
IP VPN: Private Tunnel

VoicenData Bureau



Today’s competitive environment calls for companies of all sizes to maximize productivity in order to grow revenues, cut costs, enhance customer satisfaction, boost bottom lines and survive economic slowdowns. The fittest will survive.

To stay ahead, enterprises are deploying various mission-critical applications, ranging from enterprise resource planning (ERP) to customer relationship management (CRM) and supply chain management (SCM). With all these mission-critical applications requiring network connectivity, the role of networks is becoming critical to businesses. The evolution of internetworking technologies has clearly been a key contributor to the vastly improved efficiencies within organizations. Networking is in. And it’s here to stay.

In the battle for business supremacy, and even survival, factors like remote offices, mobility of employees, extended supply chains and global reach have become decisive across industries. The actual location of employees, offices, factories and warehouses has become secondary because internetworking technologies help connect people and business processes in ways unimaginable until a few years ago.


On one hand, increased connectivity within the enterprise offers tremendous advantage and flexibility. On the other hand, it also demands strong network security. Transmitting sensitive data across a public network such as the Internet, and allowing transactions to take place over an intranet or extranet, is not without risk. If an unauthorized party disrupts or damages the corporate network, or intercepts key files, the results can be costly.

Dilemma of Legacy Networks



A comparison of WAN options across private lines, ATM, Frame Relay and IP VPNs shows that while private networks are secure, they are also complex and cumbersome to set up and manage, and costly to maintain. They are not usually flexible or scalable. Private networks, by design, are limited: because a given private line links only two sites of a single customer in a point-to-point fashion (no one else can use that capacity), they deliver a secure but expensive and rigid solution.

There is no way to connect a third site and have all sites interconnected in an any-to-any fashion without requiring each site to maintain leased line connections to each of the other sites. Further, users have to pay the same amount whether they run traffic for three hours or 24 hours a day.


Frame Relay or ATM networks are efficient when it comes to stable traffic patterns in a spoke-to-hub design. They work best where traffic flow is steady and predictable from the remote sites to the central location. These approaches involve setting up a permanent virtual circuit (PVC) between each spoke and the hub. Setting up numerous PVCs is costly and justifiable only if the PVCs are expected to see high utilization. Consequently, these networks also tend to be complex, cumbersome and costly. Moreover, supporting IP alongside the legacy network means carrying the overhead of both, so a piecemeal migration from legacy to IP prolongs that double cost; the cleaner course is to migrate the entire network in one step.

IP-based networks are more efficient for mesh networks, where traffic flows in a many-to-many pattern. IP-based networks do not require PVCs, and users need not constantly set up and adjust PVCs between communicating points. IP-based VPNs give the freedom and flexibility to scale a business quickly, easily and cost-effectively.

Historically, Frame Relay or ATM hindered enterprises from fully extending their corporate networks to include remote sites, traveling employees or business partners such as suppliers, distributors or dealers. Today, the shackles have been removed and IP VPNs have emerged strongly as a compelling alternative for corporations looking to reap the rewards of a fully connected enterprise. Concerns about the security of IP VPNs can be met by well-established techniques (encryption, authentication and integrity protection, covered under The Security Techniques below) that bring the confidentiality of an IP VPN up to that of a private line network, provided they are configured and monitored properly.


How Secure Is It?



IP VPNs are private partitioned networks that reside on, and transport data over, either a public network like the Internet or the private network of a service provider. They combine the security of a private network with the scalability and pervasiveness of the Internet. They use shared facilities under software control that provide the appearance, functions and benefits of a private network, including security, continuous availability and reliability. IP VPNs have built-in mechanisms to keep data traveling over shared IP infrastructure as secure as over a private line network: packet encapsulation (tunneling), encryption and authentication ensure that sensitive data reaches its destination without being read or tampered with by unauthorized parties. Where the customer avails of IP VPN services from a service provider, data is routed through the provider’s private IP network rather than the open Internet, which sharply limits who can observe it compared with a public Internet-based VPN. One caveat applies: separation on a provider network is an access-control property, not encryption. The provider’s staff and equipment still handle the traffic in the clear unless the customer encrypts it end to end, so where the data warrants it a provider-managed VPN should be combined with IPSec between the customer’s own gateways.

The Security Techniques



What makes an IP VPN ‘private’ is a tunnel that is created during a VPN session. The term tunnel suggests a fixed path through a network, but that is not the case: since the traffic is IP-based, VPN packets will most likely take different paths through the network. What makes the transmission a tunnel is that the original packet, its own headers included, is wrapped inside a new IP packet, and only the endpoint at the other end of the tunnel can see inside the protective encryption shell. Anyone on the path still sees the outer headers, so a tunnel hides what is being said but not the fact that two gateways are talking or how much they exchange. Tunneling technology encapsulates your own network protocols (which may be other than IP) within Internet Protocol (IP); encrypting the encapsulated packet is a separate step. IP Security (IPSec) and Layer 2 Tunneling Protocol (L2TP) are two widely used tunneling methods, but L2TP on its own only encapsulates and provides no confidentiality, which is why it is normally run over IPSec (L2TP/IPSec). IPSec has emerged as the technology of choice among IP VPN users today.
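As an added illustration (not code from the whitepaper, and not any IPSec implementation), the following Python block shows what tunnel-mode encapsulation does to a packet. The gateway addresses, inner packet and keys are constructed for the example, and the cipher is a toy authenticated stream cipher built from HMAC-SHA256 standing in for IPSec ESP; the wire layout (outer header, nonce, ciphertext, integrity tag) and the checks the receiving gateway performs are the point.

```python
# Tunnel-mode encapsulation with encrypt-then-MAC (added illustration, not IPsec).
# The cipher is a toy built from HMAC-SHA256 so this runs on the standard library;
# the wire layout and the receiver's checks are what the example is about.
import hashlib
import hmac
import secrets
import struct

OUTER = struct.Struct("!4s4sI")   # outer src IP, outer dst IP, sequence number
NONCE_LEN = 12
TAG_LEN = 16                      # HMAC-SHA256 truncated to 128 bits, as IPsec does

# Constructed sample data: a private-address inner packet that must stay secret,
# and the public gateway addresses that may legitimately be seen on the Internet.
INNER_PACKET = (struct.pack("!4s4s", bytes([10, 1, 1, 5]), bytes([10, 2, 0, 9]))
                + b"GET /erp/orders HTTP/1.1")
GATEWAY_A = bytes([203, 0, 113, 10])
GATEWAY_B = bytes([198, 51, 100, 20])


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256(enc_key, nonce || counter) blocks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, keystream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream))


def encapsulate(enc_key: bytes, mac_key: bytes, seq: int,
                outer_src: bytes, outer_dst: bytes, inner: bytes) -> bytes:
    """Wrap a whole inner packet: outer header | nonce | ciphertext | tag."""
    nonce = secrets.token_bytes(NONCE_LEN)              # fresh for every packet
    ciphertext = _xor(inner, _keystream(enc_key, nonce, len(inner)))
    header = OUTER.pack(outer_src, outer_dst, seq)
    # The tag also covers the outer header, so the packet cannot be re-addressed or renumbered.
    tag = hmac.new(mac_key, header + nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return header + nonce + ciphertext + tag


class TunnelReceiver:
    """Receiving gateway: verify the tag, reject replays, only then decrypt."""

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.last_seq = 0   # ESP keeps a sliding window; strict increase is enough here

    def decapsulate(self, packet: bytes) -> bytes:
        if len(packet) < OUTER.size + NONCE_LEN + TAG_LEN:
            raise ValueError("truncated packet")
        header, body = packet[:OUTER.size], packet[OUTER.size:]
        nonce, ciphertext, tag = body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):      # constant-time comparison
            raise ValueError("integrity check failed")  # tampered, or not from our peer
        _, _, seq = OUTER.unpack(header)
        if seq <= self.last_seq:
            raise ValueError("replayed packet")
        self.last_seq = seq
        return _xor(ciphertext, _keystream(self.enc_key, nonce, len(ciphertext)))


def observer_view(packet: bytes) -> tuple:
    """All that anyone on the path learns: outer addresses and the sequence number."""
    src, dst, seq = OUTER.unpack(packet[:OUTER.size])
    return (".".join(map(str, src)), ".".join(map(str, dst)), seq)


def run_demo() -> dict:
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)  # from IKE in real life
    receiver = TunnelReceiver(enc_key, mac_key)
    wire = encapsulate(enc_key, mac_key, 1, GATEWAY_A, GATEWAY_B, INNER_PACKET)
    result = {"on_the_wire": observer_view(wire),
              "inner_visible": INNER_PACKET in wire,
              "recovered": receiver.decapsulate(wire)}
    flip = OUTER.size + NONCE_LEN                       # first ciphertext byte
    tampered = wire[:flip] + bytes([wire[flip] ^ 0x01]) + wire[flip + 1:]
    for name, pkt in (("tamper_rejected", tampered), ("replay_rejected", wire)):
        try:
            receiver.decapsulate(pkt)
            result[name] = False
        except ValueError:
            result[name] = True
    return result
```

Calling `run_demo()` shows the three properties the paragraph describes: the private inner addresses and the HTTP request never appear on the wire while the outer gateway addresses and sequence number do, a single flipped ciphertext bit fails the integrity check before any decryption happens, and resending a captured packet is thrown out by the sequence check.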


Encryption is a technique used to scramble and unscramble information. The VPN gateway at the sending location encrypts the information before sending it through the tunnel over the Internet; the VPN gateway at the receiving location decrypts it back into clear text. The industry has published well-known and well-tested encryption algorithms, such as the Data Encryption Standard (DES), which uses a 56-bit key. Since the algorithms are standardized and known to all, the secrecy of the data rests entirely on the keys. DES was extended into 3DES (Triple DES), which encrypts, decrypts and encrypts again (EDE) under three keys, raising the nominal key length from 56 bits to 168 bits. Two caveats apply today: a 56-bit DES key can be recovered by brute force with modest hardware, so single DES should not be used at all, and 3DES offers an effective strength of about 112 bits rather than 168 because of meet-in-the-middle attacks and has since been deprecated; current IPSec deployments use AES. Further, a policy of periodically changing keys limits how much traffic is exposed if a key is ever compromised and bounds the ciphertext an attacker can collect under any single key; it does not by itself make a break-in impossible.

The life span of a key is called a crypto-period; at the end of this period the key expires. Frequent manual key changes, however, mean frequent distribution of secrets, and every distribution is an opportunity for disclosure. The answer is to combine symmetric and asymmetric keys. Symmetric keys use the same key at each end of the tunnel to encrypt and decrypt information; they are akin to ‘shared secrets’. Managing them is complicated because they are hard to distribute while keeping them confidential: the common distribution methods are manual, involving paper, removable media or hardware docking. Asymmetric keys are more complicated to design but logistically easier to manage. They allow information to be encrypted with one key and decrypted with a different key; the two keys are referred to as the private and public keys, and the public key can be handed out openly. In practice an IPSec gateway does not encrypt bulk traffic with asymmetric keys: its key-exchange protocol (IKE) uses them, or a pre-shared secret, to authenticate the peer and then agrees a fresh symmetric session key over the network itself using Diffie-Hellman, so the symmetric key is never transported and is simply regenerated when its crypto-period ends.
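As an added illustration (not code from the whitepaper, and not a complete IKE implementation), the following Python block shows the mechanism that resolves the distribution problem just described: a Diffie-Hellman exchange over RFC 3526 group 14 lets two gateways compute identical symmetric keys from values that can cross the network in the clear, and rekeying at the end of a crypto-period is simply a fresh exchange. Peer authentication (certificates or a pre-shared secret, as IKE does) is assumed to happen alongside and is not shown; the nonces, key labels and HKDF-style derivation are this example’s own choices.

```python
# Diffie-Hellman key agreement and crypto-period rekeying (added illustration).
# Not an IKE implementation: peer authentication is assumed to happen alongside.
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP), a group IKE peers commonly negotiate.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
Q = (P - 1) // 2      # P is a safe prime, so G generates a subgroup of prime order Q


def is_probable_prime(n: int, bases=(2, 3, 5, 7, 11, 13)) -> bool:
    """Miller-Rabin with fixed bases: cheap insurance before trusting pasted parameters."""
    if n < 2:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        if a % n == 0:
            continue
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair() -> tuple:
    """The private exponent never leaves the gateway; only the public value goes on the wire."""
    priv = secrets.randbits(256) | 1          # a 256-bit exponent is ample for this group
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> int:
    """Validate the peer's value before using it: rejects 1, P-1 and small-subgroup elements."""
    if not 1 < peer_pub < P - 1 or pow(peer_pub, Q, P) != 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P)


def derive_keys(shared: int, nonce_i: bytes, nonce_r: bytes) -> dict:
    """HKDF-style extract-then-expand: separate keys for encryption and integrity."""
    prk = hmac.new(nonce_i + nonce_r, shared.to_bytes(256, "big"), hashlib.sha256).digest()
    return {label: hmac.new(prk, label.encode() + b"\x01", hashlib.sha256).digest()
            for label in ("enc", "mac")}


def establish_session() -> tuple:
    """One exchange; returns (keys computed by A, keys computed by B, what the wire carried)."""
    priv_a, pub_a = dh_keypair()
    priv_b, pub_b = dh_keypair()
    nonce_a, nonce_b = secrets.token_bytes(16), secrets.token_bytes(16)
    wire = (pub_a, pub_b, nonce_a, nonce_b)          # everything an eavesdropper obtains
    keys_a = derive_keys(dh_shared(priv_a, pub_b), nonce_a, nonce_b)
    keys_b = derive_keys(dh_shared(priv_b, pub_a), nonce_a, nonce_b)
    return keys_a, keys_b, wire


def rekey_demo() -> dict:
    first_a, first_b, _ = establish_session()
    second_a, second_b, _ = establish_session()   # crypto-period over: run it again
    return {"peers_agree": first_a == first_b and second_a == second_b,
            "fresh_keys_after_rekey": first_a["enc"] != second_a["enc"]}
```

`rekey_demo()` establishes two sessions: within each, both sides arrive at identical encryption and integrity keys although nothing secret was sent, and across them the keys are unrelated, so traffic from an expired crypto-period cannot be decrypted with the keys of the next one. `dh_shared` refuses public values outside the prime-order subgroup, the check that defeats small-subgroup attacks, and the Miller-Rabin test is there so that a typo in pasted group parameters fails loudly instead of silently weakening the exchange.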

Further, digitally signed and validated transactions are legally recognized in many jurisdictions (in India under the Information Technology Act, 2000) and enjoy the protection provided by the most advanced security techniques available today.


Make no mistake. Constant and diligent security monitoring is as integral to IP VPN security as any of the mechanisms described above. A VPN tunnel extends the trusted network out to the remote site or laptop, so a compromised machine at the far end has an encrypted path straight into the corporate network; the tunnel protects data in transit, not the endpoints. Because IP VPN is often used in small offices or at remote locations, companies need to make sure they have a comprehensive policy and security solution, including firewalls and virus-scanning software, in place right from the start.

Productivity Booster



Whether enabling secure access for employees in a branch office or for traveling salespersons or business partners, companies using IP VPNs benefit greatly by expanding their employees’ ability to remain productive, no matter where they are located in the world. Because of this, IP VPNs have quickly become the latest standard in providing remote access to the corporate network.

In fact, the Yankee Group reports that 79 percent of the US companies with at least 500 employees and two sites use VPN solutions to provide secure access to traveling employees. About 63 percent use them to ensure secure site-to-site connections, and 50 percent use them to provide network access to customers and partners. "IP VPN is a highly effective tool for a company that has offices and people geographically dispersed," says the Yankee Group. "It extends the corporate network." In a Gartner survey, almost 90 percent of the companies in the US surveyed reported cost savings from switching to a VPN solution, primarily due to lower connectivity charges. On an average, the companies surveyed by Gartner realized a 54 percent return on their VPN investments over 18 months. "IP VPNs have emerged as a viable alternative to point-to-point communication and dedicated lines," says The Aberdeen Group. "They’re an attractive solution for managing people and data."


Reduced Total Cost of Ownership



It is now widely accepted that IP VPNs lower the costs of extending an enterprise network to reach a geographically dispersed end-user base, be it employees or business partners. They also lower the total cost of ownership (TCO) by requiring lower-performance routing equipment at the customer premise and by eliminating the need for costly long distance calls through the use of a shared IP backbone.

Studies comparing the TCO for a private line network with that of an IP VPN-based network reveal that enterprises can reap savings of up to 45 percent by deploying IP VPNs for their WAN connectivity needs. Given that the costs of legacy networks mount up disproportionately with the size and complexity of the network, customers stand to save more as the size and scale of their network grows.

The savings for a large Indian enterprise with several hundred or several thousand geographically dispersed locations can run into hundreds of crores of rupees. Moreover, customers have the optional added benefit of outsourcing the management of the network.

Choosing the Right Service Provider



The Indian enterprise customer has a variety of choices today when it comes to choosing a service provider. Service providers can be broadly categorized as telecom carriers and data networking services providers. Telcos tend to be broad generalists with a wide variety of offerings in voice and data. Several telcos have expended large amounts in laying fiber, an activity which requires deep pockets and basic project management skills. The sales proposition of a typical telco is usually centered around being a one-stop shop for voice and data. On the other hand, there are service providers who have specialized in data-oriented offerings to the market place. Enterprises need to carefully evaluate the strengths of a service provider before deciding upon it.

Excerpts from a Sify whitepaper
