VPN audio roundtable transcript
Curious about VPNs? Want to build one, but don't know where to start? Lots of folks are in your shoes. That's why we gathered together three VPN pioneers, peppered them with questions, and recorded their thoughts, in a session moderated by Network World News Editor Doug Barney. The result is advice you can build your business on.
Simon Eggington is Information and Technologies Manager for Aristocrat, Inc., a Sydney, Australia-based multinational concern. Eggington, who works in the company's U.S. headquarters in Reno, NV, says his end-users didn't have to learn anything new to reap the benefits of his VPN.
Louis Gary, Network Manager for Hamilton Beach/Proctor-Silex, Inc. in Glen Allen, VA, tossed out his modems, put in a VPN, and never looked back.
Bill Claspe, Director of Franchise Systems for AFC Enterprises in Atlanta, GA, has wired together hundreds of restaurants all over the country. His VPN has already saved the company gobs of money, and improved access to key information resources.
Q: Can you tell us about the business need behind your virtual private network?
Simon: We are a multinational company and we are also in the gaming industry. We design and build video slot machines. It is a very competitive market. There is a great deal of need for security, not only because of potential corporate espionage, but also because of the restrictions put on by the gaming regulators of each state. They want to ensure that our programs do not get out to somebody that could take advantage of them and potentially use them to embezzle or rip off a casino.
We wanted a fast, secure means of linking our sites and also a secure means for people in the field to dial up and get access securely to e-mail, files or on-line business solutions.
Louis: We had to have some communication method for our field sales force. We have roughly 40-45 sales personnel throughout the United States selling to our major accounts and retail chains. They have data needs, things they have to download daily, as well as weekly and monthly data reports from our network. We used to use a dial-up bank of modems, and had the issue of the modem technology, both at the main office and at the remote portable systems, which had to be maintained. With the advent of the Internet we started to have Web site and Web site-based information sources. We chose to use a VPN to not only get rid of the modem technology, the modem bank here in the central office, but also to allow for Internet-based access for information, not only to us but to our customers' and our competitors' sites. After getting the Internet-based access to our main office we wanted the secure access of end-users downloading the sales and other data reports that would have sensitive information. And we wanted to also make sure we knew who was coming through our firewall and who was coming into our network from the Internet. So those are the reasons we chose to do a VPN solution.
Bill: We actually installed the VPN for two different reasons. First we built an extranet to support our franchise community. We are a restaurant franchising organization; we have 5 different restaurant brands and about 450 franchisees out there. We changed our traditional field support model into a combination of a help desk support and an extranet support model. So end-users can call the help desk during regular business hours to get information, and they can go to the extranet to not only get documents that used to be delivered on paper, but also processes that used to be manual. We installed the VPN in that scenario mainly for security reasons, because when we started talking with people about transmitting data to us over the Internet they really began to balk. We needed to find a way to calm their fears about Internet security. So that was the security issue. We also installed the VPN to find a way to reduce the dial-up costs for our field users to access the LAN. They had been dialing in over a secure network and we are beginning to have them dial in over the VPN through the Internet, greatly reducing the monthly phone costs there.
Q: Can you describe the technology behind your VPNs?
Simon: We went with RADGUARD (RADGUARD, Inc., Mahwah, NJ). RADGUARD uses IP Filtering and Tunnel Mode IPSec, which involves a combination of implementing a routed network topography and security policy. It is also a VPN and a firewall in a single unit, which was important to us. We had smaller sales offices that we didn't want to have to maintain a server at, so this was a standalone unit that was centrally managed from our head office in Reno.
Q: Have you had to get any cooperation from your ISP?
Simon: It is independent, really, of our ISP. We run these behind the router on our end. We use AT&T Managed Internet Service for our Internet access, and we maintain the VPNs ourselves.
Louis: We chose to use the RedCreek (RedCreek Communications, Newark, CA) hardware-based VPN solution. It is a combination of the hardware access security box in our network in the office here, and then a client piece that resides on each of the remote PC laptop systems. We have a selectable level of encryption technology and a selectable level of tunneling. We can decide how much of the packet is actually encrypted. Basically it gives me a pretty flexible solution for deploying it throughout our distributed salesforce. We've also recently set up a supplier on the other side of the world. The supplier uses the same technology to get into my system, access our main corporate network, and process inventory movements. We end up with faster and more accurate inventory information from this supplier in the Far East.
