With traditional networks choking on data, Liz Biddlecombe
investigates the pros and cons of managing a VPN yourself or
offloading it onto a third party

While Frame Relay and ATM-based VPNs are still growing in
popularity, an IP VPN handles multimedia applications better and
supports differentiated classes of service. You also get better
security as long as you use triple DES encryption and a good
firewall. And the ubiquity of the Internet means the VPN can
support global roaming access to the Lan when employees are
travelling. "Network managers are always having to justify
extensions to the network," says Phil Barton, chairman of the
European VPN Users Association. "With an IP VPN you can
decentralise some decisions as to the level of quality so that if
one site says it doesn't want to pay more, then it will end up with
worse service." Alex Connor, business marketing manager at Energis,
suggests that companies use IP VPNs either as "a cheap and cheerful
way to connect offices around the world" or to send non-critical
traffic across the UK. "IP VPNs are ideal for industries such as
retail or travel where reliability isn't of primary importance but
cost is," he says.

If you decide to implement an IP VPN, the big
issue is whether to run it yourself or buy in a managed service
from a service provider. With 84% of UK network managers voting for
outsourcing and only 16% intending to manage it themselves,
according to a recent survey by Infonetics Research, getting a
third party in seems to be the VPN strategy of choice in the UK.
Peter Judge of Infonetics points out that the big concern about
VPNs for UK organisations is the security aspect. "32% of those
surveyed were concerned about security," he says, "whereas 11%
cited difficulty of management as a barrier. This is classic
overconfidence. The figures should be reversed - VPNs are as secure
as they need to be."

On the other hand, installing and running a
VPN isn't for the uninitiated. Each VPN tunnel has to be set up
individually, requiring addressing schemes of both networks, as
well as encryption and authentication algorithms and key exchange.
Expert knowledge of routeing protocols such as MPLS, BGP and OSPF
is a must, although products are emerging with easy-to-use automated
configuration and management, which keeps down the management
headcount. "VPN dial-ups are very important to minimise demands on
technical support," advises Steven McAdam of US-based Indus River.
"When looking at VPNs, people focus on the boxes but it's all about
management: technical support and managing service from ISPs are
the biggest problems."

At US-based Peak Technologies, a VPN
connects more than 700 employees, 200 of whom are on the road. "The
most difficult part is working with ISPs on account setup and
account issues," says IT director Bill Wolf. He reckons the company
has cut $15,000 from the monthly cost (now $31,000) of accessing
the corporate network via a remote access dial-up system. To ensure
your technical support team isn't overwhelmed by user problems,
Judge advises "kicking the tyres on the client software". The
program should be intrusive enough to remind people they need to
launch it, but "shouldn't put up great barriers such as lots of
unfamiliar dialog boxes", he says. With the help of such solutions,
it is possible to reap some of the benefits of a VPN.

Top of the
list of pros of managing your VPN yourself is cost - all you need
to spend money on is the kit and Internet access. Another plus is
that you get control of your own security. Denmark-based Lasat
Networks, which makes VPN solutions mainly for the SME market, says
it is important to use European security technology to ensure
sensitive commercial information isn't intercepted by the US-run
Echelon spy network. Not all choices are so dramatic. "You might
want to control the migration of users from RADIUS passwords to
token card," says Dave Zwicker at Indus River. "You might want to
use passwords rather than PKI, or DES rather than triple DES. If
you have a larger network and enough support staff, you are likely
to want to customise how you allow access to applications. You want
a higher level of performance and sophistication. Managed services
are good for the lower end and simpler applications." Another
benefit of managing the VPN yourself is that it makes you
independent of the ISP for coverage and quality of service. "You
can mix and match ISPs to extend coverage around the world,
blending access by cable modem or DSL," says Zwicker.

