Weighing the VPN options
- By Steve Jefferson
- Dec 02, 2001
Although the Internet has proven invaluable to many government departments and agencies, most offices still rely on private networks to pass vital or private information from one location to another. Virtual private networks offer an alternative that capitalizes on both the versatility and ubiquity of the Internet.
Thanks to improvements in VPN technology — which provides a secure link across the Internet — you can now take advantage of the cost savings of using the communications backbone of the Internet without sacrificing security or performance.
Aside from direct cost savings, using a VPN can have secondary cost benefits, such as greater mobility. In the old days of dedicated, private lines connecting outlying offices, a remote or traveling worker was consigned to a laborious process of remotely dialing into the network. With VPNs, employees can connect from anywhere they can make an Internet connection and with the same procedures they use in the office.
What's more, if you're setting up a remote office, a telephone or Digital Subscriber Line is generally a lot quicker and less expensive to obtain than a T1 line.
Finally, consider the cost savings you can realize by standardizing on a single network protocol. With an IP-based VPN, you can maximize the talent of your support staff while keeping costs at a minimum. The Basics
VPNs are intelligent devices, generally placed at the edge of the local-area network and the beginning of the Internet. Their sole purpose is to create protected tunnels for authorized users and to encrypt and decrypt all traffic that travels through those tunnels.
A VPN uses three major protocols: IPSec (IP Security Protocol), L2TP (Layer 2 Tunneling Protocol) and PPTP (Microsoft Corp.'s Point-to-Point Tunneling Protocol). The IPSec standard includes both tunneling and encryption functions necessary to protect sensitive information while it traverses the Internet.
Because IPSec operates on the network layer — or Layer 3 — it is inherently more scalable than the other protocols, hence its growing popularity as the standard VPN protocol. Network-layer encryption prevents eavesdropping or tampering with data across a network during transmission.
In VPNs, data is encapsulated and encrypted and then sent to a specific destination at the other end of the tunnel. Not only can the receiving user and services be authenticated, but the use of data authentication and digital signatures can verify whether the information was received unaltered and not intercepted. Even if intercepted, encryption makes reading the material difficult or impossible. In fact, many VPN vendors argue that VPNs are more secure than traditional private networks, which rely on physical access to the line for their primary security rather than taking meas.ures to detect and prevent attempts to capture data.
Due to the nature of VPNs, tight integration with core networking components is critical for success. Firewall, routing and server functionality often overlap with other products, so it is important to make sure your VPN solution plays well with the others.
VPN solutions take four basic shapes: router-based, firewall-based, server-based or as a stand-alone VPN device. Here's a quick overview of each.
* The Router Add-on. A fairly simple approach, the router-based solution generally entails a quick download from a vendor's site and updating your router software. Typically, the software adds firewall, encryption and tunneling features to the router's functionality.
This approach does not require you to change any of the existing infrastructure to install your new VPN, which is a savings in itself. Also, your staff already knows how to work with the router, and because the VPN software is from the same vendor as the routers, maintenance and warranty options should be business as usual.
The biggest drawback is that many of the new functions (encryption, firewall and tunneling) are now software-based. Routing performance can take a significant hit because the device's processor is now busy with more work than it had before, especially if you decide to crank up the encryption to 256-bit.
All the major router manufacturers sell VPN capabilities as an add-on option.
* The VPN Upgrade. Unless you're ready to buy new routers with built-in VPN capabilities, you may want to consider upgrading your firewalls or buying new ones that offer VPN tools.
Buying a VPN solution from your firewall provider gives you some assurance of compatibility. Anyone who has ever set up a VPN can tell you that snags are usually caused by trying to get the VPN to work with the firewall's security features. If both come from the same vendor, that hurdle should be cleared before you unpack the box.
As with the router option, training and network infrastructure for the workers who handle the firewalls will remain the same. Unfortunately, unless the firewall was designed to include VPN capabilities, you can expect that the firewall's performance will take a hit, because encryption and tunneling have been added to the chore list of the firewall's processor.
As with routers, virtually every firewall vendor offers VPN services as an option.
* A Dedicated Solution. To get around the performance problems sometimes encountered by adding a VPN to existing routers and firewalls, some vendors have developed server-based software VPN solutions. The proposition is simple: Install the VPN software on a dedicated system and add processing power as needed without degrading the network's performance.
A server-based VPN also makes it possible to take certain functions of the server operating system — its management of users, groups and profiles — and adapt them for VPN usage. Authentication services can often be used, meaning no extra management is required when it comes to doing adds, moves or changes on the network.
Be sure, however, to choose a server beefy enough for present and future jobs, especially if that server is doing other work for your company, because VPN traffic can be demanding on processor resources. Installing the VPN software on your mail server, for example, would probably be a bad choice.
Most OS vendors, including Sun Microsystems Inc., Microsoft and Novell Inc., offer choices in this category. In addition, there are a number of third-party vendors, including Check Point Software Technologies Ltd., SafeNet Inc. and Fortress Technologies.
* A VPN from the Ground Up. This option involves devices that were built from the ground up to run numerous, concurrent VPN sessions. The key here is performance. Routers, firewalls and other applications running on a would-be server-based VPN will no longer get bogged down, regardless of how many tunnels are being used.
But that performance comes at a cost. First of all, because you are not "borrowing" existing hardware to run your VPN, dedicated systems require more maintenance and management, which makes it a more costly option.
And introducing a new device into your network means altering its configuration. Poor planning can lead to serious consequences, with problems sometimes showing up days or weeks after the change. Finally, this solution means training employees to manage the new devices.
Some of the leading vendors in the stand-alone category include Lucent Technologies and Avaya Inc.
For something as important as a VPN, management should be a key consideration when deciding which type of VPN to go with.
As a central part of a network, VPNs involve a lot of communication among other components of your network. Firewall and routing services each need to be carefully integrated to ensure optimal performance, reliability and scalability. For larger organizations, policy-based management is often a crucial factor in making a choice. Each VPN site is subject to the same additions, moves and changes that the rest of your network experiences. Policy-based management of VPNs has emerged as a significant improvement to allow managers to quickly and easily deal with what were previously monumental tasks when thousands of tunnels are involved.
Cisco Systems Inc., for example, uses Cisco Secure Policy Manager as a scalable policy management system to provide security services for firewalls and intrusion-detection system sensors, as well as for VPN routers, in a consistent manner. Such products allow managers to define, distribute, enforce and audit networkwide security policies from a central location, simplifying the deployment of security services throughout the network.
Smaller, less costly solutions, such as Symantec Corp.'s new Firewall/VPN line (see review, Page 38), are limited in management abilities. It is easy to set up and configure these VPNs, but management of each device has to be performed individually through a Web browser.
Balance the Scales
VPNs are, in short, a terrific way to maximize the virtually free communications backbone of the Internet without sacrificing the security of a private network.
A plethora of solutions is available to let you jump into the fray with minimum fuss and expense. Choosing the right VPN system, however, will take a bit of thought and planning.
Start by deciding what resources you have that can best handle the additional traffic of a VPN without sacrificing too much in performance. That will focus your search in the right product category: router-based, firewall-based, server-based or stand-alone. Next, consider what size VPN you want to run and with how many tunnels and devices. That will give you an idea of what management tools you need.
Jefferson is a freelance analyst and writer based in Honolulu who has been covering technology for several years.