
Knowing when to outsource VPN services

By Michael Brandenburg
SearchEnterpriseWAN.com

The traditional approach to providing VPN services has been to build everything in-house. The wide area
network (WAN) vendor delivers the connections, and the organization leaves VPN connections to its
networking team to deploy and manage. In recent years, however, that approach has been challenged by
both external and internal forces, pushing the network manager toward outsourcing the management of
the WAN to managed service providers. Any number of factors may move enterprises to
managed VPN services, but there are a few common elements that network managers should consider
when making decisions on outsourcing services.

Comparing costs of outsourcing VPN services


Comparing the financial impact of moving your VPN links to a managed services model from an existing
in-house deployment can quickly become a lesson about capital expenditures and operational expenses,
commonly referred to as CapEx vs. OpEx. For WAN infrastructure like VPNs, capital expenditures are the
assets that make up the solution, primarily routers, as well as the costs of maintaining those assets. VPN
services already have an operational expense portion, notably the WAN links themselves, but managed
service providers take this one step further by rolling all of the costs into a single OpEx number. (Read
this article on how cloud VPN services lessen SSL VPN gateway expenses to learn more.) Although
enterprises can opt to use their existing hardware for a managed VPN service, the service providers also
work with companies such as Cisco Financial to offer customers rentals or lease agreements for the
routers. This type of arrangement would make an outsourced VPN a completely operational expense
item.

Brian Washburn, research director covering network services for the analyst firm Current Analysis, notes:

"Enterprises have the opportunity to defray the costs of routers, maintenance agreements, etc., under a
managed service agreement. Most of the asset cost can get buried within the service cost. If your
organization has become averse to capital expenditures, a fully managed VPN might be an opportunity to
move budget dollars into the expense column but also upgrade the WAN infrastructure with updated
equipment in the process."

Unfortunately, as a rule, service providers will not make pricing public, noting that each deployment is
unique and, as such, pricing for a VPN service is specific to that implementation. Getting to the final costs
of outsourcing the VPN will certainly require a lengthy RFP process, and the size and scope of your VPN
deployment is also certain to play a role in any move to outsourcing. Although a virtual private network
spanning dozens of sites is definitely a candidate for moving to a managed service, pricing for smaller
deployments will be less appealing.

Management of VPN services


Beyond the capital expense of maintaining the components of the virtual private networks, human
resources could also play a role in the decision to outsource. In recent years, the economic conditions
and the resulting austerity programs have scaled back IT staffing levels in most organizations, resulting in
smaller teams with more responsibilities. In an effort to remove some of the burden from these scaled-
back teams, networking managers might consider outsourcing VPN management to a service provider.
To offload some or all of the workload of the network engineering team, most service providers offer three
tiers of managed services for enterprise customers, with each tier ultimately tied to the level of control and
management the enterprise wants to maintain in-house. The first is simple monitoring and notification
services, where routers are polled at specified intervals and the customer is notified if the router does not
respond. The second tier includes monitoring but also adds break/fix support into the mix. In the event of
a router failure, the service provider will place the call to the hardware vendor and get the truck rolling for
repairing or replacing the down equipment. At this level, in-house network engineers are still responsible
for getting the field technician the configuration necessary to restore service, but the service provider is
accelerating the process of recovery by placing the call immediately. The third tier has the service
provider taking over full control of the VPN infrastructure, everything from break/fix resolution to
configuration and firmware management.

In particular, configuration and firmware management can be a tedious and seemingly endless process
for many network engineers. With multiple versions of the same router model, multiple firmware trees, not
to mention new router models, an enterprise network engineer could also be dedicated to the task of
keeping the WAN components current. Managed WAN services might serve as an opportunity to move
this work off the engineer's plate and allow him to focus on new projects.

The downside of outsourcing VPN services


Of course, there are drawbacks to outsourcing VPN services to a third party. Jumping into a long-term
agreement with a service provider ultimately limits the customer's bargaining power and locks the
enterprise into a particular vendor. Changing WAN service providers is difficult enough, and transitioning a
fully managed service only complicates the situation further, muddying the waters with router leases and
vendor support contracts, for example. Enterprises that are looking into outsourcing to managed services
need to weigh the loss of that bargaining position against the benefits of moving that service, namely
tighter service-level agreements (SLAs) and faster problem resolution than can be supported in-house.

Can in-house WAN teams achieve four 9s of service?

Bearing in mind all of these factors, an enterprise network manager ultimately needs to determine
whether or not his own in-house team can deliver the same level of performance and uptime as the
service provider promises. Unfortunately, in most cases, the service providers have an advantage in both
resources and the ability to compensate the enterprise for any problems that do develop.

Some service providers are promising up to 99.99% uptime on their managed services -- this translates
roughly to a little less than an hour of downtime over the course of a year -- going so far as to offer
customers an SLA that includes remuneration for any downtime that exceeds this amount. The service
provider can back this agreement with teams of network engineers, monitoring their customers' networks
24/7, but also by adding requirements on the customer side. For example, the service provider is likely to
require secondary access to the remote routers to ensure that it can troubleshoot and resolve problems if
the primary connection is unavailable. These secondary connections could be a dial-up line, DSL service,
or even a wireless 3G modem connected to the back of each router, all of which will add to the expense
of guaranteeing primary VPN service.

Can an in-house networking team match this level of service? Probably not, as that team would be hard
pressed to match the level of resources that a service provider could bring to bear, not to mention the fact
that there is less incentive and no remuneration for the organization to provide the network team with this
level of resources. While the ability to achieve the "four 9s" of uptime is only one factor in the final
decision to outsource VPN services, it highlights how the local network team and service providers
offering the same service might be seen in different lights.

Outsourcing IP VPNs: How to measure ROI


By Vab Goel, Virtela Communications
SearchNetworking.com

What is driving the trend towards outsourced virtual private networks (VPNs)? The
answer can be summed up easily: more, more, more. Networks are growing more
complex, and enterprises need more of them, particularly as they are driven to expand
globally more than ever before to meet revenue expectations. At the same time, they are
being forced to do it all with less -- less money, less staff and less time.

Enter outsourcing. It's an option that's increasingly inevitable for companies to keep up
and gain a competitive edge in today's market climate. Cost savings are a key driver, enabling enterprises
access to valuable network support resources that are too costly or impractical to build in-house, such as
a 24x7 global help desk. The question is how to best go about selecting outsourced service providers,
specific IP VPN and related services to outsource, and accurately gauging their return on investment
(ROI).

All or nothing? Just say no

Typically, the menu of carrier-managed VPN services is less than appealing, given their fixed set of
services using a fixed set of providers. Forward-thinking service providers are answering the enterprise
dilemma with a la carte options that solve particular pain points, rather than requiring wholesale
outsourcing. Need to outsource just the monitoring of your existing VPN? Just the provisioning,
installation and operation of your Asia-Pac VPN? Just the management of myriad access providers
around the world? No problem. Specialized VPN service providers are flexible, customizing either
piecemeal or full-scale managed solutions using a blend of technologies and providers with a true
agnostic approach.

Unlike Frame Relay, which requires physically connecting all locations together via one network, VPNs
enable enterprises to exploit multiple global IP networks to achieve built-in redundancy, optimal
performance, and the opportunity to select different service providers to manage the network.

Not sure where to start? Selective services such as cost and performance benchmarking analyses are
also available, enabling enterprises to leverage expertise to assess the current state of their networks
and, for example, whether they are paying too much or are in line with the most aggressive market rates.
These providers can renegotiate rates, as well as handle tasks such as RFP management. The list of
available services, from out-tasked to fully outsourced, is growing rapidly, allowing enterprises to customize their
outsourcing to better focus on revenue-generating business while improving network availability, quality of
service and security through stringent service guarantees and highly skilled 24x7 resources.

Once the case is made to move forward in any direction, enterprises should demand a business case --
with ROI -- be part of the initial network assessment. This should include a number of baseline
considerations, such as current network infrastructure, critical network application drivers, network
security, IT staff and capabilities, and current network, training and maintenance costs to make the most
valid comparison.

Beyond the ABCs of ROI

There are a number of concrete considerations in evaluating the ROI of any outsourced VPN, whether
against a legacy environment or a do-it-yourself scenario. These include key one-time costs, such as
equipment, installation, access, service activation and migration. You'll also need to add key recurring
costs, including: CPE management, access, managed ports, remote access user connections and
solution redundancy. Naturally, there are associated internal costs as well as fees paid to the service
provider. Keep in mind that in assessing the value of new functionality -- such as disaster recovery or
support for overlay voice and video -- the end result may not be a true apples-to-apples comparison.

The analysis should include monthly, 3-year and 5-year timelines, including one-time charges, months to
payback, percentage savings and dollar savings -- both monthly and annually.

Beyond hard costs, enterprises must evaluate the more qualitative and strategic benefits. While it is
sometimes difficult to assign hard costs in this area, even conservative assumptions will help reflect
actual return. These include increases in IT staff and company employee efficiency, productivity and
morale; decreases in network downtime (and revenue lost to downtime); direct Internet access resources
per site; performance and bandwidth increases; enablement of new applications; and speed and ease of
adding or deleting users, locations, and partners to the network.

An area sometimes overlooked in calculating soft costs includes time expended by IT staff to develop and
price support services for internal employees. If buying services from multiple carriers (which is advisable
to mitigate risk), consider the time cost involved in contract negotiation, billing consolidation and other
aspects of multi-carrier management. For an international network, selecting a provider that offers a
single point of contact and a single bill for multiple services across multiple countries can result in major
dividends.

There are other helpful rules of thumb based on generally accepted assumptions, such as the following
put forth by industry research firm IDC. These include:

- Burdened salary (salary + 50% for benefits and overhead) to quantify efficiency and productivity
  savings
- Downtime = number of hours multiplied by number of users affected
- Impact of unplanned downtime = impaired end user productivity and lost revenue
- Lost productivity = downtime multiplied by burdened salary
- Lost revenue = downtime multiplied by average revenues generated per hour (IDC attributes 30%
  of lost productivity and 42% of lost revenue to savings.)

Further, to arrive at total ROI, enterprises can use the Net Present Value (NPV) tool. NPV calculates the
value in current dollars for a multi-year ROI, including annual average cost reductions, cost savings in IT,
staff and user efficiency and productivity, and additional revenue generated. ROI is the net return on
investment, or NPV divided by investment.
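
A business-case model that applies the cost buckets, the IDC rules of thumb and the NPV/ROI definitions above, added here as an example rather than code from the article. The scenario figures, the 2,080 work hours per year used to derive an hourly rate, and the 8% discount rate are constructed assumptions, and lost revenue is charged per outage hour rather than per user-hour.

```python
"""Outsourced IP VPN business case: one-time and recurring cost buckets, the IDC
downtime rules of thumb, months to payback, NPV and ROI.  Added example; every
figure below is constructed, not taken from a real deployment."""
import math
from dataclasses import dataclass

HOURS_PER_YEAR = 24 * 365        # 8760
WORK_HOURS_PER_YEAR = 2080       # assumption: 40 h x 52 weeks, to turn a salary into an hourly rate


def allowed_downtime_hours(availability: float) -> float:
    """Downtime an SLA permits per year: 0.9999 ("four 9s") -> ~0.876 h, just under an hour."""
    return (1.0 - availability) * HOURS_PER_YEAR


def burdened_hourly_rate(annual_salary: float, overhead: float = 0.50) -> float:
    """IDC rule: burdened salary = salary + 50% for benefits and overhead."""
    return annual_salary * (1.0 + overhead) / WORK_HOURS_PER_YEAR


def downtime_savings(hours_avoided: float, users_affected: int, annual_salary: float,
                     revenue_per_hour: float, productivity_share: float = 0.30,
                     revenue_share: float = 0.42) -> float:
    """Soft savings credited for downtime avoided, per the IDC rules of thumb:
    downtime (user-hours) = hours x users; lost productivity = downtime x burdened rate;
    lost revenue = outage hours x average revenue per hour (assumption: revenue is not
    scaled by user count); only 30% / 42% of those losses are counted as savings."""
    user_hours = hours_avoided * users_affected
    lost_productivity = user_hours * burdened_hourly_rate(annual_salary)
    lost_revenue = hours_avoided * revenue_per_hour
    return productivity_share * lost_productivity + revenue_share * lost_revenue


def npv(annual_net_benefit: float, years: int, discount_rate: float, investment: float) -> float:
    """Net present value of a level annual benefit stream, less the up-front investment."""
    pv = sum(annual_net_benefit / (1.0 + discount_rate) ** t for t in range(1, years + 1))
    return pv - investment


def months_to_payback(one_time_cost: float, annual_net_benefit: float) -> float:
    """Whole months until cumulative net benefit covers the one-time charges."""
    if annual_net_benefit <= 0:
        return math.inf
    return math.ceil(one_time_cost / (annual_net_benefit / 12.0))


@dataclass
class Scenario:
    one_time: dict          # equipment, installation, access, service activation, migration
    recurring: dict         # annual: CPE management, access, managed ports, remote users, redundancy
    downtime_hours: float   # expected unplanned downtime per year


def business_case(baseline: Scenario, outsourced: Scenario, users_affected: int,
                  annual_salary: float, revenue_per_hour: float,
                  discount_rate: float = 0.08, horizons=(3, 5)) -> dict:
    """Compare an outsourced VPN against the current (or do-it-yourself) environment."""
    investment = sum(outsourced.one_time.values()) - sum(baseline.one_time.values())
    hard = sum(baseline.recurring.values()) - sum(outsourced.recurring.values())
    soft = downtime_savings(baseline.downtime_hours - outsourced.downtime_hours,
                            users_affected, annual_salary, revenue_per_hour)
    annual = hard + soft
    result = {
        "one_time_charges": investment,
        "hard_savings_per_year": hard,
        "soft_savings_per_year": round(soft, 2),
        "monthly_savings": round(annual / 12.0, 2),
        "pct_recurring_savings": hard / sum(baseline.recurring.values()),
        "months_to_payback": months_to_payback(investment, annual),
    }
    for years in horizons:   # the article asks for 3- and 5-year views
        value = npv(annual, years, discount_rate, investment)
        result[f"npv_{years}y"] = round(value, 2)
        result[f"roi_{years}y"] = round(value / investment, 2) if investment else math.inf
    return result


# Constructed scenario: a 20-site in-house VPN versus a managed VPN sold with a 99.99% SLA.
IN_HOUSE = Scenario(
    one_time={},                                        # existing kit is already a sunk cost
    recurring={"access circuits": 180_000, "in-house CPE maintenance": 60_000},
    downtime_hours=20.0,                                # assumption: ~20 h unplanned per year
)
MANAGED = Scenario(
    one_time={"migration": 35_000, "installation": 15_000, "service activation": 10_000},
    recurring={"managed ports": 120_000, "CPE management": 36_000, "redundancy": 24_000},
    downtime_hours=allowed_downtime_hours(0.9999),      # the provider's "four 9s" SLA
)

if __name__ == "__main__":
    case = business_case(IN_HOUSE, MANAGED, users_affected=200,
                         annual_salary=60_000, revenue_per_hour=5_000)
    for key, value in case.items():
        print(f"{key:>24}: {value}")
```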

In addition to these pieces of the puzzle, keep in mind that there are always intangible benefits that
should be noted alongside any formal ROI evaluation, such as making recurring costs more predictable
by moving to a fixed-cost model, and the ability to pay as you grow versus overspending on capital 

When is VPN a Good Idea?

A VPN connection is only necessary if the two hosts are communicating across an unsecured,
public network and the information they are sharing should be protected. If you have no need to protect
the information flow, or the network(s) in between them are under your control, there is probably no need
for a VPN.

If you do need some sort of VPN connectivity, there are several means to achieve it and no specific ‘best
practice’. If you are connecting just two PCs, you can install software on each of them to
create the VPN. Simple pre-shared key encryption, such as an SSL/TLS tunnel, should be sufficient
if you have a secure means of installing the encryption keys and software (OpenSSL) on both machines.

If you’re looking to share the VPN connection with all PCs connected to the routers on both sides of the
connection, you can configure the routers to form the VPN connection, provided the routers have that
capability in their firmware (e.g., Cisco IOS). In that case, the VPN options in the router will
dictate your choices.

Tunnel Architecture Considerations

Whether you wish to use the routers as your VPN gateways or create a direct end-to-end VPN
connection will depend on your need for security. Here are some general things to consider before you
create your VPN connection(s).

- An end-to-end connection protects the entire communication path.
- Using the routers as gateways only protects the router-to-router traffic.
- Creating separate VPN connections between the PCs and the routers and then a second
  connection from router to router is not as effective from a security standpoint as an end-to-end tunnel,
  because the encryption keys for each connection are stored on the routers and
  the packets are temporarily decrypted on receipt from a PC and re-encrypted on transmit to the far
  end router, leaving the data temporarily unencrypted between ‘hops’ in the VPN.
- A router-to-router tunnel is simpler to use and scales better, as other computers can share the
  VPN connection.

VPN Server

You probably do not need a special VPN server unless you are connecting multiple external users or PC’s
to a local network or resource across unsecured networks.  VPN concentrators are used for this purpose
and most firewall appliances and software support this function.

VPN Protocols

This is going to be a very brief summary of the available options. There are several protocols available for
use in creating VPN connections:
- Point to Point Tunneling Protocol (PPTP)
- Layer 2 Tunneling Protocol (L2TP)
- IP Security (IPSec)
- Secure Sockets Layer/Transport Layer Security (SSL/TLS)


Point to Point Tunneling Protocol

- Jointly developed by Microsoft and Cisco.
- Works over PPP dial-up connections.
- Supported on nearly all Windows systems (all the way down to NT and Windows 95).
- No encryption provided unless used with MPPE.
- Make sure you are using the latest version; several MAJOR security flaws existed in this protocol
  originally.

Layer 2 Tunnelling Protocol

- Another protocol jointly developed by Microsoft and Cisco.
- Well supported on most routers, firewalls and Microsoft hosts.
- Can be used on non-Internet Protocol based networks (ATM, Frame Relay etc.).
- Requires digital certificates and can use IPSec encryption.

IPSec

- A set of open standards.
- Most common solution chosen.
- Broadest support from vendors.
- Growing support for this protocol.
- Two flavors:
  - Authentication Header
  - Encapsulating Security Payload
- Uses Internet Key Exchange (IKE).


Secure Sockets Layer/Transport Layer Security

- Simplest solution.
- Uses the same encryption solution as any web browser.
- Supported by installing OpenVPN or other clients.
- Creates an end-to-end encryption solution between two PCs.
- Doesn’t scale well.

Which VPN Solution?

Which VPN solution is the best match will depend on the hardware, software, security policies and
architecture, but SSL/TLS for something simple and IPSec for anything else would be my first two
recommendations.

Connect branch offices using a VPN


By Deb Shinder

As your business grows, you may expand beyond your original physical site. That means opening
branch offices in other locations, whether across town or across the globe. It's likely that the
employees in these remote locations will need access to many of the same network resources as those
at your headquarters building, and the two groups will probably need to share files and communicate
electronically with one another.

The traditional solution has been to implement a dedicated Wide Area Network (WAN) link between
the central and branch offices. This is usually a T-1 or even a T-3 line. However, dedicated leased
lines are expensive. When you have only one branch office, a single line will suffice, but if you add a
third, you may need to add two more dedicated lines to ensure connectivity. The number of lines that
are needed for full connectivity increases dramatically as new offices are added, and so does the cost.

A more scalable solution is to connect branch offices using a site-to-site virtual private network
(VPN). Let’s look at how a VPN can offer you maximum scalability while ensuring that
communications between offices stays secure.

The Internet is the network


To implement a site-to-site VPN connection between your branch offices, each location needs a
connection to the Internet. The Internet connection can be via a T-carrier line or a less expensive
business-level broadband connection such as DSL, cable or new fiber optic technologies such as
Verizon’s FIOS. All of these provide data transfer rates at speeds far greater than a T-1 line. For
example, in the Dallas-Ft. Worth, TX market, a 1.5 Mbps T-1 costs $399 or more per month. A FIOS
connection provides 30 Mbps, or twenty times the bandwidth, for $199 per month.

The VPN uses the fact that both your central office local area network and the branch office networks
are connected to the larger network (the Internet) to provide connectivity between the LANs. Of
course, the Internet is a public network, full of hackers and attackers, so the key concern with
sending communications across the Internet that are confidential within the company is security.

VPN technologies solve this problem by creating a "tunnel" through the Internet from one office
(site) to another. The traffic that goes through this tunnel is encrypted to protect any sensitive data.

Some advantages of site-to-site VPN include:

- Cost. You don’t need the multiple leased lines required for dedicated branch office WAN
  links. You can use a single leased line to the Internet for each office, or lower cost business
  broadband Internet connections.
- Performance. You can use very high speed Internet connections at each office for data
  transfer rates that approach or surpass some Ethernet links.
- Flexibility. If you move one or more offices, it’s much easier to "take it with you" than a
  dedicated leased line link. The VPN can be set up easily at the new site.
- Scalability. Adding new sites/connections is simple as long as each location has a connection
  to the Internet. With leased lines, greater distance between offices means higher cost. Because the
  VPN uses a connection to the Internet instead of a point-to-point connection between offices, it’s
  much more scalable.

Implementing the site-to-site VPN

Unlike the remote access type of VPN that’s used by telecommuters or traveling executives to
connect to the office, a site-to-site VPN utilizes a gateway at both ends of the connection. Traffic is
encrypted from gateway to gateway (over the Internet).

There are a number of different ways to create a site-to-site VPN. First you need to consider the
protocols you’ll use to create the tunnel and encrypt the traffic. Popular tunneling protocols include:

- Point to Point Tunneling Protocol (PPTP). One of the first VPN methods, and supported by
  many VPN software and hardware vendors, but less secure than some other choices. More often used
  for remote access VPN but can be used for site-to-site VPNs.
- Layer 2 Tunneling Protocol (L2TP). Based on a combination of Microsoft’s PPTP and
  Cisco’s Layer 2 Forwarding (L2F). L2TP creates the tunnel and IPsec is used to encrypt the traffic
  inside the tunnel.
- Internet Protocol Security (IPsec). IPsec can itself be used to create a VPN tunnel in "tunnel
  mode."

Site-to-site VPN software

In addition to the protocol issue, another important consideration is how the VPN software will be
implemented. You can purchase dedicated VPN gateway appliances. Most firewall appliances, such
as the Cisco PIX, also include VPN functionality. Alternatively, software firewalls such as
Microsoft’s ISA Server or Check Point can also be configured as site-to-site VPN gateways. Finally,
Microsoft’s server operating systems also can be set up through Routing and Remote Access
Services (RRAS) as VPN gateways.

In selecting an option, keep scalability in mind. If your branch office is likely to grow, that might
very well mean an increase in the amount of traffic between the branch office and the central office,
and that in turn means a heavier load on your VPN gateway. If you’re locked into an appliance,
upgrading may require that you purchase a whole new appliance. Using software-based VPN
gateway solutions such as Windows Server or ISA Server or Check Point for Windows will allow
you to upgrade the hardware more easily, by adding a processor or memory, to handle the extra load.
There’s a tradeoff, though -- appliance based gateways may provide for faster performance to begin
with, and they may also run proprietary operating systems that are less vulnerable to attack than
Windows servers.

Regardless of which way you go, a site-to-site VPN solution can offer you a highly scalable way of
connecting branch offices.

MPLS VPN basics


By Michael Brandenburg, Technical Editor
SearchNetworkingUK

In this review of MPLS VPN basics, discover the differences between MPLS VPNs and traditional virtual
private networks, as well as the advantages and disadvantages of the latest in service provider offerings.
While an MPLS VPN can simplify the design of your wide area network (WAN), some compromises and
changes to your WAN strategy are required.

MPLS VPN basics: What is an MPLS VPN?


An MPLS VPN is a virtual private network built on top of a service provider’s MPLS network to deliver
connectivity between enterprise locations. Available in layer 2 or layer 3 options, the VPN leverages the
multiprotocol and labeling capabilities of MPLS to deliver a flat, peer-to-peer network to link all of an
organization’s remote sites into a common network. In most cases, MPLS VPN services are sold without
encryption, typically relying on the fact that each customer is isolated from the others on his own private
network. But for those customers that require it, encryption schemes such as IPsec can be added on top
of the VPN configuration.

MPLS VPN basics: Comparing MPLS VPNs with other types of VPNs

What is the difference between MPLS and MPLS VPN? The distinction between MPLS and MPLS
VPN is actually straightforward, but marketing of the services, as well as customers themselves, blur the
differences. When referring to MPLS services, many customers are actually referring to an MPLS
VPN service. Multiprotocol Label Switching (MPLS) is the underlying technology that enables service
providers to offer customers high-speed private networks. The service provider provisions virtual circuits
for each customer, insulating one customer’s data from another’s, even though both customers are on the
same physical telecom gear. To the customer, an MPLS network appears similar to a leased line service,
delivering a private network to link multiple corporate sites. Depending on the customer requirements,
MPLS can deliver connectivity to an enterprise at either a layer 2 Ethernet level or layer 3 IP level.

Further reading on MPLS VPN basics


- Selecting an MPLS provider: Key questions to ask
- Knowing when to change WAN service providers
- MPLS implementation gotchas: Eight ways to avoid lock-in with bad providers
- Read this book chapter from Troubleshooting Virtual Private Networks: Troubleshooting MPLS
  VPNs.
- See SearchTelecom.com's guide to MPLS VPN networking services.
- Read what your peers are saying about VPNs and MPLS on TechTarget’s IT Knowledge
  Exchange.

What is the difference between traditional VPN and MPLS VPN services? 
Most VPN services create a one-to-one link between two network endpoints (referred to as a point-to-
point solution). While the VPN appliance at the head end may support multiple inbound links, each link is
unique, with an encrypted tunnel created between each enterprise remote site and headquarters, for
example. In the point-to-point model, dedicated hardware or software is used to encrypt the traffic
between the two points. For data traffic travelling between two remote sites, this scenario creates an
extra hop. In order to reach another remote site, traffic from one site has to traverse the VPN tunnel to the
headquarters, then route through another tunnel to its final destination. This additional stop at the hub not
only adds latency in routing these packets but also requires that the hub in this configuration be equipped
with enough bandwidth to handle the load from multiple remote locations. This type of VPN service is
designed to create secure, encrypted links over public networks, including Internet broadband links.

MPLS VPN services, on the other hand, are multipoint by design, making
per-site VPN tunneling unnecessary. When data moves from one site to another, the ingress router looks up
the destination site in its routing table, adds a label for that site, and forwards the packet to the next
router. This approach not only reduces the latency of inter-site transfers, it also flattens the wide area
network design, simplifying the approach WAN engineers can take when delivering services between sites.
It does, however, require all remote sites to be connected to the MPLS network.

What is the difference between L2 and L3 MPLS VPNs? 


As the names suggest, MPLS VPNs can be provisioned as a layer 2 connection, such as Ethernet, ATM
or frame relay, or at layer 3 as an IP-based network. While the majority of customers opt for the IP-based
option, customers with particular security or infrastructure needs may choose the layer 2 option, handling
the network layer themselves. MPLS enables service providers to offer a range of options to meet their
customers’ specific requirements.

MPLS VPN basics: Pros and cons

What are the advantages of an MPLS VPN? High performance and ease of deployment are often cited
as the advantages of an MPLS VPN over other solutions. Unlike traditional VPNs, which presume that
corporate data is being transmitted on public networks, MPLS VPNs use an isolated private network,
making the need to encrypt data between sites an optional feature, based on the organization’s level of
trust that the service provider can effectively segregate its customers’ networks.

What are the disadvantages of an MPLS VPN? Like any managed service, an MPLS VPN solution
ultimately requires a leap of faith for both the organization and the wide area network (WAN) engineers
themselves. Unlike typical point-to-point VPN solutions, which usually have been managed and
maintained in-house, using MPLS requires outsourcing your VPN. While relinquishing control of the VPN
can take the workload off the WAN engineer, the organization is still at the mercy of the service provider
for any moves, adds or changes that need to occur. For many, having to submit a request to the service
provider to have configuration changes made, instead of simply making the changes themselves, could
be a significant culture shock.

Layer 3 VPN architectures


By Crystal Bedell
SearchEnterpriseWAN.com

The primary role of a virtual private network (VPN) is to provide secure connectivity over a shared
infrastructure. There are several types of VPNs and each provides a varying degree of security and
scalability. The purpose of this guide is to serve as an introduction to Layer 3 VPN architectures. As you
consider these VPN architectures, be mindful of the type of traffic you want to transmit (data, voice, etc.),
the business factors that may dictate future scalability needs and the resources you have to manage and
administer a VPN.

MPLS VPN architectures


MPLS VPNs send site-to-site VPN communications using Border Gateway Protocol (BGP)
signaling, Multiprotocol Label Switching (MPLS) traffic isolation and router support for virtual routing and
forwarding (VRF). MPLS labeling algorithms are used to encapsulate IP packets, and BGP is used to
distribute VPN-related information between a company’s customer edge (CE) router and a service
provider’s edge label switch router. Unlike other Layer 3 VPNs that use encryption to secure data, MPLS
VPNs address security by separating customer traffic, in a manner similar to Frame Relay and ATM. In
addition, the labels of packets are examined to ensure that those that do not belong to the MPLS VPN are
dropped.

An MPLS VPN is configured in either a star or full mesh topology. To set up an MPLS VPN, the
customer’s and service provider’s MPLS-enabled network devices must be provisioned accordingly. You
can learn in these two tips how to prepare enterprise WANs for MPLS/VPN integration or find out when
companies should consider building MPLS networks.

Benefits of MPLS VPNs

MPLS VPNs enable service-level agreements and provide scalability and end-to-end Quality of Service
(QoS). Thus, they are a good option if you want to outsource your WAN or need to ensure QoS for delay-
sensitive traffic on a converged network. For more information, view these resources:
- MPLS technology overview
- MPLS VPN basics
- Understanding Layer 3 MPLS VPNs
- Find the best MPLS/VPN service for your WAN.

IPsec VPN architectures


An IPsec (Internet Protocol Security) VPN supports a variety of security functions to protect data as it
travels over a public or private IP network. Packets are encrypted for data confidentiality and
authenticated for data integrity. The source of packets is authenticated for data origin authentication,
and anti-replay prevents delivery of duplicate packets. IPsec VPNs allow network architects to dictate what
traffic is protected, how it is protected and who can receive it. The Internet Key Exchange (IKE) is used to
authenticate the peers and negotiate these parameters and the session keys between network devices. An
IPsec VPN is usually configured in a star network topology.

Remote access IPsec VPN architectures

Remote access IPsec VPNs use specialized client software to initiate a secure connection with a private
network. The user runs the software and selects a destination, such as a host name or an IP
address. Once the user is authenticated and the IPsec tunnel is established, the user
accesses applications as if from the corporate LAN. Because every client terminates on a central
gateway, remote access IPsec VPNs form a star topology.

Site-to-site IPsec VPN architectures

In the case of site-to-site IPsec VPNs, session negotiation and authentication occur between IPsec-
enabled VPN routers at different locations. Instead of launching client VPN software, users launch
applications directly. The router then initiates an IPsec session with the central location. After successful
negotiation and authentication, a secure VPN tunnel is established.

Benefits of IPsec VPNs

IPsec VPNs provide a number of security functions, such as encryption and per-packet authentication,
beyond those you'll find in an MPLS VPN. This type of Layer 3 VPN also costs less and offers more
flexibility than private networks based on WAN infrastructures -- like leased line and Frame Relay --
because it uses public network access or existing private IP networks. IPsec VPNs are also easy enough
to set up that many IT departments choose to do so themselves.
Unlike clientless Secure Sockets Layer (SSL) VPNs, which proxy only Web-enabled applications, IPsec VPNs
carry arbitrary IP traffic and so allow access to nearly all networked applications.

SSL VPN architectures

An SSL VPN provides remote access to Web-based applications via a Web browser. When the Web
browser connects to an SSL VPN device, the device proves its identity to the browser with a digital
certificate, and the user is then authenticated, by password, token or client certificate, before any internal
resource is exposed. The traffic sent between them is encrypted using Transport Layer Security (TLS), the
successor to the Secure Sockets Layer (SSL). The SSL name has stuck, but SSL itself is deprecated and a
current deployment should accept TLS 1.2 or later only.
This type of VPN does not require the use of specialized client software. However, because a clientless
SSL VPN works at the session layer, proxying individual application sessions, it does not support
applications that are not Web-enabled, such as standard email clients and multicast applications. SSL VPN
products that push a lightweight agent to the endpoint can tunnel arbitrary IP traffic, at the cost of the
install step the clientless mode avoids.

In an SSL VPN, the device must keep track of each connection or application session. This tracking
is handled by application proxies and requires adequate memory. To prevent bottlenecks created by
compute-intensive encryption processes, the server requires adequate processing resources. The SSL
VPN device can be integrated within the existing network topology.

More on SSL VPN architectures and benefits


Benefits and different types of SSL VPNs
Web SSL VPN introduction
Web SSL VPN advantages: Secure remote access
VPNs for disaster recovery: IPsec vs. SSL

Benefits of SSL VPNs

An SSL VPN offers flexible remote access. Web-based applications can be securely accessed from any
device with a Web browser and Internet connection -- no specialized client software is required. As a
result, end users can work securely from anywhere.  An SSL VPN is also beneficial to the IT department
because it eliminates the need to install and manage additional software. This is particularly helpful when
you need to give network access to devices that aren’t managed internally.   

SSL itself offers several additional benefits. It is broadly supported by commercial Web browsers, so there
is low training overhead. Also, because SSL sessions are not locked to an IP address, users can enjoy
transparent wireless roaming across access points. SSL also enables granular access control. You can
limit an individual user’s access to specific Web pages or other internal resources.
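The per-user, per-resource control described above is enforced by the SSL VPN's application proxy, and the part that goes wrong in practice is path handling. As an added example, not from the article or any vendor product, the policy evaluator below maps users to allowed URL path prefixes, canonicalizes every request path (percent-decoding, including double encoding, and collapsing dot segments) before the rule check, matches only on whole path segments, and denies anything not explicitly allowed. The users, paths and rules are constructed for illustration.

```python
"""Per-user resource access control of the kind an SSL VPN portal enforces.

Added example; not from the article or a vendor product.  Requests are
canonicalised before the rule check so that encoded or dotted paths cannot
slip past a prefix rule; anything not explicitly allowed is denied.
"""
import posixpath
from urllib.parse import unquote, urlsplit


def canonical_path(raw_path):
    """Reduce a request path to the form the rules are written against."""
    path = urlsplit(raw_path).path          # drop query string and fragment
    for _ in range(2):                        # undo double encoding (%252e -> %2e -> .)
        path = unquote(path)
    path = path.replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)           # collapses "." and ".." segments


class AccessPolicy:
    def __init__(self):
        self._allow = {}   # user -> list of allowed canonical path prefixes

    def allow(self, user, prefix):
        self._allow.setdefault(user, []).append(canonical_path(prefix))

    def is_permitted(self, user, raw_path):
        """Default deny: True only if a rule for this user covers the path."""
        path = canonical_path(raw_path)
        for prefix in self._allow.get(user, []):
            # match whole segments only: "/intranet/hr" must not grant "/intranet/hr-admin"
            if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
                return True
        return False


def demo_policy():
    """Constructed rules: alice sees HR and webmail, bob sees the whole intranet."""
    policy = AccessPolicy()
    policy.allow("alice", "/intranet/hr/")
    policy.allow("alice", "/webmail/")
    policy.allow("bob", "/intranet/")
    return policy


if __name__ == "__main__":
    p = demo_policy()
    for user, path in [("alice", "/intranet/hr/payroll.html"),
                       ("alice", "/intranet/hr/../finance/"),
                       ("alice", "/intranet/hr/%2e%2e/finance/"),
                       ("carol", "/webmail/")]:
        print(user, path, "->", "allow" if p.is_permitted(user, path) else "deny")
```

Canonicalizing before the check matters more than the rule syntax: a proxy that compares the raw request string would let `/intranet/hr/%2e%2e/finance/` through a rule written for `/intranet/hr/`.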

Which VPN should your business network implement?


By Crystal Bedell and other contributors
SearchEnterpriseWAN.com

Businesses can reap the benefits of an SSL VPN as well as an IPsec VPN with a well thought out VPN
strategy. In this section of the VPN guide, many questions about business VPNs are answered. Is a Web-
based SSL VPN a good fit for your organization, or should you go with the more traditional IPsec VPN?
Should you consider alternatives to SSL and IPsec VPNs? Find out which VPN you should choose for
your organization and how to implement the right security strategy or skip to other sections in the VPN
tutorial using the table of contents below.

Table of contents
- VPN tutorial: Understand the basics of IPsec and SSL VPNs
- VPN types: Protocols and network topologies of IPsec VPNs
- The benefits and different types of SSL VPNs
- Mobile VPN solutions and benefits
- Which VPN should your business network implement?

Introduction: Use both IPsec and SSL


The "Which virtual private network (VPN) do I choose?" question doesn’t have to be an either/or
proposition. Both Web-based SSL and IPsec VPNs have their advantages and drawbacks. Businesses
can reap the benefits of both with a well-thought out VPN strategy.

"These two technologies are complementary rather than exclusive: Both protocols provide a valid solution
for securing remote access users, and each has its own merits," said Itay Yanovski, Zim Shipping's
information security officer. "At our organization we use both IPsec and SSL VPNs, and as the company's
security officer I wouldn't give up either."

Vivian Ganitsky, management director of Juniper Networks’ SSL VPN product line, said plenty of
Juniper's customers feel the same way. As a result, she said the company's latest product overhaul is
designed to make it easier for companies to use both IPsec and SSL.

"The great benefit with IPsec is that it's a fast mode of transport," she said. "It is optimized for quick
access to VoIP and streaming media, and fast access to items at the network layer."

But while many companies still use IPsec and SSL, Forrester Research analyst Rob Whiteley believes
most will eventually push IPsec to the sidelines and go full-on with SSL.

"We are in a transition phase," he said in an interview with Information Security magazine, a sister
publication to SearchSecurity.com. "We are going to see more SSL deployments until IPSec becomes the
niche technology, which is the reverse of today."

He recommended enterprises assess their applications and ensure internal compatibility with their VPN
plans. Exhaustive SSL VPN evaluations should be conducted and IPsec should be maintained for
specialized applications that are not Web enabled, he said.

This information was excerpted from Is IPsec on borrowed time?  by Bill Brenner.

Which VPN is right for you?


Making the SSL VPN decision: What you should know and ask
Five best VPN tools

Questions to ask when deciding which VPN to use

Is a Web-based SSL VPN a good fit for your organization, or should you go with the more traditional
IPsec VPN? Here are some questions you should ask when determining which VPN to deploy:

- Are your company's applications all browser-based?
- Do browser-based applications already use SSL? (If so, then there's no need for additional VPN
functionality to be added.)
- Do you want to avoid installing IPsec software on all user client computers or mobile devices?
- Are residential broadband providers blocking and/or charging more for IPsec traffic?
- Are remote users coming in through NAT routers? (IPsec can cross NAT with NAT traversal, RFC 3948,
which carries ESP inside UDP port 4500, but both the client and the gateway must support it.)

If you’ve decided that an IPsec VPN better meets your needs, but don’t have the budget for one, a free
VPN client or even an alternative to a VPN might be in order. In that case, ask yourself:

- Why are you looking for a VPN client?
- Are you planning to tunnel to an enterprise network?
- Are you hoping to provide secure remote access to your small business network?
- Are you trying to protect traffic on a residential wireless LAN?

In each case, the best answer may be different.

- Users tunneling to enterprise VPNs are typically required to use the client dictated by that
network's operator. In some cases, a specific client is required to support vendor extensions. The
company may also supply the necessary security policy in a client-specific format.
- Users seeking secure access to a SOHO (small office/home office) LAN must weigh the value of
the data and network being protected against the cost of the VPN, including hardware, software,
and configuration/maintenance. Many small businesses have used the Point-to-Point Tunneling Protocol
(PPTP) VPN client freely available in every Windows PC to reach either a Windows NT/2000 server
or a VPN/firewall appliance that supports PPTP. It is easy to set up, but PPTP's MS-CHAPv2
authentication can be cracked offline and its MPPE encryption keys derive from that same exchange, so it
no longer provides even lightweight protection; the IKEv2/IPsec or L2TP/IPsec clients built into current
operating systems are the equivalent no-cost choice.
- Users that want something better than Wired Equivalent Privacy (WEP) between peers on a
residential wireless LAN must first find a VPN server. Can your access point or gateway act as a
VPN server for your wireless LAN? If not, can you connect one PC or an inexpensive security
appliance to an Ethernet port on your access point to act as a VPN server? Or can you run peer-to-
peer IPsec between wireless stations? (This requires security know-how, but is often possible.) Today
WPA2 or WPA3 on the access point itself is the first thing to turn on; the VPN then protects against a
compromised or untrusted access point rather than substituting for link-layer security.

You should also consider the traffic you are hoping to protect with a VPN client. After all, why use a
sledgehammer if a tack hammer will do?

- If you're looking to exchange secure email with business partners, consider an email encryption
program like Pretty Good Privacy.
- The wide area network (WAN) administrator looking for a secure way to manage corporate
routers and servers from home may find Secure Shell does the trick.
- The road warrior looking for roaming access to his always-on PC back at home may consider a
commercial secure desktop access service like GoToMyPC.

Is a mobile VPN right for your WAN?


Mobile VPN roadtest
Mobile computing security concerns lead to more IPS, SSL VPN spending.

Where mobile VPNs are useful


Mobile VPN products operate over many kinds of networks, from satellite links and GSM to Wi-Fi and 3G.
Some mobile VPNs are network-agnostic, sending exactly the same messages over any data link. Others
are network-aware, adjusting messages to optimize performance over high-latency or low-
bandwidth links. Some mobile VPNs simply use the connection with the highest data rate. Others let you
control link selection and/or automate network authentication with configurable policies.

Mobile VPN clients have been developed for many devices and operating systems -- from Windows
XP/2000 laptops and tablets to smartphones and wireless point-of-sale terminals. Because of this,
platform support varies widely and often depends on nitty-gritty details such as OS version, hardware
model, and wireless adapter. Some mobile VPN clients can even be purchased with an SDK for porting to
additional platforms.
→ For more information about mobile VPNs, see the mobile VPN solutions and benefits section of our
VPN tutorial.

Look before you decide which VPN to implement

Deciding which mobile VPN meets your network and device requirements is just the first step. Selecting
the right mobile VPN for your workforce will involve evaluating many requirements -- including the VPN's
ability to implement and enforce your company's security policy.

What often matters most is usability and reliability. Will adopting a mobile VPN really make your
workforce more productive? More competitive? More responsive? To answer those questions, read this
article on test-driving mobile VPNs.
This information was excerpted from Mobile VPN: Closing the gap, by Lisa Phifer.

Alternatives to SSL and IPsec VPNs

A VPN, by definition, provides privacy by employing tunneling protocols that encrypt data at the sending
end of the tunnel and decrypt it at the receiving end. This is not to be confused with protocols that provide
tunneling but do not provide privacy -- but might still be referred to as a VPN!
Generic Routing Encapsulation (GRE), defined by RFC 2784, is a simple IP packet encapsulation
protocol. GRE is used when IP packets need to be sent from one network to another without being
parsed or treated like IP packets by any intervening routers. GRE adds no encryption and no
authentication: the inner packet travels in the clear, and the optional header checksum only catches
accidental corruption, since anyone who changes the packet can recompute it.
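To make the "tunneling without privacy" distinction concrete, the following added example (not from the article) builds and parses the RFC 2784 GRE header, including the optional checksum, around a constructed inner packet. It shows that the inner bytes appear verbatim in the outer payload and that the checksum detects accidental corruption but is no defence against a deliberate change, because the receiver cannot tell a recomputed checksum from the original. Protocol number and payload bytes are constructed for the demonstration.

```python
"""Generic Routing Encapsulation (RFC 2784) header build and parse.

Added example; not from the article.  GRE carries the inner packet
byte-for-byte in the clear; the optional checksum is a plain one's-
complement sum that any on-path party can recompute after tampering.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
FLAG_CHECKSUM = 0x8000      # the C bit; all other flag/version bits must be zero


def _inet_checksum(data):
    """One's-complement checksum as used by IP and by GRE (RFC 2784 section 2.2)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(inner_packet, protocol=ETHERTYPE_IPV4, checksum=True):
    """Return GRE header + inner packet; the result becomes the outer IP payload."""
    if not checksum:
        return struct.pack("!HH", 0, protocol) + inner_packet
    # the checksum covers the GRE header (checksum field zeroed) plus the payload
    header = struct.pack("!HHHH", FLAG_CHECKSUM, protocol, 0, 0)
    csum = _inet_checksum(header + inner_packet)
    return struct.pack("!HHHH", FLAG_CHECKSUM, protocol, csum, 0) + inner_packet


def gre_decapsulate(gre_payload):
    """Return (protocol, inner_packet); raise ValueError on a bad header or checksum."""
    flags, protocol = struct.unpack("!HH", gre_payload[:4])
    if flags & 0x7FFF:          # anything other than the C bit is rejected here
        raise ValueError("unsupported GRE flags or version")
    if not flags & FLAG_CHECKSUM:
        return protocol, gre_payload[4:]
    if _inet_checksum(gre_payload) != 0:   # a correct packet sums to zero
        raise ValueError("GRE checksum mismatch")
    return protocol, gre_payload[8:]


def demo():
    """Constructed inner packet; returns what an observer and a receiver see."""
    inner = b"\x45\x00" + b"SECRET: constructed inner IPv4 packet"
    outer_payload = gre_encapsulate(inner)
    protocol, recovered = gre_decapsulate(outer_payload)
    # flip one bit in the payload: the checksum catches it...
    tampered = outer_payload[:-4] + bytes([outer_payload[-4] ^ 0x20]) + outer_payload[-3:]
    try:
        gre_decapsulate(tampered)
        corruption_detected = False
    except ValueError:
        corruption_detected = True
    # ...but an attacker simply re-encapsulates and the receiver is none the wiser
    forged = gre_encapsulate(tampered[8:])
    forgery_accepted = gre_decapsulate(forged)[1] == tampered[8:]
    return protocol, recovered == inner, inner in outer_payload, corruption_detected, forgery_accepted
```

Every hop carrying the outer packet can read `SECRET:` in the payload, which is why GRE is paired with IPsec whenever the path is not trusted.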
The future of SSL VPNs
IPsec is part of the IPv6 standard and was originally mandatory in every IPv6 end node (RFC 6434 has
since relaxed that to a recommendation), but even where it is present it does not have to be turned on.
If IPv6 catches on and most applications turn on the IPsec feature, then SSL will be unnecessary. As that
is not the case today, we can at least reap the other benefits of SSL, such as greater compatibility with
NAT routers, no need to install client software, etc.
The IPsec Encapsulating Security Payload (ESP), defined by RFC 2406 (now RFC 4303), also encapsulates IP
packets. However, it does so for a different reason: to secure the encapsulated payload using encryption
and an integrity check. IPsec ESP is used when IP packets need to be exchanged between two systems while
being protected against eavesdropping or modification along the way. The two are often combined, with
GRE carrying multicast or non-IP traffic inside a tunnel that ESP then protects.
You might also come across L2TP and MPLS VPNs. Multi-Protocol Label Switching (MPLS) is not a routing
protocol but a forwarding technique: packets are tagged with labels that tell routers how to handle them,
and the labels themselves are distributed by routing and label-distribution protocols. Different labels
allow for different forwarding paths between endpoints, which can be used to implement different classes of
service in the network. Layer 2 Tunneling Protocol (L2TP) is an encapsulation technique that allows
packets to be transported between a pair of endpoints inside IP packets. Both MPLS and L2TP may be
used to transport IP and non-IP protocols. MPLS may be used to implement a VPN, with network privacy
ensured by controlling the routing of the packets rather than by encryption. Because L2TP is intended for
use over the public Internet, it is normally used with encryption (L2TP/IPsec, RFC 3193) to ensure privacy and
authenticity.

VPN tutorial: The basics of IPsec and SSL VPNs


By Crystal Bedell and other contributors
SearchNetworkingUK

The virtual private network (VPN) used to be a new concept for most businesses; nowadays, it is included
in many security-related products. In this VPN tutorial you will learn all about VPN basics, starting with the
different types of VPNs and ending with a VPN implementation strategy. In the first section of the tutorial
(below), learn the basics of IPsec and SSL VPNs and how they are deployed, or skip to other sections in
the VPN tutorial using the table of contents below.

- VPN tutorial: Understand the basics of IPsec and SSL VPNs
- VPN types: Protocols and network topologies of IPsec VPNs
- The benefits and different types of SSL VPNs
- Mobile VPN solutions and benefits
- Which VPN should your business network implement?

About fifteen years ago the virtual private network (VPN) was a fairly new concept to most businesses.
Today, the VPN is considered a standard feature in any serious security- and router-related product, and
the technology is increasingly becoming a requirement for doing business online. It is common knowledge
that many of the protocols and applications used on the Internet send information in cleartext. Encrypting
data over public networks via a VPN helps prevent attackers from sniffing sensitive data off the wire and
helps businesses comply with strict data privacy laws.
→ For more information on meeting strict data privacy laws, you can learn how to manage compliance
and secure file transfers across a wide area network (WAN), in this Q&A.
Early VPN products required -- as many still do -- their own client, which is usually installed on the remote
workstation that needs access to the local network. The encryption methods and supported protocols
made them either a very good choice or a very bad one, because some could easily be compromised. For
example, the Point-to-Point Tunneling Protocol (PPTP) was a popular choice for VPN solutions but did not
provide adequate security: its MPPE encryption (RC4, carried inside GRE tunnels) and its MS-CHAP
authentication are both weak, and an MS-CHAPv2 exchange captured on the wire can be cracked offline.

Today, IPsec-based VPNs are the standard. Using the Internet Protocol Security and a number of other
related protocols, they provide adequate security and encryption to ensure that a session is secure and
properly encrypted.

More VPN tutorial resources


As legislation passes, enterprises need to get VPN-ready.
Is IPsec on borrowed time?
Using a VPN is crucial for WAN managers trying to secure road warriors.
Mobile computing security concerns lead to more IPS and SSL VPN spending.
What is Virtual Routing and Forwarding?
Understand Network Address Translation (NAT).
How does VPN tunneling work?

In addition, a broader range of applications and the mobilization of data have paved the way for SSL
VPNs and mobile device VPNs. As enterprises broaden the range of devices their employees use to
access sensitive data, they are also expanding the number of applications that are transmitting that data.
An SSL VPN can help protect all of these applications. 

Businesses have more options than ever before to protect their sensitive data while enabling remote
access and complying with data privacy laws. At one time the question was, “IPsec or SSL?” But some
businesses are finding that the two are not mutually exclusive. Each technology offers its own advantages
that can be reaped when considered as part of a larger remote access plan.

This VPN tutorial was created to help you understand the basics of IPsec and SSL VPNs. By first
understanding the protocols, and then how IPsec and SSL VPNs are deployed, you will develop a
knowledgebase that will serve as the foundation for developing a VPN strategy that meets the remote
access needs of all your users on your enterprise WAN while taking into account your IT organization’s
resources and capabilities.

VPN types: Protocols and network topologies of IPsec VPNs


By Crystal Bedell and other contributors
SearchEnterpriseWAN.com
The IPsec suite was developed to address some of the fundamental security flaws of IPv4. In order to
address these problems, four services were provided: data transmission encryption, data integrity
validation, data source authentication and data state integrity. In order to provide these services, a
number of protocols had to be introduced to IPsec VPNs. In this VPN tutorial, you will learn about the
protocols that make IPsec secure and the network topologies of IPsec VPNs. You can also navigate the
table of contents to read other sections of the VPN tutorial.
- VPN tutorial: Understand the basics of IPsec and SSL VPNs
- VPN types: Protocols and network topologies of IPsec VPNs
- The benefits and different types of SSL VPNs
- Mobile VPN solutions and benefits
- Which VPN should your business network implement?
An introduction to IPsec VPNs
The IPsec VPN framework is a suite of IETF standards that delivers secure transmission of data over
unsecured networks, like the Internet. IPsec VPNs provide protocols to secure communications at
the Network Layer along with a mechanism for exchanging identity and security protocol management
information. The IPsec suite was developed to address some of the fundamental security flaws of IPv4.

To address these vulnerabilities, the IETF has developed different protocol standard definitions. These
standards provide four basic services:

- Data transmission encryption: The originating host can encrypt packets prior to transmission.
- Data integrity validation: The receiving host can verify each packet to ensure that what was
received is exactly what was transmitted and was not modified in transit.
- Data source authentication: The originating host can mark packets, so the receiver can
authenticate them.
- Data state integrity: The originating and receiving hosts can mark packets, so any re-
transmission of the data stream can be detected and rejected (this is known as anti-replay).
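The anti-replay service in the last item is implemented on the receiver with a sliding window over the per-packet sequence number, as described in RFC 4303 Appendix A. The following is an added example, not from the article: a window of configurable size (at least 32) that records which recent sequence numbers have been accepted, rejects anything older than the window or already seen, and, importantly, only advances once the packet's integrity check has passed, so that forged packets cannot move the window and knock legitimate ones out of it. The `icv_ok` flag stands in for the result of that integrity check; the packet sequences are constructed.

```python
"""Sliding-window anti-replay check for IPsec ESP/AH (RFC 4303, Appendix A).

Added example; not from the article.  The receiver remembers the highest
sequence number accepted and a bitmap of the last `size` numbers.  Window
state changes only after the integrity check value (ICV) verified.
"""


class ReplayWindow:
    def __init__(self, size=64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = size
        self.last_seq = 0     # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (last_seq - i) was accepted

    def check(self, seq, icv_ok):
        """Return True if the packet with this sequence number is accepted."""
        if seq == 0:
            return False      # the first packet on an SA carries sequence number 1
        if not icv_ok:
            return False      # never touch the window on a bad ICV
        if seq > self.last_seq:
            # new right edge: slide the window and mark this packet
            shift = seq - self.last_seq
            if shift >= self.size:
                self.bitmap = 1                       # jumped past the whole window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= self.size:
            return False      # older than the window: reject
        if self.bitmap & (1 << diff):
            return False      # already accepted: replay
        self.bitmap |= 1 << diff
        return True


def simulate(packets, size=64):
    """Run (seq, icv_ok) tuples through one window and return the accept decisions."""
    window = ReplayWindow(size)
    return [window.check(seq, ok) for seq, ok in packets]


if __name__ == "__main__":
    # constructed arrival order: reordering is tolerated, replays are not
    stream = [(1, True), (3, True), (2, True), (2, True), (3, True),
              (100, True), (36, True), (37, True), (50, False), (50, True), (0, True)]
    for (seq, ok), accepted in zip(stream, simulate(stream)):
        print(f"seq={seq:3d} icv_ok={ok!s:5} -> {'accept' if accepted else 'reject'}")
```

Reordering inside the window is allowed (packet 2 arriving after 3 is fine), which is why the window exists at all; a strict "must be greater than last" rule would drop legitimate traffic on any path that reorders.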
IPsec VPNs at a glance
- They work at OSI Layer 3.
- IPsec VPNs provide a secure tunnel between a remote location and a corporate network.
- IPsec VPNs require host-based clients and hardware at a central location.
- Ongoing IPsec VPNs configuration maintenance and account administration can be burdensome.
- Users have full office functionality.
- There is little granularity in IPsec VPNs access control.
- IPsec VPNs are optimized for fast access to VoIP and multimedia and items at the network layer.
IPsec VPNs use a number of different security protocols to provide these services. From a lower level,
these protocols can be broken down into two different camps: packet protocols and service protocols. The
packet protocols are used to provide data security services. There are two IPsec packet protocols:
Authentication Header (AH) and Encapsulating Security Payload (ESP). There are a number of service
protocols, but the primary one is the Internet Key Exchange protocol (IKE).

Below is a quick overview of the protocols commonly used in IPsec VPN implementations:
Authentication Header: AH, defined in IETF RFC 2402 (updated by RFC 4302), supports IPsec data
validation, authentication and integrity services. It does not support data encryption. AH can be used by
itself or alongside ESP, although in practice ESP with an integrity algorithm is far more common. AH is
used when we only need to be sure with whom we are exchanging data and that it was not altered. Because
AH authenticates the outer IP header as well, it cannot pass through network address translation; ESP can.
Encapsulating Security Payload: ESP, defined in IETF RFC 2406 (updated by RFC 4303), supports IPsec
data encryption, validation, authentication and integrity services. ESP can be implemented alone or with
AH. While the AH header is pre-pended to the data payload portion of the IP packet, ESP wraps the
entire data portion of the IP packet in a header (SPI and sequence number) and a trailer (padding, pad
length and next header), followed by an integrity check value. Encryption-only ESP is permitted by the
specification but is insecure and should not be configured; always pair encryption with an integrity
algorithm, or use a combined mode such as AES-GCM.
Internet Security Association and Key Management Protocol (ISAKMP): ISAKMP provides the
framework and processes for implementing IPsec VPN service negotiation. ISAKMP is defined
in IETF RFC 2408 and IKE in IETF RFC 2409; both have been superseded by IKEv2 (RFC 7296), which
folds them into a single protocol. ISAKMP defines the schemes, syntax and procedures for creating and
deleting authentication keys and security associations (SAs). IPsec peers use SAs to keep track of the
different aspects of the security service policies negotiated between different IPsec peers.
Internet Key Exchange: IKE is a hybrid of the Oakley key determination protocol and the SKEME key
exchange protocol. IKE runs inside the ISAKMP framework to negotiate and manage the IPsec security
associations between IPsec VPN peers, but the two are not the same thing: ISAKMP defines the message
framework, and IKE defines the actual authentication and key exchange. IKE is the mechanism that
establishes the IPsec connection between IPsec peers.
This article excerpt was adapted from IPsec protocol details for implementing VPNs, by Michael J. Martin.
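The ESP framing just described (header, trailer, integrity check value) and the encrypt-then-authenticate services promised in the IPsec section of the Layer 3 architectures guide earlier on this page are shown below in an added example that is not from the article or any IPsec implementation. It builds RFC 4303 packets with HMAC-SHA-256-128 (RFC 4868) as the integrity algorithm. The Python standard library has no AES, so the confidentiality transform is a keystream generated with HMAC-SHA-256 in counter mode; that is a stand-in for AES-CTR and not a registered ESP transform, and the keys, SPI, sequence number and inner packet are constructed for the demonstration. The receiver verifies the ICV before it decrypts anything, which is the order ESP mandates.

```python
"""Build and parse IPsec ESP packets (RFC 4303 framing).

Added example; not from the article or any IPsec implementation.
Integrity: HMAC-SHA-256-128 (RFC 4868), encrypt-then-MAC as ESP specifies.
Confidentiality: an HMAC-SHA-256 counter-mode keystream standing in for
AES-CTR, because the standard library has no AES.  Not a registered transform.
"""
import hashlib
import hmac
import os
import struct

IV_LEN = 8
ICV_LEN = 16            # HMAC-SHA-256-128 truncates the 32-byte tag to 16 bytes
NEXT_HEADER_IPV4 = 4    # IP-in-IP: tunnel mode carrying a whole IPv4 packet
DEMO_INNER = b"constructed inner packet: secret payload"


def _keystream(key, iv, length):
    """PRF in counter mode; stand-in for a real ESP encryption algorithm."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_encapsulate(enc_key, auth_key, spi, seq, inner_packet, next_header=NEXT_HEADER_IPV4):
    """Return SPI | seq | IV | ciphertext(payload | padding | pad len | next hdr) | ICV."""
    # pad so that pad length + next header end on a 4-byte boundary (RFC 4303 2.4)
    pad_len = (-(len(inner_packet) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))       # RFC 4303 default padding content
    plaintext = inner_packet + padding + bytes([pad_len, next_header])
    iv = os.urandom(IV_LEN)
    ciphertext = _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    header = struct.pack("!II", spi, seq)
    authenticated = header + iv + ciphertext      # ICV covers header, IV and ciphertext
    icv = hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    return authenticated + icv


def esp_decapsulate(enc_key, auth_key, packet):
    """Verify the ICV, then decrypt; return (spi, seq, next_header, inner_packet).

    Raises ValueError on a bad ICV or malformed trailer.  The ICV is checked
    before decryption, so nothing attacker-controlled is ever acted on.
    """
    if len(packet) < 8 + IV_LEN + 2 + ICV_LEN:
        raise ValueError("packet too short")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):   # constant-time comparison
        raise ValueError("ICV mismatch")
    spi, seq = struct.unpack("!II", body[:8])
    iv, ciphertext = body[8:8 + IV_LEN], body[8 + IV_LEN:]
    plaintext = _xor(ciphertext, _keystream(enc_key, iv, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len > len(plaintext) - 2:
        raise ValueError("bad pad length")
    inner = plaintext[:len(plaintext) - 2 - pad_len]
    return spi, seq, next_header, inner


def roundtrip_demo():
    """Constructed keys and payload; returns (parsed fields, tamper detected, payload hidden)."""
    enc_key, auth_key = os.urandom(32), os.urandom(32)
    pkt = esp_encapsulate(enc_key, auth_key, spi=0x1000, seq=1, inner_packet=DEMO_INNER)
    tampered = pkt[:20] + bytes([pkt[20] ^ 0x01]) + pkt[21:]   # flip a ciphertext bit
    try:
        esp_decapsulate(enc_key, auth_key, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return esp_decapsulate(enc_key, auth_key, pkt), tamper_detected, DEMO_INNER not in pkt
```

Two separate keys are used on purpose: ESP derives distinct encryption and authentication keys from the IKE key material, and reusing one key for both roles is a classic mistake in home-grown protocols.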
Site-to-site VPN configuration

[Figure: site-to-site VPN diagram]

In the site-to-site VPN configuration above, each node is connected to a discrete network, separated by
other unsecured or public networks. Depending on the security requirements for these network segments,
it could be the case that end nodes on the networks are not able to exchange data unless the VPN is in
place. This type of VPN configuration is known as a closed site-to-site network topology. Alternatively, the
end nodes connected to the segments could have the ability to freely exchange data, utilizing other
networks to relay the data back and forth. This data exchange, however, is unsecured. In this kind of
network environment, IPsec VPNs can be employed to secure some or all of these data exchanges. This
type of VPN configuration is known as an open site-to-site network design. The key point is that in either
case, IPsec VPNs are implemented using gateways that secure the data exchanges. And, more
importantly, the securing of the data exchanges is done without any knowledge of the end nodes
connected to the networks being secured.

This section was excerpted from IPsec VPN connection models: Site-to-site and client-to-site, by Michael
J. Martin.
→ For more information, view these VPN and remote access security best practices.
Client-to-site VPN configuration

[Figure: client-to-site VPN diagram]


The open and closed models hold true in the case of a client-to-site topology as well as a site-to-site
topology. Connectivity between nodes separated by (or adjacent to) the IPsec gateway may or may not
be restricted. In an open client-to-site topology, only the network path between the end node and the IPsec
gateway is secured; the client can still reach nodes behind the gateway by other, unsecured paths. In a
closed client-to-site topology, the path between the end node and gateway is secured, and data exchanges
between the client node and nodes adjacent to (i.e., behind) the IPsec gateway are only possible while a
connection to the IPsec gateway exists.
In both topologies, the relationship between the client node and the IPsec gateway is architecturally
similar to a traditional PSTN (public switched telephone network) remote-access dial network. The end
node establishes a connection to the gateway and the two communicate as IPsec peers. Additionally, the
gateway provides the end node an IP identity that gives the client node IP network access to other end
nodes directly connected (via VPN) and adjacent to the IPsec gateway. The communications between the
client end node and the gateway are secured with IPsec. Communications between the client end node and
other end nodes adjacent to the IPsec gateway, however, are not secured by the VPN: once the gateway
has decrypted the traffic, it crosses the internal network in whatever form the application sent it.