The hardware approach that we took represents an easy step into VPNs and fairly simple configuration. It didn't require us to get the end-users involved, and to force them to learn much about how the system works.
Bill: We went with the VPNet (VPNet Technologies, San Jose, CA) solution. It sounds similar to the RedCreek solution in the fact that it's hardware on the network side here, and then the client side software piece. The main reason that we decided to do it this way was just the maintenance at the client side. It's obviously very simple compared to trying to put hardware in all of those locations. They are not laptop users, at least not the franchise community, so it is not a mobility issue as much as just a simplicity issue. On the client side when they boot up their machine the client opens. They enter their authentication information, and minimize the client. Then if later in that session they connect to the Internet and connect to our VSU (VPNware VSU 1100), which is the box on our network, the handshake happens and they don't have to worry about a thing. They don't even know it is basically happening under the covers. It was important to us that, number one, maintainability and, number two, simplicity at the client were both easy. On the network side, the VSU box runs in conjunction with the firewall; it runs in parallel. The traffic actually passes both ways depending on how that traffic is coming and going on the network. It is not in sequence; it is in parallel with the firewall.
Louis: What you are saying is that if traffic is authenticated through the VPN, it bypasses your firewall, and if it is not authenticated then it has to satisfy your firewall parameters?
Bill: That's correct.
Louis: That's interesting. The way mine is configured with the RedCreek, we have a serial connection. So essentially I've got the firewall and the VPN configured in a complementary mode; the firewall doesn't know about the RedCreek box. But if one of them fails, it pretty much shouldn't let the other traffic go through.
Bill: There's actually another side to it. Our e-mail passes in and out through the firewall. For external e-mail users we would need everyone to be a VPN client if the information was to pass through the VPN.
Backing up the VPN, we have a RADIUS authentication server to just...
Louis: Challenge?
Bill: Exactly. So there is a pretty good level of security. The other reason we chose VPNet was that it really provided us the highest level of encryption, which is triple-DES. So we were comfortable with that.
Simon: We have the same level of encryption. The advantage we felt with the RADGUARD unit was the VPN and the firewall were integrated. I should also mention that we have a remote software client available as well, which works similarly; it acts as a shim, so you do your Internet connection and then, should you make a call to one of your other locations, it automatically steps in and tunnels for you.
Louis: Bill, I was interested in your comment about the e-mail. We have Internet mail, and are handling our own forwarding and receiving of e-mail to our whole mail system from our mail gateway. The RedCreek box allows you to selectively choose some specific protocols like SMTP to determine whether you will pass it in clear or whether you will let it be subject to the VPN control. So that is how RedCreek solves that problem.
Simon: We do a similar thing with the RADGUARD. We specify the IP address of the Exchange server sitting behind the firewall and allow the specific protocols as well.
Bill: I don't know if the limitation we have on our end is so much with the VPN or the VPNet hardware as it is with our mail gateway, which is Lotus Notes. We are not running a POP3 server; we are running Notes as an SMTP mail gateway. I honestly don't know. I'm pretty sure that's where the limitation is, not on the VPN side.
Simon: We were looking to really tighten down security, and also to take advantage of the features provided by the Microsoft Exchange client, as opposed to the POP client. We wanted the remote client to be able to connect to the internet while in the field with a laptop and then tunnel through to your server. We can actually pull this server behind the firewall in its entirety, and allow all the protocols required for the Exchange client, the IMAP, the LDAP, and such, to pass through encrypted. With the implementation of Exchange Server 5.5, and the Service Pack 1 and Outlook 98, it is a much thinner client. It is much closer to the thinner POP client, yet you can get all the group scheduling and contact information as well, which was important to us.
Q: I'm curious as to how your end-users have reacted to the system.
