VOLUME 1, NUMBER 4 | WINTER 1998

Virtual Private Networks: Can Benefits Match the Hype?

By Dr. Ed Harrison
Executive Consultant and Director
IBM Global Services



The explosive growth of the Internet has led to a surge in the number of companies exploring real e-business opportunities. Once company executives have experienced the advantages of allowing business partners and suppliers access to corporate data, they often want to expand those initial forays into e-business. For many companies, a virtual private network (VPN) appears to be a compelling solution.

What is a VPN and who should use it? The word private is the operative term, since a VPN essentially provides a corporate WAN (wide area network) capability through a private connection over the Internet (or other public network). In many ways, VPNs are a natural evolution of networking systems delivering solutions for business.

Simply stated, a virtual private network extends a company's private intranet across the Internet, creating a secure connection through a private "tunnel." With a VPN, a company's resources can be accessed through the Internet by remote users, such as telecommuters, branch offices across the globe, and the company's business partners and suppliers.

Some of this sounds similar to an extranet, but it differs in the level of security associated with a VPN's infrastructure — the use of a tunnel and data encryption, for example. For some medium-sized businesses, the promise of virtual private networks seems irresistible, especially for those with little or no current networking capability. VPNs can give them an immediate global reach on the Internet. Other companies may consider replacing their existing WAN with a VPN for better performance and lower total cost of ownership.


Weighing the Benefits

The appeal of a virtual private network is in its lower operational and capital equipment costs, the limited technical resources needed, the ease of setup, and of course, the lure of the worldwide reach of the Internet.

Established companies with an existing network can lower costs because less equipment is required for a VPN, and a multi-vendor environment is not a problem. For example, those with existing dial-in infrastructure can eliminate modem pools and remote access servers and thereby reduce operational expenses. Internet service providers (ISPs) can offer all VPN users cost-effective access to the Internet via local telephone numbers or direct lines, eliminating current frame relay and expensive leased lines.

A 1997 VPN Research Report by Infonetics Research Inc. estimated savings from 20 to 47 percent of wide area network costs by replacing leased lines to remote sites with VPNs. And for remote access VPNs, savings can be 60 to 80 percent of corporate remote access dial-up costs. When one considers that Internet access is available worldwide, the price/performance gain can be quite dramatic.

Another consideration for evolving companies is that implementing a VPN requires only minimal setup and limited in-house technical resources. With many companies experiencing limited technical expertise, especially in networking, outsourcing this piece of the network can be a viable option.


VPN Drawbacks

For all its perceived advantages, there are several performance issues to consider when exploring whether a VPN is right for your business. Some questions involve the Internet itself:

  • Availability and functionality: The Internet is not yet an industrial-strength network. Failures in ISP networks and the Internet itself can play havoc, as frequent press reports of Internet outages demonstrate. The ISP industry is attempting to improve network reliability to prevent these outages.

  • Service Level Agreements: Most ISPs now guarantee 99.6 percent availability, and some are offering service level agreements that provide for credits or refunds if network availability falls short. However, service level agreements today are only for the service provider's network and generally don't apply once data crosses to other networks.

  • Latency: Currently, no ISPs offer service level agreements for latency (transmission delays) related to VPN traffic, although latency agreements are expected soon.

  • Viruses and security: While viruses and security breaches can still be an issue, a number of new, robust technologies are available which can provide a measure of confidence.


Where Are VPN Standards?

Standards for VPNs — essentially tunneling protocols — are another important issue, and are just becoming available. The most promising is Internet Protocol Security (IPSec), an open standard chosen by the Internet Engineering Task Force (IETF) that provides secure communications transparently, with no changes required to existing applications. IPSec offers cryptography-based protection for all data at the IP layer of the communications stack. Its industry-standard network security framework is for use in both IPv4 and IPv6 environments.

IPSec protects data traffic in three ways, using robust techniques:

  • Authentication: The identity of a host or end point is verified.

  • Integrity checking: Ensures that no modifications were made to the data while in transit across the network.

  • Encryption: Protects information while in transit across the network to ensure privacy.

Other standards include Point-to-Point Tunneling Protocol (PPTP), developed by Microsoft, and Layer 2 Forwarding (L2F), developed by Cisco, both for remote access. Microsoft and Cisco are working with the IETF to merge these protocols into a standard called Layer 2 Tunneling Protocol (L2TP). The intent is to use IPSec for tunnel authentication, privacy protection and integrity checking.

In any event, in the rush by some to create VPNs, some non-standard tunneling protocols are being created. This can create a dilemma for ISPs later, since the lack of uniformity may make it difficult to extend these initial solutions.


Communicating Across the Network

Three typical scenarios can help explain how a VPN can be used:

  • Business Partner/Supplier: With a VPN, a parts supplier can have global, online access to the manufacturer's inventory plans and production schedule at all times. The frame relay service or leased lines used today for this interaction are more expensive, and the geographic reach may be limited.

    VPN Solution: A VPN provides a cost-effective alternative. Tunneling is needed between the client and server in the different intranets. Authentication and encryption are needed between client and server in the different intranets.

  • Branch office connection: The branch office scenario, unlike the business partner/supplier, securely connects two trusted intranets within the organization. This is a key difference, since the security focus is both protecting the company's intranet against intruders and securing the company's data while it flows over the public Internet.

    VPN Solution: Security focuses on ensuring data is protected as it travels between the two intranets. Tunneling is needed only between the firewalls, since both intranets are trusted. No IPSec solution is needed since the intranets belong to the same company.

  • Remote access: A remote user, whether at home or on the road, needs to be able to communicate securely and cost-effectively back to the corporate intranet. While many still use expensive long distance and toll-free telephone numbers, the cost can be greatly minimized by using the Internet via a VPN.

    VPN Solution: Access to the VPN is via dial-up to an ISP using a local telephone number. An authenticated and encrypted tunnel is needed between the remote user and the firewall at the company intranet boundary.


Assessing a VPN

Today, many enterprises are evaluating VPNs, and some are in test mode. One federal agency, for example, has been planning to link its various locations across the country with its own WAN. Now, they've held that up while a task force assesses whether a VPN can do the job more efficiently. A major retailer is also assessing whether a VPN can serve as its global network.

The question now is, what hurdles will have to be overcome before VPNs move from pilot testing to wide-range deployment? Performance and security are the biggest obstacles, as well as scalability and the establishment of standards. A VPN also requires more than technology. When assessing the strengths of a VPN, it's important to work with a vendor who understands the issues of deploying a VPN. There's no question that the vendor's networking experience plays heavily into the equation.

At this time, VPNs look like very good, cost-effective solutions, but they are not yet mature enough to see widespread deployment. And with the Internet's often inconsistent performance levels, it's not clear, for example, whether some companies with complex corporate data resources, such as banks, financial services companies and insurance companies, will ever rely on a public IP network like the Internet to move information.

There's also the issue of the delivery system — the ISPs themselves. As Internet usage continues to grow dramatically, one wonders if they have the bandwidth to maintain satisfactory service since a VPN is just one in an expanding list of IP services they are providing.

Even the Gartner Group's research in early 1998 concluded that, while attractive, VPNs are still a new, emerging technology that needs further testing. Indeed, VPNs show great promise, but it remains to be seen whether this potential can be fully realized in the near future.

ABOUT THE AUTHOR
Dr. Ed Harrison is the practice leader of the IBM U.S. Networking Consulting Practice.



Web Site © Copyright 2020, 1999 by Lionheart Publishing, Inc.
All rights reserved.

