Whenever I hear the word virtual, I remind myself that it means not
really. So, when I hear about virtual private networks (VPNs), I'm torn. Does
the virtual pertain to private, in the sense that you needn't rely on private
networks to access private information, that you can privately convey information
and transact business over facilities that are, in fact, public? Or does virtual pertain
to all those things we associate with the word private, things like security
and reliability?
A lot depends on the technology. If it's sufficiently advanced, you get the best
of everything: security and reliability on the one hand, and accessibility and
availability on the other. However, if the technology disappoints us, we may come to regard
virtual as a cruel joke, something that claimed it would collapse the
distinction between public and secure, but that ultimately left it intact.
REMOTE HOPE
When we leave the office, many of us miss feeling connected. Whether we're at home or
on the road, we can't help but wonder what we might be missing. Of course, we could
check our voice mail once in a while. But what about our faxes? What about our e-mail?
When it comes to faxes, the best thing is to store them on your computer, preferably in a
universal inbox of some sort. Then, you can remotely access them as easily as your e-mail.
Of course, when it comes to e-mail, you could content yourself with checking Internet
e-mail, by dialing into a local POP. This would help somewhat, but it would also introduce
different problems. For instance, you would have to deal with two separate message stores:
one on the corporate PC, and another on the laptop. That would defeat the purpose
of having one universal inbox for all your new and legacy e-mails, and possibly your faxes
and voice mail (provided you were able to collect them in your e-mail system).
Another problem with Internet e-mail access, as opposed to remote access, is that
you'll have to do without the information resources of your corporate LAN. What if an
e-mail alerted you to the urgent need to send someone a particular document, a document
that happened to reside on your corporate PC? If you were to receive that e-mail via
Internet e-mail on your laptop, you would simply be out of luck!
PROXIMATE FEAR
While a company may appreciate the advantages of granting remote access to employees, it
may also suspect a few drawbacks. That is, a company may fear remote access will bring
security breaches, high implementation costs, additional phone charges, and maintenance
headaches.
Security: To extend access to road warriors (for e-mail, say), a company needs
to make a hole in its firewall large enough to admit the good guys, but small enough to
exclude the bad guys. How small is small enough? Or, for that matter, too small?
Uncertainty over this issue inhibits action.
Implementation Costs: Some remote access solutions require that companies
purchase additional hardware and software. And some solutions demand expertise that is
lacking in-house. Thus, some companies may need to work with specialized VARs, thereby
incurring extra costs. (Aside from the cost issue, MIS personnel or network managers may
object to VARs simply because they are wary of having an outsider mess with
their LAN.)
Phone Charges: If a company installs a remote access server (RAS), the costs
don't end when the installation is complete. The company will have to pay for
dedicated lines to the RAS, as well as for all the phone charges that mount as employees
begin dialing in from all over the country, or even the globe.
Maintenance: Any solution that opens the corporate LAN to remote access requires constant
maintenance. For example, MIS must constantly update access passwords and logon IDs to
keep up with employee turnover.
ALTERNATIVE SOLUTIONS
Several remote access solutions are available. One alternative is to take advantage of the
wireless IP network. (For one excellent wireless solution, see the review of
AT&T's PocketNet in this issue.) Another alternative is to put some modems in a
Windows NT RAS server. There are also turnkey RAS products which do not need Windows NT,
such as 3Com's OfficeConnect.
The latest craze, however, is VPN. (VPNs in private intranets will take off in the next
year or so; VPNs on the Internet will take off in two or three years.) If you doubt this
new market shows a lot of promise, take a look at all the companies scrambling to grab a
piece of it. In this space, contenders include industry heavyweights such as Cisco,
Lucent, Microsoft, and Newbridge Networks.
MORE ON THE VPN ALTERNATIVE
VPNs address many of the concerns that have prevented corporations from implementing
remote access. For example, with VPNs, cost becomes less of an issue, since you put
traffic onto the Internet. You can use an ordinary Web server, instead of investing in
leased lines and specialized hardware (which you may need to implement a RAS solution).
Also, you can save on phone charges since employees can dial into the nearest ISP point of
presence (POP), instead of directly dialing into a corporate server. To address the other
big bugaboo, security, VPNs offer IP tunneling. With IP tunneling, corporate traffic may
go onto the Internet, a public conveyance, but its movements are restricted. In a sense,
corporate traffic is confined to a tunnel (an encrypted link, if you will), where the only
outlets are VPN endpoints.
To set up a tunnel between a remote client and the corporate network, you can choose
between at least two options: client-transparent and client-initiated tunneling.
Client-Transparent Tunneling: The main advantage of this method is that the
remote client doesn't require any special software. However, the remote client will
need to dial into a tunnel-enabled access server, that is, an access server capable of
establishing an encrypted link with a tunnel server or gateway, which typically resides
behind the corporate firewall. Both the access server and the tunnel server will need
special software. The problem here is that the access server belongs to the ISP, and the
ISP's software must be compatible with yours. Also, the link between the remote
client and the ISP is not encrypted.
Client-Initiated Tunneling: This method requires tunneling software both on
the remote client and on the tunnel server or gateway, but the ISP doesn't need
to support tunneling in any way. Instead, tunneling (establishing an encrypted link, based
on user ID and password authentication, or even a digital certificate) is left to the
remote client and the tunnel server. The ISP needn't intervene, or even be aware that
you've established an encrypted link. Also, the link is encrypted end-to-end, from the
remote client to the tunnel server behind the firewall.
BEYOND REMOTE ACCESS: CTI AND INTRAOFFICE CONNECTIVITY
Most CTI products use some sort of network functionality, whether it's transmitting
caller ID information, enabling remote access, sending fax/voice/video and other data to
your inbox (unified messaging), distributing calls among multiple call centers, or even
transmitting call control commands. These CTI technologies all rely on some sort of
network topology. The more elaborate solutions usually require a private leased line.
If there were a low-cost alternative to leased lines, one that delivered security and
performance, developers would use it. In my opinion, VPNs are one such solution to the
problem of expensive leased lines or even remote access servers with a rack of modems.
Of course, VPNs have yet to equal the performance of leased lines, but they're
getting better. In the meantime, VPNs could help out with lots of applications that rely
on non-critical, non-realtime data. One such application is unified messaging, which could
easily become an economical remote access solution via VPN. For example, a road warrior
could access messages by dialing a local POP instead of incurring long-distance charges to
the company's 800 number.
VPNs are also attractive in other areas. Examples include accessing the corporate LAN
and network files, browsing the Internet, and engaging in text chat with employees,
all on one inexpensive Internet connection.
VENDOR APPROACHES
Many vendors are introducing VPN solutions, and all are grappling with the basic challenge
of combining universal availability and quality of service. Some vendors emphasize IP in
their solutions, and hence availability. Others emphasize ATM, with its built-in quality of
service (QoS) capabilities. Several are attempting to work with both. Below, we take a
look at what a few vendors are doing.
MICROSOFT AND CISCO
Not long ago, Microsoft and Cisco announced they would collaborate on a VPN method called
Layer Two Tunneling Protocol (L2TP). This new protocol is supposed to combine the merits
of Microsoft's Point-to-Point Tunneling Protocol (PPTP) and those of Cisco's
Layer Two Forwarding (L2F). (Microsoft's PPTP performs client-initiated or
client-transparent tunneling by wrapping PPP packets in IP, which is a Layer Three
protocol. Cisco's method, on the other hand, accomplishes tunneling via Layer Two
protocols, such as Frame Relay and ATM.)
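As an added illustration (not from the article or from any vendor's code), the following Python models the encapsulation the PPTP aside above describes, a PPP frame carried inside IP (via GRE), together with the tunnel picture from the MORE ON THE VPN ALTERNATIVE section: the outer header carries the public addresses of the client's ISP connection and of the tunnel server, while the inner header carries corporate addresses. The addresses and payload are constructed, and the headers are simplified (no checksums, no GRE sequence numbers).

```python
import struct
from ipaddress import IPv4Address

GRE_PROTO = 47          # IP protocol number for GRE; PPTP carries PPP over GRE in IP
GRE_TYPE_PPP = 0x880B   # GRE protocol-type value meaning "payload is a PPP frame"
PPP_PROTO_IP = 0x0021   # PPP protocol field value for an IPv4 datagram

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; constructed example)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def parse_ipv4(packet):
    """Return the addresses, protocol and payload of one IPv4 datagram."""
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (f[0] & 0x0F) * 4
    return {"src": str(IPv4Address(f[8])), "dst": str(IPv4Address(f[9])),
            "proto": f[6], "payload": packet[ihl:f[2]]}

def pptp_encapsulate(outer_src, outer_dst, inner_packet):
    """Wrap an IP datagram in PPP, then GRE, then an outer IP header."""
    ppp = struct.pack("!BBH", 0xFF, 0x03, PPP_PROTO_IP) + inner_packet
    gre = struct.pack("!HH", 0, GRE_TYPE_PPP) + ppp   # flags/version zeroed: simplified
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre)) + gre

def pptp_decapsulate(packet):
    """Peel the outer IP, GRE and PPP headers; return (outer, inner) parsed datagrams."""
    outer = parse_ipv4(packet)
    if outer["proto"] != GRE_PROTO:
        raise ValueError("not a GRE-in-IP packet")
    _flags, gre_type = struct.unpack("!HH", outer["payload"][:4])
    if gre_type != GRE_TYPE_PPP:
        raise ValueError("GRE payload is not PPP")
    ppp = outer["payload"][4:]
    _addr, _ctrl, ppp_proto = struct.unpack("!BBH", ppp[:4])
    if ppp_proto != PPP_PROTO_IP:
        raise ValueError("PPP frame does not carry IPv4")
    return outer, parse_ipv4(ppp[4:])

def build_example():
    """Constructed packet: private corporate inner addresses, public outer addresses."""
    inner = ipv4_header("10.0.0.5", "10.0.0.20", 253, 10) + b"hello corp"  # 253: experimental proto
    return pptp_encapsulate("198.51.100.7", "203.0.113.1", inner)

if __name__ == "__main__":
    outer, inner = pptp_decapsulate(build_example())
    print("Internet sees:", outer["src"], "->", outer["dst"], "proto", outer["proto"])
    print("Inside the tunnel:", inner["src"], "->", inner["dst"], inner["payload"])
```

Note that encapsulation by itself hides nothing: anyone on the Internet path who captures the outer packet can recover the inner datagram exactly as pptp_decapsulate does, so the privacy the article attributes to the tunnel comes from encrypting the PPP payload, not from the wrapping.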
L2F requires support in the access servers as well as the routers; thus, the ISP needs
to support L2F. Is this a problem? Well, we can suppose that L2F will enjoy wide support
simply because 75 to 80 percent of the Internet and corporate intranets use Cisco
routers. Even so, you could, at any time, run across a non-Cisco router, one that
doesn't support L2F. Then you're out of luck.
The potential for such mishaps means that L2F will be used at first primarily on
intranets, or by high-speed Internet backbone providers. L2F does have an advantage over
PPTP in that it supports authentication for the tunnel endpoints, for instance between the
access server (ISP POP) and the tunnel server (corporate site).
It used to be that you could perform PPTP only from a Windows NT client (workstation)
to a Windows NT server. However, with Microsoft's update to Dial-Up Networking v1.2
(which is downloadable), you can attain VPN/tunneling capabilities from Windows 95
clients.
LUCENT
Lucent has gone beyond the IP world of VPNs with its OneVision network
management system. The OneVision system can create and define service objects that
represent VPNs and map them to ATM virtual circuits, which have QoS built-in. This will
help the ISPs and backbone providers, but will probably have little effect on the client
end, since most client networks are IP-based.
NEWBRIDGE NETWORKS
Not content to choose between IP and ATM, Newbridge Networks is working with both
protocols. With its Multi Protocol Over ATM (MPOA) approach, Newbridge uses different
routing servers for each VPN, segregating them from one another and the public Internet.
When an MPOA agent requests that an IP address be decoded into an equivalent ATM address,
the VPN figures out which routing server will handle the conversion. The usage of ATM
virtual circuits results in better QoS management as well as support for IP addresses at
the desktop.
CONCLUSION
VPNs make a lot of promises: availability, security, quality of service.
Availability would seem assured, given that VPNs rely on the Internet. However,
availability could be limited to the extent it conflicts with specific methods for
delivering security and quality of service.
Tunneling, for example, is designed to create secure, encrypted links. But what if your
company implements client-transparent tunneling, and you dial into an ISP that lacks
tunneling software compatible with your company's tunneling server?
And what about tunneling schemes that rely on the Resource Reservation Protocol (RSVP)?
RSVP only works if ISPs are in a position to fulfill user requests for given service
levels. At present, few ISPs can support RSVP. Unless (or until) RSVP catches on,
we're left with ATM, which means interworking between IP and ATM, which raises
compatibility issues, MPOA notwithstanding.
For VPNs to fulfill their promise, we'll need to see some progress on the
standards front, particularly with respect to RSVP and ATM (and possibly TAPI;
see the sidebar). In addition, a lot depends on the ISPs. Personally, I'll
believe that VPNs provide QoS and security when I find an Internet connection that has
perfect service, that is, a connection that is always up, is never slowed on account of
bottlenecks, and is immune to interception.
Maybe the Internet of my dreams delivers perfect service, but certainly not the one
we're using today. It is getting better, however. Perhaps, once RSVP is implemented
in all Internet routers, the perfect Internet won't be such a pipe dream after all!
Of course, for most remote access applications, we needn't wait for Internet
perfection, particularly since VPN-oriented remote access solutions offer so many benefits
today. They are more secure than most private networks, and they provide ubiquitous
networking. Best of all, they are reasonably priced.