Simon: Our end-users are very pleased with it. Again, we are just rolling out the Exchange client implementation; I think they will be a lot happier with that, rather than just the POP. It has been so transparent to them. They obviously have no complaints about usability and it is easy for us to maintain. As I said, we centrally configure and maintain it from the Reno location. The remote client, you configure it in the crypto CA (certificate authority), as it is called on this side, and you generate the installation disk for the remote client and it pretty much installs itself. And as I said, it acts as a shim, so it just steps in and does the tunneling when it picks up a call to a location that it knows another unit is at.
Bill: Similarly we have a fairly simple interface, so we haven't had any issues from a usability point of view. We have had several people inadvertently delete their encryption key and we have had to go back and send them a new key and walk them through the installation of the key. But other than that, we've had really very little problem.
Louis: We basically have had a very positive response from our user base that is using this, not so much because the VPN was great, but because the VPN allowed us to move them off the modem-to-modem connection onto an Internet-based connection. At the same time we kinda opened their eyes to the world of the Internet and to the technologies and the fact that now they get their files in a much more readable format. That's because in migrating to this we migrated some of the form structures from text-based to Adobe format.
And also we've given them some training on how to use the technology that they probably didn't have as much of before. Our salesforce has more knowledge on just how to use their systems, their PC. For instance, there is greater awareness of simple things, such as how to compress a file so the download time is cut in half or a quarter. We're getting feedback to the corporate office telling us that we need to go to so and so in such and such a department and train them on how to ZIP up the file. The end-users don't want to spend a half an hour downloading a file.
So the spin-off has been opening up the Internet technology, the Internet pipe if you will, using VPN and feeling that the VPN technology is giving us a secure channel to use. So I am not sure that the solution we chose made the difference though I think we have a good solution for our needs. I think just the VPN in general has helped our users take a big step forward in their ability to use modern technology.
Q: What is the greatest benefit in deploying VPN technology?
Simon: Obviously security is a great issue. Also, as the other two mentioned, being able to transfer end-users over to Internet dial up at a fixed rate per month, rather than remote access which isn't the most secure. The cost savings in that respect have been tremendous. The cost of a good high speed Internet access is not cheap. One approach we have taken to offsetting that is implementation of voice over IP, and utilizing that in conjunction with the VPN. You can even step it up to where our voice conversations between sites are encrypted as well. That is another level you can take it to.
Bill: Just to add to the cost savings concept, obviously that is a great benefit for us. Our field users are currently dialing in over the IBM Global Network at a cost of $3.50 an hour and up depending on the type of connection that they've got. If they are dialing into an 800 number it is actually more. I'm experimenting with a product called freewwweb (Internet Media Solution, Buffalo, NY) which is using the television model of advertising. It's a one-time Internet connectivity fee. For a single user it is $99; if you get to a couple of hundred users they get it down into the fifties. And that's it, a one-time fee, lifetime connectivity. I figure if that lasts a few months, I've paid for it basically. It works great for me. I dial into freewwweb as my ISP, I open up the VPN, I connect and I do whatever I need to do on the LAN. If that model holds true in the sense that they can maintain through advertising the ability to provide that connection, that lifetime connection, then the costs really nosedive at that point.
Louis: That sounds like a pretty interesting solution I hadn't heard about. We have a similar savings in that we replaced an 800 number that was being used for the modem-based dial-in that was costing upwards of $25,000 a year. Now the sales force has the typical $20 a month Internet provider charge, for an unlimited time. They actually get more than before. It was costing us $25,000 for just the data connection to download data. Now they can do that, but then they can also browse the Web. So we're saving easily $15,000 a year just on the cost of the connection, and we are getting actually more than that because now the Web is theirs. There is a cost saving that is definitely driving it. The other thing that drives us is flexibility. We are looking at expanding globally and the Internet is the best global infrastructure to get into. When you are just trying out a new market, you can't commit the resources that you would want to be successful right away. The Internet is a cheap way to connect. The Internet is $20 a month, versus a nailed-up circuit whether it is Frame Relay or whatever. So it gives us a little bit more flexibility to expand and get that communication channel going, where before you would have to nail up some kind of a fixed line.
