Running a virtual private network can save you money on leased lines, but can also create a lot of work. Can managed VPN services save you the trouble?
There's nothing like your company's LAN and Internet access slowing to a crawl and then disappearing entirely to drive home the point that even if you are a good little Boy Scout/Girl Guide and keep all your PC patches and antivirus signatures up to date, some of your less-than-diligent colleagues can still cause you grief.
Corporate Virtual Private Networking (VPN), although available for some time now, is still viewed sceptically by many systems engineers, particularly from a security viewpoint. While most routers and firewalls these days support some form of VPN capability, or at least VPN pass-through, most companies do not have a VPN deployed, preferring to keep their expensive leased lines active or to run their services via an inter-office ATM link or similar dedicated private link.
Let's not get ahead of ourselves here. We are assuming that people are aware of VPNs and the benefits they can bring to businesses by reducing the need for (and therefore the cost of) permanent dedicated private links between geographically distant business locations.
What most people are not aware of is the fact that they can be deployed to operate transparently over disparate network connections and are carrier independent. For example, a head office in Melbourne has its primary production plant in Sydney, and between these two buildings the company already has a dedicated link for voice and data transmissions. The company is facing increasing requests from its branch sales/support offices in Adelaide, Perth, Brisbane, Canberra, Hobart, and Darwin to connect up to the company's central servers and its production servers. Naturally the cost of dedicated lines to and from each location would be uneconomical, especially considering the data requirements would be relatively low between the offices and the central servers. Seeing each office has existing Internet links, albeit via different ISPs and on different carrier networks, the company has a perfect scenario for deploying a VPN solution between each office and the head office. Ultimately it would potentially be in the company's interest to even sever the dedicated link between the Melbourne and Sydney premises and get large local connections and set up a VPN between those links.
The other impediment to more businesses rolling out a VPN between their offices or clients is technical resources, either hardware or the labour to run the link. Hardware is easy to overcome: as already mentioned, most companies already have equipment capable of running these links, or can purchase decent VPN-equipped routers for less than $5000 (which would easily pay for themselves within a short period once the previously dedicated links were removed). The real issue is labour, and that is what the vendors in this review are here for: they offer managed VPN services. So instead of the corporate IT department handling all the setup, configuration, maintenance, monitoring, and support for the link, these companies provide all those services and more. At the end of the day they provide a "buck-stops-here" service for businesses wanting to network or connect two or more locations virtually.
And when you stop to think about it this is a smart way to go. Most organisations already entrust their business phone services to a managed party such as a telecommunications provider or a comms broker. While I am sure that it is physically possible, I certainly would not want to go out there and set up a telephone exchange and mobile towers just to make voice calls (talk about re-inventing the wheel).
Many managed VPN providers are already carriers with their own physical networks and use these VPN services to add value to their data products. Others are independent organisations that can provide VPN services over disparate links and also between different carriers--this is particularly beneficial if you have offices in very different locations and there may be different carriers at each end of the connection.
The security question
A few questions arise over VPN data security, particularly when, as in the case of this article, you are placing your company's VPN management in the hands of a third party. At the end of the day, these questions should be the same as those asked of any service provider, such as a telephone provider, who is capable of eavesdropping on or tapping into your calls. Many people put IT security under intense scrutiny, and while there is nothing wrong with this, we also need to think of analogous services that we all take for granted and to whose security we give little thought.
The inherent concept of a VPN places the emphasis on the "P" for Private. As it is a point-to-point service, the encryption keys are negotiated between the two endpoints, and the data to be sent and received is encrypted, transmitted, and decrypted within that connection. This effectively opens a virtual dedicated tunnel over whatever communications medium is supported by, or available to, the equipment at either end of the link.
The vendors we contacted were: AAPT/Connect, AT&T, Avaya, Equant, Optus, Pacific Internet, Request, and Telstra. Unfortunately Avaya, Pacific Internet, and Telstra were unable to take part in this review.
We asked each vendor a range of questions including:
- What Service Level Agreements are offered?
- What access speeds are offered?
- How long does it take to set up a connection?
- What is the maximum number of clients the VPN can serve?
- What authentication does the managed VPN use?
- What encryption methods does the managed VPN use?
- What hardware and or software is required?
- Does the managed VPN operate over any link or does it have to be a managed private link?
- What service plans do you offer based on users and usage? What are the initial setup costs and what are the ongoing costs?
- What type of general support do you offer?
- Do you support VoIP in the VPN as well?
The answers for some questions were the same for all vendors, for instance, all the vendors said they supported an unlimited number of clients.
Some vendors operate their VPN service over a dedicated private link, such as AAPT and Equant. The others can manage the VPN service over any Internet connection, or offer a combination of private and third-party links.
All the vendors supplied us a list of points of presence, but this was far too long to include in this article; contact the vendors to see if your location is covered.
AAPT/Connect
AAPT's IPVPN service offers a connection from each site into the AAPT national private IP network, allowing communication between sites. Additionally, a router is provided and managed by AAPT at each customer site for interconnectivity to the customer LAN (local area network).
- SLAs: AAPT/Connect offers a range of service level agreements based on pre-defined service and availability levels: service levels A through C and "Enhanced". Each service level has a preset availability level, from 99.2 percent at level C to 99.95 percent for Enhanced. The response time for repairing faults also varies depending on the service level. At service level C, response time is 24 hours in metro areas and 48 hours elsewhere. At the Enhanced level this drops to four hours in metro areas and six hours elsewhere. Customers can view Web-based reports to see how their service is performing.
- Connectivity: AAPT offers connectivity through a wide range of channels, from AAPT's fibre-optic network to wireless (LMDS), DSL, and a range of third-party options. Access speeds start at 64Kbps all the way up to 100Mbps Ethernet. Provisioning times range from 12 days to 45 days depending on the connection and your location.
- Authentication: AAPT uses private IP addressing on its MPLS-based network, so the company claims there is no need to use authentication such as CHAP or RADIUS.
- Encryption: AAPT relies on the privacy provided by MPLS and doesn't use encryption.
- Costs: AAPT's IPVPN is a managed service and the company bills customers a per-site charge for the service. There is a separate charge for installation at customer sites. This charge does not include Internet usage, which is billed separately, and AAPT prefers to negotiate rates with each customer rather than have pre-defined pricing structures.
- Support: AAPT offers phone, e-mail, and fax support 24x7. Onsite support is available depending on the SLA.
- VoIP: AAPT has three classes of service. Realtime supports voice and video, Interactive supports video streaming and interactive applications such as terminal services, while Business Data handles applications that can wait a while, such as e-mail and FTP.
AT&T
- SLAs: AT&T says its SLA covers "site availability, site-to-site latency, site-to-site packet delivery, service restoration and support" and offers "99.99 percent availability guarantees as well as end-to-end quality of service".
- Connectivity: AT&T offers a range of connections including dedicated circuit, frame relay, ATM, private IP, private carrier-based MPLS, public Internet, and OC-48 and OC-192 interoffice trunks. Access speeds range from 64Kbps up to T3/E3. These can usually be provisioned in four to six weeks, depending on the complexity of the setup.
- Authentication: AT&T uses an internal application to manage the authentication of VPN user IDs, but also supports third-party authentication such as RADIUS or SecurID if you need it.
- Encryption: DES and 3DES.
- Costs: AT&T offers a number of service plans for customers, either including or excluding Internet access. Customers can choose to be billed per user or per usage. The managed Internet-based VPN charges include installation, access, and port charges. The MPLS-based VPN charges include all of the above plus bandwidth charges and class of service.
- Support: AT&T has a wide range of support options.
- VoIP: AT&T offers voice as a "customised solution".
Equant
- SLAs: Equant's basic SLA supports uptime and availability "with a variety of scenarios specific to enhanced access services". Equant also defines different classes of service.
- Connectivity: Equant offers access types up to 155Mbps on leased line, frame relay, or ATM technology, DSL access where available, and dialup access through ISDN or the regular phone network.
- Authentication: Equant says its MPLS-based VPN doesn't require authentication. The company says "MPLS capitalises on the scalability of routing as well as the speed and traffic shaping benefits of switches to create a powerful combination of routing and switching. Core devices concentrate on switching IP packets and edge devices concentrate on routing, policing, and prioritisation of IP packets. In addition, edge and core devices are both responsible for multilevel tag labelling." Customers can use their own internal IP addressing schemes, but they need to use specified IP addresses for the VPN connection.
- Encryption: 3DES as an overlay when using IPSec.
- Costs: Equant did not supply specific pricing or cost structure information.
- Support: Equant offers 24x7 support with five support centres around the world providing help in over 32 languages.
- VoIP: Equant says voice over IP is supported in its network using "end to end Class of Service".
Optus
Optus delivers a wide range of VPN services, available in Australia and across the Asia-Pacific region.
Optus offers three broad types of VPN products:
- Private IP VPNs: These are private VPNs managed across the Optus core network to the customer premises equipment (CPE). Typically these services include reporting and management of the VPN itself but do not include management of the CPE.
- Managed Private IP VPNs: The Managed VPN service is also a private VPN managed across the Optus core network, and it also includes management of the customer CPE.
- Secure IP VPNs: These secure VPN solutions are based on IPSec authentication and encryption.
As for the details of the Optus service:
- SLAs: Optus also offers different classes of service but these are based on the applications the service is used for. For instance, the top class "Gold-Voice" is intended for voice traffic, while "Gold-Data" is for critical data, with Silver and Bronze classes for less critical applications. These have predefined conditions for network statistics such as delay, jitter, and packet loss. Optus' service level agreement has some serious teeth, setting parameters for rebates, depending on the severity of the problem and how long it takes to get fixed. These are, in a word, complicated. Optus offers Web-based reporting for its service levels.
- Connectivity: Optus' range of connections is very broad indeed, encompassing PSTN, ISDN, frame relay, ATM, Ethernet, a range of DSL flavours, and satellite. The standard lead time for all these connections is nine working days, with a few caveats. Connection speeds vary from 56Kbps dialup to gigabit Ethernet. Due to its partnership with SingTel, Optus has access to undersea cables and satellite networks for a range of international connections as well.
- Authentication: Optus' private IP VPNs use different authentication depending on the connection type. Its dialup and DSL connections use RADIUS at the back-end, which is delivered through a PAP or CHAP mechanism. Its broadband connections all use MPLS. For its secure VPN products, a range of options including shared key, RADIUS, and smart card-based certificates using a public key infrastructure are available.
- Encryption: None as standard for the private VPN service, but the secure VPN service offers DES56, 3DES, and AES.
- Costs: Optus offers a range of billing options depending on the service and the connection type. For its private IP VPNs, customers generally pay a cost per megabyte, with different charges depending on the class of service. Its secure VPNs are usually billed by the number of VPN tunnels or users. With its wide range of options comes a mix of upfront and per-month costs, which are simply too complex to detail here. To be fair, Optus sent us a great deal of information about what "hidden" costs users could come up against. We suggest you speak to Optus directly about your needs.
- Support: Optus provides a 24x7 support desk. Customers can also access billing, network reporting, and fault tracking information via the Web.
- VoIP: Optus says VoIP is fully supported and around 30 percent of its customers currently use this facility.
Request
Request offers three grades of VPN service:
- RequestVPN Premium
Request takes its VPN services to market through more than 150 channel partners.
- SLAs: Request's service level agreement offers an uptime target of 99.9 percent. If you add in the extra cost of an ISDN backup channel, this can be increased to 99.98 percent. Request offers a statistics and reporting package that provides data on link availability and utilisation.
- Connectivity: Request offers the majority of its services over DSL broadband with speeds ranging from 256Kbps to 2Mbps. A range of other connections, including dialup, ISDN, and Ethernet over fibre, are also available. Request claims an average 12-day turnaround for connections to be set up, and its SLA offers rebates if it takes longer than 17 days.
- Authentication: Request uses CHAP authentication with a RADIUS back end.
- Encryption: Request relies on the privacy provided by MPLS and doesn't use encryption.
- Costs: Request's VPN pricing does not cover Internet access costs. Installation costs include the link, the VPN client, a DSL router, and the VPN server. Ongoing costs include the price of the Internet link and the VPN client fees.
- Support: Request's standard service provides support 7am-9pm Monday to Friday and 9am-5pm Saturday; 24x7 coverage is also available.
- VoIP: Request offers a high-quality "Premium" service that fully supports VoIP.
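Several of the vendors above (Optus for its dialup and DSL links, Request across its service) authenticate the VPN connection with CHAP in front of a RADIUS back end. The following is an added illustration of the CHAP challenge/response exchange (RFC 1994) between a branch router and an authenticator, written for this article and not code from any of the vendors; the peer name, shared secret and challenge values are constructed sample data.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Value field of a CHAP Response packet: MD5(Identifier || secret || Challenge).
    The secret itself never crosses the link, unlike PAP, which sends it in clear."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    """Authenticator side (the role the RADIUS back end plays for the access router).
    Note that CHAP requires the server to hold each peer's secret in plaintext."""

    def __init__(self, secrets_by_name: dict) -> None:
        self._secrets = secrets_by_name   # peer name -> shared secret (constructed sample data)
        self._pending = {}                # identifier -> outstanding challenge value
        self._next_id = 0

    def challenge(self, length: int = 16) -> tuple:
        """Issue a fresh, unpredictable challenge; returns (Identifier, Challenge)."""
        ident = self._next_id
        self._next_id = (self._next_id + 1) % 256
        value = os.urandom(length)
        self._pending[ident] = value
        return ident, value

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        """Check a Response against the outstanding challenge for this Identifier.
        The challenge is consumed on first use, so a captured response cannot be replayed."""
        chal = self._pending.pop(ident, None)
        secret = self._secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(response, expected)  # constant-time comparison

def chap_exchange(server: ChapAuthenticator, name: str, peer_secret: bytes) -> bool:
    """Run one full exchange: Challenge -> Response -> Success/Failure."""
    ident, chal = server.challenge()                    # authenticator -> peer
    resp = chap_response(ident, peer_secret, chal)      # peer -> authenticator
    return server.verify(ident, name, resp)             # Success (True) or Failure (False)
```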
Subscribe now to Australian Technology & Business magazine.