VPN services save money despite stalled implementation
Three users describe the pros and cons of VPN service deployments.
Going with VPN services rather than installing and managing your own VPN offers your company the ability to increase bandwidth, add remote access capabilities, and get advanced security with redundant data transfers. But current users warn that you must be prepared to deal with the pitfalls of this VPN approach, which include unreliable Quality of Service over the Internet, implementation issues arising between ISPs and local telcos, and almost non-existent international Service Level Agreements.
If you don't have available IT resources and aren't looking forward to the $5,000 to $20,000 hardware investment to buy and deploy a traditional VPN system, using ISP-based VPN services can save you money, says Harvey Golomb, President, Netscan iPublishing. This Falls Church, VA, company uses OpenReach TrueSpan Services to reap a higher reliability of data transfer and better monitoring of the network for publishing online legislative and regulatory news feeds to its customers. Golomb says that by going with a managed VPN service over rolling out a VPN, Netscan saves approximately 25 percent annually and about 90 percent of the one-time startup costs.
Another user, David Brauchler, national telecommunications manager for the international law firm Paul, Hastings, Janofsky & Walker, concurs that ISP-based VPN services can save money. While Brauchler says the law firm's IT staff could have implemented most of its own VPN, problems might have arisen that would have cost a lot of man-hours, and in the long run the result might not have worked as well.
Paul, Hastings, Janofsky & Walker chose Fiberlink's managed VPN system so that, should a problem arise, IT could just make one call and say, 'Fix it,' says Brauchler. Unlike OpenReach, Fiberlink isn't a typical ISP: it resells VPN service from a number of ISPs, including UUNET, Epoch, and Qwest, but it does provide the law firm with a VPN system. Since the initial deployment a year ago, the firm and its IT staff have grown. With plans to add more staff this year, having to make just one call to get a reliable system that hasn't resulted in any business profit loss pays off, he says.
Reap the benefits
"Managing a VPN ourselves would have been much too costly both in direct costs and personnel costs," says Golomb. He says deploying a traditional VPN system would have required a full-time network administrator at each of his company's locations. There are also the connection costs for supporting a Virginia site with a T-1 Internet connection, a sales office in Exton, PA, with a DSL connection, and a computer center in Jacksonville, FL, running a cable modem connection. Instead, Netscan uses OpenReach site-to-site VPN services to transfer about 10G per year between offices. With this volume increasing annually, traditional FTP was not reliable enough or secure enough, and generally not adequate for this critical function, says Golomb.
Similarly, Brauchler says Paul, Hastings, Janofsky & Walker, headquartered in Los Angeles, CA, implemented managed VPN services from Fiberlink to increase Internet bandwidth, redundancy and remote access capabilities.
"With Fiberlink, we weren't locked into one type of canned solution without choices. No two companies are the same, yet some vendors only support one basic type of configuration, hardware, or even just one carrier," says Brauchler.
The firm supports 800 attorneys in nine offices around the globe, using both site-to-site and dial-up remote VPN services for its network. The firm's main applications include email, document sharing, open document libraries, and accounting, and it uses Citrix MetaFrame to give remote users all the application access they have while in the office. All of these run across secure VPN tunnels, either between offices or remotely. With VPN services starting on site, the firm owns the routers, VPN gateways, and firewalls.
"The VPN provides us expandability and flexibility. The design we put together with Fiberlink's help provides greater redundancy at a lower cost than our old frame relay service would have," says Brauchler.
Brauchler says Fiberlink's VPN service has given each office plenty of bandwidth for direct access to the Internet. He says that prior to the Internet-based VPN, the firm was on a single T-1-based meshed frame relay WAN. Only two of its offices had direct T-1 connections to the Internet, and these were shared with the other offices, which made connecting to the Internet very slow for some offices, he says. The VPN service installation gave each office two direct T-1s to the Internet for transporting the inter-office communications through secure tunnels.
Brauchler says the firm's main driving force to implement a VPN was not cost savings but rather an increase in functionality and performance. Paul, Hastings, Janofsky & Walker managed to save 10 percent on the circuit costs over its old frame-relay WAN, in spite of the fact that overall monthly spending increased by 50 percent for the Internet-based VPN system. However, for that increase in spending the firm doubled the bandwidth at every office and increased Internet access bandwidth ten-fold. Aside from additional bandwidth, the law firm's Fiberlink VPN service adds full redundancy, better security, and offers new remote access capabilities, says Brauchler.
With the VPN equipment on-site, together with Fiberlink, Brauchler's IT staff has full control over the configurations and settings as well as the ability to actively monitor security settings and attacks. In June, Paul, Hastings, Janofsky & Walker acquired another law firm of 125 attorneys and 300 total users. IT was able to assume responsibility for the existing Internet T-1, install new VPN equipment on-site, and connect the new firm to the network in less than a week since the firm's Cisco routers have enough expandability to add additional circuits or increase bandwidth at any time.
Brauchler says a wide array of remote access options exists for attorneys and staff, from dial-up to DSL or cable modem, plus an edge in setting up extranets for clients. He says IT has been happy with the Fiberlink relationship over the past year, with the vendor being a hearty resource for questions ranging from internal expansion to setting up secure extranet connections to clients. He says the customer service is more personal than that of other, larger vendors, and experienced technicians are more accessible to IT, with account managers returning calls and responding to emails quickly.
Tripling network security
Security was one of the main concerns on his VPN project right from the start and remains so today, says Brauchler. By installing a VPN, his staff knew there would be potential security risks, and thus needed to address these risks as a priority, he says. The VPN implementation needed to guard against any type of unauthorized access and maintain the level of security and confidentiality the firm's clients and attorneys required, he says. "There's a law in remote access. The easier it is, the less secure it usually is," says Brauchler.
