The how, what, and when of VPN: You asked the questions, we found the answers

How reliable are VPNs? When should you use them? We posed your questions to Gartner VPN security specialist John Pescatore. Here's what he had to say.


TechRepublic member Lee Morrison has a problem.

His company needs to securely connect five remote offices so they can transmit binary data each day for centralized processing. He also needs to perform remote debugging.

Will VPN technology work for him?

We turned to John Pescatore, a Gartner analyst who specializes in VPNs, and asked him this and other VPN questions sent by TechRepublic members. We received enough questions for a two-part series on VPNs.

Sponsored by
NetScreen is the exclusive sponsor of TechRepublic's special series on VPNs and Firewalls. For more information, check out TechRepublic's VPN and Firewall Center, or visit NetScreen's website.

In this first article, Pescatore discusses how VPNs work and whether this technology is reliable. He also explains when you should—and should not—use them.

Come back tomorrow for the second installment, in which Pescatore answers your VPN security questions.

Technology overview
TechRepublic: Can you briefly explain how VPN technology works?
Pescatore: In the pre-Internet days, we used the term “virtual private network” to mean you worked for a big company, and on the telephone you could dial just five digits and reach any of your coworkers anywhere in the world. It had nothing to do with security; it was really just an addressing thing.
What we mean today by VPN is that it’s essentially an encrypted tunnel carrying communications over an unsafe network.
There are basically two types of VPNs. The first type we call remote access. It typically involves employees working on their PCs from home or a hotel room and connecting to the enterprise. So it’s their PCs to a server. You have VPN software or hardware on each PC, and at the enterprise, you have a VPN server.
Another type is the wide area network (WAN) replacement VPN. In the old days, GartnerGroup in Stamford, CT, and GartnerGroup in San Jose, CA, might have connected their two networks using leased lines or frame relay or whatever. Today, we can do that over the Internet with a WAN replacement VPN or a site-to-site VPN.

[Figure: Remote access VPN]

TechRepublic: How do they differ in terms of technology?
Pescatore: The major difference is that a WAN replacement VPN is server-to-server, so there’s no PC involved. The second thing is that generally, on the WAN replacement side, you might have 10 or 15 nodes. Everybody’s connected to everybody else in a mesh type network.
With remote access VPN, you might have hundreds or thousands of nodes, all those employees, but it’s very much many-to-one. It’s all of them back to one server, maybe two servers, so it’s a many-to-one kind of connectivity, and it’s server-to-PC versus server-to-server.

[Figure: WAN replacement VPN]

Reliability and performance
TechRepublic: How reliable are VPN connections?
Pescatore: That’s the major downside of VPNs. They use the Internet instead of dedicated telephone lines, so reliability and performance are no better than the reliability and performance of the Internet. And they’re no better than the reliability and performance of the ISP you’re using and the ISP your company’s using.
So if you’re on the VPN and all of a sudden everybody starts downloading the Monica Lewinsky transcripts or there’s a new video of Madonna’s wedding and everybody’s downloading that, and the Internet starts taking performance hits, your VPN performance is affected.

TechRepublic: With the ISP, some people have experienced problems connecting—like not being able to connect through America Online. Is that still the case?
Pescatore: Yes. You run into some problems with things like AOL. We’ve found that cable service providers today like Comcast have started changing their terms of service to prohibit VPN use.

TechRepublic: Why are they doing that?
Pescatore: Two reasons. One is that VPN users tend to leave the connection on all day, and they’re tying up some of the service provider’s bandwidth.
The other thing is that in cable service, they need to limit how much bandwidth you’re using, and they can’t do it when you’re encrypting everything. They’re also worried that millions of users will start using VPNs and totally evade detection when they’re trading pirated software and pornography and stuff.

TechRepublic: Do you think that approach will stand?
Pescatore: We’ve published some FirstTakes chastising Comcast for this prohibition because [it also compromises] legitimate use. Say a battered women’s shelter wants to let women log in with a secured connection; that would be not allowed. [Editor’s note: FirstTakes are Gartner’s initial, "first take" analyses of late-breaking industry events.] I don’t think those prohibitions will stand; they won’t be around three years from now.

VPN viability
TechRepublic: Are there circumstances when VPN technology is the best solution and circumstances when it is not a good idea?
Pescatore: Where it’s not a good idea is with performance- or latency-sensitive applications. For example, when you’re checking your e-mail, if it takes one second to download one message one time and 10 seconds the next one, it might be annoying, but that’s still okay; you’re still going to be able to read your e-mail. But anything that’s either trying to operate in real time or is sensitive to throughput and latency—ERP application transactions, processing applications—is not a good candidate to run over VPN.

TechRepublic: Does it make a difference whether you’re running a remote access VPN or a WAN replacement VPN?
Pescatore: No, same thing. The WAN replacement VPNs are really the ones to think about what applications will run over it, because there’s a lot of application-to-application communication going on WAN replacement VPNs.
There are two kinds of killer apps for VPNs. The first is replacing employee dial-up with Internet-based access. What we find is that a company with 1,000 remote employees who use dial-up and who use a North American 800 number service to connect anywhere (which most companies do these days) might typically be spending seven cents a minute on that 800 number access, which is $4.20 an hour.
A thousand employees, that’s $4,000 per hour. If you end up with 1,000 employees each using 100 hours per month—which isn’t a large number for many companies—you’re looking at $400,000 a month in 800 number charges. So you can easily drop that down by half if you move to Internet-based remote access.
The second problem is intranet access, where companies have large intranets spread across, say, the United States, and they’re using leased lines or satellite connections or frame relay to connect San Francisco to Connecticut to Detroit to Dallas, just so that an employee sitting at a Web browser on the corporate network anywhere can access any of the servers. That’s another area where companies can save a lot of money.
TechRepublic: A lot of readers sent us scenarios explaining how they planned to use VPNs. For instance, Lee Morrison wants to use VPN technology to link LANs in five satellite offices so the company can transmit binary data (one to 20 gigabytes per day) that needs to be centrally processed, as well as to support remote debugging. Is this a good use of the technology?
Pescatore: Yes, if it’s file transfer, typically it’s not a real latency-sensitive thing. Large file transfer is a good use.

TechRepublic: Would the VPN be enough or would he need additional special hardware/software at each office?
Pescatore: No, a VPN using encrypting routers or VPN servers would do the trick.

TechRepublic: What about the remote debugging?
Pescatore: They could do that, if by remote debugging they mean they need to secure Telnet to a machine. There are two ways to do it. One, you could use that site-to-site VPN; that would be like logically connecting the two networks. Another way to do that is to use a secure Telnet kind of client like SSH, which is probably the most popular one, by F-Secure.

TechRepublic: TechRepublic member Andrew Frisbie notes that each vendor uses a different IPSec configuration, with Checkpoint being the only vendor he knows of that provides documentation on how to connect to a Nortel device. Frisbie wants to know if there will ever be a standard IPSec configuration.
Pescatore: Right now there’s the IPSec standard that every vendor implements, but their solutions don’t interoperate out of the box today. There’s a lot of interoperability testing going on between Checkpoint and Nortel and Cisco and SonicWall and so on, so there are many combinations of vendor products that do work. But as far as everyone interoperating with everyone else, we’re probably still looking at a year from now, first quarter of 2002, before I’d say you have good certainty that IPSec implementations from two different vendors will interoperate.