February 1998

Subject:  Remote Access Via Virtual Private Networks: Pipe Dream Or Real?

BY Tom Keating

Whenever I hear the word “virtual,” I remind myself that it means “not really.” So, when I hear about virtual private networks (VPNs), I’m torn. Does the virtual pertain to private, in the sense that you needn’t rely on private networks to access private information — that you can privately convey information and transact business over facilities that are, in fact, public? Or does virtual pertain to all those things we associate with the word “private,” things like security and reliability?

A lot depends on the technology. If it’s sufficiently advanced, you get the best of everything — security and reliability on the one hand, and accessibility and availability on the other. However, if the technology disappoints us, we may come toregard “virtual” as a cruel joke, something that claimed it would collapse the distinction between public and secure, but that ultimately left it intact.

REMOTE HOPE
When we leave the office, many of us miss feeling connected. Whether we’re at home or on the road, we can’t help but wonder what we might be missing. Of course, we could check our voice mail once in a while. But what about our faxes? What about our e-mail? When it comes to faxes, the best thing is to store them on your computer, preferably in a universal inbox of some sort. Then, you can remotely access them as easily as your email.

Of course, when it comes to e-mail, you could content yourself with checking Internet e-mail, by dialing into a local POP. This would help somewhat, but it would also introduce different problems. For instance, you would have to deal with two separate message stores — one on the corporate PC, and another on the laptop. That would defeat the purpose of having one universal inbox for all your new and legacy e-mails, and possibly your faxes and voice mail (provided you were able to collect them in your e-mail system).

Another problem with Internet email access, as opposed to remote access, is that you’ll have to do without the information resources of your corporate LAN. What if an e-mail alerted you to the urgent need to send someone a particular document, a document that happened to reside on your corporate PC? If you were to receive that email via Internet e-mail to your laptop, you would simply be out of luck!

PROXIMATE FEAR
While a company may appreciate the advantages of granting remote access to employees, it may also suspect a few drawbacks. That is, a company may fear remote access will bring security breaches, high implementation costs, additional phone charges, and maintenance headaches.

Security: To extend access to road warriors (for e-mail, say), a company needs to make a hole in its firewall large enough to admit the good guys, but small enough to exclude the bad guys. How small is small enough? Or, for that matter, too small? Uncertainty over this issue inhibits action.

Implementation Costs: Some remote access solutions require that companies purchase additional hardware and software. And some solutions demand expertise that is lacking in-house. Thus, some companies may need to work with specialized VARs, thereby incurring extra costs. (Aside from the cost issue, MIS personnel or network managers may object to VARs simply because they are wary of having an outsider “mess” with their LAN.)

Phone Charges: If a company installs a remote access server (RAS), the costs don’t end when the installation is complete. The company will have to pay for dedicated lines to the RAS, as well as for all the phone charges that mount as employees begin dialing in from all over the country, or even the globe. Maintenance: Any solution that opens the corporate LAN to remote access requires constant maintenance. For example, MIS must constantly update access passwords and logon IDs to keep up with employee turnover.

ALTERNATIVE SOLUTIONS
Several remote access solutions are available. One alternative is to take advantage of the wireless IP network. (For one excellent wireless solution, see the review of AT&T’s PocketNet in this issue.) Another alternative is to put some modems in a Windows NT RAS server. There are also turnkey RAS products which do not need Windows NT, such as 3Com’s OfficeConnect.

The latest craze, however, is VPN. (VPNs in private intranets will take off in the next year or so; VPNs on the Internet will take off in two or three years.) If you doubt this new market shows a lot of promise, take a look at all the companies scrambling to grab a piece of it. In this space, contenders include industry heavyweights such as Cisco, Lucent, Microsoft, and Newbridge Networks.

MORE ON THE VPN ALTERNATIVE
VPNs address many of the concerns that have prevented corporations from implementing remote access. For example, with VPNs, cost becomes less of an issue, since you put traffic onto the Internet. You can use an ordinary Web server, instead of investing in leased lines and specialized hardware (which you many need to implement a RAS solution). Also, you can save on phone charges since employees can dial into the nearest ISP point of presence (POP), instead of directly dialing into a corporate server. To address the other big bugaboo, security, VPNs offer IP tunneling. With IP tunneling, corporate traffic may go onto the Internet, a public conveyance, but its movements are restricted. In a sense, corporate traffic is confined to a tunnel (an encrypted link, if you will), where the only outlets are VPN endpoints.

