For some, VPN is intimately linked with the internet whilst, confusingly, for others it is a way of avoiding all that is bad about the internet. Muddying the waters further it also has connotations in the voice networking arena.
So what is a VPN?
What is true of all VPNs is that they provide connectivity between two or more places using a previously established, shared network infrastructure rather than having to deploy new, dedicated hardware specifically for this purpose.
By 'overlaying' new, secure logical links or channels on top of an existing physical network infrastructure it is possible to emulate a dedicated private network without the expense, time and trouble of building one. Hence the term 'virtual private network' - it looks and acts like a private network but by being built on shared infrastructure, fundamentally is not.
An example - the voice VPN
To illustrate the concept of a VPN let's consider a corporate voice network. Traditionally companies would build their own dedicated private voice networks to link up their offices and benefit from cheaper, predictable call costs, increased control and better functionality than using the Public Switched Telephone Network (PSTN).
Voice VPNs offer these same benefits but are built on shared infrastructure rather than each company having to tie up capital in their own hardware and employing a team to maintain it. The shared infrastructure is owned and managed by a service provider who can leverage economies of scale to efficiently run a network that can cater for maximum concurrent usage without wastage.
As far as customers are concerned they are getting all the functionality of a private network (dial plans, short code dialling, inter-site conferencing etc) but without the headache of building and running a dedicated network.
IP VPNs built on service provider private networks
The same principles hold true for the data world though there are a few more considerations and variations. Firstly there is a direct comparison with the voice scenario above - a service provider builds their own 'private' network (completely separate from the internet) and uses it to transport multiple customers' traffic.
From the perspective of each customer, they have a virtual private network - their traffic is segregated from everyone else's and sites are seemingly connected as if there was a dedicated circuit between them. Clearly in the data world secure segregation of traffic is paramount, and the method by which this is achieved is dependent on the underlying technology the network is built on.
The current industry trend amongst network service providers is to build Multi-Protocol Label Switched (MPLS) IP networks which, as the name suggests, use unique labels to differentiate traffic streams.
Older technologies such as Frame Relay, ATM and X25 used the concept of 'virtual circuits' to achieve the same thing. The key benefit of MPLS over its predecessors and the internet is its support for differentiated quality of service (QoS).
Simply put this means that the network can provide traffic delivery guarantees based on predefined parameters such as maximum delay and minimum throughput. This is ideal for the convergence of voice, video and data as well as being highly desirable from the perspective of guaranteeing service levels.
For these reasons, as well as the inherent security and accountability of using a network that is wholly managed by a single service provider, this type of VPN is often favoured for corporate intranet networks. Manageability and reporting are also key benefits though all this added value comes at a price.
Internet VPNs
The subject of price is a good point to introduce the internet VPN. Unsurprisingly this type of VPN uses the internet as the underlying shared infrastructure as opposed to a private network run by a single service provider.
Relatively low cost and widespread coverage are the obvious benefits of using the internet though these have to be balanced against the absence of end-to-end service guarantees and the abundance of security threats. The latter issue is addressed by two technologies that dominate the internet VPN space: secure sockets layer (SSL) and IP security (IPSec).
Although often portrayed as competing technologies, each has its own characteristics, benefits and drawbacks that make them better or worse suited for different applications and usage. As such there is a case to use both in a complimentary manner.
SSL VPNs
SSL is a web-based security protocol that provides data confidentiality (encryption) and authentication. It is built in to web browsers and is routinely used to secure sensitive communication such as credit card transactions across the internet.
In the context of VPNs it can be used to 'tunnel' traffic from an individual's PC to a specialised SSL gateway at a central site to provide access to web-enabled applications and file shares. The key advantage of an SSL VPN is ubiquity of access - a user can access their applications and resources from anywhere there is internet connectivity.
This could be at home, in a coffee shop or an airport lounge anywhere in the world. What's more it can be from a PC, PDA, mobile phone or any other device that has an internet browser that supports SSL.
This simple mode of access makes deployment and support of SSL VPNs straightforward and low-cost. Ironically the ubiquitous access benefit of SSL can also be viewed as a drawback.
There exists the potential for users to expose confidential company information by accessing it on a public device (such as a coffee shop PC) and leaving it on display for all to see without properly logging out.
They could also leave potentially sensitive files and attachments on the same machine without even knowing it. Thankfully the technology exists to mitigate these risks but access control is still an issue. The other main drawback of SSL VPNs is that they can only be used to access 'web-enabled' applications.
Although it may be possible to adapt other applications so that they can be accessed via SSL, this integration work could be costly, especially if application integrity and a consistent user experience are key requirements.
IPSec VPNs
Whilst SSL is predominantly used to provide a remote access capability to individual users, IPSec is widely used both for individual user access and site-to-site VPN connections over the internet. IPSec gateways at each end of the connection are used to create encrypted 'tunnels' that mask application traffic from the outside world and effectively create secure point-to-point links between sites.
The gateways can be dedicated appliances or an additional capability provided on other networking components such as firewalls and routers. The choice of device will determine the level of security robustness, maximum throughput rates, number of concurrent tunnels that can be supported and solution cost.
Another consideration is that, whilst IPSec is an open standard, interoperability between different vendors' gateways is not always straightforward.
From the perspective of providing a remote access capability for individuals, IPSec relies on each user having an IPSec client application installed on their PC. In some senses this is a good thing as it maintains access control firmly within the IT department but the flipside is the burden and cost of supporting an extra application on users' machines.
Another bittersweet characteristic of IPSec is that by operating at layer three (the network layer) of the OSI seven-layer model, it provides users native IP access to applications and systems. Whilst this may be good for super-users and developers it also opens up a potential security threat that needs to be managed.
Summing up
So the answer to the question, 'Which type of VPN is best?' is inevitably, 'It depends.' If the objective is a highly available, highly secure network to act as the backbone for a corporate intranet handling a variety of applications then an MPLS IP VPN over a managed service provider's network would be the popular choice.
However for less critical or geographically remote sites an IPSec site-to-site internet VPN may be a cost-effective alternative.
This may also be appropriate for connections to third parties. For remote users internet VPNs should definitely be considered - SSL where possible for 'standard' user access to 'standard' applications; IPSec for broader user access or for applications not suited to the web. In reality a combination of all of the above may well be the best solution.
Xantus is a consultancy focused on advising UK organisations on IT decisions. Xantus' services include technology selection, business case development, strategic sourcing and programme management.