Q: Have there been any significant problems in establishing your VPNs?
Simon: We had the usual issues of familiarity with the system, learning the protocols and the order in which to place your policies, your entries, and such. But our provider was terrific. They provided a lot of support, spent a few days out with us here and spent a couple of days out at some regional offices and really helped us get it on line. The remote client was very easy.
Louis: The only problem I can remember is a hardware failure. The manufacturer, RedCreek, very quickly replaced the box. That happens too often in all sorts of areas so it didn't really faze me. That was pretty much the only trouble we had.
Bill: Our initial installation was very smooth and the installation of the client is pretty smooth. The thing that we found was that the generation of the encryption key actually takes a lot of crunching, I don't know if it is because of the level of encryption that we are dealing with, but a key could take upwards of an hour to be created. Some of that has to do with the power of the server that we are creating them on. But if you start thinking about the number of potential clients out there, and having to create a key for each one of those folks, it can be a pretty big task. We got the vast majority of them out of the way; we still have quite a ways to go.
Q: How do you think VPN technology will change in the coming years?
Simon: The level of encryption is definitely there. But being a multi-national company we have a bit of a problem with the level of exportable encryption. We are restricted to the 64 (bit). Obviously right now we would prefer to have that up to 128 (bit) if not Blowfish (which is 256-bit). I doubt they will ever release 256 Blowfish. I would like to see the exportable level increased.
Louis: Our direction might actually be away from VPN for some issues that can be solved with a secured Web server. For example, Cisco has a Web site out now, a very good Web site, where you sign up and you get access to certain parts of it based on an account you set up with them. We're looking at that in the sense of creating a Web site that has secured areas that we control. We would have log-in name and password type of access in order to give people information. We wouldn't need to have them come through our firewall; they would be taken to an external site. Not to knock the VPN technology, but that's probably where we are thinking we might be heading. Trying to get it so people don't have to come into our network; that the data they want is secured on another server that at least keeps the traffic outside.
Simon: That certainly answers a lot of concerns as far as access to the data. However we have a lot of concerns about people being able to sniff the actual transmission of the data, which I'm not sure that approach would answer.
Louis: That's true.
Simon: Do you have concerns about that?
Louis: We would have to use browser-enabled security type of things and possibly certificates off of that. It is a different kind of VPN, if you will, but it is not the VPN I think of where we are letting people get into our network.
Simon: You are thinking more of the firewall.
Louis: Right.
Bill: My expectation is that VPN technology will move away from the way that we have created our own solutions, through VPNet or RedCreek, or RADGUARD, into becoming a value-added service from Internet Service Providers. With some of the larger ISPs, I think this is already happening. I see this client side beginning to get bundled with the dialers that they provide and enabled as a value-added service.
Q: Any tips for people that are just beginning to look at this area?
Simon: The biggest tip is to thoroughly evaluate your business needs. You can really get into some high dollars on some of these solutions, so you want to define what your absolute requirements are. You should do a lot of research to make sure you're getting a proper solution for the right amount of investment.
Louis: I would second that. You need to know your network, and you need to know the business requirement to justify and determine what solution fits. All three of us probably have both the same and different needs. We came up with similar answers to those needs. You can go in inexpensive; you can spend a lot of money. You've just got to know your network, what is the business requirement, and also understand your capability to support the technology. We evaluated one product before we chose RedCreek and we chose not to use that product because it was too complicated. It was on the line of what Bill was talking about with generating keys and things like that. I don't have the staff to do that. I don't think I have quite the enterprise issues that Bill has. So we chose RedCreek because it was a more simplified solution for us and a way of getting a VPN up quickly. Is it the most secure? I think my network is fairly secure. Is it as secure as someone else's? I am not sure.
Bill: Obviously I would third everything that the other two gentlemen have said.
