Archived from Sun's Dot-Com Builder Web Site
What to Look for When Deploying a VPN (Virtual Private Network)
November 28, 2000
by James Mendelsohn
If you're looking for ways to build communication among employees or among employees and customers, virtual private networks (VPNs) can be a cost-effective means of
extending the workplace to remote users in a readily scalable manner;
communicating quickly with employees who are away from the home network;
gathering information from those communications into your home network immediately;
securely accessing the Internet while away from the enterprise network;
developing an e-commerce and m-commerce channel for designated customers and suppliers.
Defining VPNs
VPNs create secure, private networks over the Internet by establishing authenticated and encrypted tunnels of communication between an Internet access point where a user is (a local POP) and a tunnel terminating device at the corporate network. Alternatively, the tunnel can link a branch office network and a home network. In either case, the tunnels are not permanent, dedicated lines but networks created on demand over the Internet. In effect, the tunnels extend a business LAN into a WAN.
Differing Abilities in VPN Solutions
There are various solutions for creating VPNs, but they are not created equal. They vary substantially in
their configurations;
their ability to integrate with an existing IT system;
their demand upon a business;
the ease and speed with which they provide access to an enterprise network.
Ensuring Basic Capabilities of a VPN
To function securely and privately, be sure your VPN performs these four basic functions in a manner compatible with your network:
Authentication ensures users are legitimate.
Does the VPN authenticate users at the local access (POP) they dial? Does it do so using user names and passwords? Secure tokens? Digital certificates?
Does the VPN authenticate an incoming connection at the home network?
Does it provide a second layer of authentication, confirming that each packet of information sent over the Internet is legitimate?
Encapsulation of all data packets into other TCP/IP packets ensures they can be sent through the tunnels.
Does the VPN use a secure form of encapsulation? Does it use the IPSec standard, which allows for packet-to-packet authentication and end-to-end encryption? Does it use the weaker, but sometimes adequate, PPP security protocol?
Does it use L2TP for support of multiple protocols, such as IPX or AppleTalk?
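The two questions above (a second, per-packet layer of authentication, and encapsulating inner packets so they can travel through the tunnel) are easier to evaluate once you have seen what that check looks like on the wire. The following is an added example, not code from the article or from any VPN product: a deliberately simplified model of IPSec-style per-packet authentication. Each inner packet is wrapped in a constructed outer header (a tunnel identifier and a sequence number) and sealed with an HMAC-SHA256 tag; the receiver rejects packets whose tag does not verify, whose tunnel identifier is wrong, or whose sequence number has already been accepted (replay). Encryption of the inner packet is omitted here; the key, tunnel identifier and packet contents are invented for the demonstration.

```python
import hashlib
import hmac
import struct

# Outer header: 32-bit tunnel identifier (SPI) and 32-bit sequence number,
# both in network byte order. Constructed layout, not the IPSec header format.
HEADER_FMT = "!II"
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAG_LEN = 32  # HMAC-SHA256 output size


def encapsulate(key: bytes, spi: int, seq: int, inner_packet: bytes) -> bytes:
    """Wrap an inner packet: header || inner packet || HMAC over both."""
    header = struct.pack(HEADER_FMT, spi, seq)
    tag = hmac.new(key, header + inner_packet, hashlib.sha256).digest()
    return header + inner_packet + tag


class TunnelReceiver:
    """Tunnel-terminating side: authenticates every packet before forwarding it."""

    def __init__(self, key: bytes, spi: int, window: int = 64):
        self.key = key
        self.spi = spi
        self.window = window      # how far behind the newest packet we still accept
        self.highest_seq = 0
        self.seen = set()         # accepted sequence numbers inside the window

    def decapsulate(self, outer: bytes):
        """Return the inner packet, or None if the packet must be dropped."""
        if len(outer) < HEADER_LEN + TAG_LEN:
            return None                                   # truncated
        header, body, tag = (outer[:HEADER_LEN],
                             outer[HEADER_LEN:-TAG_LEN],
                             outer[-TAG_LEN:])
        spi, seq = struct.unpack(HEADER_FMT, header)
        if spi != self.spi:
            return None                                   # not our tunnel
        # Verify the tag before touching replay state, so a forged packet
        # cannot disturb the window. compare_digest avoids timing leaks.
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None                                   # modified or wrong key
        # Anti-replay: drop duplicates and packets older than the window.
        if seq in self.seen or seq + self.window <= self.highest_seq:
            return None
        self.seen.add(seq)
        self.highest_seq = max(self.highest_seq, seq)
        self.seen = {s for s in self.seen if s + self.window > self.highest_seq}
        return body


def demo() -> dict:
    """Run a constructed exchange and report what the receiver did with each packet."""
    key = b"constructed-shared-key"      # invented; real keys come from key exchange
    rx = TunnelReceiver(key, spi=1)
    p1 = encapsulate(key, 1, 1, b"inner packet 1")
    p2 = encapsulate(key, 1, 2, b"inner packet 2")
    tampered = p2[:HEADER_LEN] + b"X" + p2[HEADER_LEN + 1:]   # flip one payload byte
    return {
        "valid": rx.decapsulate(p1),                                   # accepted
        "tampered": rx.decapsulate(tampered),                          # dropped: bad tag
        "second": rx.decapsulate(p2),                                  # accepted
        "replayed": rx.decapsulate(p1),                                # dropped: seq 1 seen
        "wrong_key": rx.decapsulate(encapsulate(b"other", 1, 3, b"x")),  # dropped
        "wrong_spi": rx.decapsulate(encapsulate(key, 9, 3, b"x")),     # dropped
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {'forwarded ' + repr(result) if result else 'dropped'}")
```

The point for a buyer is the ordering inside decapsulate: integrity is checked before replay state is updated and before anything is forwarded, which is what "confirming that each packet sent over the Internet is legitimate" has to mean in practice.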
Encryption scrambles all data before transmission.
Does the VPN support several different kinds of encryption, including IPSec? Does it allow network managers to decide which level of security a particular transmission requires?
Policy-based filtering, a form of packet filtering, controls access to designated sites or services on the enterprise network.
Does the VPN allow you to permit or to deny such access according to the user or group of users, as you choose?
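To make the permit/deny-by-user-or-group question concrete, here is an added example of a policy-based filter, not the article's or any product's own policy language. It evaluates a first-match rule table against an authenticated user, the destination address and the destination service, and denies anything no rule covers. The users, groups, networks and services are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed group membership; in a real deployment this would come from the
# directory or the authentication step described earlier in the checklist.
GROUPS = {
    "alice": {"engineering"},
    "bob": {"sales"},
    "carol": {"engineering", "it-admins"},
}


@dataclass(frozen=True)
class Rule:
    subject: str   # "user:<name>", "group:<name>", or "any"
    dst_net: str   # destination network in CIDR form, e.g. "10.1.0.0/16"
    service: str   # "<proto>/<port>" such as "tcp/22", or "any"
    action: str    # "permit" or "deny"


# Constructed policy, evaluated top to bottom; the first matching rule wins.
POLICY = [
    Rule("group:it-admins", "10.0.0.0/8", "any", "permit"),       # admins reach everything
    Rule("group:engineering", "10.1.0.0/16", "tcp/22", "permit"), # engineers get SSH to dev
    Rule("any", "10.1.0.0/16", "tcp/22", "deny"),                 # nobody else does
    Rule("any", "10.2.0.0/16", "tcp/443", "permit"),              # intranet web for all users
]


def _subject_matches(rule: Rule, user: str) -> bool:
    """Does this rule's subject cover the given authenticated user?"""
    if rule.subject == "any":
        return True
    kind, _, name = rule.subject.partition(":")
    if kind == "user":
        return name == user
    if kind == "group":
        return name in GROUPS.get(user, set())
    return False


def decide(user: str, dst_ip: str, proto: str, port: int, policy=POLICY) -> str:
    """Return 'permit' or 'deny' for one packet from an authenticated VPN user.

    Unmatched traffic is denied: the filter is a whitelist, so a forgotten
    rule fails closed rather than open."""
    dst = ip_address(dst_ip)
    service = f"{proto}/{port}"
    for rule in policy:
        if not _subject_matches(rule, user):
            continue
        if dst not in ip_network(rule.dst_net):
            continue
        if rule.service not in ("any", service):
            continue
        return rule.action
    return "deny"


def audit(packets, policy=POLICY):
    """Evaluate a batch of (user, dst_ip, proto, port) tuples; returns decisions."""
    return [(user, dst, f"{proto}/{port}", decide(user, dst, proto, port, policy))
            for user, dst, proto, port in packets]


if __name__ == "__main__":
    # Constructed sample traffic from the tunnel.
    sample = [
        ("alice", "10.1.5.5", "tcp", 22),
        ("bob", "10.1.5.5", "tcp", 22),
        ("bob", "10.2.0.10", "tcp", 443),
        ("carol", "10.3.0.1", "tcp", 3389),
        ("alice", "10.3.0.1", "tcp", 3389),
    ]
    for user, dst, svc, action in audit(sample):
        print(f"{user:6s} -> {dst:12s} {svc:9s} {action}")
```

Two design choices matter when you compare products against this: whether the filter can key on group membership rather than only on individual users (rule 1 and 2 above), and what happens to traffic that no rule mentions. A product that defaults to permit pushes the burden of enumerating every forbidden service onto the administrator.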
Selecting the Kind of VPN: Service Provider-Dependent versus Service Provider-Independent Systems
You will immediately find yourself facing a choice between two kinds of VPNs that differ in the degree to which they outsource. They are as follows:
Provider-dependent systems
User-independent systems
A cautionary note: The list of advantages and disadvantages that follows will help you determine which system fits your needs. But it may help to read through the entire checklist before making that assessment.
Provider-dependent systems outsource the VPN as much as possible, typically to an ISP. Each time a remote user seeks access, the ISP authenticates that the user should have access to the VPN and then creates the tunnel to a remote VPN server on the user's enterprise network. These systems have the following advantages and disadvantages:
Advantages
Ease of access -- To access the VPN, users simply dial a local access number for the provider from wherever they are (a business must therefore choose an ISP that has widespread POP locations).
Low demand on IT resources -- The ISP ensures the free flow of information and handles all technical difficulties.
Capital expenditures -- The system minimizes the amount of capital spent deploying a VPN (although recent estimates assign ongoing costs as 80 percent of VPN expenses).
Transparency -- Users often see nearly the same interface as when dialing up remotely. They do not need to learn about additional technology.
Port availability and performance -- A business can contract with an ISP that guarantees port availability and performance.
Scalability -- An ISP can easily scale to meet its customers' needs.
Disadvantages
Security
Outsourced security can be difficult to use or inflexible. The ISP controls remote access to the network.
IS managers cannot monitor the network.
Users may need to remember different passwords and other security protocols.
You may be required to set up a RADIUS proxy on the service provider's network.
Encryption may restrict protocol traffic to IP or unregistered IP addresses.
While the VPN creates secure lines of communication, in this configuration you still trust an ISP with potentially sensitive information.
Cost
Even if capital outlays are less, you pay for services you might well save money on by doing yourself.
Control
You must depend upon the provider to respond quickly to technical problems.
Billing/Cost control
You do not control billing and cannot fully analyze where and how you are incurring expenses, which affects your ability to cut costs.
Flexibility
End users can contract only with those providers whose VPN ability is compatible with the users' network.
Often, the ISP cannot easily customize its offerings on demand to meet the individual needs of a business.
User-independent systems let a business originate the tunnel from the Internet itself, which is essentially a difference at the client, or remote-user, end. A VPN-enabled business has the tunneling software installed directly on the equipment of the remote user, whether that equipment is an employee's laptop or a server behind the firewall at a branch office.
Advantages
Expanded access and flexibility
You are not dependent on your ISP to create a link to the VPN. So long as users can find access to the Internet (via any traditional POP), users can create a link to the VPN and the home network.
Security
You no longer give confidential information to your ISP. Instead, you control who has access to the information sent over the VPN by designating who may use it.
IS managers can optimize their own hardware to make the VPN more secure and more scalable.
Customization/Enhanced Performance
You can repeatedly configure the tunnel terminating device to optimize it for your network.
Speed of implementation
Not all ISPs enable tunneling; the independent solution does not require the ISP to have that ability for a business to establish its network.
Disadvantages
Port availability and network performance -- Remote users depend on whatever availability and performance exist on the POP they find.
Demand on resources -- You must manage and deploy the technology at both the user and network ends.