Virtual private networks
Planning a VPN? This sampling of hardware and software products can help you connect
By Mark A. Kellner
Special to GCN
Take a look outside your office at the nearest freeway. If it's packed, you'll see why analysts say that virtual private networks are on the verge of a major boom. (If it's not, wait a few weeks.)
The link between data networking and road traffic might not be as far-fetched as it first appears. Many cities are under Transportation Department mandates to reduce the amount of traffic, which means reducing the number of people who drive to the office.
At the same time, the dynamics of today's work and family situations are making telecommuting more attractive, and that is one of the prime reasons for growth in VPN demand.
Employees who telecommute can save their employers thousands of dollars in reduced absenteeism and job-retention costs, according to research reported last month by the International Telework Association & Council, a Washington nonprofit organization that counts the General Services Administration, AT&T Corp. and software maker Symantec Corp. of Cupertino, Calif., as sponsors.
The survey found that employers can save 63 percent of the cost of absenteeism per telecommuting employee, or $2,086 per worker per year.
The amount was based on the average salary reported combined with the average number of days on which telecommuters were absent but still were able to work part of the day from home. That's because telecommuters who need to spend part of a day attending to personal business often are able to work half a day after completing those tasks, whereas in-house employees usually would need to take a full day off, the group said.
For many telecommuters, however, access from home has been gained over dial-up lines at 56-Kbps or slower speeds. Trying to access the office network at that rate can be frustrating, and telecommuters often need special software [GCN/Shopper, August, Page 34]. For other telecommuters, access can be through a leased line, which is expensive and drains agency resources.
Remote access extends beyond individual telecommuters to branch offices and the telecommuting centers being opened by GSA and other agencies [GCN, Aug. 23, Page 9].
Connecting smaller offices to a central network has almost exclusively meant high leased-line costs.
VPNs are here
The arrival of VPNs, for which the Internet takes the place of leased lines or dial-up connections, has changed the landscape of remote access.
Although about 1 million Americans have broadband Internet access, the number of subscribers to digital subscriber line and cable modem Internet access is growing.
DSL is expected to expand rapidly during the next two years, and cable modem growth is likely to be equally strong.
'When people see these fast connections and realize that they can, with VPN software and hardware, get very fast connections that are far-and-away superior to remote-access dial-up, they get excited,' said Stuart Moore, a VPN product manager with Lucent Technologies Inc. who telecommutes via a VPN from his Silver Spring, Md., home.
The Intel LanRover VPN Gateway is a tunnel server with full authentication, encryption, routing and firewall features. The LanRover is priced at $6,200.
'To give you an idea, Lucent has 150,000 employees. We're in the early parts of a VPN deployment, and in our company people keep calling me up and asking about getting into these trials,' he said.
According to market research firm International Data Corp. of Framingham, Mass., the remote- and mobile-employee segment of the U.S. work force will jump from 35.7 million this year to 47.1 million by 2003.
'U.S. corporations are investing information technology dollars in building an infrastructure that supports a growing remote and mobile work force because companies that leverage remote and mobile technologies have an advantage over others and can reduce their rate of attrition,' said Stephen Drake, senior analyst with IDC's remote intranet software research program. 'As a result, the corporate culture is changing, and many companies are instituting optional or mandatory telecommuting for their employees.'
According to Infonetics Research of San Jose, Calif., dedicated VPN hardware revenues totaled $59 million in the second quarter this year, a 59 percent increase from the first quarter. Revenues are expected to reach $293 million by the second quarter of 2000. Sales of routers enabled for VPNs hit $512 million in the second quarter this year and are expected to hit $757 million during the same period next year.
At the same time, creating and managing VPNs is becoming easier for large enterprises and organizations, said Shannon Pleasant, a manager with Cahners In-Stat Group of Newton, Mass.
'It's definitely easier now than it was 12 or 24 months ago,' Pleasant said. 'We now have the emergence of true VPN gateways, and not the daisy-chaining of existing hardware together. There's less struggle for users with things such as encryption.'
All this combines to make VPNs more economical for users who are strapped with high leased-line costs, said Lori Cramer, a VPN product manager at Intel Network Systems of Bedford, Mass.
'Customers say VPN pays off in a month or two; the actual rate depends on alternative solutions and connectivity,' Cramer said. 'We had one customer who was connected to a site overseas via private lines; that paid off in 45 days.
'We're seeing an increase in the deployment of VPN,' she said. 'The market has gone from the innovator stage to the early adopter stage.'
