Security Workshop
For VPN Servers, Scalability and Throughput are Critical

  May 14, 2001
  By Tom Zeller


If you are responsible for your company's network services, your to-do list probably has an entry for VPN. There's a good reason for the explosion in the market for VPN servers: A VPN server provides a secure gateway for letting your company's employees access your corporate LAN remotely via the Internet. A VPN server eliminates long-distance charges for dialing directly into the corporate network and provides a secure link between business sites over an existing Internet link.



Security is at the core of the VPN. When properly configured, the VPN server will pass packets only from users who have been authenticated. The server encrypts the information from the corporate servers as it is sent over the Internet to the remote user. The remote user appears to be a local user, permitting access to services restricted by IP address.

The Primary Design Factor: Scale

When you look at the abundance of VPN servers out there, the criterion of scale will let you zero in quickly on the subset of servers that will meet your needs. Two related parameters will help you sort through the contenders: the number of simultaneous users and throughput capacity.

Numerous VPN solutions are sized for 100 or fewer users. If your environment demands a larger scale, the number of choices drops dramatically, and the prices rise just as dramatically. On the high end, VPN servers targeted at Internet service providers can handle 100,000 simultaneous users.

Another dimension of scale for a VPN server is the rate at which it can process packets and shove bits down the pipe. Each packet received must be compared against any input and output filters for address, protocol type, port number and other parameters. If the packet passes the filtering process, the payload must be encrypted or decrypted, depending on its direction through the VPN tunnel.

Because the encryption process is packet-oriented, performance will vary depending on the size of the packets. Processing a megabyte of 1,000-byte packets requires about 1,000 encryption operations. The same megabyte arriving in 100-byte packets requires 10 times the number of operations. As a result, the raw performance in bytes per second for a series of 1,500-byte packets will be several times that for a stream of 300-byte packets, the average packet size on the Internet. Published specifications typically refer to the results for large packet sizes, so real-world mileage will vary.



Another variable is the performance degradation some systems experience because of packet fragmentation from the insertion of additional IPsec header information. (For information on VPN performance testing, see "IPsec VPNs: Progress Slow But Steady".)
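The fragmentation effect described above is easy to quantify. The following is an added example, not code from the article: it computes how large an inner IPv4 packet becomes after ESP tunnel-mode encapsulation (a new outer IP header, the SPI/sequence header, a CBC IV, block padding, the pad-length/next-header trailer and an integrity check value), whether the result still fits a 1,500-byte link, and the inner MTU and TCP MSS a gateway would advertise to avoid fragmenting. The header sizes follow the ESP specification; the cipher block size (16 for AES-CBC, 8 for 3DES-CBC) and the 12-byte ICV (HMAC-SHA1-96 or HMAC-MD5-96) are the assumed defaults and can be changed per call.

```python
# Added example (not from the article): tunnel-mode IPsec ESP overhead and the
# fragmentation it causes on a fixed-MTU link. Assumes IPv4 without options,
# a CBC cipher whose IV equals its block size, and a 12-byte truncated HMAC ICV.

OUTER_IPV4_HEADER = 20   # outer IP header added in tunnel mode (no options)
ESP_HEADER = 8           # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER_FIXED = 2    # pad length (1 byte) + next header (1 byte)


def esp_tunnel_packet_size(inner_len, cipher_block=16, icv_len=12):
    """On-the-wire size of an inner IPv4 packet of inner_len bytes after
    ESP tunnel-mode encapsulation.

    The encrypted region (inner packet + padding + pad length + next header)
    is padded up to a multiple of the cipher block size, and the IV that
    precedes it has the same length as one block.
    """
    encrypted = -(-(inner_len + ESP_TRAILER_FIXED) // cipher_block) * cipher_block
    return OUTER_IPV4_HEADER + ESP_HEADER + cipher_block + encrypted + icv_len


def max_inner_packet(link_mtu=1500, cipher_block=16, icv_len=12):
    """Largest inner packet whose encapsulation does not exceed link_mtu.

    Take what is left after the fixed headers, round it down to a whole
    number of cipher blocks, then give back the two trailer bytes.
    """
    available = link_mtu - OUTER_IPV4_HEADER - ESP_HEADER - cipher_block - icv_len
    encrypted = (available // cipher_block) * cipher_block
    return encrypted - ESP_TRAILER_FIXED


def ipv4_fragments(packet_len, link_mtu=1500):
    """Number of IPv4 fragments a packet_len-byte packet is split into on a
    link of link_mtu bytes. Fragment payloads are multiples of 8 bytes and
    every fragment carries its own 20-byte IP header."""
    if packet_len <= link_mtu:
        return 1
    per_fragment = ((link_mtu - OUTER_IPV4_HEADER) // 8) * 8
    return -(-(packet_len - OUTER_IPV4_HEADER) // per_fragment)


def tcp_mss_for_inner_mtu(inner_mtu):
    """TCP MSS to clamp on SYNs so an inner IPv4/TCP segment fits inner_mtu
    (20-byte IP header + 20-byte TCP header, both without options)."""
    return inner_mtu - 20 - 20


if __name__ == "__main__":
    # Constructed scenario: a full-size 1500-byte packet from the LAN is
    # tunnelled over a 1500-byte Internet link with AES-CBC and HMAC-SHA1-96.
    wire = esp_tunnel_packet_size(1500)
    print(f"1500-byte inner packet -> {wire} bytes on the wire, "
          f"{ipv4_fragments(wire)} fragment(s) on a 1500-byte link")
    inner = max_inner_packet()
    print(f"largest inner packet that avoids fragmentation: {inner} bytes "
          f"(clamp TCP MSS to {tcp_mss_for_inner_mtu(inner)})")
    print(f"with 3DES-CBC instead: {max_inner_packet(cipher_block=8)} bytes")
```

The practical takeaway for the throughput discussion is that a 1,500-byte inner packet does not fit: it becomes two outer packets, so the receiving gateway must reassemble before it can verify and decrypt, which is the extra per-packet work the article alludes to. Lowering the inner MTU or clamping the TCP MSS on the tunnel interface avoids the fragmentation at the cost of slightly smaller payloads.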

The relationship between raw byte processing and the number of users supported must also be considered. Some VPN servers rated to support 100 users can process only 1 million to 2 million bps. Do the math. That's only 10 Kbps to 20 Kbps per user if all the users are sending packets at the same instant. If they are all watching video streams, there will be contention for server bandwidth; packets will be dropped, and the users will experience poor performance. If, on the other hand, they are all casually browsing Web pages and reading e-mail, they may find the experience acceptable. Other 100-user systems support higher throughputs, up to about 10 Mbps. Note that an encrypted frame is near-random and will not benefit from compression.
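The packet-size arithmetic and the per-user bandwidth figures in this section lend themselves to a small sizing model. The following is an added example, not code from the article: it counts encryption operations per megabyte for a given packet size, derates a vendor's throughput figure (quoted at large packets) to the packet size actually seen on the wire, and divides the result among simultaneous users. The derating uses an assumed cost model in which each packet costs a fixed amount of work (filter matching, header parsing, cipher setup) plus a per-byte amount; the fixed part is expressed as an equivalent number of payload bytes and is a tunable assumption, not a measured value.

```python
# Added example (not from the article): a simple cost model for why VPN
# throughput quoted at large packet sizes overstates what a mix of small
# packets achieves, and what that leaves for each simultaneous user.

def encryption_ops_per_megabyte(packet_bytes: int) -> int:
    """Per-packet encrypt/decrypt operations needed to move 1 MB (1,000,000
    bytes) when traffic arrives in packets of packet_bytes."""
    if packet_bytes <= 0:
        raise ValueError("packet size must be positive")
    return 1_000_000 // packet_bytes


def effective_throughput_bps(spec_bps: float, spec_packet_bytes: int,
                             real_packet_bytes: int,
                             per_packet_overhead_bytes: float) -> float:
    """Derate a throughput figure measured at spec_packet_bytes to the
    packet size actually on the wire.

    Model (an assumption): the time to handle one packet is proportional to
    (packet_bytes + per_packet_overhead_bytes), where the overhead term is
    the fixed per-packet work expressed as equivalent payload bytes. Useful
    throughput is therefore proportional to size / (size + overhead).
    """
    def efficiency(size: int) -> float:
        return size / (size + per_packet_overhead_bytes)
    return spec_bps * efficiency(real_packet_bytes) / efficiency(spec_packet_bytes)


def per_user_bps(throughput_bps: float, simultaneous_users: int) -> float:
    """Bandwidth each user gets if every counted user transmits at once."""
    if simultaneous_users <= 0:
        raise ValueError("need at least one user")
    return throughput_bps / simultaneous_users


def users_supportable(throughput_bps: float, per_user_bps_needed: float) -> int:
    """How many users can transmit at per_user_bps_needed simultaneously
    before the server's throughput is exhausted."""
    return int(throughput_bps // per_user_bps_needed)


if __name__ == "__main__":
    # Constructed scenario: a box rated at 10 Mbps with 1500-byte test
    # packets, a 300-byte average packet on the Internet, and an assumed
    # fixed per-packet cost equivalent to 600 payload bytes.
    print("ops/MB at 1000-byte packets:", encryption_ops_per_megabyte(1000))
    print("ops/MB at  100-byte packets:", encryption_ops_per_megabyte(100))
    real = effective_throughput_bps(10_000_000, 1500, 300, 600)
    print(f"10 Mbps spec at 1500 B -> {real / 1e6:.2f} Mbps at 300 B packets")
    print(f"per user with 100 users sending at once: {per_user_bps(real, 100):,.0f} bps")
    # 2 Mbps box with 100 users: the 20 Kbps/user figure from the article.
    print(f"2 Mbps / 100 users = {per_user_bps(2_000_000, 100):,.0f} bps each")
    # Constructed workload rates for the sizing question: casual Web/e-mail
    # versus streaming video.
    print("users at 20 Kbps each:", users_supportable(real, 20_000))
    print("users at 300 Kbps each:", users_supportable(real, 300_000))
```

The overhead parameter is the one number to calibrate against your own testing: measure the device at two packet sizes, solve for the per-packet cost, and the model then predicts how far a data-sheet figure drops at the packet mix your users actually generate.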

Servers that support several hundred to about 1,500 users have throughputs on the order of 20 Mbps to 80 Mbps, but such systems can't be bought for mere milk money. One reason that higher-speed VPN servers get so pricey is that they use expensive, specialized hardware to perform the packet encryption/decryption function.

When IPsec is the VPN protocol used, very large installations have to pay attention to the number of IPsec connections that can be established per second. Quite a bit of CPU activity is involved in setting up an IPsec connection, and a server capable of handling thousands of active connections may be able to create only a few hundred in a second.

The final parameter of scalability is capacity expandability. Precisely determining the number of users your system will be required to service at any given instant may be difficult. If you misjudge, you'll want a pathway to higher service levels. That may not be necessary, however, if you think you can realize sufficient return on investment on your first server in two to three years and buy a bigger server when you need it.

Some servers are purchased with licenses for a certain number of users. Later you can buy more licenses, but the hardware you're using must be able to support the additional users. Some servers provide a hardware upgrade path. This might simply mean adding one or more CPUs to the server to aid it in the encryption process. Other systems allow the installation of additional encryption/decryption hardware in the field to increase throughput.

Scalability can mean a multitude of VPN servers in different locations. If you're going to support many VPN servers, consider the management applications some vendors offer that allow a single point of management for many servers.

