The need for connectivity to the company network outside of the office has increased dramatically in the past several years. As telecommuting and integration of back offices due to the acquisition of other companies become standard procedure for IT departments, there has never been a greater need for remote access to corporate data, E-mail, and applications. In the past, it was possible for companies of all sizes to make this type of visibility available to only executives and top sales people using a low end access server, several phone lines and a modem.
With these executive and sales types just happy to connect for whatever reason, to copy a file or update a database, there was never a question about speed or the cost of this infrastructure. As the Internet continues to dominate our personal life and billions of dollars are spent improving the Internet infrastructure so that it can be used to its greatest potential, speed is the name of the game and everybody wants to connect. This presents new and difficult problems for IT departments at companies of all sizes.
How can an IT group build a scalable solution that is generic enough to solve all of these networking issues: access for mobile users, remote site connectivity, E-commerce with trading partners, and a solid internal structure that leverages investments in infrastructure? Use the Internet. By implementing a Virtual Private Network (VPN), a remote user, site or trading partner can connect to another network through the existing Internet infrastructure. (Figure A)
Using a combination of tunneling, encryption and access controls, VPNs allow users to connect securely to a corporate server located on a corporate LAN using the routing infrastructure provided by a public internetwork (such as the Internet). Tunneling carries the private traffic inside ordinary Internet packets, encryption keeps it confidential while it crosses a network the company does not control, and authentication and access controls decide who is allowed to enter and what they may reach once inside. Connection to the Internet can be made using any combination of access technologies, including T1, frame relay, ISDN, ATM or dial access. To the user, the connection between workstation and server appears as if data were being sent over a private connection. For mobile users, the idea is to gain access to the corporate network over the Internet.
Typically, a user would connect to the Internet by dialing into a local Internet provider and tunnel back through the Internet to the home office. They would then pass through whatever authentication and access control has been established to reach corporate resources. This is very simple compared to the traditional dial-up method, where users dial a local access number or an 800 number that is forwarded to a local number, and calls are terminated on a bank of modems or an access server connected to the network. Not only is the architecture simpler, it is also much cheaper.
It is possible to eliminate long distance access fees and replace them with unlimited $20 a month ISP accounts. Then users connect to corporate by simply placing a call to the ISP’s local point of presence (POP) instead of dialing an 800 number back to the home office. This savings alone should be reason enough for any company with a traveling sales force or remote users to investigate implementing a VPN. Some companies have reported that they cut their telecommunications charges from $1,000 to $2,000 per month with dial access to less than $20 per month using a flat monthly rate ISP service.
Significant cost savings can be realized even when using hourly-rate premium ISP services. The internal IT department can also reduce the costs of supporting remote users. With a VPN, it becomes possible to eliminate modem pools and access servers, along with complaints about busy signals, at least within IT's realm of responsibility. Not only are support costs reduced, but the PRI circuits used for dial-up access, and their associated hardware, can be retired as well.
Another excellent use of VPN technology is site-to-site connectivity. Like remote users, branch offices connect to corporate resources through tunnels over a provider's backbone or the Internet. This solution may save quite a bit of money for smaller companies with low bandwidth requirements such as E-mail or small file transfers, but if more bandwidth-intensive applications arise, it may be necessary to pay for a dedicated circuit to the local ISP using T1, ISDN or ATM.
In some areas, it may even be possible to use cable modem or DSL technologies. Unfortunately, the cost savings may not be that large, because you are still paying for the local loop. Most of the savings would seem to come from committed information rates and service level agreements. It would, however, be possible to reduce communications fees by eliminating a second data connection to the home office.
For example, if an office has one dedicated circuit for corporate traffic and a second for Internet access, the single Internet connection could be used to tunnel back to headquarters for access to corporate data, while the infrastructure at the home office continues to serve the web. Using VPN technology for site-to-site connectivity would allow a branch office with multiple links to eliminate the private data line and ride that traffic over the existing Internet access connection. (Figure B)
The third emerging application for VPNs is extranets. There are many ways to create extranets that do not involve VPN technology. However, VPN-based extranets give IT a single solution that accomplishes many things. The basic idea behind a VPN-based extranet is to use the access-control and authentication services of the VPN implementation to grant or deny customers, trading partners and business associates access to the specific information or applications needed to conduct business.
With a VPN-based extranet, the outside party reaches the corporate firewall by tunneling across the Internet or a service provider's network. Whether, and how far, that party gets behind the firewall is governed by the VPN's access-control services. It is difficult, if not impossible, to attach a dollar figure to the savings realized by using VPN technology to implement extranets. For many companies, VPN-based solutions open up a whole new area of business that was previously not cost effective.
On the other hand, a cost analysis might be possible if the VPN extranet replaces dedicated circuits to trading partners. For example, some companies do business with trading partners using Electronic Data Interchange (EDI). EDI is a set of specifications for ordering, billing, and paying for parts and services over private electronic networks. Becoming popular in the 1980s, mostly in the retail, apparel, and transportation industries, EDI today spans most types of transaction-based business.
It is a fast and dependable way to deliver electronic transactions via computer-to-computer communications. Replacing or upgrading existing EDI solutions, which often require custom software, dedicated circuits and firewalls, with a VPN-based extranet, a web server and web-based applications could reduce costs enough to make an EDI business model affordable for the smallest of companies. One of the most interesting applications still developing in the area of VPNs is their use within the IT shop's own internal infrastructure.
The concept is to use the encryption, authentication and access-control services of a VPN to segment user groups on the corporate network. Users frequently require that their data be kept confidential from other users on the same network. A human resources department may want employees to be able to update hours worked or their 401(k) information, but not to see manager reviews or pay rates. Another example is a sales manager who has access to all sales associates' information, while each associate can access only their own.
IT groups have faced these types of issues for a long time and have used many different methods to solve them. VLANs are one of the most recent. With VLANs, the network can be quickly segmented into logical groups, most often by department or function, so that workers appear to be on their own physical LAN segment. Network administrators assign users to specific groups to grant access to the required segments. One of the biggest problems with VLAN technology is that implementations are proprietary and not compatible across different equipment, or even across different models from the same manufacturer.
Virtual Private Networks can cut across environments with different combinations of manufacturers and models by using tunnels between a user's workstation and a server. The traffic between the two devices is encrypted, which ensures confidentiality, and the tunnel endpoint is authenticated, which ties the access decision to a verified identity rather than to a port or address. VPNs create an environment analogous to physically segmenting users onto distinct LAN segments, much as a VLAN would. One of the most important aspects of these VPN solutions is that none of them excludes the others. Money spent by the IT organization on any of the four applications builds a foundation for the other three.
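As an added example (not code from the original article), the following Python sketch shows the three ingredients named earlier, tunneling, encryption and access control, working together in the internal-segmentation scenario just described: a client wraps an inner packet in an authenticated, encrypted outer datagram, and a gateway verifies the tag, rejects replays, decrypts, and only then applies the HR and sales-style rules (owners read their own records, a manager reads the records of their own department). The cipher construction (an HMAC-SHA256 keystream in counter mode with encrypt-then-MAC), the peer keys, the record directory and the role table are all assumptions constructed for illustration; no real VPN protocol is implemented here.

```python
"""Toy VPN gateway: authenticated, encrypted tunnel plus per-identity access control.

Illustrative construction only (assumption: this is not any real VPN protocol).
Encrypt-then-MAC with separate keys; the keystream is HMAC-SHA256 in counter mode.
"""
import hashlib
import hmac
import json
import struct

# Constructed sample keys. A real deployment derives per-peer keys from a key exchange.
PEER_KEYS = {
    "alice": {"enc": b"A" * 32, "mac": b"B" * 32},
    "bob":   {"enc": b"C" * 32, "mac": b"D" * 32},
}

# Constructed directory of records and the roles used for the access decision.
RECORDS = {
    "hours/alice": {"owner": "alice", "dept": "sales"},
    "hours/bob":   {"owner": "bob",   "dept": "sales"},
    "reviews/bob": {"owner": "hr",    "dept": "hr"},
}
ROLES = {"alice": ("sales", "manager"), "bob": ("sales", "associate")}

HEADER_LEN = 24   # 16-byte peer id + 8-byte sequence number (used as the nonce)
TAG_LEN = 32      # HMAC-SHA256


def _keystream(key, nonce, length):
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to length."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encapsulate(peer, seq, inner):
    """Client side: tunnel an inner packet (a dict) inside an authenticated, encrypted datagram."""
    keys = PEER_KEYS[peer]
    nonce = struct.pack(">Q", seq)
    plaintext = json.dumps(inner).encode()
    ciphertext = _xor(plaintext, _keystream(keys["enc"], nonce, len(plaintext)))
    header = peer.encode().ljust(16, b"\0") + nonce
    tag = hmac.new(keys["mac"], header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


class Gateway:
    def __init__(self):
        self.last_seq = {}   # anti-replay state, simplified to "strictly increasing per peer"

    def decapsulate(self, datagram):
        header, body = datagram[:HEADER_LEN], datagram[HEADER_LEN:]
        peer = header[:16].rstrip(b"\0").decode()
        seq = struct.unpack(">Q", header[16:24])[0]
        keys = PEER_KEYS.get(peer)
        if keys is None:
            return None, "unknown peer"
        ciphertext, tag = body[:-TAG_LEN], body[-TAG_LEN:]
        expected = hmac.new(keys["mac"], header + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # authenticate before anything else
            return None, "bad mac"
        if seq <= self.last_seq.get(peer, -1):       # only authenticated packets advance state
            return None, "replay"
        self.last_seq[peer] = seq
        plaintext = _xor(ciphertext, _keystream(keys["enc"], header[16:24], len(ciphertext)))
        return (peer, json.loads(plaintext)), "ok"

    def authorize(self, identity, record_name):
        """Owner may read own record; a manager may read records of their own department."""
        rec = RECORDS.get(record_name)
        if rec is None:
            return False
        if rec["owner"] == identity:
            return True
        dept, role = ROLES.get(identity, (None, None))
        return role == "manager" and rec["dept"] == dept

    def handle(self, datagram):
        """Returns 'allowed', 'denied', or the reason the datagram was dropped."""
        result, status = self.decapsulate(datagram)
        if result is None:
            return status
        peer, inner = result
        return "allowed" if self.authorize(peer, inner["record"]) else "denied"


if __name__ == "__main__":
    gw = Gateway()
    print(gw.handle(encapsulate("bob", 1, {"record": "hours/bob"})))     # allowed
    print(gw.handle(encapsulate("bob", 2, {"record": "reviews/bob"})))   # denied
```

The identity used for the access decision is the peer whose MAC key verified the datagram, never a name carried inside the tunneled packet, and the replay check runs only after the tag has been verified so that forged packets cannot disturb the sequence state. A production gateway would use an AEAD cipher and keys negotiated by a key exchange instead of this hand-rolled construction.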
A company could begin building a VPN infrastructure to solve an immediate problem of limited access for remote users, such as an overworked or over-subscribed Network Access Server (NAS). As the sales force grows, it would then be possible to place those people in remote locations and connect those sites back to corporate using the same equipment. If the growth continues and departments such as Human Resources and Finance decentralize like the sales force, the same VPN infrastructure can be used to segment traffic from those departments.
The same infrastructure can also serve secure online ordering information to customers. With the corporate culture what it is today, E-commerce, telecommuting, increased travel and decentralization of operations, remote access is needed now more than ever. VPNs offer a way to keep costs in check. Recurring communications charges can be reduced by using the relatively inexpensive bandwidth of the Internet or a service provider's network to connect a user to a corporate network or to carry traffic between sites.
For dial-up access, the basic idea is to replace the long distance phone call to the company with a local call into a service provider's POP. Gartner Group reports that 90% of enterprises will use Virtual Private Network (VPN) services by the year 2002, and that every year extranets will save companies $1,000 per user, or $5M for the average large company. Another way VPNs can save communications costs, and possibly cut management costs, is by reducing the amount of access gear required.
In the dial-access scenario, a company would typically have one or more dedicated T1 lines connected to a remote-access server that are used only by dial-access users entering the company network. Additionally, the company would have a high-speed Internet access line. If all of the dial-access users switched from direct dial to VPN access, the T1 lines dedicated to dial access, and their recurring cost, could be eliminated, since users would enter the network over the existing high-speed Internet access lines.
Moving all users to VPN access also eliminates the need for a remote-access server. With that piece of equipment removed, the person responsible for managing it has more time for other duties. Similar savings can occur in site-to-site connectivity scenarios. Many sites have multiple access lines, one for traditional data connections and another for Internet access. If branch offices are linked to corporate headquarters over a VPN connection, it might be possible to reduce the number of traditional data lines company-wide, and WAN access equipment could be consolidated.