The Beginnings of VPNs

(Note: this paper was written in 2000. It is largely obsolete as of 3/30/07.)
By: Ken Camp

Companies are realizing that remote access isn’t just a tactic enabling workers to stay in touch with their offices. Remote access is a strategic weapon in the increasingly competitive global economy and companies are scaling remote access capability to all levels of the organization. Corporations began installing toll-free numbers for corporate network access. The drawback to this solution is that the costs associated with toll and long distance charges are variable, making the task of managing expenses a nightmare. Additionally, companies must provide network access capacity for all employees, in essence, becoming service providers.

If the corporation is to become the service provider, why not find a way to use the Internet? It has points of presence allowing users to make local phone calls for access from anywhere in the world. Using global networks, people who are traveling can access the Internet through phone calls to a local point of presence (POP). The convergence of “ubiquitous” Internet access and the need for global access to corporate resources is driving the market segment called virtual private networking (VPN).

VPNs use secure paths, or tunnels, allowing transmission of sensitive corporate data over a public network facility, such as the Internet. Vendors now offer a wide array of VPN products that tunnel and encrypt data for secure transmission over shared data networks. Although people have been reluctant to use the Internet for their corporate network access because of security and performance concerns, the next generation of VPN technology will solve these problems.

The Economics of VPNs

Remote access economics are really driven by the company and where the calls originate. A company based entirely within a metropolitan area might not realize a significant cost savings because employees are already making mostly local calls. Flat rate tariffs have been long established in the public switched telephone network (PSTN), and local phone calls can be very cost effective. On the other hand, if the workforce is widely dispersed, or comprised of traveling employees, those telecommunications costs quickly spiral. Companies can take advantage of Internet access flat rate pricing schemes ($19.95 “all-you-can-eat” is very common) to stabilize costs, giving a high degree of consistency and predictability to monthly operating costs.

There’s another advantage companies gain when shifting to the VPN environment. Network redundancy and survivability are always critical issues for the IT department, but very expensive to deploy. Because of the Internet’s scalability and numerous redundant paths already built and maintained by ISPs, the company can rely on this robust, survivable network to provide access in the event of random link failure. Routing algorithms will continue to find paths through the network in spite of failures. And the customer doesn’t have to pay extra. It’s just how IP works in the Internet.

VPNs consist of authenticated and encrypted tunnels over a shared or public data network. Typically, these are IP networks, the Internet being the most common example. The tunnels are set up between some form of client software and a security gateway on the destination network.

The client software encapsulates packets the mobile user sends and the data travels securely over the shared network. Current implementations use protocols such as Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP), and Internet Protocol Security (IPSec) to accomplish this, neatly packaging the data for Internet travel.

VPN Security Solutions

Current VPN security solutions focus on two areas: user authentication and data security. User authentication is best performed at the destination network, by the same security solution providing the customer’s local authentication, thus ensuring the user database need not be exported to a service provider. The VPN design must accommodate the customer’s current security solution. The most basic authentication simply validates passwords using various methods of encryption such as Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP). More secure solutions involve token cards with time-synchronized keys (i.e., the SecurID card), or the emerging X.509 digital certificate technology supported by players like Entrust Technologies, Baltimore, or VeriSign.
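The PAP and CHAP contrast above, as an added illustration that is not part of the original article: PAP places the password itself on the link, while CHAP (RFC 1994) sends only an MD5 digest over the identifier, the shared secret and a server-chosen challenge, so the corporate server can verify the user without the secret ever leaving the home network. The secret and challenge values are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed shared secret, known only to the remote user and the corporate
# authentication server; it is never exported to the service provider.
SECRET = b"constructed-example-secret"


def pap_wire_bytes(username: bytes, password: bytes) -> bytes:
    """PAP (RFC 1334) Authenticate-Request payload: peer-id and password
    travel as plain octets, so anyone on the path can read the password."""
    return bytes([len(username)]) + username + bytes([len(password)]) + password


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) Response value: MD5(Identifier || secret || Challenge).
    Only this 16-byte digest crosses the wire; the secret itself does not."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected digest for the challenge it issued
    and compare in constant time. Any other challenge or identifier fails."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(secret: bytes, identifier: int = 1, challenge: bytes = b"") -> dict:
    """One CHAP round: server issues a random challenge, client answers,
    server verifies. Returns what an observer of the link would see."""
    challenge = challenge or os.urandom(16)
    response = chap_response(identifier, secret, challenge)
    return {
        "challenge": challenge,
        "response": response,
        "accepted": chap_verify(identifier, secret, challenge, response),
    }


if __name__ == "__main__":
    print("PAP leaks secret:", SECRET in pap_wire_bytes(b"kcamp", SECRET))
    r = chap_exchange(SECRET)
    print("CHAP accepted:", r["accepted"], "secret on wire:", SECRET in r["response"])
    # A response captured for one challenge is useless against a fresh one.
    print("replay accepted:", chap_verify(1, SECRET, os.urandom(16), r["response"]))
```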

Data security ensures that the destination network receives the information the dial-up user sends. This security comes at the cost of overhead on each packet, however. IPSec attempts to address this tradeoff. It is a standards-track protocol providing for different levels of security with the accompanying overhead costs. A lightweight implementation, for example, provides strong authentication of each packet and ensures data integrity, while a higher overhead implementation adds encryption of the data in the payload. Different encryption methods can be used with this protocol, including Data Encryption Standard (DES), Triple DES, the CAST-128 encryption algorithm, Simple Key-Management for Internet Protocols (SKIP), International Data Encryption Algorithm (IDEA), and Blowfish. IPSec standards were written with the open capability to support new encryption algorithms, such as the newer elliptic curve methods, as they are developed.
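The per-packet overhead tradeoff described above, worked through as an added example (not from the original article): a tunnel-mode AH packet (authentication and integrity only) against a tunnel-mode ESP packet (encryption plus authentication) for the 64-bit block ciphers the article lists. Header and trailer sizes follow RFC 2402 (AH), RFC 2406 (ESP) and RFC 2451 (CBC ciphers with an 8-byte IV); the packet sizes fed in are constructed sample values.

```python
# Sizes in bytes. AH: 12 bytes of fixed fields plus a 96-bit truncated HMAC.
# ESP: SPI + sequence number up front; pad length + next header as trailer;
# optional 96-bit HMAC after it. Tunnel mode adds a new outer IPv4 header.
IPV4_HEADER = 20
AH_HEADER = 24
ESP_HEADER = 8
ESP_TRAILER = 2
ESP_ICV = 12
# Every cipher the article names for IPSec is a 64-bit block cipher in CBC
# mode (SKIP is key management, not a cipher, so it is not listed here).
BLOCK_SIZE = {"des": 8, "3des": 8, "cast-128": 8, "idea": 8, "blowfish": 8}
ETHERNET_MTU = 1500


def esp_padding(inner_len: int, block: int) -> int:
    """Padding so that inner packet + trailer fills whole cipher blocks."""
    return (-(inner_len + ESP_TRAILER)) % block


def ah_tunnel_size(inner_len: int) -> int:
    """'Lightweight' IPSec: AH in tunnel mode, no encryption."""
    return IPV4_HEADER + AH_HEADER + inner_len


def esp_tunnel_size(inner_len: int, cipher: str, authenticate: bool = True) -> int:
    """Higher-overhead IPSec: ESP in tunnel mode; IV length equals block size."""
    block = BLOCK_SIZE[cipher]
    pad = esp_padding(inner_len, block)
    icv = ESP_ICV if authenticate else 0
    return IPV4_HEADER + ESP_HEADER + block + inner_len + pad + ESP_TRAILER + icv


def overhead_table(inner_sizes, cipher: str = "3des"):
    """Rows of (inner, ah, esp, ah_overhead_pct, esp_overhead_pct, esp_exceeds_mtu).
    The last flag is the practical caveat: a full-size inner packet no longer
    fits the outer link's MTU once wrapped, so it fragments or must be clamped."""
    rows = []
    for n in inner_sizes:
        ah, esp = ah_tunnel_size(n), esp_tunnel_size(n, cipher)
        rows.append((n, ah, esp, round(100 * (ah - n) / n, 1),
                     round(100 * (esp - n) / n, 1), esp > ETHERNET_MTU))
    return rows


if __name__ == "__main__":
    # Constructed inner packet sizes: a bare TCP ACK, a small query, a full frame.
    for row in overhead_table([40, 200, 1500]):
        print(row)
```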

VPN Implementations

VPNs have been implemented for three different reasons:

  • Telecommuter or remote access requires client software on the end-user computer and provides a secure connection from the end-user to the corporate LAN. As VPNs have gained in popularity, this has been the primary reason for their implementation. The cost savings in this model can be tremendous.
  • Intranets use the VPN tunnel to connect a remote location over the Internet as a transport network. While this solution represents a colossal cost savings over the traditional private line approach, frame relay pricing and availability make it a popular solution for many companies. The only drawback with frame relay might be the additional functionality required to integrate the Internet into the corporate network. A company that is highly Internet-centric in its business dealings might find this a handicap.
  • Extranets have been very successful in the manufacturing segment, where improvements in supply chain management can lead to shifts in profitability and delivery time. Many vertical markets and industry segments are trying different extranet solutions because of the fundamentally new business model they provide. Whether the business relationship is with a vendor/supplier, a trading partner, or a contracted resource, the gains from providing cost-effective, controlled, secure network access are an area many companies need to explore further.

VPNs and the E-Commerce Phenomenon

With the colossal growth of e-commerce, the last few months have seen a new variation begin to emerge.

As shown in the following picture, Internet users can connect to Web sites located anywhere. This consumer connectivity is the critical component in retail e-commerce where no predefined customer association exists. As many e-commerce companies return their focus to core competencies of retail sales and merchandising, the value of an ISP, and more recently, application service providers (ASP), increases dramatically. Many of the dot-coms are learning that it isn’t necessarily good business to dilute the focus on retail sales with a focus on being a technology company too.

Rather than connecting directly to the merchant, the Web site is hosted in an ISP/ASP facility as an outsourced technology. Traditional retail companies often don’t have the time or resources to become e-commerce-aware, or have a programming guru necessary to host a really eye-catching site. In this new environment, a VPN is used in conjunction with the hosted site. The secure tunnel (shown by the dotted line) is between the hosting provider and the actual end-merchant.

The benefits of this VPN implementation are many. The ISP or ASP can provide a level of service and support to the Web site that many companies cannot provide for themselves. The end-merchant maintains total control of their proprietary information, only allowing the access necessary for transaction processing from the ISP/ASP. The consumer never even knows there’s an intermediate company involved.

As we often see, technologies find new niches as end-users create new techniques for implementing them. This is one example of how VPNs are becoming popular. We’ll see others as the technology matures, particularly as the X.509 certificate mechanism becomes more widely accepted and deployed.

Copyright © 2000 Ken Camp and Hill Associates, Inc. All Rights Reserved