Modernizing Authentication — What It Takes to Transform Secure Access
Few technologies today generate as much demand, enthusiasm and interest as virtual private networks (VPNs). As evidence, Infonetics Research indicated that 57%, 55% and 51% of large, medium and small businesses, respectively, plan to deploy VPNs by 2002. To find out why, we will take a look at the technology and some of the costs, benefits, advances and limitations associated with it.
VPNs use the shared public infrastructure of the Internet to connect user groups securely and privately for Internet, extranet and intranet applications. The most common of these connections are gateway-to-client (for mobile or SOHO workers), gateway-to-gateway (for satellite office connections) and client-to-client (peer-to-peer).
As opposed to traditional circuit-switched networks, VPNs use the Internet backbone, a packet-switched network, to create the connection between two end points. Security is most often provided through one of three protocols: the Point-to-Point Tunneling Protocol (PPTP), developed by Microsoft and its partners; the Layer 2 Tunneling Protocol (L2TP), a Cisco and Microsoft collaboration that merged PPTP with Cisco's L2F and that tunnels but does not encrypt on its own, so it is normally run over IPSec; and IPSec itself, an IETF standard implemented by many vendors, Check Point Software prominent among them.
Prior to VPNs, disparate offices relied on frame relay, ATM or leased-line connections, and mobile workers had to dial in to the corporate network, with the company incurring any long-distance charges. In both cases the direct connection was private (user authentication issues aside), but the corporation bore the brunt of the telecommunications charges.
Today, many corporations use VPNs to lower their telecommunications costs. For a private line between three U.S. domestic offices, connected to an international line and supporting 100 remote access users, a company could reasonably expect to pay approximately $62,500 per month, depending on carriers, bandwidth, usage and location. A VPN in the same configuration would cost less than $10,000 a month, a saving of more than $50,000 a month, which by our estimate pays back the VPN equipment in less than two months. Cost savings of this magnitude explain why companies of all sizes are still spending on VPNs despite tighter capital budget constraints.
From here to ubiquity?
Given the planned-deployment figures cited above, one could assume that within the next few years the technology will be ubiquitous. However, VPNs still have a few obstacles to overcome on their way to universality.
According to a poll conducted by Information Security, the greatest obstacle to VPN deployment is the difficulty of centrally managing client policy and configuration. This is a multi-fold dilemma involving both the manageability of multiple vendors and devices (multiple firewall/VPN vendors at multiple sites) and the encryption technology used between VPN devices. As is to be expected, VPNs employing multiple protocols from multiple vendors encounter interoperability problems. Qualifying vendors' products against industry standards such as IPSec addresses much of this, although even standards-based products interoperate only once both ends are configured with matching proposals (encryption and hashing algorithms, key lifetimes and authentication method).
VPNs also rely on encryption to provide the tunnel for information, and before any data flows the two ends must authenticate each other and agree on keys. To date, most wide-area network VPNs use a shared secret (pre-shared key) for that authentication. While this is simple between two points, it is an administrative nightmare for larger deployments. Each pair of sites should have its own secret, because a single secret shared by every site is exposed as soon as any one site is compromised. To determine the number of keys you'd need for a given number of sites under that rule, use the formula k = n(n-1)/2, where k = keys managed and n = sites. So, for 50 sites, you'd need to manage 1,225 keys, and a compromise of any one site means replacing the 49 secrets it held.
A solution to the key management issue is to employ a public key infrastructure (PKI), which uses public/private key pairs instead of shared secrets: each site holds one key pair and a certificate issued by the organization's certificate authority, so the credentials to manage grow linearly with the number of sites rather than quadratically, and a compromised site is handled by revoking one certificate. For instance, a VPN from Check Point interoperates with PKI products from multiple vendors, including RSA Security. PKI also validates the parties on both sides of the secure pipe: each gateway checks that the peer's certificate chains to the trusted CA and names the peer it expects before it trusts the tunnel. After all, it does little good to have a secure tunnel if you do not know who is on the other side.
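The following Go program is an added illustration of the two preceding paragraphs; it is not code from the original article or from any vendor's product. It computes the pre-shared-key count from the formula above, then builds the PKI alternative with Go's standard-library x509 package: an organizational CA issues each gateway one certificate, and a gateway verifies a peer's certificate against the CA root and the expected peer name before trusting the tunnel. The CA name, the gateway name gw-newyork.example.com and the serial numbers are invented for the example, and the key-exchange protocol that would carry the certificates (IKE in IPSec) is not modelled, only the trust check that sits inside it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PairwiseKeys: pre-shared keys for a full mesh of n sites, k = n(n-1)/2.
func PairwiseKeys(n int) int { return n * (n - 1) / 2 }

// PKICredentials: one key pair (with certificate) per site plus the CA's own.
func PKICredentials(n int) int { return n + 1 }

// Site is one VPN gateway: its private key and its CA-issued certificate.
type Site struct {
	Name string
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// newCert generates a P-256 key pair and a certificate for it; with a nil parent the result is self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return key, cert, nil
}

// NewCA creates the organisation's self-signed VPN root (hypothetical name supplied by the caller).
func NewCA(name string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	return newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// IssueSite has the CA sign one certificate naming a gateway: the PKI replacement for n-1 shared secrets.
func IssueSite(name string, serial int64, caKey *ecdsa.PrivateKey, caCert *x509.Certificate) (*Site, error) {
	key, cert, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}, caCert, caKey)
	if err != nil {
		return nil, err
	}
	return &Site{Name: name, Key: key, Cert: cert}, nil
}

// VerifyPeer is the check a gateway runs on the certificate the other end presents: it must
// chain to the organisation's root, be within its validity period, and name the expected peer.
func VerifyPeer(peer, root *x509.Certificate, expected string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := peer.Verify(x509.VerifyOptions{Roots: pool}); err != nil {
		return fmt.Errorf("peer certificate rejected: %w", err)
	}
	if peer.Subject.CommonName != expected {
		return fmt.Errorf("certificate names %q, expected %q", peer.Subject.CommonName, expected)
	}
	return nil
}

func main() {
	fmt.Printf("50 sites: %d pre-shared keys in a full mesh vs %d PKI credentials\n", PairwiseKeys(50), PKICredentials(50))
	caKey, caCert, _ := NewCA("Example Corp VPN Root CA")
	ny, _ := IssueSite("gw-newyork.example.com", 2, caKey, caCert)
	rogueKey, rogueCert, _ := NewCA("Rogue CA") // an attacker's own CA, constructed for the demonstration
	imposter, _ := IssueSite("gw-newyork.example.com", 3, rogueKey, rogueCert)
	fmt.Println("genuine gateway:", VerifyPeer(ny.Cert, caCert, "gw-newyork.example.com"))
	fmt.Println("same name, rogue CA:", VerifyPeer(imposter.Cert, caCert, "gw-newyork.example.com"))
}
```

The rogue-CA case is the one that matters in practice: a certificate carrying the right gateway name is worthless unless it was issued by the CA the gateway actually trusts, which is why VerifyPeer checks the chain before it looks at the name. A hub-and-spoke design reduces the pre-shared-key count to n-1 without a PKI, but every spoke-to-spoke flow then transits the hub.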
Another knock on VPNs has been performance. We believe this concern has abated: crypto accelerator network interface cards now speed encryption processing on general-purpose servers, and VPN appliances offer throughput approaching a gigabit.
Perhaps the largest impediment to VPN deployment, as with any technology, is the horror stories from misconfiguration (user error) or wide-open back doors. The best defence is to maintain and enforce security policies and to use caution with features such as split tunneling for remote access. With split tunneling, a remote user's machine sends corporate traffic through the tunnel while the rest of its traffic goes directly to the Internet; an intruder who compromises the machine over that direct path then has a route into the corporate network through the authenticated tunnel, a back door the user never intended to open.
While VPN implementations, like those of every new technology, have their share of hurdles, we believe vendors will continue to offer innovation and a compelling value proposition for any company looking to lower the cost of its telecommunications. As a result, we remain bullish on the future of VPNs.
This article was excerpted from the May 25, 2001 edition of Watchdog, a periodical published by Tucker Anthony Sutro Capital Markets covering business and financial topics in the Information Security sector. Frederick D. Ziegel is managing director of equity research and John D. Hall is an associate analyst for the firm, based in New York. Ziegel can be reached at email@example.com and Hall at firstname.lastname@example.org.