Another factor moving VPNs forward is the rapid rise of business-to-business internetworking, Cramer said.
'We're also seeing an increase in business-to-business e-commerce, which is driving the need for companies to communicate business to business as well as with their customers,' she said. 'All of this is driving the demand for VPN, since the communications link has to be trusted.'
The biggest factor, Cramer and Pleasant agree, is that using VPN is much cheaper than leased access.
A cheaper tab
Motorola's Vanguard 6425, a multiservice router designed for branch offices, can combine fax and analog voice with data traffic. It's priced at $2,760.
A leased T1 line can cost $20,000 per month, Pleasant said, and the addition of equipment and charges for management and maintenance can drive the first-year expense to about $300,000.
Using a VPN can decrease that tab, Cramer said. A VPN decreases monthly line charges to $12,000, Pleasant said. 'There's no management fee; hardware is about $20,000 up front. So the first-year cost is about $150,000,' she said.
'The caveat is how many remote sites you have to manage and how often they need to be connected to you,' Pleasant said. 'If you have a lot of remote users or if you want to establish an intranet or extranet environment, a VPN is a great way' to go.
Tips for buyers
Here are five crucial words to remember about VPNs:
Broadband. End-user access, from homes and remote offices, can often be achieved via broadband services such as cable modems, which usually are residential, and digital subscriber lines, used from both residential and business locations. Each can, optimally, supply sufficient bandwidth for data transmissions at speeds far surpassing those of 56-Kbps modems and Integrated Services Digital Network lines.
Firewall. To safeguard your network and data from unauthorized users, a firewall is an essential component of VPN access. Authorized users can get in; those without access privileges are kept out. Many manufacturers offer firewalls as part of a VPN router package.
IPSec. Internet Protocol Security is a standard created to deal with TCP/IP network security.
Public key. In a dual-key authorization scheme, the public key is the key that can be widely distributed. Public keys are used to encrypt data sent over a network. Only the device holding the secret, private key of the pair will be able to decrypt it.
Tunneling. This is how a network sends its data via another network's connections; for instance, the connection of a LAN to a remote user via the Internet. This is accomplished by encapsulating a network protocol within packets carried by the second network.
Lucent's Moore said users will want to have a broad selection of equipment from which to choose when setting up VPNs at their headquarters and remote sites.
'One size fits all is not what customers want,' Moore said. 'In a typical VPN application, you have a headquarters site with high bandwidth needs, and then link up DSL users around the country and a couple of small offices. If you take one device and try to fit in, that doesn't work well.'
Users also need to be able to scale their systems in a hotel room, Moore said.
'When I do some simple math, I've gotten up to 480 Kbps with Triple Data Encryption Standard back to Lucent, which is probably 15 times the speed of dial-up,' Moore said. 'With 100 colleagues, that's close to 45 megabits at a peak connection rate. The implication of widespread VPNs for remote access is you need high bandwidth on the back end, both in service provider pipes and in back-end products.
'The most important thing to look for is management software capabilities. The hardware is not that complicated, but being able to administer 1,000 users if you don't have the right infrastructure in place' is a challenge.
Moore suggested that although there are good management tools available in the traditional remote-access world, the situation is mixed for VPN users.
Buyers need to be careful, Moore said.
At the same time, security is a factor, particularly in government applications.
Almost all major VPN products support the Internet Protocol Security encryption standard, and most can accept triple DES encryption.
Some products can be configured to support specific security protocols already in use at agencies (see story, below).
With the increased popularity of VPN services, is this the beginning of the end for leased lines?
Shift is on
'It's the beginning of a shift in dominance,' Moore said. 'I think the economics make it desirable to shift. If you're paying $1,000 per month for a leased 56-Kbps line or $200 a month for DSL, the economics are very powerful.'
Said Pleasant: 'The next stage for VPNs is deployment. We will now see a migration from home-grown VPN solutions to network-based ones where the service provider has hardware and you pay for service.'
