
Trimble Navigation finds VPNs useful for remote access


Tech Insider

Stanley Ching and Paul Forbes are peeling an onion, but it doesn't make them cry. Far from it. It makes them practically giddy with glee.

Their task will save the company they work for, Trimble Navigation in Sunnyvale, Calif., lots of money and improve corporate communication.


The two IS professionals have found that setting up a VPN is like peeling layers off an onion, never knowing what problems will be revealed next nor how many layers remain.

They're not complaining, though, because they already stand to cut their network costs, and they are still in the trial phase of their rollout.

Consider that just one of the company's engineers runs up an ISDN long-distance bill ranging up to $5,000 per month to dial in from home in Tucson, Ariz., to Trimble's corporate network. Those costs could be cut to a flat $300 per month Internet access fee for a 700K bit/sec DSL line if the company switches to a remote access VPN.

Setting up such a VPN calls for redundant Cisco VPN gateways costing $30,000, but the investment is well worth it, says Forbes, Trimble's network engineer. "If we get rid of [the engineer's ISDN bill] for 10 months, we just paid for the VPN boxes. That's very compelling," he says.

Similarly, the company stands to cut the cost of linking its New Zealand office to headquarters from at least $8,000 per month to less than $4,000 by switching from frame relay to a site-to-site Internet VPN link supported by a 512K bit/sec wireless access link.

Spurred by such dramatic potential cost savings, Trimble embarked on its VPN project last December. First it identified three sets of WAN users: the roaming sales force, telecommuters and Trimble sites. The first two groups dialed in to an 800 number using analog modems or ISDN. They number about 500 scattered around the world.

Of the company's more than 40 offices, 15 were connected to Sunnyvale headquarters via frame relay, including sites in 10 other countries.

Roaming users became the first target because of the $75,000 per month 800-number bills they run up, says Ching, Trimble's IS manager for network infrastructure. If those users instead made a free local call to an ISP, they could use VPN technology to turn the Internet into a secure, long-haul connection back to headquarters, which is connected to the 'Net by two bonded T-1 lines.

Using gear Ching and Forbes bought from Altiga (now part of Cisco), they quickly set up a remote access trial among 30 mobile users. At first the VPN client software was installed by IS staff, then users installed it themselves from CDs. Now they download it from a secure Web site.

The self-installation is so easy, virtually all users have done it without help, Forbes says.

Trimble has signed an agreement with Ipass, an international consortium of ISPs that lets users make local calls in 150 countries to connect with the Internet. About 150 Trimble salespeople are now using the dial-up VPN.

Trimble planned to use the same Altiga VPN boxes to link corporate sites, but discovered the task was more complicated than it originally thought and more complex than the Altiga gear was designed to handle.

"The box has support for [Open Shortest Path First and routing information protocol], but it is not per se a router," Forbes says. Also, the Altiga gear would have required a firewall, Dynamic Host Configuration Protocol (DHCP) support and a serial connection as add-ons. A Cisco router with VPN features could do that in one package.

Cisco routers could also head off potential problems when Trimble tries to load balance between dual Internet links into important sites. Trimble wants to route based on policies such as latency and packet loss for real-time applications, such as sales order entry.

"The Altiga boxes were never, ever meant to do that order of traffic shaping," Forbes says.

Forbes' and Ching's knowledge of VPNs wasn't sophisticated enough at the time they made the purchase to recognize that.

Trimble has decided to go with Cisco's recommendation for site-to-site connections: VPNs based on Cisco 7100, 2600 and 1700 series routers, encryption processors and the VPN features of Cisco IOS software. That requires upgrading the Cisco routers at each site, but that was planned within 18 months anyway.

"If we chose to steer away from that, we'd find ourselves more and more outside what Cisco is developing. And even though they'd support [Altiga site-to-site], Cisco technicians are not going to have very much experience with it. We looked at [Cisco IOS site-to-site] from a functionality and a support perspective and said, 'You know what? We better go that way,'" Forbes says.

The final user group, telecommuters, remains a challenge. Many of them will be connected to the Internet VPN via always-on broadband links provided by DSL or cable modem, making these sites vulnerable to attacks over the Internet. That means Trimble needs inexpensive firewalls that can also support the VPN and be managed and monitored easily for mass deployment.

Cisco's lowest price answer was a PIX firewall that costs about $2,000, too much for most sites, Forbes says. So the company is looking to Red Creek to make its Personal Ravlin II combination firewall-VPN boxes interoperate with the Cisco gateways.

Forbes says he expects the Red Creek gear to suffice for a trial rollout later this year, but to fully deploy to teleworkers he needs Cisco to step up. "We need more elegant, more scalable solutions," he says.

Meanwhile, Trimble has lined up DSL service provider DSL Networks to provision DSL lines as well as offer service quality guarantees for traffic crossing DSL Networks' private backbone. That way teleworkers get guaranteed quality of service by staying off the public Internet. Trimble gets a 99.75% network-availability guarantee.

Finishing its VPN deployment requires patience as Trimble waits for Windows 2000 clients to fully implement IPSec and interoperate with Cisco VPN gear. If Windows 2000 becomes the standard Trimble desktop, there will be no extra VPN client software to deploy. The company is also waiting for tools to change policies and update client software.

"The fact that the vendors have gotten to the point that they have is admirable. There's a lot of functionality packed within VPNs, and they're doing a pretty good job of moving on it. We realize these are deeper layers of the onion," Forbes says.


Related links

Contact Senior Editor Tim Greene

VPNs take center stage
Virtual private networks merge IP technology with encryption to offer significant cost savings on WAN traffic.

VPN service providers
There are plenty of options if you want to outsource your VPN.

VPN vulnerability
Personal firewalls for remote users are recommended to protect the network from hack attacks.

Face-off: Build your own VPN or outsource?
Indus River Networks' Dave Zwicker and Concentric Network's Mark Fisher face off.


Copyright, 1994-2006 Network World, Inc. All rights reserved.