Whenever the opposing team leaves the ice in a hockey game,
a protective tunnel is created over the walkway, so the players
can trundle from the ice to the dressing room without being
mauled by the public. Virtual private networks (VPNs) give businesses
similar protection for their data when it travels across the
A VPN acts as a direct, secure connection between clients (usually
an end user and a corporate location) or between two LANs, over
the public Internet. It can let remote workers access their
companies' servers, connect a company's various sites, and be
the underlying security architecture for extranets.
Since a VPN doesn't require a dedicated line, any authorized user
with Internet access can use one. Once connected, employees can be
given access to everything on the network that they would normally
have if they were in the office. The best part? Although the VPN
direct connection, sometimes called a tunnel, runs over the public
infrastructure, it authenticates both ends and encrypts the traffic
in between, which makes hijacking data or gaining improper access
to the WAN very difficult.
VPNs have several cost advantages over other remote-access
methods. Since a VPN lets employees get into the company network
without dialing in, modem banks can be scaled down or eliminated.
Leased lines for site-to-site connectivity can also go. And
productivity increases, because employees can take advantage
of the fastest connections available rather than being forced
to dial into a modem bank. These factors create a break-even
point for companies in as little as six to nine months, says
Bob Lonadier, an analyst with Hurwitz Group, a technology consultancy
based in Framingham, Massachusetts.
These benefits are sparking a VPN boom. More than 56 percent
of companies with 1,000 or fewer employees and 70 percent of
larger companies already have VPNs in place or are in the process
of installing them, according to a recent study by CIO Insight
magazine. Datamonitor projects that last year's $585 million
in VPN sales will grow to reach $6 billion by 2005.
A VPN requires software at both ends that encrypts outbound
traffic and decrypts inbound. The software may run on a dedicated
hardware appliance or on a PC with a general-purpose operating
system such as Linux, NetWare, or Windows.
In the server closet, we favor the hardware devices, often
referred to as concentrators. A general-purpose PC runs so many
unrelated services, each a potential security hole, that its attack
surface is larger, and its moving parts (disks and fans) make it
more prone to fail.
Access control, authentication, and encryption are vital elements
of a secure connection. The Point-to-Point Protocol (PPP) has
long been the Internet's universal link layer for dial-up
connections between devices; the Point-to-Point Tunneling Protocol
(PPTP) and Layer 2 Tunneling Protocol (L2TP) carry PPP frames inside
IP packets so that the same kind of link can be set up across the
Internet, and in more recent years these two have prevailed.
L2TP is a combination of PPTP and Cisco Systems' Layer 2 Forwarding
(L2F). Aside from differences in authentication, L2TP itself provides
tunneling but no encryption; it has gained particular popularity
because it is paired with IP Security (IPsec) for privacy, a
combination usually written L2TP/IPsec.
Today, IPsec has become the main security protocol for connecting
two devices or networks. The remaining question was which cipher
to use. The Data Encryption Standard (DES), for years the widespread
choice, was abandoned by many system administrators in the late
1990s. Its 56-bit key can be searched exhaustively: a distributed
effort across thousands of ordinary PCs recovered a DES key in a
few weeks in 1998, and the Electronic Frontier Foundation's
purpose-built Deep Crack machine did it in less than three days
later that year. The current industry-accepted scheme, Triple DES
(3DES), applies DES three times with three independent 56-bit keys
(168 bits in total); because of meet-in-the-middle attacks its
effective strength is about 112 bits, which is still far beyond
exhaustive search. These encryption methods need dedicated or high-powered
Although the benefits of VPNs are tangible, other tools are
still necessary for a seamless solution. Quality of Service
(QoS), for example, which would let managers prioritize data
packets to guarantee certain users or applications the bandwidth
they need, is still several years away for VPN use. Today's
switches can't look inside an encrypted packet to give one preference
over another unless they decrypt it, which creates security
problems. (An IPsec gateway can copy the inner packet's type-of-service
marking to the outer header, but that only helps if the marking is
set before encryption and trusted afterward.) MultiProtocol Label
Switching (MPLS), a proposed network technology standard that labels
packets so that routers know which ones are high-priority, shows
promise for VPN and other forms of network traffic.
One VPN security issue that can be solved today is home user
security. The home user's desktop can create a silent hole that
hackers can slip in through, especially since many broadband
connections such as cable modems and DSL are poorly protected.
There is, however, a quick fix. Personal firewalls in the form
of either hardware, such as that offered by some of the manufacturers
in this story, or software, as with Network ICE's BlackICE,
Symantec's Norton Personal Firewall, and Zone Labs' ZoneAlarm,
help close the backdoors into the company. Unfortunately, many
people have ignored warnings or found such products too difficult
Compatibility among VPNs has also been an unwieldy issue. Each
VPN manufacturer's implementation of the specifications and
protocols has been at least slightly different. The standards simply
leave too wide a scope and too much wiggle room
to ensure interoperability. If a company decides on one vendor
today, it may be locked into working with that manufacturer
at least until compatibility is no longer an issue--something
that won't happen for at least two years, says Ian Williams,
a managing analyst with Datamonitor.
There are further considerations when choosing a VPN. Because
many products are sold based on the number of tunnels they support,
those planning to implement VPNs need to have some idea of how
many connections they may need in the future. Though buying
a VPN that supports fewer tunnels is cheaper today, it can end
up being a penny-wise, pound-foolish decision if the company's
needs outpace the VPN's capabilities.
Getting remote users up and running on a VPN, which always
requires a client-side installation, isn't very simple either.
Technical users may be able to install the software on their
own, but laypeople have much more difficulty. In a perfect world,
a company's support staff could install all of the client software
on their own, but that's rarely practical. Some companies such
as Nokia simplify the process through wizards that help create
a highly automated client-install package.
For this story, we asked seven VPN providers for products that
would suit a medium-size business with a budget of $10,000 (some
had a difficult time meeting this target) that needed a VPN
for its central and branch offices. The central office would
support 50 remote employees and maintain a permanent tunnel
to the branch location. The new version of Check Point Software
Technologies' VPN-1, a leading product that runs on hardware
VPNs and PC servers, unfortunately shipped too late to meet
our testing schedule, but we will review it in an upcoming issue.
Our contributors: Les Freed is a contributing editor of
PC Magazine. Karen J. Bannan and Rob Schenk are frequent contributors.
Carol Ellison is a freelance writer. Matthew D. Sarrel is a
PC Magazine Labs technical director. Associate editor Davis
D. Janowski and PC Magazine Labs project leader Oliver Kaven
were in charge of this story.