IP VPN: compelling savings – compelling performance?

Briefing IP-based virtual private networks can offer compelling cost savings compared with leased lines, but how can they deliver enterprise-class security and performance?

A Virtual Private Network (VPN) enables organisations to use a shared network - typically the Internet or an IP backbone supplied by a network service provider - to connect remote sites or users together.

Instead of using only dedicated connections (such as a leased line), a VPN makes use of "virtual" connections routed across the shared network to link a company's private network to remote sites or employees. Leased lines may still be used to connect the customer site to the edge of the shared network or, for internet based VPN's ADSL or ISDN may be used to connect to the shared core.

The goal of a VPN deployment is to provide the organisation with the same capabilities as a dedicated Wide Area Network (WAN), but at a much lower cost. Typically WANs are built using leased lines, which become progressively more expensive as the number of branch offices, and the distance between them, increases.

VPNs represent a way to neatly avoid this cost without - subject to proper implementation - sacrificing the security associated with leased-line circuits.

So what's the catch? Security, in a word, or, to be more precise, lack of security, real and perceived, of data transported over VPNs. Many companies fear that security is sacrificed - certainly it is more of a challenge to protect VPNs than is the case with their entirely private counterparts. Worms such as Slammer and Blaster, along with the ever-present risk of denial of service attacks, illustrate the need to protect VPNs that use the internet as their core not just from eavesdroppers, but also from less sophisticated attacks. We shall return to the security issue, but let us first run through the benefits of VPNs, the market size and some of the technology.

Flexible friend

A VPN approach is cheaper and more flexible than WANs over leased lines. Teleworkers, along with mobile sales and support staff, can be supported effectively using the technology. Businesses can extend their private network to distant offices and remote users who traditionally ran up long distance charges when dialling into corporate resources.

The adoption of IP VPN (VPNs which use the Internet Protocol for routing packets) by corporates is expected to drive the worldwide IP VPN equipment market to $4.7 billion by 2006, according to Gartner Dataquest. The analyst firm believes the cost benefits of using the IP VPNs as a basis for a company's global communications (rather than traditional wide area network (WAN) access via a leased line, frame relay or asynchronous transfer mode) are considerable. Consensus analyst estimates are that IP VPNs are 20-40 per cent cheaper to implement and run than traditional VPNs.

A recent survey by In-Stat/MDR of 200 large businesses, each employing more than 1,000 people, revealed that 81 per cent currently use IP VPNs while nine per cent are preparing for adoption within two years. Around half of those who already have an IP VPN are also considering carrying voice traffic over it. Many of the In-Stat respondents also plan to extend IP VPN connectivity to staff who work with wireless devices outside the office.

Virtual services get real

Two standards are deployed in the majority of today's IP VPN services: Multi Protocol Label Switching (MPLS), a technology to speed up and manage network traffic; and IPsec, a set of security protocols.

Looking ahead, a third technology: SSL-based VPNs, is becoming a major area of growth. SSL VPN appliances allow enable to access corporate resources securely through a standard Web browser. The technology scores over earlier IPSec-based VPN technology by eliminating the need to install client software on worker's machines. Analyst firm Infonetics reckons the SSL-based remote access market will exceed $600 million by 2006.

Organisations have four basic choices when installing an IP VPN: to manage their own customer premise equipment (CPE); to get a provider to manage their CPE; to get the provider to host their IP VPNs on their own network; or adopt some combination of the above.

Only the biggest companies should consider managing their own CPE. But even the biggest companies today are looking for service providers to manage their IP VPNs. According to the In-Stat/MDR survey, 74 per cent of firms which now have VPNs in place will switch over to provider-managed services, on cost as well as management grounds.

Bandwidth management and Quality of Service (QoS) are complex technical challenges often more easily handled using VPNs built over a shared IP backbone belonging to a service provider, using MPLS.

Risk management

Most IP VPNs are secured by IPsec, a set of transport and tunnelling protocols which maintains security and privacy while using a shared public infrastructure. Transport mode is less secure as it encrypts only the data portion of each packet, leaving the header untouched. For enterprise-class security tunnelling is required. IPsec does this by encrypting data and sending it through a "tunnel" which cannot be entered by data that is not properly encrypted. For additional security, the originating and receiving network addresses, as well as the data can be encrypted. In practice, IPsec can secure an IPN VPN to a standard approaching that of a dedicated private network.

According to Henry Goldberg, senior analyst at In-Stat/MDR, many of the security worries attached to IP VPNs are unfounded:

"All of the forms of IP VPN services offer considerable security. The MPLS and Virtual Router over ATM network-based services are implemented over a service provider's closed or private IP infrastructure, and provide similar security to traditional Layer 2 Frame Relay or ATM service.

"Network-based IPsec services can be implemented in different ways. It provides highly secure encryption and authentication of traffic, and in some cases may be implemented in addition to the previous MPLS or Virtual Router over ATM solution for customers that want a high degree of security."

As the security concerns are addressed the IP VPN is beginning to be considered as viable for enterprise deployment. But carriers must do more to remove security fears, Caroline Jones, analyst for Gartner's worldwide telecommunications and networking group, says. "Security continues to be a major issue for the uptake of IP VPNs in every region and those business sectors where data is highly sensitive. To benefit from VPNs' great potential, service providers need to remember that a security solution for one region may not succeed worldwide." ®

This briefing note is sponsored by Telewest