Proceed with caution

Dave Dengler, CIO for Keane Inc.

On the other hand, Dengler knew his dial-up charges would skyrocket as remote usage went up, since the fees were based on per-minute usage time. And that was not a happy thought. Dengler had already seen his costs increase 400% from the beginning to the end of 1998. So, he began to look for alternatives to using the dial-up radio server service from Sprint Communications Co.

The idea of building a virtual private network (VPN) soon presented itself as the answer to his prayers. Dengler had been thinking about VPNs for a few years and had some familiarity with the concept. So when he saw how his dial-up bills were skyrocketing, he decided to look into VPNs more closely. With a VPN, Dengler could eliminate the per-minute usage fees and give his nomadic users a reliable, friendly way to access their files, e-mail, and intranet content.

VPN’s Advantages Forrester Research asked IT managers from 22 large companies in late 1997 why they chose a VPN over other network approaches. The response: Source: Forrester Research Inc., late 1997 report

“It had to be easy to use. It had to be secure. And it had to be cost effective,” says Dengler. After evaluating products from AT&T Corp., GTE Corp., and other vendors, he decided to build a VPN based on the RiverWorks family of products from Indus River Networks Inc. of Acton, Mass. The RiverWorks suite comprises a tunnel server (which creates the tunnel and encrypts the traffic), a management server (for network management capability), and the RiverPilot Universal Access Manager (client remote-access software). Now, nearly 2,500 Keane consultants and salespeople access the intranet via the VPN, making it one of the larger installations from any vendor in the country. The payoff: Dengler’s Sprint bill dropped $10,000 from April to May of this year, and he expects to reduce his remote-employee access costs by two-thirds once all the road warriors are using the VPN. “This caps my costs. That’s the most important thing,” says Dengler. Now, he wholeheartedly welcomes an explosion in remote access usage.

Virtual private nirvana

Loosely defined, a VPN is a private, secure tunnel through the Internet, which companies can use as a WAN to connect geographically dispersed users, customers, and business partners. Companies can build their own VPNs using a wealth of products (from vendors such as Check Point Software Technologies Inc., Cisco Systems Inc., Indus River, Network Associates Inc., and 3Com Corp.) or elect to outsource the VPN to a carrier (such as AT&T and MCI WorldCom USA).

Common applications are connecting corporate branch offices, giving mobile employees intranet access, and linking a corporation’s trading partners on an extranet. The second of these, connecting remote employees to the corporate intranet, is the biggest growth area today, says Jay Chaudhry, executive vice president and general manager of VeriSign Inc., a Mountain View, Calif., vendor that helps companies evaluate and deploy VPN products.

As the Keane example shows, cost is the clearest reason to choose a VPN over other networking alternatives. VPNs boast cost savings of between 20% and 80% over dial-up, Frame Relay, and leased-line access, according to Infonetics Research Inc., a market research company in San Jose, Calif. Ted Julian, an analyst at Forrester Research Inc., compares accessing the corporate network via leased lines to driving to work in a tank, an undoubtedly expensive proposition. “VPNs are the Honda Civic. They’re much more cost effective,” says Julian, at the Cambridge, Mass., headquarters of Forrester.

Future VPN Use The majority of IT managers at 22 large companies estimated VPN use would grow over the next two years. Source: Forrester Research Inc., late 1997 report

Cost isn’t the only advantage, however. VPNs in theory are easier to manage than the other alternatives, making it a snap to add and remove users. And at its best, the technology is transparent to the end user, with no additional training required.

Keane’s Dengler says RiverPilot, the RiverWorks dialer, is particularly user friendly. It can figure out where the user is calling from and automatically choose the most cost-effective number to call to get into Earthlink, Keane’s ISP. The dialer has embedded intelligence that allows it to prescribe a solution if there’s a problem–for instance, if the modem cable is unplugged. Users applaud this capability, says Dengler.

Access control is a problem

When implemented properly, VPNs are more secure than conventional WANs. With most implementations, all data going through the tunnel is encrypted and users are authenticated prior to being allowed through the VPN gateway. But security is one of the trickiest VPN issues. The stakes are high, since all the data is flowing over a public network (i.e., the Internet), which is inherently totally insecure. So, users must implement VPNs in conjunction with strong firewalls and encryption and authentication products.

“Security is an extremely critical piece of it,” says VeriSign’s Chaudhry. Choosing a firewall, a VPN gateway, and strategies for encryption and authentication of users are the biggest headaches of the VPN implementation, he says. VeriSign sells a product that authenticates users via Public Key Infrastructure (PKI) digital certificates, a newly developed security standard.

