Q: Difference Between Role-Based Access Model and Rule-Based Access Model ( No Answer,   2 Comments )
Question  
Subject: Difference Between Role-Based Access Model and Rule-Based Access Model
Category: Computers > Security
Asked by: imasud-ga
List Price: $10.00
Posted: 01 Oct 2002 20:06 PDT
Expires: 10 Oct 2002 21:31 PDT
Question ID: 71442
Hi, I want to know the difference between the Role-Based Access Model
and the Rule-Based Access Model. What are the advantages and
disadvantages of each model?
How is rule-confliction dealt with in both models?
Netegrity, Oblix and RSA all have Role-Based Access Model systems. I
want to know whether they take into account the rule-confliction or
not.
Answer  
There is no answer at this time.

Comments  
Subject: Re: Difference Between Role-Based Access Model and Rule-Based Access Model
From: ry9000000-ga on 01 Oct 2002 21:04 PDT
 
Advantages of VPN
VPNs promise two main advantages over competing approaches -- cost
savings, and scalability (that is really just a different form of cost
savings).

The Low Cost of a VPN
One way a VPN lowers costs is by eliminating the need for expensive
long-distance leased lines. With VPNs, an organization needs only a
relatively short dedicated connection to the service provider. This
connection could be a local leased line (much less expensive than a
long-distance one), or it could be a local broadband connection such
as DSL service.

Another way VPNs reduce costs is by lessening the need for
long-distance telephone charges for remote access. Recall that to
provide remote access service, VPN clients need only call into the
nearest service provider's access point. In some cases this may
require a long distance call, but in many cases a local call will
suffice.

A third, more subtle way that VPNs may lower costs is through
offloading of the support burden. With VPNs, the service provider
rather than the organization must support dial-up access for example.
Service providers can in theory charge much less for their support
than it costs a company internally because the public provider's cost
is shared amongst potentially thousands of customers.

Scalability and VPNs
The cost to an organization of traditional leased lines may be
reasonable at first but can increase exponentially as the organization
grows. A company with two branch offices, for example, can deploy just
one dedicated line to connect the two locations. If a third branch
office needs to come online, just two additional lines will be
required to directly connect that location to the other two.

However, as an organization grows and more companies must be added to
the network, the number of leased lines required increases
dramatically. Four branch offices require six lines for full
connectivity, five offices require ten lines, and so on. Mathematicians
call this phenomenon a combinatorial explosion, and in a traditional
WAN this explosion limits the flexibility for growth. VPNs that
utilize the Internet avoid this problem by simply tapping into the
geographically-distributed access already available.

Disadvantages of VPNs
With the hype that has surrounded VPNs historically, the potential
pitfalls or "weak spots" in the VPN model can be easy to forget. These
four concerns with VPN solutions are often raised.

1. VPNs require an in-depth understanding of public network security
issues and proper deployment of precautions.

2. The availability and performance of an organization's wide-area VPN
(over the Internet in particular) depends on factors largely outside
of their control.

3. VPN technologies from different vendors may not work well together
due to immature standards.

4. VPNs need to accommodate protocols other than IP and existing
("legacy") internal network technology.

Generally speaking, these four factors comprise the "hidden costs" of
a VPN solution. Whereas VPN advocates tout cost savings as the primary
advantage of this technology, detractors cite hidden costs as the
primary disadvantage of VPNs.

VPN technology is based on a tunneling strategy. Tunneling involves
encapsulating packets constructed in a base protocol format within
some other protocol. In the case of VPNs run over the Internet,
packets in one of several VPN protocol formats are encapsulated within
IP packets.

VPN Security
VPNs work hard to ensure their data remains secure, but even their
security mechanisms can be breached. Particularly on the Internet,
sophisticated hackers with ample amounts of free time will work
exceptionally hard to "steal" VPN data if they believe it contains
valuable information like credit card numbers.

