It's a VPN thing.
Some are finding IP VPNs an effective way to provide a dispersed and mobile workforce with readily available and inexpensive access to the corporate LAN. Some are using IP VPNs as a less costly and more flexible alternative to leased lines for interconnecting LANs at different sites, while others are leveraging the ability of IP VPNs to connect partners, suppliers, and customers in a supply-chain extranet.
Remote access for mobile workers traveling worldwide is a particularly attractive use of VPNs. Rather than place a long-distance call to the corporate facility, the traveler simply dials the local Internet service provider's (ISP's) closest point of presence to access the Internet and communicate via the company's VPN. Even compared with dial-in 800/888 service for domestic users, VPNs can save as much as 60% of the line costs.
When used to replace leased lines, the savings with VPNs can be equally large. VPNs are also useful for shortening the time to establish new connections, especially abroad. And, since VPNs use Internet standards and technology, organizations can readily use them to create extranets for communications and sharing of information with members of the supply chain.
Looking ahead, with the growth of services such as Internet telephony and video over IP, enterprise VPNs could become the vehicle for integrating all forms of traffic onto a single, scalable IP network that maximizes bandwidth efficiency and simplifies policy-based management.
In implementing a VPN, companies can buy carrier-provided services with varying degrees of management, or they can build one with hardware and software from a number of vendors.
Given the challenge of integrating the required hardware and software, outsourcing some or all of the VPN to a service provider is an attractive option. Less equipment must be purchased and maintained, and the service provider takes responsibility for implementation and end-to-end management. Even so, most organizations still prefer to keep at least part of the VPN implementation in-house, if only to retain internal control of security and such functions as user authentication.
In its global 1999 survey of WAN managers, International Data Corp. of Framingham, Mass., found that, of the companies with VPNs, only 20% had outsourced the service totally. Over 43% had implemented managed firewall or security solutions as a supplement to Internet access, while more than 26% were using VPN hardware and/or software.
VPNs employ a process called tunneling to create a virtual, dedicated path over the shared Internet or IP backbone. Various security services are then used to keep the data private. Security includes authentication, which validates that the source of the data is the one claimed, and access control, which restricts unauthorized users from gaining access to the network. Beyond that, the VPN needs to ensure confidentiality and data integrity by preventing anyone from reading, copying, or tampering with the data as it traverses the Internet or IP backbone.
Three popular tunneling protocols have emerged: Microsoft's Point-to-Point Tunneling Protocol (PPTP), the Layer 2 Tunneling Protocol (L2TP), and the IP Security Protocol (IPSec), backed by the Internet Engineering Task Force (IETF).
PPTP creates tunnels for transporting multiprotocol traffic over the Internet, but encryption is weak and its capabilities are more limited than IPSec's. L2TP supports multiple, simultaneous tunnels for a single client and provides better user authentication. However, IPSec is the most comprehensive protocol. Besides encryption and tunneling, IPSec provides for user authentication and automated key management with a standardized scheme known as Internet Key Exchange (IKE).
In the battle for VPN equipment market share, network companies are adding security features to their products, including provisions for authentication and administration. At the same time, firewall and security companies are moving to provide turnkey VPN solutions for remote access, LAN-to-LAN, or extranet connectivity.
Not surprisingly, Cisco Systems is building its VPN strategy for both service providers and enterprises around its routers, effectively putting full VPN functionality in one box.
For enterprises, Cisco recently unveiled the new 7100 series of routers, which integrate high-speed routing with six key VPN components: tunneling, data encryption, security, firewall, advanced bandwidth management, and service-level validation. The router also comes with embedded WAN and Fast Ethernet interfaces to permit a turnkey VPN solution. Cisco argues that this approach reduces network cost and complexity compared with deploying numerous single-purpose devices.
Task-specific service modules handle VPN functions, such as encryption and tunneling, freeing the central processor to handle the high-speed routing. An optional integrated services module expands the router's VPN scalability, supporting up to 2,000 simultaneous VPN tunnel sessions with Triple DES encryption at full DS3 speeds.
3Com approaches VPNs on several fronts: with standalone VPN appliances, such as its PathBuilder tunnel switches; with added functionality in remote access concentrators and routers; and with policy-management elements embedded in its Transcendware management platform. The company recently announced plans to beef up its VPN capabilities by integrating encryption coprocessor chips from VLSI Technology into its network interface cards and, eventually, into its routers and other networking gear. In addition, 3Com will equip its cards with 32-bit RISC (Reduced Instruction Set Computing) technology from Advanced RISC Machines to segment TCP packets and make it easier to add tunneling, encryption, and other security features to the data for transport over a VPN.
3Com has also enhanced its multiservice network infrastructure to enable the deployment of wireless VPNs. The Interworking Function within its Total Control access platform now supports the L2TP and PPTP tunneling protocols, extending the reach of wired VPNs to mobile workers.
Intel has simplified configuration setup with the latest release of its Shiva LanRover VPN gateway and client. It has also enhanced security by using the protocol and port number to limit the type of network traffic that may enter a tunnel. In addition, the company has unveiled a 50-simultaneous-tunnel version of the gateway for small and medium-sized companies that provides remote access, LAN-to-LAN, and extranet connectivity. The Shiva LanRover VPN Express supports IPSec tunneling, X.509 digital certificates, up to 168-bit encryption, and automated key management. X.509 specifies not only the format of public key certificates but also the conditions under which they are created and used.
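The security services described earlier (access control, authentication and integrity of tunnelled data) and the protocol/port restriction on traffic entering a tunnel mentioned here, as an added toy model in Python that is not the article's or any vendor's code; the IPv4 header builder, the policy table and the key are constructed sample data, and the sequence-number-plus-HMAC framing is a simplification, not the IPsec wire format.

```python
"""Toy model of tunnel-entry access control (protocol/port) plus keyed-hash
authentication of tunnelled packets. Illustrative only: not IPsec or vendor code."""
import hashlib
import hmac
import struct

# Constructed sample policy (assumption): TCP to 80/443 and any ICMP may enter the
# tunnel; everything else is dropped at the gateway.  proto -> dst ports (None = any)
TUNNEL_POLICY = {6: {80, 443}, 1: None}

def build_ipv4_packet(proto, src, dst, payload):
    """Constructed minimal IPv4 header (20 bytes, checksum left 0) for test input."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, bytes(src), bytes(dst))
    return hdr + payload

def parse_selector(pkt):
    """Return (protocol, dst_port); dst_port is None unless the packet is TCP/UDP."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto in (6, 17) and len(pkt) >= ihl + 4:
        return proto, struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return proto, None

def permitted(pkt, policy=TUNNEL_POLICY):
    """Access control: may this packet enter the tunnel under the policy?"""
    proto, dport = parse_selector(pkt)
    if proto not in policy:
        return False
    allowed = policy[proto]
    return allowed is None or dport in allowed

def encapsulate(pkt, key, seq):
    """Prepend a sequence number and append an HMAC-SHA256 over seq + packet."""
    hdr = struct.pack("!I", seq)
    return hdr + pkt + hmac.new(key, hdr + pkt, hashlib.sha256).digest()

def decapsulate(blob, key, last_seq):
    """Verify the tag in constant time and reject replays; return inner packet or None."""
    if len(blob) < 4 + 32:
        return None
    hdr, body, tag = blob[:4], blob[4:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, hdr + body, hashlib.sha256).digest()):
        return None
    return body if struct.unpack("!I", hdr)[0] > last_seq else None

def tunnel_ingress(pkt, key, seq, policy=TUNNEL_POLICY):
    """Gateway send path: enforce access control first, then protect the packet."""
    return encapsulate(pkt, key, seq) if permitted(pkt, policy) else None
```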
Check Point Software Technologies, the leader in firewall-based VPNs, claims to have surpassed 17,000 installations with its VPN-1 gateway. Two years ago, only one of 12 firewall sales included a VPN, the company says. Today, the figure is one in two.
The company recently unveiled a five-point technology roadmap for enhancing its VPNs, including adding broader PKI (Public Key Infrastructure) support and integrated QoS capabilities. Check Point will also provide transparent failover or transfer of VPN connections without loss of connectivity, and will allow VPN communications to be distributed among multiple VPN-1 gateways for improved performance and scalability.
Compatible Systems has worked on hardware-based VPN technologies since 1991. Its IntraPort family of VPN access servers provides Internet-based, IPSec-compliant remote-access and LAN-to-LAN connectivity, with anywhere from 64 to 40,000 simultaneous sessions. The company recently integrated the IKE protocol into its client software to simplify setup, configuration, and maintenance at the remote-user site. It also upgraded its access servers with encryption and public key processors from Hi/fn. In addition, Compatible Systems is partnering with Netrix Corp. to deliver toll-quality, secure voice traffic over its VPN.
Altiga Networks uses a purpose-built communications platform to provide VPN remote-access capabilities, including support for wireless, cable, DSL, and other broadband connections. Its VPN Concentrator series can support from 50 to 5,000 concurrent sessions. The platform comes with redundant encryption modules and power supplies and a suite of monitoring and configuration functions, including the ability to change all system parameters without rebooting.
RADGUARD also uses a dedicated hardware platform for its cIPro family of VPN and network security devices. Its latest product is a combined VPN and certificate authority (CA) gateway, which employs token-based X.509 certification to authenticate different sites on the enterprise's secure network, while providing full IPSec/IKE protection to transmitted data. With cIPro-HQ, companies can introduce multiple security layers into their network. Also, compatibility with public CAs allows the cIPro-HQ to create secure tunnels with parties beyond the corporate intranet, including members of supply-chain extranets.
RedCreek Communications recently added the top-of-the-line Ravlin 7100 to its family of VPN products based on its patented CryptoCare architecture. Intended for applications requiring Fast Ethernet speeds and a large number of site-to-site and remote-access connections, the 7100 provides full IPSec functionality with DES encryption at 44 Mbps and Triple DES at 22.5 Mbps. Built on dedicated hardware, the 7100 supports hub-to-spoke and mesh topologies and drops transparently into a corporate network without requiring modifications.
In a simplified approach to secure Internet communications, Internet Appliance has introduced a suite of all-in-one VPN appliances which can establish a secure connection within 15 minutes using point-and-click procedures. The InternetPro servers come with a firewall and advanced IPSec encryption for secure gateway-to-gateway and host-to-gateway communications. A companion Virtual Tunnel VPN software application provides automatic key management, access control, authentication, and data privacy for improved security with mobile and remote users.
Indus River Networks has taken a different approach to simplicity, introducing a three-step process to speed deployment of its RiverWorks remote-access VPN solution. Known as RiverStart, the process uses electronic distribution and self-installing features that enable firms with global user communities to quickly provision a VPN infrastructure without touching the remote desktops. The company has also enhanced RiverWorks with policy-management capabilities to create "virtual private communities" of users. The system includes a secure management console, a centralized policy database, policy agents running in a tunnel server, and client software to enforce policy.
Information Resource Engineering is also aiming to simplify the installation and configuration of remote access VPNs with its IPSec-compliant SafeNet/Soft-PK client software. The software provides automatic certificate enrollment and features turnkey installation/de-installation and upgrade and easy-to-use security policy activation/deactivation. Security services offered include encryption, packet integrity, and authentication via keyed hash, and identity authentication via digital signatures and X.509 certificates.
Edwards is a data communications consultant who writes about network computing technology and its business use.
Date: Aug 1, 1999