VPNs Grapple With Administrator Concerns

by Jacqueline Emigh

As the VPN market expands, network administrators find themselves confronted with levels of complexity they hadn't anticipated, as solutions providers diversify their offerings and appliances vie with outsourced management.

As businesses work at adding more security to company communications, VPNs (virtual private networks) are getting a lot of play. If you've seen one VPN, though, you haven't necessarily seen them all. Just for starters, some network managers are implementing VPNs in-house, whereas others are outsourcing to service providers.

Industry seers expect VPN sales to boom for years to come. Still, the VPN industry is fraught with market confusion and hype. Lots of vendors claim they're trying to de-mystify VPNs by simplifying products and services. To many systems administrators, however, the letters "VPN" don't exactly spell "trust."

Earlier this month, Gartner predicted the worldwide IP VPN equipment market to show a compound annual growth rate (CAGR) of 12.2 percent from 2002 through 2006, reaching $4.5 billion by 2005. IDC projects the US market for IP VPN services to grow from over $5.4 billion in 2001 to almost $14.7 billion in 2006, for a 22 percent CAGR.

Agreement is hardly unanimous, however, over what the VPN acronym even means.

"Some people in the carrier market still regard a VPN as a fixed connection, such as a frame relay link. Coming from the world of voice, they don't necessarily think of a VPN as something that includes security," says Mark Stevens, senior VP of network security for WatchGuard Technologies.

"If you're from an Internet background, though, a VPN means that data is being encrypted in some way -- and also that authentication is present, to verify that data hasn't been messed with even if it's already been encrypted," according to Stevens.

Some people might consider other security features, such as anti-virus protection or intrusion detection, to be essential components of a VPN. Meanwhile, vendors such as NetScreen and SonicWall have been integrating VPNs with firewalls.

VPN complexity, of course, is a related issue. Corporate administrators and ISPs can get caught up in an endless maze of technical quandaries. "We are trying to get a VPN working using IPX and Novell's client 32. We got it working a number of times, but recently upon making the connection the client computer will not reboot itself," complains one systems administrator in an Internet newsgroup.

"Situation: Client has a laptop, uses Microsoft PPTP VPN remotely to access some resources," according to another Internet posting. "This has worked fine, though slowly, over his dialup modem (using) ISDN solution. Now, he has a cable modem. We can connect, but are unable to log in. After troubleshooting, it appears the problem is due to the remote VPN and his local network both having the same IP subnet."
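The overlapping-subnet problem in the posting above is one an administrator can catch before the first failed login. The following check is an added illustration written for this page, not code from the article or from any vendor quoted in it; the network prefixes and interface names are constructed sample values. It reports any VPN prefix that collides with the local LAN and, by simulating a longest-prefix route lookup, shows why the collision matters: with identical prefixes on the LAN interface and the tunnel, the client has two equally good routes for every address in the overlap, so traffic bound for the office can be delivered to the home network instead.

```python
"""Pre-flight check for remote-access VPN subnet overlap (constructed example)."""
from ipaddress import ip_address, ip_network
from typing import List, Tuple


def overlapping_ranges(local_cidr: str, remote_cidrs: List[str]) -> List[Tuple[str, str]]:
    """Return (remote_cidr, overlap_cidr) for each remote prefix that collides with the LAN.

    The overlap of two prefixes that intersect is always the more specific of the two.
    """
    local = ip_network(local_cidr, strict=False)
    conflicts: List[Tuple[str, str]] = []
    for remote in remote_cidrs:
        rnet = ip_network(remote, strict=False)
        if local.overlaps(rnet):
            overlap = rnet if rnet.prefixlen >= local.prefixlen else local
            conflicts.append((str(rnet), str(overlap)))
    return conflicts


def route_lookup(destination: str, routes: List[Tuple[str, str]]) -> List[str]:
    """Longest-prefix match over (cidr, interface) pairs.

    Returns every interface tied at the best prefix length, so a result with more
    than one entry means the destination is ambiguous on this host.
    """
    dest = ip_address(destination)
    best_len = -1
    winners: List[str] = []
    for cidr, iface in routes:
        net = ip_network(cidr, strict=False)
        if dest in net:
            if net.prefixlen > best_len:
                best_len, winners = net.prefixlen, [iface]
            elif net.prefixlen == best_len:
                winners.append(iface)
    return winners


if __name__ == "__main__":
    # Constructed values: home LAN and office VPN both use 192.168.1.0/24.
    home_lan = "192.168.1.0/24"
    office_vpn = ["192.168.1.0/24", "10.8.0.0/24"]
    print("conflicts:", overlapping_ranges(home_lan, office_vpn))
    # Hypothetical interface names: eth0 for the cable modem LAN, ppp0 for the tunnel.
    routes = [(home_lan, "eth0"), ("192.168.1.0/24", "ppp0"), ("0.0.0.0/0", "eth0")]
    print("route for file server 192.168.1.20:", route_lookup("192.168.1.20", routes))
```

The fix the posting implies follows from the output: renumber one side (typically the remote-access pool) so the office prefix no longer intersects the common home ranges, after which the lookup returns a single interface.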

Another frustrated administrator wonders whether something's gone wrong with access permissions. "One of the (people) experiencing the problem can access files and network resources from her workstation in the office, but not via VPN from home. If this was an access permission problem, wouldn't she not be able to access files locally as well?" the administrator asks.

For simplified implementation and management, VPN appliances have been gaining ground. "For the most part, appliances are much easier to use than VPN software," according to Stevens. Appliances do have their limits, though, since their capabilities are circumscribed by vendors.

A fairly well populated subset within the VPN product space specializes in "e-mail VPNs." Examples include Tumbleweed and, now, CipherTrust. "We are focused exclusively on e-mail solutions," contends CipherTrust President and CEO Steve Raber.

According to Raber, CipherTrust's IronMail appliance concentrates on "multitiered, multi-layered defenses" that have managed to escape the attention of mainstream VPN providers.

"In the (new) IronMail with Mail-VPN, one of the things we've included is the ability to use SSL tunneling for e-mail. If you put an SSL card into a messaging server, though, you've only solved part of the problem. It could still get hacked," Raber observes.

"Most VPNs only use packet-level defenses for mail. Instead, we look at the entire message. We also understand what a password means, relative to email. We're doing things like mail IDS and blocking ping attacks. We understand that port 25 is typically left open, so that anything directed against Microsoft Exchange, for example, will pass through the perimeter defense," he adds.

"We're enforcing all the RFCs for mail standards such as IMAP, POP, and HTTP. To guard against denial of service attacks, we throttle the connections so you won't have too many messages from any particular e-mail address. Then we throttle them again, as they go out the back."
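Per-sender throttling of the kind Raber describes is straightforward to express. The code below is an added illustration written for this page; it is not CipherTrust's implementation and makes no claim about how IronMail works internally. It applies a sliding-window quota per sender address to constructed SMTP-style log lines (the timestamp and `from=<...>` format is invented for the example), accepting messages within the quota and marking the rest as deferred, which a well-behaved mail server retries later while a flood from a single address is blunted.

```python
"""Sliding-window per-sender message throttle (constructed example)."""
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Constructed log format: "<epoch seconds> from=<sender>".
LOG_RE = re.compile(r"^(?P<ts>\d+) from=<(?P<sender>[^>]*)>")


class SenderThrottle:
    """Allow at most `limit` messages per sender in any `window_seconds` span."""

    def __init__(self, limit: int, window_seconds: int) -> None:
        self.limit = limit
        self.window = window_seconds
        self._seen: Dict[str, Deque[int]] = defaultdict(deque)

    def admit(self, sender: str, ts: int) -> bool:
        # Sender addresses are case-insensitive for throttling purposes.
        q = self._seen[sender.lower()]
        # Drop timestamps that have aged out of the window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over quota: defer rather than accept
        q.append(ts)
        return True


def apply_throttle(log_lines: List[str], limit: int, window_seconds: int) -> List[Tuple[str, str]]:
    """Return (sender, decision) per parsable log line; decision is 'accept' or 'defer'."""
    throttle = SenderThrottle(limit, window_seconds)
    decisions: List[Tuple[str, str]] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ok = throttle.admit(m["sender"], int(m["ts"]))
        decisions.append((m["sender"], "accept" if ok else "defer"))
    return decisions


# Constructed sample: one normal sender and one sending in a burst.
SAMPLE_LOG = [
    "1000 from=<alice@example.com>",
    "1001 from=<bulk@example.net>",
    "1002 from=<bulk@example.net>",
    "1003 from=<bulk@example.net>",
    "1004 from=<bulk@example.net>",
    "1005 from=<alice@example.com>",
    "1070 from=<bulk@example.net>",
]

if __name__ == "__main__":
    for sender, decision in apply_throttle(SAMPLE_LOG, limit=3, window_seconds=60):
        print(f"{decision:6} {sender}")
```

With a quota of three messages per sixty seconds, the fourth burst message is deferred while the same sender is accepted again once its earlier messages age out of the window; the ordinary sender is never affected. The same class can be applied a second time at the outbound side, which is the "throttle them again as they go out the back" step in the quote.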

The IronMail device also includes mail-oriented firewall, virus scanning, and content filtering systems.

Outsourcing services to a provider is another way to simplify the VPN situation. "VPN services take away the hassle for customers by hiding the complexity," according to Stevens.

"VPNs can be complex to implement, and enterprises that assume there is a simple definition for a VPN will usually be disappointed with the results," concur Gartner analysts, in one recent report. "As VPN projects expand, the prospect of outsourcing to a carrier or Internet service provider becomes desirable."

Giant service providers like AT&T and Genuity are increasingly active in the VPN market. Their size, established names, and experience with network management lend them an edge with some customers.

Earlier this year, for instance, AT&T debuted three new managed services: Enterprise VPN Services Portfolio; High Availability and Security Services; and Enhanced Managed Hosting Services. The VPN portfolio combines IPsec VPNs and MPLS (Multiprotocol Label Switching) with several layers of management from AT&T.

For many customers, however, cost is a key criterion. "We used to work with AT&T. I've seen the bills, and they're ridiculous," charges J. C. Chatpar, president and CEO of Cyber Digital, Inc. Cyber Digital produces digital voice switching systems for network operators, in addition to IP routers, gateways and firewalls.

Chatpar, though, says he now wants to help export "the 'commodity' concept, introduced by Dell in the PC market, over to the VPN market." Cyber Digital's new business model combines VPN services with factory-configured appliances and Web-based product ordering.

After selecting from "7,000 features," and getting the boxes shipped from the factory, network managers will be able to install the boxes by themselves. Administrators will then decide whether to manage the VPN themselves, or to outsource management to Cyber Digital. Even if they go the outsourcing route, network managers can still retain control over key management, Chatpar says.

Cyber Digital's VPN appliances will be priced at about $1,000 to $12,000 each. Services will start at around $20 per month.

"Users have concerns over privacy, too. Most companies don't want to be in the VPN business. The critical element, however, is dependence on the consultant, who is integrating the VPN with their equipment. Many of them don't trust an external person to do this," according to Chatpar.


This article was originally published on Friday Apr 26th 2002