On the
downside, you need skilled people to set up and run a VPN service.
"Wizards may simplify and automate the download of routeing tables
to the routers, but 'simplify' means simple to a capable person,"
says Barton. And Craig Field, a London-based IT consultant who has
evaluated both systems and managed service offerings for a number
of clients, reiterates the point that configuring an IP VPN is not
for the layman. "The trouble with wizards is that if you have a
problem with your system you have no idea what the wizard has done
so it's hard to troubleshoot," he says. Field points to another
issue with self-managed IP VPNs and skilled staff. "If you're
looking at running business-critical applications you need someone
who knows their stuff if the network goes down," he says. "Uptime
is the most important thing, especially for financial data. If it's
not mission-critical, then the network going down for three days
because of someone's incompetence is no big deal."

It all depends
on what you want to do with your VPN. Site-to-site and extranet
VPNs are more complex than remote access. "With an extranet,"
explains Judge, "you need trust and PKI established. You have to
start checking individually what applications each person has
access to." What you shouldn't overlook is that dial-up access
reduces quality. "People are concerned about the poor performance
of the public Internet," says Judge, "and I can tell you they're
right. You need to reduce your expectations if you're doing it over
the public Internet. Dial-up delays over narrowband connections are
obvious, but there are no quality of service guarantees across the
public Internet." However, it all depends on what you're doing.
"Our VPN solution had to be as good or better than the remote
access server," says Wolf. "The VPN has proved more reliable and
has better throughput because of compression."

A key advantage of
going with a carrier-provided service is reliability. Energis
launched an IP VPN service in the summer, which it runs over its
own network using Cisco kit. "The reliability and security issues
don't exist because it isn't running over the Internet," says
Connor. Another obvious benefit is that it avoids the need for
legions of skilled staff. This is clearly a concern for UK network
administrators since 25% of UK organisations in the Infonetics
survey said they had too few IT staff to support a VPN. With a
managed service you get the benefit of handing over design,
installation, PKI management and day-to-day operation to someone
else. "All you need to do is throw traffic at the service provider
- even if you add more sites," says Barton. "The provider will then
provide the connection to the other sites. Buying in managed
services is scalable and costs less to manage." Although you may
want to retain control of security procedures, doing so may blow a
hole in your budget. "A large proportion of UK businesses want to
keep security in-house but they will find that, when it comes to it,
hiring security experts will demolish their IT budgets,"
points out Judge. It may be better to incorporate that cost in
paying for a managed service. The VPN service can also be bought as
part of a package. Judge thinks this is a good strategy. "If
there's any problem, you won't have finger-pointing between
suppliers," he says. "And you have one bill and one phone line to
wait on when you need help." It's also worth investigating whether
your supplier will bundle in security services such as firewall
management. As usual, it's important to choose a service provider
with a good helpdesk. But Jon Floyd, IP marketing manager for
global carrier Equant, dismisses claims that managed services are
better for smaller companies. "There are more problems associated
with running IP VPNs for larger companies than for smaller
companies - you have more sites and more users," he says. Equant
also lets users choose their preferred security and authentication
technologies. Users believe carriers offer a uniform product that
isn't tailored to individual company needs. Wolf at Peak
Technologies went for the DIY route because the company still uses
NetWare's IPX protocol. "No-one offered a managed VPN that would
encapsulate IPX," he says. And Field points out, "If you want to
add on other features such as VoIP or video streaming, service
providers generally won't do it. Big ISPs tend to stay away from
anything too technical because it causes more problems. If you want
to add other technologies, create your own system and manage it
yourself."

If you don't know whether to do your own VPN or get one
provided by a carrier, you can get impartial advice from
London-based Unica, a virtual carrier that sources equipment and
connectivity from a range of suppliers depending on quality and
price. "We can frame the issue," says MD Noel Dunn. "We can sit
down and talk through the pros and cons. It doesn't matter to Unica
which way you go - we're agnostic. We get the same fee whichever
way you go."

Whatever choice you make, you're unlikely to be alone.
With expenditure on VPN services and products forecast to increase
tenfold by 2004, according to Infonetics, the number of people
using IP VPNs is going to grow hugely.