VPN vital signs

Enterprises are demanding rigorous performance, reliability and security tests for their virtual private networks, and carriers are responding with comprehensive managed services. Initial results point to a healthy, booming life for VPNs


Mention virtual private networks to a room full of information systems managers and their ears perk up. They love the concept of anywhere access using the Internet, but they aren't sold on the initial proposals. Fear of the unproven technology is rampant. Is it secure? Will the encryption hamper performance? How do we manage all the users? Can our applications be transferred to IP? Why should we rely on an unreliable Internet?

Even with these ongoing concerns, early adopters are forging ahead with VPN pilot programs and seeking expertise from service providers to address security fears and management issues. These VPN enthusiasts - from health care, automotive, construction and manufacturing sectors - share characteristics that separate them from the uninitiated masses. They need to get to market quickly, they have limited connectivity and their interconnections must be flexible and secure.

These requirements are a few telltale signs of VPN supporters. In partnerships, they look for carriers with extensive network and security skills that can guarantee reliability and availability. Providers such as GTE Internetworking, UUNet, Concentric Network and U S West have struck deals with enterprises.

After accepting the VPN mantra and selecting a principal provider, these enterprises are slowly deploying VPNs within their organizations and out to their customers. For these companies, usage is limited and restricted to single sites. These initial VPN implementations provide connectivity for remote sites, customers, partners and mobile employees. Willing to lead but not bleed, these early VPN converts are supplying the fuel necessary to drive the market forward.

Performance boost

Before extranets and multiple site VPNs become a requisite within corporations, some kinks - namely interoperability, performance and education - must be massaged out. But even with these tribulations, organizations are embracing VPN technology, according to a study by Infonetics Research (Figure 1).

Leading VPN manufacturers Cisco Systems and Lucent Technologies concur with these rosy prospects.

"Enterprises are testing VPNs in areas where there is a clear value-add and where there is not a previous major investment," says Susan Scheer, director of services marketing for Cisco. "During the next few years VPN deployment will continue to be gradual, but it will become broader in scale as companies become more familiar with the technology."

Two items have inhibited the rapid adoption of VPNs: management tools and experienced personnel, says Brian Schulz, managing director of Lucent's VPN products. "We're introducing security and policy management capabilities in the next version of our security management server that work with firewall-based VPN products," Schulz says. "These tools, plus the growing availability of service providers and integrators that can design and manage VPNs, will be key VPN enablers."

Other elements mentioned by VPN customers that will ensure the technology's success include increasing the number of international points of presence for global VPNs, expanding the number of VPN and firewall partners to ensure interoperability and allowing for flexible control for managed devices at the customer premises. One last item, differentiated service offerings, has not achieved exceptional support among service providers or customers, and it's unclear if it will be a necessary VPN component.

Every service provider has network engineers looking into multiprotocol label switching or other means to add quality of service (QOS), but no one interviewed indicated a need for it because of limited network traffic.

"QOS provides real benefits in a congested environment. If there isn't congestion, there's no value, and we aren't seeing much congestion on the backbone or local loop," says John Summers, senior product manager for VPN services at GTE Internetworking. "I haven't heard a significant cry for it from customers, but there has been some interest."

VPN stretch

More than a few companies are contemplating VPNs as a way to lower pricey remote access bills. At this point in the technology's development, the No. 1 use for VPNs is remote access. Lord Corp., a manufacturer of adhesives, coatings and devices that control vibration and motion in transportation vehicles, instantly recognized the potential cost savings of VPNs and signed on for GTE Internetworking's VPN Advantage.

About 400 of Lord Corp.'s 2000 employees use GTE Internetworking's VPN Advantage to access Lord Corp.'s network (Figure 2). About 300 of these telecommuters are sales people and technical support staff working from small offices throughout the nation. Other employees use the service when they travel.

Each remote user is outfitted with a standard PC laptop configured by someone from Lord Corp.'s seven-member IT staff. GTE Internetworking provides digital certificates that the support personnel can download to the laptops.

"Every endpoint on the VPN requires an authorized digital certificate, which we set up," says GTE Internetworking's Summers. By partnering with Entrust Technologies, GTE Internetworking is a certificate authority and can distribute the necessary public and private keys from its network operations center.

Public key infrastructure (PKI) handles authentication, so Lord Corp.'s VPN gateway is used only for connectivity. A firewall works in parallel with the VPN gateway and handles traffic going to and from the unit.

"The VPN device is optimized for creating tunnels and doing encryption," says Tom Stribling, manager of network services at Lord Corp. "You can see how the throughput is affected when a VPN is done on the same box as the firewall. There is an immediate performance hit as you add users."

