
January 1999
The VPN Speaks
BY AGNES IMREGH
Voice over Internet Protocol (VoIP) is a growing market, and corporate users have been
finding significant cost savings in their long-distance and international calling as a
result of implementing Internet telephony in their phone systems. However,
cost-effectiveness is just a part of the overall process of converging the voice and data
networks. Like many convergence-related applications, VoIP is often presented and analyzed
in isolation. Corporate users might want to slash their long-distance phone charges with
Internet telephony, but they have some even more fundamental issues to consider.
The most basic of these is the evolving business communications architecture. Two huge
changes in the corporate business model have led to this new architecture. First, we've
moved into the world of the virtual corporation: distributed, dynamic, and always
technology-reliant. Everything from daily operations to strategic planning is communicated
among people who may never see each other. Second, distributed operational and planning
groups are now formed, disbanded, and reformed in new configurations in a continuing,
dynamic cycle.
Communications technologies are expected to effectively replicate the immediacy,
reliability, and privacy of a boardroom session for a geographically independent
workforce. To accomplish these goals, data communications has been elevated to peer status
with voice communications (sparking the convergence movement), and the secure virtual
private network (VPN) has been developed as a business communications architecture.
BUILDING SECURITY
The secure VPN runs on top of shared networks, such as the Internet or a corporate LAN.
Using a combination of data encryption and user authentication, a secure VPN builds
tunnels through the shared network that connect authorized users and prevent access by
anyone else. Management software can allow these tunnels - also known as security
associations - to be set up and torn down in the time it takes to drag an icon across a
management screen. Since the VPN uses the Internet and corporate LANs as media, most
places on the globe can be easily integrated into this low-cost and secure communications
environment.
The first uses of secure VPNs, like the first uses of the Internet, were for data
communications. The next step has been to accommodate voice-data convergence, such as in
VoIP, within the existing VPN architecture. In this context, the main advantages of
VPN-based VoIP are as follows:
Privacy
Just as with data, voice business communications have an ideal environment within the
secure VPN. The same encryption that protects other business traffic - from e-mail to
corporate data access - protects VoIP communications within the secure VPN.
Authentication
The same authentication services are also effective. Business phone calls are frequently
between people who don't know or recognize each other, yet they may have to conduct
sensitive conversations. VPN-based authentication verifies that people are who they say
they are, virtually the same process as checking a person's ID badge before letting them
into a private office.
System sharing
An important consideration of VoIP within a VPN is that much of the hardware and media are
often already part of the corporation's existing infrastructure. The current servers,
routers, LANs, and Internet connections can be enhanced with encryption and authentication
systems to build VPNs. When the VoIP capability is introduced, it uses the same system,
even sharing some of the existing management functions.
New applications
Many emerging CTI (computer telephony integration) applications can make use of a VoIP platform. For example, say that a
VPN is established among a manufacturer and its major corporate customers. A customer can
search for information or actually buy products using the manufacturer's e-commerce Web
site. If the customer has a question, the application can give the customer a voice
connection to a customer representative. Using the VoIP platform, the representative can
immediately see where the customer has been on the Web site, where he or she is now, and
efficiently answer questions. Such applications exploit the VoIP potential while at the
same time protecting ordering and other business communications within the secure VPN.
Low-cost voice service
Finally we come to the cost savings. Internet telephony does eliminate the per-minute
telephone usage charges, presenting a serious argument in favor of VoIP. And where
corporations already have an underlying VPN architecture, the Internet telephony service
gets all the secure VPN benefits for free.
SELECTING A VPN PLATFORM
All of these benefits of VPN-based VoIP, of course, come with a matching set of caveats.
The VPN must be capable of handling VoIP with the performance, security, standards, cost,
and installed-base compatibility that each user corporation demands.
A key design focus of the VPN is that the security functions be transparent to both
users and applications. When that concept is implemented, it allows the VPN to support VoIP
and virtually any other packetized IP traffic on the network. In the case of VoIP, the
voice signal is digitized and compressed within a telephony gateway. It is then routed
through the VPN system, which sets up a secure tunnel and encrypts the packets for
transmission. With this platform approach to VPN design, the VoIP digitization and
compression processes occur externally to the VPN, which accepts and handles the VoIP
packets as it does any other IP packets.
Security Versus Latency
The most widely discussed technical issue with VPN-based VoIP is throughput. Voice
communications just don't work with even a modest amount of latency. But because secure
VPNs encrypt data, they may create a throughput bottleneck when they process packets
through their encryption algorithm. The problem usually gets worse as security is
strengthened. For example, Triple DES (Data Encryption Standard) uses a long, 168-bit key.
Triple DES runs the DES cipher three times over every block of a packet, effectively
tripling the encryption overhead.
But VoIP can be secure and free of perceptible latency on a VPN. The solution is to
optimize the encryption algorithm and the data path, and handle all processing in a
dedicated encryption processor. Having a dedicated processor also ensures that encryption
overhead isn't shifted to a host server, which might require an expensive upgrade in host
hardware.
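The latency discussion above is about processing cost, but a related throughput cost that anyone sizing a VPN for voice will want to see is framing overhead: a voice packet is small, so wrapping it in an IPsec tunnel grows it by a larger fraction than it grows bulk data. The following Python script is an added example, not code from the article or from RedCreek, that computes the on-the-wire size of a voice packet after ESP tunnel mode with DES/3DES-CBC and a 96-bit HMAC, using the standard IPv4, UDP and RTP header sizes and the ESP field sizes from RFC 2406. The codec payload sizes and the 50 packets-per-second rate are assumed sample inputs for illustration, not figures from the article.

```python
"""Per-packet overhead of carrying small VoIP packets through an IPsec ESP
tunnel (tunnel mode, DES/3DES-CBC, HMAC-96 integrity check).

Added example; header sizes are standard values, codec figures are assumed.
"""

from dataclasses import dataclass

# Header sizes in bytes (IPv4 without options, UDP, fixed RTP header).
IPV4_HEADER = 20
UDP_HEADER = 8
RTP_HEADER = 12

# ESP framing per RFC 2406: SPI (4) + sequence number (4), an 8-byte IV for
# DES-CBC or 3DES-CBC, a 2-byte trailer (pad length + next header) and a
# 96-bit (12-byte) truncated HMAC integrity check value.
ESP_HEADER = 8
ESP_IV = 8
ESP_TRAILER = 2
ESP_ICV = 12
DES_BLOCK = 8  # DES and 3DES share a 64-bit block


@dataclass
class EspTunnelResult:
    inner_packet: int   # plaintext IP/UDP/RTP packet the telephony gateway produced
    padding: int        # bytes of ESP padding added to reach a whole cipher block
    wire_packet: int    # bytes on the wire after tunnelling
    expansion: float    # wire_packet / inner_packet


def esp_tunnel_overhead(voice_payload: int, block_size: int = DES_BLOCK) -> EspTunnelResult:
    """Size a voice packet before and after ESP tunnel-mode encapsulation."""
    inner = IPV4_HEADER + UDP_HEADER + RTP_HEADER + voice_payload
    # Everything from the inner IP header through the ESP trailer is encrypted
    # and must therefore be a whole number of cipher blocks.
    to_encrypt = inner + ESP_TRAILER
    padding = (-to_encrypt) % block_size
    encrypted = to_encrypt + padding
    # New outer IP header + ESP header + IV + ciphertext + integrity check.
    wire = IPV4_HEADER + ESP_HEADER + ESP_IV + encrypted + ESP_ICV
    return EspTunnelResult(inner, padding, wire, wire / inner)


def bandwidth_bps(packet_bytes: int, packets_per_second: float) -> float:
    """IP-layer bit rate for a steady stream of equal-sized packets."""
    return packet_bytes * 8 * packets_per_second


# Constructed sample codecs (assumed, not from the article): 20 ms of audio per
# packet, i.e. 50 packets per second. G.729 carries 20 bytes per 20 ms frame,
# G.711 carries 160 bytes.
CODECS = {"G.729 (8 kbit/s)": 20, "G.711 (64 kbit/s)": 160}
PACKETS_PER_SECOND = 50

if __name__ == "__main__":
    for name, payload in CODECS.items():
        r = esp_tunnel_overhead(payload)
        print(f"{name}: inner {r.inner_packet} B -> wire {r.wire_packet} B "
              f"(pad {r.padding} B, x{r.expansion:.2f}); "
              f"{bandwidth_bps(r.inner_packet, PACKETS_PER_SECOND) / 1000:.1f} -> "
              f"{bandwidth_bps(r.wire_packet, PACKETS_PER_SECOND) / 1000:.1f} kbit/s")
```

Run as a script it shows that the 8 kbit/s codec's 60-byte packets become 112 bytes on the wire (an 87 percent increase, 24 to 44.8 kbit/s at the IP layer), while the 64 kbit/s codec's 200-byte packets grow by only 28 percent. That is why the throughput budget for VoIP over a VPN has to be made per packet, not per megabit, and why the fixed cost of the tunnel matters more for compressed voice than for data.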
Security Standards
Another important consideration is standards support. A big communications standards
hurdle was overcome when the Internet and most of the rest of the world embraced IP as the
standard, global transport. The IP security protocol (IPSec) is now providing the same
quality of standardization for VPNs. IPSec is a collection of security standards developed
by the Internet Engineering Task Force (IETF), covering encryption, authentication, and
key management. IPSec also sets up a tunnel through the Internet, manages the tunnel while
the connection is in use, and removes the tunnel when it's no longer needed. Apart from
its functions, IPSec's primary value is that it provides a robust standard for reliable
VPN service, and it is also beginning to enable multi-vendor interoperability among
IPSec-compliant systems.
Several different encryption algorithms are used on VPNs. By far, the most widespread
and well supported is Data Encryption Standard (DES). DES is supported by IPSec and is
available in several versions: 40-bit, 56-bit, and Triple DES (112-bit or 168-bit). In
practice, 40-bit DES provides privacy from casual readers, 56-bit DES protects data against
serious attack, and Triple DES is stronger than any other standard encryption system on
the market. Financial institutions, for example, have standardized on Triple DES.
International Issues
VoIP and either DES or Triple DES encryption are fully compatible assuming that the VPN
delivers the necessary throughput. Internationally, however, corporations can run into
other factors. The U.S. Department of Commerce places restrictions on the export of
certain encryption technology. DES is usually exportable, while Triple DES is not. On the
other hand, that generality takes numerous forms - from total export exclusions applied to
a handful of countries to okays on Triple DES export for some specific industries and
users. Most corporations whose VPNs will extend outside the United States should find out
whether their VPN provider has exportable products and how export regulations will impact
networks built with those products. (For more detail, check with the Dept. of Commerce or
visit the RedCreek Web site, cited at the end of this article.)
CONCLUSIONS
That same big-picture assessment should also be the first step in considering VoIP
itself. For corporations that are building a business communications architecture with
secure VPNs, VoIP is a natural, highly cost-effective, and now secure extension of their
evolving communication system.
Agnes Imregh is vice president of marketing for RedCreek Communications. Founded in
July 1996, RedCreek Communications, Inc., develops and markets the Ravlin family of
network security products based on its CryptoCore architecture. Ravlin products give
customers a wide range of network security hardware and software solutions that provide
IPsec standard wireline speed without network degradation. For more information on
RedCreek's VPN family of IP and Microsoft NT solutions, please visit their Web site at www.redcreek.com.