The VPN advantage

Want to deploy a VPN for your organization? Here is all you ever wanted to know about VPNs: the benefits, security, management, et al.

A Virtual Private Network (VPN) is a network deployed over public shared infrastructure while adhering to the policies of a private network. Examples of such networks include those based on traditional X.25, Frame Relay, ATM, and IP technologies. VPNs do not inherently change WAN requirements such as support for multiple protocols, high reliability, and extensive scalability, but instead meet these requirements more cost effectively. A VPN can utilize the most pervasive transport technologies available today: the public ISP, IP backbones, as well as shared Frame Relay and ATM networks.

Why VPNs?
VPNs offer many advantages over traditional leased line networks. Some of the primary benefits are:

Lower cost than private networks
Elements of cost reduction include transport media, bandwidth, backbone equipment, and operations. According to industry research, site-to-site connectivity costs are typically reduced by 20-40 percent over domestic leased line networks. Cost reduction for client to site dial access is even greater, in the 60-80 percent range.

More flexible and scalable network architecture
Enabling enterprises to more easily and cost effectively communicate with remote offices, international locations, telecommuters, roaming mobile users, and external partners as business requirements demand.

Reduced management onus
The cost of management and upkeep of the network setup compared to owning and operating a private network infrastructure is drastically reduced. Enterprises may outsource some or all of their wide area networking functions to a service provider. This enables enterprises to focus on core business objectives, instead of managing a WAN or dial access network.

Apart from providing these cost related advantages, VPNs also help increase the productivity and improve working conditions for the enterprises.

Elements of a VPN
VPN solutions vary based on the breadth of features offered. A VPN platform must be secure from intrusion and tampering, and must deliver real-time, mission-critical data in a reliable and timely manner. At the same time, it must be manageable across the enterprise. Unless each of these requirements is addressed, the VPN solution is incomplete.

The essential elements of a VPN can be segmented into four broad categories:
Security: Tunneling, encryption, packet authentication, user authentication, and access control. The infrastructure should be capable of handling and reporting various security threats and hacking attacks.

Quality of Service (QoS): Queuing, network congestion avoidance, traffic shaping, and packet classification. These components are important for providing reliable and timely delivery of enterprise data. Also, they help define the Service Level Agreement (SLA) for various enterprise VPNs across the SP backbone.

Management: Enforcing security and QoS policies across the VPN. Once the SLA and security policies have been defined, the monitoring, reporting and management tools for the VPN have to be defined and implemented.

Scalability: Ability to adapt the VPN to meet changing bandwidth and connectivity needs. Moving forward based on the reporting and proactive monitoring of the VPN, the SP and the enterprise need to assess the VPN and plan for the scalability and future traffic and network growth.

Implementing these VPN components does not necessarily require replacement of existing WAN infrastructure. However, it does call for "VPN-capable" platforms. For example, to implement a security component, the networking infrastructure should be capable of supporting security mechanisms such as IPSec.

Let's discuss these different elements of a VPN in detail.

Deploying WANs on a shared network makes security issues a prime concern. Enterprises need to be assured that their VPNs are secure from perpetrators observing or tampering with confidential data passing over the network and from unauthorized users gaining access to network resources and proprietary information. Techniques such as encryption, authentication, and access control guard against these security breaches.

There are 4 key components of VPN security.

  • Tunnels and Encryption
  • Packet Authentication
  • Firewalls and Intrusion Detection
  • User Authentication

These mechanisms complement each other, providing security at different points throughout the network. VPN solutions must offer each of these security features to be considered a viable solution for utilizing a public network infrastructure.

Tunnels and Encryption: VPNs employ encrypted tunnels to protect data from being intercepted and viewed by unauthorized entities and to perform multi-protocol encapsulation, if necessary. Tunnels provide logical, point-to-point connections across a connectionless IP network, enabling application of advanced security features in a connectionless environment.

Encryption is applied to the tunneled connection to scramble data, thus making data legible only to authorized senders and receivers. In applications where security is less of a concern, tunnels can be employed without encryption to provide multi-protocol support without privacy.

The technologies that VPNs employ today include IPSec, Layer 2 Tunneling Protocol (L2TP), Layer 2 Forwarding (L2F), and Generic Routing Encapsulation (GRE) for tunnel support, as well as the strongest standard encryption technologies available, DES and 3DES. Furthermore, for managing security and encryption administration, VPNs should support major certificate authority vendors, such as Verisign, Entrust, Netscape and so on.

Packet Authentication: While intercepting and viewing data on a shared network is the primary security concern for enterprises, data integrity is also an issue. On an unsecured network, packets can be intercepted by a perpetrator, the contents changed, then forwarded on to their destination with erroneous information.

This kind of attack is also known as a man-in-the-middle attack. For example, an intruder can modify an order placed to a supplier over an unsecured network by, let's say, changing the order quantity from 10,000 to 10. Packet authentication protects against such tampering by applying headers to the IP packet to ensure its integrity. Components of IPSec, Authentication Header (AH) and Encapsulating Security Payload (ESP), are employed in conjunction with industry standard hashing algorithms such as MD5 and Secure Hash Algorithm (SHA) to ensure data integrity of packets transmitted over a shared IP backbone.

Firewalls and Intrusion Detection: A critical part of an overall security solution is a network firewall that monitors traffic crossing network perimeters and imposes restrictions according to security policy. In a VPN application, firewalls protect enterprise networks from unauthorized access to computing resources and network attacks, such as denial of service.

Furthermore, for authorized traffic, a VPN firewall verifies the source of the traffic and prescribes what access privileges users are permitted. An added element of insurance in perimeter security is intrusion detection. While firewalls permit/deny traffic based on source, destination, port and other criteria, they do not actually analyze traffic.

Intrusion Detection Systems (IDS) operate in conjunction with firewalls to extend perimeter security to the packet payload level by analyzing the content and context of individual packets to determine if the traffic is authorized. If a network's data stream experiences unauthorized activity, the IDS automatically applies real-time security policy, such as disconnecting the offending session, implementing access control lists on the fly to avoid similar attacks in future, and notifying a network administrator of the incident.

User Authentication: A key component of VPN security is making sure authorized users get access to the required enterprise computing resources, while unauthorized users are blocked off the network entirely. VPN solutions are built around authentication, authorization, and accounting (AAA) capabilities that provide the foundation to authenticate users, determine access levels, and archive all the necessary audit and accounting data. Such capabilities are paramount in dial-up access and extranet applications of VPNs. Most remote dial-up access VPN solutions support RADIUS and TACACS+ user authentication platforms.
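The altered-order case from the packet authentication passage above, as an added example that is not part of the original article: a simplified model of the keyed integrity check value that AH and ESP attach to a packet. It uses HMAC-SHA-256 truncated to 128 bits rather than the MD5 and SHA hashes the article names, and the header layout, key, and order string are constructed for illustration and are not the IPSec wire format.

```python
import hashlib
import hmac
import struct
from typing import Optional

HDR_LEN = 8   # constructed header: 32-bit SPI + 32-bit sequence number
ICV_LEN = 16  # HMAC-SHA-256 output truncated to 128 bits

def protect(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender: prepend the header, append an integrity check value (ICV)."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv

def verify(key: bytes, packet: bytes) -> Optional[bytes]:
    """Receiver: return the payload if the ICV matches, else None (drop)."""
    if len(packet) < HDR_LEN + ICV_LEN:
        return None  # too short to carry a header and an ICV
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(icv, expected):
        return None
    return body[HDR_LEN:]

def tamper_in_transit(packet: bytes) -> bytes:
    """Models the article's altered order: the quantity changes en route."""
    return packet.replace(b"qty=10000", b"qty=10")

# Constructed sample values, not taken from any real deployment.
KEY = bytes(range(32))
ORDER = b"PO-0001 item=widget qty=10000"

def demo() -> dict:
    sent = protect(KEY, spi=0x1001, seq=1, payload=ORDER)
    altered = tamper_in_transit(sent)
    return {
        "intact": verify(KEY, sent),               # accepted
        "altered": verify(KEY, altered),           # dropped: ICV mismatch
        "wrong_key": verify(b"\x00" * 32, sent),   # dropped: not our peer
        # What a receiver that skips the check would act on:
        "unauthenticated": altered[HDR_LEN:-ICV_LEN],
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

Without the shared key the intermediary cannot recompute a valid ICV for the changed payload, so the receiver drops the packet instead of processing an order for 10 units.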

Managing Throughput: Quality of Service (QoS)
QoS is an essential component for efficient use of precious WAN bandwidth and ensuring reliable throughput of important data. The bursty nature of network traffic characteristically makes poor use of network bandwidth by sending too many packets into the network at once or congesting network bottlenecks. The result is two-fold:

  • WAN links are under-utilized a majority of the time, letting expensive bandwidth lie dormant.
  • Network congestion during peak times constrains throughput of delay-sensitive and/or mission-critical traffic.

QoS determines the network's ability to assign resources to mission-critical or real-time applications such as voice/video, while limiting resources committed to low priority traffic. QoS solves the fundamental issues of predictable performance and policy implementation for applications running on a VPN. Policies are used to assign network resources to specific users, applications, project groups, or servers in a prioritized way. QoS consists of the following components with respect to Layer 2 and Layer 3 VPNs:

  • Packet Classification assigns packet priority based on enterprise network policy.
  • Committed Access Rate (CAR) guarantees minimum throughput levels to specific applications and/or users based on enterprise network policy.
  • Weighted Fair Queuing (WFQ) allocates packet throughput based on packet priority.
  • Weighted Random Early Detection (WRED) complements TCP in predicting and managing network congestion on the VPN backbone, ensuring predictable throughput rates.
  • Multi-Protocol Label Switching (MPLS) ensures continuity of packet priority across Layer 2 and Layer 3 VPNs.

These QoS mechanisms complement each other, working together in different parts of the VPN to create a comprehensive end-to-end QoS solution. QoS solutions must be integrated across all parts of the VPN to be effective; single point solutions cannot ensure predictable performance. These QoS mechanisms are a must for both service providers and enterprises to implement and monitor SLAs.

Operating the VPN: Network Management
VPNs integrate multiple security and QoS services in addition to the network devices themselves. Enterprises need to seamlessly manage these devices and features across the VPN infrastructure, including remote access and extranet users. Given these issues, network management becomes a major consideration in a VPN environment. A VPN WAN architecture, however, allows network managers the opportunity to outsource many aspects of network management. Unlike in a private network architecture, a VPN enables enterprises to define what level of network control they need to retain in-house, while outsourcing less sensitive functions to service providers.

Many companies choose to retain full control over deployment and daily operation of their VPN, and thus require a comprehensive, policy-based management system. Such a system extends the existing management framework to encompass WAN management functions unique to VPNs.

As the WAN is extended with VPN technology, a strict set of business requirements must be met for the enterprise network manager to be successful. These requirements include:

  • Minimizing Risk: Moving from a dedicated infrastructure to a shared infrastructure that utilizes WAN transport mediums, such as the public Internet, presents the network manager with new security and auditing challenges. Network managers must be able to extend VPN access to multiple corporate sites, business partners, and remote users, while assuring the integrity of the corporate data resources.
  • Scale: The rapid addition of mobile users and business partners to the VPN requires network managers to expand the network, make hardware and software upgrades, manage bandwidth, and maintain security policies with unprecedented speed and accuracy.
  • Cost: To fully realize the cost benefits of a VPN, network managers must be able to implement new VPN technologies and provision additional network users without growing the operations staff at a proportional rate.

Looking to the Future—Scalability and Migration
When considering a VPN solution, enterprises should consider how VPN technology will integrate into their existing network infrastructure and how it will grow with the dynamic requirements of the enterprise network. VPNs are not an all or nothing network decision; VPNs can be phased into existing private network architectures offering a flexible migration path for the evolution of private networks.

Many organizations will likely deploy VPNs to augment their existing private WAN infrastructures. For such hybrid applications, VPNs can be implemented on existing VPN-capable routers. Additionally, existing VPN-optimized routers can utilize optional hardware components to increase security performance.

Implementing VPN solutions in such a way enables robust VPN functionality without impacting existing network infrastructures, thus ensuring flexibility and growth necessary for the future.

The breadth of applications in today's networks, such as voice and video across the enterprise, requires an end-to-end architecture that is fully aware of such applications and has the capabilities to support them. Such an architecture makes it possible to achieve a high degree of feature integration over the WAN, such as common QoS functions across the service provider and enterprise networks.

VPNs can be divided into three categories based on their topology:

  • Remote dial access: Connects telecommuters, mobile users, or even smaller remote offices with minimal traffic to the enterprise WAN and corporate computing resources.
  • Intranets: An intranet VPN connects fixed locations, branch and home offices of an enterprise across a WAN.
  • Extranets: An extranet extends limited access to enterprise computing resources to business partners, such as suppliers or customers, enabling access to shared information.

Remote dial access VPNs are also known as Client-to-Site VPNs, while both extranet and intranet VPNs can be termed Site-to-Site VPNs.

Chandan Mendiratta is a Systems Engineer at Cisco India and can be reached at chandannm@cisco.com

Copyright 2001: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by The Business Publications Division of the Indian Express Group of Newspapers. Site managed by BPD