Mark A. Kellner is a free-lance technology writer in Marina Del Rey, Calif. He can be reached via e-mail at firstname.lastname@example.org.
| Vendor | Product | Platforms | Description | Price |
|---|---|---|---|---|
| Acotec | VPN Client Manager | Win9x, NT | Works with Acotec Remote Client manager to handle VPN connections | $20 |
| Check Point Software Technologies Ltd., Redwood City, Calif. | VPN-1 Gateway | NT, Solaris | Integrated software combines Check Point's FireWall-1 security suite with its encryption module (Triple DES); supports public-key infrastructures | $3,495 |
| Cisco Systems Inc., San Jose, Calif. | Cisco 7120 VPN Router | Platform-independent | Is scalable to support up to 2,000 simultaneous VPN tunnel sessions with Triple DES encryption throughput at full-duplex T3 speeds; operates on T1 to T3 circuits | $14,900 |
| Cisco Systems Inc., San Jose, Calif. | Cisco 7140 VPN Router | Platform-independent | Integrates firewall, encryption, tunneling features, with autosensing 10/100-Mbps Fast Ethernet plus two WIC slots, AUXPort | $1,395 |
| Information Resource Engineering Inc. | SafeNet/Soft-PK client software | Win9x, NT | Is IPSec-certified, interoperable VPN software for secure client-to-client or client-to-gateway communication | $79 |
| Information Resource Engineering Inc. | SafeNet/Speed | Platform-independent | VPN Gateway features SafeNet DSP Internet security system on a chip; is IPSec-compliant | $1,295 up |
| Information Resource Engineering Inc. | SafeNet/Enterprise | Platform-independent | Single unit combines an Internet gateway and a centralized security management system | $7,000 up |
| Intel Network Systems Inc. | LanRover VPN Express | Platform-independent | End-to-end VPN product offers firewall, 233-MHz Pentium chip with MMX, 32M RAM, PC Card Adapter Drive with 16MB Flash card and two 10/100-Mbps Ethernet interfaces | $3,495 |
| Intel Network Systems Inc. | LanRover VPN Gateway | Platform-independent | VPN tunnel server offers full authentication, data encryption, routing and firewall features | $6,200 |
| Intel Network Systems Inc. | LanRover VPN Gateway Plus | Platform-independent | Is similar to Gateway product but includes a Crypto accelerator card of dedicated application-specific integrated circuits to accelerate standard and Triple DES encryption | $9,250 |
| Lucent Technologies Inc., Murray Hill, N.J. | Lucent VPN Gateway | NT, Solaris | Includes VPN Gateway Appliance, Security Management Server software, Lucent IPSec client software, and a license for 100 simultaneous VPN sessions | $9,995 |
| Lucent Technologies Inc., Murray Hill, N.J. | Hardware Accelerator Encryption Card | Platform-independent | Add-on to VPN Gateway | $3,495 |
| Motorola Inc. | Vanguard 6425 Router | Platform-independent | Multiservice router optimized for small branch offices has dedicated or switched X.25, IP, Frame Relay, Point-to-Point, Multipoint, ISDN and Nx64K (FT1/FE1) connections | $2,760 |
| Nortel Networks Corp. | Contivity 4500 Extranet Switch | Platform-independent | Provides for encryption and authentication; supports Routing Internet Protocol, X.509 standard and a variety of tunneling standards; integrates Check Point FireWall-1 | $34,194 GSA |
| Radguard | cIPro-VPN | Platform-independent | VPN gateway and system provides encryption and authentication on a standalone platform; compatible with IPSec and X.509 standards | $6,450 |
| Radguard | cIPro-FW | Platform-independent | Standalone hardware firewall supports links up to 100 Mbps; includes remote user authentication and supports all IP applications | $4,950 |
| Technologic Inc. | InstaGate Internet Appliance | Platform-independent | Combines Web server, e-mail server, DNS server, firewall, built-in router and office-to-office VPN features | $3,995 |
| Technologic Inc. | Interceptor Firewall | Platform-independent | Remote-user VPN includes management reporting, real-time alerts, web-based secure interface | $3,745 |
| 3Com Corp., Santa Clara, Calif. | VPN Client | Win9x, NT | Supports Ethernet NICs, desktop and PC modems (including V.90), cable and DSL | Ranges from $65 per seat for up to nine users to $40 per seat for more than 500 users |
| 3Com Corp., Santa Clara, Calif. | Pathbuilder S-500 | Platform-independent | Router supports up to 2,000 VPN tunnels; includes dual LAN configuration and Triple DES encryption | $15,995 |
| 3Com Corp., Santa Clara, Calif. | Pathbuilder S-400 | Platform-independent | Router supports two fixed 10/100-Mbps Ethernet ports, two FlexWAN serial ports, with two optional slots for single-port telecom connections and three slots for four-port voice | $5,195, with Triple DES encryption software |
| 3Com Corp., Santa Clara, Calif. | OfficeConnect NetBuilder | Platform-independent | Small-office router offers WAN protocols including Frame Relay, X.25, PPP, ISDN, ATM and SMDS; supports VPN applications | $1,695 including encryption software |