Virtual Private Networks: A Technology Overview

What is a Virtual Private Network?

A Virtual Private Network (VPN) is a network that uses the Internet or other network service as its Wide Area Network (WAN) backbone. In a VPN, dial-up connections to remote users and leased line or Frame Relay connections to remote sites are replaced by local connections to an Internet service provider (ISP) or other service provider's point of presence (POP). A VPN allows a private intranet to be securely extended across the Internet or other network service, facilitating secure e-commerce and extranet connections with business partners, suppliers and customers.

There are three main types of VPN:
All of these VPNs aim to provide the reliability, performance, quality of service, and security of traditional WAN environments using lower cost and more flexible ISP or other service provider connections. VPN technology can also be used within an intranet to provide security or control access to sensitive information, systems or resources. For example, VPN technology may be used to limit access to financial systems to certain users, or to ensure sensitive or confidential information is sent in a secure way. There are many definitions of a VPN. Some of the more common definitions are as follows:
VPNs Based on IP Tunnels

The following diagram shows an Internet-based VPN that uses secure IP tunnels to connect remote clients and devices (Figure 2). VPNs based on IP tunnels provide the following benefits:
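To make the tunnel idea concrete, the following is an added example (not code from the original paper or from Cabletron) of a toy IP-in-IP tunnel between two VPN gateways. The outer IPv4 header only carries the packet across the public backbone; the inner packet holds the private-address traffic; and a keyed HMAC tag lets the receiving gateway reject inner packets that were altered or forged in transit, which is the "secure" part of a secure IP tunnel. The gateway addresses, key and packet format are constructed for illustration and are not IPsec or any product's wire format.

```python
"""Toy authenticated IP-in-IP tunnel (constructed example, not IPsec or any
product's wire format). The outer IPv4 header carries the packet between the two
VPN gateways over the public backbone; the inner packet is the private-address
traffic; a keyed HMAC tag lets the receiving gateway reject packets that were
altered or forged in transit."""
import hashlib
import hmac
import socket
import struct

# Hypothetical key shared by the two gateways (constructed for this example).
TUNNEL_KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = 16          # truncated HMAC-SHA256 tag, in bytes
PROTO_IPIP = 4        # IP protocol number for IP-in-IP encapsulation
PROTO_UDP = 17


def ip_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (0 when a header verifies)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, payload_len, proto, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def encapsulate(inner_packet, gw_src, gw_dst, key=TUNNEL_KEY):
    """Outer IPv4 header (proto 4) + inner packet + HMAC tag over the inner packet."""
    tag = hmac.new(key, inner_packet, hashlib.sha256).digest()[:TAG_LEN]
    body = inner_packet + tag
    return ipv4_header(gw_src, gw_dst, len(body), PROTO_IPIP) + body


def decapsulate(outer_packet, key=TUNNEL_KEY):
    """Validate the outer header and the tag. Returns (inner_packet, None) on
    success or (None, reason) when the packet must be dropped."""
    if len(outer_packet) < 20 + TAG_LEN:
        return None, "too short"
    ihl = (outer_packet[0] & 0x0F) * 4
    if ihl < 20:
        return None, "bad outer header"
    if ip_checksum(outer_packet[:ihl]) != 0:
        return None, "bad outer checksum"
    if outer_packet[9] != PROTO_IPIP:
        return None, "not IP-in-IP"
    inner, tag = outer_packet[ihl:-TAG_LEN], outer_packet[-TAG_LEN:]
    expected = hmac.new(key, inner, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None, "authentication failed"
    return inner, None


def inner_addresses(packet):
    """Source and destination of an IPv4 packet, for display."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])


if __name__ == "__main__":
    # Constructed private-address packet from a branch host to a head-office host.
    payload = b"hello"
    inner = ipv4_header("10.1.0.5", "10.2.0.9", len(payload), PROTO_UDP) + payload
    # Constructed public gateway addresses (documentation ranges).
    outer = encapsulate(inner, "198.51.100.1", "203.0.113.7")
    print("outer %s -> %s carries inner %s -> %s"
          % (inner_addresses(outer) + inner_addresses(inner)))
    print("valid packet:", decapsulate(outer))
    forged = bytearray(outer)
    forged[36] ^= 0x01          # flip a bit in the inner destination address
    print("tampered packet:", decapsulate(bytes(forged)))
```

The receiving gateway checks the outer header first (cheap) and the tag last, and drops anything that fails either check; a tampered inner address, a wrong key, or a damaged outer header each produce a distinct rejection reason that a gateway would normally log.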
VPNs Based on ISDN, Frame Relay or ATM

VPNs based on public switched data networks are usually provided by service providers and other carriers, and may or may not provide fully managed services. In most cases, additional services such as QoS options are available. This type of VPN is likely to become particularly popular in Europe, where public switched data networks are widely available and business use of the Internet is less developed. The main benefits of VPNs based on ISDN, Frame Relay or ATM connections include the following:
A Note About the Term "VPN"

VPN Benefits

VPNs offer considerable cost savings over traditional solutions (Figure 4). Find out how much you could save. VPNs cost considerably less than traditional leased line, Frame Relay or other services, because long-distance connections are replaced with local connections to an ISP's point of presence (POP), or local connections to a service provider or carrier network.

Reduced Costs Examples

Example 1: Dial VPN Versus Traditional Remote Access
However, to assess the cost justification completely, we must also consider the potential costs of making the switch to a VPN. A VPN may not make sense if, for example, nearly all of a company's remote users need only make a local call to access the network. This is especially true in the US, where local calls are free as there are no monthly usage charges. In most European countries, however, this is not the case, and a remote access solution based on ISDN may actually be cheaper than a dial VPN solution. In many European countries, ISDN tariffs are low, and extensive use of time cutting, protocol spoofing and filtering can dramatically reduce ISDN costs. See Cabletron's ISDN and Telesaving white paper for more details. Moving to a dial VPN solution means that each remote user requires an ISP account, and the POPs must be local to the majority of the users. The cost benefits might not be as compelling if users are switched to an ISP account with a flat monthly rate but then must

Example 2: Intranet VPN Versus Leased Line and Frame Relay
Based on a cost comparison alone, the reasons for moving to an intranet VPN are compelling. However, a traditional WAN based on leased lines or Frame Relay provides guaranteed levels of Quality of Service (QoS). Replacing a traditional WAN between branch offices and central sites with an intranet VPN is unlikely to give the same levels of performance and QoS to users unless the service provider is able to give throughput and latency guarantees as part of a Service Level Agreement (SLA). See Quality of Service for more information about QoS and SLAs.

Example 3: International VPN Versus International Connections

Internet VPNs

VPNs based on the Internet are becoming widely available, especially as an alternative for dial-up remote access. Generally, when people talk about VPNs, they implicitly mean an Internet-based network as an alternative to a private network based on public network services such as T1 leased lines or Frame Relay. The Internet has become so ubiquitous and Internet service providers (ISPs) so numerous that it is now possible to obtain connections in all but the most remote locations. Most countries worldwide now have ISPs offering connections to the Internet, although some countries still restrict access. So it is possible for many organizations, both large and small, to consider the Internet not just for external communication with customers, business partners and suppliers, but for internal communications as well using a VPN (Figure 7). Internet-based VPNs can be used to outsource remote access with significant cost savings and greater flexibility. Modem racks, remote access servers and the other equipment necessary to service the needs of remote and mobile users can be replaced with a managed service provided by an ISP (see Remote Access VPNs).
While Internet VPNs are suitable for remote access needs, there are still problems to overcome before moving to a full intranet VPN solution. Although most VPN products now offer adequate levels of security, the issue of Quality of Service (QoS) and Service Level Agreements (SLAs) remains. While most VPN service providers can offer guarantees for connectivity and uptime, few can offer adequate throughput and latency guarantees. In addition, there are few agreements between ISPs, so unless you can use a single ISP's IP backbone for all your connections, you are likely to suffer service degradation where connections cross boundaries between ISPs. Most users will not want to give up the levels of service currently offered by leased lines, Frame Relay or ATM networks for something inferior. However, in the long term these problems will be overcome, and Internet-based VPNs will become much more widespread for intranet as well as remote access. In a few years, global VPN services based on the Internet will become as cost-effective and as highly available as global Frame Relay and other public network services.

Public Network VPNs

Public networks such as ISDN, Frame Relay and ATM can carry mixed data types including voice, video and data. They can also be used to provide VPN services by using B channels, Permanent Virtual Circuits (PVCs) or Switched Virtual Circuits (SVCs) to separate traffic from other users (Figure 8). Optionally, authentication and encryption can be used where the identity of users and the integrity of data needs to be guaranteed. Using PVCs, SVCs or B channels makes it easier to provide additional bandwidth or backup when needed. The traffic shaping capabilities of Frame Relay and ATM can be used to provide different levels of QoS, and because these services are based on usage, there is significant opportunity to reduce telecom costs even further by using bandwidth optimization features.
Frame Relay in particular has become a popular, widespread and relatively low-cost networking technology that is also suitable for VPNs. Running VPNs over a Frame Relay network allows expensive dedicated leased lines to be replaced and makes use of Frame Relay's acknowledged strengths, including bandwidth on demand, support for variable data rates for bursty traffic, and switched as well as permanent virtual circuits for any-to-any connectivity on a per-call basis. Frame Relay's ability to handle bursty traffic and built-in buffering means that it makes optimum use of available bandwidth, something that is important in a VPN environment where latency and performance are concerns. Frame Relay can be used to create a VPN in two ways:

Remote Access VPNs

Remote access VPNs (Figure 9) are rapidly replacing traditional remote access solutions as they are more flexible and cost less. Remote access refers to the ability to connect to a network from a distant location. A remote access client system connects to a network access device, such as a network server or access concentrator. When logged in, the client system becomes a host on the network. Typical remote access clients might be:
With VPNs, local area users typically have a wider range of data services to choose from, regardless of the support at the enterprise or central site VPN equipment. However, long-distance connections are currently via modem access. What VPN carriers currently offer corporations are "Work Globally, Dial Locally" services. The VPN equipment will use high-speed leased lines to the nearest POP of the chosen VPN carrier and all remote access traffic can be aggregated or routed as IP datagrams over this single link.

Advantages of Remote Access VPNs over Traditional Direct-Dial Remote Access

Most of the disadvantages listed here refer to Internet-based VPNs, and solutions will be available on VPN-focused carriers. Possible disadvantages of VPN remote access include the following:
Intranet VPNs (Figure 10) can be used to provide cost-effective branch office networking and offer significant cost savings over traditional leased-line solutions. Intranet, or site-to-site, VPNs apply to several categories of sites, from small office/home office (SOHO) sites to branch sites to central and enterprise sites. SOHO sites could be considered as remote access users where dial services are used, but as SOHO sites often have more than one PC, they are really small LAN sites. In an intranet VPN, expensive long distance leased lines are replaced with a local ISP connection to the Internet, or secure Frame Relay or ATM connections as shown in the following diagram. Local ISP connections can be provisioned using many technologies, from dial-up POTS and ISDN for small sites, to leased lines or Frame Relay for larger sites. New emerging "last mile" technologies such as DSL, cable and wireless provide both low-cost and high-speed access. Many ISPs and service providers are now starting to support these emerging technologies for Internet access, particularly for home users and SOHO sites. The intranet market is one where traditional WAN carriers are likely to compete heavily with ISPs. Traditional WAN carriers can offer a VPN service similar to a Frame Relay service with Quality of Service (QoS) based on Committed Information Rate. Traditional WAN carriers are well placed to push their advantage in providing secure, reliable, low-latency intranet links by adapting their current services to support routed VPN links.

Advantages of Intranet VPN Solutions

Possible disadvantages of intranet VPNs include the following:
There are a number of issues, both technological and practical, that need to be overcome before you can implement a VPN. Here are some of these issues.

Security

Performance and Quality of Service (QoS)

Monitoring Actual Throughput

Preventing Denial of Service Attacks

Scalability

Client-based software should be as transparent as possible. VPN carriers will require new management tools in order to simplify the configuration and monitoring of a corporate customer's VPN. Also, VPN customers may well want a privileged management window into their VPN carrier-held database to make changes for themselves!

Flexibility

Telesaving

Bandwidth Reservation and Quality of Service (QoS)

Some possibilities for inbound reservation are:
High-Performance Routing Issues

Quality of Service

What Quality of Service can you expect from your VPN service provider, and how can you measure what you are getting?
Most data services, such as Frame Relay, provide guarantees for uptime and availability, as well as throughput and response time. These guarantees, or Quality of Service (QoS) metrics, are defined in the Service Level Agreement (SLA) with your service provider.
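One way to answer the "how can you measure what you are getting" question is to compare your own probe measurements against the SLA terms. The following is an added example (not code from the original paper or from Cabletron, and not any provider's tooling) that reads a few constructed probe records per VPN link, computes uptime, mean throughput and 95th-percentile round-trip time, lists which SLA terms each link fails, and flags links whose path crosses a boundary between service providers, the case the paper notes as one where an end-to-end SLA is unlikely to hold. The SLA thresholds, link names and probe values are all constructed for illustration.

```python
"""Check measured VPN link quality against SLA terms (constructed example).

The probe records below are constructed for this example, not real provider
data. Each line: time,link,provider_path,throughput_kbps,rtt_ms,up, where
provider_path lists the service provider networks the link crosses ('>' marks
a boundary between providers)."""
import csv
import io
import math
from collections import defaultdict

# Hypothetical SLA terms (constructed): committed throughput, latency ceiling, uptime.
SLA = {"min_throughput_kbps": 512, "max_rtt_ms": 120, "min_uptime_pct": 99.5}

PROBES = """\
time,link,provider_path,throughput_kbps,rtt_ms,up
2024-01-01T00:00,hq-branch1,ISP-A,1480,38,1
2024-01-01T00:05,hq-branch1,ISP-A,1510,41,1
2024-01-01T00:10,hq-branch1,ISP-A,1495,40,1
2024-01-01T00:15,hq-branch1,ISP-A,1502,39,1
2024-01-01T00:00,hq-branch2,ISP-A>ISP-B,900,95,1
2024-01-01T00:05,hq-branch2,ISP-A>ISP-B,880,180,1
2024-01-01T00:10,hq-branch2,ISP-A>ISP-B,0,0,0
2024-01-01T00:15,hq-branch2,ISP-A>ISP-B,910,101,1
2024-01-01T00:00,hq-soho,ISP-A,480,60,1
2024-01-01T00:05,hq-soho,ISP-A,300,58,1
2024-01-01T00:10,hq-soho,ISP-A,520,62,1
2024-01-01T00:15,hq-soho,ISP-A,350,61,1
"""


def percentile(values, pct):
    """Nearest-rank percentile of a non-empty list of numbers."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100.0 * len(ordered)))
    return ordered[rank - 1]


def parse_probes(text):
    """Group probe rows by link, converting the numeric fields."""
    by_link = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        by_link[row["link"]].append({
            "path": row["provider_path"],
            "kbps": float(row["throughput_kbps"]),
            "rtt": float(row["rtt_ms"]),
            "up": row["up"] == "1",
        })
    return by_link


def evaluate(text, sla=SLA):
    """Per-link metrics, the SLA terms each link fails, and whether the link
    crosses a provider boundary (where an end-to-end SLA may not apply).
    Throughput and RTT are computed over samples where the link was up."""
    report = {}
    for link, rows in parse_probes(text).items():
        up_rows = [r for r in rows if r["up"]]
        uptime = 100.0 * len(up_rows) / len(rows)
        mean_kbps = sum(r["kbps"] for r in up_rows) / len(up_rows) if up_rows else None
        p95_rtt = percentile([r["rtt"] for r in up_rows], 95) if up_rows else None
        failed = []
        if mean_kbps is None or mean_kbps < sla["min_throughput_kbps"]:
            failed.append("throughput")
        if p95_rtt is None or p95_rtt > sla["max_rtt_ms"]:
            failed.append("rtt")
        if uptime < sla["min_uptime_pct"]:
            failed.append("uptime")
        report[link] = {
            "samples": len(rows),
            "uptime_pct": uptime,
            "mean_throughput_kbps": mean_kbps,
            "p95_rtt_ms": p95_rtt,
            "crosses_providers": ">" in rows[0]["path"],
            "failed": failed,
        }
    return report


if __name__ == "__main__":
    for link, r in evaluate(PROBES).items():
        status = "OK" if not r["failed"] else "FAIL " + ",".join(r["failed"])
        note = " (crosses provider boundary; check SLA scope)" if r["crosses_providers"] else ""
        print("%-12s uptime %.1f%%  mean %s kbps  p95 rtt %s ms  %s%s" % (
            link, r["uptime_pct"], r["mean_throughput_kbps"], r["p95_rtt_ms"], status, note))
```

Using the 95th-percentile RTT rather than the mean keeps a single slow interval from being averaged away, which is how a latency guarantee is usually worded; with real data the probe interval, the measurement points (inside the tunnel versus at the ISP hand-off) and the SLA's own definitions decide which statistic is the right one to compare.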
- These bandwidth reservation mechanisms are built into the ATM and Frame Relay standards. Examples are ATM ABR and CBR, and Frame Relay CIR.
- IEEE specifications that allow Level 2 switches to provide traffic prioritization over Ethernet and Token Ring LANs.
- An IETF standard that defines ways of assigning specific service levels and priorities to IP traffic using the IP TOS field.
- A method of encapsulating and tagging IP traffic to improve efficiency and control of routed networks.
- An IETF standard that defines how routers and other network devices should reserve bandwidth across the network on a hop-by-hop basis.

SLA Checklist
Over the long term, SLAs for VPN services are likely to improve as the various different QoS schemes are deployed more widely. However, until this time, SLAs may be limited to connections over a single service provider's network. To ensure end-to-end SLAs in the interim, traffic should stay on the same network. If the connection goes across networks, a service provider has little control over the quality of the other provider's network. This situation is likely to remain until service providers reach agreement on SLA interworking.

VPN Futures

VPNs are only just starting to be deployed. Once VPNs are in wide use, they provide the opportunity to integrate other types of communication such as multimedia and Voice over IP (VoIP). The primary concern for VPNs will always be security. However, once VPN products are widely available, the focus will fall more and more on delivering quality of service (QoS) and class of service (CoS) over IP networks as part of a VPN. As voice and data services merge into one (voice over IP, IP fax), new network services are being developed to offer the QoS/CoS required for data, telephony and fax. (For more information about QoS see Quality of Service and SLAs.) As products develop to take advantage of this opportunity, all communication devices will become IP addressable, providing voice, fax, video and data to the desktop. All of these services can make use of VPN security protocols. Name servers could become very useful for configuring and reconfiguring VPNs. If the routers in a complex intranet VPN network were to make use of name servers to locate peer routers, then these networks could be reconfigured simply by changing the name-to-address mapping. Work is in progress to extend the use of DNS servers to provide a secure (IP Security-based) mechanism for routers to find peer routers and clients to find servers.
Next Generation VPN Carriers

New 'last-mile' technologies like Digital Subscriber Loop (DSL) deliver a means for the phone companies to provide high bandwidth IP access over existing cabling (twisted-pair copper). Cable companies also offer the potential to deliver high bandwidth IP access over existing and new cable infrastructure. As the phone and cable companies become familiar with delivering IP services, these new last-mile technologies put them in a good position to acquire a significant share of the Internet access and VPN markets. New providers are focussing on providing VPN services. A popular technique is to build an ATM or Frame Relay backbone and then offer VPN links with guarantees on throughput and latency to enable customers to outsource remote access, site-to-site and even interoffice fax and voice. These networks are well placed to offer everything from voice to site-to-site by making use of the quality of service options inherent in ATM and Frame Relay networks. To offer global services to a VPN customer with global data needs, consortiums of VPN carriers are forming to offer a uniform service internationally. Many of these services are based on ATM and Frame Relay, although new IP based services are becoming available.

VPNs and Voice/Data Convergence

On the data side, LAN infrastructure is typically provided by a stackable or chassis based hub with multiple 10/100 Ethernet segments. WAN connectivity is typically provided by a router using leased lines or Frame Relay, with Internet connections for e-mail and web browsing provided via a separate firewall connection. Companies that use a variety of data and voice services to meet their communication needs will find new alternatives becoming available that offer direct and indirect cost savings. New customer-premises routers are now appearing that act as both Security Gateways and Multimedia Gateways. These Multiservice Routers integrate a number of LAN and WAN capabilities such as hub and routing functions, and also support new applications such as Voice Over IP (VoIP), IP-fax, Internet access (browsing, publishing, e-mail, e-commerce) as well as VPN traffic over a single local-loop link to a service provider POP.
- Companies are already becoming familiar with accessing and publishing information and exchanging e-mail over a public routed network.
- Providing a more scalable remote access solution with cheaper access to corporate networks. The existing "modem pool" may be preserved for backup.
- Rather than arrange for one-off solutions each time a new partner needs to be linked to the corporate network, VPN networks provide a common technology to reduce the complexity and expense of adding new partner network links.
- Once VPN networks can offer QoS guarantees, corporate backbone links could be outsourced to managed routed networks. These would have built-in failure recovery, and should have a lower cost per month than traditional dedicated leased bandwidth.
- For example, electronic-fax, voice-over-IP and electronic ordering.

With the growth in the reach and capacity of the Internet and the IP protocol suite, there is the promise of providing all common communications services over the same communications link: an IP datagram service.