To set up a tunnel between a remote client and the corporate network, you can choose between at least two options: client-transparent and client-initiated tunneling.

Client-Transparent Tunneling: The main advantage of this method is that the remote client doesn’t require any special software. However, the remote client will need to dial into a tunnel-enabled access server, that is, an access server capable of establishing an encrypted link with a tunnel server or gateway, which typically resides behind the corporate firewall. Both the access server and the tunnel server will need special software. The problem here is that the access server belongs to the ISP, and the ISP’s software must be compatible with yours. Also, the link between the remote client and the ISP is not encrypted.

Client-Initiated Tunneling: This method requires tunneling software both on the remote client as well as the tunnel server or gateway, but the ISP doesn’t need to support tunneling in any way. Instead, tunneling (establishing an encrypted link, based on user ID or password authentication, or even a digital certificate) is left to the remote client and the tunnel server. The ISP needn’t intervene, or even be aware that you’ve established an encrypted link. Also, the link is encrypted end-toend, from the remote client to the tunnel server behind the firewall.

BEYOND REMOTE ACCESS: CTI AND INTRAOFFICE CONNECTIVITY
Most CTI products use some sort of network functionality, whether it’s transmitting caller ID information, enabling remote access, sending fax/voice/video and other data to your inbox (unified messaging), distributing calls among multiple call centers, or even transmitting call control commands. These CTI technologies all rely on some sort of network topology. The more elaborate solutions usually require a private leased line.

If there were a low-cost alternative to leased lines, one that delivered security and performance, developers would use it. In my opinion, VPNs are one such solution to the problem of expensive leased lines or even remote access servers with a rack of modems.

Of course, VPNs have yet to equal the performance of leased lines, but they’re getting better. In the meantime, VPNs could help out with lots of applications that rely on non-critical, non-realtime data. One such application is unified messaging, which could easily become an economical remote access solution via VPN. For example, a road warrior could access messages by dialing a local POP instead of incurring longdistance charges to the company’s 800 number.

VPNs are also attractive in other areas. Examples include accessing the corporate LAN and network files, browsing the Internet, and engaging in text chat with employees — all on one inexpensive Internet connection.

VENDOR APPROACHES
Many vendors are introducing VPN solutions, and all are grappling with the basic challenge of combining universal availability and quality of service. Some vendors emphasize IP in their solutions, and hence availability. Others emphasize ATM, with its builtin quality of service (QoS) capabilities. Several are attempting to work with both. Below, we take a look at what a few vendors are doing.

MICROSOFT AND CISCO
Not long ago, Microsoft and Cisco announced they would collaborate on a VPN method called Layer Two Tunneling Protocol (L2TP). This new protocol is supposed to combine the merits of Microsoft’s Point-toPoint Tunneling Protocol (PPTP) and those of Cisco’s Layer Two Forwarding (L2F). (Microsoft’s PPTP performs client-initiated or client-transparent tunneling by wrapping PPP packets in IP, which is a Layer Three protocol. Cisco’s method, on the other hand, accomplishes tunneling via Layer Two protocols, such as Frame Relay and ATM.)

L2F requires support in the access servers as well as the routers; thus, the ISP needs to support L2F. Is this a problem? Well, we can suppose that L2F will enjoy wide support simply because 75–80 percent of the Internet and corporate intranets use Cisco routers. Even so, you could, at any time, run across a non-Cisco router, one that doesn’t support L2F. Then you’re out of luck.

The potential for such mishaps means that L2F will be used at first primarily on intranets, or by highspeed Internet backbone providers. L2F does have an advantage over PPTP in that it supports authentication for the tunnel endpoints, for instance between the access server (ISP POP) and the tunnel server (corporate site).

It used to be that you could perform PPTP only from a Windows NT client (workstation) to a Windows NT server. However, with Microsoft’s update to Dialup Networking v1.2 (which is downloadable), you can attain VPN/tunneling capabilities from Windows 95 clients.

LUCENT
Lucent has gone beyond the “IP world” of VPNs with its OneVision network management system. The OneVision system can create and define service objects that represent VPNs and map them to ATM virtual circuits, which have QoS built-in. This will help the ISPs and backbone providers, but will probably have little effect on the client end, since most client networks are IPbased.

