VPNs: Six burning questions
- 23 July, 2008 09:57
VPNs are well established as essential tools for corporate communications, but they are not all created equal. Here are six questions and their answers that can help you make decisions about which VPN technology to use.
1. Are Multi-protocol Label Switching (MPLS) VPNs the way to go?
For many corporate network needs the answer is yes, absolutely, and the transition to MPLS is well underway.
Look at the data. MPLS VPNs have been eating away at frame relay for years, and within the next 18 months there will be more MPLS VPN connections than frame relay connections in the United States, according to Vertical Systems Group. By 2011, there will be more than 1 million MPLS VPN connections in the United States, Vertical says.
That means that businesses - in many cases prompted by their service providers - are buying MPLS connections as their connectivity needs expand and they need to connect new sites. But even more of them are migrating from frame relay altogether as the providers themselves make the transition to MPLS, says Rosemary Cochrane, an analyst with Vertical Systems Group. The number of frame relay connections in use is actually declining.
Worldwide, MPLS services reaped US$13 billion last year, a growth of 20 per cent in revenues, according to Infonetics.
The reasons are many. MPLS VPN services offer fully meshed networks as a matter of course; any site connects to any other site. To do the same with frame relay means expensive virtual circuits laid out between every site and every other site. MPLS lets customers shed complexity and cost.
MPLS also supports multiple qualities of service at varying prices to give business customers options to buy less-expensive VPN services for less-critical traffic.
Sprint has just announced it is installing a 40Gbps optical backbone to carry its increasing load of IP traffic generated by MPLS services and Internet traffic, the company says.
2. Will MPLS VPNs save me money?
Probably not. If you do an even swap-out of MPLS for frame relay, the costs of the lines may in fact drop, says Cochrane, but not the price of the service in aggregate. "When companies make that switch the overall price might not go down but the ability to connect to more sites and the flexibility to manage the network may go up," Cochrane says. "We do not see tremendous price declines in going to MPLS from frame, simply because you're using T-1 access and then you start adding on features like security and management and voice."
T-1 access costs about US$435 per month in the United States, according to Nemertes Research, but other access methods can cut that price significantly. For instance, New Edge Networks offers DSL service to carrier MPLS backbone networks that support five qualities of service and business-class service-level agreements for about US$240 per month. Repair-time guarantees and symmetrical bandwidth are more readily available with T-1 services, but the price difference may be worth the trade-off.
"Companies like these services because they offer considerably more bandwidth with little or no increased WAN costs compared to their legacy counterparts - frame relay, ATM, private lines," says Michael Howard, principal analyst with Infonetics.
That is prompting customers to boost the bandwidth they buy for their MPLS VPN connections above the T-1 speeds that are typically the top size for frame relay connections.
"The demand for higher speeds is going up, and that's a function of availability and pricing, depending on who the provider is," Cochrane says. "Is it an incumbent that is cannibalizing its own [frame relay base] or is it a competitive provider offering lower-price access?"
Hands-on customers stand to save more on monthly bandwidth costs building their own MPLS VPNs and shopping around for the best bandwidth costs, she says. "In that case because you're not limited to one provider, you can shop for the best price in each of your locations and then make the connections yourself with hardware and software you own," Cochrane says.
3. Should I build my own VPN?
If you do, you won't be alone, but prepare to spend time and develop expertise in-house.
According to Cochrane, more WAN connections are made over build-your-own VPNs - where businesses buy their own VPN gear and attach it to WAN connections they have purchased separately - than are made over MPLS VPN services.
This can range from installing and configuring MPLS gear at each site - an expensive proposition - to using site-to-site IPSec equipment that is often packaged with firewalls and is generally less expensive.
The trade-off vs. VPN services is the do-it-yourself part. Businesses have to provide the time and expertise to design, install, maintain and troubleshoot the VPN, says Mark Lewis, a networking design consultant and blogger for Network World. And that means training. Without it, troubleshooting VPNs can be "random, time consuming, and will often not resolve your problem at all - it might even exacerbate it," he writes.
4. Should I use IPSec or Secure Sockets Layer (SSL) for remote access VPNs?
SSL. In almost all cases, SSL VPNs can be set up to deliver the same access that IPSec VPNs do. And SSL offers more options.
SSL VPNs offer application-layer secure access over the Internet using capabilities common to most browsers, which means not having to distribute and maintain client software on remote machines. The limitation is that browsers access only Web-based or Webbified applications.
By pushing Java or ActiveX SSL VPN plug-ins to the remote machines on the fly, SSL VPNs can create network-layer connections comparable to IPSec, without having to distribute dedicated VPN client software.
SSL can also give more-detailed control of the resources remote users have access to. Whereas IPSec gives full network access, SSL can restrict access based on applications more readily.
If access to Web applications or Webbified applications is all users need, then the only client software required is a compatible browser. This means users can connect from home machines, borrowed machines or those found in business-center kiosks.
"SSL VPNs have superseded IPSec as the easiest choice for casual and ad hoc employee VPN access requests and for business partners, external maintenance providers and retired associates," says Gartner analyst John Girard. While the sales of SSL VPN gear grew 43 per cent between mid-2006 and mid-2007 to hit US$340 million, the annual growth rate is expected to slow down, resulting in a projected average annual growth rate of 13.8 per cent through 2011.
A separate study by IDC finds that IPSec VPNs accounted for more than half the US$1.27 billion taken in with VPN appliance sales in 2007, but IPSec's share of that revenue actually dropped as a percentage by 9.8 per cent, IDC says. Sales of SSL VPNs went up 18.2 per cent in the same time period.
Still, customers are finding use for IPSec remote access in conjunction with SSL. Sales of hybrid SSL/IPSec gear are lower, but growing faster, than sales of SSL or IPSec gear alone, IDC says.
The top-selling VPN appliance vendors in order are Cisco, Juniper, Nokia, Safenet and Alcatel-Lucent, IDC says.
5. Are VPNs good for VoIP?
MPLS VPNs can provide quality of service that guarantees delivery of VoIP packets on time for better voice quality.
MPLS also scales to accommodate very large numbers of sites fully meshed, so phoning among corporate sites via VoIP shouldn't be a problem.
Using an SSL VPN to carry VoIP over TCP can actually improve voice quality, testing by Network World has found. Because TCP delivers packets in order and retransmits packets that get lost, it can boost the quality of the received call. If bandwidth is sufficient to accommodate the VoIP channel plus the retransmissions, it can improve quality.
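As an added illustration of that trade-off (constructed here, not code from the article or from Network World's tests), the following Python model compares a UDP-style and a TCP-style transport under the same frame loss; the 20 ms frame interval, 50 ms one-way latency, 200 ms retransmission timeout and the loss pattern are all assumptions, and bandwidth limits are ignored.

```python
# Added example, not from the article: a constructed playout-deadline model of
# the VoIP-over-TCP argument; all timing values below are assumptions.
FRAME_MS = 20     # one audio frame every 20 ms (a common packetization interval)
ONE_WAY_MS = 50   # constructed one-way network latency
RTO_MS = 200      # constructed retransmission timeout of the TCP-like transport

def udp_delivery(n_frames, lost):
    """UDP-style transport (RTP over an IPSec tunnel): a lost frame never
    arrives; every other frame lands after the one-way latency."""
    return {i: i * FRAME_MS + ONE_WAY_MS for i in range(n_frames) if i not in lost}

def tcp_delivery(n_frames, lost):
    """TCP-style transport (VoIP inside an SSL VPN): a lost frame is resent after
    RTO_MS and does arrive, but in-order delivery holds back every later frame
    until the gap is filled (head-of-line blocking). Assumes the retransmission
    itself is not lost and that bandwidth is not the bottleneck."""
    handed_to_app = {}
    in_order_time = 0             # time at which the stream was last in order
    for i in range(n_frames):
        arrived = i * FRAME_MS + ONE_WAY_MS + (RTO_MS if i in lost else 0)
        in_order_time = max(arrived, in_order_time)
        handed_to_app[i] = in_order_time
    return handed_to_app

def playout_stats(arrivals, n_frames, jitter_buffer_ms):
    """Count frames that reach the decoder before their playout deadline (nominal
    arrival plus jitter buffer). Missing or late frames are concealed: audible gaps."""
    played = sum(1 for i in range(n_frames)
                 if i in arrivals
                 and arrivals[i] <= i * FRAME_MS + ONE_WAY_MS + jitter_buffer_ms)
    return {"played": played, "missing_or_late": n_frames - played}

def compare(jitter_buffer_ms, n_frames=100, lost=frozenset({10, 55})):
    """Played-frame counts (udp, tcp) for the same constructed loss pattern."""
    return (playout_stats(udp_delivery(n_frames, lost), n_frames, jitter_buffer_ms)["played"],
            playout_stats(tcp_delivery(n_frames, lost), n_frames, jitter_buffer_ms)["played"])

if __name__ == "__main__":
    # Small buffer: the resend lands too late and blocks later frames, so UDP wins.
    print("60 ms buffer  (udp, tcp):", compare(60))    # (98, 86)
    # Buffer that absorbs the RTO: TCP recovers every frame, UDP still has gaps.
    print("250 ms buffer (udp, tcp):", compare(250))   # (98, 100)
```

The model shows why the article's condition matters: TCP only wins when the playout budget can absorb the retransmission delay, otherwise head-of-line blocking costs more frames than the loss itself.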
VPNs can also provide security for VoIP calls running over Wi-Fi networks or wired networks, blocking eavesdropping.
VPNs are also used to protect data from smartphones and other handheld devices, including iPhones, although management for that is still rudimentary.
6. Can I use VPNs in virtual environments?
Yes, and doing so may enhance VPN security.
Many vendors are coming out with versions of their VPN software that run on virtual server platforms. This is desirable for businesses in the midst of virtualization of servers as a way to reduce the number of devices and the electrical power expended in data centers.
The trade-off is that this means not using VPN appliances, which are a popular means of deploying VPN gateways because they are separate devices managed separately.
On the client side of the VPN, running the remote desktop as a virtual machine can help improve VPN security, according to VMware.
Users can configure remote virtual desktops so that they must access corporate sites via a VPN gateway. At the same time, the physical host that the virtual desktop runs on can be barred from the VPN.
So the virtual machine becomes the entity that joins the VPN, meaning that any compromise of the host machine itself is isolated on the physical machine and cannot spread through the VPN into the corporate network.
Virtual machine policies can restrict virtual desktops so they can access nothing but the VPN, making them insulated from attacks originating outside the VPN. "You isolate the virtual machine from everything except the corporate VPN server," VMware says.
Further virtual machine policies can encrypt all data in the virtual machine and block the data from being transferred out of the virtual machine, making it even less likely that data accessed via VPN can be compromised.
Virtual machine expiration policies can further secure VPNs. If a contractor, for example, is granted corporate VPN access via a virtual desktop on the contractor's own machine, the virtual machine can be configured to expire at a certain time, say, the date the contract runs out, VMware says.