Home & Office

VPNs provide safe passage

Your data has to cross the Internet's treacherous waters to reach you. A VPN will help get it there.
Written by Karen J. Bannan, Contributor

Whenever the opposing team leaves the ice in a hockey game, a protective tunnel is created over the walkway, so the players can trundle from the ice to the dressing room without being mauled by the public. Virtual private networks (vpns) give businesses similar protection for their data when it travels across the Internet.

A VPN acts as a direct, secure connection between clients (usually an end user and a corporate location) or between two lans, over the public Internet. It can let remote workers access their companies' servers, connect a company's various sites, and be the underlying security architecture for extranets.

Since a VPN doesn't require a dedicated line, anyone with Internet access can use one. Once connected, employees can be given access to everything on the network that they would normally have if they were in the office. The best part? Although the VPN direct connection, sometimes called a tunnel, uses the public infrastructure, it contains security features that make hijacking data or gaining improper access to the wan very difficult.

vpns have several cost advantages over other remote-access methods. Since a VPN lets employees get into the company network without dialing in, modem banks can be scaled down or eliminated. Leased lines for site-to-site connectivity can also go. And productivity increases, because employees can take advantage of the fastest connections available rather than being forced to dial into a modem bank. These factors create a break-even point for companies in as little as six to nine months, says Bob Lonadier, an analyst with Hurwitz Group, a technology consultancy based in Framingham, Massachusetts.

These benefits are sparking a VPN boom. More than 56 percent of companies with 1,000 or fewer employees and 70 percent of larger companies already have VPNs in place or are in the process of installing them, according to a recent study by cio Insight magazine. Datamonitor projects that last year's $585 million in VPN sales will grow to reach $6 billion by 2005.


A VPN requires software at both ends that encrypts outbound traffic and decrypts inbound. The software may run on a dedicated hardware appliance or on a PC with a general-purpose operating system such as Linux, NetWare, or Windows.

In the server closet, we favor the hardware devices, often referred to as concentrators. PCs run so many unrelated processes that they're more likely to have security holes, and their moving parts make them more prone to fail.

Access control, authentication, and encryption are vital elements of a secure connection. The Point-to-Point Protocol (ppp) has long been used as the Internet's universal link layer for creating tunnel links between devices, but in more recent years, the Point-to-Point Tunneling Protocol (pptp) and Layer 2 Tunneling Protocol (l2tp) have prevailed.

lt2p is a combination of pptp and Cisco Systems' Layer-2 Forwarding (l2f). Aside from differences in authentication, l2tp has gained particular popularity by using IP Security (ipsec) for privacy. Today, IPsec has become the main security protocol for connecting two devices or networks. The only unanswered question was which cryptography scheme to use. Data Encryption Standard (des), for years a widespread choice, has been replaced by many system administrators in the late 1990s. Its 56-bit key did not pose much of a challenge for dedicated hackers using powerful home PCs. The current industry-accepted scheme, Triple des (3des), can provide triple encryption (168-bit) using three separate keys. These encryption methods need dedicated or high-powered processors.

Speed Bumps

Although the benefits of VPNs are tangible, other tools are still necessary for a seamless solution. Quality of Service (QoS), for example, which would let managers prioritize data packets to guarantee certain users or applications the bandwidth they need, is still several years away for VPN use. Today's switches can't determine what's in a packet to give one preference over another unless they decrypt it, which creates security problems. MultiProtocol Label Switching (mpls), a proposed network technology standard that labels packets so that routers know which ones are high-priority, shows promise for VPN and other forms of network traffic.

One VPN security issue that can be solved today is home user security. The home user's desktop can create a silent hole that hackers can slip in through, especially since many broadband connections such as cable modems and DSL are poorly protected. There is, however, a quick fix. Personal firewalls in the form of either hardware, such as that offered by some of the manufacturers in this story, or software, as with Network ice's BlackICE, Symantec's Norton Personal Firewall, and Zone Labs' ZoneAlarm, help close the backdoors into the company. Unfortunately, many people have ignored warnings or found such products too difficult to install.

Compatibility among VPNs has also been an unwieldy issue. Each VPN manufacturer's implementation of the specifications and protocols has been at least slightly different. There have simply been too wide a scope and too much wiggle room within standards to insure interoperability. If a company decides on one vendor today, it may be locked into working with that manufacturer at least until compatibility is no longer an issue--something that won't happen for at least two years, says Ian Williams, a managing analyst with Datamonitor.

There are further considerations when choosing a VPN. Because many products are sold based on the number of tunnels they support, those planning to implement VPNs need to have some idea of how many connections they may need in the future. Though buying a VPN that supports fewer tunnels is cheaper today, it can end up being a penny-wise, pound-foolish decision if the company's needs outpace the VPN's capabilities.

Getting remote users up and running on a VPN, which always requires a client-side installation, isn't very simple either. Technical users may be able to install the software on their own, but laypeople have much more difficulty. In a perfect world, a company's support staff could install all of the client software on their own, but that's rarely practical. Some companies such as Nokia simplify the process through wizards that help create a highly automated client-install package.

For this story, we asked seven VPN providers for products that would suit a medium-size business with a budget of $10,000 (some had a difficult time meeting this target) that needed a VPN for its central and branch offices. The central office would support 50 remote employees and maintain a permanent tunnel to the branch location. The new version of Checkpoint Software Technologies' VPN-1, a leading product that runs on hardware VPNs and PC servers, unfortunately shipped too late to meet our testing schedule, but we will review it in an upcoming issue.

Our contributors: Les Freed is a contributing editor of PC Magazine. Karen J. Bannan and Rob Schenk are frequent contributors. Carol Ellison is a freelance writer. Matthew D. Sarrel is a PC Magazine Labs technical director. Associate editor Davis D. Janowski and PC Magazine Labs project leader Oliver Kaven were in charge of this story.

Editorial standards