November 1998

Virtual Private Networking: Real Technology Now


Remote network access is a fact of corporate life today. Even medium-sized companies have several branch offices scattered around the country or the world. Field sales people utilize remote access to take advantage of corporate network resources. Intranets and extranets allow suppliers to strengthen their bond with customers, and consultants can remove more barriers between their services and their clients. In addition, corporations can now hire telecommuting professionals from a talent pool far beyond their local area. Virtual Private Networking (VPN) lets IT staff eliminate costly dial-up circuits, leased lines, and administration-intensive modem banks, using local Internet Service Providers as a gateway to the wide-area network.

VPN is already making its mark. Infonetics Research estimates that the percentage of corporate employees requiring remote LAN access will climb from 8 percent in 1997 to 22 percent in 1999. With markets constantly expanding, remote offices also require access to the central network. Internet access is now ubiquitous, and the cost of high-speed corporate Internet connections is falling, encouraging IT departments to employ T1 or greater speeds. This combination of supply and demand only strengthens the business case for VPN.

While there is no standard definition for VPN, most network analysts agree that a "real" VPN solution features:

  • Use of a public network such as the Internet.
  • Tunneling, or the establishment of a secure data path using a protocol such as IPSec or PPTP (Point-to-Point Tunneling Protocol).
  • Authentication, encryption, and a method of controlling access privileges.
  • VPN management software.

The benefits of VPN technology come in the form of cost savings (30 percent to 75 percent over traditional WAN and RAS systems), simplified maintenance, and ease of adding or modifying user accounts. In a VPN remote access application, remote users or LANs connect to a local ISP. Once connected, remote users and sites access the central network via TCP/IP tunnels.

There are four basic types of VPN solutions: hardware, software, firewall add-ons, and VPN services from ISPs.

Hardware Solutions
Hardware solutions employ dedicated processors and client software to create a VPN connection. These products are generally the most performance-driven in the category, often including dedicated encryption processors and other performance enhancements.

Software Solutions
Software solutions run on existing server platforms. Software lowers the cost of entry, but places additional demands on the server's processor, degrading performance, and also creates a single point of failure.

Firewall Add-Ons
Firewall add-ons were the pioneers of VPN access. However, these products first require a specific type of firewall, creating a single-vendor situation that can limit options. Configuration and management of firewall-based VPNs tends to be difficult, utilizing the same complex interface as the firewall software itself. Again, the VPN tasks must share a processor with the server running the firewall.

ISP VPN Services
Internet Service Providers offer "turnkey" managed VPN services by housing hardware-based or firewall-based VPN products at their own facilities. The major consideration with managed VPN services is that your company's security infrastructure will not be directly under your control.

VPN vendors create secure multiprotocol links across the Internet through a process called tunneling. Think of the tunnel as a "channel" opened inside the public network, in this case the Internet. Once connected, a remote user can utilize the tunnel to exchange information and access servers and services on the corporate network.

No matter the VPN technology, tunneling works by performing three basic operations -- Encapsulation, Authentication, and Encryption.

In order to transmit information securely over the Internet, VPNs encapsulate standard IP packets inside "protected" packets. The protected packet can then be routed through the Internet to its destination, where the encapsulation is stripped off, leaving the original data.

Several tunneling protocols have surfaced, most notably PPTP (Point-to-Point Tunneling Protocol) and IPSec. For security reasons, many vendors have moved to the more robust IPSec protocol, preferring its Layer 3 performance and its strong authentication, encryption, and key-management routines to the Layer 2 operation of PPTP.

Authentication & Encryption
While encryption gathers the most security ink, authentication is actually the most important security element of an IP tunnel. Authentication ensures that tunnels will only be established between verified tunnel partners. IPSec authenticates each packet that passes through an established tunnel. Under this method, each packet is authenticated using encrypted secrets in order to prevent session "spoofing," in which an authenticated session is taken over by an outside agency. PPTP, by contrast, authenticates only the session request, using traditional PAP (Password Authentication Protocol) and CHAP (Challenge-Handshake Authentication Protocol) routines.
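The two points made above, encapsulation of the inner packet and per-packet authentication with a shared secret, can be seen in a toy tunnel. The following is an added example written for this article, not code from any VPN vendor or from the IPSec or PPTP specifications: the outer header layout (a 32-bit sequence number), the truncated HMAC-SHA256 tag, the shared secret and the packet contents are all constructed assumptions. It contrasts a receiver that checks every packet (the IPSec model described above) with one that only checks that the session was authenticated (the PPTP model described above), and shows which of them rejects a packet injected by a party that does not hold the tunnel secret and a replayed packet.

```python
import hashlib
import hmac
import struct

# Added example: a toy tunnel showing encapsulation plus per-packet authentication.
# The shared secret, header layout and tag length are assumptions for the example,
# not the framing used by IPSec or any vendor's product.
TUNNEL_SECRET = b"constructed-shared-secret"   # agreed at tunnel setup
HDR_FMT = "!I"       # outer header: 32-bit sequence number, network byte order
HDR_LEN = struct.calcsize(HDR_FMT)
TAG_LEN = 16         # truncated HMAC-SHA256 tag appended to every packet


def encapsulate(inner: bytes, seq: int, secret: bytes = TUNNEL_SECRET) -> bytes:
    """Wrap an inner IP packet in an outer header and authenticate header + inner."""
    header = struct.pack(HDR_FMT, seq)
    tag = hmac.new(secret, header + inner, hashlib.sha256).digest()[:TAG_LEN]
    return header + inner + tag


class PerPacketReceiver:
    """IPSec-style endpoint: every packet must carry a valid tag and a fresh sequence."""

    def __init__(self, secret: bytes = TUNNEL_SECRET):
        self.secret = secret
        self.last_seq = 0

    def receive(self, outer: bytes):
        if len(outer) < HDR_LEN + TAG_LEN:
            return None
        header, inner, tag = outer[:HDR_LEN], outer[HDR_LEN:-TAG_LEN], outer[-TAG_LEN:]
        expected = hmac.new(self.secret, header + inner, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                      # sender lacked the secret: forged or tampered
        (seq,) = struct.unpack(HDR_FMT, header)
        if seq <= self.last_seq:
            return None                      # replay of an already accepted packet
        self.last_seq = seq
        return inner                         # strip the encapsulation, hand up the inner packet


class SessionOnlyReceiver:
    """PPTP-style endpoint as the article describes it: the session request is
    authenticated once, then any packet on the established session is trusted."""

    def __init__(self, session_authenticated: bool):
        self.session_authenticated = session_authenticated

    def receive(self, outer: bytes):
        if not self.session_authenticated or len(outer) < HDR_LEN + TAG_LEN:
            return None
        return outer[HDR_LEN:-TAG_LEN]       # the tag is never checked


def run_scenario() -> dict:
    """Deliver two legitimate packets, one injected packet and one replay to each
    receiver model; returns, per model, which of the four were accepted."""
    legit = [encapsulate(b"inner-ip-packet-1", 1), encapsulate(b"inner-ip-packet-2", 2)]
    # An outsider who watched the session can copy the framing but not the secret.
    injected = encapsulate(b"injected-packet", 3, secret=b"wrong-secret")
    replayed = legit[0]

    results = {}
    for name, rx in (("per_packet", PerPacketReceiver()),
                     ("session_only", SessionOnlyReceiver(session_authenticated=True))):
        accepted = [rx.receive(p) for p in legit + [injected, replayed]]
        results[name] = [p is not None for p in accepted]
    return results


if __name__ == "__main__":
    for model, outcome in run_scenario().items():
        print(f"{model:13s} accepted [legit1, legit2, injected, replay] = {outcome}")
```

The per-packet receiver accepts only the two legitimate packets; the session-only receiver accepts all four, which is exactly the "session spoofing" exposure the article attributes to session-level authentication. Encryption of the inner packet (the DES or Triple DES service mentioned next) is left out here because it needs a cipher library and does not change the authentication logic.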

Encryption is simply a method of "scrambling" data before transmitting it onto the wide-area link, in this case the Internet. At the remote end, the data is de-coded using a private "key." Most VPN technologies include DES (Data Encryption Standard) or Triple DES encryption services to prevent "sniffers" from picking up data transmissions.

Unlike traditional modem banks, VPN servers can be deployed behind or parallel to the corporate firewall. In these applications, network managers can filter out all traffic except packets containing the destination address of the VPN server. This provides a double layer of security. There are fewer holes in the corporate firewall, and packets must be authenticated again at the VPN server before being allowed on the network.
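The filtering arrangement just described, where the perimeter admits only tunnel packets addressed to the VPN server and everything else is dropped, can be expressed as a small first-match packet filter. The following is an added example, not code from the article's author or any firewall product: the addresses (documentation ranges), the rule set, the sample packets and the rule syntax are constructed for the illustration, and the IP protocol number 51 follows the glossary's "Type 51 IP" description of IPSec encapsulation.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example: first-match packet filter for a VPN server deployed behind (or
# parallel to) the corporate firewall. Addresses, rules and packets are constructed.
VPN_SERVER = "203.0.113.10"          # documentation-range address standing in for the VPN server
PROTO_TCP, PROTO_UDP, PROTO_IPSEC = 6, 17, 51   # 51 per the glossary's "Type 51 IP"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    dst: Optional[str] = None         # address or CIDR; None matches any destination
    proto: Optional[int] = None       # IP protocol number; None matches any
    dport: Optional[int] = None       # transport port; None matches any

    def matches(self, pkt: Packet) -> bool:
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def evaluate(policy: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet no rule matches is dropped (default deny)."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# The single perimeter opening the article describes: only tunnel packets addressed to
# the VPN server pass. Anything else, including plain TCP/UDP aimed at the VPN server
# itself, never reaches an internal host; tunnel packets still face the VPN server's own
# per-packet authentication before they are allowed onto the network.
VPN_POLICY = [
    Rule("permit", dst=VPN_SERVER, proto=PROTO_IPSEC),
    Rule("deny"),
]


def run_checks(policy: List[Rule] = VPN_POLICY) -> dict:
    """Evaluate a few constructed packets against the policy; returns name -> verdict."""
    samples = {
        "tunnel_to_vpn_server": Packet("198.51.100.7", VPN_SERVER, PROTO_IPSEC),
        "tunnel_to_internal_host": Packet("198.51.100.7", "10.0.0.25", PROTO_IPSEC),
        "tcp_to_vpn_server": Packet("198.51.100.7", VPN_SERVER, PROTO_TCP, dport=23),
        "udp_to_internal_host": Packet("198.51.100.7", "10.0.0.25", PROTO_UDP, dport=53),
    }
    return {name: evaluate(policy, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_checks().items():
        print(f"{verdict:6s} {name}")
```

Counting the permit rules in a policy like this is a quick way to measure the "holes" the article refers to: a VPN deployment needs one, whereas opening individual services to remote users needs one per service.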

As security issues become better known and understood, performance issues rise to the top of the network manager's list of concerns. While your VPN configuration and needs depend greatly on your specific application, there are a few guidelines you should always follow.

  • Choose an ISP with nationwide coverage. A national ISP -- or a regional one that provides access points nationwide -- will allow you to take full advantage of local calling for remote access connections. You should also ask potential ISPs about technical support policies, internal network benchmarks, and optional services such as bandwidth reservation.
  • Use filtering. More than 80 percent of all network security breaches are caused by unauthorized access that proper filtering configuration would have prevented.
  • Assess the criticality of the data to travel the VPN link and configure for performance. Know what kind of traffic your remote users will generate and ask your ISP for their recommendations in optimizing the network link. Set internal policies regarding the transfer of mission-critical or highly confidential data.
  • Integrate VPN into existing remote access systems. VPN is the remote access technology of the future. If you already provide remote access, add VPN on a departmental basis. Look for VPN products that incorporate full VPN routing, allowing you to scale the rollover from traditional connection to VPN.
  • Choose a VAR or ISP with full support capabilities. Even an easy-to-use networking solution can be tough to configure and manage. Look for help from a reputable networking VAR in your area or from the service arm of your ISP.

If your business relies on a number of remote users, VPN technology may well be the answer for you. VPNs are also excellent choices for providing access to corporate intranets and extranets.

The best advice is to do a thorough assessment of your remote access and intranet/extranet needs. How many users do you need to support? What information do they need to access? How confidential or mission-critical is the data that will be sent and received over the VPN link? Then do the math. You'll be surprised at the savings VPN can offer.

Tom Ferrell is director of corporate communications at Compatible Systems Corporation in Boulder, CO, a manufacturer of VPN solutions for networks of all sizes. The company's award-winning Internet connectivity products are found on thousands of networks worldwide, from SOHO and branch offices to large enterprises and ISPs. For more information, visit the company's Web site at www.compatible.com.

Virtual Private Networking Glossary

Authentication: A process that requires users to securely identify themselves through the use of passwords or, in the most secure VPN protocols, encrypted "secrets" prior to the establishment of a VPN connection.

Client: A computer or software program that requests a service of another computer system or processor (a server). For example, a workstation running a VPN client can create a network connection through a VPN server.

Digital Signature: A coded message added to a document or data that guarantees the identity of the sender. Used during authentication of some VPN links.

Encryption: The "scrambling" of data to prevent anyone other than the intended recipient from reading the information. Encryption protects data during actual transmission across the public network.

Firewall: A collection of components that supervises all traffic in and out of a network, permitting only traffic which is authorized by local security policy to pass.

IPSec: An IP security protocol that encapsulates standard IP packets inside IP packets of protocol type 51, allowing firewalls to recognize and admit encapsulated, encrypted data.

Policy-Based Filtering: A process that determines who is given access to what services after an authenticated VPN link has been established.

Server: A computer or software that provides resources, such as files or other information, to client software running on other computers.

Tunnel: A secured, private "path" connecting two points through a public network.

VPN (Virtual Private Network): An Internet-based system for information communication and enterprise interaction. A VPN uses the Internet for network connections between people and information sites. However, it includes stringent security mechanisms so that sending private and confidential information is as secure as in a traditional closed system. 

