Table Of Contents

Virtual Private Networking

Introduction
Identification of the Technology
Virtual Private Networking Service
Virtual Private Network Technology
Applications of VPN Services and Technology
Identification of Major Players

Introduction

Virtual Private Networking (VPN) is one of the most widely used and most misunderstood terms in the Information Technology industry today. This paper will attempt to remove some of the mystery behind VPNs and identify the primary applications and limitations of this technology.

Identification of the Technology

The term Virtual Private Networking (VPN) has its origin in voice telecommunications. In fact, Virtual Private Networking is a trademarked voice service offered by Sprint and GlobalOne. VPN has also been used as a generic name to refer to AT&T's Software Defined Network and MCI Communications' VNet service. However, in the late 1990s the VPN terminology was recast in the world of Data Networking.

Virtual Private Networking nomenclature, when applied to Data Networking, is inexact. The term VPN is used to refer to vendor-provided network service offerings while at the same time it describes a set of specific networking technologies. We will briefly discuss the definition of Virtual Private Networking used by companies like AT&T and UUNet to market and sell data networking services. However, we will devote the majority of our attention to the technology components collectively comprising Virtual Private Networks and to the applications for this technology.

Virtual Private Networking Service

Large network service providers such as Compuserve, IBM Global Services, AT&T, Sprint and MCI have begun to offer VPN services to large and small businesses. These services are typically defined by the providers as managed TCP/IP networks with strict access controls and some level of network privacy. Successful VPN service providers leverage their vast network transport facilities (e.g. the Public Switched Telephone Network [PSTN], Synchronous Optical Networks [SONET], Frame Relay networks, and Asynchronous Transfer Mode [ATM] networks) across a wide client base to transmit customer data more cost effectively. The value proposition for the customer is created by the providers passing on these efficiencies in the form of lower costs while offering the advantages of a private or dedicated network.

Internet Service Providers (ISPs) already use the model of shared TCP/IP based networks to deliver low cost transport services. ISPs are using VPN technology to provide a greater degree of privacy and access controls to their Internet-based networks. These privacy enhancements are targeted at corporate customers who feel the public Internet is too risky for their mission critical corporate data.

Virtual Private Network Technology

In addition to the VPN services discussed previously, there is a collection of technology components, both hardware and software, emerging to provide greater privacy over unsecured and public networks. These technologies primarily apply to IP-based networks but in some cases have been extended to Apple Computer networks (based on the AppleTalk communications protocols), Novell's Internetwork Packet Exchange protocol (IPX) and the Network Basic Input/Output System (NetBIOS) Extended User Interface (NetBEUI).
Virtual Private Networking technologies are implemented at the network level and typically provide tunneling, encryption, security key exchange and authentication services. Before proceeding it is important to have a good understanding of what these technologies provide.

Tunneling: Tunneling is the technique that allows information to pass from a private data network across a shared or public network transparently, maintaining the appearance of one logical network. In other words, from the end users' perspective they are simply a node on the private network: they have the same IP addressing structure and network access as if they were directly connected to the network in their office. Tunneling technology does not by itself provide security services such as encryption and authentication; a bare tunnel carries the private network's packets across the shared network in the clear. Those services can, however, be bundled in vendor-provided VPN solutions.

Encryption: Encryption technology, in this context, is used to encode data at or before transmission so that it cannot be read as clear text by unauthorized parties; the receiver decodes the data on receipt using a program and a decryption key. Encryption can be applied at the file level, using programs such as Pretty Good Privacy (PGP) or utilities based on the 56-bit Data Encryption Standard (DES; note that a 56-bit DES key was publicly recovered by brute force in 1998, so DES on its own is no longer a strong choice). It can also be applied at the network level to secure the transmission link (IPSec; PPTP, L2F and L2TP are tunneling protocols that rely on a separate mechanism for encryption, such as Microsoft Point-to-Point Encryption with PPTP or IPSec with L2TP), at the session level using Secure Sockets Layer (SSL), or at the application level to secure specific applications such as Email (S/MIME) and Web applications (S/HTTP).

Authentication: Authentication can be achieved using a variety of technologies and techniques, including X.509 certificates, UNIX login and password, and token-based one-time passcodes. It is essentially a method for verifying the identity of users; the verified identity is then the basis for authorizing their access to the network and to specific applications on the network.

Using VPN technology as a method for securing data transmissions at the network level provides a distinct advantage over other methods. For example, application-level encryption techniques such as Secure Multipurpose Internet Mail Extensions (S/MIME), used to encrypt Simple Mail Transfer Protocol (SMTP) Email and attachments, or Secure Hypertext Transfer Protocol (S/HTTP), used to secure Web traffic, are very specific point solutions. Network-level services associated with VPN technology can support multiple applications using the same security method. VPN authentication and encryption services remove the requirement for application-specific security. Therefore communications are trusted between a secure client and the VPN server for all applications. Note the boundary of that trust: the protection covers the path between the client and the VPN server (or between two VPN gateways), and traffic beyond that point travels on the private network as it always did, so anything that must stay confidential inside the private network still needs host-level or application-level protection.

In some cases this has the added advantage of relieving the user from having to perform file-level encryption using tools like Pretty Good Privacy (PGP). This reduction in user intervention is usually desirable, and it is a real security advantage where an incorrect encryption step by a novice user could otherwise compromise security. To summarize, VPN technologies provide a secure transport for multiple applications and limit end-user intervention in the security process.
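The three components described above (tunneling, encryption and authentication) and the network-level advantage just discussed, as an added example that is not part of the original paper: a minimal Python model of IP-in-IP tunneling beside a protected tunnel laid out the way IPSec's Encapsulating Security Payload (ESP) is (SPI, sequence number, IV, ciphertext, integrity check value). Everything in it is constructed for the demonstration, not captured traffic: the addresses, the keys, the application payload and the function names are assumptions, and HMAC-SHA256 used in counter mode stands in for the block cipher a real implementation would negotiate, so that the example runs with the standard library alone.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed sample addresses (RFC 5737 documentation ranges on the public side).
PRIVATE_SRC = "10.1.0.5"      # hypothetical user workstation on the private network
PRIVATE_DST = "10.2.0.20"     # hypothetical server at headquarters
PUBLIC_GW_A = "198.51.100.1"  # hypothetical VPN gateway, branch side
PUBLIC_GW_B = "203.0.113.1"   # hypothetical VPN gateway, headquarters side
ESP_PROTO = 50                # IP protocol number assigned to ESP
ICV_LEN = 16                  # integrity check value: HMAC-SHA256 truncated to 128 bits


def _checksum(data: bytes) -> int:
    """Standard Internet (ones-complement) checksum over 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _addr(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, _addr(src), _addr(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def inner_packet(payload: bytes, proto: int = 6) -> bytes:
    """The packet a private-network host emits (proto 6 = TCP); the VPN never alters it."""
    return ipv4_header(PRIVATE_SRC, PRIVATE_DST, proto, len(payload)) + payload


def plain_tunnel(inner: bytes) -> bytes:
    """Tunneling alone (IP-in-IP, outer protocol 4): the inner packet rides verbatim."""
    return ipv4_header(PUBLIC_GW_A, PUBLIC_GW_B, 4, len(inner)) + inner


def _keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    # Stand-in for a block cipher in counter mode: HMAC-SHA256 as a PRF over (iv, counter).
    blocks = [hmac.new(enc_key, iv + struct.pack("!I", ctr), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))


def esp_tunnel(inner: bytes, enc_key: bytes, auth_key: bytes, spi: int, seq: int,
               iv: Optional[bytes] = None) -> bytes:
    """Tunneling plus encryption and authentication in ESP layout:
    outer IP | SPI | sequence | IV | ciphertext(inner packet) | ICV (encrypt-then-MAC)."""
    iv = iv if iv is not None else os.urandom(8)
    body = struct.pack("!II", spi, seq) + iv + _xor(inner, _keystream(enc_key, iv, len(inner)))
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return ipv4_header(PUBLIC_GW_A, PUBLIC_GW_B, ESP_PROTO, len(body) + ICV_LEN) + body + icv


def esp_receive(packet: bytes, enc_key: bytes, auth_key: bytes,
                replay_state: dict) -> Optional[bytes]:
    """Receiving gateway: authenticate first, reject replays, then decrypt.
    Returns the inner packet to forward onto the private network, or None to drop it."""
    body, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None                      # forged or corrupted: never decrypt unauthenticated data
    spi, seq = struct.unpack("!II", body[:8])
    if seq <= replay_state.get(spi, 0):
        return None                      # sequence number already seen on this SA: replay
    replay_state[spi] = seq              # advance the window only after authentication
    iv, ciphertext = body[8:16], body[16:]
    return _xor(ciphertext, _keystream(enc_key, iv, len(ciphertext)))


def observer_sees_payload(wire_packet: bytes, payload: bytes) -> bool:
    """What a sniffer on the shared network learns: does the cleartext appear on the wire?"""
    return payload in wire_packet


def demo() -> dict:
    payload = b"GET /finance/payroll.xls HTTP/1.0\r\n"  # constructed application data
    inner = inner_packet(payload)
    enc_key, auth_key = os.urandom(32), os.urandom(32)  # keys a key-exchange step would establish
    state = {}
    protected = esp_tunnel(inner, enc_key, auth_key, spi=0x1000, seq=1)
    tampered = protected[:-1] + bytes([protected[-1] ^ 0x01])
    return {
        "plain_tunnel_leaks": observer_sees_payload(plain_tunnel(inner), payload),
        "esp_leaks": observer_sees_payload(protected, payload),
        "esp_roundtrip": esp_receive(protected, enc_key, auth_key, state) == inner,
        "replay_dropped": esp_receive(protected, enc_key, auth_key, state) is None,
        "tamper_dropped": esp_receive(tampered, enc_key, auth_key, {}) is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The contrast between the two tunnels is the point of the tunneling paragraph above: an observer on the shared network reads the private packet, addresses and payload included, straight out of the IP-in-IP tunnel, while the protected tunnel exposes only the outer gateway addresses, the SPI and the sequence number. The receiver also verifies the integrity value before it decrypts anything and only advances its replay state once the packet has authenticated, which is the order IPSec's ESP specification requires; the same code path serves the TCP request shown here and any other inner protocol, which is the multi-application advantage the paper describes.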

We have discussed the basic technology underlying VPNs at a high-level and some advantages of the technology. However, today much of this technology could be considered leading edge, in spite of what the vendors may lead you to believe.

Currently, a few vendor-specific or de facto standard solutions have emerged to create VPNs. Point-to-Point Tunneling Protocol (PPTP) is one such solution, typically used for dial-up networking in a Microsoft environment. Another widely used solution for tunneling between two pieces of network equipment is Layer 2 Forwarding (L2F). A hybrid of these two has emerged, called Layer 2 Tunneling Protocol (L2TP). Although large vendors such as Microsoft and Cisco Systems sponsor these solutions, they have limited interoperability and known security weaknesses (the MS-CHAP authentication and MPPE encryption used with PPTP were publicly cryptanalyzed in 1998). IPSec, on the other hand, is an emerging framework the Internet Engineering Task Force (IETF) has largely defined to standardize VPN technologies. This framework provides the mechanisms used to negotiate session keys and encryption algorithms (the Internet Key Exchange, IKE) and to transport authenticated and encrypted packets (the Authentication Header, AH, and the Encapsulating Security Payload, ESP). Many vendors have pre-standard IPSec implementations and have participated in interoperability testing with some success. This is a positive sign, but IPSec is still not a mature and stable standard.

The bottom line is that today most Virtual Private Networking vendors require you to install some unique piece of code on the client desktop, either as an addition to the TCP/IP stack or at the Network Driver Interface Specification (NDIS) layer. In the future IPSec will likely be embedded in Microsoft's operating systems and in most firewall products. VPN technology is relatively immature, with vendor-specific implementations lacking interoperability. On the positive side, there are distinct advantages to using VPN technology, such as user transparency after the initial installation and multi-application support. In addition, IPSec is a possible standards-based solution to the current interoperability issues.

Applications of VPN Services and Technology

Figure 1.1 below models two traditional types of data connections, dedicated connectivity and dial-up networking (also referred to as remote access). Dedicated connectivity in the U.S. is typically in the form of a T1 connection (1.544 Mbps), fractional T1 (N x 64 kbps), or 56 kbps service. These connections have an access component (FCC Tariff 11) and a private line component (FCC Tariff 9). The access component is the transmission line from the customer facility to the Bell operating company's central office (CO), and the private line component is the "long-distance" carrier facility. The pricing for each of these components is typically distance sensitive: the longer the circuit, the more it costs. This distance-sensitive pricing model is very similar to the dial-up environment, also depicted in Figure 1.1. Local phone calls are essentially free after paying a flat rate for local telephone service (there is no additional per-call cost for local calls). However, we pay some amount per minute above the basic service fee for long distance, and this per-minute charge varies based on where you are calling.

As we look at Figure 1.2 we see three very interesting advantages to introducing a shared network transport and VPN services. First, the "long-distance" component of the dedicated service is eliminated and replaced by the shared VPN service. Second, the dial-up connections can be shifted from a long-distance or 1-800 number to a local call. The third advantage is subtler: we have moved from a point-to-point to a point-to-multipoint connectivity model. This allows a facility to share a single physical access connection across many virtual point-to-point connections, and allows any user to communicate with any other user without a dedicated connection between each pair of end points.

The cost savings are particularly evident in the dial-up or remote access environment, since corporate employees will be able to dial a local number to access their corporate data back at the home office. As previously mentioned, the typical method for remote access today involves dialing up to a central modem pool at the headquarters office via a 1-800 number. This can be quite expensive for companies that are widely distributed and have large mobile sales or support organizations.

Figure 1.1

Figure 1.2

As stated previously the primary drivers for Virtual Private Network Technology are:

  • Remote Access Costs

      According to Gartner Group research, by the year 2003 10 to 15 percent of the global work force will telecommute at an annual cost of more than $1 trillion. Most enterprises today have built remote access facilities allowing their users to dial into a central site within the enterprise and gain access to network resources. The resulting usage-based pricing can amount to hundreds of thousands of dollars per month. These expenses are very unpredictable and difficult to budget. In addition to recurring dial-up costs, corporations are faced with the constant churn of access and modem technology (e.g. xDSL, cable modems, V.90, ISDN, etc.). This has forced companies to budget for periodic large capital investments to upgrade their modem pools, as well as additional expense to train their staffs to support the newer technologies.

      The growing mobile user base, high usage-based costs, and the rapid changes in modem technology have led enterprises to push modem pools out to the service providers to manage. This in turn has led to the introduction of VPN technologies and services to provide authentication, access control, and privacy for these connections.

  • Low cost augmentation of Corporate Intranets (or Wide Area Networks)

      VPNs are not expected to replace corporate Wide Area Networks (WAN) due to scalability concerns, complexity, and stability. However, for small sites which could not cost justify a dedicated T1 or Frame Relay connection to the corporate WAN, VPN services and technologies may offer a low cost alternative to augment WAN infrastructure.

  • Extranet (or inter-company communications)

      Currently, direct inter-company data communications are achieved by two primary methods. First, Value Added Networks (VANs) are used to establish, manage and intermediate data exchange between two entities. VANs are often used to facilitate Electronic Data Interchange (EDI) connections and transactions. However, this method of transferring information is typically billed at a per-character, per-message or per-kilobyte rate and is relatively expensive. The second method is to provide direct network connections or direct dial-in access to the corporate private network. These connections may terminate directly into a host or mainframe computer to allow customers or suppliers access to a particular application, or they may provide broader access to network resources. Security is controlled on a case-by-case basis, and each connection is unique from a connectivity and facilities standpoint.

      In its current state, Virtual Private Networking technology offers little more than the advantages discussed in the remote access and corporate WAN sections above when applied to inter-company communications. However, as the technology matures there is potential to lower transport costs and greatly simplify the extranet communications components. With the emergence of standard tunneling and security protocols such as IPSec, the public Internet or similar large-scale IP-based networks may become viable as a common transport facility. This may in turn reduce the need to create unique connections to business partners on a case-by-case basis.

  • Increased data transmission security within a company

      The use of Virtual Private Network services and technology within a private corporate network is probably the least developed application for VPNs and the most susceptible to failure. As networks become more accessible and tools to capture data on the network become increasingly embedded in the operating systems (Windows NT 4.0 Server ships with a built-in network protocol analyzer, Network Monitor), sensitive data will need to be secured even when crossing private networks. VPN technology has been suggested as a method for providing authentication and network privacy within a corporation. The issues associated with this today include the performance of tunneling protocols when operating at LAN speeds, complexity, the cost of the desktop VPN applications, and their lack of user transparency. These technical barriers make internal company security an unlikely but possible application for VPN technology.

Identification of Major Players

From a pure technology perspective there are several key vendors that either are or will be delivering products in the VPN space.

  • CheckPoint - CheckPoint is a key player in the firewall product space, having captured 43% of the global firewall market. CheckPoint currently has a software-based VPN solution which can be bundled with its firewall product.
  • Cisco Systems - Cisco has partnered with Cylink and RedCreek for most of its VPN technology solutions, but it has a huge installed base in the network equipment space that it can leverage to push its products into the market.
  • Microsoft - Microsoft currently has fairly weak product offerings but will play a critical role in VPN client technology at the desktop.
  • Information Resource Engineering (IRE) - The SafeNet product from IRE is a hardware-based virtual private networking and authentication product that is well positioned and available today.
  • Cylink - A long-standing encryption engineering company with a wealth of technical expertise in the area of data security.
  • Nortel/Bay Networks - With Bay Networks' acquisition of New Oak Communications, it has become a player in the VPN space.
  • RedCreek - RedCreek is providing a hardware-based VPN card that runs in a standard NT server as an off-load processor, allowing for a large number of concurrent tunneled sessions. This technology is also being integrated into Cisco's PIX Firewall.

References:

  • Georgia-Pacific Internal Technology Plan, June 1998 (input from various technology vendors)
  • Gartner Group Research Note, VPN Technology: Define It Before Designing It, 13 October 1998, J. O'Reilley
  • Gartner Group Strategic Analysis Report, Virtual Private Networking: Finding Opportunity Amid Immaturity, 28 September 1998, J. O'Reilley, M. Zboray, E. Paulak, C. Smith
  • Cisco Systems publication, The New World of Virtual Private Networking Services, posted 31 August 1998
