May 1, 2002 12:00 PM, By Kevin McNamara, CNE
In the past, providing access to a company’s computer network for its employees and others that worked outside of the office was handled in one of three ways.
The first was by providing a simple dial-in access telephone number that allowed a certain level of access into the company network. Unless the remote employees were located in the local toll area, the company generally provided toll-free dial-in numbers.
The second way was by installing a dedicated leased data circuit into the remote location, which would permit a full-time connection into the network. While services such as Switched 56 and ISDN were offered in many areas, they were expensive and difficult to maintain. Likewise, more traditional leased data transport options such as T1 (or fractional T1) and Frame Relay can provide quick and reliable connections, but can also be expensive and are not widely available.
The third method is by creating internal company extranets or intranets that let authorized users access custom Web pages, reports and forms through the Internet. This method perhaps the easiest and most cost-effective to access; however, while it is possible to configure an extranet to permit direct access of files, they are generally used to serve information as a Web page.
VPNs allow a company to extend its connectivity to remote users with the same reliability and security of those attached locally.
While all of these methods worked well, and in many cases still do, they suffer from a number of drawbacks including speed, security, high recurring costs and time to deploy. The dependence of company e-mail is growing at a rapid rate. The number and size of each e-mail message is also increasing, placing importance on the speed and reliability of the connection for the remote user.
The underlying technology behind a Virtual Private Network (VPN) has been around for several years, but the wide-scale availability of low-cost, dedicated broadband Internet access such as cable and DSL has companies, large and small, rethinking their remote access strategy.
What is a VPN?
A VPN allows private connections between two machines using any shared or public Internet connection. VPNs permit a company to extend connectivity to remote users with the same reliability and security of those attached locally. The need for leased point-to-point links is eliminated because the VPN can function from any Internet connection.
VPNs are based on a concept called tunneling, a method of encapsulating data into encrypted packets that can travel over IP networks securely and be delivered to a specific address.
VPNs are created using one of four possible protocols: Layer 2 Tunneling Protocol (L2TP), Layer 2 forwarding (L2F), Point-to-Point Tunneling Protocol (PPTP) and IP Security Protocol (IPSec). These protocols define methods to create a VPN over many connection types. The VPN was created prior to the availability of cable or DSL Internet access as a means to establish an on-demand private network between a network server and a dial-in remote user.
When dialing-in to any Internet point-of-presence (POP) using the basic 56kb/s (or slower) modem, the connection is probably made using the Point-to-Point Protocol (PPP). L2TP, L2F and PPTP are VPN protocols that were created primarily to work inside of PPP. These protocols support several authentication methods used in PPP including the Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP), a variation of which is used in Microsoft NT-based operating systems called MS-CHAP. Each of these protocols operates at layer 2 on the OSI layer, allowing them to handle a variety of protocols such as IP, IPX (Netware) and NetBEUI (Microsoft). The L2F protocol adds a two-step authentication process, one from the user and one from the ISP, as well as the ability to create more than a single connection. L2TP enhances and improves upon the security shortcomings of PPTP and L2F through the use of stronger encryption and its support of a multitude of transport methods in addition to PPP.
IPSec is currently the leading protocol used in corporate VPNs. The IPSec protocol was created exclusively for use over IP networks, to be used with the emerging IP standard called IPv6. IPSec also uses a host of features that ensure a high degree of security and data integrity.
The costs associated with implementing a VPN must be justified against the current operational expenses incurred with the support of remote offices and users. A good place to start would be the Cisco VPN Savings Calculator (see sidebar), which provides a thumbnail view of the savings one might expect.
It is necessary to capture those expenses directly related to remote access including leased line costs, toll and monthly recurring charges used for any dial-in services, and the time required to support those users. The hardware requirements for implementing a VPN are minimal and can be handled by a single VPN-specific router. A good, properly configured hardware firewall device is also recommended. In addition, if the remote location is an office, the cost for the hardware, typically a VPN-enabled router, must be included. If the remote access is from individual users (clients), then a copy of VPN client software will be loaded on each machine. This software is typically provided free with the purchase of the VPN hardware. Finally, take into consideration those costs that might be reimbursable to an employee, such as the monthly fees for the cable or DSL service; this typically costs around $40.
With the advent of VPN-specific routers, creating a VPN for your company has been simplified. Installation of the hardware is similar to that of any other device on the LAN; however, configuring the router can be tricky. If you are not comfortable with setting up routers and firewalls, this task should be outsourced.
VPNs are a viable alternative to expensive leased lines and dial-access systems. Whether a network supports five or 500 remote users, VPNs offer a reliable and cost-effective solution. Consider also that VPNs permit system administrators the flexibility to manage remotely located computers and perform tasks such as remote diagnostics and software updates from a central location.
McNamara, BE Radio’s consultant on computer technology, is president of Applied Wireless Inc., New Market, MD.
The Cisco VPN Savings Calculator can be found at www.cisco.com/warp/public/779/largeent/learn/technologies/vpn/vpn_calc/vpnstart.html.