VPNs Put Trust in Untrusted Networks

by Jim Fey

The virtual private network, or VPN, is a technology that many of us have heard of, or have used in business and perhaps even in our homes. VPNs are in our workplaces and homes to help safely move information from "untrusted" network segments (like the Internet) to "trusted" network segments (like company LANs). Telecommuters and business travelers who are outside of company facilities find VPNs, or secure tunnels, a helpful way to supply and obtain corporate resources and information. But VPN technology secures more than just remote clients accessing centralized company resources. VPN tunnels help secure the privacy (did anyone see it?), the authentication (who really sent it?), the integrity (was it altered en route?), and the non-repudiation of the data and programs that are transmitted through the tunnel. Non-repudiation means that once sent, the data is electronically signed in such a fashion that it cannot later be denied as having originated from the sender.

All VPNs logically do the same things. They restrict and grant secure access, they securely deliver traffic to another VPN member, and they verify that what was sent is what was received between VPN members.

The most common VPN is used for remote access of laptop and desktop clients back to corporate offices. This seems to be where most organizations have started, and in most cases stopped, the use of VPN technology. These VPNs are easy to set up, although sometimes not as easy to maintain, and they fulfill a basic business need for access to corporate resources. However, this same client technology can be used within a corporate LAN or WAN to grant and deny access to certain resources and servers.

Say you have a corporate payroll department with locations spread across the country or perhaps even internationally. All the network segments that carry your traffic are carried over your own private network. A payroll VPN could be used to securely grant encrypted access, and even visibility, to only authorized payroll personnel scattered across your network. Non-payroll personnel would not be able to see these payroll servers (or resources) residing on the corporate network. Since over 80 percent of successful security attacks occur from inside a company's network, hiding sensitive servers makes an internal attack on these resources much less likely. In addition, because the traffic going to and from these payroll servers is encrypted, any sniffed traffic would be useless to any nonmember of the payroll VPN. With the new federal and state security requirements, a VPN adds a simple but strong layer of security and legal compliance.

Another example in the client access area that has grown in the past several years is wireless networks. The weak encryption of native 802.11 has made wireless technology a prime target for hackers, but VPN technology in conjunction with 802.11 solves most of the native 802.11 security issues.

Another popular use of VPNs is for LAN-to-LAN secure internetworking connections. In some cases, this might be just a secure connection from one host to another, like an iSeries to another iSeries. A more common adaptation is connecting separate office locations into a meshed network. This is where I once believed the real value of VPNs rested. Client connectivity was going to be nice to have, but the real value started with internetworking.

The problem with internetworking was that the data communications vendors were not so eager to lose revenue. During the same period, frame relay technology, which was launched in the early 1990s and really took hold in the mid-1990s, was having several years of triple-digit growth. This was generating substantial profits for the networking vendors. The thought of a meshed (any office location to any office location), competing network, for substantially less money, was not what the network company executives wanted to see. The major networking vendors had already lost the Internet connectivity pricing wars because of local Internet service providers, and VPNs threatened to do the same to the corporate networking business. So to use this innovative tool they had developed, the remote client access feature was the area chosen for original marketing. The remote client access technology did not compete for the significant revenue that the data communications providers were reaping. Most of us who worked with the data communications vendors were very disappointed by this revenue-protection approach.

It has only been in the past several years that internetworking technology has started to take off in the VPN environment. Because of possible Internet congestion, these networks have mainly been used to connect foreign locations or lower-volume domestic locations into corporate networks. In Europe, however, this has become a popular approach to handling country-to-country traffic, avoiding a lot of state-run network communication vendor complications. There are a few U.S. companies, as well, that have accurately determined the distinct cost advantages of internetworking VPNs and have converted major network portions, or entire networks, to this technology. Because the genie is now out of the bottle, the data communications suppliers are starting to actively promote this type of VPN. While not the death of frame relay, it is becoming a viable alternative to frame, and in most cases a cheaper alternative, with only a slight disadvantage in network performance.

The least used and the most overlooked possibility of VPN technology is the use of controlled access for extranets. This provides the capability to supply information and services to customers and suppliers from inside a company's private network or behind a company's firewalls. An example would be a manufacturer that wants to share its product catalog and pricing information with its distributors. Beyond that, the manufacturer wants to make any new product or updated product descriptions and prices available for immediate use by its distributors. Using a VPN, the manufacturer could place all current information on a server behind its firewall and let only specific TCP/IP addresses connect to selected files. Those distributors' unique IP addresses could see only a single server (or several servers) inside the manufacturer's network. Even better, certain IPs could see files that other IPs could not see. And none of the external IPs could see any other device on the manufacturer's internal network.

Many of you are probably thinking, "I thought this was what Web portal servers and Web services do?" And you would be correct. The major difference between the two approaches is cost. Web services require firewalls, Web servers, application servers, and database servers, not to mention the additional skills and training to handle these new environments. VPN technology allows you to get by with a database server and a VSU, or virtual service unit. A VSU is a black box that contains software and programming that sets up virtual networking and specific access rights to groups and individual clients. It could be described as a specialized firewall only for VPNs. In addition to the simplified hardware and software that VPNs allow us to use, VSUs are unexpectedly inexpensive. The costs for setting up the VPN environment can be substantially less than for Web services, especially if you are starting from scratch.

A distributor's ability to link to a manufacturer's databases could eliminate all product and pricing updates for the distributors. Also, logicals, DDMs, indexes, and views that included the manufacturer's databases would act as if the manufacturer's server was inside the distributor's own network. It would not take long to see the advantages this type of VPN technology could bring to our organizations.

Jim Fey has been a midrange computer, data security, and data communications designer, user, and consultant for more than 30 years. He has designed award-winning networks for use by businesses and individuals and frequently speaks at COMMON and other technology conferences. E-mail: jfey@pmigroup.com
Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.