NEWBRIDGE NETWORKS
Not content to choose between IP and ATM, Newbridge Networks is working with both protocols. With its Multi Protocol Over ATM (MPOA) approach, Newbridge uses different routing servers for each VPN, segregating them from one another and the public Internet. When an MPOA agent requests that an IP address be decoded into an equivalent ATM address, the VPN figures out which routing server will handle the conversion. The usage of ATM virtual circuits results in better QoS management as well as support for IP addresses at the desktop.

CONCLUSION
VPNs make a lot of promises — availability, security, quality of service. Availability would seem assured, given that VPNs rely on the Internet. However, availability could be limited to the extent it conflicts with specific methods for delivering security and quality of service.

Tunneling, for example, is designed to create secure, encrypted links. But what if your company implements client-transparent tunneling, and you dial into an ISP that lacked tunneling software compatible with your company’s tunneling server?

And what about tunneling schemes that rely on the Resource Reservation Protocol (RSVP)? RSVP only works if ISPs are in a position to fulfill user requests for given service levels. At present, few ISPs can support RSVP. Unless (or until) RSVP catches on, we’re left with ATM, which means interworking between IP and ATM, which raises compatibility issues, MPOA notwithstanding.

For VPNs to fulfill their promise, we’ll need to see some progress on the standards front, particularly with respect to RSVP and ATM (and possibly TAPI — see the sidebar). In addition, a lot depends on the ISPs. Personally, I’ll believe that VPNs provide QoS and security when I find an Internet connection that has perfect service, that is, a connection that is always up, is never slowed on account of bottlenecks, and is immune to interception.

Maybe the Internet of my dreams delivers perfect service, but certainly not the one we’re using today. It is getting better, however. Perhaps, once RSVP is implemented in all Internet routers, the perfect Internet won’t be such a pipe dream after all!

Of course, for most remote access applications, we needn’t wait for Internet perfection, particularly since VPN-oriented remote access solutions offer so many benefits today. They are more secure than most private networks, and they provide ubiquitous networking. Best of all, they are reasonably priced.

Most people view TAPI as a highlevel telephony function API, rather than a low-level data transmission API. Hence, most people wouldn’t think of TAPI within the context of VPNs, which, to date, have emphasized ordinary data networking.

In essence, the common view of TAPI is correct. TAPI, through its layer of APIs, performs call control and other features over (in most cases) an IP network topology. However, since the Internet is IP-based, it will be interesting to see if TAPI 3.0 or any future release of TAPI will incorporate VPN-like features. As it turns out, Microsoft’s TAPI 3.0 white paper does indeed suggest that TAPI will incorporate certain VPN-like features. Like VPNs, TAPI 3.0 will:

• support quality of service (QoS).
• support encryption to ensure a secure connection.
• transmit data over the Internet, in the sense that Internet telephony involves encapsulating voice streams within data transmissions.
• feature built-in multicasting, which means TAPI must reach down to the (IP) protocol level.

Eventually, TAPI could do more than support telephony. It could support the transmission of generic data as well, particularly in applications that involve whiteboarding and application sharing, such as Microsoft’s NetMeeting. It is possible that TAPI will compliment VPNs, and use them for the transmission of TAPI calls and other data. But knowing Microsoft and its predisposition to “converge” separate technologies, I wonder if we’ll see VPN functionality, the NetMeeting SDK, and other protocols/codecs/standards all rolled into TAPI. Now that would be one big happy TAPI!

Whats Hot! Perking Up Customer Self-Service With Javabeans

PERKING UP CUSTOMER SELF-SERVICE WITH JAVABEANS

Chordiant Software and Sun Microsystems have recently announced a major effort to show how Java can improve consumer-to-businessinteractions, by giving customers greater flexibility and control over self-service applications. Designed with call centers and large consumer-type businesses in mind, Chordiant’s Customer Communications Solutions (CCS) product can process up to 10,000 call center and consumer requests per day. Using CCS, a customer can submit a service request via their phone, fax, e-mail package, or Web browser. The CCS system will then process the request, regardless of the communication type, and apply customizable business rules to determine a course of action.

Chordiant Software’s product, which uses JavaBeans, not only displays the customer’s history on the agent’s screen, it can also display similar (or the same) information on the customer’s Web browser. This is a unique and very useful feature that allows two-way customer interaction with the agent.

Chordiant claims to be one of the first companies to develop an enterprise-class implementation using JavaBeans. CCS, which can be customized on-the-fly using the builtin drag-and-drop application generator, can be set up to keep track of all customer interactions, whether they are conducted via e-mails, faxes, and/or phone calls. While many call center products specialize in just one of these three areas, CCS has them all, in one centralized application.