He says the firm continually trains its IT staff on Internet security, yet it remains a skill area of low expertise, so the firm required a qualified integrator that had strong security expertise. While the firm has its own internal 24x7 monitoring system for the entire network, including Internet usage and security, Fiberlink provides remote 24x7 monitoring as well.
Since the VPN uses the Internet to carry all office-to-office communications, as well as remote access services, the firm opened itself up to potential security issues. IT made sure the VPN gateways supported the latest and highest levels of IPSec and Triple DES encryption and had properly configured authentication certificates. IT tightened the configuration on firewalls, and has a third-party vendor provide bi-annual security audits and penetration testing, not only externally through the VPN, but also over any dial-up or internal workstations. Brauchler recommends that any company installing or using VPNs, remote access, or even dedicated Internet connections contract with a third-party vendor for unbiased full security audits as added protection.
Improving network security was also one priority forcing Bechtel, a global engineering and construction company with corporate headquarters in San Francisco, to begin limited implementations of both site-to-site and dial-up VPN services from UUNET, says Chris Zeck, the company's Global Network Manager. Bechtel interconnects over 250 offices and sites around the world and has a number of joint-venture companies and subsidiaries with inter-corporate connections.
Aside from security, Bechtel is pleased with UUNET's end-to-end network management and monitoring service because it doesn't need to add staff to look into daily network administration and management. IT leveraged existing contracts with UUNET to take advantage of aggregate discounts. Additionally, Zeck was impressed with UUNET's demonstrated flexibility and responsiveness to Bechtel's requirements. UUNET exhibited an extensive global reach with its remote access IPLINK offering.
Zeck says Bechtel is also pleased with UUNET's responsive account managers, representatives, engineering, and technical support. IT also likes the standard design for similar sites, a full mesh topology, and the 7x24 end-to-end management and monitoring.
Trouble with QoS and International SLAs
While Bechtel is satisfied with generally good performance, the uncertainty of QoS for traffic traversing the public Internet and the typical dial-up connection speed of 35K to 40K, combined with the overhead of VPN security, mean performance is poor at best, says Zeck. His staff has also found that the utilization reporting could be improved with real-time client Web access statistics. There's also a lack of support for DSL, and the amount of time it takes to get VPN services up and running from Bechtel's notice to proceed, due to local telco issues, is disappointing.
The present lack of guaranteed international SLAs affects most of Bechtel's projects with international connections, says Zeck. Bechtel does have latency and availability SLAs for domestic UUNET VPN service, including 7x24 management, monitoring, and reporting and some QoS, but IT has experienced issues with monitoring and interpretation of the service levels, he says.
Brauchler says Paul, Hastings, Janofsky & Walker has an SLA with Fiberlink. It covers installation, network availability, outage notification, latency, and packet loss, with latency defined as the average round-trip transmission on the Fiberlink network. Since the law firm's VPN system is fully meshed with direct tunnels between each branch location, IT actually improved its average transmission rates between all sites, in some cases greatly. He says the Fiberlink VPN services are identical for all of the firm's domestic offices, with redundant T-1 circuits through independent top-tier ISPs.
The SLAs from Fiberlink do include the firm's international sites. The only difference for the international sites is latency guaranteed at no more than 120ms compared to 85ms domestically. However, Brauchler says the firm has seen an increase in service overall. Domestically, response time has increased 5 to 10 percent, and international response times have increased even more than that. On the old frame relay network, only headquarters had a direct connection to the European and Asian offices, which made connectivity between these offices and the other domestic sites slow.
Golomb says Netscan doesn't have a VPN SLA in place with OpenReach. Still, IT likes the low level of support required to keep the service running and is very satisfied with the service overall. In particular, Golomb says installation took less than a day: it simply involved downloading software to a PC and configuring the network, and it was up and running. Netscan has had happy users for the past few months, he says.
Consider installation issues
While installation was a piece of cake for Netscan, Brauchler says it took Paul, Hastings, Janofsky & Walker about three months to complete installation at nine sites due to a delay in London with British Telecom, which was responsible for installing the local loop for the E1, the European equivalent of a T-1, for Fiberlink and the ISP. Unfortunately some countries, which need not be too remote, take longer to install circuits, and this must be taken into consideration when ordering service and putting together the project plan, he says.
VPN service installation has been the biggest challenge for Bechtel too, says Zeck. Installation ETAs were barely met or were delayed because of the local telco provider's service (or lack of it), which hindered the ISP. He says the same problem exists with any of the other network services, including Frame Relay and Private Leased Lines.
Considering VPN services are still maturing, Bechtel plans to evaluate current VPN implementations and analyze performance in terms of how it scales to provide the service in an enterprise-wide architecture, says Zeck. Developing a standard network design and testing on a small scale prior to broad deployment is wise, he says.
Brauchler says companies considering adding VPN services should make sure the vendor and product chosen meet current requirements and will be flexible enough to grow to meet future needs.
"Teaming up with a VPN service vendor you can trust, that has the experience and knowledge and also understands your business, will make the process a lot easier," he says.
RELATED LINKS
Review: Pure hardware VPNs rule high-availability tests
Nokia tops the lot in reliability and load-balancing performance.
High availability's dark side
The problem with high availability is that it generally tries to make more than one system look like a single box: one IP address, one media access control address.
Virtual Private Networks: Viable Products Now
Vendor consolidation, better price/performance and new enterprise features mean good things for your network.
Buyer's Guide: Interactive database
Our database includes VPN products from 23 vendors.
How we did it
Our testing methods explained.
Interactive Scorecard and NetResults
Use our calculator to see which VPN product would best suit your network needs.
