Virtual private networking is becoming an integral part of today's data
networks. The drivers for deploying a virtual private network (VPN) range
from securing corporate communications to reducing costs by replacing
leased lines. But for those who have not yet deployed a VPN, the
options can be daunting. There are several approaches and dozens
of products and services from which to choose, each with its own
pros and cons.
Let's take a look at the
various solutions and how they apply to different environments.
There are two types of VPN
technologies used on the Internet today: the trusted VPN and the
secure VPN. Trusted VPNs are provisioned and managed by Internet
service providers by defining paths through their networks to
ensure that customers' traffic is routed over a trusted path. A
customer might choose a trusted VPN because there is no
equipment to buy, it's completely managed by the service
provider and thus requires no maintenance, and they often
include service-level agreements. Typically, trusted VPNs are
less expensive upfront but more expensive over time.
Secure VPNs, on the other hand, protect traffic and provide
privacy, authentication and data integrity through cryptographic
algorithms. Secure VPNs can be managed by the user or the
service provider. Trusted and secure VPNs can also be used
together in a hybrid VPN. Because trusted VPNs are always
purchased from service providers and the customer has few
options on the configuration and deployment of the VPN, the
remainder of this article will focus on secure VPNs.
Implementing a secure VPN
There are several different
ways to implement a secure VPN, and the best choice depends on
the environment in which it will be deployed. The two most
common environments involve connecting remote-office networks to
one another (site to site) and connecting remote users to one or
more office networks (remote access).
When the users and offices are
all part of the same company, the VPN is called an intranet VPN.
When the users and offices include nonemployees, such as
customers or business partners, the VPN is called an extranet
VPN. The same technologies can be used to create intranet and
extranet VPNs, but the configuration is typically different
because nonemployees are usually restricted to accessing only
certain network services.
Before implementing a VPN, you
should do an assessment of your requirements. Many products can
support any combination of these environments, but some cannot.
Here are some questions to raise:
- Are you connecting multiple offices with the VPN (site to site)?
- Are they company offices (intranet) or business partners (extranet)?
- Are you connecting remote users to the VPN (remote access)?
- If yes, are they company employees (intranet) or customers (extranet)?
Different VPN solutions will
provide different features and functions. Having an
understanding of the many options and how they apply to your
requirements is important before selecting a solution. While all
secure VPN products will provide encryption and authentication,
there are still varying degrees of security strength available.
The industry-standard protocol
for secure VPNs is known as IPsec (short for IP Security) and is
supported by most vendors today. IPsec supports a variety of
encryption algorithms, but triple Data Encryption Standard
(3DES) is the most common. It provides 156-bit encryption, which
is considered secure enough for military use. The new Advanced
Encryption Standard has recently been adopted as the replacement
for single DES in government use because it's as strong as 3DES
but can provide better throughput performance. Also popular is
Microsoft's Point-to-Point Tunneling Protocol (PPTP), which uses
64- or 128-bit RC4 encryption. 64-bit encryption is considered
weak by today's standards, so 128-bit is preferred.
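To make the 3DES-versus-AES trade-off above concrete, here is an added example (not from the original article and not any vendor's code), written in Go because its standard library ships both IPsec block ciphers: it CBC-encrypts the same block-aligned buffer with 3DES and AES-128, verifies the round trip, and times each so the throughput difference the article mentions can be measured on your own hardware. The keys, the buffer and the function names are constructed for this demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
	"time"
)
// newCiphers builds the two IPsec ciphers the article compares: 3DES (three
// 64-bit DES keys, 24 bytes) and AES-128. Keys are constructed placeholders.
func newCiphers() (cipher.Block, cipher.Block) {
	tdes, err := des.NewTripleDESCipher([]byte("0123456789abcdefghijklmn"))
	a, err2 := aes.NewCipher([]byte("0123456789abcdef"))
	if err != nil || err2 != nil {
		panic("unexpected key length")
	}
	return tdes, a
}

// cbcRoundTrip encrypts block-aligned buf in CBC mode (ESP pads to the block
// size), decrypts it again and reports the ciphertext plus whether the
// plaintext survived. Zero IV is for determinism; IPsec uses a random IV.
func cbcRoundTrip(block cipher.Block, buf []byte) ([]byte, bool) {
	iv := make([]byte, block.BlockSize())
	ct, pt := make([]byte, len(buf)), make([]byte, len(buf))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, buf)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return ct, bytes.Equal(pt, buf)
}

// throughputMBps encrypts buf n times in CBC mode and returns megabytes/s.
func throughputMBps(block cipher.Block, buf []byte, n int) float64 {
	iv, ct := make([]byte, block.BlockSize()), make([]byte, len(buf))
	start := time.Now()
	for i := 0; i < n; i++ {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, buf)
	}
	return float64(len(buf)*n) / time.Since(start).Seconds() / 1e6
}

func main() {
	tdes, a := newCiphers()
	buf := bytes.Repeat([]byte("sixteen byte msg"), 4096) // 64 KiB, block aligned
	for name, b := range map[string]cipher.Block{"3DES-CBC": tdes, "AES-128-CBC": a} {
		_, ok := cbcRoundTrip(b, buf)
		fmt.Printf("%-12s roundtrip=%v  %.0f MB/s\n", name, ok, throughputMBps(b, buf, 200))
	}
}
```

On hardware with AES instructions the AES figure is typically several times the 3DES figure; run it on the box that will terminate the tunnel, since that is where the gateway's packet rate is decided.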
Just like with encryption,
there are multiple options for authenticating VPN members.
Network VPN gateways typically authenticate each other through
certificates or pass phrases, while remote-access users are
authenticated through user names and passwords. You should
decide how you want to authenticate remote-access users and make
sure the products you're considering support your environment.
For example, you may use a
Windows NT domain controller, Windows 2000 Active Directory or a
RADIUS server. As a fallback, most VPN products also support
their own proprietary authentication database. Another option
for authenticating VPN members is through digital certificates.
Digital certificates can provide the strongest form of
authentication, but certificate distribution and management can
be another challenge. Public-key infrastructure (PKI) products
provide a solution for certificate management but can also be an
additional expense to a VPN deployment.
How will the VPN be managed?
Another important consideration
when evaluating VPN solutions is management. You should decide
whether you have the resources to manage the VPN yourself or
whether you need to contract with a VPN service provider.
There are VPN products designed
to be easily managed by users, and many Internet service
providers also offer managed VPN services. Some products provide
global management tools so the entire VPN can be managed from a
single console, whereas other products require each VPN member
to be configured independently. Larger VPN deployments can be
greatly simplified through global management tools.
Other management issues include
interfacing with authentication or PKI servers, and logging and
reporting. If the VPN includes remote-access users, then VPN
client distribution and management must also be considered.
Microsoft includes PPTP and IPsec support in its operating
systems but does not provide global management tools. If global
management is required, then look for products that provide easy
distribution and management of their client software. Another
option to consider is so-called clientless VPN products, which
use a secure Web browser for access. Because Web browsers are
ubiquitous, client management may not be an issue, but these
products typically support a limited set of Web applications.
What to expect to pay
Pricing varies based on
features and performance, but generally, small businesses (fewer
than 100 employees) should expect to pay from $500 to $2,000 per
VPN gateway. Midsize businesses (up to 500 users) should expect
to pay $2,000 to $10,000 per gateway. Customers should also
expect to pay between $50 and $100 per user for VPN client
software. Managed services generally don't require equipment
purchases but instead charge monthly or annually (based on the
number of offices and users) for the duration of the service.
Managed services also can be less expensive upfront but more
expensive over time.
As you can see, there are a
variety of options to consider when purchasing a VPN solution.
Make sure you understand your environment and requirements
before starting your search. Evaluate only the products that
appear to meet your requirements and then test them to see which
one is the best fit for your network and budget.