This story was printed from ZDNet Australia.
Remote control: A guide to VPNs

By Mark Snell and Josh Mehlman, Technology & Business magazine
April 22, 2002
URL: http://www.zdnet.com.au/news/security/soa/Remote-control-A-guide-to-VPNs/0,130061744,120264723,00.htm




VPNs can connect offices together at a fraction of the cost of a leased line, and can allow workers to connect anywhere, any time.

A Virtual Private Network (VPN) is a private tunnel that connects two networks, or a remote user to a network, across a public network (usually the Internet). Using a VPN means encrypting data before it is sent across the public network and decrypting it at the receiving end, so that anyone sitting between the two ends sees only ciphertext.

Security features differ from product to product, but VPNs generally include encryption, authentication of remote users or sites, and mechanisms for disguising information about the private network from the public network. VPN functionality is often part of a firewall, so many of the appliances tested include varying amounts of firewall functionality.

VPNs are now often used to replace the expensive owned or leased lines a company previously relied on. The idea is to give the company the same capabilities at lower cost by running its private traffic over the shared public network (the Internet) rather than over a network it pays for exclusively.

How is the data secured?

The IPSec protocol suite provides authentication, integrity and confidentiality at the IP layer, and its key-exchange protocol (IKE) makes key management practical even in larger networks. The end result is that with IPSec-compliant products you can build a secure VPN over any existing IP-based network.

The basic building blocks of IPSec are the encapsulating security payload (ESP) and the authentication header (AH). ESP encrypts the packet contents for confidentiality and can also carry a keyed hash (an HMAC) that proves the packet came from the other end of the tunnel and was not altered in transit; AH provides that integrity and origin authentication only, without encryption.

The IP packet is the fundamental unit of communication in IP networks, and IPSec handles encryption at the packet level. The protocol it uses is ESP, which is not tied to any one cipher: the two ends negotiate whichever symmetric algorithm they both support.

The mandatory cipher every ESP implementation must support, which assures basic interoperability, is 56-bit DES. A 56-bit key has been brute-forced with purpose-built hardware since 1998, so treat DES as a fallback for interoperability only, not as protection. Most of the appliances tested are capable of (and were tested with) triple DES.
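To make the packet-level description concrete, here is an added example (not code from the original article, and not any vendor's implementation) that builds and unwraps an ESP packet in the RFC 2406 layout: SPI, sequence number, IV, 3DES-CBC ciphertext carrying the payload plus padding, pad-length and next-header trailer, and a 96-bit HMAC-SHA1 integrity check value over everything in front of it. The keys, IV and payload are constructed demo values and the function names EspEncap and EspDecap are the example's own. Note the receiver's order of operations: verify the ICV first, and only decrypt a packet that authenticates, so a single flipped ciphertext bit is rejected before the cipher ever runs.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// ESP packet layout (RFC 2406) with 3DES-CBC and HMAC-SHA1-96:
//   SPI (4) | Seq (4) | IV (8) | ciphertext{ payload | padding | padLen (1) | nextHdr (1) } | ICV (12)
const (
	espHeaderLen = 8             // SPI + sequence number
	icvLen       = 12            // HMAC-SHA1 tag truncated to 96 bits
	blockLen     = des.BlockSize // 8 bytes for DES / 3DES-CBC
)

// EspEncap wraps payload for the security association identified by spi.
// encKey is a 24-byte 3DES key, authKey the HMAC key, iv one 8-byte block
// (a real sender picks it randomly per packet; it is a parameter here so runs are reproducible).
func EspEncap(spi, seq uint32, nextHeader byte, payload, encKey, authKey, iv []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(encKey)
	if err != nil {
		return nil, err
	}
	if len(iv) != blockLen {
		return nil, errors.New("iv must be exactly one cipher block")
	}
	// Pad so that payload + padding + 2 trailer bytes fills whole blocks.
	padLen := (blockLen - (len(payload)+2)%blockLen) % blockLen
	plain := append([]byte{}, payload...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i)) // RFC 2406 default padding: 1, 2, 3, ...
	}
	plain = append(plain, byte(padLen), nextHeader)
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)

	pkt := make([]byte, espHeaderLen, espHeaderLen+blockLen+len(ct)+icvLen)
	binary.BigEndian.PutUint32(pkt[0:4], spi)
	binary.BigEndian.PutUint32(pkt[4:8], seq)
	pkt = append(pkt, iv...)
	pkt = append(pkt, ct...)
	// Encrypt-then-MAC: the ICV covers header, IV and ciphertext.
	mac := hmac.New(sha1.New, authKey)
	mac.Write(pkt)
	return append(pkt, mac.Sum(nil)[:icvLen]...), nil
}

// EspDecap checks the ICV in constant time and decrypts only if it matches.
func EspDecap(pkt, encKey, authKey []byte) (spi, seq uint32, nextHeader byte, payload []byte, err error) {
	if len(pkt) < espHeaderLen+blockLen+blockLen+icvLen {
		return 0, 0, 0, nil, errors.New("packet too short")
	}
	body, icv := pkt[:len(pkt)-icvLen], pkt[len(pkt)-icvLen:]
	mac := hmac.New(sha1.New, authKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil)[:icvLen], icv) {
		return 0, 0, 0, nil, errors.New("ICV mismatch: packet forged or corrupted")
	}
	block, err := des.NewTripleDESCipher(encKey)
	if err != nil {
		return 0, 0, 0, nil, err
	}
	spi = binary.BigEndian.Uint32(body[0:4])
	seq = binary.BigEndian.Uint32(body[4:8])
	iv, ct := body[8:8+blockLen], body[8+blockLen:]
	if len(ct)%blockLen != 0 {
		return 0, 0, 0, nil, errors.New("ciphertext not block-aligned")
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	padLen := int(plain[len(plain)-2])
	nextHeader = plain[len(plain)-1]
	if padLen > len(plain)-2 {
		return 0, 0, 0, nil, errors.New("bad pad length")
	}
	return spi, seq, nextHeader, plain[:len(plain)-2-padLen], nil
}

func main() {
	encKey := []byte("0123456789abcdef01234567") // constructed 24-byte demo key
	authKey := []byte("demo-hmac-key")           // constructed demo key
	iv := []byte("initvect")
	pkt, _ := EspEncap(0x1001, 1, 4 /* next header 4 = IP-in-IP, tunnel mode */, []byte("inner IP datagram"), encKey, authKey, iv)
	fmt.Printf("ESP packet: %d bytes\n", len(pkt))
	_, _, _, out, err := EspDecap(pkt, encKey, authKey)
	fmt.Printf("decap: %q err=%v\n", out, err)
	tampered := append([]byte(nil), pkt...)
	tampered[20] ^= 0x01 // flip one ciphertext bit
	_, _, _, _, err = EspDecap(tampered, encKey, authKey)
	fmt.Println("tampered packet:", err)
}
```

The 17-byte demo payload needs five bytes of padding to fill three 3DES blocks, so the packet comes out at 52 bytes; swap des.NewTripleDESCipher for aes.NewCipher (16-byte blocks, 128-bit IV) and the same framing code gives you ESP with AES-CBC, which is what a buyer today should be asking for instead of triple DES.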

How do I set one up?

Setting up a VPN is not easy. Even once you have some experience, some of these units can take days to configure. You need experience in several areas: TCP/IP networking, general security, firewalls, and the specifics of the VPN itself. The best way forward is often to have your reseller configure everything for you, teaching you along the way, and then get some further training.

Connecting to a VPN from a remote site is much simpler, at least. Every version of Windows since Windows 2000 has a VPN client built in (it speaks PPTP and L2TP over IPSec, so check that the appliance supports one of those), and a downloadable update adds the client to Windows 98.

Make sure the client is running 128-bit encryption rather than the weaker default of older builds, though. Configuring and using the Windows client is no more complicated than a regular dial-up connection, and the OS handles it in exactly the same way. VPN clients for Linux and Mac OS are also available.

An unmonitored VPN/firewall is little better than no VPN/firewall at all. You need to be watching the logs and keeping an eye on what is happening both inside and outside your network: failed authentications, tunnels dropping and coming back, and traffic that should never have crossed the tunnel in the first place.

Configuration software

All the units we reviewed, except the Watchguard, used a browser-based client to configure and monitor the appliance. The Watchguard used a proprietary Windows application.

The Nortel Contivity made heavy use of Java, which in addition to its slower Celeron processor and many layered interface, made the box rather frustrating to use. We were often forced to wait for configuration changes to happen and the next screen to appear.

Are we there yet?

Of the appliances tested, only the SonicWALL and Watchguard units gave a clear visual indication that a VPN link was up and active. The other units required you to look through what could be pages of (often undecipherable) log entries to find out whether the connection was live, or to play around with ping commands that were often frustratingly filtered out by the firewalls built into the units.

Managed VPNs

Of course, using these VPN appliances is all very well if you have the technical know-how to set them up and keep them running, or you have a good relationship with a consultant who can do this for you.

But as we've noted, it isn't easy. A very popular option, which all the major telcos and many other service providers are currently pushing very heavily, is to outsource the whole deal using a managed service.

Managed VPN services are also being used to replace vastly more expensive dedicated leased lines.

"Customers come to us when they want someone they can work with over time as a technology partner who will enable them to move from one innovation to the next without having to skill up on new technologies as they change," says Richard Knott, Australasian head of global networking provider Equant. "They'd rather focus on their business."

Managed VPNs can provide many advantages, including productivity gains, reduced hassle for tech staff, improved connection quality and uptime, the ability to more easily add new services, and cost savings.

Managed Service Provider Bulletproof Networks' director of sales and marketing Lorenzo Modesto believes that allowing workers to connect remotely can be a big productivity gain. "The gains in productivity born out of avoiding travel time and the added flexibility of working either from home or a remote location for travelling reps are invaluable."

The combination of a broadband connection and a VPN service "allows any size business to have the sort of Wide Area Network connectivity that large corporates have enjoyed for years. The technology is finally paying off in terms of increased productivity," he says.

A managed service provider can ensure that VPN devices are correctly configured and up to date with patches, and can monitor them 24 hours a day.

"If issues arise with the VPN service, we usually know about it before the client does due to the monitoring and we're on the case to diagnose and fix it," says Modesto.

"A non-managed VPN service would mean that if there are any issues then the customer has to stop what they are doing to call a consultant, wait for them to respond, book a time to come out and fix it and generally suffer greater down-time. Our customers usually can't afford that in terms of lost productivity or expenses."

I gotta have more

Once a managed VPN is in place, it greatly speeds up the process of adding new services between offices, says Knott. "There's a strong interest in having a technology partner who will integrate new technologies into the service offering."

"The fundamental IP VPN technology is not in flux. We launched it two years ago and it's a very stable platform. What is changing is what you can do with it," he says.

"You might one day be talking about data storage or disaster recovery. The next month you might want to have an SAP application. As the technology changes--such as with the introduction of IP telephony--there are new appliances and applications, but they hang off the same infrastructure."

"If you have a managed IP VPN network, once it's set up you don't have to reconfigure the network part of it, just add new IP addresses," he says.

"Our flagship is IP VPN using an MPLS (multi-protocol label switching) product going all the way to the edge. That enables us to have quality and class of service so you can prioritise different applications. Then as new technologies come along, such as a video over IP class of service, or IP telephony, we can put that in for the customers without them having to invest in new hardware. They want to buy a service level and a commitment from the provider."

Saving money is a key driver behind the growth of managed services, according to Bruce Hampel, chief operating officer of telecommunications service provider Panaseer (www.panaseer.com.au). "For some people, it directly reduces their internal costs, or sometimes they achieve a new business outcome they weren't able to previously."

Knott doesn't think a managed service will save money in the short term, but it can realise significant long-term savings. "If you imagine a customer wanting to do it on their own, they'd have to buy the equipment, learn about the technology and how it interfaced with their infrastructure, they'd have to train their staff, and develop procedures. There's a big organisational investment and time investment in doing it yourself.

"For a customer to build their own network, it's a risk, especially if they want to be at the bleeding edge of advances. If you can pass those costs on to a technology partner as part of their managed services, then it's a significant cost saving."

Too small?

Although outsourcing is generally targeted at large enterprises--and the telcos certainly focus their managed VPN services at the bigger end of town--there is a great deal of room for small businesses to take advantage.

"For small enterprises, it's very hard to attract a genuine expert who understands all these issues in the first place, and then it's even harder being able to afford and retain their services," says Panaseer's Hampel.

"Outsourced managed VPNs are the real hunger we're seeing in the SME marketplace, because SMEs just can't do it all. These organisations might have one or two IT professionals and no one specialised in communications."

However, many businesses aren't aware these services are even available.

"There's an education process; no-one calls us," says Hampel. "We find confused CEOs and CFOs so focused on running their business and frustrated because they're not taking advantage of deregulation.

"They feel they're getting ripped off by Telstra because they haven't seen any price reductions. They haven't got anyone advising them of new technologies and new capabilities. It's very much a question of showing them the art of the possible and that it needn't cost them that much."

How to buy, how to configure

We asked security consultant Jan Zeilinga of First Point Global what are the most important things to look for when buying and configuring VPN appliances.

Things to look for:

  • Does it plug straight into your link, or will you need a router as well?

  • What is the encryption strength? (No point if it's just 56-bit DES; Triple DES is pretty much a minimum.)

  • Authentication methods--can it tie into your existing password systems?

  • Filtering/firewall capability. (Sure the users have authenticated, but do you really trust them?)

  • Does it provide useful audit logs?

  • Will users require special client software?

  • How many users and how much bandwidth can it handle?

  • Cost, both for the server and any client software.

  • Ease of use--for admins and users.

Configuring your appliance:

  • Is it allowing users to bypass existing firewalls?

  • Can users route information from external networks into your company network?

  • Should logs be audited as per firewalls for intrusion attempts?

  • Should you encrypt the entire data-path or only the WAN link?

  • Should a VPN connection be given the same level of access as internal connections?

  • What happens if a laptop with VPN software and configuration is stolen?

  • Is the VPN likely to allow other sites to be infected in a situation like Code-Red/Nimda?

  • Will the VPN affect bandwidth and response times?
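The earlier warning that an unmonitored VPN/firewall is little better than none, and the checklist questions about useful audit logs and auditing them for intrusion attempts, are easier to act on with something that reads the logs for you. The Go program below is an added example, not from the article and not any appliance's real log format: it parses a handful of constructed, syslog-style IKE log lines (the format, field names and addresses are all assumptions), reports which peers currently have a security association up (the "are we there yet?" question the reviewers found so hard to answer from raw logs), and flags any source with three or more authentication failures inside a five-minute window, the pattern a password-guessing run against the gateway would leave behind.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed line of the constructed, syslog-style VPN log used below.
type Event struct {
	When time.Time
	Kind string // "auth-fail", "sa-up", "sa-down" or "other"
	Peer string
}

// parseLine understands the constructed format:
//   <RFC 3339 timestamp> <subsystem>: <message> peer=<ip> [key=value ...]
// Real appliances each have their own format; only the classification carries over.
func parseLine(line string) (Event, bool) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Event{}, false
	}
	when, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, false
	}
	ev := Event{When: when, Kind: "other"}
	for _, f := range fields[1:] {
		if strings.HasPrefix(f, "peer=") {
			ev.Peer = strings.TrimPrefix(f, "peer=")
		}
	}
	msg := strings.ToLower(line)
	switch {
	case strings.Contains(msg, "auth failed"), strings.Contains(msg, "invalid psk"):
		ev.Kind = "auth-fail"
	case strings.Contains(msg, "sa established"):
		ev.Kind = "sa-up"
	case strings.Contains(msg, "sa deleted"):
		ev.Kind = "sa-down"
	}
	return ev, ev.Peer != ""
}

// Report is what an administrator actually wants from the log: which tunnels are
// up right now, and which sources are hammering the gateway with bad credentials.
type Report struct {
	TunnelsUp []string       // peers whose latest SA event was "established", sorted
	Bursts    map[string]int // peer -> highest number of auth failures seen inside one window
}

// Analyse replays the log in order, tracking per-peer SA state and a sliding
// window of authentication failures per source address.
func Analyse(lines []string, threshold int, window time.Duration) Report {
	state := map[string]string{}
	fails := map[string][]time.Time{}
	rep := Report{Bursts: map[string]int{}}
	for _, l := range lines {
		ev, ok := parseLine(l)
		if !ok {
			continue
		}
		switch ev.Kind {
		case "sa-up", "sa-down":
			state[ev.Peer] = ev.Kind
		case "auth-fail":
			// Keep only failures inside the window that ends at this event.
			ts := append(fails[ev.Peer], ev.When)
			keep := ts[:0]
			for _, t := range ts {
				if ev.When.Sub(t) <= window {
					keep = append(keep, t)
				}
			}
			fails[ev.Peer] = keep
			if len(keep) >= threshold && len(keep) > rep.Bursts[ev.Peer] {
				rep.Bursts[ev.Peer] = len(keep)
			}
		}
	}
	for peer, s := range state {
		if s == "sa-up" {
			rep.TunnelsUp = append(rep.TunnelsUp, peer)
		}
	}
	sort.Strings(rep.TunnelsUp)
	return rep
}

// SampleLog is constructed for this example; the addresses are documentation ranges.
var SampleLog = []string{
	"2002-04-22T09:00:01Z ike: SA established peer=198.51.100.20 site=melbourne",
	"2002-04-22T09:00:05Z ike: SA established peer=198.51.100.30 site=perth",
	"2002-04-22T09:14:03Z ike: auth failed peer=203.0.113.7 user=jsmith",
	"2002-04-22T09:14:09Z ike: auth failed peer=203.0.113.7 user=admin",
	"2002-04-22T09:14:15Z ike: auth failed peer=203.0.113.7 user=root",
	"2002-04-22T09:14:20Z ike: auth failed peer=203.0.113.7 user=test",
	"2002-04-22T09:30:00Z ike: SA deleted peer=198.51.100.30 reason=dpd-timeout",
	"2002-04-22T10:05:00Z ike: auth failed peer=192.0.2.44 user=bob",
	"2002-04-22T11:05:00Z ike: auth failed peer=192.0.2.44 user=bob",
}

func main() {
	rep := Analyse(SampleLog, 3, 5*time.Minute)
	fmt.Println("tunnels up:", rep.TunnelsUp)
	for peer, n := range rep.Bursts {
		fmt.Printf("ALERT: %d auth failures from %s within 5 minutes\n", n, peer)
	}
}
```

On the sample data only the Melbourne tunnel is still up (Perth's SA was deleted after a dead-peer-detection timeout), 203.0.113.7 is flagged with four failures in seventeen seconds, and bob's two mistyped passwords an hour apart are correctly left alone. Pipe the appliance's syslog output into something like this rather than paging through it by hand.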


    Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
    ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.