Virtual Private Networks, Part 4: Turn-key solutions

In past columns you’ve seen what a Virtual Private Network (VPN) is, how to use Windows NT to set up a simple VPN, and the protocols used by VPNs. As mentioned in the second column (all columns in the series are available from my Web site), the Windows NT setup for VPNs works well in smallish setups, such as when you need to connect two LANs together over the Internet at reasonable traffic volumes, or when you are connecting into the office network from home or a hotel room. What about scaling up to a more volume-intensive VPN? What about connecting multiple LANs together with high volumes between the connections? That’s where this column comes in.

You’ve really got three choices: go with a built-in solution like Windows NT VPN, or employ one of the growing number of VPN-specific solution packages on the market, which themselves come in two forms. We’ll look at the packaged solutions here, since they offer an almost turn-key VPN setup that minimizes the hassles a VAR has to go through (as well as simplifying the life of the customer). The two forms are these: use a service provider, or go stand-alone. A VPN service provider is much like an ISP in that it manages the details of the connections for you, using a network operations center to control the VPN and to provide security and traffic management from that center. A stand-alone solution eliminates the service provider and lets the customer install and manage the VPN equipment themselves.

Using a service provider has the advantage of most outsourcing projects: the hassles and costs of setting up and managing the VPN systems are reduced to a monthly service fee. The disadvantages are that you have no direct control of the equipment and that you are trusting the service provider to, well, provide the service. Keeping everything in-house gives you full control of the system, but adds up-front hardware and software costs and requires people to manage it.

A good part of the decision whether to use a service provider or run stand-alone depends on the scale of the VPN. If the customer is not sure how many sessions they need, scalability becomes important. There’s no sense buying many more VPN ports than they need, but buying just enough for now and then having to replace everything with a larger system in a few months is also a waste of money. Using a service provider allows you to scale the number of ports up or down (all at some cost, of course) until the right number is found, but many service providers require lengthy contracts and have significant fees associated with changes or drops in service plans. For stand-alone systems, a scalable solution makes sense: a customer can start with a few VPN ports and then add more to the same equipment rack as need grows, preferably without replacing any existing equipment.

One quick warning: there have been many complaints about service providers not delivering the features and performance they claim to offer. If a service provider looks like the best way to go, make sure you check for complaints and other grumblings with Usenet newsgroups, user groups, and other clients. It’s a good idea to ask a prospective service provider for a list of customers that fall in the same size and budget range as the VPN you’re looking at and to follow up with the references. Talk to the references about any slowdowns, poor technical support, inaccessibility from some sites, and anything else that is important. Always have the service provider contract examined by proper legal help: there have been many stories of customers getting on the hook for long terms and services they didn’t realize they were committing to at the time. Finally, try to find some ex-customers (a posting on a Usenet newsgroup is often a good way) and talk to some people who left. Find out why they left. There are some very reputable service providers for VPNs out there. There are also some really bad ones. Identify which category your prospective supplier falls into!

Finally, as a lead-in to the next column, one of the better stand-alone VPN systems is from Nortel Networks. They offer the Extranet Switch series, including the Contivity Extranet Switch (originally developed by Bay Networks), which provides scalable VPN support as well as other services. The Contivity Extranet Switch combines a router, firewall, traffic management and tunneling system in one box. The key feature of the Contivity Extranet Switch, at least to my mind, is the ease with which it can be installed and configured for VPN use. An HTML GUI lets you add IP addresses and up to three PPTP tunnel sessions, then a step-by-step wizard guides you through the setup for each of the sessions. A QuickStart system lets you implement a basic VPN in a few minutes. Of all the VPN systems I’ve seen and used, this has one of the least technical and fastest setup routines. It’s ideal for a VAR who’s not sure of the esoteric stuff, as well as for a customer who doesn’t want to know anything more than "does it work?". You can get more information about the Contivity Extranet Switch from the web site