The Case for Migrating to IP-Based VPNs

Switching from traditional nets can cut costs, increase flexibility.

Enterprise VPN solutions are traditionally deployed over leased lines, frame relay or ATM (asynchronous transfer mode) connections, but many organizations are migrating their VPN infrastructure completely or in part to IP-based virtual private networks using protocols such as IP Security, MPLS and SSL.

While IPSec and Multiprotocol Label Switching are more suitable for site-to-site connectivity and Secure Sockets Layer is better suited for remote access, the main business drivers for switching from legacy WAN connections to any IP-based VPN are to reduce operational costs and increase network flexibility.

There are many ways to build a cost-effective and robust IP-based VPN infrastructure. IT managers should carefully detail their organizations requirements and work closely with hardware vendors and service providers to find the most suitable of the many VPN options out there.

IP-based VPNs can be built from the ground up using purpose-built VPN routers or VPN gateway appliances from vendors such as Check Point Software Technologies Ltd./Nokia Corp., Cisco Systems Inc. and NetScreen Technologies Inc. (see review). These "build-your-own" IP VPNs are constructed with low-cost, easily managed appliances that provide integrated firewall functionality, encryption, tunneling and routing capabilities.

These vendors also provide a complete line of gateway appliances with performance matrixes for fulfilling different site requirements—for example, allowing administrators to deploy a multiport scalable device for the main office and a smaller, single-port device for the remote office.

Companies that deploy this type of build-your-own VPN will add significant management complexity to their network infrastructures. It will be important to include the cost of training current staff or possibly adding staff when figuring total cost of ownership.

To reduce management costs, look for VPN products that provide centralized policy management capabilities. This is especially important for larger enterprises linking many remote and branch offices in geographically disparate locations.

Some enterprises will elect to outsource their site-to-site VPN needs—entirely or in part—to MSPs (management service providers). An MSP IP VPN solution can provide rapid global deployment and lets companies scale their networks quickly by leveraging the vast ISP backbone.

Companies that run critical applications over VPNs should elect for a premise-based solution, where the ISP installs customer premises equipment, known as CPE, and provides end-to-end service with quality of service and service-level agreement guarantees. ISPs including AT&T Corp., Sprint Corp. and WorldCom Inc. offer IPSec-based VPN systems and can usually leverage existing hardware and expertise.

Vendors including Aventail Corp., Neoteris Inc., SafeWeb Inc. and URoam Corp. provide VPN services and hardware appliances that allow companies to run VPN applications using SSL. As an alternative to remote access IPSec VPNs, the most attractive feature of SSL-based VPNs is that they significantly reduce complexity. VPNs running on SSL eliminate the client-side software needed for IPSec VPNs, and a standard Web browser can be used to access internal resources and applications.

The SSL protocol is well-suited for remote access VPNs and extranets, but IT managers might have to deploy SSL acceleration devices to ensure adequate performance. In addition, not all legacy applications can run on SSL, so administrators should consider running Web applications over SSL VPNs while keeping mission-critical legacy applications on traditional VPNs.

Many companies are now exploring the idea of using VPNs to secure WLANs (wireless LANs). Sites that have already deployed IPSec remote access can use an existing VPN system to secure WLANs. However, because IPSec is not designed to accommodate the latency found in mobile networks, IT managers will likely run up against problems with segment roaming and bandwidth.

Vendors including ReefEdge Inc. and Vernier Networks Inc. provide appliances that tighten WLAN security using VPN technology (see the Labs Feb. 3 review of ReefEdges Connect System 3.1 at links), but deploying this type of system will add cost and increase management complexity.

Technical Analyst Francis Chu can be reached at