Myth #1: A network that is open to remote access is not secure and can be
easily hacked into. A number of solutions such as firewalls, security tokens and
strong encryption techniques are available to tackle such potential threats. If
the organization takes adequate security measures, it is almost impossible to
gain unauthorized access.
Myth #2: It is risky to send important information via the Internet. Virtual
private networks (VPNs) can ensure that the data being sent and received is
encrypted and that the cost per user is affordable.
A number of such doubts exist in the minds of many chief information officers
who still view virtual private networks as a risky proposition. Whether this
stems from lack of a clear understanding of the technology or from just a
mindset, CIOs are especially wary of running mission critical applications on
such a network. But the fact is that a well-designed Virtual Private Network
offers the same functionality as a traditional private WAN (wide area network)
at a much lower cost. Factors like security, scalability and reliability can
also be easily addressed while designing the network.
The technology
Simply put, a VPN could be described as a private, data communication
channel that uses a public IP network like the Internet for basic data
transport. It can be used to connect corporate data centers, remote offices,
mobile employees, telecommuters, customers, suppliers, and business partners.
Using a technique called ‘tunneling’, data packets are transmitted across a
public routed network in a private tunnel that simulates a point-to-point
connection. This approach enables network traffic from many sources to travel
through separate tunnels across the same infrastructure. It also enables traffic
from many sources to be differentiated, so that it can be directed to specific
destinations.
Access VPNs: This is a user-to-LAN connection
used by a company that has employees who need to connect to the private network
from remote locations. Access VPNs provide access to a corporate Intranet or
Extranet over a shared infrastructure with the same policies as a private
network. They cover remote-access connectivity through dial-ups, ISDN
(Integrated Services Digital Network), DSL (Digital Subscriber Line), wireless,
and cable technologies.
Site-to-site: Through the use of dedicated equipment and large-scale
encryption, a company can connect multiple fixed sites over a public network
such as the Internet. Site-to-site VPNs can be Intranet or Extranet-based.
Intranet-based: If a company has more remote locations that it wishes to join
in a single private network, it can create an Intranet VPN to connect LAN to
LAN.
Extranet-based: When a company has a close relationship with another company
(for example, a partner, supplier or customer), it can build an Extranet VPN
that connects LAN to LAN and allows all of the various companies to work in a
shared environment.
Traditional WAN vs VPN
Many large and medium-size organizations that are outsourcing their
connectivity needs to service providers find that VPNs are a solution to many of
the challenges they face. Traditionally an organization that wanted to build a
wide-area network needed to procure expensive, dedicated lines to connect its
offices together. With long-distance charges of leased lines mounting daily, the
cost of deploying and maintaining a private network is also on the rise.
12 Benefits of Going VPN
A well-designed VPN can benefit a company by:
Extending geographic connectivity
Reducing operational costs in comparison with traditional WAN
Eliminating long distance charges
Reducing in-house staff requirement with outsourcing
Lower capital expenditure as access servers, large backbone and switches are owned and managed by service providers
Reduced transit time and transportation costs for remote users
Improved productivity
Simple network topology
Global networking opportunities
Telecommuter support
Providing broadband networking compatibility
Faster ROI (return on investment) than traditional WAN
Besides file sharing and email, the WAN provides access to Intranet Websites
and videoconferencing systems. In addition, some organizations selectively open
their WAN access to partners to provide Extranet services. VPNs not only support
the same Intranet/Extranet services as a traditional WAN, but also allow further
mobility to the worker. Leased lines don’t support mobile workers well because
they fail to extend to people’s homes or their travel destinations.
Companies that don’t use VPNs have to resort to implementing specialized
secure dial-up services. To log in to a dial-up Intranet, a remote worker must
call into a company’s remote access server. The overheads of maintaining such
a system internally, coupled with the possibility of high long distance charges
incurred by travelers, make VPNs a more appealing option.
Designing a VPN
While designing a VPN solution, a number of factors need to be considered:
Need Assessment: A company should be able to identify its data traffic and
have a clear picture of how the organization is poised for growth. Among the
factors that determine the nature and extent of VPN requirements are the number
of employees travelling, the nature of applications that need to be accessed,
the type and sensitivity of data and the locations from which employees will be
connecting to the corporate LAN.
Ease of Deployment: Let the vendor know which cities are the most important
and which location has the largest customer base, and make them the nodal
points of the backbone. This can bring some sanity to the network design and hierarchy. A
company that keeps adding more locations without much foresight can end up
having a criss-cross of links, which could be difficult to maintain and
troubleshoot.
Scalability: The network should be able to support a large number of users
without requiring a proportionate increase in expenditure for infrastructure or
support. It should be able to support peak loads and provide access from a
number of remote points without enhancing the infrastructure.
Reliability: Employees remotely accessing the corporate network may not
expect a high level of performance but they do expect reliable services. Dial-in
attempts must provide successful connections at reasonable speeds and shouldn’t
get disconnected while accessing important information.
Manageability: The VPN solution must be easy to support and manage both on
the LAN side and at the user end. Minimal software installation should be
required and the software should be easy to install, configure and use.
Interoperability: Although standards exist for providing VPN compatibility,
various factors such as different implementation standards limit multi-vendor
interoperability. Additionally, many standards for tunneling, authentication and
encryption are still emerging. So, care must be taken to ensure that the VPN
solution selected provides end-to-end interoperability.
Security: A major issue
Probably one thing that worries most companies while deploying a remote
access network like VPN is security. Managing security could be a complex
affair, as every resource on the corporate network needs to be protected:
systems, information, application resources and networks. The network should
provide for two levels of security. The first is user authentication and second
is data encryption. User identification allows one to be confident that the
party we are establishing communications with is who we think it is. VPN
technologies are making use of several tried and trusted methods for
establishing the identity of the party at the other end of a network. These
include passwords, digital certificates, smart cards and biometrics.
5 Check-points Before Going VPN
Potential pitfalls in VPNs that can lead to unplanned costs:
VPNs require an in-depth understanding of public network security issues and proper deployment of precautions
The availability and performance of an organization’s wide-area VPN (over the Internet in particular) depends on factors largely outside its control
VPN technologies from different vendors may not work well together due to immature standards
VPNs need to accommodate protocols other than IP, including existing legacy internal network technology
It is assumed that Service Level Agreements (SLAs) ensure reliable services and high performance, but there is no guarantee. They might provide financial compensation when the terms are not met. But financial incentives do not make up for lost productivity and opportunity
Another significant factor is the security of critical data. Information
privacy is maintained while it is in transit between servers and clients.
Protecting data requires that it be encrypted while travelling over the
Internet. Various techniques such as TripleDES and IPSec’s AH (Authentication
Header) are available to address this issue. IPSec is a framework of open
standards for ensuring secure private communications over IP networks. Based on
standards developed by the IETF (Internet Engineering Task Force), IPSec ensures
confidentiality, integrity and authenticity of data communications across a
public IP network. IPSec provides a necessary component of a standards-based,
flexible solution for deploying a network-wide security policy.
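The tunneling described under "The technology" and the integrity and authenticity guarantees described here can be seen together in a small model. This is an added example, not part of the original article and not the IPSec wire format: tunnel ids, keys and destination names are constructed, HMAC-SHA256 stands in for the integrity check, and the payload is authenticated but not encrypted.

```python
import hashlib
import hmac
import struct

# Constructed per-tunnel state: tunnel id -> (HMAC key, internal destination).
# Every id, key and destination name here is made up for the example.
TUNNELS = {
    0x1001: (b"branch-office-key-constructed", "intranet-lan"),
    0x2002: (b"partner-key-constructed", "extranet-dmz"),
}
HEADER = struct.Struct("!II")  # outer header: tunnel id, sequence number
TAG_LEN = 32                   # size of an HMAC-SHA256 tag


def encapsulate(tunnel_id, seq, inner_packet):
    """Sender side: outer header + inner packet + integrity tag."""
    key, _ = TUNNELS[tunnel_id]
    header = HEADER.pack(tunnel_id, seq)
    tag = hmac.new(key, header + inner_packet, hashlib.sha256).digest()
    return header + inner_packet + tag


class Gateway:
    """Receiver side: tells tunnels apart and drops packets that fail checks."""

    def __init__(self):
        self.last_seq = {tid: 0 for tid in TUNNELS}

    def receive(self, outer):
        if len(outer) < HEADER.size + TAG_LEN:
            return ("drop", "truncated")
        tunnel_id, seq = HEADER.unpack_from(outer)
        if tunnel_id not in TUNNELS:
            return ("drop", "unknown tunnel")
        key, destination = TUNNELS[tunnel_id]
        body, tag = outer[:-TAG_LEN], outer[-TAG_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        # Constant-time comparison; the tag covers the header, so a packet
        # cannot be relabelled into another tunnel without the key.
        if not hmac.compare_digest(tag, expected):
            return ("drop", "integrity check failed")
        # Simplified anti-replay: accept only increasing sequence numbers.
        if seq <= self.last_seq[tunnel_id]:
            return ("drop", "replayed or stale")
        self.last_seq[tunnel_id] = seq
        return (destination, body[HEADER.size:])
```

Because the tag is computed over the outer header as well as the payload, the gateway can trust the tunnel id it uses to choose the destination, which is what lets many tunnels share one public network.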
Emerging potential
Optical VPNs are among the emerging technologies in this area. These are
wavelength-based or Lambda-based VPNs. The idea is to use DWDM (Dense Wavelength
Division Multiplexing) as the core technology. DWDM and WDM (Wavelength Division
Multiplexing) are currently used as long haul transport technologies. When there
is a high density of customers, it will evolve into an access technology. So
there will be a shift from a packet domain-based VPN to an optical domain-based
VPN. The shift will not become prominent for the next few years, because
implementation standards and vendor support are also crucial to the adoption
of new technology.
SHWETA VERMA in New Delhi
CASE STUDY WHIRLPOOL INDIA: From the Horse’s Mouth
Business
A global leader in home appliances, Whirlpool has been operating in India
since 1996. With a turnover of about Rs 1,000 crore, it is spread over 40
locations in India and has over 4,000 dealers and 500 service centers in India
alone.
Objective
In 1999, the company decided to set up a WAN (Wide Area Network) to connect
all its locations. This would optimally utilize the SAP ERP solution that was
being implemented and deploy network applications such as messaging to improve
communication among its various locations.
VPN strategy
Although Whirlpool already had an existing VSAT network from Comsat Max,
linking 12 locations, the company was looking at expanding its reach. Apart from
setting up a Virtual Private Network (VPN), this could be done in two other
ways. One was to scale the existing VSAT network. Another was to set up a
point-to-point LAN-based terrestrial network. "While both these options
were well established in India at that time, VPN was a relatively new concept.
Not many organizations had deployed it on a large scale," explains MR
Sundaresan, director (IT), Whirlpool. "So, it was a tough decision."
The three technologies were evaluated on the basis of reliability, accessibility
or reach of the network, the overall investment along with recurring costs
involved and the security issue. After careful assessment and advice from a
network specialist from the corporate office in the US, the company finally decided
in favor of VPN. Among the VPN service providers, Whirlpool opted for Sify
because it was a dominant player at that time. While others had entered the
market, they didn’t have enough reach. The deployment, which was carried out
in a phased manner, took about 12 months to cover all locations and was up and
running by November 2000. At present, there is a central server based in the
Delhi office and all the other offices connect to it through Sify using a VPN
based on the IPSec network protocol.
Challenges
Being among the first few large enterprises to deploy VPN, Whirlpool had
virtually no reference cases to learn from. It had to go all out on its own.
Even for the service provider, it was the first rollout of its kind and a
learning experience of sorts. "There were last-mile connectivity problems.
Getting DoT and BSNL links up and running was a huge issue," recalls
Sundaresan. "Another problem that cropped up was that certain locations
that appeared feasible earlier could not be reached through terrestrial links
due to technical hitches." The company had to finally depend on radio
frequency microwave links. Although this was a reliable option, it added to
costs.
Results
Despite all costs incurred, the VPN ultimately proved to be much cheaper than
other options under consideration. The cost was about 20% less than a
point-to-point leased line network and 30% cheaper than a VSAT-based link.
What seemed like a mammoth exercise during the deployment proved quite
reliable after it. It has been running uninterrupted for almost two years,
with an average up time of about 95%.
All the SAP modules, messaging, Intranet applications and a live call center
(100 agents) are running comfortably on the network.
The network has been extended to connect to the global database in the US.
A design center set up in Pune to do backend design work for the US, Europe
and Latin America is also connected with these places through the VPN.
The network is highly scalable and provides a lot of flexibility in terms of
adding or removing links easily.
The future
Satisfied with the performance of its VPN, Whirlpool wants to expand the
range of applications like VoIP, HR information systems and other Intranet
applications. The company will also gradually extend the network to connect to
its dealers and suppliers and use it for other remote office work.