Internet VPNs: the WAN and the light?

By David Braue
26 May 2003 04:30 PM
Tags: internet, private, feature, wan, dds, vpn, virtual, t&b


They promise low-cost connectivity that could make conventional, expensive WANs a thing of the past. But can roll-your-own Internet VPNs really deliver?

Not too many years ago, no prudent businessman would have authorised a project that involved transmitting confidential data over the Internet.

The Internet, conventional wisdom had led many to believe, was a haven for viruses and would steal your credit card number, turn your hair green, and run your corporate secrets down the street to your biggest competitor. Such FUD was a major problem for business managers reluctant to open their chequebooks to fund projects based on such an uncertain technology.

Years down the road, the business community has grown up a lot. The Internet's ubiquity, and its singular compliance with the IP standard, have made it indispensable to all sorts of companies--and a lot more secure, thanks to the coalescence of the market for virtual private network (VPN) technology around the IP Security (IPSec) standard.

Increasing familiarity with VPN technology, combined with the technological improvements of an industry that's been working hard to get its act together, has produced a wealth of products, both software and hardware, that make it almost a no-brainer for even small companies to offer secured VPN access into their networks.

In typical scenarios--where a handful of executives might use VPN clients to check e-mail and read performance reports from home--the VPNs have proven inexpensive and easy to manage. The technology is secure, manageable, robust, and virtually invisible, making it a natural replacement for the legions of modem-filled remote access servers that used to be mandatory for providing remote access.

For just a few thousand dollars, it's now possible to pick up a commodity VPN-firewall appliance that supports a few dozen simultaneous VPN connections. Drop it into the network, set up the firewall, configure the remote client applications, and presto--you've got an instant secure Internet infrastructure that lets remote users get the security of a direct dial-up connection while piggybacking on any ISP's infrastructure.

The VPN's new clothes
IPSec-based VPNs work for supporting remote workers, and work well. But what good is security when it only covers a fraction of the whole enterprise network? Data mobility in today's businesses is about a lot more than telecommuting; companies see the Internet as a vital artery that brings in information from a whole universe of sources.

One of those sources is wireless, which has rocketed into the mainstream over the past year or so. That growth has been a boon for VPNs, which became standardised just before the world cottoned onto what have become notorious shortcomings in the security model of the WEP (Wired Equivalent Privacy) built into 802.11b-compatible devices.

WEP, which provides security mechanisms such as data encryption and user authentication, has been excoriated in the press since early 2001, when a team of researchers announced they'd identified four security holes that let them circumvent WEP's protections. Sensing an opportunity, VPN vendors quickly stepped in to point out that if users were running a separate encryption protocol over the wireless connection, it wouldn't matter whether the data was compromised since nobody would be able to read it anyway.

This makes sense, and the result has been a rapid convergence of VPN-firewall devices with wireless base stations. WEP is still used to secure the connection, but VPN runs on top of it to ensure that the data being passed can't be used by anyone but the intended recipient.

Ensuring the security of wireless connections will become a major new opportunity as businesses get serious about running important corporate applications over new devices--notebooks, wirelessly connected PDAs, tablet PCs, or mobile phones, to name a few.

That growth has opened up a whole new realm of opportunities for VPN vendors, whose very success depends on their ability to get an IPSec-aware client application onto as many devices as they can. Mobile phones, which are becoming popular for data access thanks to their support for the mobile GPRS (General Packet Radio Service) data protocol, are a likely next target.

A different digital divide
VPNs have helped make both the Internet and wireless palatable for customers, to the point where it's no longer remarkable to access corporate data using either method. Yet with the spread of new network-based applications and customers' increasingly sophisticated communications requirements, Internet VPNs are being put to some completely new challenges--and they don't always measure up.

The problems arise when Internet VPNs are used for any kind of data that doesn't like the latency of the Internet. Consider the stereotypical road warrior, who's dialling into the corporate network via a secured Internet VPN. In theory, it's a great setup: she has seamless network access and, using Voice over IP (VoIP) technology, can even take her desk phone extension with her by having the IP-PABX forward calls to her notebook's IP address.

Technically, the infrastructure is there to make it happen: VoIP runs without a problem over an IPSec-secured VPN. But the underlying Internet architecture is as unpredictable as always, meaning that the usual performance issues--out-of-order packet delivery, packet loss, and network congestion--remain problematic. If her system decides to retrieve new e-mails while she's connected, the phone call will suddenly become an exercise in frustration as the applications duel for bandwidth.

It might seem like such problems are only issues with slow dial-up modem connections, but as companies' needs scale up they are no less problematic over larger bandwidth pipes. Uncertainty about the quality they'll get, says Dimension Data national business manager of networking and communications Roland Chia, has kept most companies from venturing into pushing voice over Internet VPNs. And if voice is a problem, video--which takes the problem to the nth degree--is completely out of the question.

"The price has definitely come down, but people are still very cautious about pumping latency-sensitive traffic online," Chia says. "Behind the scenes, you're still definitely sharing bandwidth with other organisations. At this point, it's mostly data traffic. The telcos definitely have to innovate before we'll be able to push [rich content] over Internet VPNs. At the end of the day, if the underlying infrastructure is not ready to support up and coming applications, they're not going to work for anyone."

Taking it to the WAN
Performance issues inherent in Internet VPNs have, then, hampered companies' ability to deliver rich applications to workers in the field. That's compromised the benefits offered by the whole concept of Internet VPNs, whose value proposition is predicated on providing secure access over a cheap, ubiquitous form of network access.

Without some significant improvements in the Internet's predictability and bandwidth, Internet VPNs will continue to be focused on lower-bandwidth applications for remote workers. That's frustrated advocates of the technology, who once argued that the cost equation of Internet VPNs would make them a natural complement to broadband.

Simply running a VPN connection over a commodity ADSL (Asymmetric Digital Subscriber Line) broadband connection in a remote office, for example, would provide a secure, multi-megabit connection to the office for just a few hundred dollars a month. This way, companies can construct wide area networks (WANs) offering more speed and lower cost than conventional point-to-point ISDN, Frame Relay, Digital Data Service (DDS), and other dedicated WAN technologies.

Those services require telecommunications carriers to dedicate an agreed-upon amount of bandwidth to customer traffic, providing enough performance and predictability to support applications that simply can't stand unknown latency. Even Dimension Data, which has built its business out of helping other companies take advantage of technology, has held back on adapting its internal network to take advantage of Internet VPNs. "We're talking about quite a bit of savings," Chia says. "But we are cautious."

Aiming to overcome that caution, carriers have been clambering over themselves to offer what has become an appealing compromise: IP-VPNs, which use the same intrinsic technology as Internet VPNs but run over closed private networks where bandwidth can be much better controlled.

Although they could potentially cannibalise carriers' point-to-point connection revenues, IP-VPNs can nonetheless be found on every carrier's menu for one simple reason: their use of IP packets, as opposed to permanent virtual circuits, allows for far more efficient use of carriers' backbone networks.

That allows them to capitalise on economies of scale and increase the density of data traffic--and, therefore, the revenues that traffic generates. Better still for customers, the massive capacity of carriers' IP networks means that connections can quickly accommodate any changes in companies' WAN bandwidth requirements.

Within Australia, IP-VPN services are available from Telstra, Optus, Primus, and a host of first and second-tier ISPs. The key to their value lies in the predictability of the service they can deliver, and as such most carriers will be willing to back their IP-VPN services with service level agreements (SLAs).

Just watch out: it's easy to get a carrier to guarantee a certain level of performance, but if that level isn't enough for your applications, the guarantee won't help much. Voice and video, in particular, require latencies in the tens of milliseconds--and don't forget to factor in the processing overhead needed to encrypt and decrypt VPN packets.
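The bandwidth contention and latency budget described above, as an added example that is not part of the article: a Python calculation of what an IPsec ESP tunnel adds to a G.711 voice stream, and whether a one-way delay budget survives encryption and Internet transit. The packet sizes, the 150 ms ITU-T G.114 one-way target and the delay components are assumed typical values, not figures from the article.

```python
# Added example, not from the article: IPsec ESP overhead on a VoIP stream
# and a one-way delay budget. All sizes and delays are assumed typical values.

# Constructed, typical sizes: G.711 at 20 ms packetisation = 160-byte frame.
VOICE_PAYLOAD = 160
RTP_HDR, UDP_HDR, IP_HDR = 12, 8, 20
PACKETS_PER_SEC = 50           # one voice frame every 20 ms


def esp_tunnel_packet_size(payload, cipher_block=16, iv_len=16, icv_len=12):
    """Outer IP packet size for ESP tunnel mode around an RTP/UDP/IP packet.
    Defaults assume AES-CBC (16-byte block and IV) with a 96-bit HMAC ICV."""
    inner = IP_HDR + UDP_HDR + RTP_HDR + payload   # whole inner IP packet is encrypted
    esp_header = 8                                  # SPI (4) + sequence number (4)
    trailer = 2                                     # pad length + next header
    pad = (-(inner + trailer)) % cipher_block       # align ciphertext to block size
    return IP_HDR + esp_header + iv_len + inner + pad + trailer + icv_len


def call_bandwidth_kbps(packet_bytes, pps=PACKETS_PER_SEC):
    """IP-layer bandwidth of one direction of a call, in kbit/s."""
    return packet_bytes * 8 * pps / 1000


def calls_supported(link_kbps, packet_bytes, background_kbps=0.0):
    """Calls that fit on a link after background traffic (e.g. a mail
    download) takes its share; 0 means the call will 'duel' for bandwidth."""
    free = max(link_kbps - background_kbps, 0.0)
    return int(free // call_bandwidth_kbps(packet_bytes))


def one_way_delay_ms(network_ms, jitter_buffer_ms=40, packetisation_ms=20, crypto_ms=2):
    """Mouth-to-ear delay: transit, jitter buffer, packetisation, and
    encrypt + decrypt processing at the two VPN endpoints (assumed values)."""
    return network_ms + jitter_buffer_ms + packetisation_ms + 2 * crypto_ms


def within_budget(network_ms, budget_ms=150, **delays):
    """True if the call meets the assumed ITU-T G.114 one-way target of 150 ms."""
    return one_way_delay_ms(network_ms, **delays) <= budget_ms


if __name__ == "__main__":
    raw = IP_HDR + UDP_HDR + RTP_HDR + VOICE_PAYLOAD
    enc = esp_tunnel_packet_size(VOICE_PAYLOAD)
    print(f"clear: {raw} B/pkt, {call_bandwidth_kbps(raw):.1f} kbit/s")
    print(f"ESP:   {enc} B/pkt, {call_bandwidth_kbps(enc):.1f} kbit/s")
    print("calls on 56 kbit/s dial-up:", calls_supported(56, enc))
    print("calls on 512 kbit/s upstream with a 300 kbit/s download:", calls_supported(512, enc, 300))
    print("80 ms transit within budget:", within_budget(80))
```

The ESP tunnel roughly adds a third to the clear-text bandwidth of the call, which is why a dial-up link cannot carry even one encrypted call once anything else is in flight.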

Aiming to smooth the whole process, many carriers--particularly those offering global IP-VPNs--have deployed MPLS (Multi-Protocol Label Switching), a method of tagging data packets that allows the carriers to prioritise certain types of traffic over their networks. MPLS makes Quality of Service guarantees possible and, in so doing, removes the performance hit that can accompany IP-based VPNs. However, it's only useful when the carrier owns every bit of fibre from source to destination.

"Our focus is really on high-level performance for IP-VPNs, and MPLS allows us to provide classes of service for the customer and prioritise their applications on the network," says Richard Knott, managing director for Australasia with global network provider Equant.

"In an old infrastructure, bringing up new sites [on the WAN] was relatively complicated because it had cascading effects on other parts of the network. With an IP VPN it's really just a question of loading IP addresses into the VPN and getting the access port increased. We've found that very powerful in talking to customers, particularly those involved in mergers and acquisitions."

Offloading the grunt work

As competition pushes the price of basic access services down, carriers are relishing the opportunity to recoup revenues from other types of offerings. That's made IP-VPN services a big hit, since they're typically billed as a per-user, per-month charge on top of the basic Internet connectivity sold by carriers.

In many cases, customers are calling on carriers to expand their roster even further by assuming day-to-day management of PABXes and IP telephony, video distribution, user authentication, and other network-related tasks. Another common service is end-user VPN access, which allows remote users to securely dial into the corporate network through the carrier's network of dial-in points of presence.

Recognising an opportunity, non-carrier providers are jumping on the bandwagon with managed VPN services that leverage their own specific strengths: RSA Security, for example, combines VPN technologies with its Keon Certificate Authority (CA) service to provide a secure VPN offering that integrates strong user authentication capabilities. Competitor VeriSign has taken a similar approach, recently launching its Safe Secure Access service combining VeriSign CA technology with Check Point VPN software.

"The VPN market has added another wave of growth to an already growing and strong business," says RSA Asia-Pacific vice president Richard Turner.

The managed VPN model offloads the complexity of everyday management whilst building on the flexibility of IP to improve the services that can be run over this new-age WAN. Since it's based on IP, companies can also integrate IP-VPN services with other IP-based offerings--for example, storage outsourcing or network monitoring--allowing construction of a best-of-breed array of services that complement VPNs' basic encrypted data carriage.

The end result is a predictable, flexible, accountable data service that can be easily shaped to accommodate current and future needs. It may be a bit more expensive than the roll-your-own approach that's made Internet VPNs so popular, but for companies requiring anything more than basic applications, IP-VPN services represent a more than adequate compromise.

Managed services also bring in the expertise of companies that do this for a living, which can be invaluable in its own right. "The back end always has lots of good challenges associated with it," says Peter Geale, group product manager with CITEC, which recently launched a managed VPN service costing AU$25 per user per month (authentication, via RSA SecurID hardware token, costs an extra $25 per user per month).

"For a lot of people doing VPNs themselves, it may work well for 30 to 40 users, but when people have 500 to 600 concurrent users they begin to see quirks in the systems. Because we manage for so many users, we've been able to really test those environments."

The innovation around IP-VPN services doesn't mean Internet VPN providers are down for the count. The market for VPN appliances continues to grow, with companies happy to risk the Internet's performance in order to provide low-cost VPN services. And as technological improvements give the Internet better traffic-shaping capabilities, VPN providers will be working to bring even more advanced capabilities to the humble Internet VPN.

"We're still only about a third of the way to where VPNs will be as a standard platform in the future," says Randy Prado, ANZ regional manager with VPN provider SonicWALL. "In the future, we'll incorporate Quality of Service, voice over VPN and the like. Those are the types of things we'd like to be aiming for."