Components Of A Secure VPN: VPN gateway (server, router, or firewall) VPN client software VPN PKI (Public Key Infrastructure) encryption strategy VPN client software Encryption accelerators X.509 authentication certificates Certificate authority Directory services (e.g., LDAP) Transport connections (private or public) Source: VeriSign Inc.

But Forrester’s Julian says access control–rather than encryption and authentication–is the biggest piece of the VPN security puzzle. “Authentication and encryption are just the beginning. We need a way not just to figure out who someone is and make sure the data is safe, but also to make subsets of applications available to user groups. There’s no good way to do that today,” he says. No one has yet figured out a way for companies to let employees into the piece of the SAP R/3 financials application that applies to them, for example, rather than giving them access to the whole application. Says Julian, “Today, you’re either in the application or you’re not.”

Leslie Stern, product marketing manager for Check Point, acknowledges that the company’s VPN products are not currently integrated with enterprise applications like R/3, so the application would automatically recognize the user’s access rights and let him see only appropriate data. This level of integration will require much work on the part of the enterprise application vendors, according to Stern. “For that to happen, there’s a certain amount of sophistication that will have to be on the application vendor’s side,” she says. “We attack part of the process but the application vendors will have to do their part, too.”

Many companies today are choosing to protect a single application server with Check Point’s VPN gateway/firewall product, adds Stern. This allows them to avoid many access control problems by filtering out unauthorized users with extra-strong authentication just prior to entering the application. “[Using the application server firewall,] we can create classes of users with varying access levels. Then it’s up to the application to deliver precisely the right information to the user.”

Julian calls access control relative to security the “missing link” of VPN technology, although he expects the gap to be filled relatively soon.

Keeping Intruders Out Companies employ different security measures to protect their VPNs. Some install and manage their own VPN security, while others outsource security to a third-party service provider. Source: Forrester Research Inc., late 1997 report

This will hamper companies’ ability to build extranet VPNs. After all, no company wants its business partners–no matter how close–to have unfettered access to their data. Access control remains thorny. Several start-up companies are working to address this problem, but none has succeeded to date, according to Julian.

E-commerce in general and VPNs in particular put a company’s security organization in a whole new light, says Julian. “Security people have never had the opportunity to have such a strategic impact on the organization. The challenge is to find a way to open up more of the corporation while still keeping it secure,” he says.

Richard Karon, a security analyst for Perot Systems Corp., agrees. Perot uses the Check Point VPN-1 gateway to let consultants access the corporate intranet from the road. When he was preparing the business case to justify buying the Check Point product, Karon relished the opportunity to show a clear return on investment. “This is the first time where I’ve ever seen a security product that could help lower your costs,” says Karon, at Perot headquarters in Dallas.

Not a done deal

Lessons Learned Don’t skimp on user education. Dave Dengler, CIO of Keane Inc., which has a large VPN, says he would spend a lot more time preparing the users if he had the project to do over again. Especially where the remote users are spread out geographically, it’s important to educate them via e-mail, newsletters, and the like on what to expect. Dengler has now teamed up with his corporate marketing department to get the word out on VPN usage. Take stock. Dengler recommends doing a complete inventory of remote users’ hardware prior to implementing a VPN. You’ll need to know configuration information on all the laptops when planning your VPN rollout.

VPNs have been the subject of much interest–and much hype–in the past year or two, but that doesn’t mean the technology is necessarily ready for prime time. “Many people see VPNs as nirvana, solving all their remote-access problems, but it’s not. [This approach] has its own problems,” admits VeriSign’s Chaudhry, who sells VPN technology. For example, all VPNs require some software to reside on the client. Most VPN clients today are “fat” rather than lightweight and easy to manage.

Many early adopters are proceeding with caution. Ellen Van Cleve, director of data communications for The New York Times, has been researching VPNs for more than two years. She’s attracted to the idea of giving Times employees easy and cheap access to the intranet while away from the office. But she worries about–among other things–the reliability of the Internet, the transport protocol for VPNs.

“We won’t place mission-critical applications on a [VPN-based] intranet without a readily available fallback to non-Internet access methods–not yet, anyway,” says Van Cleve, in New York City. Her team is conducting rigorous testing of Internet security and reliability. These users are “beating up” on the VPN to see if they can uncover security holes and testing mission-critical applications to see if the reliability is adequate.

The truth is VPN technology is not quite there, says Forrester’s Julian. “It’s not really happening now. VPNs are too complex for a mass of people to be doing them at this point. You find tire-kicks for the most part.” But if you’re eyeing your dial-up bills with despair, start checking out your VPN options now. Julian expects most issues to be resolved within six months to a year. //

Lauren Gibbons Paul is a contributing editor and monthly columnist for Datamation. She writes frequently on intranet and e-commerce issues. You can reach her at laurenpaul@mediaone.net.