We were unwitting pioneers. We didn't expect to be pioneers; it just happened that way, and we got a little publicity because of it. I do receive phone calls on a regular basis from folks and most of the phone calls are from people who are very skeptical that either VPNs work or that they are secure. It is hard to believe that you can get a secure connection at $20 a month or whatever it is that you are spending. And the only thing that I would say is "yeah, they are for real". They really do work. We are very confident with the connectivity, and the performance has been very good. Obviously the service levels are based upon agreements with your Internet Service Provider, which at this point aren't at the same level as what secure networks provide, if you can even get an SLA (service level agreement) from an Internet Service Provider. We are using our VPN and we are generating cost savings because of it. There is something to be said for that.
Louis: I agree. People ask "does it work?" or "can it work?" I made an earlier comment that "I don't know how secure mine is compared to someone else's." This is true, but I also know that we tested our VPN and I know when I turn off my VPN to a certain host, you can't get there. Granted, if somebody is going to use a supercomputer to try to break into my network, let 'em have it; it is not worth it to stop that. But I don't think we have the secrets of the universe here. You've got to gauge your security needs against the risks. I think I have a secure network for what I need and it has been tested.
Bill: We have some pretty good recipes that I think some people would like to get their hands on, but they're not available on our network so I don't have to worry about it.
Louis: Hey, you can get recipes off of our Web site (Hamilton Beach), but I don't think they are the recipes you're looking for.
Q: Are there any specific pitfalls you would like to warn folks about?
Louis: I'd say, don't take the deal of the week. Do the research, look around, evaluate. The vendors all want you to 'try and buy'. So try a couple of them and if the first one feels good, at least try another one, and make sure that it is good. You don't have to try everything under the sun. But 'try and buy' is out there, and that is a good way to do it.
Simon: Usability is also a key factor. You need to balance the levels of security, functionality, and ease of configuration. You need to evaluate how valuable your data is to your competitor or somebody else.
Q: Has your opinion of VPNs changed in the last 12 months given the rate of change in technology and the large amount of press coverage?
Simon: In my case, seeing was believing. We had initial skepticism, we read the reviews, and had product demos. After having used our VPN, and seeing the benefits, I am very much sold on the technology. I'm very pleased with the technology we bought into and the level of technology in VPN in general right now.
Bill: I'd have to agree. It is becoming a more mature tool, at least on the VPNet side. We've got an upgraded generation of the tool. The management software as well as the client is better now. We started working with them back in the fall of 1997, and at the time, there really wasn't a whole heckuva lot of talk about virtual private networking. What was being said was "someday you will be able to do this."
But we had an immediate need for a level of security over the Internet that we couldn't match any other way. So we did it. The press that has been in all of the rags about virtual private networking in general, along with the fact that it is a real technology and really is being used, has just made me a lot more confident that we made the right decision back then to do it.
Q: Can you summarize your overall level of satisfaction with your virtual private network; the performance, the manageability, and your relationships with service providers?
Simon: After having it for a year, and doing the initial tweaking and the upgrades, we're very satisfied and very confident in it. We are finding additional uses for it and additional ways to offset the cost of our data circuits such as voice over IP, eventually video conferencing. And our vendor has been very responsive and very helpful in maintaining our configurations.
Louis: I've been very satisfied with our selection of the RedCreek solution. We are at a crossroads, however. We are on Version 2 and they have come out with Version 3. Version 3 has solved some of our issues, like NT Workstation support that wasn't handled in Version 2. My current issue is that of migration. Now they have got a new hardware solution at the central office side that has to replace the existing hardware solution. So going from Version 2 to Version 3 requires a more significant upgrade than I would have liked at this point. What I've got now for Windows 95 environments on the remote VPN side, and also network to network which we have tested, I have been satisfied with.
Bill: I too have been satisfied with the decision and with the folks at VPNet. They have been great about supporting our needs. It may be that I have a relatively simplified environment. Our PCs, at least the ones on the franchise side, we purchased, we configured, we locked down the desktop and we rolled them out. There wasn't a need for us to ship disks to an end-user and say "put the disk in drive A" kind of a thing. We did it all for them, so we had complete control over the configuration, which was nice. And every single image is the same. So we didn't really run into any conflicts that weren't handled up front. On the network side, installing the VSU hardware, my network guy did it in a day. He had it up and running and was dialed into it. There were really no major issues.
