With traditional networks choking on data, Liz Biddlecombe
investigates the pros and cons of managing a VPN yourself or
offloading it onto a third party
An IP-based virtual private network or VPN is an ideal way to
provide cheap connectivity if you need to extend your IP-based Lan
out across the Wan. While Frame Relay and ATM-based VPNs are still
growing in popularity, an IP VPN handles multimedia applications
better and supports differentiated classes of service. You also get
better security, provided the tunnels use strong encryption (triple
DES rather than single DES) and authentication and sit behind a
good firewall at each end. And the ubiquity of the Internet means
the VPN can support global roaming access to the Lan when employees
are travelling.
"Network managers are always having to justify extensions to the
network," says Phil Barton, chairman of the European VPN Users
Association. "With an IP VPN you can decentralise some decisions as
to the level of quality so that if one site says it doesn't want to
pay more, then it will end up with worse service."
Alex Connor, business marketing manager at Energis, suggests
that companies use IP VPNs either as "a cheap and cheerful way to
connect offices around the world" or to send non-critical traffic
across the UK. "IP VPNs are ideal for industries such as retail or
travel where reliability isn't of primary importance but cost is,"
he says.
If you decide to implement an IP VPN, the big issue is whether
to run it yourself or buy in a managed service from a service
provider. With 84% of UK network managers voting for outsourcing
and only 16% intending to manage it themselves, according to a
recent survey by Infonetics Research, getting a third party in
seems to be the VPN strategy of choice in the UK.
Peter Judge of Infonetics points out that the big concern about
VPNs for UK organisations is the security aspect. "32% of those
surveyed were concerned about security," he says, "whereas 11%
cited difficulty of management as a barrier. This is classic
overconfidence. The figures should be reversed - VPNs are as secure
as they need to be."
On the other hand, installing and running a VPN isn't for the
uninitiated. Each VPN tunnel has to be set up individually: the
addressing schemes of both networks, the encryption and
authentication algorithms and the key-exchange method all have to be
specified for every pair of endpoints. Expert knowledge of routeing
protocols such as BGP and OSPF, and of MPLS where the carrier's
backbone uses it, is a must, although products are emerging with
easy-to-use automated configuration and management, which keeps
down the management headcount.
"VPN dial-ups are very important to minimise demands on
technical support," advises Steven McAdam of US-based Indus River.
"When looking at VPNs, people focus on the boxes but it's all about
management: technical support and managing service from ISPs are
the biggest problems."
At US-based Peak Technologies, a VPN connects more than 700
employees, 200 of whom are on the road. "The most difficult part is
working with ISPs on account setup and account issues," says IT
director Bill Wolf. He reckons the company has cut $15,000 from the
monthly cost (now $31,000) of accessing the corporate network via a
remote access dial-up system.
To ensure your technical support team isn't overwhelmed by user
problems, Judge advises "kicking the tyres on the client software".
The program should be intrusive enough to remind people they need
to launch it, but "shouldn't put up great barriers such as lots of
unfamiliar dialog boxes", he says.
With the help of such solutions, it is possible to reap some of
the benefits of a VPN. Top of the list of pros of managing your VPN
yourself is cost - all you need to spend money on is the kit and
Internet access.
Another plus is that you get control of your own security.
Denmark-based Lasat Networks, which makes VPN solutions mainly for
the SME market, says it is important to use European security
technology to ensure sensitive commercial information isn't
intercepted by the US-run Echelon spy network.
Not all choices are so dramatic. "You might want to control the
migration of users from RADIUS passwords to token card," says Dave
Zwicker at Indus River. "You might want to use passwords rather
than PKI, or DES rather than triple DES. If you have a larger
network and enough support staff, you are likely to want to
customise how you allow access to applications. You want a higher
level of performance and sophistication. Managed services are good
for the lower end and simpler applications."
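The per-tunnel inputs listed earlier (addressing on both sides, encryption and authentication algorithms, key exchange) and the trade-offs Zwicker describes (passwords versus PKI, DES versus triple DES) are exactly the things that go wrong in a self-managed VPN. The following checker, added here as an example and not taken from the article or any product it mentions, validates a site-to-site tunnel definition before it is deployed: it rejects traffic selectors with host bits set, flags overlapping subnets (the classic reason a tunnel comes up but carries no traffic), and refuses weak cryptographic choices. The `Tunnel` fields, the sample addresses and the 32-character pre-shared-key threshold are this example's own assumptions. Note that triple DES, which the article treats as the strong option, is rejected here: its 64-bit block size has since led to its deprecation.

```python
"""Sanity-check site-to-site IPsec tunnel definitions (added example).

Field names, sample addresses and thresholds are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List

# Algorithms a checker should refuse today. The article (c. 2000) treated
# triple DES as the strong choice; it has since been deprecated.
WEAK_ENCRYPTION = {"des", "3des", "rc4", "null"}
WEAK_INTEGRITY = {"md5", "sha1"}
WEAK_DH_GROUPS = {1, 2, 5}          # MODP 768-, 1024- and 1536-bit
AEAD_PREFIXES = ("aes128gcm", "aes256gcm", "chacha20poly1305")
MIN_PSK_LENGTH = 32                 # assumed policy, not from the article


@dataclass
class Tunnel:
    """One site-to-site tunnel (hypothetical field layout)."""
    name: str
    left_subnets: List[str]   # networks behind the local gateway
    right_subnets: List[str]  # networks behind the remote gateway
    encryption: str           # e.g. "aes256gcm16", "aes256", "3des"
    integrity: str            # e.g. "sha256"; leave "" for an AEAD cipher
    dh_group: int             # IKE Diffie-Hellman (MODP/ECP) group number
    auth: str                 # "psk" or "cert"
    psk: str = ""


def _is_aead(enc: str) -> bool:
    return enc.lower().startswith(AEAD_PREFIXES)


def check_tunnel(t: Tunnel) -> List[str]:
    """Return human-readable problems; an empty list means the definition is sane."""
    problems: List[str] = []

    # 1. Addressing: every selector must be a proper network (strict=True
    #    rejects host bits), and the two sides must not overlap, otherwise the
    #    gateways cannot decide which packets belong in the tunnel.
    try:
        left = [ip_network(s, strict=True) for s in t.left_subnets]
        right = [ip_network(s, strict=True) for s in t.right_subnets]
    except ValueError as err:
        return [f"{t.name}: bad traffic selector: {err}"]
    for l in left:
        for r in right:
            if l.version == r.version and l.overlaps(r):
                problems.append(f"{t.name}: {l} overlaps {r}")

    # 2. Cryptographic proposal: cipher, integrity and key-exchange group.
    enc = t.encryption.lower()
    if enc in WEAK_ENCRYPTION:
        problems.append(f"{t.name}: weak encryption {t.encryption}")
    if _is_aead(enc):
        if t.integrity:
            problems.append(f"{t.name}: AEAD cipher {t.encryption} must not be paired with {t.integrity}")
    elif not t.integrity:
        problems.append(f"{t.name}: non-AEAD cipher {t.encryption} needs an integrity algorithm")
    elif t.integrity.lower() in WEAK_INTEGRITY:
        problems.append(f"{t.name}: weak integrity {t.integrity}")
    if t.dh_group in WEAK_DH_GROUPS:
        problems.append(f"{t.name}: weak DH group {t.dh_group}")

    # 3. Peer authentication: certificates, or a pre-shared key of sane length.
    if t.auth == "psk":
        if len(t.psk) < MIN_PSK_LENGTH:
            problems.append(f"{t.name}: pre-shared key shorter than {MIN_PSK_LENGTH} characters")
    elif t.auth != "cert":
        problems.append(f"{t.name}: unknown auth method {t.auth!r}")

    return problems


# Constructed sample definitions (hypothetical names and RFC 1918 addresses).
SAMPLE_TUNNELS = [
    Tunnel("hq-to-branch", ["10.1.0.0/16"], ["10.2.0.0/16"],
           "aes256gcm16", "", 14, "cert"),
    Tunnel("legacy-link", ["192.168.1.0/24"], ["192.168.0.0/16"],
           "3des", "md5", 2, "psk", "secret"),
]


def audit(tunnels: List[Tunnel] = SAMPLE_TUNNELS) -> Dict[str, List[str]]:
    """Map each tunnel name to its list of problems."""
    return {t.name: check_tunnel(t) for t in tunnels}


if __name__ == "__main__":
    for name, probs in audit().items():
        print(name, "OK" if not probs else "\n  " + "\n  ".join(probs))
```

The overlap check is the one most worth keeping even if everything else is delegated to a wizard: two sites that both use 192.168.0.0/16 will negotiate a tunnel successfully and then silently route nothing through it.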
Another benefit of managing the VPN yourself is that it makes
you independent of the ISP for coverage and quality of service.
"You can mix and match ISPs to extend coverage around the world,
blending access by cable modem or DSL," says Zwicker.
On the downside, you need skilled people to set up and run a VPN
service. "Wizards may simplify and automate the download of
routeing tables to the routers, but 'simplify' means simple to a
capable person," says Barton.
And Craig Field, a London-based IT consultant who has evaluated
both systems and managed service offerings for a number of clients,
reiterates the point that configuring an IP VPN is not for the
layman. "The trouble with wizards is that if you have a problem
with your system you have no idea what the wizard has done so it's
hard to troubleshoot," he says.
Field points to another issue with self-managed IP VPNs and
skilled staff. "If you're looking at running business-critical
applications you need someone who knows their stuff if the network
goes down," he says. "Uptime is the most important thing,
especially for financial data. If it's not mission-critical, then
the network going down for three days because of someone's
incompetence is no big deal." It all depends on what you want to do
with your VPN. Site-to-site and extranet VPNs are more complex than
remote access. "With an extranet," explains Judge, "you need trust
and PKI established. You have to start checking individually what
applications each person has access to."
What you shouldn't overlook is that dial-up access reduces
quality. "People are concerned about the poor performance of the
public Internet," says Judge, "and I can tell you they're right.
You need to reduce your expectations if you're doing it over the
public Internet. Dial-up delays over narrowband connections are
obvious, but there are no quality of service guarantees across the
public Internet."
However, it all depends on what you're doing. "Our VPN solution
had to be as good or better than the remote access server," says
Wolf. "The VPN has proved more reliable and has better throughput
because of compression."
A key advantage of going with a carrier-provided service is
reliability. Energis launched an IP VPN service in the summer,
which it runs over its own network using Cisco kit. "The
reliability and security issues don't exist because it isn't
running over the Internet," says Connor.
Another obvious benefit is that it avoids the need for legions
of skilled staff. This is clearly a concern for UK network
administrators since 25% of UK organisations in the Infonetics'
survey said they had too few IT staff to support a VPN. With a
managed service you get the benefit of handing over design,
installation, PKI management and day-to-day operation to someone
else. "All you need to do is throw traffic at the service provider
- even if you add more sites," says Barton. "The provider will then
provide the connection to the other sites. Buying in managed
services is scalable and costs less to manage."
Although you may want to retain control of security procedures,
doing so may blow a hole in your budget. "A large proportion of UK
businesses want to keep security in-house but they will find that
when it comes to it that hiring security experts will demolish
their IT budgets," points out Judge. It may be better to
incorporate that cost in paying for a managed service.
The VPN service can also be bought as part of a package. Judge
thinks this is a good strategy. "If there's any problem, you won't
have finger-pointing between suppliers," he says. "And you have one
bill and one phone line to wait on when you need help." It's also
worth investigating whether your supplier will bundle in security
services such as firewall management. As usual, it's important to
choose a service provider with a good helpdesk.
But Jon Floyd, IP marketing manager for global carrier Equant,
dismisses claims that managed services are better for smaller
companies. "There are more problems associated with running IP VPNs
for larger companies than for smaller companies - you have more
sites and more users," he says. Equant also lets users choose their
preferred security and authentication technologies.
Users believe carriers offer a uniform product that isn't
tailored to individual company needs. Wolf at Peak Technologies
went for the DIY route because the company still uses NetWare's IPX
protocol. "No-one offered a managed VPN that would encapsulate
IPX," he says. And Field points out, "If you want to add on other
features such as VoIP or video streaming, service providers
generally won't do it. Big ISPs tend to stay away from anything too
technical because it causes more problems. If you want to add other
technologies, create your own system and manage it yourself."
If you don't know whether to do your own VPN or get one provided
by a carrier, you can get impartial advice from London-based Unica,
a virtual carrier that sources equipment and connectivity from a
range of suppliers depending on quality and price. "We can frame
the issue," says MD Noel Dunn. "We can sit down and talk through
the pros and cons. It doesn't matter to Unica which way you go -
we're agnostic. We get the same fee whichever way you go."
Whatever choice you make, you're unlikely to be alone. With
expenditure on VPN services and products forecast to increase
tenfold by 2004, according to Infonetics, the number of people
using IP VPNs is going to grow hugely.