Even though VPN Advantage's devices don't carry firewall software, there is still room to improve throughput. During the next six months, the company will raise the devices' throughput range from the current 2 to 40 Mb/s to 70 to 80 Mb/s, Summers says.

Users will benefit immediately from the increased performance, but they have voiced a further concern to Stribling about the VPN. When remote users access Lord Corp.'s network, they can't simultaneously use the Internet. Users must disconnect from the network and reconnect for Internet access.

Although Stribling is sympathetic, he's not ready to open up to the Internet. "A secure remote product would allow the staff to have concurrent use of the network and Internet, but there are inherent security problems with computers connected to the Internet."

With most of its remote access concerns put to rest, Lord Corp. is turning its eye to a site-to-site VPN for international offices. The manufacturer's international sites use dial-up connections, but Stribling is considering putting a VPN device at these sites so users can access Lord Corp.'s network.

"Before we deploy a site-to-site VPN, we need to do a cost comparison with frame relay," Stribling says. "Another consideration is import laws. Will the other country allow the stronger Triple DES encryption or do they allow export encryption at all? GTE Internetworking has done a good job keeping us abreast of international security requirements."

Delivering the goods

As a global leader in construction-engineering project management, Bechtel has extensive experience building client projects. In the San Francisco Bay area, Bechtel is well-known for its roles in projects such as the Oakland-to-San Francisco Bay Bridge and the San Francisco Museum of Modern Art. The 100-year-old company also has made a name for itself worldwide by contributing to ventures such as the Channel Tunnel between France and England and the Hong Kong Airport. Internet start-up Webvan wanted to tap into that broad knowledge base.

Webvan provides online ordering and home delivery of grocery products and has service already in the San Francisco Bay area. The company has an operational distribution facility in Oakland, Calif., and is set to open a second facility in Atlanta. In 1999, Webvan hired Bechtel to build 26 additional distribution centers throughout the U.S. during the next three years.

For this fast-moving project, Bechtel tapped UUNet. Remote Bechtel staff would need access to the Internet; Cephron Projectnet, Bechtel's intranet; e-mail; and other homegrown Bechtel applications.

"We needed to mobilize quickly for Webvan, and we jumped on what UUNet had to offer - direct connectivity to the Internet and reliability," says Chris Zeck, global network manager at Bechtel. "With the VPN, we can provide better performance for our staff and avoid capital investment for short-term projects."

UUNet's VPN allows three Webvan remote sites to access the Bechtel network and the Internet using a split tunnel (Figure 3). In the coming months, three more Webvan sites will be added to the network as Webvan begins building centers in Chicago, Seattle and Washington. UUNet manages the individual VPN devices at Bechtel's remote sites. Once Bechtel provides the necessary configuration information, UUNet ships the devices to the different sites, which can be up and running in days.

The project's original design had the 26 remote field sites connect back to Bechtel's network, but Zeck is evaluating meshing the sites to one another to provide better connectivity and reliability.

"We can dynamically change which Bechtel sites are connected, and we can change the topology much easier than with a traditional WAN," says Audrey Wells, manager of UUNet's UUSecure VPN.

Zeck is satisfied with the initial VPN results from UUNet, but he looks forward to added functionality, such as single-client remote access, remote user support, software distribution and configuration management for home machines.

"VPNs have a huge potential for better, cheaper, faster remote connectivity. In the future, we may use them for extranet applications with business partners," Zeck says. "A VPN is an enabling technology, but it's not the complete solution. Once you have the connection, you still have problems of securing access at the application level. Authentication and authorization are still problems, and they are the hard issues that take longer to solve."

The right connections

Most vertical markets haven't produced multiple-partner, large-scale extranets, but they are well on their way. Automotive Network eXchange (ANX), the automobile industry's extranet venture, is the most visible to date, and another high-profile exchange, GlobalNetXchange, for retailers, opened at the end of March. ANX, with partners Ford Motor Co., General Motors and DaimlerChrysler, is steering 350 partners online.

For more than a year, Hitachi Metals, a global manufacturer of prefabricated metal products, has been prepping for ANX. One of the first things the company did was turn over the management of its 15-site network to Concentric. "We wanted to get out of the router business so we could concentrate on our core business," says Roy Milano, manager of manufacturing information systems at Hitachi Metals.

With T-1s installed at each site and the network humming, Milano asked Concentric to create a VPN to ANX. Ford has mandated that all its suppliers use ANX. Rather than supplying CAD files on tape or placing orders by electronic data interchange, Ford now also requires Hitachi Metals to transfer files and accept orders via ANX. To accomplish this, Concentric posted a firewall at Hitachi Metals' network through which four remote sites transfer data. The data proceeds through a T-1 circuit managed by Ameritech to Ford's firewall and then to the data's final destination at Ford (Figure 4).

