The VPN game: Who controls your network?
Virtual Private Networks
You know you want an IP virtual private network, but you face a difficult choice: Build your own or buy a VPN service. Your decision depends on how much you want to pay and how fast and reliably you want the network to perform.
For many, the overriding concern is maintaining data integrity. If that is the case, you want to check out the inherent security of a service provider network.
Contrary to their name, IP VPNs may in fact run over carrier-owned backbones based on frame relay or ATM, not IP. Customers send IP traffic into a network, but carrier gear wraps it up in frames or ATM cells for transport across the network.
On the other hand, a service provider network could be router-based and run native IP throughout or a mix of routed and switched technology. A provider network could even use the Internet.
Experts say it is important to know the kind of network that is supporting a corporate VPN. An IP VPN service that is run over a frame relay or ATM switched backbone is as secure as a frame relay or ATM service made up of virtual circuits, according to Tom Nolle, president of CIMI Corp. in Voorhees, N.J.
It also is important to know what a carrier's backbone is because customers could ultimately pay extra for security when they don't need it, he says.
Experts consider routed networks to be less secure than switched networks because there are no virtual circuits. Routed networks, including the Internet, leave the customer open to spoofing and other forms of attacks.
In routed networks, the legitimate users of one customer's VPN are separated from users of other customers' VPNs by closed user groups. Users are allowed to connect to only a select group of IP addresses.
But experts say that is not strong enough security.
"I don't know that I would be happy just having a closed user group as a means to secure my resources," says Dave Kosiur, an analyst for The Burton Group in Reston, Va.
"That's router-level security. Anybody that could find an IP address for the corporation could camp there with a sniffer and wait for messages," says Eric Paulak, an analyst for Gartner Group in Stamford, Conn.
VPNs running over such networks need strong authentication and encryption to ensure privacy. Those added measures can be controlled either by the customer or service provider.
For example, the emerging standard for VPN security is IP Security (IPSec), which includes encryption, authentication and key management.
IPSec can shore up the weaknesses of the Internet or other routed networks.
"If you're using IPSec, you are assuming people can get to your traffic. And if you are using triple-DES encryption and authentication packet by packet, it will still be secure," says Eric Zines, an analyst with TeleChoice, a consultancy in Boston.
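The contrast the analysts draw above, between a closed user group (a router admitting packets by source address) and IPSec-style per-packet encryption and authentication, can be seen in a few dozen lines. The block below is an added illustration, not code from the article or from any vendor it names: it models a closed user group as a set of permitted addresses, then shows a simplified ESP-like packet format (sequence number, ciphertext, HMAC tag) with an anti-replay window. The addresses, keys and payloads are constructed; the cipher is a counter-mode keystream derived from HMAC-SHA256 standing in for the triple-DES the article mentions, chosen only so the example runs on the Python standard library, and the format is not wire-compatible with real IPSec.

```python
import hmac
import hashlib
import os
import struct

# Constructed example: a "closed user group" on a routed network is nothing more
# than a list of source addresses the router will admit.
CLOSED_USER_GROUP = {"10.1.1.5", "10.1.1.6"}

TAG_LEN = 32        # HMAC-SHA256 tag appended to every packet
WINDOW = 64         # anti-replay window, in sequence numbers


def closed_user_group_allows(packet: dict) -> bool:
    """Router-level check: the packet is admitted if its source address is listed.
    Nothing here proves who actually wrote the packet."""
    return packet["src"] in CLOSED_USER_GROUP


def _keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, seq || counter), a stand-in for 3DES/AES."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">IQ", seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(enc_key: bytes, auth_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Sender side: encrypt the payload, then authenticate header and ciphertext
    (encrypt-then-MAC, as IPSec ESP does). Returns seq || ciphertext || tag."""
    header = struct.pack(">I", seq)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, seq, len(plaintext))))
    tag = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


class Receiver:
    """Receiver side: verify the tag first, then enforce the replay window, then decrypt."""

    def __init__(self, enc_key: bytes, auth_key: bytes):
        self.enc_key = enc_key
        self.auth_key = auth_key
        self.highest = 0       # highest sequence number accepted so far
        self.seen = set()      # sequence numbers accepted inside the window

    def unprotect(self, wire: bytes) -> bytes:
        if len(wire) < 4 + TAG_LEN:
            raise ValueError("truncated packet")
        header, ciphertext, tag = wire[:4], wire[4:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(self.auth_key, header + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed: forged or modified packet")
        seq = struct.unpack(">I", header)[0]
        if seq in self.seen or seq + WINDOW <= self.highest:
            raise ValueError("replayed or stale packet")
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s + WINDOW > self.highest}
        return bytes(c ^ k for c, k in zip(ciphertext, _keystream(self.enc_key, seq, len(ciphertext))))


def _rejected(rx: Receiver, wire: bytes) -> bool:
    try:
        rx.unprotect(wire)
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Run the comparison on constructed traffic and report what each check decided."""
    enc_key, auth_key = os.urandom(32), os.urandom(32)
    rx = Receiver(enc_key, auth_key)
    payload = b"payroll: Q3 figures"
    wire = protect(enc_key, auth_key, 1, payload)
    tampered = wire[:6] + bytes([wire[6] ^ 0x01]) + wire[7:]          # flip one ciphertext bit
    forged = protect(os.urandom(32), os.urandom(32), 2, payload)     # right format, wrong keys
    return {
        # The closed user group admits any packet carrying a listed source address.
        "cug_admits_unverified_source": closed_user_group_allows({"src": "10.1.1.5", "payload": payload}),
        # A sniffer on the path sees only ciphertext.
        "plaintext_visible_on_wire": b"payroll" in wire,
        "legit_packet_decrypts": rx.unprotect(wire) == payload,
        "replay_rejected": _rejected(rx, wire),
        "tamper_rejected": _rejected(rx, tampered),
        "forged_packet_rejected": _rejected(rx, forged),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The order of checks in `unprotect` matters: the tag is verified before the sequence number is inspected, so an unauthenticated packet can never advance the replay window, and decryption only happens for traffic that has passed both checks.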
When money is an object
Many customers get into VPNs as a way to save money.
"We cannot afford the cost of trying to build a WAN through leased lines or direct dial-up. I would need more support people than I have now," says Gene Donlan, IT director for FormFactor in Livermore, Calif.
"In almost all cases, it should be cheaper to outsource," Zines says, adding that the savings might not be obvious right away, because there are hidden costs beyond the hardware, software and communications links.
For example, setting up digital certificates and a certificate authority to authenticate users requires expertise many enterprises don't have. So they have to train people and divert them from whatever other work they were doing for the company. That is a cost, Zines says.
In addition, making the various pieces of a VPN - authentication, firewall, certificate management, encryption - work together is no small feat, Kosiur says. And dealing with users as they get new hardware and software and learn to use the VPN can hike up help desk bills, Zines says.
"The simple way is for the service provider to do it," Kosiur says.
Balancing and budgeting
In the real world, though, customers sometimes have to trade off between cost and features. For example, Enno Becker, director of Technology Infrastructure for Forum, an international management training firm, oversees three VPNs: one interconnecting offices that had been connected by frame relay; one for dial-up remote access via the Internet; and an extranet for suppliers to dial up Forum network resources.
The VPN simply saves Forum money. For example, a Forum ISDN link between Hong Kong and San Francisco cost $6,000 to $9,000 per month. A VPN connection plus a firewall costs about $3,000 per month, Becker says.
He has chosen to keep management of all the networks in-house and uses Check Point VPN gear to secure traffic as it goes over the Internet. Maintaining control lets him change access rights and passwords quickly, he says.
Other users want to maintain control of their networks, so they don't feel locked in to a single service provider.
"As it is today, we use three different primary ISPs. We have the ability to switch ISPs without reconfiguring thousands of desktop and laptop systems," says Bill Brown, vice president of customer and technical services for Apartment Investment & Management Co. (AIMCO) in Greenville, S.C.
AIMCO bought Shiva VPN gear to run its dial-up VPN over the Internet. "With VPNs, once the initial hardware and software is purchased you can easily budget an ISP connection because that is a fixed cost," Brown says.
As you can see by the accompanying charts, corporate users are adopting VPNs for a variety of reasons and basing them on different backbones. But Zines has a telling piece of data from a recent survey he performed that indicates VPNs managed by service providers might be winning the day.
Among customers who already have VPNs, the split between in-house and outsourced is about 50-50, he says. But among those who built their own, about one in five say they will move to a managed service.