Internet VPNs: the WAN and the light?

By David Braue
26 May 2003 04:30 PM
Tags: internet, private, feature, wan, dds, vpn, virtual, t&b

Executive summary: getting connected

Thanks to years of technology development, virtual private networks are now standards-based and easier than ever to implement--whether over the Internet or via private networks. But they're not for everybody. Here are some things to remember when making your connection:

VPNs aren't just for the big guys. VPN appliances simplify the process of building and managing VPNs, and vendors are now offering models with support for just a handful of users that weigh in at around $1000--putting them well within reach of small businesses.

Ownership is everything. It's impossible for a service provider to guarantee a particular quality of service if they depend on someone else to carry your data for them. If you want to move to a full IP solution from your current WAN, make sure you go with a provider that owns its own network. If performance is an issue, find out how their network traffic is routed between the cities you need to reach.

Thinking VPN? Think firewall. It's no good providing encrypted connections to your network if you can't manage the entire life of those connections. Consider an integrated VPN and firewall, which provides consistent management of both external connections (VPNs) and internal resources (firewall).

Encryption is not the problem. Early VPN providers liked to throw around key lengths like they were money, particularly given now-relaxed US export regulations on strong encryption. Today's VPNs are at least based around Triple-DES or AES (Advanced Encryption Standard), and virtually any system will provide more than enough encryption for your needs.

MPLS is nice, but not necessary. Of course, that depends on who you're talking to. Either way, MPLS has proved to be complicated to implement and won't work on traffic that crosses any non-MPLS-compliant network. Although it can improve the handling of time-sensitive traffic such as voice and video, some service providers argue that having enough bandwidth can have the same effect. Try out the performance of your apps with various service providers to see whether you need such a highly granular level of control.

Talk can be cheap. Vendors point to voice over VPN as another example of convergence, but over the Internet it can be a hit-or-miss proposition. For now, private IP networks are the best way to ensure you've got enough bandwidth to push voice over a VPN.

Scaling VPNs can be tricky. This is particularly so with software VPNs, where encryption overheads and irregular bandwidth consumption patterns can produce unpredictable performance. The more users you add, the harder it gets. This is one of the nice things about appliances: their chip-based encryption is designed to grow with the load.

Weigh up your authentication. Many VPN service providers are combining VPN connectivity with user authentication via certificate authority or hardware token. Since VPNs are often used to access sensitive information, consider an authentication solution to make sure the person on the other end of the line is the right person.

Set useful SLAs. No SLA is worth the paper it's written on if your apps won't work with that much latency. Since the performance of VPNs depends on the robustness of the underlying network, monitor performance carefully; increased congestion, and overheads from things like encryption and decryption, change the dynamics of calculating bandwidth consumption.
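The overhead point running through the scaling, voice and SLA items above can be made concrete. The following is an added example, not code from the article or from any vendor it mentions: it models the per-packet byte cost of an assumed IPsec ESP tunnel-mode VPN (AES-CBC with a 12-byte truncated HMAC tag; all byte counts are assumptions, not figures from the article), then shows how much of a link is left for application data at two constructed packet sizes, whether a full-size packet still fits a 1500-byte path MTU after encapsulation, and whether a given SLA latency ceiling is actually useful for an application's tolerance.

```python
"""Per-packet VPN encapsulation overhead and effective goodput.

Added example, not from the article. It assumes an IPsec ESP tunnel-mode
VPN over IPv4 using AES-CBC (16-byte block and IV) with a 12-byte truncated
HMAC integrity check value; the constants below are typical values for that
profile and are assumptions, not figures taken from the article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EspProfile:
    """Byte costs of one ESP tunnel-mode encapsulation (assumed profile)."""
    outer_ip_header: int = 20  # new outer IPv4 header added in tunnel mode
    esp_header: int = 8        # SPI (4) + sequence number (4)
    iv_len: int = 16           # AES-CBC initialisation vector
    block_size: int = 16       # AES block size; encrypted part is padded to it
    trailer: int = 2           # pad-length byte + next-header byte
    icv_len: int = 12          # HMAC-SHA1-96 integrity check value


def esp_padding(inner_len: int, p: EspProfile = EspProfile()) -> int:
    """Padding bytes needed so (inner packet + trailer) fills whole cipher blocks."""
    return (-(inner_len + p.trailer)) % p.block_size


def esp_tunnel_size(inner_len: int, p: EspProfile = EspProfile()) -> int:
    """Size on the wire of one inner IP packet after ESP tunnel encapsulation."""
    return (p.outer_ip_header + p.esp_header + p.iv_len
            + inner_len + esp_padding(inner_len, p) + p.trailer + p.icv_len)


def goodput_fraction(app_payload: int, inner_headers: int = 40,
                     p: EspProfile = EspProfile()) -> float:
    """Share of each encapsulated packet that is application data.

    inner_headers defaults to 40: IPv4 (20) + TCP (20), which is also
    IPv4 (20) + UDP (8) + RTP (12) for voice traffic.
    """
    inner_len = app_payload + inner_headers
    return app_payload / esp_tunnel_size(inner_len, p)


def effective_app_bps(link_bps: int, app_payload: int,
                      inner_headers: int = 40) -> float:
    """Application-level throughput a link of link_bps carries at this packet size."""
    return link_bps * goodput_fraction(app_payload, inner_headers)


def fits_path_mtu(inner_len: int, path_mtu: int = 1500,
                  p: EspProfile = EspProfile()) -> bool:
    """False when encapsulation pushes the packet over the path MTU (fragmentation)."""
    return esp_tunnel_size(inner_len, p) <= path_mtu


def sla_is_useful(sla_latency_ms: float, app_max_latency_ms: float) -> bool:
    """An SLA only helps if its latency ceiling is below what the application tolerates."""
    return sla_latency_ms <= app_max_latency_ms


if __name__ == "__main__":
    # Constructed sample traffic: a full-size TCP segment and a G.711 voice frame.
    for label, payload in (("TCP 1460-byte segment", 1460),
                           ("G.711 20 ms voice frame", 160)):
        inner = payload + 40
        print(f"{label}: {inner} B inner -> {esp_tunnel_size(inner)} B on the wire, "
              f"goodput {goodput_fraction(payload):.1%}, "
              f"fits 1500-byte MTU: {fits_path_mtu(inner)}")
    # Constructed example: a G.711 call sends 50 packets/s in each direction.
    per_call_bps = 50 * esp_tunnel_size(200) * 8
    print(f"One G.711 call over this tunnel needs {per_call_bps} bit/s per direction")
    print(f"SLA of 200 ms useful for a 150 ms app? {sla_is_useful(200, 150)}")
```

The voice case is the one the "Talk can be cheap" item warns about: a 160-byte voice frame arrives on the wire as 264 bytes, so roughly 40 percent of the link carries tunnel overhead rather than speech, and a full-size 1500-byte packet grows to 1560 bytes and is fragmented on a 1500-byte path unless the inner MTU is lowered. Both effects are what make the naive bandwidth arithmetic behind an SLA unreliable.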

Make them work for your money. Outsourcing VPNs is an easy way to get the advantages of security without the management headaches. If you go that route, make sure you consider what other relevant services they can offer you.

Case study: curing HealthLink's EDI woes

Computerisation of individual general practice clinics may have improved doctors' management of patient data, but New Zealand-based HealthLink has much bigger plans in store for the Australasian market.

Founded in 1996, the company currently acts as a facilitator for the exchange of health-related messages, which are encoded using the industry-standard HL7 data protocol and transmitted between nearly 4000 practices, laboratories, hospitals, and community healthcare organisations using secure electronic document interchange (EDI) technology. HealthLink's infrastructure supports the transfer of up to 35 million messages a year.

Although the current infrastructure works well, chief executive Tom Bowden says technical constraints and the expense of participation in an EDI network, as well as the company's desire to provide features that were impossible using EDI, recently drove the company to look for an easier way to link participants.

"Most of the work we do is to assist the flow of information in the general business of medical consultation," says Bowden. "EDI is fine for delivering lab results and discharge summaries, but it's not good for the interactive applications we're trying to promote."

The Internet was a natural choice for connectivity--but with security a major concern, HealthLink needed a technology that would guarantee patient privacy whilst capitalising on the Internet's broad reach.

That solution was a private VPN, created over the Internet using SonicWALL Internet security appliances installed on each participant's network. Each appliance manages an encrypted connection to the Internet, which leverages HealthLink's own certificate authority for user authentication and uses the appliances' 128-bit encryption for the secure transfer of data between network participants.

With the Internet handling connectivity and the VPN handling security, the solution will ultimately allow any healthcare provider in Australia and New Zealand to communicate; this capability is intended to provide easier flow-through of treatment records as patients move between healthcare providers. HealthLink is also planning to offer other services including online prescribing, ordering of tests, access to clinical information databases, and other incentives that will encourage clinics to upgrade to broadband.

HealthLink acts as service provider for the project, managing the technical infrastructure as well as delivery of the applications. SonicWALL's Global Management System software allows the company to continually monitor each appliance and quickly resolve any problems.

"The new style is online connections, firewalls, ADSL, and wireless links," says Bowden. "It's an upscaling of what we do, and it's a big deal to set up the systems and get them right. But we've been going at it methodically and carefully. It's good not to have to become computer security experts to have an outsourced service. We see ourselves as one large VPN."

VPSN links storage around the world

Organisations with widely distributed offices often turn to VPNs as a secure and inexpensive means of communicating and sharing resources. Now that same technology is being extended to storage. Targeted at international organisations, WebOffice's (www.webofficenow.com) Virtual Private Storage Network (VPSN) pulls distributed storage into the picture with the goal of facilitating data sharing among offices in different physical locations.

One company that has found the solution valuable is Inventes, a change management software development company with offices in the United States and India. Inventes uses the VPSN to coordinate its development teams and to share data. If the experience of Inventes is any indication of the solution's potential, many international organisations can take advantage of the VPSN to improve collaboration and keep communications costs under control.

How it works
A management box called an ISERVer and one or more storage units called ILANds make up the VPSN solution. The ISERVer is a storage unit, too, but it manages the networked ILANd boxes, which act much like NAS systems at the distributed offices.

"Fundamentally, it's a sort of VPN server that is also useful for shared storage across a distributed environment," says Vijay Sankaran, Inventes' cofounder and vice president of products and engineering.

The ISERVer requires a routable static IP address and can be placed anywhere to manage the ILANd units. It receives regular updates from the distributed storage boxes on their status, capacity, and any task requests. The ISERVer then stores data about each ILANd in a relational database that allows it to locate each one and to provide routing for boxes behind firewalls.

Each remote location in an organisation has an ILANd that communicates with the ISERVer to gain access to the storage group sharing data across the entire network. The system supports dynamic, static, or PPPoE IP addressing, and both the ISERVers and ILANds act as DHCP servers. Each also includes a seven-port 10/100 Ethernet switch and built-in firewall. To attach more than seven PCs to the devices, you can connect another switch to an uplink port on each. You can attach up to 253 PCs to the VPSN storage units.

Once the devices are set up, all connected PCs can access storage within the VPSN via a browser. Resources on the PCs themselves can also be shared with the proper access rights. This enables users to collaborate more easily and access storage that may reside thousands of kilometres away.

As a software development company, the data Inventes shares is its code base. "We have a core repository that we share between operations here in the US and our operations in India," Sankaran says.

Inventes has to ensure that the code repositories in India remain in sync with those in the United States. One option for accomplishing this, Sankaran says, was to have one code repository act as the master and the other act as a mirror or backup. This setup allows Inventes to better coordinate development efforts between its widely separated offices.

"Files that need to be synchronised can be scheduled for synchronisation at preset times, so it's sort of a hassle-free deployment and management of storage for us."

Sankaran commented that the VPSN scheduling interface currently is not very intuitive, but Inventes is offering WebOffice feedback for further improving the interface.

Why VPSN?
Sankaran says one of the aspects of the system that attracted Inventes was that it operates on the same basic premise as a VPN and doesn't require anything beyond a standard broadband Internet connection such as DSL or T1.

"You're basically just getting a local ISP connection on both ends, as opposed to having to invest in dedicated lines."

Sankaran says that to address connectivity reliability issues, many Indian companies doing business with overseas counterparts purchase International Private Lease Circuits (IPLCs), which provide dedicated end-to-end broadband network links to guarantee the reliability of communications.

"Telco service providers offer what they call 'landings' at a significant cost. Companies then back that up with a satellite uplink as well."

This option, Sankaran says, would have been Inventes' best alternative to the VPSN approach. But although this effectively solves the connectivity issues, the costs are still very high.

"We quickly realised that we would be better off just getting a couple of DSL lines--one primary, one backup--and using the VPSN to achieve the same goal at one-third the cost of IPLC."

The ease of managing the storage is another reason Inventes likes the VPSN solution. And Sankaran says that mapping data is nearly transparent in WebOffice.

Mapping to data based in India is the same as if it were on a local server, which promotes a collaborative work environment that is flexible and easy to work with. Inventes can deploy its development servers in India and access them from its US offices as if the data were stored locally. The VPSN establishes reliable links to the two locations, allowing them to share data without having to pay the costs of more expensive options, such as leased circuits.

VPSN can also be used across different platforms since it uses standard Windows networking protocols--although it runs on Linux.

"Everything is running on Samba. The current platform is a pure Linux implementation."

Final analysis
WebOffice's VPSN solution offers intriguing potential for distributing shared storage over great distances and giving users secure and reliable access to those storage pools. WebOffice claims that the system is self-provisioning, which eases management and can potentially lower the TCO. Organisations with international offices may, like Inventes, look at the VPSN as a means of sharing storage space, synchronising files, and backing up data while avoiding the high costs of dedicated lines.

WebOffice offers products aimed at organisations of varying sizes and needs, so its products may be worth a look for those searching for an alternative means of linking important data resources between remote offices.

Ray Geroski, TechRepublic. TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to fire walls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.

©2003 TechRepublic, Inc.
