May 1999
Virtual Private Networks May Push IP Voice Out Of Its Tunnel
BY HOWARD MEYERS
Virtual Private Networks (VPNs) and VoIP solutions have a lot in common. The major
benefit of both technologies is their ability to save money on a very large scale, and
both are designed to replace existing telecommunications systems with cheaper IP-based
communications. VPNs are normally used to replace leased lines, or Remote Access Servers
(RAS) and banks of modems for data communications, while VoIP bypasses the PSTN for a
subset of a company's long-distance calls.
Consequently, anyone who is wise and adventuresome enough to pursue one of these
technologies is probably a good candidate for the other. The two technologies also
complement each other nicely, and VPNs can be used to secure VoIP transmissions. But
implementing both technologies can be more difficult than just the sum of the parts.
Luckily, by understanding the technologies, how they interact, and what to look for, any
problems that may arise by implementing them together can easily be avoided.
SECURITY REQUIREMENTS FOR VoIP
Proper security is critical in any VPN implementation, and verifying the strength of the
security is equally important. The only security testing that currently exists for VPNs is
through the National Institute of Standards and Technology (NIST) with the FIPS 140-1
validation program. The entire list of validated devices (most of which are not VPNs) is
available at csrc.nist.gov/cryptval/140-1/1401val.htm. Soon, the Common Criteria Project,
also sponsored by NIST and several other countries, may also serve this purpose.
There are two main security risks for a VoIP network, and the first is control of the
system. Without proper security to protect controls, an unauthorized party can access a
system and use it for VoIP calls, or to disrupt communications. This can result in
improperly used bandwidth, unavailability of the system, and increased costs.
Second, there is a need to protect the VoIP data itself. Consider how damaging it would
be if a competitor or other party out to do damage to a company intercepted internal
company phone calls. H.323 provides for security through H.235; however, most
implementations of H.323 to date are what can be called Phase 1 implementations - used
primarily for compatibility, and sometimes for a marketing checkmark. They are not full
implementations, and rarely include H.235. It is likely that early implementations that do
include H.235 will suffer significant performance penalties, resulting in customers
turning off the feature - if the vendor allows them to. VPN vendors have been tackling
these issues for several years now, and are in a better position to provide the required
security today.
VPN AND VoIP COMPATIBILITY ISSUES
Latency
Latency is probably the number one enemy of VoIP. For voice, latency is really the
difference between when a word is spoken and when it is heard. Most of us have heard the
long delays associated with satellite calls overseas, as well as the echoes that can be
introduced. Luckily, VPNs should have no effect on echoes.
In a typical VoIP implementation, latency is introduced in two areas. The first is
network latency, and on the Internet, this can be quite unpredictable. The second source
of latency is in the VoIP equipment itself. The process of digitizing the voice,
compressing it, transmitting, receiving, decompressing, and returning the data to analog
takes a finite amount of time. The latency introduced by the VoIP system is usually quite
predictable, and VoIP vendors monitor these numbers closely, trying to reduce them at
every turn. If they go above a certain threshold, delays can be heard and the solution
starts losing its appeal.
Encryption is a very CPU-intensive task. The process of capturing a packet, encrypting
it, re-transmitting it, and then decrypting it on the other end can be very time
consuming. This delay will increase the latency of the packet, and thus, of the VoIP
solution. Many VPN vendors have implemented solutions using proprietary acceleration
hardware to overcome this problem. Therefore, it is possible to get a VPN solution that
introduces only a few milliseconds or less of latency. Latency in this range should be
negligible when compared to other sources, but any increase above this could contribute to
noticeable delays. Be aware that latency will also increase with packet size.
Unfortunately, most VPN vendors do not publish latency numbers.
Performance
For any network application, performance is an issue. VPNs received an initial black eye
in the network industry for their impact on performance. As a result, some people are
still afraid to implement VPNs, but this technology has come a long way just in the last
year. The use of proprietary hardware and accelerator cards, along with better designs,
has resulted in VPNs that can meet the demands of almost any network. Some VPNs have been
known to actually improve network performance in some instances due to compression,
efficient protocols, and packet buffering. While customers cannot count on a VPN
providing an improvement, a well-designed VPN can minimize any degradation.
Unfortunately, assessing the speed of a VPN is a difficult task, and it is not one the
customer should undertake. VPNs are complicated solutions designed around typical network
traffic. Most tests, however, do not use or simulate typical network traffic. Some of the
best labs in the United States and top network service providers improperly test VPN
performance. Without fully understanding network behavior and VPNs, it is impossible to
configure a proper test.
The next problem is that there are no industry standards for measuring VPN throughput.
The old saying about "lies, damn lies, and statistics" could have been written
about VPN performance numbers. Most VPN vendors quote "encrypted throughput,"
but some only quote "throughput," which can be the result of turning off
encryption and just using authentication. This will dramatically improve any performance
numbers - but there is nothing realistic about the data. It is also important to
understand what type of encryption was used in the testing. Many vendors will test
throughput using 40- or 56-bit DES, even though most security experts recommend a minimum
of 128-bit encryption today. Those who quote speeds using algorithms such as IDEA or
triple-DES may pay a performance penalty in those tests, but they have tested their VPNs
in a configuration that can actually be used.
It is advisable to quiz any vendor on how they got their performance numbers. What type
of encryption was used? What was the content of the packets? Some packets are highly
compressible, increasing performance, while others are not. What was the size of the
packets? Large packets can yield better performance due to less overhead, but large
packets can also result in more packet fragmenting, degrading performance. Where is
encryption performed? Performance will be better if encryption is done at the network, not
the application layer. Is the measurement for half-duplex or full-duplex operation? This
affects performance by a factor of 2. And finally, what is the latency introduced? Once
customers understand the data, they can reach their own conclusions on whether the data
will apply to their particular implementation.
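The latency and packet-size trade-offs discussed above (fixed per-packet cost versus cost that grows with packet size, header overhead shrinking with larger packets, large packets fragmenting once the tunnel adds its own headers) can be put into a small model. This is an added example, not from the article or any vendor: every number in it (tunnel overhead, per-packet and per-byte costs, MTU, the two hypothetical HW and SW products) is an assumption chosen for illustration.

```python
"""Added model, not from the article: what a VPN tunnel costs a VoIP packet.
Every number is an assumption for illustration; the article quotes no vendor figures."""
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Tunnel:
    name: str
    overhead_bytes: int     # encapsulation: outer headers, IV, padding, MAC
    per_packet_us: float    # fixed cost per packet: capture, queue, re-transmit
    per_byte_us: float      # crypto cost that grows with packet size

IP_UDP_HEADER = 28          # 20-byte IPv4 header + 8-byte UDP header
MTU = 1500                  # assumed Ethernet path MTU
# Two hypothetical products: accelerator hardware vs. a software-only gateway.
HW = Tunnel("hardware-accelerated (assumed)", 50, 500.0, 0.02)
SW = Tunnel("software-only (assumed)", 50, 3000.0, 0.5)

def tunneled_size(payload_bytes: int, tunnel: Tunnel) -> int:
    """Bytes on the wire for one voice packet after encapsulation."""
    return payload_bytes + IP_UDP_HEADER + tunnel.overhead_bytes

def fragments(wire_bytes: int, mtu: int = MTU) -> int:
    """IP fragments needed to carry wire_bytes across a path with this MTU."""
    return math.ceil(wire_bytes / mtu)

def added_latency_ms(payload_bytes: int, tunnel: Tunnel) -> float:
    """Delay the tunnel adds end to end: the encrypting and the decrypting side both pay."""
    one_side_us = tunnel.per_packet_us + tunnel.per_byte_us * (payload_bytes + IP_UDP_HEADER)
    return 2 * one_side_us / 1000.0

def overhead_ratio(payload_bytes: int, tunnel: Tunnel) -> float:
    """Fraction of wire bytes that is not voice payload."""
    return 1 - payload_bytes / tunneled_size(payload_bytes, tunnel)

def bandwidth_kbps(payload_bytes: int, frame_ms: int, tunnel: Tunnel) -> float:
    """One direction of a call sending one packet every frame_ms milliseconds."""
    return tunneled_size(payload_bytes, tunnel) * 8 / frame_ms  # bits/ms == kbit/s

if __name__ == "__main__":
    for tunnel in (HW, SW):
        for payload, frame_ms in ((20, 20), (160, 160)):  # 8 kbit/s codec, two packetisations
            print(f"{tunnel.name}: {payload}-byte frames -> "
                  f"{bandwidth_kbps(payload, frame_ms, tunnel):.1f} kbit/s, "
                  f"{overhead_ratio(payload, tunnel):.0%} overhead, "
                  f"+{added_latency_ms(payload, tunnel):.2f} ms")
    # A 1440-byte payload fits the MTU in the clear but fragments once tunneled.
    print("fragments:", fragments(1440 + IP_UDP_HEADER), "->", fragments(tunneled_size(1440, HW)))
```

Replacing the assumed constants with figures measured on a candidate product turns the same model into the vendor quiz the section recommends: packet size, encryption cost and added latency are exactly the inputs it needs.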
Dropped Packets
Dropped packets and receiving packets out of order are other significant problems for
VoIP. VPNs can further aggravate this if their performance is inadequate, becoming a
bottleneck in the network. If not addressed, this problem can result in the voice breaking
up. If the VPN causes packet collisions to increase, this problem will be aggravated. Some
VPNs use large packet buffers that can actually reduce this problem.
TCP/IP
Some VPNs can only protect TCP/IP. However, many VoIP applications use protocols other
than TCP, such as UDP over IP. While most VPNs will support this, customers should make
sure their vendor supports the protocol that their VoIP solution utilizes.
CHOOSING THE CORRECT VPN
VPNs can be implemented in a number of different ways, and some VPNs are software-only
implementations. For a VoIP implementation, this is not an advisable solution. Throughput
and latency issues are usually at their worst in such implementations. Likewise, some VPNs
are implemented together with another network device, typically a firewall. These also
tend to introduce large performance problems as one computer is asked to perform too many
CPU-intensive tasks.
Many vendors have implemented VPN solutions in hardware, which typically yield the best
performance and should be used in a VoIP environment. These solutions use software-only
versions for remote computer access back into the network, which is quite acceptable, but
they use hardware at the gateway - where performance is critical.
A final type of VPN is available from network service providers. These are actually not
VPNs at all, in that they provide little to no security for data. These are really
semi-private IP networks utilizing all of the applications, equipment, and protocols used
on the Internet, but with guaranteed availability, bandwidth, and latency. While they do
not have access to the Internet, customers are still sharing the network with thousands of
others, including competitors. Because of their advantages, these networks are excellent
for use in a VoIP implementation, but use of a "real" VPN is still necessary to
get the appropriate level of security.
CONCLUSION
Unfortunately, most VPNs today are not interoperable, and standards in this area are still
evolving. While many vendors claim interoperability, this has not been a major design
goal. Typically, this means that the units can be forced to interoperate, but getting
there is an ugly process. While interoperability is currently not a realistic goal, all is
not lost.
Customers should select a vendor who will upgrade their systems as part of the normal
maintenance contracts, as standards evolve and interoperability becomes easier. For today,
users should make sure they choose a VPN that can connect to both protected and
unprotected sites automatically. This will allow their VoIP implementation to connect
securely to all nodes in the network that can be controlled, and to connect without the
benefit of VPN security to those sites outside the network that cannot be controlled.
Howard Myers is the business development manager for Fortress Technologies, Inc.
Fortress is a leading supplier of VPN products designed for speed, ease of use, and
security. The company has partnered with Clarent Corporation to provide an optimal
solution for the combination of VoIP and VPNs. For additional information, visit Fortress'
Web site at www.fortresstech.com.
VPNs In The Marketplace
BY LAWRENCE GASMAN
The market for VPN software clients has evaporated, according to a recent market
research report from Communications Industry Researchers, Inc. (CIR). The report analyzes
main VPN technology trends, market drivers, and applications, and profiles the leading
vendors and service providers operating in this space. It also offers ten-year forecasts
of the markets for VPN hardware, software, and services.
The report notes that Microsoft (whose VPN client is bundled with Windows 95, 98, and
NT), and Cisco (which offers clients priced between $5 and $8 per user), have driven out
the profit for VPN software client packages. The days of the $250 VPN client are over, and
in fact, the report concludes that the forces shaping the VPN business have less to do
with new technology and protocols than with marketing and management issues. As far as the
former is concerned, CIR expects the market for VPN equipment to be dominated by companies
that can supply a complete end-to-end solution.
Those companies include Cisco, Lucent/Ascend, 3Com, and Nortel, vendors that have
already locked down the critical service provider sales channel. For service providers,
VPNs offer a unique opportunity to create value in the form of a customized solution for
large end users. This is important at a time when bandwidth is becoming a commodity, and
most ISPs are losing money. CIR believes that end users will look to service providers to
do much of the implementation of VPNs, which are still far from being plug and play.
THE RELIABILITY ISSUE
IP networks are still not quite as reliable as leased line or even frame relay services,
and successful implementation of large-scale VPNs involves some other tricky issues:
Security, certification and authentication, interoperability, network management, and (in
some cases anyway) availability. Difficulties with implementation are especially acute
when a VPN serves several firms, and database integration and sophisticated security
systems are required.
Failing to address these points significantly limits the benefits of a VPN. But,
according to the report, while VPNs are usually considered money-savers for the companies
that use them, they also potentially benefit users by enabling new applications that would
not be possible through other means. In particular, they enable small remote locations
(including teleworkers) to share sophisticated applications across a network, without the
need and expense of a nailed-up connection (leased line or permanent virtual circuit).
ADDING VOICE
Today, almost all VPN applications are data-oriented, but CIR believes that a large
minority of VPN users will also want to put voice on their networks in the next few years.
Special issues face the voice VPN. For example, software-based VPNs may introduce latency,
and voice quality could become degraded. This is especially important in an IP
environment, where some continue to question the quality of voice in any case. Above all,
the ability of VPNs to carry voice will depend on their support of an end-to-end quality
of service (QoS) protocol. CIR believes that the most likely candidates for such a
protocol are DiffServ and MPLS.
Initially, VPN users will bring voice on to their VPNs in emergencies, when their main
voice networks are overloaded or out of service. But if the cost of packet bandwidth on
the VPN falls below that of the current typical circuit-switched infrastructure used by
voice, then wholesale migration of voice to VPNs will occur. The report states that such a
migration will not happen for some time, however. At present, there is more talk about
voice on VPNs than action. It is being hyped by vendors and service providers who hope it
will attract corporate customers to the VPN concept in general. Players in the current VPN
marketplace must talk about offering support for voice in order to win mindshare, but they
are far less likely in the short term to win orders for VPNs that actually support voice.
Lawrence Gasman is president of CIR. CIR is an independent marketing research firm
serving the needs of the telecommunications and data networking markets. CIR's new report
is called Virtual Private Networks: Market Opportunities and Implications for Service
Providers and their Suppliers. Further details on this report can be obtained on the CIR
Web site at www.cir-inc.com, or from Robert Nolan at [email protected] or 617-923-7611.