Most VPN technologies implement strong encryption so that data cannot
be directly viewed using network sniffers. VPNs may be more
susceptible to "man in the middle" attacks, however, that intercept
the session and impersonate either the client or server. In addition,
some private data may not be encrypted by the VPN before it is
transmitted on the public wire. IP headers, for example, will contain
the IP addresses of both the client and the server. Hackers may
capture these addresses and choose to target these devices for future
attacks.

VPN Protocols
Several interesting network protocols have been implemented for use
with VPNs. These protocols attempt to close some of the security holes
inherent in VPNs. These protocols continue to compete with each other
for acceptance in the industry.

Point-to-Point Tunneling Protocol (PPTP)
PPTP is a protocol specification developed by several companies.
People generally associate PPTP with Microsoft because nearly all
flavors of Windows include built-in support for the protocol. The
initial releases of PPTP for Windows by Microsoft contained security
features that some experts claimed were too weak for serious use.
Microsoft continues to improve its PPTP support, though.

PPTP's primary strength is its ability to support non-IP protocols.
The primary drawback of PPTP is its failure to choose a single
standard for encryption and authentication. Two products that both
fully comply with the PPTP specification may be totally incompatible
with each other if they encrypt data differently, for example.

Layer Two Tunneling Protocol (L2TP)
The original competitor to PPTP in VPN solutions was L2F -- a protocol
implemented primarily in Cisco products. In an attempt to improve on
L2F, the best features of it and PPTP were combined to create a new
standard called L2TP. L2TP exists at the data link layer (layer two)
in the OSI model -- thus the origin of its name.

Like PPTP, L2TP supports non-IP clients. It also fails to define an
encryption standard. However, L2TP supports non-Internet based VPNs
including frame relay, ATM, and SONET.

Internet Protocol Security (IPsec)
IPsec is actually a collection of multiple related protocols. It can
be used as a complete VPN protocol solution, or it can be used simply as
the encryption scheme within L2TP or PPTP. IPsec exists at the network
layer (layer three) in OSI.

IPsec extends standard IP for the purpose of supporting more secure
Internet-based services (including, but not limited to, VPNs). IPsec
specifically protects against "man in the middle attacks" by hiding IP
addresses that would otherwise appear on the wire.

SOCKS Network Security Protocol
The SOCKS system provides a unique alternative to other protocols for
VPNs. SOCKS functions at the session layer (layer five) in OSI,
compared to all of the other VPN protocols that work at layer two or
three. This implementation offers advantages and disadvantages over
the other protocol choices. Functioning at this higher level, SOCKS
allows administrators to limit VPN traffic to certain applications. To
use SOCKS, however, administrators must configure SOCKS proxy servers
within the client environments as well as SOCKS software on the
clients themselves.

VPN Hardware and Software
Literally dozens of vendors offer VPN-related products. These products
sometimes do not work with each other because of the choice of
incompatible protocols (as described above) or simply because of lack
of standardized testing.

Some VPN products are hardware devices. Most VPN devices are
effectively routers that integrate encryption functionality. Other
types of VPN products are software packages. VPN software installs on
top of a host operating system and can require significant
customization for the local environment. Many vendor solutions
comprise both server-side hardware and client-side software designed
for use with the hardware.

Conclusion
An amazing amount of development effort has been invested in VPN
technologies. Yet the task of choosing and deploying a VPN solution
remains far from simple. It may prove helpful to train users in at
least the basics of VPN clients to help them migrate to new VPN
deployments.

The most common public network used with VPNs is the Internet, but
traffic congestion and router failures on the Net can adversely impact
the performance of these VPNs. When building a Net-based VPN, it will
be important to choose a high-quality service provider.

Subject: Re: Difference Between Role-Based Access Model and Rule-Based Access Model
From: imasud-ga on 08 Oct 2002 08:23 PDT
 
I did not ask for VPN.
What is VPN?
I want a contrast between Rule-based access model and role-based
access model for web.
