Virtual private network vendors promise the world, but just WHAT ARE VPNs and which kind is best?
If developing a virtual private network (VPN) strategy seems as difficult as making your way through a Peruvian rain forest, don't let it get you down. It's not your fault. The problem is that vendors from all corners of the industry are using the term VPN to describe different things. Traditional carriers may try to sell you a VPN that amounts to a frame relay net or a remote access service based on the public switched telephone network. Other providers use the term in reference to services provided over their private data networks - what used to be known as value-added networks. To us, none of these definitions cuts it. One of the key benefits VPNs are supposed to provide is low cost. And the key to achieving low cost is using the Internet: Its shared nature reduces costs for everyone. Additionally, for a network to be "virtually" private implies that, in reality, it's public. While services such as frame relay aren't exactly private, neither are they completely public, meaning that you can tap in or jump off anywhere. So we subscribe to the VPN definition offered by research firm International Data Corp. of Framingham, Mass. (and not because IDC is a sister company of Network World). IDC defines a VPN as a network that supports "private data traveling over public IP infrastructure." The IP infrastructure is the Internet, the most public data network there is. But users each get their own private slice of the 'Net, making it appear as if their traffic is traveling on a private network, hence the "virtual." These private tunnels enable you to give remote users - traveling employees, branch office workers, or even customers and suppliers - access to your corporate network. Carving out that private slice of the Internet is no mean feat, however. Vendors are floating a number of approaches, which fall into two main categories: do-it-yourself or let a service provider do it for you. Under each category, there are a number of options. Do-it-yourselfers can:
Service providers likewise offer variations using some combination of these pieces of equipment and software. But most of the service providers have allied themselves with only one or two hardware or software vendors, so any given carrier is not likely to offer much choice. Given the various ways you can create a VPN, whom should you talk to first? If keeping your corporate traffic secure is of the utmost importance, most analysts agree you should leave your traditional router and server vendors behind and start anew with a hardware encryption vendor. An encryption device typically sits behind a firewall. It encrypts traffic going out over the Internet to internal users and business partners, and decrypts incoming traffic. In most cases the firewall is still the first line of defense, but the hardware device adds another strong layer of security. While the primary component of these devices is hardware, they all require client software that sits on a user's laptop or desktop computer. This software lets traveling employees and branch office users exchange secure data with those on the corporate network. Hardware encryption devices are considered more secure than their software-based counterparts because they can support higher levels of key encryption without introducing latency, says Joel Snyder, a senior partner at Opus One, a Tucson, Ariz.-based consulting firm. "Three leaders in this area are Radguard, RedCreek and TimeStep," says Snyder, a member of the Network World Test Alliance who has conducted extensive VPN product testing. These three vendors offer users the easiest way to deploy and support the most solid security available, he says. Radguard's cIPro, the company's latest hardware encryption device, supports up to 128-bit key encryption and the IP Security (IPSec) protocol. As far as encryption goes, 128-bit is pretty powerful. 
Keys of about 56 bits or less are considered by experts to be vulnerable to hackers, but anything above that is suitable for most applications. The most powerful encryption methods available today use 164 bits. The bottom line: More bits mean more security. IPSec, meanwhile, is the IETF standard for securing business traffic for transport over the Internet. The IETF approval process, while not complete, is progressing in stages. Many vendors, including RedCreek and TimeStep, are already claiming IPSec support based on the IETF-approved portions of the standard. At any rate, the industry has pretty much come to the consensus that IPSec is the security standard for business traffic over the Internet. IPSec defines how to encrypt the IP address of a sender along with the entire IP payload. The protocol uses a 164-bit key encryption algorithm based on the Digital Encryption Standard (DES). IPSec also ensures that rogue packets - basically packets that don't belong - are not inserted into the original traffic stream. The standard supports the use of digital signatures and unique digital certificates based on the X.509v3 standard. But the digital certificate portion of the IPSec standard is one of the primary areas where interoperability trouble lies. Digital certificates are unique identifiers based on public keys and are issued by certificate authorities. To access a secured network, a user submits his unique certificate to a central authorization server, typically a Lightweight Directory Access Protocol server, which checks the certificate against a database of authorized users. Once the user is authenticated, the encrypted session is established. The interoperability problem is that various authorities can issue certificates, but certificates from different authorities won't work together. That effectively forces you to get all certificates from the same authority, at least until the IETF finishes hashing out the issue.
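The passage above says IPSec keeps "rogue packets" out of the traffic stream. The following is an added illustration, not code from the article or from any vendor named in it, of the two mechanisms that do that work: a keyed integrity check over each packet and a sliding anti-replay window on the receiver. It assumes HMAC-SHA256 as the keyed hash (the article's DES-based algorithm is not modelled), a 64-entry window, and a constructed packet layout of a 32-bit sequence number, payload, and 32-byte integrity check value.

```python
"""
Added example (not from the Network World article): a model of IPSec-style
packet integrity and anti-replay checking. Assumptions: HMAC-SHA256 as the
integrity algorithm, a 64-entry anti-replay window, and a constructed packet
layout of  seq(4 bytes) | payload | ICV(32 bytes).
"""
import hashlib
import hmac
import struct

WINDOW = 64          # anti-replay window size (constructed; RFC 4303 suggests at least 32)
ICV_LEN = 32         # length of an HMAC-SHA256 digest


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: prepend the sequence number and append an integrity check value."""
    header = struct.pack(">I", seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + icv


class Receiver:
    """Receiver side: verifies the ICV, then rejects replayed or stale packets."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set  =>  sequence (highest - i) already accepted

    def accept(self, packet: bytes):
        """Return (ok, reason, payload); reason is a short label a log line could carry."""
        if len(packet) < 4 + ICV_LEN:
            return False, "truncated", None
        header, body, icv = packet[:4], packet[4:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        # Integrity first: a packet forged or altered in transit never gets further.
        if not hmac.compare_digest(expected, icv):
            return False, "bad integrity check", None
        (seq,) = struct.unpack(">I", header)
        if seq == 0:
            return False, "sequence zero not allowed", None
        if seq > self.highest:
            # Slide the window forward and mark the new highest sequence as seen.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return True, "ok", body
        offset = self.highest - seq
        if offset >= WINDOW:
            return False, "too old", None          # fell off the back of the window
        if self.bitmap & (1 << offset):
            return False, "replay", None           # already accepted once
        self.bitmap |= (1 << offset)               # late but genuine: accept once
        return True, "ok", body


def demo():
    """Constructed traffic: genuine, replayed, forged, altered, and out-of-order packets."""
    key = b"constructed-shared-key"
    rx = Receiver(key)
    results = []
    results.append(rx.accept(protect(key, 1, b"hello"))[1])        # ok
    results.append(rx.accept(protect(key, 2, b"world"))[1])        # ok
    results.append(rx.accept(protect(key, 2, b"world"))[1])        # replay
    results.append(rx.accept(protect(b"wrong-key", 3, b"rogue"))[1])  # bad integrity check
    altered = bytearray(protect(key, 3, b"fine"))
    altered[4] ^= 0x01                                              # flip one payload bit
    results.append(rx.accept(bytes(altered))[1])                   # bad integrity check
    results.append(rx.accept(protect(key, 100, b"jump"))[1])       # ok, window slides
    results.append(rx.accept(protect(key, 30, b"stale"))[1])       # too old (100 - 30 >= 64)
    results.append(rx.accept(protect(key, 50, b"late"))[1])        # ok, inside the window
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The order of checks matters: the integrity check runs before the window is consulted, so a packet with a bad ICV can never advance the window or mark a slot as used.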
Routing around your VPN

Users who want a VPN but feel more comfortable working with a vendor they're familiar with may be tempted to turn to their router vendors. From 3Com to Cisco, they all have a VPN approach. Many routers can be made VPN-ready with the addition of some software or by programming software that may already be installed. For example, 3Com's NetBuilder router can support site-to-site tunneling over the Internet using the Point-to-Point Tunneling Protocol (PPTP). The router can handle anywhere from 48 to 2,500 VPN tunnels, says Neil Henry, product manager for security at 3Com. The company isn't yet supporting digital certificates for authentication but instead is using shared secrets until the IPSec protocol is final and interoperability issues among certificate authorities are resolved, Henry says. Shared secrets involve an alphanumeric set of characters based on an agreed-upon format with minimum and maximum lengths. They are similar to digital certificates, but there is no third-party certificate authority. Instead, the secrets are shared among users. In lieu of supporting the IPSec standard, 3Com is offering 56-bit DES and in September began shipping 128-bit encryption support in hardware and software. Opus One's Snyder warns that while internetwork vendors heavily push their VPN wares, implementations may be limited in terms of flexibility, depending on router capacity and the number of simultaneous tunnels supported. You need to evaluate the processing load on your routers prior to adding VPN support, says Greg Howard, senior analyst at Infonetics, a San Jose, Calif.-based consulting firm. If the routers are running at near-full capacity, they will not be able to support multiple VPN tunnel sessions without dropping packets. The router approach can also be expensive. If a router isn't powerful enough to support hundreds of simultaneous tunnels, you may be forced to upgrade it to a larger model.
Upgrading to a Cisco 7000 would cost you about $60,000, Howard says, whereas adding a Radguard or RedCreek hardware device would only run $4,000 to $6,000. In short, given that VPNs are still new, sticking with your existing vendor for the sake of simplicity is not the best idea, he says.
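The shared-secret authentication described above (an agreed-upon alphanumeric secret with length limits, and no third-party certificate authority) can be sketched as a small handshake. This is an added example, not code from the article or from 3Com: it assumes an IKE-style pre-shared-key exchange in which each side sends a nonce and then proves knowledge of the secret with HMAC-SHA256 over both names and both nonces; the endpoint names, nonces and length policy are constructed for illustration.

```python
"""
Added example (not from the Network World article): two VPN endpoints
authenticating each other with a shared secret rather than certificates.
Assumptions: HMAC-SHA256 as the keyed hash, a constructed 16..64-character
alphanumeric secret policy, and constructed endpoint names and nonces.
"""
import hashlib
import hmac
import os

MIN_LEN, MAX_LEN = 16, 64   # constructed "agreed-upon format" limits


def check_secret_format(secret: str) -> bool:
    """Enforce the agreed format: alphanumeric, within the length bounds."""
    return MIN_LEN <= len(secret) <= MAX_LEN and secret.isalnum()


class Endpoint:
    """One side of the tunnel; holds its name, its copy of the secret and a fresh nonce."""

    def __init__(self, name: str, secret: str):
        if not check_secret_format(secret):
            raise ValueError("shared secret does not match the agreed format")
        self.name = name
        self.key = secret.encode()
        self.nonce = os.urandom(16)

    def _auth(self, prover: str, verifier: str, prover_nonce: bytes, verifier_nonce: bytes) -> bytes:
        # Binding both identities and both nonces prevents a proof from being reused.
        msg = prover.encode() + b"|" + verifier.encode() + b"|" + prover_nonce + verifier_nonce
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def proof(self, peer_name: str, my_nonce: bytes, peer_nonce: bytes) -> bytes:
        """Value sent to the peer to prove knowledge of the secret."""
        return self._auth(self.name, peer_name, my_nonce, peer_nonce)

    def verify(self, peer_name: str, peer_nonce: bytes, my_nonce: bytes, proof: bytes) -> bool:
        """Check the peer's proof against our own copy of the secret."""
        expected = self._auth(peer_name, self.name, peer_nonce, my_nonce)
        return hmac.compare_digest(expected, proof)


def handshake(initiator: Endpoint, responder: Endpoint) -> bool:
    """Four-message exchange; True only when both sides hold the same secret."""
    ni, nr = initiator.nonce, responder.nonce          # messages 1 and 2: nonces in the clear
    proof_i = initiator.proof(responder.name, ni, nr)  # message 3: initiator's proof
    ok_r = responder.verify(initiator.name, ni, nr, proof_i)
    proof_r = responder.proof(initiator.name, nr, ni)  # message 4: responder's proof
    ok_i = initiator.verify(responder.name, nr, ni, proof_r)
    return ok_r and ok_i


def demo():
    """Constructed run: a matching pair succeeds, a peer with a different secret fails."""
    hq = Endpoint("hq", "correcthorsebattery")
    branch = Endpoint("branch", "correcthorsebattery")
    other = Endpoint("branch", "wrongsecretwrongsecret")
    return handshake(hq, branch), handshake(hq, other)


if __name__ == "__main__":
    print(demo())
```

Note the operational cost the article hints at: every pair of sites that must talk needs the same secret configured on both ends, which is the scaling problem certificates and a central authority are meant to solve.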
Router hope

But Howard notes some internetwork vendors are coming out with multiservice VPN devices, which are expected to grow in popularity. These devices are basically routers or switches outfitted with more advanced security and encryption hardware. A number of internetwork vendors have been on the acquisition trail to garner VPN hardware expertise. Bay Networks earlier this year spent $156 million to acquire New Oak, one of the first companies to roll out hardware that supports encryption and switching. (Nortel has since acquired Bay.) Similarly, Shiva this year acquired Isolation Systems, a hardware encryption company, and integrated Isolation's products with Shiva remote access gear. The products Bay now offers as a result of its New Oak acquisition are the NOC 2000 and 4000 Extranet Access Switches. These devices support Layer 2 Forwarding (L2F), Layer 2 Tunneling Protocol, PPTP and IPSec tunneling and security protocols, enabling users to choose the protocol that best suits their needs (see graphic below). Bay's NOC switches interoperate with Microsoft's Windows 95 and NT 4.0 software clients. Cisco's PIX firewall server, which is integrated with the firm's 1600 and 2500 series routers, is also getting more secure. Cisco and RedCreek this year signed a deal that will allow Cisco to integrate RedCreek's Ravlin hardware into its PIX firewall, which will give Cisco users IPSec support. While hardware may be the Holy Grail of VPNs, there are software options. Compaq's AltaVista Tunnel 98 (acquired along with Digital), Data Fellows' F-Secure VPN Plus, Microsoft's NT Routing and Remote Access server, and Aventail's VPN Gateway are just a few of the software packages you can use to build a VPN. The idea of using software to fashion a VPN has been around for about three years, according to Compaq, but that relatively long history doesn't mean it's a better approach. In fact, analysts aren't too hot on software-based VPNs.
Users who already have Windows NT servers in their networks may think it will be easy and inexpensive to use the same servers to set up a VPN. That's not the case, Snyder says. "Software licenses are not cheap, and if you're going to have many users connecting to a server that supports thousands of simultaneous tunnels, you'll have to upgrade your server hardware," he says. On top of that, he notes PPTP, Microsoft's tunneling protocol, does not offer the highest level of security. In addition to supporting weaker levels of encryption than hardware, software VPNs as a group don't scale very well, Infonetics' Howard says. Pirkka Palomaki, product manager at Data Fellows, acknowledges the shortcomings - to a point. "Every time you add encryption there is a slight impact on performance on the network," he says. "But it's something we are addressing all the time, and our products perform as fast as some hardware devices." The VPN software companies see the writing on the wall and have already stated plans to develop hardware-based encryption products, whether on their own or through partnerships and acquisitions, Howard says. Compaq is a case in point. The company is developing a hardware encryption device that will be tightly integrated with its AltaVista Tunnel software, says marketing manager Ray Suarez. The combination hardware/software package will be for larger enterprises that need a high-end VPN, he says, while the lower cost, software-only option will be targeted at small to mid-size businesses. AltaVista Tunnel 98 is based on a proprietary protocol developed by Digital that supports 128-bit encryption, Suarez says. "Our next set of products will be IPSec compliant," he adds. Compaq wouldn't give any details as to when it will deliver the new hardware/software version of AltaVista, but based on past production cycles you can expect a new version before year-end.
Firewalls

The final class of roll-your-own VPNs is the firewall variety. Firewalls are typically used as policy-based traffic managers that let you establish a protective layer between your corporate network and the Internet. Most of these products support tunneling capabilities, but more and more are adding stronger encryption and security features. For instance, SecureComputing this year came out with SecureZone, an upgrade from its BorderWare Firewall Server, which only supported PPTP tunneling. SecureZone now supports IPSec. SecureZone, while software based, is now operating system-independent. It requires an Intel Pentium PC, but SecureComputing provides a bootable CD-ROM that turns the PC into a SecureZone server. And based on an agreement made in April, RedCreek is designing a software client for the SecureZone firewall that will support a high level of encryption and digital certificates. CheckPoint Software Technologies is also getting help to beef up its software-based Firewall-1. Earlier this year, CheckPoint announced a deal to integrate Firewall-1 with Internet Security Systems' Real Secure intrusion detection software. Real Secure analyzes packets and traffic patterns to detect network intruders and immediately notifies network managers of an attack.
Servicing your VPN

If you think your company can save money and improve communications among your branch offices by deploying a VPN, but you don't have the staff or expertise to deploy the network in-house, it's time to talk to your ISP. The trouble will be finding a provider that's up to snuff. It's best to look for an ISP that's offering a variety of firewalls and/or VPN hardware devices, Howard says. For instance, TCG CerfNet, @Work and Epoch Networks, three national ISPs, are offering VPN services based on RedCreek's Ravlin hardware devices, in addition to supporting a variety of firewall servers. In terms of variety, WorldCom Advanced Networks is probably your best bet. Due to WorldCom's multiple ISP acquisitions over the past few years, it now has five VPN service offerings, although not all of them meet our definition. WorldCom's offerings are WorldVPN, SafeReach IP, Virtual Private Data Network (VPDN), ExtraLink and ExtraLink Remote. WorldVPN uses CheckPoint Firewall-1 servers along with Security Dynamics ACE Servers and SecurID tokens for secure dial-up user access. The service also supports dedicated access. SafeReach IP uses Cisco's L2F tunneling protocol but operates over CompuServe's proprietary network; it does not include Internet access. VPDN, originally designed by ANS Communications, is a dedicated VPN service that lets you set up a proxy firewall server. ExtraLink is UUNET WorldCom's fully managed, dedicated extranet/VPN service that enables you to open your corporate network to outside business partners and clients. This service also uses CheckPoint Firewall-1 servers. ExtraLink Remote, which will eventually be migrated into the WorldVPN service, supports dial-up access to a company's internal IP network. AT&T WorldNet, IBM Global Services, PSINet and Concentric Network, like many other ISPs, have rolled out VPN services over their Internet backbones.
This means if you dial in over another ISP's network, your company's service-level guarantees will not hold. "We can't guarantee performance over the Internet, so instead we've decided to invest in building quality-of-service parameters and strong service-level agreements into our VPN service," says Bob Schroder, manager of IP services at AT&T WorldNet. While VPNs that use the Internet are less expensive than frame relay-based VPNs, some users aren't comfortable with the idea of their corporate traffic traveling over public 'Net byways. But frame relay is also a shared network, so don't let carriers fool you on that account. The only "private" network setup would be one based on dedicated leased lines, which are more costly than an Internet-based VPN (see graphic below). If you set up a dial-up VPN that uses the Internet as a means of access, then you immediately have a worldwide network, says Brad Baldwin, IDC's director of remote access. You simply don't have that with a frame relay network. ISPs are struggling to develop the right combinations of quality networking and security expertise to address users' VPN needs. If it's not imperative that you get a VPN set up immediately, perhaps you can wait for more robust VPN services to become available over the next year.
Whether choosing a hardware, software, firewall or service provider VPN approach, you can increase flexibility and reduce overall costs by using the Internet to keep your users in touch. There are dangers lurking on the 'Net, but the right type of protection can keep your network safe and sound.
VPN '98
For more than a decade, carriers used the term VPN (as well as SDN, for Software Defined Network) to refer to their virtual private voice offerings. Pinning down the vendor that was first to steal . . . er, borrow the term for data offerings is tough, but after dusting off a bunch of old press releases, we're giving the honor to CheckPoint Software Technologies.
"CheckPoint was one of the very first companies to offer enterprise security products that supported VPNs," says Greg Smith, product marketing manager at the software company. Although Smith could not confirm that CheckPoint was the very first company to use "VPN" in reference to IP-based data networks, he says the company has been using the term since 1994.
Copyright, 1995-2001 Network World, Inc. All rights reserved.