QoS operate in encrypted VPN environments, using only the three fields IPSec does leave readable: IP source address, IP destination address and protocol?

The IP source address might be used to differentiate packets by user. But just because the user is important, that does not necessarily mean that all of their traffic should receive the same priority. And, as many IT professionals know, an IP address is not always the same thing as an user identity. Dynamic Host Control Protocol (DHCP) addressing makes identifying users by source address very difficult.

Classifying traffic by the IP destination address is also a problem. In VPN networks, packets are generally addressed to a gateway, rather than an individual host. Since large numbers of packets will have the same IP destination address, this field really doesn’t provide sufficient differentiation with which to classify packets.

As for protocol, encrypted packets will always contain "IPSec" in this field. Using the protocol field, you could classify packets based on whether they are encrypted or unencrypted, but this provides very little granularity with which to determine the proper service level for a packet.

Even though traditional QoS offers advantages for non-VPN environments, its inability to prioritize encrypted packets makes it virtually unusable in VPN environments. VPN deployments require a new approach to QoS – one that can beat the encryption trap.

Application Service Quality (ASQ) takes a different approach to QoS. ASQ focuses on application delivery as experienced by the user, and considers this the most important QoS metric.

From this new perspective, ASQ does not look at individual packets. Instead, ASQ controls the flow of application traffic at the client, where traffic originates. Through an "agent" running at the workstation, ASQ solutions interact with applications directly, providing virtual session-layer control of application traffic. The agent controls traffic by allowing applications with higher priorities to send and receive traffic at a higher rate than lower priority applications.

To determine the priority of each application traffic flow, agents rely on instructions from a central policy server. The policy server tells the agent the relative priority of each application, and the agent controls the applications based on these priorities. By applying session-layer control, ASQ solutions can prioritize the delivery of each application flow, without having to worry about controlling each individual packet.

From the perspective of the VPN manager, this client-based approach to QoS is an important breakthrough, because it occurs prior to encryption. ASQ’s session-layer control of applications occurs before traffic is encrypted by IPSec. By implementing QoS before encryption, the ASQ approach completely avoids the issue of having to prioritize encrypted packets. Yet, ASQ still delivers an application-centric QoS that is much more powerful than the packet-by-packet approach.

By controlling application traffic at the source, ASQ provides another major benefit – ASQ completely avoids, rather than simply manages, network congestion. Traditional QoS solutions, because they deal with packets already on the network, do nothing to prevent congestion from happening. They only try to prioritize what is already out on the cable. If the cable itself is already overloaded, then packets will have a difficult time getting through, regardless of their priority. ASQ, on the other hand, controls network traffic at its source, the application, and thus prevents network congestion from occurring.

VPN rollouts are occurring at a blistering pace. Encryption to the desktop, increasing numbers of remote users, and the decreasing cost of Internet bandwidth are all contributing to the growing use and importance of VPNs. Because they rely mainly on the IP protocol and the Internet, VPNs by themselves are also "best effort" delivery systems and require some additional help to ensure consistent, reliable application delivery.

If you already have or are planning a VPN and need QoS today, evaluate a client-side, Application Service Quality approach to QoS. With these next-generation solutions, you can now ensure the effective delivery of critical applications as they flow across your VPN. To meet the challenges of today’s distributed world, you can finally combine a higher level of reliable application delivery with the security of a VPN. About the Author: