In-Depth

Secure Connections

You need to cheaply connect users around the globe while keeping the rest of the world out. A VPN may provide an astonishingly quick ROI compared to your current solution.

From the mail clerk to the CEO, your users have come to expect constant, fast, reliable access to their corporate networks. That's true whether they're at their desks, in an airport or in a hotel room in Katmandu. And today's economics demand that you provide such access relatively cheaply.

Virtually anyone in IT management has wished data and users could be a bit closer at times, especially for those users who travel extensively, like salespeople and some executives. There's also the problem of that new branch office you're opening on the other side of the planet, half a world away from the central office and its data. Is a leased line truly the best way to connect?

Enter VPNs—Virtual Private Networks. By design, they provide secure information transfer over an insecure network. Although the details of VPN implementations and applications are almost limitless, here's the main point: There's a network already in place that connects New York, Los Angeles, London, Hong Kong and Mumbai. It's called the Internet, and we all depend on it daily. So why build your own environment when you can leverage this infrastructure to carry your company's private traffic? That's the idea behind VPNs.

Traditional Solutions
Traditionally, companies have used leased lines—ISDN connections, frame relay, Asynchronous Transfer Mode (ATM) and T-class lines (T1, T3)—for connecting distributed environments. Although there are inherent benefits to having "private" connection lines like these, there are also many disadvantages, especially related to implementation, administration and costs.

Leased lines are a traditional solution for remote access and connectivity between offices. For example, your enterprise may have built a bank of modems to support users via dial-up lines. Or maybe your division leases lines to carry traffic between branch offices using T1, ATM or frame-relay technologies. Although these are the "tried and true" methods for connectivity, traditional Wide Area Network (WAN) connectivity has some problems.

Implementation headaches. Implementing a "modem bank" often means choosing an expensive, proprietary solution from a single vendor. That vendor's device supports a fixed number of "ports" (the maximum number of concurrent connections). As business needs grow, the customer must buy additional hardware from the same vendor. Similarly, the enterprise needs specific hardware (and the associated expertise) to support ATM, frame relay, ISDN and other types of connections. Often, assembling the overall solution requires calling many vendors, including telecommunications companies.

Complex administration. IT has come to realize that standardization is the key to manageability, yet maintaining traditional WAN solutions can be a painful and time-consuming process. Remote access solutions also require network administrators to maintain access permissions for remote users, and in some cases those permissions are not integrated with the rest of the organization's security system. Seamless integration into an organization's security architecture is vital for the success of any remote access solution.

Costs. Use of each connection incurs a monthly service charge for leasing the line and a connection charge for long-distance communications. For example, to support up to 300 concurrent connections via a modem bank, you'll need to lease an equal number of analog lines from the telephone provider. Most of these lines will remain idle except during peak periods, when the need is greatest. The same is true for WAN bandwidth. Although organizations try to predict their overall usage patterns for connectivity between offices and remote locations, doing so is difficult. And when bandwidth needs to be upgraded, it can be a painful process because many vendors may be involved. Also, consider the initial costs of purchasing modem banks and other types of connectivity hardware.

Performance and bandwidth issues. Bandwidth for each traditional point-to-point connection is fixed. That's a major technical limitation. When a user dials in at 28.8Kbps, he or she will be fully occupying that port. Whether the user is transferring data or not, no other user will be able to utilize the unused bandwidth. This problem can be overlooked if there are only a few users, but when many users are concurrently connected, the waste of time and money related to connection charges can be tremendous.

Overall, the costs, administrative requirements and reliance on proprietary hardware have made "traditional" remote access a difficult technology to implement and maintain.

VPN Solutions
A VPN is designed to allow secure transfer of data over any network. In most implementations, this network is the Internet, which is actually an "insecure network." Overcoming the weaknesses of this readily accessible worldwide network while leveraging its strengths is a primary goal in creating a VPN.

A VPN solution should be invisible to users, who shouldn't be able to determine (and shouldn't care) how data is being transferred. They just need to know their information is getting to and from other locations. And IT professionals should be assured of adequate data transmission security. The solution should also be easier to implement and maintain than the alternatives.

Remote Access
VPNs provide a remote access solution. Many organizations struggle with the task of providing access to corporate data for users located in hotel rooms across the world. One solution is the traditional "dial-up" method. However, the telecommunications charges alone can be dramatic. Internet access is often a far better solution.

Users can gain access to the Internet through a variety of means, including a modem-based dial-up to an Internet Service Provider (ISP), or through LAN-based Internet access. For home-based users, cable modems or DSL solutions will suffice. And for traveling users, hotel networks should meet the requirements as well. Don't count on your users having LAN-like performance. Although they'll have connectivity to your network resources, overall performance will be based on the quality of their Internet connections.

Once Internet access is established, the user creates a secure connection to the VPN server (which, in most instances, resides in a central office). The VPN server acts as a router or "gateway," granting authorized users access to LAN resources such as file servers, database systems and applications. The key is that the data transferred between the VPN client and the VPN server is encrypted and integrity-checked, so an eavesdropper on the Internet sees only the endpoints and the volume of traffic, not its content. One caveat: once connected, the remote machine is effectively on your LAN, so its own security (patch level, virus protection, who else has access to it) becomes your concern as well.

Branch Offices
Another IT point of pain is connecting remote offices. Instead of using dedicated leased lines to connect remote offices, a VPN allows you to use the Internet to perform the same functions.

The benefits can be dramatic. The basic requirement is that each office has access to the Internet; the methods of access don't have to be identical. A remote sales office might be limited to a dial-up or ISDN Internet connection, larger offices may use a T1, and medium-sized offices may take advantage of low-cost broadband such as cable modem and DSL. The delivery system isn't important: once the offices have Internet connectivity of any sort, they can establish secure VPN connections between each other. For the technical details, see the sidebar titled "VPNs and Security: Back to Basics," but basically, each connection point needs a VPN router, server or gateway. This device is responsible for authenticating and encrypting all traffic sent between the sites over the Internet.

Outsourcing VPNs
Another option is to outsource the VPN, which lets you forget about the implementation details. The ISP provides support and is responsible for encrypting data that travels on its network. Systems administrators and users alike will be happy to hear that no client or server reconfiguration is required. For many environments this is a major plus, but it can be costly: connect-time charges and a surcharge for the added security might apply, and these can quickly eat into the benefit of having a VPN at all. Note also what "on its network" means: the provider, not you, holds the keys and handles your traffic in the clear at its edge, so the arrangement is only as trustworthy as the provider. Overall, an outsourced VPN may be a good solution if you already have a relationship with an ISP that has points of presence in all of the locations you need to support.

Other Uses of VPNs
Because VPNs are designed to provide security over insecure networks, other uses follow. One is a VPN inside a LAN. Although most people associate VPNs with WAN connectivity, you can also use one within the corporate office to ensure that communications between, say, the human resources database and its users stay confidential. With a VPN running over the LAN, all of that traffic is authenticated and encrypted, so anyone sniffing packets on the segment learns nothing useful.

A VPN can also add security to a wireless network. Standards such as 802.11b have brought wireless networking into mainstream use, but the standard has security problems. When wireless access points are deployed, one of the major defenses, physical security, no longer applies: an attacker can sit in the parking lot and attempt to reach network resources. Wired Equivalent Privacy (WEP), the encryption built into 802.11, was designed to prevent eavesdropping on wireless communications, but it's notorious for providing weak security. A VPN that treats the wireless segment as untrusted supplies the authentication and data encryption that WEP doesn't.

A VPN application also works for an extranet that requires a secure mechanism for transferring XML data for b-to-b applications. There are several technologies to handle data transfers, but a VPN is one that can work independently of the application. Developers therefore don't need to worry about issues related to network authentication and encryption.

Business Benefits
For many organizations, the decision to implement a VPN is an easy one. From a business standpoint, the benefits include cost savings, scalability through the use of the Internet instead of leased lines, built-in support for new technologies (such as cable modems, DSL and other broadband solutions), and the flexibility to create and change a WAN infrastructure without concern for the underlying technologies. Furthermore, VPNs can be very easy to implement. For example, a basic VPN client and server can be set up in about 15 minutes using a Windows 2000 Server.

IT managers have to closely examine one particular issue: costs. The implementation of a VPN can provide an astonishingly quick return on investment (ROI) and can have a much lower total cost of ownership (TCO) when compared to the solutions they replace. Table 1 provides an example of cost savings that can be realized from replacing a traditional remote access solution with a VPN-based solution. The implementation costs are low because this solution takes advantage of VPN technologies that are already included as free implementations on common systems (check with your OS vendor for details).

Table 1a: Comparison of (One-Time) Setup Costs

Setup Cost                                        "Traditional" Remote Access   PPTP (for VPN access)
Phone Line Group Setup (200 lines @ $20 each)     $4,000                        n/a
Modem Bank (75 ports @ $100 each)                 $7,500                        n/a
Total (one-time cost)                             $11,500                       $0

Table 1b: Comparison of Monthly (Recurrent) Costs

Monthly Cost                                          "Traditional" Remote Access   PPTP (for VPN access)
Phone Line Maintenance (75 lines @ $15/month/line)    $1,125                        n/a
ISP Charges for Internet Access (200 total users)     n/a                           $4,000 ($20 per user, unlimited use)
Long distance charges†                                $18,720                       n/a (assumed local dialing)
Total (per month)                                     $19,845                       $4,000

Note: The above calculations do not include these items as they are similar in both cases: Internet connectivity (line and adapter cost), server hardware, installation and setup, and modem costs for clients.

†Based on the assumption that, on average, each user will spend 12 hours per month connected to the network, and the cost for long-distance charges averages $.13 per minute ($7.80/hour).

This comparison assumes use of Microsoft Windows operating systems, which supports Point-to-Point Tunneling Protocol (PPTP). Similar comparisons can be made for costs related to connecting remote offices. In many cases, a VPN can be implemented in just a few days, and the solutions can run alongside other WAN links. The result is a quick ROI and low TCO.

Choosing a VPN Protocol
Most organizations already run a common set of network protocols: TCP/IP, DNS, DHCP, WINS (in Windows-based environments), SNMP, SMTP and HTTP. A VPN adds a tunneling protocol on top of that stack, and the choice of tunneling protocol determines both how secure the tunnel is and how much work it takes to run.

There have been several VPN protocol developments that could have an impact on technical decisions in implementing VPNs. Protocols now provide strong support for authentication (ensuring that data is coming from a trusted source) and encryption (protecting data during transit). The choices include:

Point-to-Point Tunneling Protocol (PPTP): Originally designed by Microsoft, 3Com and a host of other vendors, PPTP remains a quick and easy solution for providing VPN-based remote access connectivity. PPTP is well-supported by many hardware vendors and is included in various operating systems. Its weakness is the security of the tunnel itself: the MS-CHAP authentication and MPPE encryption it typically relies on have published weaknesses, so treat it as the least secure of the options here.

Layer 2 Forwarding (L2F): L2F is a Cisco-developed protocol (published as RFC 2341) for tunneling PPP sessions between routers. It's mainly used for router-to-router connectivity and is being superseded by L2TP.

Layer 2 Tunneling Protocol (L2TP): L2TP combines features of PPTP (PPP-based authentication, relatively easy setup) with those of L2F (protocol independence). On its own, though, L2TP is only a tunneling protocol: it authenticates the PPP session but doesn't encrypt the tunneled traffic. In practice it's run over IPSec (see L2TP/IPSec below), and that combination, although harder to implement than PPTP, provides significantly stronger security.

IP Security (IPSec): Part of the standard security mechanism for IP (and a part of the IPv6 standard), IPSec provides authentication and encryption at the network layer, beneath the applications. It has two modes. Transport mode protects only the payload of each IP packet and leaves the original IP header in the clear; it's used between two hosts, for example a client and a server. Tunnel mode wraps the entire original packet, header included, inside a new IP packet addressed between the two gateways, so it's the mode used to connect routers or servers that front whole networks. (The terms "voluntary" and "compulsory" tunneling, sometimes mentioned in the same breath, describe whether the user's machine or the ISP's access server initiates a tunnel; they're properties of PPTP and L2TP deployments, not IPSec modes.) Both modes use state-of-the-art mechanisms for authentication and data encryption. The additional security comes at a price, though. Because IPSec works through a system of policies that must be negotiated between the peers (via IKE), it can be much more complicated to implement, deploy and troubleshoot enterprisewide.

L2TP/IPSec: L2TP can be carried over IPSec. IPSec (in transport mode) encrypts and authenticates the L2TP packets between the endpoints, while L2TP supplies the PPP-based user authentication and the manageability IT staff are used to. This combination is implemented in some current operating systems and is also available from various third-party vendors.
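To make the transport-mode/tunnel-mode distinction concrete, here is an added example (not code from the article) that builds the on-the-wire layout of an ESP packet in each mode and shows what an observer on the Internet can and cannot see. To keep the structure visible it uses ESP with NULL encryption (RFC 2410, a real but confidentiality-free option) and HMAC-SHA1-96 integrity (RFC 2404); a production SA would add a cipher such as 3DES or AES, but the header layout and the mode difference are identical. The addresses, key, SPIs and TCP segment are constructed sample values.

```python
"""ESP in IPSec transport mode vs. tunnel mode (added example, not from the article).
Uses ENCR_NULL + HMAC-SHA1-96 so the packet structure stays readable."""
import hashlib
import hmac
import socket
import struct

ESP_PROTO = 50       # IP protocol number of ESP
IPPROTO_IPIP = 4     # ESP next-header value for an encapsulated IPv4 packet (tunnel mode)
IPPROTO_TCP = 6      # ESP next-header value for a bare TCP segment (transport mode)
ICV_LEN = 12         # HMAC-SHA1-96: SHA-1 HMAC truncated to 96 bits

# Constructed sample values (assumptions for the example, not from the article).
KEY = b"constructed-integrity-key-0123456789"
SEGMENT = b"constructed TCP segment: GET /hr/payroll HTTP/1.0"


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, as used in the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def esp_encapsulate(key: bytes, spi: int, seq: int, payload: bytes, next_header: int) -> bytes:
    """SPI | Seq | payload | padding | pad length | next header | ICV (RFC 2406 layout)."""
    pad_len = (-(len(payload) + 2)) % 4         # pad to 4-byte alignment (NULL encryption)
    padding = bytes(range(1, pad_len + 1))     # default monotonic pad bytes 1, 2, 3, ...
    body = payload + padding + bytes([pad_len, next_header])
    hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(key, hdr + body, hashlib.sha1).digest()[:ICV_LEN]
    return hdr + body + icv


def esp_decapsulate(key: bytes, esp: bytes):
    """Verify the ICV, then strip header and trailer. Returns (spi, seq, next_header, payload)."""
    if len(esp) < 8 + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    authed, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, authed, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV check failed: packet modified or wrong key")
    spi, seq = struct.unpack("!II", authed[:8])
    body = authed[8:]
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[:len(body) - 2 - pad_len]


def esp_transport(key, spi, seq, src, dst, segment):
    """Transport mode: the hosts' own IP header stays outside; only the segment is protected."""
    esp = esp_encapsulate(key, spi, seq, segment, IPPROTO_TCP)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def esp_tunnel(key, spi, seq, gw_src, gw_dst, inner_packet):
    """Tunnel mode: the whole inner packet is protected behind a new gateway-to-gateway header."""
    esp = esp_encapsulate(key, spi, seq, inner_packet, IPPROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def outer_addresses(packet: bytes):
    """What an observer on the Internet sees: outer source, destination and protocol number."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]), packet[9]


def tamper_detected(key: bytes, packet: bytes) -> bool:
    """Flip one byte of the protected payload and check that decapsulation rejects it."""
    esp = bytearray(packet[20:])
    esp[8] ^= 0x01
    try:
        esp_decapsulate(key, bytes(esp))
        return False
    except ValueError:
        return True


def demo():
    """Hosts 10.1.0.5 -> 10.2.0.7 behind gateways 203.0.113.1 and 198.51.100.1 (sample values)."""
    transport = esp_transport(KEY, 0x1000, 1, "10.1.0.5", "10.2.0.7", SEGMENT)
    inner = ipv4_header("10.1.0.5", "10.2.0.7", IPPROTO_TCP, len(SEGMENT)) + SEGMENT
    tunnel = esp_tunnel(KEY, 0x2000, 1, "203.0.113.1", "198.51.100.1", inner)
    _, _, nh, recovered = esp_decapsulate(KEY, tunnel[20:])
    return {
        "transport_wire": outer_addresses(transport),   # end hosts visible on the wire
        "tunnel_wire": outer_addresses(tunnel),         # only the two gateways visible
        "tunnel_inner": outer_addresses(recovered),     # original hosts, after decapsulation
        "tunnel_next_header": nh,                       # 4 = an IPv4 packet was tunneled
        "tamper_rejected": tamper_detected(KEY, tunnel),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running it shows the practical difference: in transport mode the outer header still carries the two hosts' addresses, so a watcher learns who is talking to whom; in tunnel mode the outer header carries only the gateways and the inner addresses travel inside the ESP payload. The tamper check is the ICV doing its job, which is why the article's "authenticating and encrypting" go together.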

Table 2 below shows a summary of the various features and benefits of these protocols.

Table 2: A Comparison of VPN Protocol Features
(IETF RFC numbers refer to documents at www.ietf.org)

PPTP
  IETF RFC #: 2637
  Implementation method (most common): Windows-based operating systems; third-party software.
  Pros: Most compatible; quick to set up; easy to implement and administer.
  Cons: Least secure of the group.

L2F
  IETF RFC #: 2341
  Implementation method (most common): Routers (encryption is handled at the network level, transparent to clients).
  Pros: Can be set up without client reconfiguration.
  Cons: Hardware-only solution; being superseded by L2TP.

L2TP
  IETF RFC #: 2661
  Implementation method (most common): Software or hardware.
  Pros: Protocol-independent; includes authentication mechanisms.
  Cons: No encryption of its own (pair it with IPSec for confidentiality); at the time of writing, built into Windows 2000 clients only.

IPSec
  IETF RFC #: 2401-2409
  Implementation method (most common): Software or hardware.
  Pros: Provides the strongest security; part of the IPv6 specification; potential cross-platform support.
  Cons: Most difficult to set up; lack of complete interoperability between vendors.

L2TP/IPSec
  IETF RFC #: See RFCs for L2TP and IPSec.
  Implementation method (most common): Software or hardware.
  Pros: Strong security (IPSec) plus authentication mechanisms (L2TP).
  Cons: Difficult to set up.

VPN Best Practices
Before implementing a VPN solution, plan an overall network design. Think about network areas that could benefit from a VPN solution. As with any technology, it's important to note potential drawbacks. A well-developed VPN plan for an enterprise environment takes several factors into account.

Network map. Start with a map of your current environment. Define the locations of all links between and within sites, including the amount of bandwidth available at each site, the quality of the links and the costs. Use this information to determine where a VPN solution might be worthwhile.

Prioritization and benefits analysis. Identify pain points before seeking technical solutions. For example, does a WAN link to the Hong Kong office pose significant expenses for the organization? Is the Chicago office using only a small portion of its available bandwidth? Are telecommuting users clamoring for cable modem and DSL connection support? If so, start thinking about VPN alternatives and potential cost advantages.

Administration requirements. Is it necessary to completely control the VPN, or is outsourcing parts of it a comfortable solution? How centralized is the IT infrastructure? If an IT organization exists in each remote office, solutions should provide strong management and configuration capabilities. Also, if minimizing client configuration is a priority, a router-to-router solution is a viable alternative.

Long-term goals. Take into account the organization's future goals. Will there be close partnerships with other organizations? Will the company be adding remote sales offices throughout the world?

Performance and Reliability
When you use the Internet to carry mission-critical information, you are at its mercy to get your data to its destination. It's sort of like driving across town during rush hour: you know you're going to get there, but it's hard to predict exactly how long it'll take. Make no mistake, performance and reliability are real trade-offs that IT leaders should keep in mind when deciding whether to implement a VPN. Slow modems or high-latency broadband connections can mean a pretty slow connection for end users, and the encryption itself adds some overhead on both ends. Especially when a VPN will carry mission-critical operations, implementers must take these risks into account.

Can the risks and drawbacks be mitigated? Yes. The Service Level Agreement (SLA) from your ISP is critical. Be sure that the ISP has designed a fault-tolerant network that takes advantage of multiple backbones to the Internet. Also get meaningful SLA terms for performance and bandwidth availability. Make sure that you can measure an ISP's performance (either through your own monitoring or through reports that the ISP regularly provides). Finally, provide alternatives for mission-critical data transfers. For small offices, a backup ISDN connection might be all that's needed. Choose a backup ISP in case problems arise with the primary ISP. All of this might be challenging, but it can be well worth the effort.
