Terminologies such as frame relay, packet switching and dial-up modem have largely been consigned to the "weren’t they quaint" cabinet of terms we used to talk about in the 1980s and 1990s.
They were, however, all instrumental strata in the formation of remote connectivity and the point-to-point connections that have allowed us to build an affordable generation of enterprise networking technologies.
With prehistoric beasts like the X.25 protocol mostly a thing of the past, we have evolved our use of networks logically through internet-based channels to create data connections where we want them and how we want them.
Where the internet opened up interconnectivity to all, it also enabled the creation of dedicated connectivity of a more cloistered corporate nature. The concept of the virtual private network (VPN) actually works across any public communications, or indeed telecommunications infrastructure; the internet just happens to be quite a convenient and functional transport protocol.
In practice, a VPN is used to connect remote points – users, databases or whole offices – to an organisation’s central secured network. Cheaper than a dedicated leased line connection, the option to deploy a VPN is now a completely practicable and affordable option for the average small to medium-sized enterprise (SME) that wants that extra layer.
Security inside a VPN comes through functions or disciplines, including tunneling protocols and encryption. Data is encrypted at either end of the tunnel before it is transported and network addresses at either end can also be disguised. Without entering into a history of the 7-layers of the Open System Interconnection networking framework model, layer-2 is where the encoding and the synchronisation happens for your common-or-garden VPN.
While the VPN may be established, there are still many questions to be answered for companies looking to embrace them. Let’s start with the three basic types:
You can think of IPSec as the standard VPN in that it is flexible and configurable in terms of its ability to connect two networks (or a single computer) to a network. Traffic carried through this type of VPN is encrypted and authenticated to protect it against undetected alteration. Because IPsec operates at the network Internet Protocol (IP) layer, it works with any protocol carried by IP. This makes it an ideal general-purpose VPN.
One important caveat, however, is although we refer to IPSec as "standardised", different implementations may sometimes have difficulty interoperating. IPsec is ideal for single-supplier implementations, or where an organisation has IT staff to support it.
Type two is the SSL VPN, which links a single computer to an application gateway on a corporate network. Because SSL VPNs use the client's web browser as an interface, additional software is often not needed on the client machine. This means installation and support of client computers is simplified and the client can run any operating system (OS) that supports a browser and SSL.
The disadvantage here is that, to avoid extra client software and realise OS independence, SSL VPNs are restricted to proxying web pages, so are limited to HTML/HTTP-aware applications. By adding a small amount of software on the client, SSL VPNs can perform application translation, but adding more client software limits platform independence, meaning it may make more sense to use an IPSec VPN.
Third is the mobile option. We know that mobile VPNs are integral to certain industry use cases, such as in public safety and emergency services. In terms of form and function, mVPNs differ from traditional VPNs as the endpoint is not fixed. The mVPN has to retain the user’s connection while dealing with the logins to each new endpoint, using a client to do so.
Read more about VPNs
Check Point Software Technologies’ technical director Tom Davison says modern VPN deployments can be extremely flexible and are usually integral to the company’s main security gateway.
“As we know, security today comes from the IPSec Internet Protocol (IP) technology suite as it works to encrypt data on the VPN channel,” Davison said. “This adds security between the remote server or PC and the main gateway at the firm’s main office location.”
“Between offices, the VPN is usually set up between two gateways: the main office gateway and a smaller, branch office device. For individuals, clientless approaches offer great flexibility, as users don’t need to download and manage software, or have an authentication token, as this can be provisioned centrally.”
For VPN access from smartphones and tablets, Check Point is one company that offers a free downloadable app for iOS and Android. IT teams can then provision access centrally, then users load the app onto their device which manages the VPN connection.
Choosing the VPN to meet the needs of the business
It is important to realise that firms, even SMEs, come in all shapes and sizes. This means that a good VPN deployment may not be based upon the physical size of the company, but be more closely related to how the business works.
Network engineer at PEER 1 Hosting Liam Enticknap says that a customer requiring secure access to its servers from anywhere may prefer a VPN solution over and above security through firewall policies or rule sets.
“We consider this a client-to-site VPN and this allows the user to install a VPN client on machines and connect up from anywhere,” Enticknap said. “The limitation in this is that depending on the model of firewall you've purchased with your hosting depends on how many connections can be had at any one time.
“Another VPN option is site-to-site where a tunnel is built statically between a client's site and their hosted firewall. This means users pass secure traffic, but can only initiate it when at the specified location(s). You can run both of these together offering a more dynamic option depending on your business needs.”
So the rationale for creating a VPN installation comes from a need for security, a need for dedicated data control, a need for mobile data management (MDM) and a need for corporate (and/or smaller scale SME-level) cloud-driven device access connections.
Timico CTO Trefor Davies argues while, in one sense the VPN has not changed in years, in another it has been superseded by mobile and internet/cloud technologies that provide a better and more reliable connection.
“The proliferation of high-performance tablets and smartphones has led to increased use of mobile VPNs that need careful application of device security policies,” Davies said. “A mobile VPN traditionally encrypts data and sends it through a tunnel across the internet to the corporate firewall. A MAM (mobile access management)-based mobile VPN runs over a private network and never touches the internet.”
Read more about cloud
“MAM therefore doesn’t require encryption, which can traditionally add significant packet overhead to a conventional mobile VPN connection. So a MAM-based mobile VPN connection is faster because it doesn’t need to tunnel and encrypt its data.
Davies adds: “Historically, MAM has been the domain of big businesses that could afford the set up fees. However these days, some internet service providers have their own large data pipes into the mobile operators networks and are able to subdivide the MAM into segments that are affordable to smaller businesses.”
The elephant in the room
We know by now there are several types of VPNs and dedicated mobile data channels and then there is cloud. But is cloud the elephant in the room for future VPN services? Juniper Networks senior director of solutions marketing Paul Gainham highlights the fact that many SMEs will have been enticed by the promise of cloud services from the likes of Amazon and Microsoft.
“The application agility and pay-as-you-grow business model, combined with the outsourcing of some aspects of IT management are indeed compelling and have seen impressive uptake,” Gainham said. “But are these open, uncontrolled public cloud services at odds with the guaranteed, secure, single supply benefits of VPN services that many SMEs have become used to.”
“The reality is these two worlds are beginning to come together. A number of VPN service providers (OBS VPN Galerie as an example) are now beginning to offer integrated public cloud services as part of their VPN offer so that the SME gets the best of both worlds – access to public cloud services through the guaranteed, secure, single service supply that they enjoy through their current VPN.”
Growing into your VPN
Looking ahead is Duncan Higgins, director of product and marketing at Virgin Media Business. Higgins warns SMEs it is about making sure you have access to technology that gives you room to grow, both in the short term but also in the long term. There’s no point in paying up front for VPNs that will be redundant in a year’s time.
“We undertook some research last year into the VPN upgrade habits of UK-based CIOs and discovered that over a third needed to upgrade their VPNs every year, costing on average £30,000 each time,” Higgins said.
“SMEs simply can’t afford to be constantly battling to find the finance to undertake yearly upgrades; they need VPNs that give them the room to grow and innovate, which is what SMEs do best.”
As established or seasoned as the VPN model is, it is the very existence of the web itself which gives VPNs their IP transport mechanism but also presents alternative data conduits in their own right.
VPNs are unlikely to go away anytime soon, but we may yet witness the birth of the cloud-centric VPN 2.0 as the traditional desk and cubicle office space model of the last half-decade crumbles into new remote workflows.
This was first published in August 2013