Virtual private networking (VPN) is a hot topic in the field of information system networking. But there seems to be confusion about just what a VPN is, and many use the term to describe a myriad of networking technologies and configurations. Those that have adopted virtual private networking have realized savings over their traditional leased line circuits, but many others still find the technology lacking in the areas of security and quality of service and are hesitant to replace their current networking methods. This report reviews the different types of VPN, the motivation behind its acceptance, the advantages, the concerns about its shortcomings, case studies of those who have accepted the technology, and a look at the business case for its use.
The ways in which we do business are changing. Telecommuting is growing and the number of mobile workers is growing, both resulting in an increase in the number of employees accessing corporate networks remotely. It is estimated that by 2001, there will be 62 million remote access users worldwide (User Plans for VPN Products and Services, April 1998). In addition, our marketplace is becoming increasingly global and competitive. Companies are becoming global enterprises communicating with branch offices, customers, and suppliers around the world. Traditional remote access solutions, such as dial-up modem lines, may not be able to support this growth, especially in an economical and manageable way.
Currently, most companies utilize the Internet to provide information to customers, employees, and associates via e-mail. However, in a marketplace that is becoming increasingly global and competitive, the Internet has begun to be viewed not only as a way to address the spiraling costs and management complexities of traditional remote access, but as a global infrastructure to support a competitive edge. A fairly new technology called Virtual Private Networking (VPN) has been touted as a solution that takes advantage of the Internet to address these issues. The Internet replaces the traditional leased line connection, ATM, or frame relay services and uses service provider IP backbones. Instead of dialing in long-distance, the user makes a local Internet call.
Is VPN the answer to containing costs, simplifying network management, and supplementing a competitive edge? The purpose of this study is to explore the technical and business aspects of the technology; particularly how it is used, who is using it, what benefits are gained, what business issues are addressed, and the implications of its use.
The global economy has created corporations with branch offices scattered around the country and the world connected by wide area networks (WANs). Field personnel are using remote access to take advantage of corporate network resources. Suppliers are using intranets and extranets to strengthen relationships with their customers. Various technologies are connecting users to the office, some of which are fairly new, and some that vendors are merging with the technology of the VPN to mitigate some of the concerns companies have about using VPN. The following provides an overview of various communications technologies currently in use and an introduction to VPN.
Dialed Circuit Services
Dialed circuit services are a common type of WAN connection. This type of connection uses the telephone network, an analog transmission. Users lease the telephone lines of a common carrier's network, dial the telephone number of the destination computer, and transfer data using a modem. Dialed circuit services may use different circuit paths each time the number is dialed. Charges for direct dialing are based on distance between the two telephones and the number of minutes the connection is used. Data transmission rate is fairly low at about 28.8 Kbps to 56 Kbps (Fitzgerald and Dennis, 1998).
Dedicated Circuit Services
An alternative to using dialed circuit services is a private dedicated circuit leased from the common carrier for exclusive use 24 hours a day, 7 days a week for a flat monthly fee. All connections are point-to-point, which makes changes expensive due to required rewiring. T-carrier circuits (digital transmission) are the most common form of dedicated circuit services in North America. T-1 through T-4 circuits provide a data rate ranging from 64 Kbps to 274 Mbps.
DSL (digital subscriber line) offers an improved data rate using voice telephone circuits. It operates through the local loop cable from the carrier's end office to the customer's telephone. A DSL network interface is placed at the carrier's end office and at the customer's office. The end office DSL device is connected by a high-speed digital line to the carrier's network using another service such as T-carrier (Fitzgerald et al., 1998).
Using dedicated circuit services requires understanding data transmission patterns in your network to carefully plan for all the circuits you need. Adding new applications or building new network connections can be a challenge (Fitzgerald et al., 1998).
Circuit-switched Services
Circuit-switched services offer other alternatives that allow you to buy a connection into the common carrier's network from the end points of the WAN without specifying the circuits you need. Costs include a monthly fee, plus charges based on the amount of time the circuits are used. The most common circuit-switched service is ISDN (integrated services digital network), which combines voice, video, and data over the same circuit. Narrowband ISDN has been available since the late 1970s, but has not been widely adopted. Acceptance has been slowed due to a lack of standards and interest from common carriers. Equipment vendors and common carriers have conflicting interpretations of the ISDN standards, and equipment from different vendors may not be compatible with other equipment or with a common carrier's ISDN line (Fitzgerald et al., 1998). Broadband ISDN, a second-generation ISDN, uses ATM, a packet-switched service, to move data. B-ISDN encapsulates the users' data packets in ATM cells and moves them through an ATM network (Fitzgerald et al., 1998).
Packet-switched Services
Packet-switched services, such as ATM, enable multiple connections between computers simultaneously. The user buys a connection to the common carrier network for a fixed fee, plus a fee for the number of packets transmitted. No error control is performed at intermediate computers in the network; the source and destination are responsible for error control. For this reason, ATM is considered an unreliable packet service.
Frame relay is a newer packet-switching technology that also does not perform error control. Different carriers offer frame relay at various transmission speeds. Frame relay uses two connection data rates that are negotiated for each virtual circuit. The committed information rate (CIR) is the rate that the circuit must guarantee to transmit. The maximum allowable rate (MAR) is the maximum data rate that the frame relay network will attempt to provide above the CIR. Carriers offer frame relay at CIR speeds from 56 Kbps to 45 Mbps. Frame relay also suffers from a lack of standards. Consequently, not all common carriers provide the service the same way, and some networks cannot communicate with other networks (Fitzgerald et al., 1998).
Virtual Private Network (VPN)
A clear definition of the virtual private network in the marketplace has not surfaced and different people use the term, VPN, to describe different sets of technologies. But, the most common and simplified definition of VPN is a private network constructed within a public network infrastructure, such as the Internet. VPN uses a technique called "tunneling" to send packets across shared networks using protocols, such as Internet Protocol Security (IPSec), that produce private tunnels, simulating a point-to-point connection across the network and appearing to the user as a private network (Robinson, 1999). The VPN solution generally includes authentication, encryption, a method of controlling access privileges, and management software.
VPNs are ideal for connecting widely distributed environments around the country or around the world. The primary attractiveness of VPN is that Internet access is relatively inexpensive compared to the cost of leasing dedicated circuits, circuit-switched services, or packet-switched services from a common carrier. Private network environments where the infrastructure, addressing scheme, management, and services are dedicated to a closed set of subscribers carry the associated costs of the network switching infrastructure, trained staff to manage it, and providing on-going maintenance (Ferguson and Huston, 1998). Some say VPNs deliver savings of 30 to 70 percent over traditional remote access solutions (http://www.telechoice.com/). Economies of scale can be realized with the underlying common host communications system (Ferguson, 1998). In addition to this, VPNs offer simplified maintenance and ease of adding or modifying user accounts. Forrester Research Inc. surveyed IT professionals at 50 companies on the question: "Why are you considering VPNs?" Of five reasons provided, more than 40 percent of respondents cited outsourcing remote access, followed by reducing costs at 30 percent (Hicks and Neil, 1999, 77). The following chart summarizes the survey results.
Figure 1. Top VPN Implementation Reasons
Source: Forrester Research Inc.
While many companies have reaped the advantages of VPNs, many others are slow to adopt the technology. Figure 2 relates how the same respondents cited their concerns regarding VPNs:
Figure 2: Concerns with VPNs
Source: Forrester Research Inc.
Security and quality of service (QoS) are valid concerns when dealing with the Internet. Using dedicated leased circuits, a private network can establish fixed resource levels available to it under all conditions (Ferguson, 1999). But, the Internet can be unreliable. However, several companies who have implemented VPNs are applying pressure on ISPs to guarantee minimum service levels (Neil et al. 1999). Some companies, such as PMI Mortgage Insurance, choose to use more than one service provider to boost reliability (Wallace, 1999).
Although VPN technology is fairly new, it is a hot technology and an abundance of information can be found on the subject. VPN has been a popular topic in many information technology trade magazines such as Network World, PC Week, Internet Week, Windows NT Systems, Computer World, and others. These magazines and Internet searches have been a rich source of current information about VPNs. Internet searches through Yahoo.com and AltaVista using the keyword VPN were employed in the research. Yahoo yielded 36 hits related to virtual private networks out of 41 hits. AltaVista provided 232,290 hits for web pages including the keyword VPN. Many of these were vendor related. A Web-based subscription service through Network World provided daily up-to-date breaking news on VPNs. An average of three articles was received on a weekly basis. Additional links were also provided with the subscription service, which yielded www.vpdn.com, a site provided by TeleChoice, a consultancy firm. As additional links were visited, other links at these sites were browsed. Research and education organizations for system administrators, security professionals, and network administrators, such as SANS and the Computer Security Institute (CSI), were also consulted through their Web sites. I registered for a free online seminar presented by TeleChoice regarding VPNs. Published case studies of companies that have implemented VPNs were also included in the research.
Analysis of information took into consideration:
- Source: academic, IS periodical, vendor, user testimony
- Credibility: educational and/or experience level of author
- Timeliness
- Consensus of opinion revealed by literature
Vendor sources were not discounted, but their intent to sell a product or service was kept in mind. Timeliness was considered due to the fast rate of change in technology today and because VPN technology seems to be in an evolving state where different "flavors" of VPNs are developing.
One in five companies currently has a VPN (Laberis, 1999). A TeleChoice study on VPNs found that over 30% of businesses with WANs plan to implement or pilot a new VPN sometime next year. Those users who already have a VPN in place plan on adding more users, adding bandwidth, and adding partners through extranets. Some of the most common goals of those companies implementing VPNs include:
- Increase productivity
- Improve communications
- Decrease IT costs
- Streamline business processes
- Improve employee satisfaction
- Connect remote users to systems
- Connect remote users to networks
- Connect remote sites to WANs
- Connect business partners together
Case Studies
Companies and institutions of various sizes have implemented VPNs and others are planning to implement a VPN in the near future. The general motivation behind their adoption of VPNs is reduction of rising costs with remote access. Some see virtual private networking as forward-looking technology and want to prepare themselves for the future.
University of Pennsylvania
The demand for remote access to the University of Pennsylvania's campus enterprise network has grown so significantly that the school plans to start weaning users over to an outsourced VPN by 2002. The school currently supports a 1,100-modem direct-dial network and problems such as rising costs, aging equipment, and the lack of adequate bandwidth has prompted its decision. Funding for the remote access has come from a port fee that users pay to connect their PCs directly into the on-campus Ethernet network. Users don't pay direct fees to access the remote access service and there is no chargeback system to assess departments for their network usage. To replace the dial-up, Penn is setting up an alliance of ISPs that will tunnel traffic to the school network and users will buy an Internet account with a participating ISP. Part of the specifications will have the ISPs directly route traffic over the ISPs private backbones without sending it over the Internet (Greene, Oct. 11, 1999).
Arthur Andersen
Arthur Andersen has 382 offices around the world and a variety of leased private connections making a tangled web of its network. About 17 months ago, 17 of Andersen's sites were connected to an outsourced VPN with two ISPs. The ISPs are responsible for keeping the backbone up and rerouting around any downed lines. Only short-run T-1 or T-3 connections between each local office's VPN and the ISP remain in-house. The company expects savings of 34 percent per year from switching from ATM and frame relay connections. To address quality of service concerns, Andersen has also negotiated tough service level guarantees from the ISPs. The firm also uses a suite of security applications to control encryption and authentication. Andersen sees its VPN implementation as successful and plans to add 47 more sites next year and switch over the remaining offices as needed (Vaas, 1999, 68).
Perot Systems Corporation
Perot Systems Corporation, with 6,000 employees and 20 remote sites worldwide, plans to move its entire company from frame relay on private leased lines to an Internet VPN. Currently, five sites and about 400 users are using the VPN. A staff of twelve is handling the deployment of the VPN infrastructure. The motivation behind the change is the high cost of leased lines and security. But the company is not ready to support mission-critical applications on the VPN because they see the technology as developing and to effectively run an enterprise-level VPN requires some additional advancement in the technology. Perot Systems hopes to put voice over IP onto the VPN but as yet does not see it possible due to quality of service issues (Chen, 1999, 70).
Reinsurance Group of America, Inc.
Reinsurance Group of America lacked a corporate network and chose to go directly to a VPN for all its applications. The company goal was not to reduce costs from leased lines or frame relay, but to choose a forward-looking technology that could grow with the company and be managed centrally. RGA has a site-to-site VPN connecting its 400 employees in 15 locations around the world. The company built their own VPN due to trouble in finding a single global provider that could meet its pricing and reliability needs. RGA contracts about eight ISPs worldwide for Internet access. Management of the VPN using management software for configuring new sites is done by a team of four located in St. Louis. Other IT managers use management software to manage backups and user account changes (Hicks, 1999, 73).
Automotive Network Exchange (ANX)
ANX has been the U.S. auto industry's high-security IP network for sharing data among 160 trading partners for about a year. The ANX was designed to offer many advantages of VPNs and private networks. ANX has outsourced operations and administration of the VPN and trading partners are able to gain access to the network through a choice of five ISPs using IPSec standard products. The ISPs provide service over IP networks that are physically separate from the Internet and since it is a high-volume shared network it can offer much lower prices than can private networks. The biggest problem faced has been the slow pace of security standards development. ANX expected vendors to be quick in going to IPSec and early trading partners had few IPSec-compliant (and interoperable) products from which to choose. Additionally, ANX services still cost two to three times what Internet-based services cost (Moad, 1999, 74).
National Distributors, Inc.
National Distributors, Inc. is an organization of 100 employees located at the Sellersburg, Indiana headquarters and 7 terminal sites located in Kentucky, Michigan, South Carolina, Texas, and California. A personal interview with Troy Powers revealed that the company's VPN implementation has been successful. National Distributors' VPN uses the Internet as a backbone and PPTP as the transport protocol. Prior to the VPN, users accessed the internal network via POTS (plain old telephone service). The company also plans to implement a frame relay network to subsidize the Texas and California locations. Implementation of the Internet VPN was done with in-house expertise, and the frame relay implementation is using an outside vendor. Most of the networking structure, a T-1 line and firewall, was in place, and some equipment, such as a PPTP server and Microsoft's NT 4.0 with RRAS (Routing and Remote Access Services), was added. The most important concerns with VPN implementation for the company were manageability and user friendliness. Due to the nature of their business, security was a lesser concern. The company was able to address remote connectivity issues such as faster, more reliable access and lower long-distance costs. National Distributors' VPN has been in use for about 7 months and they are saving approximately $1,500 per month. The estimated payback period is about two months per location. Problems since implementation have been minor, mostly connection troubles and configuration issues, and the company sees the overall success rate of the VPN implementation as 95%.
Benefits - Savings over Traditional Technologies
The savings that many companies are achieving by migration of remote access have popularized VPNs. Vijay Ahuja, Senior Manager of Electronic Commerce at Ernst & Young LLP, evaluated costs and savings incurred with VPNs versus conventional leased lines. He finds that, as long as the network sustains moderate usage, savings can be gained with VPNs. Ahuja estimated the costs of a scenario with remote dial-up access for 25 remote sales offices into a central server.
The dial-up access for 25 remote sales offices with the VPN setup required:
Other cost comparisons provided by Eric Zines, a Senior VPN Consultant for TeleChoice, find managed VPN services less expensive than some traditional technologies. The data was gathered by TeleChoice, a consultancy firm for the telecommunications industry supporting service providers and equipment vendors. The example is based on a 15-node network, one of which is a headquarters location, and assumed that this main site would require a T-1 line and the remote sites would use 56K circuits. The private line costs assume a 500-mile distance and a "wagon wheel" network configuration. Frame relay costs assume a "wagon wheel" configuration also. Installation charges are not reflected but apply in all three scenarios. The following chart summarizes the costs for implementing a new WAN based on leased lines, frame relay, and managed VPN services (Zines, 1999).
Table 1
WAN Price Comparison Based on Industry Midpoint Pricing
|                            | Leased Lines | Frame Relay | Managed VPN |
|----------------------------|--------------|-------------|-------------|
| Monthly Line Charges       | $18,530      | $9,642      | $12,245**   |
| CPE Monthly Management Fee | 3,300        | 3,300       | N/A or $0   |
| Total Monthly Cost         | 21,830       | 12,942      | 12,245      |
| One-time Equipment Cost    | 33,950       | 33,950      | 0           |
| First Year Cost            | $295,910     | $189,254    | $146,940    |
Zines' data shows the managed VPN significantly less expensive than the leased line solution, but little difference from the frame relay. It is important to note that these figures are estimations and that depending on the company's needs regarding the configuration, number of users or sites connected, and the amount of use or data transmitted, that a particular solution may or may not be cost-effective. Also, it is worthwhile to note that the source of this information is a consultancy firm that supports service providers and equipment vendors.
Security
According to Scott Bradner, a consultant with Harvard University's University Information Systems, "almost by definition, computer networks cannot be, in themselves, secure. The aim of computer networks is to facilitate access to computer-based resources…they transport information from one place to another…with [users] somewhere along the line" (Bradner, 1999).
Protecting a network from Internet intruders involves the use of firewalls, generally the first line of defense, acting as gatekeepers between the Internet and a company's intranet. A firewall is a software program that can work as a message packet filter running on a hardware device, such as a router, examining the source address and destination address of every packet of data going in or out of the company's network. Some firewalls look for a cryptographic authenticator that verifies that an incoming file or program is coming from a trusted address. Cryptographic software generates a public key and a private key. The private key is encrypted and kept on the computer's hard drive and the public key is made known to those people with whom the user wants to communicate. The private key is used to create a digital signature that accompanies the sender's message. A certification authority, an organization that stores public keys in a database, verifies the digital signature and issues a digital certificate including the public key. The public key is used to decrypt the digital signature. This sophisticated cryptography is the underlying scheme of Public-Key Infrastructure (PKI) (Larsen, 1999, 56).
While many companies are concerned about the security of VPNs, compared to remote access servers, VPNs can provide levels of protection equal to or better than those of remote access server systems. Traditional remote access systems use password and callback techniques. In contrast, VPNs provide methods of authenticating user identity, source addresses, and ensuring data has not been altered in transmission (Falk, 1999).
In order to take advantage of a higher level of protection, implementation of a VPN requires careful consideration of the security protocol and the configuration that best suits the needs of the company. Point-to-Point Tunneling Protocol (PPTP) and IP Security (IPSec) protocol enable private sessions over the Internet and securely link remote users to corporate networks. Each protocol has relative strengths and weaknesses in security and deployment (Marcotte, 1999).
Point-to-Point Tunneling Protocol (PPTP) was first intended for dial-up VPNs, augmenting remote access by allowing users to dial in to local Internet Service Providers (ISPs). When first created, it was not intended to address LAN-to-LAN tunneling. PPTP is an extension of the Point-to-Point Protocol (PPP), which is widely used to connect dial-up users to the public Internet or the private corporate network. Like PPP, PPTP functions at Layer 2, the data link layer. PPTP encapsulates PPP packets and allows users to send packets other than IP, such as IPX or NetBEUI. PPTP performs encryption, a method of scrambling the data before transmission, at the PPP layer and supports 40-bit or 128-bit encryption (Marcotte).
IPSec functions at Layer 3, the network layer, and can provide the tunneled transport of IP packets. IPSec was intended for secure tunneling over the Internet between protected LANs such as a remote office or corporate supplier. IPSec offers 168-bit Triple-Data Encryption Standard (DES) encryption, regarded as more secure than PPTP. IPSec provides packet-by-packet encryption and authentication, thus preventing interception by a third party (a "middleman attack"). PPTP cannot protect against this kind of attack since it authenticates sessions, not packets, by using the Password Authentication Protocol and the Challenge/Handshake Authentication Protocol (Ferrell, 1998). While IPSec is considered superior to PPTP, deployment of an IPSec VPN requires loading specialized client software on each desktop, a potentially labor intensive task up front (Marcotte). IPSec is the evolving standard for network layer encryption in the Internet, and the protocol is already supported in all major firewalls and many routers (Reavis, 1999). IPSec designers are working on solutions to address security once the user is inside the network, such as the integration of public-key infrastructure (PKI) and digital certificates into VPNs. IPSec is also incorporating various authentication methods including smart cards, digital certificates, and biometrics (Kirkley, 1999).
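To make the contrast between per-packet and per-session authentication concrete, the following is an added example (written for this report, not code from the report or from any vendor) of an HMAC-based per-packet authenticator with an anti-replay window, modelled loosely on the sequence number and integrity check value that IPSec ESP carries on every packet. The key, window size and messages are constructed for the illustration.

```python
import hashlib
import hmac
import struct

# Constructed 16-byte shared key for the example (not a real key).
KEY = bytes(range(16))
TAG_LEN = 12          # truncated authenticator length (96 bits, as ESP commonly uses)
REPLAY_WINDOW = 32    # how far behind the newest accepted packet a packet may arrive


def protect(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Sender side: prepend a 32-bit sequence number and append an HMAC over
    sequence number + payload, so every packet carries its own authenticator
    (the packet-by-packet check the report attributes to IPSec)."""
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class Receiver:
    """Verifies each packet's authenticator and rejects replays using a
    sliding window of already-accepted sequence numbers."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.highest = 0      # highest sequence number accepted so far
        self.seen = set()     # accepted sequence numbers still inside the window

    def accept(self, packet: bytes):
        """Return (payload, status); payload is None when the packet is rejected."""
        if len(packet) < 4 + TAG_LEN:
            return None, "too short"
        header, payload, tag = packet[:4], packet[4:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison: any change to payload or sequence number fails here.
        if not hmac.compare_digest(tag, expected):
            return None, "bad authenticator"
        seq = struct.unpack("!I", header)[0]
        # A sequence number already accepted, or older than the window, is a replay.
        if seq in self.seen or (self.highest - seq) >= REPLAY_WINDOW:
            return None, "replayed or stale"
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if self.highest - s < REPLAY_WINDOW}
        return payload, "ok"


def demo() -> dict:
    """Walk one receiver through the cases the report's text describes: a genuine
    packet, the same packet altered in transit, and the same packet delivered twice."""
    rx = Receiver()
    results = {}
    p1 = protect(1, b"GET /payroll")
    results["original"] = rx.accept(p1)[1]
    # One payload byte modified in transit: the authenticator no longer matches.
    tampered = bytearray(p1)
    tampered[6] ^= 0x01
    results["tampered"] = rx.accept(bytes(tampered))[1]
    # The identical valid packet arriving again is caught by the replay window,
    # something a session-level check (authenticate once at setup) cannot see.
    results["replayed"] = rx.accept(p1)[1]
    # The next packet in sequence still flows normally.
    results["next"] = rx.accept(protect(2, b"POST /transfer"))[1]
    return results


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:>9}: {status}")
```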
Quality of Service (QoS)
Quality of service (QoS) is a special type of connection-oriented dynamic routing that defines different classes of service, each with different priorities. For example, quality of service would be more important in time-dependent transmissions such as videoconferencing, where delays in routing can affect quality. E-mail transmission would be relatively less affected by delay, therefore requiring a lower priority (Fitzgerald et al., 1998). VPNs are maturing rapidly, but quality-of-service (QoS) concerns are still to be resolved. The processing required for encryption and decryption can add latency because routers in the network cannot read the bits marking QoS. Carriers are working to provide the best way to guarantee QoS so they can offer service-level agreements (SLAs) ensuring that important traffic gets priority handling. Some ISPs offer VPN services that keep a company's traffic on their network only, thereby enabling service-level guarantees. But these guarantees are for network transport time for all traffic, so e-mail gets the same priority as other applications. Currently, QoS by application is not offered by any service provider (Greene, Sept. 1999).
There are protocols that can address the problem of QoS. IPv6 deals with the reading of QoS bits by adding more unencrypted header fields to include the QoS information so that it can be read by any router. But this protocol is not yet widely adopted. Multi-protocol Label Switching (MPLS), a technology within routers, is also a potential solution since it secures traffic so it can go only to certain sites, eliminating the need for encryption. With MPLS, a label is attached to an IP header to enable routers to forward the message packet according to specified QoS levels. MPLS is also not widely adopted by carriers, and the Internet Engineering Task Force (IETF), the standards-making organization, has not completed its work on this technology (Greene, Sept. 1999).
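To show why an encrypting tunnel can hide the QoS marking from transit routers, here is an added example (mine, not code from the report) that builds a voice packet marked with the Expedited Forwarding DSCP, encapsulates it behind an outer IP header with an opaque body, and shows what a transit router sees depending on whether the tunnel gateway copies the inner ToS byte to the outer header, a copy that IPSec tunnel mode permits. Addresses and the toy keystream cipher are constructed for the illustration and are not a secure design.

```python
import hashlib
import struct

# ToS byte whose upper six bits are DSCP 46 (Expedited Forwarding, used for voice/video).
EF_TOS = 0xB8
KEY = b"constructed-tunnel-key"   # illustration only


def ipv4_header(src: bytes, dst: bytes, tos: int, proto: int, payload_len: int) -> bytes:
    """Build a minimal 20-byte IPv4 header (checksum left as 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len,
                       0, 0, 64, proto, 0, src, dst)


def toy_encrypt(data: bytes, key: bytes = KEY) -> bytes:
    """Toy keystream cipher (SHA-256 in counter mode) that only serves to make the
    inner packet unreadable for the illustration; it is NOT a secure construction."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + struct.pack("!I", block)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def tunnel(inner_packet: bytes, gw_src: bytes, gw_dst: bytes, copy_tos: bool) -> bytes:
    """Gateway side, ESP tunnel-mode style: the whole inner packet becomes an opaque
    body behind a new outer IP header (protocol 50 = ESP). copy_tos selects whether
    the gateway carries the inner ToS byte over to the outer, cleartext header."""
    inner_tos = inner_packet[1]
    body = toy_encrypt(inner_packet)
    outer_tos = inner_tos if copy_tos else 0
    return ipv4_header(gw_src, gw_dst, outer_tos, 50, len(body)) + body


def router_classify(packet: bytes) -> str:
    """Transit router: it can only read the outer cleartext header, so the queue
    decision is based on the DSCP bits found there."""
    dscp = packet[1] >> 2
    return "priority" if dscp == 46 else "best-effort"


def demo() -> dict:
    """Same voice packet, three views: on the LAN, tunneled without copying ToS,
    and tunneled with ToS copied to the outer header."""
    voice = ipv4_header(b"\x0a\x00\x00\x05", b"\x0a\x01\x00\x09", EF_TOS, 17, 160) + b"\x00" * 160
    gw_a, gw_b = b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02"
    return {
        "on_lan": router_classify(voice),
        "tunnel_no_copy": router_classify(tunnel(voice, gw_a, gw_b, copy_tos=False)),
        "tunnel_copy": router_classify(tunnel(voice, gw_a, gw_b, copy_tos=True)),
    }


if __name__ == "__main__":
    for view, queue in demo().items():
        print(f"{view:>15}: {queue}")
```

Copying the marking outward restores priority handling but also reveals the traffic class to anyone on the path, which is the trade-off behind the IPv6 and MPLS approaches the text mentions.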
Implementation
Senior research analyst, Abner Gemanow, of IDC suggests that when implementing a VPN businesses should ensure that all new clients issued are VPN-enabled even if they are not currently using a VPN. This way, a transition to the technology will go much smoother. He also advises, for LAN-to-LAN connectivity, to identify the most expensive legacy connections and decide whether or not to migrate them to VPN. For remote access, the location of the company's user base determines whether or not to convert to VPN. If users are calling in from the same area code as your headquarters conversion doesn't make sense and you should probably keep your remote access servers and modem pools. However, if users are located all over the world, then an Internet VPN would be sensible to offset long distance costs (Kirkley, 1999).
Outsourcing your VPN implementation is an option, and some ISPs offer packages connecting all your sites over their own IP backbones, avoiding the Internet and the possibility of poor QoS. These ISPs can offer service-level agreements on availability, lost packets, and speed of transmission (Greene, Sept. 1999). Latency, which is determined by the path a packet takes through the Internet, averages 200 milliseconds. Packet loss affects performance because packets must be retransmitted. The retransmission process can take up to 600 milliseconds. Packet loss rates can be as low as 2% to 5% to a high of 20% to 30%. With packet loss nearing 30%, bandwidth use is so high that the Internet ceases to be usable. Most common service-level agreements guarantee latencies of 100 to 150 milliseconds and should consider the network severely impaired at 10% packet loss and unavailable if packet loss exceeds 15% (Gasparro, 1999). According to Rob McKinney, director of VPN and Internet security for GTE Internetworking, due to legal reasons, service-level agreements will not guarantee against security breaches, because it is difficult to define exactly what a security breach is and to determine the value of losses. Having an ISP implement your VPN may be easier, but the provider may take security shortcuts such as not tunneling your traffic until it reaches its network, leaving your data insecure between your site and the carrier network (Greene, Sept. 1999).
Another consideration in VPN implementation is interoperability. Interoperability among vendors' equipment is required to make VPN set-up and operation successful. This interoperability requirement arises because encryption requires partners to share encryption keys. The Internet Key Exchange (IKE) authentication protocol, which governs how keys are exchanged to authenticate each end of an encrypted tunnel, does not work well when equipment at each site is not made by the same company. This may be a problem when trying to set up extranet links with business partners to whom you want to grant access to certain network resources. Getting your business partner to install the same equipment may be difficult for financial, logistical, and political reasons (Greene, Sept. 1999).
Careful consideration of security methods is important in implementing a VPN, and while the newer security technologies are providing a higher level of protection, understanding their strengths and weaknesses is essential. For example, PKI is a relatively new set of technologies and there are a few issues that should be considered. One issue is that the various companies making digital certificates do not all do it the same way. A second issue involves integration of PKI components with existing applications, which have to be able to accept digital certificates. Third, where to store the user's private key is in question. If the private key is stored on a PC at work, the user will need a different key for a laptop or a PC at home. This last issue can be addressed by using smart cards that the user can carry with them. Just recently developed is a "roaming certificate" technology where keys and certificates are held at a central server and are uploaded to end users operating any authorized machine attached to the network. The certificates then vanish from the PC after the user logs off. However, many users and vendors see holding certificates and keys in a central server as risky and subject to attack (Messmer, 1999, 14).
Management
Management of VPNs can be a challenge. Under IPSec, VPN devices have no quick way of knowing when sessions established with other devices have failed (Greene, Sept. 1999). At a preset interval, IPSec switches the key it uses to encrypt data. Only when no key exchange information comes back from the receiving device does the sending device learn that the equipment is not operational. Detection of a failure this way could take hours. There are proprietary methods that let VPN servers signal to each other that they are still operating, but these inhibit full interoperability among different vendors' equipment (Greene, August 2, 1999).
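To put numbers on "could take hours", the following model compares the two detection behaviours the paragraph describes: relying on the next scheduled rekey going unanswered, versus a periodic liveness probe of the kind vendors offered as proprietary extensions. It is an added example, not code from the report or from any product; all timings (an eight-hour rekey lifetime, a 60-second reply timeout, a 30-second probe interval) are constructed parameters, not measurements.

```python
"""Model of how quickly an IPSec gateway notices that its peer has died.

Added illustration, not code from the report. Two strategies are
modelled: "rekey only", where a dead peer is discovered only when the
next scheduled key exchange goes unanswered, and a periodic liveness
probe. All times are in seconds; all parameter values are constructed.
"""
from typing import Callable, List, Tuple

Log = List[str]


def make_peer(alive_until: int) -> Callable[[int], bool]:
    """A simulated peer that answers any exchange started at or before alive_until."""
    return lambda t: t <= alive_until


def rekey_only_latency(peer_alive_until: int, rekey_interval: int,
                       reply_timeout: int) -> Tuple[int, Log]:
    """Seconds between the peer's failure and the moment the sender gives up
    on an unanswered rekey. Nothing is exchanged between rekeys, so the
    latency is dominated by rekey_interval."""
    peer = make_peer(peer_alive_until)
    log: Log = []
    t = rekey_interval
    while True:
        if peer(t):
            log.append(f"t={t}: rekey exchange completed")
            t += rekey_interval
            continue
        detected = t + reply_timeout
        log.append(f"t={t}: rekey sent, no reply; peer declared dead at t={detected}")
        return detected - peer_alive_until, log


def probe_latency(peer_alive_until: int, probe_interval: int,
                  probe_timeout: int, max_missed: int) -> Tuple[int, Log]:
    """Same question with liveness probes every probe_interval seconds; the
    peer is declared dead once max_missed consecutive probes go unanswered."""
    peer = make_peer(peer_alive_until)
    log: Log = []
    missed = 0
    t = probe_interval
    while True:
        if peer(t):
            missed = 0
        else:
            missed += 1
            log.append(f"t={t}: probe unanswered ({missed}/{max_missed})")
            if missed == max_missed:
                detected = t + probe_timeout
                log.append(f"peer declared dead at t={detected}")
                return detected - peer_alive_until, log
        t += probe_interval


if __name__ == "__main__":
    died_at = 3600  # constructed: the peer fails one hour into the session
    latency, events = rekey_only_latency(died_at, rekey_interval=8 * 3600, reply_timeout=60)
    print(f"rekey only: noticed after {latency} s (~{latency / 3600:.1f} h)")
    latency, events = probe_latency(died_at, probe_interval=30, probe_timeout=10, max_missed=3)
    print(f"probes:     noticed after {latency} s")
    for line in events:
        print("  " + line)
```

With these parameters the rekey-only gateway keeps sending traffic into a dead tunnel for about seven hours, while the probing gateway notices in under two minutes; the cost of probing is the extra traffic and, as the text notes, a vendor-specific behaviour that the other end may not understand. The standard the article calls for arrived later as IKE Dead Peer Detection (RFC 3706), which takes the probe approach but sends probes only when the tunnel has been idle.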
Additionally, connecting more remote users means more remote client software that needs to be managed. The management challenge is in how to distribute, install, maintain, and upgrade VPN client software for thousands of remote users (Greene, May 1999). Distribution of client software can be via disk, e-mail, or as a download from a Web server. Distribution by disk requires either site visits or bringing all PCs to a central location; both can be logistically difficult. Mailing the disks or sending an e-mail attachment to users may not be a viable method, since installation may be beyond the end users' capabilities. However, downloading the software from a central server simplifies distribution and the setting of parameters defining users' remote access rights (Greene, May 1999).
Another VPN management consideration is that tunneling over the Internet means using authentication, authorization, and encryption to secure transmission. Client software is needed on remote PCs to handle this security. While some operating systems such as Windows 95, 98, and NT support VPN tunneling with PPTP, many users do not consider PPTP secure enough for their data and use IPSec instead. IPSec passes encryption keys between clients and the central-site VPN equipment, which in turn requires a certificate authority that stores users' keys and issues the digital certificates that verify users' public keys to other users. Managing the key process manually can be tedious. To date, the soon-to-be-released Microsoft Windows 2000 is the only operating system integrating an IPSec client, giving companies the flexibility of buying VPN equipment from multiple vendors (Greene, Sept. 1999). However, many companies do not quickly upgrade to the latest operating system; thus, for those companies using IPSec, a VPN requires separate client software.
Vendors recognize the difficulties that management of VPNs poses and are working to resolve them (Greene, May 1999). As recently as early November 1999, chipmaker Intel introduced its VPN Client Development tool, which automates delivery of VPN client software by sending it over the Internet. The product eliminates the need to send IT staff to each site, send disks or CDs to users, or have users send their notebooks to headquarters for configuration (Wallace, Nov. 1, 1999).
Regardless of the management problems, research from Infonetics finds that most companies are likely to manage their own VPNs rather than outsource. But the market research firm predicts that by 2003 the trend will shift to outsourcing, with users paying $10.4 billion for their own equipment and $14.2 billion for managed services that year (Greene, Sept. 1999). Outsourcing dial-up access can substantially reduce costs for technical resources because managing the physical infrastructure becomes the responsibility of the service provider. Service providers manage dial access, user setup and management, equipment support, and security. Also, shifting responsibility for remote access support to the dedicated help desks of network service providers can reduce costs even more and lighten the in-house help desk burden (Banson, 1999).
Competing Technologies
Most other competing technologies are based on dedicated circuits and are still viable solutions for many companies. Some telecommunications technologies, particularly DSL, are gaining the attention of companies interested in fast access and in replacing dial-up lines. Other existing technologies such as frame relay and ATM are still popular for their QoS and security. There are also vendors now offering less expensive T-1 service.
Symmetric DSL (SDSL) operates over a single twisted copper pair and offers the same bandwidth as T-1 at nearly half the price. IBM sees DSL as a less expensive way to provide dial-up lines for its employees who work full time from home. A recent (November 1999) Federal Communications Commission ruling may make DSL even more affordable. The Commission says that established local phone companies must allow competitors to sell DSL services on the same phone lines that the local carriers use to carry voice services. This means carriers will not have to wait to get separate lines installed and will not have to lease entire separate lines (Greene, Nov. 22, 1999). One disadvantage is that DSL operates effectively only over copper wires within 15,000 feet of a switching center, so availability is currently a problem (Wallace, Oct. 25, 1999).
The growth of frame relay use has slowed. Carriers expect 50% growth in ports this year, down from 70% to 100% growth in prior years. Migration to ATM, VPN, and DSL account for the trend. But frame relay is far from dead. Market researchers say frame relay will be a $7.5 billion business by next year (Dix, 1999, 36). Many companies stay with frame relay because they cannot get the performance they need from VPNs, while others consider VPNs only for installation of new lines (Robinson, 1999). Some carriers report that the demand for frame relay to ATM interworking is greater now than in the past three years and customers are building ATM core networks fed by frame relay. ATM is also an attractive alternative to frame relay and its use is growing 80% to 100% per year (Dix, 1999, 36).
Less expensive T-1 service is beginning to appear on the market. One vendor is offering T-1 service for a flat monthly fee of $500 plus $1 per minute of use (or a reduced per-minute rate of 50 cents at night). Traditional T-1s cost $500 to $1000 per month plus $20 or more per mile for the length of the access line. For customers who need T-1 access for less than 100 hours per month, the new offering is economical (Greene, Sept. 6, 1999). Another vendor is introducing equipment that could allow carriers to deliver T-1 lines over fiber optic lines for half the price of traditional T-1s. Using this new equipment, which eliminates the need for expensive electronics on the fiber that runs from the service provider to the customer, carriers reduce their equipment costs by 90%, allowing them to offer T-1s for $300 per month (Greene, Oct. 25, 1999).
It appears from the popular press that Virtual Private Networking is on the fast track to acceptance, even though confusion exists over the exact definition of a VPN. Many are jumping on the VPN bandwagon for a variety of reasons, including cost reduction and security. Interestingly, security has also been one aspect of VPNs about which companies have reservations, mostly due to evolving standards and interoperability issues. The IETF (Internet Engineering Task Force) is working to resolve standards on IPSec and MPLS. Vendors are trying to address interoperability among equipment through "bake-offs" in which each vendor tests its equipment with other vendors' products. Quality of Service (QoS) is also an issue high on the list of concerns. Currently, negotiation of service level agreements with ISPs is partially addressing QoS. Additionally, what makes sense and what works for companies in the design, deployment, and management of their VPN depends on numerous variables including, but not limited to, the size of the network, number of users, applications, bandwidth, available financial and technical resources, and future growth.
Virtual Private Networking is a technology in its infancy and is in a state of flux. There are problems to be worked out, but from the variety of companies who have rushed to accept it, it is clear that there are advantages, and as vendors rush to support the demands of these customers the technology will mature rapidly. The concept of the virtual private network is here to stay. The rapid pace of changing technology will determine the VPN's ultimate form and definition, as well as its acceptance.
References
Ahuja, Vijay. (1998, September). VPNs by the Numbers: Securing the Savings. [TechWeb WWW document]. URL http://www.data.com/issue/980907/numbers.html
Banson, Cris. (1999, October). Managing VPN Dial-up Access. Windows NT Systems, p. 27.
Bradner, Scott. (1999, August 2). The Absence of Network Security. Network World, p. 27.
Chen, Anne. (1999, August 16). Perot's VPN Path to the Virtual Enterprise. PC Week, p. 70.
Clark, Elizabeth. (1999, November). Virtual Private Networking Version 2.0. Network Magazine, p. 38.
Dix, John. (1999, September 27). Tracking Frame Trends. Network World, p. 36.
Falk, Howard. (1999). Supporting Remote Access Workers: VPNs Versus Remote Access Servers. Faulkner Information Services. URL http://www.faulkner.com.freereport/freereport.htm
Ferrell, Tom. (1998). Virtual Private Networking is Real Technology--Now. [WWW document]. URL http://www.employees.org/~ferguson/vpn.pdf
Fitzgerald, J. & Dennis, A. (1998). Business Data Communications and Networking. New York: John Wiley & Sons, Inc.
Gasparro, Daniel M. (1999, September 7). Next-Gen VPNs: The Design Challenge. Data Communications [WWW document].
Greene, Tim. (1999, May 31). VPNs are Easy--Once You Get the Clients Installed. Network World Fusion. URL http://www.nwfusion.com/archive/1999/66800_05-31-1999.html
Greene, Tim. (1999, August 2). Standard Needed so VPN Failures Can be Detected. Network World, p. 8.
Greene, Tim. (1999, August 16). Covad Puts DSL to Work in Virtual Networks. Network World, p. 14.
Greene, Tim. (1999, September 6). Inexpensive T-1 Service on Tap from Start-up. Network World, p. 1.
Greene, Tim. (1999, September 13). Microsoft Struts Windows 2000 VPN Features. Network World, p. 14.
Greene, Tim. (1999, September 27). The Vaunted VPN. Network World, p. 65.
Greene, Tim. (1999, October 25). Start-up's Fiber Gear Could Slash T-1 Prices. Network World, p. 85.
Hicks, Matt. (1999, August 16). Starting from Scratch to Build the VPN. PC Week, p. 73.
Kirkley, John. (1999). VPNs Ready for Prime Time…Almost. VPNs that Deliver: A Practical Guide to Reliable and Secure Virtual Private Networks. Network World White Paper.
Laberis, Bill. (1999). Eyes Wide Open. VPNs that Deliver: A Practical Guide to Reliable and Secure Virtual Private Networks. Network World White Paper.
Larsen, Amy K. (1999, July 12). Global Security Survey Virus Attack. Information Week, p. 56.
Marcotte, Greg. (1999, May 31). Protocols Serve Up VPN Security. Network World, p. 41.
Messmer, Ellen. (1999, November). Defense Department to Tap New Mobile Digital Certificates. Network World, p. 14.
Moad, Jeff. (1999, August 16). The ANX Agenda: Reinvent the Web. PC Week, p. 74.
Reavis, Jim. (1999, September 24). Is VPN the Killer Application for PKI? [WWW document]. Network World Fusion. URL http://www.nwfusion.com/focus
Rendleman, John. (1999, August 9). Covad Readies VPN over DSL. PC Week, p. 18.
Robinson, B. (1999, January 4). A Leg Up--Frame Relay Faces a Major Threat from VPNs. Tele.com [WWW document]. URL http://www.techweb.com/se/directlink.cgi?TLC19990104S00031
Thyfault, Mary E. (1999, April 5). Perfect Partners--DSL and VPNs Let
p. 68.
Wallace, Bob. (1999, October 25). Cheap, High-speed Local Links Transform the Market. InformationWeek Online. URL http://www.informationweek.com/758/dsl3.html
Wallace, Bob. (1999, November 1). Unique VPN Plan Pushes the Envelope. Information Week, p. 120.
Network World White Paper. URL http://www.nwfusion.com/whitepapers/vpndom/savings.html