Internet VPNs: the WAN and the light?

By David Braue
May 26, 2003
URL: http://www.zdnet.com.au/news/communications/soa/Internet-VPNs-the-WAN-and-the-light-/0,130061791,120273738,00.htm

They promise low-cost connectivity that could make conventional, expensive WANs a thing of the past. But can roll-your-own Internet VPNs really deliver?

Not too many years ago, no prudent businessman would have authorised a project that involved transmitting confidential data over the Internet.

The Internet, conventional wisdom had led many to believe, was a haven for viruses and would steal your credit card number, turn your hair green, and run your corporate secrets down the street to your biggest competitor. Such FUD was a major problem for business managers reluctant to open their chequebooks to fund projects based on such an uncertain technology.

Years down the road, the business community has grown up a lot. The Internet's ubiquity, and its universal adherence to the IP standard, have made it indispensable to all sorts of companies--and a lot more secure, thanks to the coalescence of the market for virtual private network (VPN) technology around the IP Security (IPSec) standard.

Increasing familiarity with VPN technology, combined with the technological improvements of an industry that has been working hard to get its act together, has produced a wealth of products, both software and hardware, that make it almost a no-brainer for even small companies to offer secured VPN access into their networks.

In typical scenarios--where a handful of executives might use VPN clients to check e-mail and read performance reports from home--the VPNs have proven inexpensive and easy to manage. The technology is secure, manageable, robust, and virtually invisible, making it a natural replacement for the legions of modem-filled remote access servers that used to be mandatory for providing remote access.

For just a few thousand dollars, it's now possible to pick up a commodity VPN-firewall appliance that supports a few dozen simultaneous VPN connections. Drop it into the network, set up the firewall, configure the remote client applications, and presto--you've got an instant secure Internet infrastructure that lets remote users get the security of a direct dial-up connection while piggybacking on any ISP's infrastructure.

The VPN's new clothes
IPSec-based VPNs work for supporting remote workers, and work well. But what good is security when it only covers a fraction of the whole enterprise network? Data mobility in today's businesses is about a lot more than telecommuting; companies see the Internet as a vital artery that brings in information from a whole universe of sources.

One of those sources is wireless, which has rocketed into the mainstream over the past year or so. That growth has been a boon for VPNs, which became standardised just before the world cottoned onto what have become notorious shortcomings in the security model of the WEP (Wired Equivalent Privacy) built into 802.11b-compatible devices.

WEP, which provides security mechanisms such as data encryption and user authentication, has been excoriated in the press since early 2001, when a team of researchers announced they'd identified four security holes that let them circumvent WEP's protections. Sensing an opportunity, VPN vendors quickly stepped in to point out that if users were running a separate encryption protocol over the wireless connection, it wouldn't matter whether the data was compromised since nobody would be able to read it anyway.

This makes sense, and the result has been a rapid convergence of VPN-firewall devices with wireless base stations. WEP is still used to secure the radio link, but a VPN runs on top of it to ensure that the data being passed can't be read by anyone but the intended recipient.

Ensuring the security of wireless connections will become a major new opportunity as businesses get serious about running important corporate applications over new devices--notebooks, wirelessly connected PDAs, tablet PCs, or mobile phones, to name a few.

That growth has opened up a whole new realm of opportunities for VPN vendors, whose very success depends on their ability to get an IPSec-aware client application onto as many devices as they can. Mobile phones, which are becoming popular for data access thanks to their support for the mobile GPRS (General Packet Radio Service) data protocol, are a likely next target.

A different digital divide
VPNs have helped make both the Internet and wireless palatable for customers, to the point where it's no longer remarkable to access corporate data using either method. Yet with the spread of new network-based applications and customers' increasingly sophisticated communications requirements, Internet VPNs are being put to some completely new challenges--and they don't always measure up.

The problems arise when Internet VPNs are used for any kind of traffic that is sensitive to the Internet's latency. Consider the stereotypical road warrior, who's dialling into the corporate network via a secured Internet VPN. In theory, it's a great setup: she has seamless network access and, using Voice over IP (VoIP) technology, can even take her desk phone extension with her by having the IP-PABX forward calls to her notebook's IP address.

Technically, the infrastructure is there to make it happen: VoIP runs without a problem over an IPSec-secured VPN. But the underlying Internet architecture is as unpredictable as always, meaning that the usual performance issues--out-of-order packet delivery, packet loss, and network congestion--remain problematic. If her system decides to retrieve new e-mails while she's connected, the phone call will suddenly become an exercise in frustration as the applications duel for bandwidth.

It might seem like such problems are only issues with slow dial-up modem connections, but as companies' needs scale up they are no less problematic over larger bandwidth pipes. Uncertainty about the quality they'll get, says Dimension Data national business manager of networking and communications Roland Chia, has kept most companies from venturing into pushing voice over Internet VPNs. And if voice is a problem, video--which takes the problem to the nth degree--is completely out of the question.

"The price has definitely come down, but people are still very cautious about pumping latency-sensitive traffic online," Chia says. "Behind the scenes, you're still definitely sharing bandwidth with other organisations. At this point, it's mostly data traffic. The telcos definitely have to innovate before we'll be able to push [rich content] over Internet VPNs. At the end of the day, if the underlying infrastructure is not ready to support up and coming applications, they're not going to work for anyone."

Taking it to the WAN
Performance issues inherent in Internet VPNs have, then, hampered companies' ability to deliver rich applications to workers in the field. That's compromised the benefits offered by the whole concept of Internet VPNs, whose value proposition is predicated on providing secure access over a cheap, ubiquitous form of network access.

Without some significant improvements in the Internet's predictability and bandwidth, Internet VPNs will continue to be focused on lower-bandwidth applications for remote workers. That's frustrated advocates of the technology, who once argued that the cost equation of Internet VPNs would make them a natural complement to broadband.

Simply running a VPN connection over a commodity ADSL (Asymmetric Digital Subscriber Line) broadband connection in a remote office, for example, would provide a secure, multi-megabit connection to the office for just a few hundred dollars a month. This way, companies can construct wide area networks (WANs) offering more speed and lower cost than conventional point-to-point ISDN, Frame Relay, Digital Data Service (DDS), and other dedicated WAN technologies.

Those services require telecommunications carriers to dedicate an agreed-upon amount of bandwidth to customer traffic, providing enough performance and predictability to support applications that simply can't stand unknown latency. Even Dimension Data, which has built its business out of helping other companies take advantage of technology, has held back on adapting its internal network to take advantage of Internet VPNs. "We're talking about quite a bit of savings," Chia says. "But we are cautious."

Aiming to overcome that caution, carriers have been clambering over one another to offer what has become an appealing compromise: IP-VPNs, which use the same intrinsic technology as Internet VPNs but run over closed private networks where bandwidth can be much better controlled.

Although they could potentially cannibalise carriers' point-to-point connection revenues, IP-VPNs can nonetheless be found on every carrier's menu for one simple reason: their use of IP packets, as opposed to permanent virtual circuits, allows for far more efficient use of carriers' backbone networks.

That allows them to capitalise on economies of scale and increase the density of data traffic--and, therefore, the revenues that traffic generates. Better still for customers, the massive capacity of carriers' IP networks means that connections can quickly accommodate any changes in companies' WAN bandwidth requirements.

Within Australia, IP-VPN services are available from Telstra, Optus, Primus, and a host of first and second-tier ISPs. The key to their value lies in the predictability of the service they can deliver, and as such most carriers will be willing to back their IP-VPN services with service level agreements (SLAs).

Just watch out: it's easy to get a carrier to guarantee a certain level of performance, but if that level of performance won't maintain the performance of your applications, it's not going to be very helpful. Voice and video, in particular, require latencies in the tens of milliseconds--and don't forget to factor in the processing overhead necessary to encrypt and decrypt VPN packets.

Aiming to smooth the whole process, many carriers--particularly those offering global IP-VPNs--have deployed MPLS (Multi-Protocol Label Switching), a method of tagging data packets that allows the carriers to prioritise certain types of traffic over their networks. MPLS makes Quality of Service guarantees possible and, in so doing, removes the performance hit that can accompany IP-based VPNs. However, it's only useful when the carrier owns every bit of fibre from source to destination.

"Our focus is really on high-level performance for IP-VPNs, and MPLS allows us to provide classes of service for the customer and prioritise their applications on the network," says Richard Knott, managing director for Australasia with global network provider Equant.

"In an old infrastructure, bringing up new sites [on the WAN] was relatively complicated because it had cascading effects on other parts of the network. With an IP VPN it's really just a question of loading IP addresses into the VPN and getting the access port increased. We've found that very powerful in talking to customers, particularly those involved in mergers and acquisitions."

Offloading the grunt work

As competition pushes the price of basic access services down, carriers are relishing the opportunity to recoup revenues from other types of offerings. That's made IP-VPN services a big hit, since they're typically billed as a per-user, per-month charge on top of the basic Internet connectivity sold by carriers.

In many cases, customers are calling on carriers to expand their roster even further by assuming day-to-day management of PABXes and IP telephony, video distribution, user authentication, and other network-related tasks. Another common service is end-user VPN access, which allows remote users to securely dial into the corporate network through the carrier's network of dial-in points of presence.

Recognising an opportunity, non-carrier providers are jumping on the bandwagon with managed VPN services that leverage their own specific strengths: RSA Security, for example, combines VPN technologies with its Keon Certificate Authority (CA) service to provide a secure VPN offering that integrates strong user authentication capabilities. Competitor VeriSign has taken a similar approach, recently launching its Safe Secure Access service combining VeriSign CA technology with Check Point VPN software.

"The VPN market has added another wave of growth to an already growing and strong business," says RSA Asia-Pacific vice president Richard Turner.

The managed VPN model offloads the complexity of everyday management whilst building on the flexibility of IP to improve the services that can be run over this new-age WAN. Since it's based on IP, companies can also integrate IP-VPN services with other IP-based offerings--for example, storage outsourcing or network monitoring--allowing construction of a best-of-breed array of services that complement VPNs' basic encrypted data carriage.

The end result is a predictable, flexible, accountable data service that can be easily shaped to accommodate current and future needs. It may be a bit more expensive than the roll-your-own approach that's made Internet VPNs so popular, but for companies requiring anything more than basic applications, IP-VPN services represent a more than adequate compromise.

Managed services also bring in the expertise of companies that do this for a living, which can be invaluable in its own right. "The back end always has lots of good challenges associated with it," says Peter Geale, group product manager with CITEC, which recently launched a managed VPN service costing AU$25 per user per month (authentication, via RSA SecurID hardware token, costs an extra $25 per user per month).

"For a lot of people doing VPNs themselves, it may work well for 30 to 40 users, but when people have 500 to 600 concurrent users they begin to see quirks in the systems. Because we manage for so many users, we've been able to really test those environments."

The innovation around IP-VPN services doesn't mean Internet VPN providers are down for the count. The market for VPN appliances continues to grow, with companies happy to risk the Internet's performance in order to provide low-cost VPN services. And as advances in traffic-shaping technology make the Internet's handling of traffic more predictable, VPN providers will be working to bring even more advanced capabilities to the humble Internet VPN.

"We're still only about a third of the way to where VPNs will be as a standard platform in the future," says Randy Prado, ANZ regional manager with VPN provider SonicWALL. "In the future, we'll incorporate Quality of Service, voice over VPN and the like. Those are the types of things we'd like to be aiming for."

Executive summary: getting connected

Thanks to years of technology development, virtual private networks are now standards-based and easier than ever to implement--whether over the Internet or via private networks. But they're not for everybody. Here are some things to remember when making your connection:

VPNs aren't just for the big guys. VPN appliances simplify the process of building and managing VPNs, and vendors are now offering models with support for just a handful of users that weigh in at around $1000--putting them well within reach of small businesses.

Ownership is everything. It's impossible for a service provider to guarantee a particular quality of service if they depend on someone else to carry your data for them. If you want to move to a full IP solution from your current WAN, make sure you go with a provider that owns its own network. If performance is an issue, find out how their network traffic is routed between the cities you need to reach.

Thinking VPN? Think firewall. It's no good providing encrypted connections to your network if you can't manage the entire life of those connections. Consider an integrated VPN and firewall, which provides consistent management of both external connections (VPNs) and internal resources (firewall).

Encryption is not the problem. Early VPN providers liked to throw around key lengths like they were money, particularly given now-relaxed US export regulations on strong encryption. Today's VPNs are based on at least Triple-DES or AES (Advanced Encryption Standard), and virtually any system will provide more than enough encryption for your needs.

MPLS is nice, but not necessary. Of course, that depends on who you're talking to. Either way, MPLS has proved to be complicated to implement and won't work on traffic that crosses any network that doesn't support MPLS. Although it can improve the handling of time-sensitive traffic such as voice and video, some service providers argue that having enough bandwidth can have the same effect. Try out the performance of your apps with various service providers to see whether you need such a highly granular level of control.

Talk can be cheap. Vendors point to voice over VPN as another example of convergence, but over the Internet it can be a hit-or-miss proposition. For now, private IP networks are the best way to ensure you've got enough bandwidth to push voice over a VPN.

Scaling VPNs can be tricky, particularly when you're using software VPNs: encryption overheads and irregular bandwidth consumption patterns can produce unpredictable performance. The more users you add, the harder it gets. This is one of the nice things about appliances: their chip-based encryption is designed to grow.

Weigh up your authentication. Many VPN service providers are combining VPN connectivity with user authentication via certificate authority or hardware token. Since VPNs are often used to access sensitive information, consider an authentication solution to make sure the person on the other end of the line is the right person.

Set useful SLAs. No SLA is worth the paper it's written on if your apps won't work with that much latency. Since the performance of VPNs depends on the robustness of the underlying network, monitor performance carefully; increased congestion, and overheads from things like encryption and decryption, change the dynamics of calculating bandwidth consumption.

Make them work for your money. Outsourcing VPNs is an easy way to get the advantages of security without the management headaches. If you go that route, make sure you consider what other relevant services they can offer you.
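The SLA and voice-over-VPN items above both turn on the same arithmetic: an IPSec tunnel adds fixed per-packet overhead, and voice packets are small, so the overhead can double the bandwidth a call needs and adds serialization delay on slow links. The following is an added worked example, not code from the article or from any vendor it names. The IPv4, UDP, RTP and ESP header sizes are the standard ones; the codec parameters, the 56 kbps and 512 kbps link speeds, the 150 ms one-way budget, and the crypto and network delay figures are assumed sample values chosen to illustrate the point.

```python
"""Estimate IPSec ESP tunnel-mode overhead and a one-way delay budget for VoIP.

Added example (not from the article). Header sizes are the standard
IPv4/UDP/RTP/ESP sizes; codec, link and delay figures are assumed samples.
"""
from dataclasses import dataclass

# Fixed header sizes in bytes: IPv4 without options, UDP, RTP without extensions.
IPV4_HEADER = 20
UDP_HEADER = 8
RTP_HEADER = 12

# ESP tunnel-mode components: SPI + sequence number (8), trailer with pad length
# and next-header fields (2), and a 96-bit truncated HMAC integrity check value.
ESP_HEADER = 8
ESP_TRAILER = 2
ESP_ICV_HMAC96 = 12

# Block sizes for the two ciphers the article names (3DES and AES in CBC mode):
# the inner packet plus trailer is padded to a block multiple and a one-block IV
# is prepended.
CIPHER_BLOCK = {"3des": 8, "aes": 16}


@dataclass(frozen=True)
class Codec:
    name: str
    payload_bytes: int       # voice payload carried in each RTP packet
    packet_interval_ms: int  # packetisation interval (one packet per interval)


# Assumed sample codecs: G.729 (8 kbps) and G.711 (64 kbps), both at 20 ms.
G729 = Codec("G.729", 20, 20)
G711 = Codec("G.711", 160, 20)


def plain_voip_packet(codec: Codec) -> int:
    """Bytes on the wire for one unencrypted IP/UDP/RTP voice packet."""
    return IPV4_HEADER + UDP_HEADER + RTP_HEADER + codec.payload_bytes


def esp_tunnel_packet(inner_len: int, cipher: str) -> int:
    """Bytes on the wire once the inner packet is wrapped in ESP tunnel mode."""
    block = CIPHER_BLOCK[cipher]
    to_pad = inner_len + ESP_TRAILER
    padded = -(-to_pad // block) * block          # round up to a block multiple
    return IPV4_HEADER + ESP_HEADER + block + padded + ESP_ICV_HMAC96


def bandwidth_kbps(packet_bytes: int, interval_ms: int) -> float:
    """Sustained one-direction bandwidth for a stream of equal packets."""
    packets_per_second = 1000 / interval_ms
    return packet_bytes * 8 * packets_per_second / 1000


def serialization_delay_ms(packet_bytes: int, link_kbps: float) -> float:
    """Time to clock one packet onto a link: bits / (kbit/s) gives milliseconds."""
    return packet_bytes * 8 / link_kbps


def one_way_delay_ms(codec: Codec, packet_bytes: int, link_kbps: float,
                     network_ms: float, crypto_ms: float) -> float:
    """Packetisation + serialization + network transit + encrypt/decrypt time."""
    return (codec.packet_interval_ms
            + serialization_delay_ms(packet_bytes, link_kbps)
            + network_ms + crypto_ms)


def call_fits_budget(codec: Codec, cipher: str, link_kbps: float,
                     network_ms: float, crypto_ms: float,
                     budget_ms: float = 150.0) -> bool:
    """True if an encrypted call's one-way delay stays within the budget.

    The 150 ms default is an assumed sample budget for interactive speech.
    """
    size = esp_tunnel_packet(plain_voip_packet(codec), cipher)
    return one_way_delay_ms(codec, size, link_kbps, network_ms, crypto_ms) <= budget_ms


if __name__ == "__main__":
    for codec in (G729, G711):
        plain = plain_voip_packet(codec)
        for cipher in ("3des", "aes"):
            esp = esp_tunnel_packet(plain, cipher)
            print(f"{codec.name} {cipher.upper():4} "
                  f"plain {plain:3d} B {bandwidth_kbps(plain, codec.packet_interval_ms):5.1f} kbps  "
                  f"ESP {esp:3d} B {bandwidth_kbps(esp, codec.packet_interval_ms):5.1f} kbps  "
                  f"serialization @56k {serialization_delay_ms(esp, 56):5.1f} ms")
    # Assumed sample scenario: dial-up versus a 512 kbps link, 60 ms network delay, 5 ms crypto.
    print("G.729/AES over 56 kbps fits 150 ms budget:", call_fits_budget(G729, "aes", 56, 60, 5))
    print("G.729/AES over 512 kbps fits 150 ms budget:", call_fits_budget(G729, "aes", 512, 60, 5))
```

The G.729 case is the instructive one: 60-byte plain packets become 120-byte ESP packets with AES, so the call's bandwidth doubles from 24 to 48 kbps before any link-layer framing, and on a 56 kbps modem the serialization alone eats roughly 17 ms of the delay budget per hop. The functions are what you would run against the latency figure a carrier is offering in an SLA, rather than taking the raw number at face value.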

Case study: curing HealthLink's EDI woes

Computerisation of individual general practice clinics may have improved doctors' management of patient data, but New Zealand-based HealthLink has much bigger plans in store for the Australasian market.

Founded in 1996, the company currently acts as a facilitator for the exchange of health-related messages, which are encoded using the industry-standard HL7 data protocol and transmitted between nearly 4000 practices, laboratories, hospitals, and community healthcare organisations using secure electronic data interchange (EDI) technology. HealthLink's infrastructure supports the transfer of up to 35 million messages a year.

Although the current infrastructure works well, chief executive Tom Bowden says technical constraints and the expense of participation in an EDI network, as well as the company's desire to provide features that were impossible using EDI, recently drove the company to look for an easier way to link participants.

"Most of the work we do is to assist the flow of information in the general business of medical consultation," says Bowden. "EDI is fine for delivering lab results and discharge summaries, but it's not good for the interactive applications we're trying to promote."

The Internet was a natural choice for connectivity--but with security a major concern, HealthLink needed a technology that would guarantee patient privacy whilst capitalising on the Internet's broad reach.

That solution was a private VPN, created over the Internet using SonicWALL Internet security appliances installed on each participant's network. Each appliance manages an encrypted connection to the Internet, which leverages HealthLink's own certificate authority for user authentication and uses the appliances' 128-bit encryption for the secure transfer of data between network participants.

With the Internet handling connectivity and the VPN handling security, the solution will ultimately allow any healthcare provider in Australia and New Zealand to communicate; this capability is intended to provide easier flow-through of treatment records as patients move between healthcare providers. HealthLink is also planning to offer other services including online prescribing, ordering of tests, access to clinical information databases, and other incentives that will encourage clinics to upgrade to broadband.

HealthLink acts as service provider for the project, managing the technical infrastructure as well as delivery of the applications. SonicWALL's Global Management System software allows the company to continually monitor each appliance and quickly resolve any problems.

"The new style is online connections, firewalls, ADSL, and wireless links," says Bowden. "It's an upscaling of what we do, and it's a big deal to set up the systems and get them right. But we've been going at it methodically and carefully. It's good not to have to become computer security experts to have an outsourced service. We see ourselves as one large VPN."

VPSN links storage around the world

Organisations with widely distributed offices often turn to VPN as a secure and inexpensive means of communicating and sharing resources. Now that same technology is being extended to storage. Targeted at international organisations, WebOffice's (www.webofficenow.com) Virtual Private Storage Network (VPSN) pulls distributed storage into the picture with the goal of facilitating data sharing among offices in different physical locations.

One company that has found the solution valuable is Inventes, a change management software development company with offices in the United States and India. Inventes uses the VPSN to coordinate its development teams and to share data. If the experience of Inventes is any indication of the solution's potential, many international organisations can take advantage of the VPSN to improve collaboration and keep communications costs under control.

How it works
A management box called an ISERVer and one or more storage units called ILANds make up the VPSN solution. The ISERVer is a storage unit, too, but it manages the networked ILANd boxes, which act much like NAS systems at the distributed offices.

"Fundamentally, it's a sort of VPN server that is also useful for shared storage across a distributed environment," says Vijay Sankaran, Inventes' cofounder and vice president of products and engineering.

The ISERVer requires a routable static IP address and can be placed anywhere to manage the ILANd units. It receives regular updates from the distributed storage boxes on their status, capacity, and any task requests. The ISERVer then stores data about each ILANd in a relational database that allows it to locate each one and to provide routing for boxes behind firewalls.

Each remote location in an organisation has an ILANd that communicates with the ISERVer to gain access to the storage group sharing data across the entire network. The system supports dynamic, static, or PPPoE IP addressing, and both the ISERVers and ILANds act as DHCP servers. Each also includes a seven-port 10/100 Ethernet switch and built-in firewall. To attach more than seven PCs to the devices, you can connect another switch to an uplink port on each. You can attach up to 253 PCs to the VPSN storage units.

Once the devices are set up, all connected PCs can access storage within the VPSN via a browser. Resources on the PCs themselves can also be shared with the proper access rights. This enables users to collaborate more easily and access storage that may reside thousands of kilometres away.

As a software development company, the data Inventes shares is its code base. "We have a core repository that we share between operations here in the US and our operations in India," Sankaran says.

Inventes has to ensure that the code repositories in India remain in sync with those in the United States. One option for accomplishing this, Sankaran says, was to have one code repository act as the master and the other act as a mirror or backup. This setup allows Inventes to better coordinate development efforts between its widely separated offices.

"Files that need to be synchronised can be scheduled for synchronisation at preset times, so it's sort of a hassle-free deployment and management of storage for us."

Sankaran commented that the VPSN scheduling interface currently is not very intuitive, but Inventes is offering WebOffice feedback for further improving the interface.

Why VPSN?
Sankaran says one of the aspects of the system that attracted Inventes was that it operates on the same basic premise as a VPN and doesn't require anything beyond a standard broadband Internet connection such as DSL or T1.

"You're basically just getting a local ISP connection on both ends, as opposed to having to invest in dedicated lines."

Sankaran says that to address connectivity reliability issues, many Indian companies doing business with overseas counterparts purchase International Private Lease Circuits (IPLCs), which provide dedicated end-to-end broadband network links to guarantee the reliability of communications.

"Telco service providers offer what they call 'landings' at a significant cost. Companies then back that up with a satellite uplink as well."

This option, Sankaran says, would have been Inventes' best alternative to the VPSN approach. But although this effectively solves the connectivity issues, the costs are still very high.

"We quickly realised that we would be better off just getting a couple of DSL lines--one primary, one backup--and using the VPSN to achieve the same goal at one-third the cost of IPLC."

The ease of managing the storage is another reason Inventes likes the VPSN solution. And Sankaran says that mapping data is nearly transparent in WebOffice.

Mapping to data based in India is the same as if it were on a local server, which promotes a collaborative work environment that is flexible and easy to work with. Inventes can deploy its development servers in India and access them from its US offices as if the data were stored locally. The VPSN establishes reliable links to the two locations, allowing them to share data without having to pay the costs of more expensive options, such as leased circuits.

VPSN can also be used across different platforms since it uses standard Windows networking protocols--although it runs on Linux.

"Everything is running on Samba. The current platform is a pure Linux implementation."

Final analysis
WebOffice's VPSN solution offers intriguing potential for distributing shared storage over great distances and giving users secure and reliable access to those storage pools. WebOffice claims that the system is self-provisioning, which eases management and can potentially lower the TCO. Organisations with international offices may, like Inventes, look at the VPSN as a means of sharing storage space, synchronising files, and backing up data while avoiding the high costs of dedicated lines.

WebOffice offers products aimed at organisations of varying sizes and needs, so its products may be worth a look for those searching for an alternative means of linking important data resources between remote offices.

Ray Geroski, TechRepublic. TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to firewalls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.

©2003 TechRepublic, Inc.


Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.