The VPN dilemma: in-house or outsourced?

With traditional networks choking on data, Liz Biddlecombe investigates the pros and cons of managing a VPN yourself or offloading it onto a third party

While Frame Relay and ATM-based VPNs are still growing in popularity, an IP VPN handles multimedia applications better and supports differentiated classes of service. You also get better security as long as you use triple DES encryption and a good firewall. And the ubiquity of the Internet means the VPN can support global roaming access to the Lan when employees are travelling.

"Network managers are always having to justify extensions to the network," says Phil Barton, chairman of the European VPN Users Association. "With an IP VPN you can decentralise some decisions as to the level of quality so that if one site says it doesn't want to pay more, then it will end up with worse service."

Alex Connor, business marketing manager at Energis, suggests that companies use IP VPNs either as "a cheap and cheerful way to connect offices around the world" or to send non-critical traffic across the UK. "IP VPNs are ideal for industries such as retail or travel where reliability isn't of primary importance but cost is," he says.

If you decide to implement an IP VPN, the big issue is whether to run it yourself or buy in a managed service from a service provider. With 84% of UK network managers voting for outsourcing and only 16% intending to manage it themselves, according to a recent survey by Infonetics Research, getting a third party in seems to be the VPN strategy of choice in the UK.

Peter Judge of Infonetics points out that the big concern about VPNs for UK organisations is the security aspect. "32% of those surveyed were concerned about security," he says, "whereas 11% cited difficulty of management as a barrier. This is classic overconfidence. The figures should be reversed - VPNs are as secure as they need to be."

On the other hand, installing and running a VPN isn't for the uninitiated. Each VPN tunnel has to be set up individually, requiring addressing schemes of both networks, as well as encryption and authentication algorithms and key exchange. Expert knowledge of routeing protocols such as MPLS, BGP and OSPF is a must although products are emerging with easy-to-use automated configuration and management, which keeps down the management headcount.

"VPN dial-ups are very important to minimise demands on technical support," advises Steven McAdam of US-based Indus River. "When looking at VPNs, people focus on the boxes but it's all about management: technical support and managing service from ISPs are the biggest problems."

At US-based Peak Technologies, a VPN connects more than 700 employees, 200 of whom are on the road. "The most difficult part is working with ISPs on account setup and account issues," says IT director Bill Wolf. He reckons the company has cut $15,000 from the monthly cost (now $31,000) of accessing the corporate network via a remote access dial-up system.

To ensure your technical support team isn't overwhelmed by user problems, Judge advises "kicking the tyres on the client software". The program should be intrusive enough to remind people they need to launch it, but "shouldn't put up great barriers such as lots of unfamiliar dialog boxes", he says.

With the help of such solutions, it is possible to reap some of the benefits of a VPN. Top of the list of pros of managing your VPN yourself is cost - all you need to spend money on is the kit and Internet access.

Another plus is that you get control of your own security. Denmark-based Lasat Networks, which makes VPN solutions mainly for the SME market, says it is important to use European security technology to ensure sensitive commercial information isn't intercepted by the US-run Echelon spy network.

Not all choices are so dramatic. "You might want to control the migration of users from radius passwords to token card," says Dave Zwicker at Indus River. "You might want to use passwords rather than PKI, or DES rather than triple DES. If you have a larger network and enough support staff, you are likely to want to customise how you allow access to applications. You want a higher level of performance and sophistication. Managed services are good for the lower end and simpler applications."

Another benefit of managing the VPN yourself is that it makes you independent of the ISP for coverage and quality of service. "You can mix and match ISPs to extend coverage around the world, blending access by cable modem or DSL," says Zwicker.

On the downside, you need skilled people to set up and run a VPN service. "Wizards may simplify and automate the download of routeing tables to the routers, but 'simplify' means simple to a capable person," says Barton.

And Craig Field, a London-based IT consultant who has evaluated both systems and managed service offerings for a number of clients, reiterates the point that configuring an IP VPN is not for the layman. "The trouble with wizards is that if you have a problem with your system you have no idea what the wizard has done so it's hard to troubleshoot," he says.

Field points to another issue with self-managed IP VPNs and skilled staff. "If you're looking at running business-critical applications you need someone who knows their stuff if the network goes down," he says. "Uptime is the most important thing, especially for financial data. If it's not mission-critical, then the network going down for three days because of someone's incompetence is no big deal." It all depends on what you want to do with your VPN. Site-to-site and extranet VPNs are more complex than remote access.

"With an extranet," explains Judge, "you need trust and PKI established. You have to start checking individually what applications each person has access to."

What you shouldn't overlook is that dial-up access reduces quality. "People are concerned about the poor performance of the public Internet," says Judge, "and I can tell you they're right. You need to reduce your expectations if you're doing it over the public Internet. Dial-up delays over narrowband connections are obvious, but there are no quality of service guarantees across the public Internet."

However, it all depends on what you're doing. "Our VPN solution had to be as good or better than the remote access server," says Wolf. "The VPN has proved more reliable and has better throughput because of compression."

A key advantage of going with a carrier-provided service is reliability. Energis launched an IP VPN service in the summer, which it runs over its own network using Cisco kit. "The reliability and security issues don't exist because it isn't running over the Internet," says Connor.

Another obvious benefit is that it avoids the need for legions of skilled staff. This is clearly a concern for UK network administrators since 25% of UK organisations in the Infonetics survey said they had too few IT staff to support a VPN. With a managed service you get the benefit of handing over design, installation, PKI management and day-to-day operation to someone else. "All you need to do is throw traffic at the service provider - even if you add more sites," says Barton. "The provider will then provide the connection to the other sites. Buying in managed services is scalable and costs less to manage."

Although you may want to retain control of security procedures, doing so may blow a hole in your budget. "A large proportion of UK businesses want to keep security in-house but they will find, when it comes to it, that hiring security experts will demolish their IT budgets," points out Judge. It may be better to incorporate that cost in paying for a managed service.

The VPN service can also be bought as part of a package. Judge thinks this is a good strategy. "If there's any problem, you won't have finger-pointing between suppliers," he says. "And you have one bill and one phone line to wait on when you need help." It's also worth investigating whether your supplier will bundle in security services such as firewall management. As usual, it's important to choose a service provider with a good helpdesk.

But Jon Floyd, IP marketing manager for global carrier Equant, dismisses claims that managed services are better for smaller companies. "There are more problems associated with running IP VPNs for larger companies than for smaller companies - you have more sites and more users," he says. Equant also lets users choose their preferred security and authentication technologies.

Users believe carriers offer a uniform product that isn't tailored to individual company needs. Wolf at Peak Technologies went for the DIY route because the company still uses NetWare's IPX protocol. "No-one offered a managed VPN that would encapsulate IPX," he says. And Field points out, "If you want to add on other features such as VoIP or video streaming, service providers generally won't do it. Big ISPs tend to stay away from anything too technical because it causes more problems. If you want to add other technologies, create your own system and manage it yourself."

If you don't know whether to do your own VPN or get one provided by a carrier, you can get impartial advice from London-based Unica, a virtual carrier that sources equipment and connectivity from a range of suppliers depending on quality and price. "We can frame the issue," says MD Noel Dunn. "We can sit down and talk through the pros and cons. It doesn't matter to Unica which way you go - we're agnostic. We get the same fee whichever way you go."

Whatever choice you make, you're unlikely to be alone. With expenditure on VPN services and products forecast to increase tenfold by 2004, according to Infonetics, the number of people using IP VPNs is going to grow hugely.
