As businesses work at adding more security to company communications, VPNs
(virtual private networks) are getting a lot of play. If you’ve seen one
VPN, though, you haven’t necessarily seen them all. Just for starters, some
network managers are implementing VPNs in-house, whereas others are
outsourcing to service providers.
Industry seers expect VPN sales to boom along for years to come. Still,
though, the VPN industry is fraught by market confusion and hype. Lots of
vendors claim they’re trying to de-mystify VPNs by simplifying products and
services. To many systems administrators, however, the letters “VPN” don’t
exactly spell “trust.”
Earlier this month, Gartner predicted the worldwide IP VPN
equipment market to show a compound annual growth rate (CAGR) of 12.2
percent from 2002 through 2006, reaching $4.5 billion by 2005. IDC
projects the US market for IP VPN services to grow from over $5.4
billion in 2001 to almost $14.7 billion in 2006, for a 22 percent
CAGR.
Agreement is hardly unanimous, however, over what the VPN acronym even
means.
“Some people in the carrier market still regard a VPN as a fixed
connection, such as a frame relay link. Coming from the world of voice,
they don’t necessarily think of a VPN as something that includes security,”
says Mark Stevens, senior VP of network security for WatchGuard
Technologies.
“If you’re from an Internet background, though, a VPN means that data is
being encrypted in some way — and also that authentication is present, to
verify that data hasn’t been messed with even if it’s already been
encrypted,” according to Stevens.
Some people might consider other security features, such as anti-virus
protection or intrusion detection, to be essential components of a VPN.
Meanwhile, vendors such as NetScreen and SonicWall have been integrating
VPNs with firewalls.
VPN complexity, of course, is a related issue. Corporate administrators and
ISPs can get caught up in an endless maze of technical quandaries. “We are
trying to get a VPN working using IPX and Novell’s client 32. We got it
working a number of times, but recently upon making the connection the
client computer will not reboot itself,” complains one systems
administrator, in an Internet news group.
“Situation: Client has a laptop, uses Microsoft PPTP VPN remotely to access
some resources,” according to another Internet posting. “This has worked
fine, though slowly, over his dialup modem (using) ISDN solution. Now, he
has a cable modem. We can connect, but are unable to log in. After
troubleshooting, it appears the problem is due to the remote VPN and his
local network both having the same IP subnet.”
Another frustrated administrator wonders whether something’s gone wrong
with access permissions. “One of the (people) experiencing the problem can
access files and network resources from her workstation in the office, but
not via VPN from home. If this was an access permission problem, wouldn’t
she not be able to access files locally as well?” the administrator asks.
For simplified implementation and management, VPN appliances have been
gaining ground. “For the most part, appliances are much easier to use than
VPN software,” according to Stevens. Appliances do have their limits,
though, since their capabilities are circumscribed by vendors.
A fairly well populated subset within the VPN product space specializes in
“e-mail VPNs.” Examples include Tumbleweed and now, CipherTrust. “We are
focused exclusively on e-mail solutions,” contends CipherTrust President
and CEO Steve Raber.
According to Raber, CipherTrust’s IronMail appliance concentrates on “multitiered,
multi-layered defenses” that have managed to escape the attention
of mainstream VPN providers.
“In the (new) IronMail with Mail-VPN, one of the things we’ve included us
the ability to use SSL tunneling for e-mail. If you put an SSL card into a
messaging server, though, you’ve only solved part of the problem. It could
still get hacked,” Raber observes.
“Most VPNs only use packet-level defenses for mail. Instead, we look at the
entire message. We also understand what a password means, relative to email.
We’re doing things like mail IDS and blocking ping attacks. We
understand that port 25 is typically left open, so that anything directed
against Microsoft Exchange, for example, will pass through the perimeter
defense,” he adds
“We’re enforcing all the RFCs for mail standards such as IMAP, POP, and
HTTP. To guard against denial of service attacks, we throttle the
connections so you won’t have too many messages from any particular e-mail
address. Then we throttle them again, as they go out the back.”
The IronMail device also includes mail-oriented firewall, virus scanning,
and content filtering systems.
Outsourcing services to a provider is another way to simplify the VPN
situation. “VPN services take away the hassle for customers by hiding the
complexity,” according to Stevens.
“VPNs can be complex to implement, and enterprises that assume there is a
simple definition for a VPN will usually be disappointed with the results,”
concur Gartner analysts, in one recent report. “As VPN projects expand, the
prospect of outsourcing to a carrier or Internet service provider becomes
desirable.”
Giant service providers like AT&T and Genuity are increasingly active in
the VPN market. Their size, established names, and experience with network
management lends them an edge with some customers.
Earlier this year, for instance, AT&T debuted three new managed services:
Enterprise VPN Services Portfolio; High Availability and Security Services;
and Enhanced Managed Hosting Services. The VPN portfolio combines IPsec
VPNs and MPLS (Multiprotocol Label Switching) with several layers of
management from AT&T.
For many customers, however, cost is a key criterion. “We used to work with
AT&T. I’ve seen the bills, and they’re ridiculous,” charges J. C. Chatpar,
president and CEO of Cyber Digital, Inc. Cyber Digital produces digital
voice switching systems for network operators, in addition to IP routers,
gateways and firewalls.
Chatpar, though, says he now wants to help export “the ‘commodity’ concept,
introduced by Dell in the PC market, over to the VPN market.” Cyber
Digital’s new business model combines VPN services with factory-configured
appliances and Web-based product ordering.
After selecting from “7,000 features,” and getting the boxes shipped from
the factory, network managers will be able to install the boxes by
themselves. Administrators will then decide whether to manage the VPN
themselves, or to outsource management to Cyber Digital. Even if they go
the outsourcing route, network managers can still retain control over key
management, Chatpar says.
Cyber Digital’s VPN appliances will priced at about $1,000 to $12,000 each.
Services will start at around $20 per month.
“Users have concerns over privacy, too. Most companies don’t want to be in
the VPN business. The critical element, however, is dependence on the
consultant, who is integrating the VPN with their equipment. Many of them
don’t trust an external person to do this,” according to Chatpar.
