Service Providers + Outsourcing
REVIEW
Add Some Fiberlink to Your VPN Diet

  August 19, 2002
  By Mike Fratto


Like modems, virtual private networks are a necessary evil. Telecommuters and traveling users need remote access to resources behind the firewall. Even though it's unlikely that someone will capture your data as it passes over the Internet, the fact that this could happen should motivate you to make sure your users' remote access is secure. You can meet that goal in a variety of ways, including use of IPsec VPNs, SSL (Secure Sockets Layer) and SSH (Secure Shell) tunneling, PPTP (Point-to-Point Tunneling Protocol), and encrypted modems.

Arguably, direct dial-in calls to a remote-access server maintained on your local network may be secure enough given the complexity of snooping a typical dial-up modem session. But the Internet is another story. As we well know, snooping traffic traversing the Internet is far easier, so the need to provide VPN services for remote users of your local network, regardless of the access method, is undeniable. However, traditional VPNs can be hard to configure and manage and add administrative burdens in terms of helpdesk support.

Does your company really want to become, or continue to be, an ISP? There certainly are trade-offs. Managing your own VPN gateway means you have complete control of your infrastructure, and you can rest knowing the configuration is as you left it. You have no worries about your service provider closing shop, raising rates or changing its offerings. On the flip side, managed service providers offer 24x7 monitoring, and you can off-load all configuration and software updates.


Glossary
IPsec: Defined through a set of IETF RFCs, IPsec provides encryption, authentication and data integrity for Layer 3 traffic between networks and hosts.

Socks-5: RFC 1928 extends Socks v.4 to include UDP and provisions for generalized strong authentication schemes, and it expands addressing to encompass domain-name and V6 IP addresses. See

SSL: The Secure Sockets Layer protocol secures message transmission over the Internet. It shims between the TCP layer and the HTTP layer, and version 3 is the precursor to TLS.

TLS: IETF RFC 2246, the Transport Layer Security standard, ensures that communications over the Internet between a client and a server remain secure.

Being all for off-loading work, we decided to check out providers offering VPN services. Our RFP stated: "Network Computing is moving to enable its mobile technology editors to have secure, reliable access from remote locations. The Network Computing labs are distributed across the country, and we have several contributing editors on external networks. In addition, our editors often work from home and travel for business." (See "Our Original VPN ASP Request for Proposal.")

Our RFP called for a managed VPN service for 1,000 users. We wanted a split-tunneling setup, where network traffic for specific applications (a mix of TCP and UDP traffic) runs over the VPN while all other traffic for the Internet could pass in the clear. We asked each vendor to send a proposal (see the responses) and undergo testing for seven to 10 days. AT&T, Aventail Corp., Fiberlink Communications Corp. and OpenReach participated, while MCI and Vigilinx declined, both saying they lacked the resources to support the RFP. Genuity didn't respond--never a good thing in a service provider. All the services tested could back-end to existing user databases, so user management was under our control. Aventail, however, can manage users if desired.

All the solutions tested provide the same basic services. CPE (customer premises equipment) gear was shipped to our Syracuse University Real-World Labs®, and in the case of AT&T and OpenReach, smaller units were shipped to branch locations to support remote users with non-Windows laptops. AT&T's, Aventail's and Fiberlink's service offerings were wholly managed services, while OpenReach provisioned and drop-shipped VPN gateways to remote sites, with our performing further management. User profiles and network configuration were highly flexible. We could create policies using different network addressing and split tunneling based on user name.
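A split-tunnel policy keyed by user name, of the kind described above, can be sketched as follows. This is an added example, not code from the article or from any of the vendors reviewed; the user names, prefixes, ports and the decision to drop non-listed traffic bound for a protected prefix are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    proto: str  # "tcp" or "udp"
    port: int   # destination port


@dataclass(frozen=True)
class Policy:
    protected: tuple  # prefixes that must only be reached through the VPN
    apps: frozenset   # applications allowed inside the tunnel


# Constructed sample policies (hypothetical users and addressing).
POLICIES = {
    "lab-editor": Policy(
        protected=(ipaddress.ip_network("10.20.0.0/16"),),
        apps=frozenset({App("tcp", 443), App("tcp", 22), App("udp", 53)}),
    ),
    "contributor": Policy(
        protected=(ipaddress.ip_network("10.20.30.0/24"),),
        apps=frozenset({App("tcp", 443)}),
    ),
}


def decide(user, dst, proto, port):
    """Return 'tunnel', 'clear' or 'drop' for one outbound flow."""
    policy = POLICIES.get(user)
    if policy is None:
        return "drop"  # unknown user: fail closed
    addr = ipaddress.ip_address(dst)  # raises ValueError on a malformed address
    # An IPv6 address is never "in" an IPv4 prefix, so it falls through to clear.
    if not any(addr in net for net in policy.protected):
        return "clear"  # ordinary Internet traffic bypasses the VPN
    if App(proto.lower(), port) in policy.apps:
        return "tunnel"  # listed application to a protected prefix
    # Protected destination but unlisted application: never send it in the
    # clear, where internal addresses and payloads would leak.
    return "drop"
```

The third outcome is the part a two-way tunnel/clear split tends to miss: traffic aimed at a protected prefix that no rule covers is dropped rather than leaked onto the Internet path.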


We weighted price heavily because a main driver for outsourcing remote access is reducing costs. The prices we show in the chart "Managed VPN Services Pricing (First Year)" are list.

Means of Support

We decided to go with the companies' top-tier service offerings. Aventail and OpenReach included end-user support, though Fiberlink and AT&T said they expect end organizations to provide first-level support. Fiberlink said it will provide end-user support if needed.

It's a Microsoft Windows world, and support for other OSs was spotty at best. AT&T and Fiberlink sent us common VPN gateways, a Nortel Contivity 2600 and a Cisco 3005, respectively. Several IPsec VPN clients that interoperate with these gateways, and clients that support PPTP, are available. In addition, Cisco's Unity client supports Apple Mac OS X, Linux and Sun Solaris. However, neither Aventail nor OpenReach supports any client VPN other than Windows.

After we examined the service offerings, Fiberlink came out on top, largely because of its low annual cost. The rest of Fiberlink's tested Global Remote service is based on Cisco's 3005 product. This is a solid, if not exciting, solution. Aventail.Net came in a close second, offering a more complete service docket at a higher price.

