More users are finding DSL a bargain for VPNs

By Michael Martin
Network World, 10/02/00

One drawback of DSL is that its static, always-on connection lacks security. Firewalls only protect access to an endstation, not transmissions over public networks. As a result, users have been turning to DSL VPNs for added peace of mind.

There are several ways companies and remote teleworkers can set up VPNs with DSL: with the same VPN software and hardware used for dial-up security; with native network-based VPNs offered by network services companies; or by setting up a private, point-to-point network, similar to a frame relay VPN.

Taking DSL to school
Subscribe to the VPN newsletter

Kathy Hackler, an analyst with San Jose consultancy Dataquest, says most companies using VPNs over DSL lines are doing so for teleworkers.

"I think you could go with just a firewall for security," she says, "but if your teleworkers are dealing with something like sensitive database information, you probably want a VPN."

Tony Aiuto, who heads the server team for Cambridge, Mass., start-up Popupnotes. com, is one such teleworker manipulating sensitive data over a DSL line. From his home in New York, Aiuto accesses a Popupnotes.com server in Cambridge so he can work on code for the company's service, which will let people make annotations on Web pages.

Aiuto says he isn't too concerned about the security of his DSL connection because he has a firewall. But he says he doesn't like sending clear text across any network, so he uses Open BSD's Open SSH Secure Shell, free open source software for Unix boxes, to encrypt any data traveling between his home and the Cambridge office. All Aiuto has to do is log onto the Cambridge office through Open BSD, and he has full run of the network.

"I'm happy with it," he says. "The performance is good. I know we're not sending anything in clear text, and it beats having to fly to Cambridge every week."

So far Aiuto hasn't had any reason to move to a hardware-based VPN. No one needs to access his site, and he doesn't need direct access to file servers, he says. However, this could change in the near future when Popupnotes.com launches. Popupnotes.com's servers will be housed at a collocation facility, and the company will set up a hardware-based VPN between its Cambridge office and the facility where the servers are housed. Aiuto would probably also be given a VPN box so he could access the collocation site remotely.

While a software encryption tool is fine for what he's working on now, Aiuto believes a hardware-based VPN will offer better security.

"We feel some of the router-based stuff is probably less prone to being attacked," he says. "Someone could post a secure shell exploit tomorrow and make every system vulnerable."

The most secure DSL VPNs are truly private point-to-point connections, according to Eric Moyer, director of product marketing for Covad Communications. A point-to-point VPN is ideal for companies with remote offices, Moyer says.

To set up a corporate DSL VPN, a firm would need a DSL connection from each remote office pointing directly back to corporate headquarters and a connection at the corporate headquarters large enough to handle the traffic coming back to it - possibly a T-1 or T-3. Moyer says such a network is relatively cheap to set up when compared to frame relay VPNs.

"Because you're using DSL, you're using low-cost access mediums to get connected, and you can put together truly private networks for a fraction of what it would have cost you in the old days with frame relay or even dial-up through a remote access server," he says. A DSL connection from a remote office back into a corporate headquarters could cost as little as $60 per month, according to Moyer.

School Administration Unit 29, which represents seven school districts in southwest New Hampshire, is one organization that's taken advantage of DSL to create a VPN between nine of its buildings.

To create the VPN, the administration unit required five circuits - three DSL lines and two T-1s. The circuits run back into a cage owned by Vitts Networks, the provider of the VPN, at a Verizon central office. The VPN is separated from the Internet by a firewall. Each building also has a VPN box to encrypt any data sent over the network.

Dean Hollatz, the administration unit's director of technology, says the T-1s were necessary because one building needed a full 1.5M bit/sec of bandwidth that it couldn't get with DSL, and another building was 1,000 feet outside the three-mile DSL limit of the local central office.

The school district implemented the VPN, Hollatz says, so the buildings could swap sensitive information. The relatively low cost of DSL was what made the VPN possible, he says.

"We couldn't afford to drop a T-1 into our smaller schools, so when DSL and the price point came along it was something we could roll out to our smaller schools," he says.

In addition to software-based VPNs for remote workers and point-to-point VPNs, companies should soon be able to purchase network-based VPNs from service providers. These VPNs would be enabled by devices located within a service provider's network - such as Nortel Network's Shasta boxes, or gear from Cosine and Cisco.

Broadwing, which launched a VPN service for dedicated local loop and analog dial-up users in June, is working on extending the VPN offering to DSL.

Justine Lupul, Broadwing's director of IP services, says the provider should have a network-based VPN-over-DSL service available before year-end once it overcomes technology-related hurdles. Broadwing deploys its VPN service over circuits running frame signaling, and Lupul says most DSL vendors have not yet certified DSL for frame relay interoperability.

Once Broadwing's service is up and running, Lupul believes it will appeal to remote workers, but doesn't expect the service to replace any private line networks.

"With DSL as an upgrade to dial-up or ISDN, there's a high expectation you're going to be achieving good customer satisfaction," she says. "When DSL is being used as a replacement for private-line access, because it has to travel through a public frame relay cloud, there's not as high a chance of meeting or exceeding customer expectations."