VPN's: Ready for More than Simple Remote Access?
Although mission critical applications are waiting in the wings, VPN deployments still revolve mainly around remote access. Security and other management issues are things to be reckoned with, though, regardless of the type of VPN implementation.
"Network managers are accustomed to running data over private networks. They're looking at VPNs and saying, 'I'm only going to use them for remote access," says Kathryn Korostoff, president of analyst firm Sage Research.
Ultimately, many companies want to save costs by running mission-critical applications over secure IP networks that are "as reliable as frame relay," concurs Louis Detroia, director of global VPN services at AT&T Business.
To reach that goal, however, many organizations will need to either replace or integrate existing "hodgepodges of different equipment and different methodologies" or outsource VPNs to service providers, according to Detroia.
"You can almost say that every multinational is in a position where they can use help," Detroia said, during the recent Internet World show in Los Angeles.
Beyond the mission-critical and remote access categories, other VPN applications in varying stages of deployment include VoIP, wireless LANs, Internet access, and business partner trading extranets.
For remote access, VPN appliances with built-in multitiered security are typically more than adequate to do the job, suggests Andrew Savage, senior product manager, alignment and security, in Avaya's WAN Wireless Security Group. Administrators can configure levels of encryption and authentication according to the sensitivity of the data.
"The security doesn't have to be 'James Bond, where you hit an eyeball scanner," Savage observes.
Even with remote access applications, though, many consultants are advocating increased security. Jonathan Spira, chief analyst for the Basex Group, points to the need for firewall and intrusion detection hardware or software at remote end points, including telecommuters' home PCs or laptops.
For telecommuters with always on connections, Detroia "highly recommends a very comprehensive firewall," so as to prevent intruders from compromising secure tunnels and possibly "wreaking havoc" on corporate nets.
Firewalls are particularly crucial for end users accessing VPNs through cable networks, as opposed to dial-up or DSL connections, notes John O'Keefe, CEO and CTO for Fine Point Technologies, Inc.
Wireless LANs also need extra protection, according to Spira. Wireless protocols such as WEP, LEAP, and TLA amount to "garbage mechanisms" without the addition of IPsec, Savage agrees.
Increasingly, VPN appliances are integrating firewalls and intrusion detection. Administrators can also use turn to separate software packages from companies like ZoneLabs and NetScreen.
For mission critical and VoIP deployments, though, network administrators are still looking for "proof points," according to Sage's Korostoff, a speaker at the recent Service Networks conference.
"You can talk to network managers all you want about tunnelling and IPsec. They're just fundamentally uncomfortable about putting proprietary information over anything that's shared. Network managers also have lingering concerns about performance issues. The quality of their work life depends on how many angry phone calls they get," she said afterward. Sage conducts ongoing research among network managers.
Outside of security and performance, other management issues include usability, IPsec interoperability, and administration of distributed VPNs. "Interoperability has been a big deal within IPsec for a long time," according to Avaya's Savage.
At this point, products certified by groups such as ICSA Labs and the VPN Consortium are largely interoperable, Savage says. Still, some tweaking might be required in more complex deployments, such as those relying on Triple DES encryption.
For distributed VPN management in larger VPN implementations, some vendors now sell VPN switching solutions. Advantages can include greater VPN uptime; scalability; and "intelligent movement between flows of traffic," maintains Radware COO Vik Desai.
AT&T is now teaming with Radware in an offering called AT&T Managed Internet Service with Access Redundancy. The solution integrates Radware's LinkProof multi-link traffic manager.
For usability's sake, AT&T has redesigned its VPN client. With version 5 of its dialer, AT&T's intent is to "shield end users from the magic" of cable, DSL, IPsec, and firewalls, according to Detroia. AT&T's firewall software is available as an add-on.
Usable interfaces can also help to cut costs for customers, by minimizing the need for employee training. "People just want to 'click,' and that's it. You don't want to have to retrain your staff," Savage says.
SLAs constitute the best kind of proof point for running mission critical data over VPNs, according to Korostoff. "The SLA is just about the only thing a service provider can do. Through the SLA, (the provider) can show you that you're getting private network-like performance, or that your data is secure."