Concentric's original design for Hitachi Metals included a VPN box from VPNet, but it was later nixed because it was not certified by ANX, probably because of interoperability problems, Milano says.

"Just because equipment is IPSec-compliant doesn't mean that it will communicate with other IPSec-compliant equipment," says Maaz Sheikh, VPN product manager at Concentric. "We have spent a lot of time and effort working with ANX to come up with specifics on IPSec tunneling, to set up security policies and to decipher when we will communicate and how we are going to do it."

Another sticky issue for Concentric has been management and responsibility. The single connection between Hitachi Metals and ANX has fingers from multiple hands touching it. Ameritech is providing the dedicated link, Ford manages the firewall on its side and Concentric is liable for Hitachi Metals' firewall. "We often don't know where a problem originates from, and it's difficult to know who is responsible for making sure everything is up and running," Sheikh says.

Concentric has finalized testing and now manages the firewall at the Hitachi Metals site. Milano is not fazed by the lower throughput Hitachi Metals will have due to the single-box design for firewall and encryption. "Our files aren't that big, and we probably won't have any throughput problems," Milano says. "Besides, I'd rather have 5 milliseconds delay than not have the network up and running."

Healthy VPN

At HBSI, the information systems department's top initiative is migrating its disparate databases to the Web. More than 900 hospitals use HBSI's National Healthcare Data Warehouse, and the information systems department's mission is to give these customers secure access to these databases and robust performance.

Hospitals use HBSI's data to compare their performance to peers and industry norms. The data is integral to evaluating individual departments, profiling physicians or developing patient education programs. During the last year, HBSI has been building a VPN to each of its hospital customers, but the process has been painstakingly slow. Less than 10% of HBSI's customers - or eight hospitals - use a VPN (Figure 5).

"Even with the improved performance, it's been difficult to move hospitals toward VPNs," says Bruce Huchinson, network administrator at HBSI. "Before we can get hospitals to accept VPNs, we have to spend a lot of time educating them about firewalls and encryption. They are extremely concerned about security, even though we explain that the boxes are as tight as they can be."

Customer education has been one concern, but interoperability issues also have kept the VPN numbers low. To increase its VPNs, HBSI added an alternative to its internally managed VPN, which employs Security Dynamics SecurID. The company opted for U S West's VPN service, an option available to customers of U S West's On-Site Managed Firewall.

For the last few years, U S West has been managing HBSI's firewalls at its network premises in Bellevue, Wash. Now U S West is managing the firewall and encrypting the data transferred between HBSI's National Healthcare Data Warehouse and a Hawaiian hospital. U S West's managed service appeals to HBSI's small information systems staff, and the company would like to move more hospital firewalls under U S West's care, but Huchinson has run into interoperability issues.

Many of the firewalls used by the hospitals are not compatible with U S West's firewall choice, Check Point. "We've had to struggle with network address translation," Huchinson says. "It's one of the hardest things to accomplish but necessary to get two firewalls to work together."

Addressing these concerns, U S West is extending its network design and adding Cisco 3700 and 7200 routers. The architecture hasn't been finalized, says Darin Quest, group product manager at U S West, but it will include security and VPN connectivity within U S West's network that will alleviate the need to deploy equipment to the customer premises.

U S West also is exploring other enhancements such as integrating PKI for management capabilities, e-commerce for extranet applications and QOS assurances. New owner Qwest's expertise and experience will play a key role in adding the extranet and QOS features, which will be available when the two companies combine service offerings.

"Qwest has put a lot of effort into the traditional core network and the wide area IP network to ensure that application loads meet QOS needs," says U S West's Quest. "QOS qualities and functionalities will make the difference among the VPN service offerings. Security, thanks to IPSec, will be less of a concern, and QOS will represent the value we can offer enterprises."

All systems go

These four examples portray the rawness - and potential - of VPNs. With the initial test results positive and VPN pilot programs multiplying, service providers are set to reap the rewards. "The VPN adoption rate may not have taken off with the exuberance we expected, but that can be attributed to fear of the unknown," says UUNet's Wells. "There's still some fear, but 20 years ago, people feared frame relay.

"Once the IT personnel become more comfortable with the technology, you will see them moving their legacy traffic to IP. Within the next year, IP VPNs will surpass frame relay."

Frame relay may be the corporate world's protocol of choice for WANs today, but its time as top dog may be coming to a close. "Companies are quickly moving to VPNs," says Karen Barton, vice president of strategic marketing for Lucent's WAN Systems Group. "During the next two to five years, we will see Internet-based VPNs become the predominant corporate communication tool."

© 2012 Penton Media Inc.