TECH-BYTES

From Archives Issue No.7 - March 2003

Virtual Private Networks

The concept of the Virtual Private Network (VPN) is very simple: take the world's largest network, the Internet, and use encryption to pass traffic securely between two or more locations, making it a private network. However, until recently the application of this simple concept has been very complex and not cost effective. There have been two major issues: firstly, the cost of the technology and the expertise needed to create and maintain a VPN, and secondly, the amount of resources that had to be devoted to the research and testing required for a successful implementation and to the ongoing management of a VPN. It is only in the past few years that VPNs have become a practical alternative to the trusted private-circuit Wide Area Network.

A few years ago, there were very few contenders in the VPN market. They came in two main flavors, evolving from two traditional disciplines: the firewall vendors and the manufacturers of networking equipment. Early VPN products were plagued with the usual issues, the lack of standards and the limitations of existing technology. The lack of standards stunted the growth and deployment of VPNs, whilst the traditional methods made the use and deployment of the technology cumbersome, and made large, complex VPN networks almost entirely cost-ineffective from a management perspective.

TCP/IP, the backbone of the Internet, had to be updated to support encryption and authentication. The Internet Engineering Task Force (IETF) initiated the Internet Security Protocol (IPSec) project. IPSec was created to protect the network itself, allowing the use of the ubiquitous TCP/IP protocol with no changes to the applications that ran over it. This proved to be hugely popular with vendors and users alike: take everyday applications and make them secure enough to use by securing the network. There was also some very creative thinking governing the security of IPSec. One important component which made IPSec a clear favorite was its use of widely accepted private and public key cryptography.

The technical achievement of IPSec presented an opportunity and an interesting paradox. Here was a technology that would allow businesses to save a good chunk of money by connecting locations and people over the Internet and dropping expensive point-to-point circuits, but the initial implementation cost and the total cost of ownership were prohibitive for the small to medium-sized businesses and enterprises that were the most likely users of the technology.

As soon as IPSec was finalized (late 1998), many fledgling companies, some software and some hardware based, started to offer VPN solutions and to challenge the classic firewall and networking giants. As is so often the case in the industry, many wonderful products fell prey to the perils of 'bleeding edge technology', poor marketing, an increasingly weary IT market and, to a large extent, a lack of understanding by IT professionals of the running costs and limits of VPNs.

One could also argue that the concept of VPNs and IPSec was a little ahead of the available technology. VPNs by nature are very resource hungry; after all, cryptography is thirsty work. Initial implementations on NT and NT-derived operating systems lacked performance, Linux, although robust, was not mature enough, and Unix and hardware-based solutions were expensive. The algorithms in many cases were not efficient, and those that were efficient were hacked quickly. Even when you got over these difficulties, which in most cases related to inflated costs in one shape or another, you were confronted with the cost of managing a VPN.

I was fortunate enough to be a member of a team that achieved a VPN mesh between 42 client offices and two Network Operating Centers, and migrated an enterprise-level customer from a hub-and-spoke frame relay Wide Area Network to the fully meshed VPN. Since the management of the system was policy based, the 84 devices deployed were implemented and managed by a team of 4 people. Again, both the technology and the project were a bit ahead of their time and we faced a few challenges; however, we successfully demonstrated that policy-enabled VPNs and VPN meshes with a large number of sites were achievable, and economical, as long as the technology, staff and project skills were correct.

Several advances in technology and a better understanding of VPNs have started to make VPNs more readily available in the IT world. CPUs, memory and hardware devices have become cheaper and perform better. The algorithms themselves have become smaller and more secure, allowing VPNs to operate at wire speed.

One small step for IT, one giant step for penguin kind: you guessed it, the Linux world has caught up with VPNs. IPSec has made it to the budget-friendly operating system and has brought along some interesting friends. The folk at FreeS/WAN have done a wonderful job of coding, documenting and integrating IPSec on the Linux platform. Powerful tools such as advanced IP routing and address allocation over IPSec, combined with the ever-decreasing price of embedded units, have made Linux the platform of choice for many VPN vendors.

With many powerful tools developed and a firm standard for the underlying transport in IPSec, companies started answering the main concern, management, which until a few years ago was missing from most of the major players' products, making them cost prohibitive.

Cisco, as always, has a bulletproof, scalable and robust product; however, their product offering is limited, as is their management front end. Other industry leaders, Checkpoint and Nortel, have a broader offering aimed at a much wider market.

The people at Checkpoint have developed a suite of products aimed at all levels of the industry and a decent suite of management programs (Smart Center). Their products start with Safe@Home (about $300), aimed at the DSL user, with 5 nodes and 5 VPN tunnels, scale up to the small office solution Safe@Office (at around $800), and go through to the full-blown VPN-1 Net solution, all utilizing a stateful inspection firewall. Remote users can gain access over the Internet using an IPSec client or, in a clientless fashion, SSL tunnels. Checkpoint currently holds 65% of the VPN market.

Nokia has a VPN offering based on the Checkpoint product but running on Nokia's own hardware and operating system.

Nortel has taken a similar approach to Checkpoint and makes a VPN offering through its Contivity series and Contivity Configuration Manager. The Contivity 600 Series is aimed at branch offices and would be on par with the Safe@Office product from Checkpoint. At this level you are looking at 50 tunnels that can be configured in a classic hub and spoke or a VPN mesh. Remote access users can connect to any of these products using a host of clients covering most operating systems, including Linux and Macintosh. At the high end of the Nortel spectrum you have the 4600 series, which can handle up to 5000 tunnels.

One company making an impact on the VPN scene with an excellent offering is Watchguard. They have an incredibly capable product line, starting with the Firebox systems aimed at the small to medium-sized market and scaling up to the Firebox Vclass aimed at enterprise-level VPNs. In independent studies the Firebox V60 outperformed the equivalent Cisco and NetScreen products, boasting 21 times higher throughput than the equivalent Cisco product with zero-loss throughput. At the top end the Vclass can handle an impressive 20,000 tunnels. Besides the excellent throughput, the real offering with the Firebox Vclass is the Central Policy Manager. This management console allows the administrator to centrally manage and deploy policies, and greatly simplifies VPN mesh management. Watchguard recently announced the merger of the Firebox Systems and the Firebox Vclass lines of products.

Another company doing well in the VPN market is Sonicwall. Although Sonicwall does not have the same high-end throughput as Watchguard, they do have a good product offering. Their lower-end systems are very capable and they have some unique offerings. Take, for instance, the Tele3 SP, which has automatic failover from an ISP connection to an integrated analogue modem, making the system ideal for retail stores, banks and gas stations that require constant connections.

A capable product with both a software and a hardware component is Securepoint. They offer a good set of management tools for enterprise-level organizations. Securepoint has for a long time contributed to the freeware market and has a very respectable product. You can download and evaluate the non-commercial version of the product from their website.

For those looking to the open source market there is the OpenVPN project (http://openvpn.sourceforge.net/) and, as we have mentioned, there is also the FreeS/WAN project. Although there is a front end to FreeS/WAN via Webmin, this is very much in beta. As is the trend in the Linux world, one would expect to see some very real developments in the area of enterprise-level VPN management. My Linux team has been involved in the development of the hardware device and the Linux-based operating system for the Policy Enforcement Point of the ISCS, and we have been successful in implementing the Policy Enforcement Point for our customers. The ISCS is much more than just a VPN. Like the Watchguard, Nortel and Checkpoint products, there is a central console which will eventually maintain all the edge devices, and unlike most other firewalls there is a real emphasis on inter-office security. Each device is policy-enabled, reducing the management overhead of these devices by as much as 90%. There are also added benefits to remote users from DHCP over IPSec. At the moment the firewall on these units is provided by Fwbuilder, and we hope to integrate the firewall component into the Central Policy Manager.
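As an added illustration of the hub-and-spoke versus mesh choice discussed above, and of what a policy-based, centrally managed VPN automates, the script below generates FreeS/WAN ipsec.conf 'conn' stanzas for each gateway from one central site list and a hypothetical topology policy. This is not code from the article or from any product it names; the site inventory, hub list and key values are constructed placeholders.

```python
from itertools import combinations

# Constructed sample inventory (documentation-range addresses): name -> (gateway, protected subnet)
SITES = {
    "noc1": ("192.0.2.1", "10.0.1.0/24"),        # Network Operating Center
    "noc2": ("192.0.2.2", "10.0.2.0/24"),        # Network Operating Center
    "office1": ("198.51.100.1", "10.1.0.0/24"),
    "office2": ("198.51.100.2", "10.2.0.0/24"),
    "office3": ("198.51.100.3", "10.3.0.0/24"),
}
HUBS = ["noc1", "noc2"]

def tunnel_pairs(sites, topology, hubs=()):
    """Site pairs needing a tunnel under a topology policy (hypothetical policy model).
    'mesh': every pair of sites.  'hub': each spoke to every hub, plus the hubs to each other."""
    names = sorted(sites)
    if topology == "mesh":
        return list(combinations(names, 2))
    if topology == "hub":
        pairs = set(combinations(sorted(hubs), 2))
        for name in names:
            if name not in hubs:
                pairs.update((hub, name) for hub in hubs)
        return sorted(pairs)
    raise ValueError(f"unknown topology {topology!r}")

def conn_stanza(a, b, sites):
    """One FreeS/WAN ipsec.conf 'conn' block for the a<->b tunnel, RSA-signature authenticated."""
    gw_a, net_a = sites[a]
    gw_b, net_b = sites[b]
    return "\n".join([
        f"conn {a}-{b}",
        f"    left={gw_a}", f"    leftsubnet={net_a}", f"    leftid=@{a}",
        f"    leftrsasigkey=PLACEHOLDER_PUBKEY_{a}",   # real value: output of 'ipsec showhostkey'
        f"    right={gw_b}", f"    rightsubnet={net_b}", f"    rightid=@{b}",
        f"    rightrsasigkey=PLACEHOLDER_PUBKEY_{b}",
        "    authby=rsasig",   # per-gateway keys scale to a mesh; one preshared secret per pair would not
        "    auto=start",
        "",
    ])

def device_config(site, sites, topology, hubs=()):
    """ipsec.conf fragment for one gateway: only the conns it takes part in.  The same stanza
    works on both ends because FreeS/WAN works out which of left/right is the local side."""
    return "\n".join(conn_stanza(a, b, sites)
                     for a, b in tunnel_pairs(sites, topology, hubs) if site in (a, b))

if __name__ == "__main__":
    for topo in ("hub", "mesh"):
        print(f"{topo}: {len(tunnel_pairs(SITES, topo, HUBS))} tunnels")
    print(device_config("office1", SITES, "hub", HUBS))
```

For the 42 offices and two NOCs mentioned above, the same policy model yields 85 tunnels in hub-and-spoke form and 946 in a full mesh, which is the management overhead that a central policy console takes off the administrator.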

There are also several companies that are acting as VPN Service Providers. These organizations look after all your VPN requirements. They provide a single point for remote access users, and look after the security and processing of all your VPN traffic.

In conclusion, the last 3 years have seen the VPN market mature to a level where both small and large companies are providing affordable, scalable and reliable VPN solutions. More and more emphasis is being put on central management, which has dramatically reduced the total cost of ownership of these devices and software products, making them more accessible to small to medium-sized businesses.

Shad Mortazavi
US Technical Manager, Nexus.
Senior Technical Consultant, News Views



Sources/Further Information

IETF
IPSEC
Cisco
Nortel
Checkpoint
Watchguard
Sonicwall
Securepoint
FreeS/WAN
Openvpn
Webmin
ISCS
Fwbuilder
Nexus management

© 2003 www.newsviews.info. All rights reserved.