White Paper on remote networking alternatives for the enterprise


Ascend Communications is a respected authority on remote networking solutions. Its recent white paper on remote networking answers many questions

Contents:

1. Introduction
2. Remote networking implementation alternatives
   The private network
   Wholesale remote access
   The virtual private network
3. Choosing the best remote networking option
   Compatibility
   Security
   Privacy of information
   Availability
   Distance decides
4. Remote networking building blocks
5. Appendix: Ascend product information

1. Introduction

Driven by pressing business needs and shifting social trends, more and more workers are roaming further from their offices. You can find them everywhere - staffing small sales offices in far-off locations, laboring late at night on home computers, and working from hotels, convention halls, conference rooms and traffic jams.

All of these workers are part of a booming trend called remote access networking, or simply remote networking. Essentially, remote networking is a method of extending a company's resources to workers in the field using telecommunications technology. The "field" can be anywhere from across town or across the country to the other side of the world. The remote workers can be your company's branch office employees, full or part-time telecommuters, traveling professionals, customers, suppliers or business partners.

Remote networking cuts across industry lines and international borders, affecting a growing number of workers that includes executives and engineers, secretaries and salesmen, doctors and delivery truck drivers. This diverse group has one thing in common: the need to communicate with colleagues and business associates in other locations and to access critical information housed on the corporate network. Today's sophisticated digital technologies and advanced communications services meet these needs - faster, easier and less expensive than ever before. According to companies with remote networks already in place, the long list of benefits includes:

- Increased sales
- More effective customer support
- Faster response to customer needs
- Quicker project completion
- Increased job satisfaction
- Expanded presence in regional areas
- Improved corporate communications
- Better employee retention
- Faster product development cycles

Source: Infonetics Research, San Jose, California

Remote networking trends

Recent business, social and technological trends are helping to fuel the rapid growth of remote networking.

Business trends

Over the last decade, changes in the economy, the workforce and the business environment have all increased the need for remote networking. In response to competitive pressures and the extensive travel demands of today's business world, companies are experimenting with telecommuting and sales force automation to increase productivity around the clock - and around the globe.

Social trends

Changing attitudes about work and leisure time are placing increasing importance on flexibility in daily life. Telecommuting or working from branch offices closer to home lets employees enjoy less-structured lifestyles, live where they want or where housing is affordable, and accommodate child or elder-care responsibilities.

Technology trends

For years, analogue phone lines and modem technology have limited the work employees could perform from remote sites. For workers with demanding requirements - service representatives, computer programmers, engineers or graphic artists, for example - sluggish modem speeds have limited productivity or made it impossible for them to work remotely, at all.

Telecommuting facts

Telecommuting, or teleworking, is one of the fastest-growing segments of the remote networking phenomenon. It includes executives, managers, customer support representatives, sales professionals, editors, programmers and other information workers who access their enterprise network from home. Here are just a few of the facts about telecommuting:

- Telecommuting results in an average work time increase of two hours per day per worker (Gartner Group)
- Telecommuters at Pacific Bell exhibited 25 percent less absenteeism than other employees. Companies save from £1,800 to £3,000 per year per telecommuter on facilities costs (Gartner Group)
- The number of telecommuters will continue to increase at the rate of more than 10 per cent per year (Link Resources)

With the benefits and advantages, the main issue with remote networking today is not "if", but "how". The traditional analog modem bank is on the path to obsolescence with advances in technology and deregulation in the telecommunications industry. Organisations now have three far more capable and affordable options to the modem bank: private networks with digital access concentrators, "outsourced" wholesale access arrangements with network service providers, and the Internet-based virtual private networks (VPNs).

Each of the alternatives is highlighted in section 2. Section 3 compares and contrasts all three, indicating the best fit for each. In general, distance determines which alternative is the most cost-effective. Long-distance remote networking needs, especially for a company's cross-country and international users, are best served by a VPN. Private networks and wholesale arrangements make more sense for local remote networking needs, such as telecommuting programs. Section 4 outlines the three fundamental building blocks of any remote network, and provides guidance for selecting the best services and equipment.

2. Remote networking implementation alternatives

There are three fundamental ways to implement a remote networking solution: a private network, an outsourced "wholesale" network or a virtual private network (VPN). An enterprise-wide remote networking solution may involve only one or a combination of two or all three configurations.

The private network

A private network solution is the traditional form of remote access. Historically, the configuration involved a modem bank and remote access server at the central site; remote users dialed in directly via the Public Switched Telephone Network (PSTN). With this approach, a complete solution needed not only the modem bank, of course, but also terminal adaptors for ISDN lines, channel and digital service units for leased lines and frame relay services, a multi-port terminal server, a router and lots of cables to interconnect everything. Managing such chaos was an error-prone and expensive process.

Once the PSTN converted from analog to digital communications, the troublesome modem bank could be replaced with the more capable and affordable WAN access switch, also known as a digital access concentrator. The WAN access switch integrates all necessary technologies into a single, cohesive product, which is easier to install, operate and manage. The switch interfaces to the PSTN over high-speed T1/E1 or ISDN Primary Rate Interface (PRI) lines.

Each line supplies 24 (T1) or 30 (E1) channels or "ports" that support the full spectrum of WAN technologies, including analog modems, ISDN Basic Rate Interface (BRI), Frame Relay and Switched 56 services. Consolidating these diverse forms of remote networking eliminates the headaches of piecemeal configurations, improves security, and lets a single dial-in telephone number serve all users.

Another advantage of the WAN access switch is its integral digital modem technology. Digital modems:

- Deliver up to 56 Kbit/s throughput downstream to remote users (conventional analog modem performance peaks at 33.6 Kbit/s)
- Accommodate the full spectrum of analog and digital modem protocols
- Protect the investment in switch capacity with a software-based implementation that can keep pace with emerging and future modem standards

The private network alternative has the advantage of being inherently secure, and gives complete management control to the enterprise. The main disadvantage is its relatively high cost of operation compared to that of a VPN or a wholesale arrangement.

Wholesale remote access

A wholesale arrangement essentially relocates the access ports from the enterprise premises to a network service provider's (NSP's) point of presence (POP). Remote users dial into the POP(s), where the traffic is routed to the enterprise over a high-speed link.

The primary advantage of wholesaling is improved price/performance. Indeed, wholesale access takes economies of scale to the next level with carrier-class WAN access switches supporting thousands of ports and tens of thousands of users. Individually, very few organisations can justify such an expenditure. But collectively, through wholesaling arrangements with network service providers, enterprises can obtain a more feature-rich and cost-effective remote networking solution.

The primary disadvantage of wholesale access is lack of availability. But the "presence" of wholesale access is expected to increase substantially over the next few years with regulatory reform permitting both new forms of carriers and increased competition among all carriers.

The virtual private network

A virtual private network, or VPN, is a private network that utilises the next-generation public network to carry all traffic in the WAN. The most widely available, least expensive and high-speed public network is the Internet.

Perhaps the most compelling argument for VPNs is that, if users are already "on" the Internet, why not take full advantage of the connection for other applications? Over one-third of the organisations polled by Infonetics Research said their remote sites needed access to the Internet. In a remote access VPN, the headquarters and every individual telecommuter and mobile worker has a local link to the Internet. The VPN supports IP-based applications, of course, and can also handle most non-IP applications via IP tunnelling. Local connections to local NSPs - leased lines, Frame Relay or dial-up - eliminate all long-distance charges.

Virtual private network

An Internet-based remote access VPN offers compelling advantages:

1) Saving money

- Eliminate long-distance switched calls (PSTN or ISDN)
- Pay only for actual usage with no idle lines or wasted Frame Relay commitments
- Use the same equipment for both Internet access and the VPN
- Minimise network design and management responsibilities

2) An ability to exploit the Internet infrastructure

- Low-cost public bandwidth
- Worldwide presence with ISPs in nearly every city
- Voice over IP and multicast for "multimedia" applications
- Mesh redundancy and fault tolerance
- User familiarity simplifies training and support

3) A way to enhance flexibility

- Add and delete connections instantly
- Provide periodic or temporary connectivity almost effortlessly
- Integrate third-party users easily, including customers, suppliers and business partners
- Select appropriate access rates from 28-128 Kbit/s and beyond with DSL

The cost-savings of VPNs over equivalent private networks are substantial - and real. Here are estimates by three leading industry analyst firms. Infonetics Research estimates a savings of 60-80 per cent for remote access VPNs. Gartner Group expects VPNs to offer savings of at least 50 per cent for remote access and, owing to this substantial savings.

3. Choosing the best remote networking option

Affordability often determines the best option for a remote access network. But the most cost-effective alternative must still satisfy three general requirements: compatibility, security and availability.

Compatibility

Application compatibility is generally not an issue with private and wholesale remote access networks. The "raw" nature of the dial-up links accommodates any and all applications, including those with unusual protocols.

Remote access VPNs may require special provisions, however. Applications that use registered IP addresses can operate via the Internet "as is" with the addition of readily available security measures. To make non-IP or "private IP" applications compatible with the Internet, a company has three choices:

- Convert the application to IP - an endeavour that is usually easier said than done
- Make use of special gateways that convert other protocols to IP
- Employ tunnelling or encapsulation techniques to package other protocols in IP for transit across the Internet

The best choice depends on what options are available for specific applications and the organisation's long-term networking objectives. But unless the application is very old or very unusual, chances are at least one of these three options will work. Normally the most straightforward choice is tunnelling, which works with the widest variety of client/server and legacy applications. Some ISPs can now even offer a fully outsourced VPN solution, which requires no special customer premises equipment or other investment.

Tunnelling: Making the virtual paths in virtual private networks

Tunnelling applies proven technology to Internet-based VPNs. A tunnel is a special IP "envelope" that makes non-IP and private IP applications compatible with the Internet, and is unnecessary for clients and servers with registered IP addresses. The tunnelling process occurs at both ends of the connection: encapsulation at the source places the original packet in a special IP packet; decapsulation at the destination removes the special IP packet, leaving the original intact. Here is a list of the most popular tunnelling and encapsulation protocols:

- The Point-to-Point Tunnelling Protocol (PPTP), created by Microsoft and Ascend Communications, is an extension to the Point-to-Point Protocol (PPP) for Windows NT and NetWare client/server environments
- The Layer-2 Tunnelling Protocol (L2TP) is a proposed industry standard that will combine the best features of PPTP and Layer-2 Forwarding (L2F) to accommodate IP, IPX, AppleTalk, NetBIOS, NetBEUI and other PPP-supported protocols
- The Ascend Tunnel Management Protocol (ATMP), supporting both PPTP and GRE (Generic Routing Encapsulation as defined in RFCs 1701/1702), can be used for "private IP", IPX and NetBIOS/NetBEUI applications
- Data Link Switching (DLSw), originally defined by IBM and now an industry standard, encapsulates SNA traffic (the LU 6.2 protocol) in IP
- IP Security (IPSec), which adds packet encryption and authentication to other tunnelling protocols, also has a Tunnel Mode of operation to provide basic tunnelling on its own
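To make the encapsulation and decapsulation step concrete, here is an added example, written for this edit and not code from the paper or from Ascend, of the GRE framing the ATMP bullet refers to. A non-IP payload is wrapped in a GRE header (RFC 1701) and an outer IPv4 header addressed to the tunnel endpoint, and the receiving end strips both again while refusing anything malformed. The IPX datagram, the addresses and the optional key value are constructed for the example; the code only builds and parses bytes and puts nothing on a network.

```python
import socket
import struct

# Protocol-type values carried in the GRE header (the same numbering as Ethernet types).
GRE_PROTO_IPV4 = 0x0800
GRE_PROTO_IPX = 0x8137
IPPROTO_GRE = 47  # protocol field of the outer IPv4 header when it carries GRE (RFC 1702)

# Flag bits in the first 16-bit word of the GRE header (RFC 1701).
GRE_FLAG_C = 0x8000  # checksum present
GRE_FLAG_R = 0x4000  # routing present
GRE_FLAG_K = 0x2000  # key present
GRE_FLAG_S = 0x1000  # sequence number present
GRE_VERSION_MASK = 0x0007

# Constructed sample: a 30-byte IPX datagram (not a real capture); GRE treats it as opaque bytes.
SAMPLE_IPX_PACKET = bytes.fromhex("ffff001e0004") + bytes(24)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; a valid header checksums to zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, proto: int, src: str, dst: str, key=None, ttl: int = 64) -> bytes:
    """Wrap `payload` in a GRE header and an outer IPv4 header addressed to the tunnel endpoint."""
    flags = 0
    gre_header = b""
    if key is not None:               # optional key field, announced by the K flag
        flags |= GRE_FLAG_K
        gre_header = struct.pack("!I", key)
    gre_header = struct.pack("!HH", flags, proto) + gre_header
    total_len = 20 + len(gre_header) + len(payload)
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, IPPROTO_GRE, 0,
                            socket.inet_aton(src), socket.inet_aton(dst))
    # Fill in the header checksum (computed with the checksum field zeroed).
    ip_header = ip_header[:10] + struct.pack("!H", ipv4_checksum(ip_header)) + ip_header[12:]
    return ip_header + gre_header + payload


def gre_decapsulate(packet: bytes) -> tuple:
    """Strip the outer IPv4 and GRE headers; returns (protocol type, inner payload, src, dst).

    Raises ValueError for anything malformed, so a tunnel endpoint never forwards junk inward.
    """
    if len(packet) < 24:
        raise ValueError("truncated packet")
    ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl + 4 or total_len > len(packet):
        raise ValueError("bad IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    gre = packet[ihl:total_len]
    flags, inner_proto = struct.unpack("!HH", gre[:4])
    if flags & GRE_VERSION_MASK:
        raise ValueError("unsupported GRE version")
    if flags & GRE_FLAG_R:
        raise ValueError("GRE source routing not supported here")
    # Optional fields are present only when their flag bits say so; skip over them.
    header_len = 4
    for flag in (GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S):
        if flags & flag:
            header_len += 4
    if len(gre) < header_len:
        raise ValueError("truncated GRE header")
    return inner_proto, gre[header_len:], socket.inet_ntoa(src), socket.inet_ntoa(dst)


if __name__ == "__main__":
    tunnelled = gre_encapsulate(SAMPLE_IPX_PACKET, GRE_PROTO_IPX, "10.1.1.1", "192.0.2.10")
    proto, inner, src, dst = gre_decapsulate(tunnelled)
    print("GRE 0x%04x from %s to %s carrying %d bytes" % (proto, src, dst, len(inner)))
```

GRE on its own gives the tunnel neither authentication nor confidentiality: the decapsulating endpoint can check that the envelope is well formed, as above, but not who built it. That is the gap the firewall, proof-of-identity and IPSec provisions in the next section are there to close.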

Security

There are three Ps that, together, constitute total network security:

- Protection of resources through a dynamic firewall defense
- Proof of identity through both user and packet authentication
- Privacy of information through snoop-proof packet encryption

All three Ps are equally important in any enterprise networking application, including remote access. Exclusively private networks may use only simple passwords for proof of identity, and take for granted both protection of resources and privacy of information. But any time a private network interfaces to a public network, such as the Internet, none of the three Ps can be taken for granted. So in any wholesale arrangement or VPN, a firewall should exist at every interface to the public network, every user should be fully authenticated, and encryption should be available as needed on an application-by-application basis.

Protection of resources

Firewalls are essential any time a private network interfaces to a public network. A firewall passes only authorised traffic for all trusted users, and blocks everything else. In other words, all attempts at access by unknown or untrusted users are stopped, and the two-way traffic of trusted users is screened to ensure it is expressly permitted.

This important form of protection must be provided for every user and site because, like a chain, a network security system is only as strong as its weakest link. The biggest single limitation of most firewalls is that securing every single connection becomes cost-prohibitive, thus negating the cost-saving advantages of a wholesale arrangement or VPN. The ideal firewall solution, therefore, should meet all of the following criteria:

- It should be integrated with the remote networking equipment to make the protection both effective and affordable
- A low-cost, software-only version should be available for individual users with ordinary analog modems
- The firewall should strictly enforce a policy of "that which is not expressly permitted is denied"
- The design should employ state-of-the-art dynamic stateful inspection for maximum protection
- The International Computer Security Association (ICSA) must certify the offering

An optional unprotected "de-militarised zone" (DMZ) LAN interface should be available, on the Internet side of the firewall, for Web and other public servers.
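The following added example, written for this edit rather than taken from the paper or from any Ascend product, shows what the "not expressly permitted is denied" policy and dynamic stateful inspection mean in practice, as a small Python packet filter: a permit-only rule set, a session table that lets replies to permitted connections back in, and a default drop for everything else. The rule set, the addresses (documentation ranges) and the six sample packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # True only for a TCP segment that opens a new connection


@dataclass(frozen=True)
class Rule:
    """An explicit permit. There are no deny rules: whatever no rule permits is dropped."""
    src_net: str
    dst_net: str
    proto: str
    dport: Optional[int]  # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and self.dport in (None, pkt.dport)
                and ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net))


class StatefulFirewall:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.sessions = set()   # 5-tuples of connections that were expressly permitted

    def filter(self, pkt: Packet) -> str:
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. Packets of an already-permitted session pass in either direction.
        if forward in self.sessions or reverse in self.sessions:
            return "allow (established)"
        # 2. A TCP segment that is not a connection request and belongs to no session is junk:
        #    nobody on the trusted side asked for it, so it is dropped without consulting the rules.
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny (no session)"
        # 3. A new session is admitted only if a rule expressly permits it, and is then remembered.
        for rule in self.rules:
            if rule.matches(pkt):
                self.sessions.add(forward)
                return "allow (new)"
        # 4. Everything else: "that which is not expressly permitted is denied".
        return "deny (default)"


# Constructed policy: the trusted LAN 10.0.0.0/24 may browse and resolve names; the public web
# server 203.0.113.80 accepts HTTP from anywhere. Nothing else is permitted, in either direction.
RULES = [
    Rule("10.0.0.0/24", "0.0.0.0/0", "tcp", 80),
    Rule("10.0.0.0/24", "0.0.0.0/0", "tcp", 443),
    Rule("10.0.0.0/24", "0.0.0.0/0", "udp", 53),
    Rule("0.0.0.0/0", "203.0.113.80/32", "tcp", 80),
]

# Constructed sample traffic, in arrival order.
SAMPLE_TRAFFIC = [
    Packet("tcp", "198.51.100.9", 51000, "10.0.0.5", 23, syn=True),     # unsolicited telnet to a workstation
    Packet("tcp", "10.0.0.5", 40000, "203.0.113.7", 80, syn=True),       # workstation opens a web session
    Packet("tcp", "203.0.113.7", 80, "10.0.0.5", 40000),                 # the web server's reply
    Packet("tcp", "203.0.113.7", 80, "10.0.0.5", 40001),                 # same server, port nobody opened
    Packet("tcp", "198.51.100.9", 51000, "203.0.113.80", 80, syn=True),  # public web server, permitted
    Packet("udp", "198.51.100.9", 51000, "10.0.0.5", 53),                # unsolicited UDP into the LAN
]


def run_sample() -> List[str]:
    """Run the constructed traffic through a fresh firewall and return the decision per packet."""
    fw = StatefulFirewall(RULES)
    return [fw.filter(pkt) for pkt in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for pkt, decision in zip(SAMPLE_TRAFFIC, run_sample()):
        print(f"{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}: {decision}")
```

The session table is what makes the filter "stateful": the reply from 203.0.113.7 is admitted only because a trusted host opened that exact connection moments earlier, and the same server's segment to a port nobody opened is dropped even though it comes from the same address. A rule set that had to list every reply explicitly could not express that distinction.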

Proof of identity

Various forms of authentication are available to establish proof of identity. The most basic form of authentication involves entering a simple password during logon, such as with the Password Authentication Protocol (PAP). The Challenge Handshake Authentication Protocol (CHAP) is a little more sophisticated, but still fairly easy to circumvent. Even for private networks, such rudimentary methods are increasingly insufficient. Token cards, by contrast, offer virtually "bulletproof" authentication with single-use passwords.
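As an added illustration, written for this edit and not taken from the paper, here are the two logon methods just named side by side in Python: a PAP Authenticate-Request laid out as in RFC 1334, where the password is carried verbatim, and CHAP as specified in RFC 1994, where the client proves knowledge of the secret by hashing it with a one-time challenge. The username, the secret and the in-memory secret table are constructed for the example; a real access switch would look the secret up through RADIUS rather than a dictionary.

```python
import hashlib
import hmac
import os
import struct


def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request (RFC 1334): the password travels in the frame verbatim."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response value (RFC 1994, MD5 algorithm): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of CHAP. Every logon gets a fresh random challenge that is valid exactly once,
    so a response captured from one session is useless for the next."""

    def __init__(self, secrets: dict):
        self.secrets = secrets     # username -> shared secret (assumed in-memory table; RADIUS in practice)
        self.pending = {}          # identifier -> outstanding challenge
        self.identifier = 0

    def challenge(self) -> tuple:
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)
        self.pending[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, username: str, response: bytes) -> bool:
        chal = self.pending.pop(identifier, None)   # consumed whether or not the response is right
        secret = self.secrets.get(username)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Constructed walk-through: one honest logon, then two attempts to reuse the captured response."""
    auth = ChapAuthenticator({"alice": b"s3cret-example"})      # constructed user and secret
    ident, chal = auth.challenge()
    captured = chap_response(ident, b"s3cret-example", chal)   # what the client sends over the link
    first = auth.verify(ident, "alice", captured)
    replay_same = auth.verify(ident, "alice", captured)        # challenge already consumed
    ident2, _chal2 = auth.challenge()
    replay_new = auth.verify(ident2, "alice", captured)        # different challenge, stale response
    pap = pap_authenticate_request(1, b"alice", b"s3cret-example")
    return {"first_logon": first,
            "replay_same_challenge": replay_same,
            "replay_new_challenge": replay_new,
            "pap_exposes_secret": b"s3cret-example" in pap,
            "chap_exposes_secret": b"s3cret-example" in captured}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The walk-through shows both why CHAP beats PAP on the wire and why the paper still rates it as easy to circumvent: the secret never leaves the client and a captured response fails against any later challenge, but the secret itself is a reusable password, and one observed challenge/response pair is enough material for an offline guessing attack on a weak one. Single-use passwords from token cards remove that reusable secret, which is the point of the next sentence in the text.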

Private networks can take advantage of calling line ID (CLID) and callback for telecommuters, where each user is associated with a permanent telephone number. CLID requires the local carrier to provide calling line information, but is transparent to the user. With callback sessions, the user's initial logon is terminated, and the session is re-established from the central site. Some ISPs may offer this advanced form of authentication for wholesale arrangements and VPNs.

The ultimate form of authentication validates each and every packet with a digital signature. Packet authentication validates source addresses and provides integrity by ensuring that data has not been altered during transmission.

Privacy of information

IP Security, or simply IPSec, is outlined in a series of standards (RFCs 1825-1829) that add data authentication, integrity and confidentiality to any IP-based network, especially VPNs. There are two aspects to IPSec's protection: the Authentication Header (AH) and the Encapsulating Security Payload (ESP), which can be employed individually or in combination.
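The per-packet proof of identity described under "Proof of identity" and the Authentication Header idea in this paragraph can be shown together in one added Python example, written for this edit and simplified relative to the RFCs rather than taken from the paper or from Ascend. Each packet carries a security parameter index, a sequence number and an integrity check value computed with a keyed hash over header and payload; the receiver verifies the value, rejects altered packets, and keeps a sliding window over sequence numbers so a replayed or stale packet is rejected too. HMAC-SHA256 is assumed here as a stand-in for the keyed MD5 of the 1995 RFCs, and the key, the SPI and the 45 sample records are constructed.

```python
import hashlib
import hmac
import struct


class PacketAuthSender:
    """Prepends an authentication header (SPI, sequence number, ICV) to each payload.
    Shaped after IPSec AH, with the outer IP header left out for brevity."""
    HEADER = struct.Struct("!IIH")   # SPI, sequence number, payload length
    ICV_LEN = 12                     # truncated keyed-hash output, as AH does with HMAC

    def __init__(self, spi: int, key: bytes):
        self.spi, self.key, self.seq = spi, key, 0

    def protect(self, payload: bytes) -> bytes:
        self.seq += 1                # never reused for the lifetime of the key
        header = self.HEADER.pack(self.spi, self.seq, len(payload))
        icv = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:self.ICV_LEN]
        return header + icv + payload


class PacketAuthReceiver:
    WINDOW = 32                      # how far out of order a packet may arrive and still be accepted

    def __init__(self, spi: int, key: bytes):
        self.spi, self.key = spi, key
        self.highest = 0             # largest sequence number accepted so far
        self.seen = set()            # accepted sequence numbers inside the window

    def verify(self, packet: bytes) -> bytes:
        hdr_len = PacketAuthSender.HEADER.size
        icv_end = hdr_len + PacketAuthSender.ICV_LEN
        if len(packet) < icv_end:
            raise ValueError("truncated")
        header, icv, payload = packet[:hdr_len], packet[hdr_len:icv_end], packet[icv_end:]
        spi, seq, length = PacketAuthSender.HEADER.unpack(header)
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if length != len(payload):
            raise ValueError("length mismatch")
        # Replay check first (cheap), then the integrity check (keyed hash), then commit the state.
        if seq in self.seen or seq <= self.highest - self.WINDOW:
            raise ValueError("replayed or stale sequence number %d" % seq)
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:PacketAuthSender.ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("integrity check failed: packet altered or wrong key")
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > self.highest - self.WINDOW}
        return payload


def demo() -> dict:
    """Constructed walk-through with 45 protected records delivered in a deliberately odd order."""
    key = b"constructed-demo-key-not-for-real-use"
    sender = PacketAuthSender(spi=0x1001, key=key)
    receiver = PacketAuthReceiver(spi=0x1001, key=key)
    packets = [sender.protect(b"record %02d" % i) for i in range(1, 46)]   # sequence numbers 1..45
    out = {}
    out["first"] = receiver.verify(packets[0]) == b"record 01"
    out["latest"] = receiver.verify(packets[44]) == b"record 45"          # window now covers 14..45
    out["out_of_order_in_window"] = receiver.verify(packets[19]) == b"record 20"
    for name, pkt in (("replay", packets[19]),                 # already accepted
                      ("stale", packets[4]),                   # seq 5 has fallen behind the window
                      ("tampered", packets[29][:-1] + b"X")):  # payload altered in transit
        try:
            receiver.verify(pkt)
            out[name + "_rejected"] = False
        except ValueError:
            out[name + "_rejected"] = True
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two details carry the security value: the integrity check is evaluated with a constant-time comparison and only after the cheap replay check, and the window state is updated only once the packet has passed both checks, so a forged packet with a high sequence number cannot push the window forward and shut out legitimate traffic. ESP adds confidentiality on top of the same structure; this example stops at authentication and integrity, which is what AH provides.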

Availability

Availability has three equally critical dimensions - uptime, throughput and latency - and both private networks and wholesale arrangements offer inherent assurances for all three. For VPNs, uptime assurances are generally covered by a Service Level Agreement (SLA), while throughput and latency are normally elements of Quality of Service (QoS) provisions. SLAs guarantee that network uptime will exceed 99 per cent, for example, with money-back guarantees when the service provider fails to deliver. Meeting such stringent service levels with a private network or wholesale arrangement is relatively straightforward; the Internet, however, presents a different situation for VPNs.

QoS comes in three levels or classes: best effort, relative and absolute. Best effort is, essentially, the absence of QoS; neither throughput nor latency is assured. Most users of the Internet today receive best effort service, which is often adequate for remote networking needs. Relative QoS prioritises traffic using the Type of Service (ToS) field in the IP header. The Internet's ability to deliver on such a request depends on two factors: the current network load and the percentage of traffic requesting prioritisation. Hence the reason this service is relative. And even when higher priority is granted, relative QoS has no provision for minimising latency. Absolute QoS guarantees delivery of both sufficient bandwidth and a not-to-exceed latency with no ifs, ands or buts - in other words: absolutely. Unfortunately, Absolute QoS is not available in the Internet today.

Distance decides

Despite the various tradeoffs outlined above for compatibility, security and availability, affordability often dictates the solution. And it is distance that makes the most profound difference in cost of all three alternatives. For local remote networking applications, especially for telecommuters, the private network or wholesale arrangement is comparable in cost. As the distance between remote users and the central site increases, as is the case with traveling workers, the VPN alternative becomes more attractive. As the number of distant users increases, the advantages of the VPN become quite compelling.

The reason distance is often the primary decision criteria lies in the cost breakdown of a typical remote network. The initial equipment expenditure and implementation constitute only about 20 per cent of the total three-year cost of ownership. Surprisingly, this capital expense is similar for all three alternatives. In fact, equipment for remote users is often identical with all three. The central site requires either a WAN access switch, for the private network, or a router for both the wholesale arrangement and the VPN. But because a "bare bones" WAN access switch is actually a router with special remote networking features, it is normally the most capable and flexible choice for all three alternatives.

With VPNs looming as an inevitable element of enterprise networking, the WAN access switch lets organisations build "VPN ready" private networks or enter into "VPN ready" wholesale arrangements with complete investment protection. When ready to migrate in whole or in part to a remote access VPN - now or in the near-term future - the switch's VPN-specific options, such as a firewall, tunnelling and IPSec provisions, can be added through software and memory upgrades to the router.

The on-going operating expenses of the remote network are what constitute the remaining 80 per cent of the total cost of ownership. The two major on-going expenses are WAN services and network management. Local WAN access charges, at both the central site and for all remote users, are almost identical among the three alternatives. The real difference is in the distance. Private networks incur long-distance charges for any call originating from beyond the central site's local calling area. The "local" reach of wholesale configurations can be as large as an entire metropolitan area, depending on the service provider's infrastructure. VPNs, with local connections for all users and sites, eliminate all long distance charges.

On-going management costs are typically higher with the private network configuration. With wholesale and VPN solutions, service providers are responsible for most of the infrastructure, and even handle some of the user support - especially the potentially troublesome basic network connection.

4. Remote networking building blocks

There are three fundamental building blocks in any remote network: network services, access equipment and a management system.

Network services

Network services include local access for all sites and users, along with long-distance services for a private network solution, and network/Internet service providers for wholesale and VPN solutions.

Local access services

These are required for all sites and users. The traditional provider of such services is the Regional Bell Operating Company (RBOC) or Incumbent Local Exchange Carrier (ILEC). Deregulation has created a new entrant to this market called the Competitive Local Exchange Carrier or CLEC. Both ILECs and CLECs offer essentially two broad choices for local access:

- Dial-up services, such as analogue modems and ISDN, which are best for travelling employees and telecommuters, respectively
- Continuous forms of access, including that provided by leased lines or Digital Subscriber Lines (DSL), which are required for the central site and may be cost-effective for "power" users or multi-user small office/home office environments

Beyond these two fundamental options, choosing the best alternative is really only a matter of speed: how much throughput does the user or site need?

While most local access services incur a fixed monthly fee, some may have a variable usage charge, such as per-minute fees for ISDN. Sometimes a fixed rate leased or digital subscriber line is less expensive than the combined fixed and variable charge of a dial-up service, especially for full-time telecommuters.

Digital subscriber lines

DSL technology increases the throughput of ordinary twisted pair wiring in the local loop. Voice telephone services use this same wiring, but employ analogue signalling methods that severely limit bandwidth. DSL technologies achieve higher transmission speeds - up to 7Mbit/s - by utilising advanced digital signal processing techniques, similar to those used for ISDN and T1/E1 today. A DSL link, in effect, creates a high-speed "leased line" between the central office and the user site, which is ideal for full-time telecommuters and other "power" users. Of the numerous DSL technologies available, these three most effectively utilise existing twisted pair wiring to deliver both voice and data services:

- ISDN Digital Subscriber Line (IDSL), pioneered by Ascend, delivers 128Kbit/s performance and offers compatibility with existing ISDN access equipment
- Symmetric Digital Subscriber Line (SDSL) furnishes 768Kbit/s of throughput as a cost-effective alternative to leased lines
- Rate-adaptive Asymmetric Digital Subscriber Line (RADSL) integrates lifeline analogue voice (to power the telephone) with high-speed digital data for a total communications solution on a single pair of wiring
- RADSL is available in Carrier Amplitude/Phase (CAP) and Discrete Multi-Tone (DMT) options that provide 64-640Kbit/s in the upstream direction (from the subscriber) and 1.54-6.14Mbit/s in the downstream direction, where bandwidth is needed the most

Long-distance services

These are required for private networks, and may be needed for extending the reach of wholesale arrangements to remote metropolitan areas. Inter-eXchange Carriers (IXCs) were the only option for long-distance services until recently, with regulatory reform opening up this market to ILECs and CLECs, especially for intra-state needs.

Network/Internet services

These include both wholesale access providers, which are generally CLECs, and Internet service providers (ISPs). They are covered together here as providers of primarily data services. Many ILECs and IXCs are also ISPs, and some may even offer wholesale access in select markets.

Selecting a network service provider

Selecting the right network service provider is critical to the success of the remote networking solution. Whether your organisation wants to use a national provider or multiple local ones, consider each to be a strategic partner. A checklist of considerations for selecting the best possible service provider follows:

- Support for the full spectrum of WAN options (analogue modems, cellular, ISDN, Frame Relay, Switched 56, T1/E1/PRI, X.25 and DSL)
- Digital modem technology for improved link reliability and support of an open architecture for the latest in 56Kbit/s analogue modem technology
- Multilink Protocol Plus (MP+) advanced dynamic bandwidth management to accommodate
- Telecommuter integrated access devices
- Standards-based compression (bandwidth on demand and compression work together to deliver optimal throughput as needed, and only as needed, to minimise service fees)
- Comprehensive security provisions, especially Proxy RADIUS and IPSec, and a reputation for administering security
- Support for L2TP, PPTP, ATMP and IPSec tunnelling to accommodate existing protocols and applications
- High-speed backhaul links to the Internet backbone for good performance
- Redundancy to assure adequate uptime for mission-critical needs
- Service Level Agreement (SLA) uptime guarantees and confirmation reporting
- Tiered Quality of Service (QoS) options ranging from "best effort" to an "absolute" guarantee of throughput and latency
- End-to-end monitoring, operating and troubleshooting capabilities
- Value-added features, such as Voice over IP (VoIP), IP multicast and IP faxing
- Value-added services, including consulting, network design, systems integration, on-going support, user help desk, extranet management, data backup, Web hosting, electronic commerce, etc
- POP locations near all users and sites, or national/international "roaming" agreements with other service providers, to minimize or entirely eliminate long-distance fees
- Call Detail Reporting (CDR) to track usage by all users
- Central site or distributed pricing and billing arrangements, including bundled and managed service offerings
- Long-term financial stability and viability

Access equipment

Remote network access equipment comes in two categories: the WAN access switch for the central site and systems for all remote users and sites. The WAN access switch is the heart of any remote network. While an ordinary router may be suitable for wholesale arrangements or VPNs, the slight additional cost of a software-upgradeable WAN access switch (with built-in routing) provides excellent investment protection.

Make sure your switch has support for the most cost-effective WAN option desired, such as T1/E1, ISDN PRI/BRI, DSL, Frame Relay and ATM.

Readers are directed to the Ascend Communications website at ascend.com for the fifth part of this white paper, which deals with Ascend product information.

Compiled by Will Garside

(c)1998 Ascend Communications, Inc



This was first published in July 1999

 
