When Collaborative Health Informatics Centre (CHIC) was set up recently to facilitate collaboration between healthcare providers and IT suppliers, efficient data communications was the centre's top priority. CHIC installed a local area network for data communications, then began examining its options for a virtual private network (VPN) to provide communications between its Brisbane head office and external business partners.
That's where things began to get tricky. A not-for-profit organisation, CHIC has to keep its costs as low as possible. With cost savings touted as a primary benefit, the VPN option looked like just the route to help the centre achieve that goal. However, while IT manager Brett Silvester found plenty of ISPs had VPNs on offer, he also discovered taking up those offerings would force him to provide a secure second Internet line between his office and the ISP's. That was an extra investment he just didn't want to make. Furthermore, he considered the cost of going with an ISP for VPN services, at between $20,000 and $30,000, "hideously expensive".
So CHIC is going it alone and will take advantage of the newest technologies on offer to install its own VPN to extract maximum savings from the service. Like many other CIOs, Silvester wonders whether VPNs have a role to play in helping them take advantage of the Internet's reach while bumping up its point-to-point reliability and security.
Analysts expect greater take-up of VPN technology this year, with trenchant resistance finally ceding ground to enthusiasm as VPN standards start to gel, performance lifts and large vendors get on side. "VPNs have been around for more than 10 years and have been notoriously badly accepted in the market," says independent telecommunications analyst Paul Budde. "The major reason for that has been the lack of an open standard. Everybody tried to develop a VPN, and it ended up a proprietary standard; and, of course, it's a nightmare and it's very costly. The Internet has changed all that, and you definitely see the move towards intranets that are taking over the VPN. The VPN originally was very much based around voice. The intranet is actually a VPN, but it is mainly based on data."
Until recently the lack of standards, particularly in relation to security, had the market in confusion and buyer resistance at a peak; companies were loath to place their mission-critical data at risk and concerned about ease of use and performance. Now a lot of hard work by numerous vendors is paying off and pushing VPNs towards the mainstream. Over the last year vendors announced significant enhancements to VPN equipment for enterprises and service providers.
The attraction of the VPN lies in its ability to secure communications via the Internet or a shared IP network. It lets organisations slash the cost of corporate communications by doing away with leased lines or frame-relay services. VPNs are ideal for opening brand new channels of communication - such as among partners and supply chain players, or between headquarters and a remote branch office. They also provide cost-effective and easily administered access to internal networks for road warriors.
Vendors claim VPNs offer the security of a private corporate network combined with the economy and simplicity of the Internet and can slash networking costs by more than half. "The motivators are you can dial into a local number and get access to the Internet and access back to head office cost-effectively," says Andy Hurt, business development director 3Com Asia Pacific. "So cost reduction is one, and speed of connection is another. What you can do is get relatively fast connection into a local point of presence through the Internet, then a high-speed connection in your head office to the Internet and providing access to you."
Definitional problems tend to obscure debate about the merits of VPNs. The phrase has been used to describe combinations of existing networking technologies including TCP/IP stacks, network operating systems, remote access servers, routers, firewalls, and tunnelling software packages. Under the widest definition, even ATM virtual circuits or frame relay virtual circuits that form a private network comprise a VPN. However, at its most basic the VPN is a simple point-to-point Internet-based network that allows users to access private information on a corporate network.
In effect, using a VPN means creating a tunnel through the Internet into your own business, or between your business and other organisations or people. So in CHIC's case, the value of a VPN is in helping the organisation fulfil its role of providing information to the health industry by letting external business managers access and update data held at the national office.
"The kind of people we're mostly talking to about VPNs at the moment are people who require remote access for dispersed staff," says David Osterland, Victorian channel manager with OzEmail. "Until now it's been unaffordable to have remote access for all staff, because the only alternatives have been either STD phone calls to remote access servers or quite expensive alternatives like frame relay. In contrast, we put together solutions that enable companies to have their clients or their staff being able to access their network back at home for the price of a local call plus our fees, which works out to be quite reasonable. So it's enabling staff to get remote access, whereas they wouldn't have been able to before."
VPN solutions are also a good bet for organisations needing to control access to network servers, or to provide security both inside and outside of their firewall. And the technology is a boon for road warriors, who can dial in from anywhere to the service provider's nearest point of presence. All the mobile user needs to access the VPN is dial-up software (found in Microsoft Windows 95 or available in stand-alone packages), VPN software and an Internet account. The ISP takes care of the rest.
Although the VPN concept has been around for a while, it has moved on considerably from its original incarnation where the main focus was on virtual data circuits running within traditional packet or frame relay networks and on voice-switching services. Having moved to the Internet Protocol (IP) environment, VPNs are now equally happy serving up applications geared for the Internet, intranet and extranet computing models.
Typically, you create a VPN by forming a virtual tunnel between two network endpoints. Much of the cost savings come from the fact that users need make only a local phone call to the nearest point of presence of a service provider (whether network or Internet). This makes VPNs substantially cheaper to run than leased lines, which are normally priced according to the distance between end points.
To achieve a virtual private network, VPN software encapsulates the user's network protocol (IP, IPX or AppleTalk, for example) inside the Point-to-Point Protocol (PPP) and wraps that in a tunnelling protocol. That tunnel will either get routed through the shared Internet mesh or else traffic will move across a single vendor's IP backbone; it may even be routed between different carriers or ISPs. How it is done is irrelevant to the user, since to them the link will always appear dedicated and the VPN technology remains reasonably transparent. While tunnelling brings a measure of privacy to VPN communications, most organisations accept the need to add security to protect business-critical applications.
Tunnelling and encryption are both used to provide security and privacy within the VPN. Tunnelling establishes a private point-to-point connection between end-points to allow information exchange. Encryption scrambles the data sent between two end points, so that even if an unauthorised third party observes the data, they will be unable to extract its content. In certain circumstances where security needs are tight, both tunnelling and encryption will be deployed.
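The two paragraphs above describe the layering in words; the following added Python example (not code from the article, nor from any vendor or product it names) makes it concrete. It wraps a simplified packet in a minimal PPP frame, wraps that in a toy tunnel header, and then shows what an on-path observer can read in each case: with tunnelling alone the inner addresses and payload are in the clear, while with encryption plus an authentication tag the observer sees only the tunnel id and the packet size, and any alteration in transit is rejected. The packet layouts, the tunnel header and the cipher (an HMAC-SHA256 keystream with an encrypt-then-MAC tag, standing in for what IPsec would negotiate) are assumptions made for the example; only the standard library is used.

```python
"""Toy model of VPN layering: user packet -> PPP frame -> tunnel header,
with and without encryption. Added example; layouts are simplified and the
cipher is a stand-in, not a real VPN protocol."""
import hashlib
import hmac
import secrets
import struct

PPP_FLAG = 0x7E        # PPP frame delimiter
PPP_PROTO_IP = 0x0021  # PPP protocol number for IPv4
NONCE_LEN, TAG_LEN = 16, 32


def _addr(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def _dotted(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_inner_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Simplified 'IP' packet: 4-byte src, 4-byte dst, 2-byte length, payload."""
    return _addr(src) + _addr(dst) + struct.pack("!H", len(payload)) + payload


def ppp_encapsulate(inner: bytes) -> bytes:
    """Minimal PPP frame: flag, 2-byte protocol number, data, flag."""
    return bytes([PPP_FLAG]) + struct.pack("!H", PPP_PROTO_IP) + inner + bytes([PPP_FLAG])


def tunnel_encapsulate(body: bytes, tunnel_id: int) -> bytes:
    """Toy tunnel header (2-byte tunnel id, 2-byte body length) in front of the body."""
    return struct.pack("!HH", tunnel_id, len(body)) + body


def observe_plain_tunnel(wire: bytes) -> dict:
    """What an on-path observer learns from a tunnel that is NOT encrypted:
    the inner addresses and the payload are fully readable."""
    tunnel_id, length = struct.unpack("!HH", wire[:4])
    inner = wire[4:4 + length][3:-1]   # strip PPP flag + protocol ... flag
    return {"tunnel_id": tunnel_id, "inner_src": _dotted(inner[0:4]),
            "inner_dst": _dotted(inner[4:8]), "payload": inner[10:]}


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, used as a PRF (no extra deps)."""
    out = b""
    for counter in range((n + 31) // 32):
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
    return out[:n]


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject any altered packet."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: packet altered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def encrypted_tunnel(ppp_frame: bytes, tunnel_id: int, enc_key: bytes, mac_key: bytes) -> bytes:
    """Tunnel header stays in the clear; the PPP frame inside it is sealed."""
    return tunnel_encapsulate(seal(enc_key, mac_key, ppp_frame), tunnel_id)


def decrypt_tunnel(wire: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    """Receiving end: strip the tunnel header and recover the PPP frame."""
    _, length = struct.unpack("!HH", wire[:4])
    return unseal(enc_key, mac_key, wire[4:4 + length])


def observe_encrypted_tunnel(wire: bytes) -> dict:
    """All the observer gets now: the tunnel id and the size of the packet."""
    tunnel_id, length = struct.unpack("!HH", wire[:4])
    return {"tunnel_id": tunnel_id, "length": length}


def tamper_is_detected(wire: bytes, enc_key: bytes, mac_key: bytes) -> bool:
    """Flip one ciphertext bit 'in transit' and check the receiver rejects it."""
    altered = bytearray(wire)
    altered[4 + NONCE_LEN] ^= 0x01     # first ciphertext byte
    try:
        decrypt_tunnel(bytes(altered), enc_key, mac_key)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # constructed sample traffic: a remote user reaching an internal catalogue server
    inner = build_inner_packet("10.0.0.5", "10.0.1.20", b"GET /catalogue")
    ppp = ppp_encapsulate(inner)
    print("plain tunnel, observer sees:", observe_plain_tunnel(tunnel_encapsulate(ppp, 7)))
    ek, mk = secrets.token_bytes(32), secrets.token_bytes(32)
    wire = encrypted_tunnel(ppp, 7, ek, mk)
    print("encrypted tunnel, observer sees:", observe_encrypted_tunnel(wire))
    print("receiver recovers frame:", decrypt_tunnel(wire, ek, mk) == ppp)
    print("tampering detected:", tamper_is_detected(wire, ek, mk))
```

The point of the two `observe_*` functions is the one the article makes: tunnelling alone only gives the user a link that looks dedicated, it does not hide anything from whoever carries the traffic; confidentiality and integrity come from the cryptographic layer, which is why the tag is checked before any decryption is attempted.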
And two significant initiatives are helping to provide certainty and uniformity for VPN security standards. They are also improving on the Point-to-Point Tunnelling Protocol (PPTP), which was the first effort to create secure encrypted tunnels over the Internet, but which many users criticised as being too weak.
The first initiative, Internet Protocol Security (IPSec), developed by the Internet Engineering Task Force (IETF), is designed to provide industry-standard cryptographic techniques to guarantee authentication, access control, and confidentiality. IPSec's two central elements are Simple Key-Management for Internet Protocols (SKIP) and the Internet Security Association and Key Management Protocol (ISAKMP). IPSec uses Triple Data Encryption Standard and is considered more secure than PPTP.
IPsec is already proven and in use but will continue to evolve, says Michael Boland, a consulting SE with Cis. "The issue is, if I just send packets in clear text across the Internet, it's a public network. If I go through one service provider who gives me a service level agreement, he can guarantee me that the IP addresses that are given are out of his domain, and he manages them, and there's a certain level of security. IPSec basically introduces encryption technologies and authentication technologies."
Hoping to beat the IP Security standard to the punch, an industry-wide coalition of networking vendors, led by RSA Data Security, is working on the complementary S/WAN standard for secure wide area networking. Proponents say S/WAN will be more than just a firewall technology. Rather, it will be able to be implemented in almost any kind of software that uses IP or UDP packets to communicate over the Internet. This is expected to significantly enhance the IPSec protocols by allowing customers to mix and match virtually any firewall, stack and router products into customised configurations. The hope is that this will at last overcome the chronic incompatibility problems that have plagued VPNs to date. S/WAN will employ RSA's RC5 symmetric block cipher, its most advanced algorithm. It will also be compatible with all of the main encryption algorithms.
Microsoft, which is fully supporting IPsec, says users who switch to Windows 2000 will be able to easily set up VPNs with business clients. Microsoft last year teamed with Cisco, Nortel Networks, 3Com, Altiga Networks and Routerware to demonstrate Windows 2000's ability to establish and maintain VPNs over the Internet, based on IPSec standardised encryption.
Analysts say the interoperability of Windows 2000 tunnelling with other vendors' equipment will make it far easier to set up corporate VPNs. And having VPN clients already incorporated on end-user PCs as part of the operating system should greatly ease the burden on network managers who would otherwise have to distribute VPN clients. And there's another benefit to be gained from interoperability - the fact that Windows 2000 shops will be able to set up branch-office VPN connections using Windows 2000 Server, while installing specialised more powerful gateways from other vendors at head office locations.
A virtual private network (VPN) was the obvious answer when the University of Western Australia's Faculties of Economics and Commerce, Education and Law (ECEL) wanted to enhance external access to services. System administrator Tim Viller says ECEL wanted to provide external access to a number of online services, including a library catalogue and course material, which would otherwise have been restricted to people on campus. There are currently about 50 students and staff who regularly dial in via the VPN.
"If the student or a staff member is coming from a non-UWA Internet provider like Big Pond, we can use virtual private networking to make it appear as if they were a local computer so they can access these resources," Viller says. "It was the easiest solution really. To do otherwise would mean getting IP addresses from each individual and then putting them on the system, which is pretty silly. This way all they need to do is e-mail me or someone and ask for VPN access."
While Viller says the VPN was the logical way to go, he concedes there's still a reasonably high administrative overhead in connecting those users. The faculty tries to get around this by providing detailed instructions and screen shots to help people set up access, but still gets phone calls from people who can't relate those screen shots to their own individual systems.
"But the administration load is improving, because once we become more familiar with the problems people encounter we can improve our instructions, and the help desk people can also become more familiar and know pretty much immediately what the problem is from the description the person gives them," he says.
- S Bushell
What to Watch Out For
Before you decide if a VPN is right for you, consider your approach carefully and be prepared to heed the experts' warnings about the need to avoid potential trouble spots. For a start, OzEmail's David Osterland warns you should always use an integrator that understands TCP/IP networking and VPN technology. Then connecting people back to their main office becomes merely an organisational, rather than a functional, issue.
Reliability
Furthermore, while the leading ISPs around the world are starting to overlay quality of service capabilities into their infrastructure to help assure reliability levels and response time, some analysts still warn against using VPNs for mission-critical work like transaction processing or real-time interactive customer applications. "I think enterprises need to be able to have a strong SLA with their ISP that guarantees a level of service and speed and performance and, for that matter, reliability over a VPN. Because the biggest fear that I think IT managers have is of the unknown quantity, that is the ISP. And I think it is a real fear, because I don't think it is that controllable and measurable yet," says Andy Hurt, business development director for 3Com Asia Pacific.
Re-engineer
Independent telecommunications analyst Paul Budde says it's those organisations that have taken the trouble to work out where their information is, whether it is in the right format and how useful it will be to people, that have the strongest chance of succeeding in operating an intranet or VPN. "You most probably will have to re-engineer your business in that respect, so that the sorts of promises and services that are relevant to your e-commerce and e-services are adjusted towards the new environment."
Budde says undergoing this process before approaching a network vendor or ISP will maximise the organisation's chances of setting up a truly effective VPN. Never leave it to the vendor, he says.
Management challenge
3Com's Andy Hurt warns that while the hardware and software security options now available mean you can guarantee you'll get secure access, administering that security remains fairly complex. "It isn't that easy yet; it's not simple to administer just yet, and I think that is probably where the maturity still has some way to go," he says.
"You can make your access secure, you can make your access quite functional and robust; it's purely, I think, now a case of it still being a little bit administrative-hungry. So if people are going to implement VPNs today, they have to be aware that the set-up isn't that simple. You've got to take some time and plan it out first, with not only your hardware vendor but also your software vendor, and the ISP."
- S Bushell