Virtual Private Networks, Part 7: VPN ISPs

In the last column we looked at what you should consider when you are going to outsource your VPN setup and configuration to a third party, much like an ISP. We should briefly touch on a few of the larger companies that provide these services both here in Canada and internationally.

One of the best known providers is AT&T WorldNet. Since WorldNet started providing VPN services in 1997 it has quickly grown and provides several attractive features such as a plethora of POPs and toll-free dial-in access. WorldNet has access in over 35 countries at the moment, all with dial-in or ISDN provisions for reasonable performance. WorldNet provides customers with a firewalled server (you can manage the firewall or let AT&T do it for you). There’s a wide variety of optional equipment and different service plans available from WorldNet, but they do offer a very good service guarantee and reasonable prices.

MCI (now a part of giant Worldcom) offers a VPN service called InternetMCI VPN (the name may change due to a reorganization of the lines of business). InternetMCI provides a firewalled server in the customer’s site, with access to the firewall through MCI’s network. As with AT&T, you can manage the server or let MCI do it for you. Although configurations may have changed, when I last checked, InternetMCI didn’t have as many countries or toll-free lines available as AT&T WorldNet, although their rates did seem lower.

One of the veterans of the ISP business, UUNET (now part of Worldcom, too) also offers VPN capabilities through its ExtraLink service. Instead of using firewalled servers like WorldNet and InternetMCI, UUNET uses encrypting routers (which lowers the costs and eases management tasks). The only real flaw in the UUNET ExtraLink system I could discern was its use of Cisco routers with only 56-bit encryption. This would be easier for a hacker to crack than the encryption systems used by the other two companies mentioned. UUNET does guarantee a higher availability than WorldNet or InternetMCI, although the penalties for failing to meet the guarantee are only a 25% refund of some charges.

Finally, the granddaddy of the VPN business is ANS (Advanced Network Services). ANS has been providing VPN-like services for years, even before they were thought of as VPNs. Their Virtual Private Data Network (VPDN) uses proprietary tunneling protocols and encryption algorithms, all managed from the ANS headquarters in Michigan. VPDN has 128-bit encryption, which makes it secure, and the company has the best latency guarantee of any VPN vendor I checked (in fact, they offer a latency of half the others). Although ANS has adopted commercial VPN standards now, they do allow you to choose the system that will best meet your needs. ANS is notable for the speed with which they can have your VPN up and running, too.

Rather than continue on for many more columns about VPN, we’ll bring this part of the Advanced Network Help Desk series to a close with a few observations. (If you want more information about VPNs, there are some excellent books on the subject available through your local computer bookstore or on-line. Or you could wait and buy my up-coming book on the subject!)

The primary advantage of VPNs is the ability to provide network access to employees and contractors from anywhere, including their homes and hotel rooms. The convenience of VPNs has to be tempered with two observations, though. The first has to do with security. Networks that are accessible by VPN have the inherent problem that others can hack into them. Paying special attention to security and firewall servers is important, and cannot be overstated. Installing a VPN instead of dial-in modems can in many ways be a bigger security hole.

The second observation about VPNs has to do with their relative youth. VPNs are still only a couple of years old, and the standards, techniques, and procedures are still maturing. You could sink a tremendous amount of money into a VPN system that will be obsoleted by newer, safer, faster technology in a couple of years. That’s one of the advantages of outsourcing the VPN system: it’s someone else’s problem to keep up with technology.

The debate about outsourcing versus installing your own VPN is not easy to resolve. For smaller companies, it is quite easy to modify existing servers to handle VPN systems, especially if Windows NT is the operating system and Windows 95/98 clients are the primary users. For larger, heterogeneous networks, though, the choices become less clear and dedicated equipment becomes very expensive. Outsourcing can be sensible, but beware of service agreements that provide for long terms, poor responses, or no upgrades in case of new standards.

Are VPNs worth the effort for most companies? Most definitely. They are expensive and come with provisos, though, and you should understand the field before jumping in blindly. A complete set of this series on VPNs is available at the Web site. Next column, we tackle a whole new subject!