With companies looking for simple, cost-effective solutions to enable their businesses, it comes as no surprise that the popularity of Virtual Private Networks (VPNs) is on the rise. Understanding the types of VPNs, how they’re implemented, and some of the drivers behind VPN technology is essential
to making sure companies get the tailored solution they need, while allowing technology providers to capitalize on this growing market.
In general, there are two types of Virtual Private Networks (VPN). The first type is known as site-to-site or LAN-to-LAN, and is typically used to connect Local Area Networks (LANs) at remote locations to corporate networks through the Internet. The Internet is transparent to the LAN-to-LAN user, since the VPN “”tunnel”” provides a secure connection to the other side. This tunnel is created and maintained by a VPN gateway at the remote site, and a VPN concentrator at the main location.
The second type of VPN is the Remote Access VPN, which connects individual tele-workers to corporate networks. The difference between a LAN-to-LAN VPN and a Remote Access VPN is the point where the tunnel terminates at the user side. The Remote Access VPN tunnel terminates at the user workstation and is maintained by VPN client software running on that workstation, while the LAN-to-LAN VPN tunnel ends at a VPN gateway, typically connected to an Internet Service Provider’s (ISP’s) router.
The setup of a VPN doesn’t end once the hardware and software has been implemented. Companies must also consider the management of the network, including such things as a help desk for users, software distribution methods for updates, and a form of monitoring for security reasons.
Implementing a VPN can be a complicated process. Companies need to know what they need, where they need it, and why they need it to get the job done right. IBM, for example, takes a four-step approach when implementing VPNs to achieve the best results possible and ensure companies get the setup they need.
The first step is to evaluate a company’s strategy. What is the goal the company hopes to achieve through the use of a VPN? It may be growth, cost reduction, application enablement, or a combination of those things. Knowing the strategic foundation and the priorities of a company is the first step in successfully implementing a VPN.
The second step is to assess the company’s architecture. Are there standards in place that govern network design and product selection? Determine how the company is set up, what areas need to use the VPN, how much security is in place already or how much more is needed.
The answers you get from the first two steps will lay a foundation for the third step: designing the VPN. When designing a VPN you need to consider the structure of a company. Is there a clearly defined headquarters or are offices distributed and fully meshed? Does the company require connections from branch offices to headquarters only, or is branch-to-branch communication necessary as well? Do remote offices or remote users, require access to Internet sites and secure corporate Web sites simultaneously? Security concerns such as firewall placement will also come into play. Overall, the architecture dictates the design based on the strategy.
Finally, after all of this, it’s time to think about the implementation. There are quite a number of equipment options available. Be sure you know what features you need before you start comparing platforms. After the hardware and software have been chosen, companies then need to think about the implementation and management of their new VPN, the process and tools needed, and whether they have what it takes or whether they’ll need to farm it out. The management costs of a VPN are often overlooked, especially when dealing with a large number of remote users (or remote sites).
Some companies are very well suited for VPN. Dealer networks such as insurance brokers, car dealers, and franchise offices lend themselves well to LAN-to-LAN VPN. Prior to VPN these remote offices typically were connected back to the “”mother ship”” by dedicated ISDN or Frame Relay links. Without a direct connection to the Internet, and driven by the growing demand for business content from the Internet, organizations would provide Internet access for their remote offices through their central firewall (not the most practical solution). We have also seen remote offices maintain their own ISP connections, in addition to dedicated links back to head office, to get to business content on the Internet. At this point a VPN becomes highly feasible. Organizations with a distributed workforce are also good prospects for Remote Access VPNs; especially those that currently have a legacy remote access solution
These examples illustrate the number one driver of VPN technology today: cost reduction. Other drivers include: higher levels of security, increased mobility, better quality of service and increased access to information.
With the increase in VPN popularity also come pressures towards standardization. Most VPNs today are based on IPSec, with some using the SSL security protocol. Encryption is based on DES-3 with some movement towards AES (Advanced Encryption Standard). Users can be assured that VPN technology is secure. To ensure that your VPN solution is secure, however, you have to focus on more than the technology. Processes have to be implemented and followed for secure keys, directory services and network management. Again, do not overlook the costs of these network management components in your business case for VPN.
Companies face a number of options in selecting a VPN solution. There are managed VPN services, hardware-based solutions from reputable vendors, and, more recently, we are seeing customers going the “”do-it-yourself”” route, and building their own VPN solutions with software-based components. Linux offers open-source VPN code that provides the same level of functionality as packaged solutions, with added flexibility. Users now have the ability to customize a VPN solution for their environment which might include firewall capabilities, Web server capabilities, and more, all in one device running Linux.
A popular VPN solution is X.25 replacement. X.25 is an older network protocol used in a variety of applications including most Point of Sale (POS) devices such as card swipers for debit and credit card transactions. X.25 connections are not cheap, running in the range of $200-$400 per month each and with the ability to handle only a few POS devices per connection, a large store or supermarket may need three or four X.25 connections to operate. Tunneling an X.25 connection using VPN technology is a cost-effective alternative to dedicated X.25 lines as the operating costs would consist of only an Internet connection and the related VPN management.
VPN also provides security across private networks. Universities use VPN to secure faculty resources from students, and wireless networks use VPN clients to ensure that there is no unauthorized “”snooping”” from outside their property.
It is hard to determine the size of the VPN marketplace, since there is no way to measure the number of VPN tunnels that crisscross the Internet at any given time. But be assured that this technology is here to stay. In a time when privacy is in the forefront of many business and regulatory decisions, there is little question as to the value of VPNs and their place in the forefront of network technology.
Rod Joyce is a network principle, Virtual Private Networks at IBM Global Services (Canada) in Markham, Ont.
