The Express Lane

DQI Bureau

Myth #1: A network that is open to remote access is not secure and can be easily hacked into. A number of solutions such as firewalls, security tokens and strong encryption techniques are available to tackle such potential threats. If the organization takes adequate security measures, it is almost impossible to gain unauthorized access.


Myth #2: It is risky to send important information via the Internet. Virtual private networks (VPNs) can ensure that the data being sent and received is encrypted and that the cost per user is affordable.

A number of such doubts exist in the minds of many chief information officers who still view virtual private networks as a risky proposition. Whether this stems from lack of a clear understanding of the technology or from just a mindset, CIOs are especially wary of running mission-critical applications on such a network. But the fact is that a well-designed Virtual Private Network offers the same functionality as a traditional private WAN (wide area network) at a much lower cost. Factors like security, scalability and reliability can also be easily addressed while designing the network.

The technology



Simply put, a VPN could be described as a private, data communication channel that uses a public IP network like the Internet for basic data transport. It can be used to connect corporate data centers, remote offices, mobile employees, telecommuters, customers, suppliers, and business partners. Using a technique called ‘tunneling’, data packets are transmitted across a public routed network in a private tunnel that simulates a point-to-point connection. This approach enables network traffic from many sources to travel through separate tunnels across the same infrastructure. It also enables traffic from many sources to be differentiated, so that it can be directed to specific destinations.


Access VPNs: This is a user-to-LAN connection used by a company that has employees who need to connect to the private network from remote locations. Access VPNs provide access to a corporate Intranet or Extranet over a shared infrastructure with the same policies as a private network. They cover remote-access connectivity through dial-ups, ISDN (Integrated Services Digital Network), DSL (Digital Subscriber Line), wireless, and cable technologies.

Site-to-site: Through the use of dedicated equipment and large-scale encryption, a company can connect multiple fixed sites over a public network such as the Internet. Site-to-site VPNs can be Intranet or Extranet-based.

Intranet-based: If a company has more remote locations that it wishes to join in a single private network, it can create an Intranet VPN to connect LAN to LAN.


Extranet-based: When a company has a close relationship with another company (for example, a partner, supplier or customer), it can build an Extranet VPN that connects LAN to LAN and allows all of the various companies to work in a shared environment.

Traditional WAN vs VPN



Many large and medium-size organizations that are outsourcing their connectivity needs to service providers find that VPNs are a solution to many of the challenges they face. Traditionally an organization that wanted to build a wide-area network needed to procure expensive, dedicated lines to connect its offices together. With long-distance charges of leased lines mounting daily, the cost of deploying and maintaining a private network is also on the rise.

12 Benefits of Going VPN
A well-designed VPN can benefit a company by:
Extending geographic connectivity
Reducing operational costs in comparison with traditional WAN
Eliminating long-distance charges
Reducing in-house staff requirement with outsourcing
Lowering capital expenditure, as access servers, large backbone and switches are owned and managed by service providers
Reduced transit time and transportation costs for remote users
Improved productivity
Simple network topology
Global networking opportunities
Telecommuter support
Providing broadband networking compatibility
Faster ROI (return on investment) than traditional WAN

Besides file sharing and email, the WAN provides access to Intranet Websites and videoconferencing systems. In addition, some organizations selectively open their WAN access to partners to provide Extranet services. VPNs not only support the same Intranet/Extranet services as a traditional WAN, but also allow further mobility to the worker. Leased lines don’t support mobile workers well because they fail to extend to people’s homes or their travel destinations.

Companies that don’t use VPNs have to resort to implementing specialized secure dial-up services. To log in to a dial-up Intranet, a remote worker must call into a company’s remote access server. The overheads of maintaining such a system internally, coupled with the possibility of high long-distance charges incurred by travelers, make VPNs a more appealing option.

Designing a VPN



While designing a VPN solution, a number of factors need to be considered:


Need Assessment: A company should be able to identify its data traffic and have a clear picture of how the organization is poised for growth. Among the factors that determine the nature and extent of VPN requirements are the number of employees travelling, the nature of applications that need to be accessed, the type and sensitivity of data and the locations from which employees will be connecting to the corporate LAN.

Ease of Deployment: Let the vendor know which cities are the most important and which location has the largest customer base, and make them the nodal points of the backbone. This can bring some sanity to the network design and hierarchy. A company that keeps adding more locations without much foresight can end up having a criss-cross of links, which could be difficult to maintain and troubleshoot.

Scalability: The network should be able to support a large number of users without requiring a proportionate increase in expenditure for infrastructure or support. It should be able to support peak loads and provide access from a number of remote points without enhancing the infrastructure.


Reliability: Employees remotely accessing the corporate network may not expect a high level of performance but they do expect reliable services. Dial-in attempts must provide successful connections at reasonable speeds and shouldn’t get disconnected while accessing important information.

Manageability: The VPN solution must be easy to support and manage both on the LAN side and at the user end. Minimal software installation should be required and the software should be easy to install, configure and use.

Interoperability: Although standards exist for providing VPN compatibility, various factors such as different implementation standards limit multi-vendor interoperability. Additionally, many standards for tunneling, authentication and encryption are still emerging. So, care must be taken to ensure that the VPN solution selected provides end-to-end interoperability.


Security: A major issue



Probably the one thing that worries most companies while deploying a remote access network like a VPN is security. Managing security could be a complex affair, as every resource on the corporate network needs to be protected: systems, information, application resources and networks. The network should provide for two levels of security. The first is user authentication and the second is data encryption. User identification allows one to be confident that the party we are establishing communications with is who we think it is. VPN technologies are making use of several tried and trusted methods for establishing the identity of the party at the other end of a network. These include passwords, digital certificates, smart cards and biometrics.

5 Check-points Before Going VPN
Potential pitfalls in VPNs that can lead to unplanned costs:
VPNs require an in-depth understanding of public network security issues and proper deployment of precautions
The availability and performance of an organization’s wide-area VPN (over the Internet in particular) depends on factors largely outside its control
VPN technologies from different vendors may not work well together due to immature standards
VPNs need to accommodate protocols other than IP, including existing legacy internal network technology
It is assumed that Service Level Agreements (SLAs) ensure reliable services and high performance, but there is no guarantee. They might provide financial compensation when the terms are not met. But financial incentives do not make up for lost productivity and opportunity

Another significant factor is the security of critical data. Information privacy is maintained while it is in transit between servers and clients. Protecting data requires that it be encrypted while travelling over the Internet. Various techniques such as TripleDES and IPSec’s AH (Authentication Header) are available to address this issue. IPSec is a framework of open standards for ensuring secure private communications over IP networks. Based on standards developed by the IETF (Internet Engineering Task Force), IPSec ensures confidentiality, integrity and authenticity of data communications across a public IP network. IPSec provides a necessary component of a standards-based, flexible solution for deploying a network-wide security policy.
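The tunneling and packet-protection ideas described above, as an added example that is not part of the original article: a toy pair of tunnel endpoints that wrap inner packets with a tunnel identifier, a sequence number and an HMAC tag, so the receiver can tell tunnels apart and reject modified or replayed packets. It models the integrity and origin-authentication role that AH plays; the header layout, keys, payloads and all names are assumptions for illustration, not the IPSec wire format, and the payload is left unencrypted.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                 # HMAC-SHA256 output size in bytes
HDR = struct.Struct("!II")   # assumed header: tunnel id, sequence number

class TunnelEndpoint:
    """One end of several tunnels that share the same public network (toy model)."""
    def __init__(self, keys):
        self.keys = dict(keys)                # tunnel id -> shared secret
        self.tx_seq = {t: 0 for t in keys}    # last sequence number sent
        self.rx_seq = {t: 0 for t in keys}    # highest sequence number accepted

    def encapsulate(self, tunnel_id, inner_packet):
        """Build header | inner packet | HMAC(header | inner packet)."""
        self.tx_seq[tunnel_id] += 1
        header = HDR.pack(tunnel_id, self.tx_seq[tunnel_id])
        tag = hmac.new(self.keys[tunnel_id], header + inner_packet, hashlib.sha256).digest()
        return header + inner_packet + tag

    def decapsulate(self, outer_packet):
        """Return (tunnel_id, inner_packet) or raise ValueError if the packet is rejected."""
        if len(outer_packet) < HDR.size + TAG_LEN:
            raise ValueError("truncated packet")
        tunnel_id, seq = HDR.unpack_from(outer_packet)
        key = self.keys.get(tunnel_id)
        if key is None:
            raise ValueError("unknown tunnel")
        body, tag = outer_packet[:-TAG_LEN], outer_packet[-TAG_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            raise ValueError("integrity check failed")
        if seq <= self.rx_seq[tunnel_id]:   # strict ordering; real stacks use a sliding window
            raise ValueError("replayed or stale packet")
        self.rx_seq[tunnel_id] = seq
        return tunnel_id, body[HDR.size:]

def demo():
    keys = {1: b"branch-office-key", 2: b"partner-extranet-key"}  # constructed sample keys
    sender, receiver = TunnelEndpoint(keys), TunnelEndpoint(keys)
    p1, p2 = sender.encapsulate(1, b"SAP order 42"), sender.encapsulate(2, b"partner invoice")
    results = [receiver.decapsulate(p2), receiver.decapsulate(p1)]
    for bad in (p1[:-1] + bytes([p1[-1] ^ 1]), p1):  # modified in transit, then replayed
        try:
            receiver.decapsulate(bad)
        except ValueError as err:
            results.append(str(err))
    return results
```

Calling `demo()` returns the two packets demultiplexed to their tunnels, followed by the rejection reasons for the modified and the replayed packet.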

Emerging potential



Optical VPNs are among the emerging technologies in this area. These are wavelength-based or Lambda-based VPNs. The idea is to use DWDM (Dense Wavelength Division Multiplexing) as the core technology. DWDM and WDM (Wavelength Division Multiplexing) are currently used as long-haul transport technologies. When there is a high density of customers, it will evolve into an access technology. So there will be a shift from a packet domain-based VPN to an optical domain-based VPN. The shift will not be prominent for the next few years, because implementation standards and vendor support are also crucial to the adoption of new technology.

SHWETA VERMA in New Delhi

CASE STUDY  WHIRLPOOL INDIA: From the Horse’s Mouth

Business



A global leader in home appliances, Whirlpool has been operating in India since 1996. With a turnover of about Rs 1,000 crore, it is spread over 40 locations in India and has over 4,000 dealers and 500 service centers in India alone.

Objective



In 1999, the company decided to set up a WAN (Wide Area Network) to connect all its locations. This would optimally utilize the SAP ERP solution that was being implemented and deploy network applications such as messaging to improve communication among its various locations.





“A relatively new concept, not many enterprises have deployed VPNs on a large scale”

MR Sundaresan, director (IT), Whirlpool

VPN strategy



Although Whirlpool already had an existing VSAT network from Comsat Max, linking 12 locations, the company was looking at expanding its reach. Apart from setting up a Virtual Private Network (VPN), this could be done in two other ways. One was to scale the existing VSAT network. Another was to set up a point-to-point LAN-based terrestrial network. "While both these options were well established in India at that time, VPN was a relatively new concept. Not many organizations had deployed it on a large scale," explains MR Sundaresan, director (IT), Whirlpool. "So, it was a tough decision."

The three technologies were evaluated on the basis of reliability, accessibility or reach of the network, the overall investment along with recurring costs involved and the security issue. After careful assessment and advice from a network specialist from the corporate office in the US, the company finally decided in favor of VPN. Among the VPN service providers, Whirlpool opted for Sify because it was a dominant player at that time. While others had entered the market, they didn’t have enough reach. The deployment, which was carried out in a phased manner, took about 12 months to cover all locations and was up and running by November 2000. At present, there is a central server based in the Delhi office and all the other offices connect to it through Sify using a VPN based on the IPSec network protocol.

Challenges



Being among the first few large enterprises to deploy VPN, Whirlpool had virtually no reference cases to learn from. It had to go all out on its own. Even for the service provider, it was the first rollout of its kind and a learning experience of sorts. "There were last-mile connectivity problems. Getting DoT and BSNL links up and running was a huge issue," recalls Sundaresan. "Another problem that cropped up was that certain locations that appeared feasible earlier could not be reached through terrestrial links due to technical hitches." The company had to finally depend on radio frequency microwave links. Although this was a reliable option, it added to costs.

Results



Despite all costs incurred, the VPN ultimately proved to be much cheaper than other options under consideration. The cost was about 20% less than a point-to-point leased line network and 30% cheaper than a VSAT-based link.
What seemed like a mammoth exercise during the deployment proved quite reliable after it. It has been running uninterrupted for almost two years, with an average up time of about 95%.
All the SAP modules, messaging, Intranet applications and a live call center (100 agents) are running comfortably on the network.
The network has been extended to connect to the global database in the US.
A design center set up in Pune to do backend design work for the US, Europe and Latin America is also connected with these places through the VPN.
The network is highly scalable and provides a lot of flexibility in terms of adding or removing links easily.

The future



Satisfied with the performance of its VPN, Whirlpool wants to expand the range of applications like VoIP, HR information systems and other Intranet applications. The company will also gradually extend the network to connect to its dealers and suppliers and use it for other remote office work.
