Today’s competitive environment calls for companies of all sizes to maximize
productivity in order to grow revenues, cut costs, enhance customer
satisfaction, boost bottom lines and survive economic slowdowns. Only the
fittest survive.
To stay ahead, enterprises are deploying various mission-critical applications,
ranging from enterprise resource planning (ERP) to customer relationship
management (CRM) and supply chain management (SCM). With all these
mission-critical applications requiring network connectivity, the role of
networks is becoming critical to businesses. The evolution of internetworking
technologies has clearly been a key contributor to the vastly improved
efficiencies within organizations. Networking is in. And it’s here to stay.
In the battle for business supremacy, and even survival, factors like remote
offices, mobility of employees, extended supply chains and global reach have
become decisive across industries. The actual location of employees, offices,
factories and warehouses has become secondary because internetworking
technologies help connect people and business processes in ways unimaginable
until a few years ago.
On one hand, increased connectivity within the enterprise offers tremendous
advantage and flexibility. On the other hand, it also demands strong network
security. Transmitting sensitive data across a public network such as the
Internet, and allowing transactions to take place over an intranet or extranet,
is not without risk: if an unauthorized party disrupts or damages the corporate
network or intercepts key files, the results can be costly.
Dilemma of Legacy Networks
A comparison of various WAN options across private lines, ATM, Frame Relay,
and IP VPNs shows that while private networks are secure, they are also complex
and cumbersome to set up and manage, and costly to maintain. And they are not
usually flexible or scalable. Private networks, by design, are limited. Because
a given private line links only two sites of a single customer in a
point-to-point fashion (no one else can use that capacity), they deliver a
secure but expensive and rigid solution.
There is no way to add a third site and have all sites interconnected in an
any-to-any fashion without each site maintaining a leased line to each of the
others; full mesh connectivity among n sites needs n(n-1)/2 lines. Further,
users pay the same amount whether they run traffic for three hours or 24 hours
a day.
Frame Relay and ATM networks are efficient for stable traffic patterns in a
hub-and-spoke design, where traffic flows steadily and predictably from the
remote sites to a central location. These approaches involve setting up a
permanent virtual circuit (PVC) between each spoke and the hub. Provisioning
numerous PVCs is costly and justifiable only if they are expected to see high
utilization. Consequently, these networks also tend to be complex, cumbersome
and costly. Moreover, running IP alongside a legacy network means paying the
overhead of both, so the migration from legacy to IP is best done across the
entire network in one step rather than piecemeal.
IP-based networks are more efficient for mesh networks, where traffic flows
in a many-to-many pattern. IP-based networks do not require PVCs, and users need
not constantly set up and adjust PVCs between communicating points. IP-based
VPNs give the freedom and flexibility to scale a business quickly, easily, and
cost-effectively.
Historically, Frame Relay and ATM hindered enterprises from fully extending
their corporate networks to remote sites, traveling employees or business
partners such as suppliers, distributors or dealers. Today those constraints
are gone, and IP VPNs have emerged as a compelling alternative for corporations
looking to reap the rewards of a fully connected enterprise. Concerns about the
security of IP VPNs have been addressed by tunneling, encryption and
authentication techniques that give them a level of protection comparable to
that of private line networks.
How Secure Is It?
IP VPNs are logically partitioned private networks that reside on, and
transport data over, either a public network like the Internet or the private
network of a service provider. They combine the security of a private network
with the scalability and reach of the Internet, using shared facilities under
software control to provide the appearance, functions and benefits of a private
network, including security, continuous availability and reliability.
IP VPNs have built-in mechanisms to keep data traveling over shared IP
infrastructure as secure as it would be on a private line: packet encapsulation
(tunneling), encryption, and authentication, which together ensure that
sensitive data reaches its destination without being read or tampered with by
unauthorized parties. Where the customer takes the IP VPN service from a service
provider, data is routed over the provider’s private IP network rather than the
public Internet, which limits who can observe the traffic. That backbone is
still shared with the provider’s other customers, however, so encryption remains
the control that actually protects the confidentiality of the data.
The Security Techniques
What makes an IP VPN ‘private’ is a tunnel that is created during a VPN
session. The term tunnel suggests a fixed path through the network, but that is
not the case: since your traffic is IP-based, your VPN packets will very likely
take different paths through the network. What makes the IP VPN transmission a
tunnel is that only the recipient at the other end can see inside the
protective encryption shell. Tunneling technology encapsulates your own network
protocols (which may be other than IP) within the Internet Protocol (IP) and
protects them with encryption and authentication. IP Security (IPSec) and the
Layer 2 Tunneling Protocol (L2TP) are the two widely used tunneling methods.
L2TP by itself only encapsulates and provides no confidentiality, so in practice
it is run over IPSec; IPSec has emerged as the technology of choice among IP VPN
users today.
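The encapsulation described above, as an added example that is not part of the Sify whitepaper: a toy tunnel-mode ESP in Python. The outer header carries only the two gateway addresses and the ESP protocol number, the ESP header carries an SPI and a sequence number, the whole inner packet is encrypted, and an integrity check value (ICV) covers header and ciphertext. The receiving gateway verifies the ICV first, rejects replayed sequence numbers, and only then decrypts. Assumptions of the example: HMAC-SHA-256 in counter mode stands in for the AES a real gateway would use, the inner packet is a simplified header rather than a full IP packet, and the addresses, keys and payload are constructed for the run.

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass, field

ESP_PROTOCOL = 50      # IP protocol number of ESP: all a router sees in the outer header
ICV_LEN = 16           # truncated integrity tag, as ESP does with HMAC-SHA-256-128
REPLAY_WINDOW = 64     # ESP's default anti-replay window


@dataclass
class SecurityAssociation:
    """One direction of a tunnel. Both gateways hold a copy; the SPI identifies it."""
    spi: int
    enc_key: bytes
    auth_key: bytes
    local_gw: str
    peer_gw: str
    seq: int = 0                      # sender: last sequence number used
    highest_seen: int = 0             # receiver: highest accepted sequence number
    seen: set = field(default_factory=set)


def _keystream(key: bytes, spi: int, seq: int, length: int) -> bytes:
    """Counter-mode keystream from a PRF. HMAC-SHA-256 stands in for AES here (an
    assumption of this toy); the keystream never repeats because (SPI, sequence
    number) is never reused within an SA, exactly as ESP requires."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack("!IQI", spi, seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def build_inner_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed stand-in for the original IP packet (real tunnel mode wraps a full one)."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!H", len(payload)) + payload


def parse_inner_packet(pkt: bytes) -> tuple:
    (length,) = struct.unpack("!H", pkt[8:10])
    return socket.inet_ntoa(pkt[:4]), socket.inet_ntoa(pkt[4:8]), pkt[10:10 + length]


def encapsulate(sa: SecurityAssociation, inner: bytes) -> bytes:
    """Sending gateway: encrypt the whole inner packet, add ESP header and ICV, then an
    outer header addressed gateway-to-gateway. Only the outer header is routable."""
    if sa.seq >= 2**32 - 1:
        raise RuntimeError("sequence space exhausted: the SA must be rekeyed")
    sa.seq += 1
    esp_header = struct.pack("!II", sa.spi, sa.seq)
    ciphertext = _xor(inner, _keystream(sa.enc_key, sa.spi, sa.seq, len(inner)))
    icv = hmac.new(sa.auth_key, esp_header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    outer_header = socket.inet_aton(sa.local_gw) + socket.inet_aton(sa.peer_gw) + bytes([ESP_PROTOCOL])
    return outer_header + esp_header + ciphertext + icv


def decapsulate(sa: SecurityAssociation, outer: bytes) -> bytes:
    """Receiving gateway: authenticate first, then anti-replay, then decrypt."""
    src, dst, proto = socket.inet_ntoa(outer[:4]), socket.inet_ntoa(outer[4:8]), outer[8]
    if proto != ESP_PROTOCOL or src != sa.peer_gw or dst != sa.local_gw:
        raise ValueError("not ESP traffic between this SA's gateways")
    body, icv = outer[9:-ICV_LEN], outer[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):          # constant-time comparison
        raise ValueError("ICV check failed: tampered packet or wrong keys")
    spi, seq = struct.unpack("!II", body[:8])
    if spi != sa.spi:
        raise ValueError("SPI does not match this SA")
    if seq in sa.seen or seq + REPLAY_WINDOW <= sa.highest_seen:
        raise ValueError(f"replayed or stale sequence number {seq}")
    sa.seen.add(seq)
    sa.highest_seen = max(sa.highest_seen, seq)
    sa.seen = {s for s in sa.seen if s + REPLAY_WINDOW > sa.highest_seen}
    return _xor(body[8:], _keystream(sa.enc_key, spi, seq, len(body) - 8))


def make_sa_pair(spi, enc_key, auth_key, gw_a, gw_b) -> tuple:
    """Both ends hold the same SA; only which gateway is 'local' differs."""
    return (SecurityAssociation(spi, enc_key, auth_key, gw_a, gw_b),
            SecurityAssociation(spi, enc_key, auth_key, gw_b, gw_a))


def _reject_reason(sa: SecurityAssociation, pkt: bytes) -> str:
    try:
        decapsulate(sa, pkt)
        return ""
    except ValueError as e:
        return str(e)


def demo() -> dict:
    """Branch gateway to headquarters gateway, with an on-path observer, a replay and a
    tampering attempt. Keys are fixed only so the run is reproducible (a real SA gets
    them from IKE); addresses and payload are constructed."""
    enc_key, auth_key = hashlib.sha256(b"demo-enc").digest(), hashlib.sha256(b"demo-auth").digest()
    sender, receiver = make_sa_pair(0x1000ABCD, enc_key, auth_key, "203.0.113.10", "198.51.100.20")
    payload = b"ERP order 4711 for warehouse 7"
    inner = build_inner_packet("10.1.0.5", "10.2.0.9", payload)
    wire = encapsulate(sender, inner)
    tampered = wire[:20] + bytes([wire[20] ^ 0x01]) + wire[21:]   # flip one ciphertext bit
    return {
        "outer_addresses": (socket.inet_ntoa(wire[:4]), socket.inet_ntoa(wire[4:8])),
        "payload_on_wire": payload in wire,
        "inner_addresses_on_wire": socket.inet_aton("10.1.0.5") in wire,
        "decrypted": parse_inner_packet(decapsulate(receiver, wire)),
        "replay_rejected": "replayed" in _reject_reason(receiver, wire),
        "tamper_rejected": "ICV" in _reject_reason(receiver, tampered),
    }
```

The order of checks in decapsulate is deliberate: the ICV is verified before anything else is parsed, so a forged or modified packet is discarded without touching the decryption key, and the sequence number is checked before decryption so a replayed packet costs the receiver nothing beyond one HMAC.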
Encryption is a technique used to scramble and unscramble information. The
VPN gateway at the sending location encrypts the information before sending it
through the tunnel over the Internet, and the VPN gateway at the receiving
location decrypts it back into clear text. The industry relies on published,
well-tested encryption algorithms; because the algorithms are standardized and
known to all, the secrecy of the data rests entirely on the secrecy of the keys.
The Data Encryption Standard (DES), with its 56-bit key, was long the most
widely used such algorithm, but a 56-bit key is within reach of brute force
today: it was first broken publicly in 1998, and DES is no longer approved for
protecting data. Triple DES (3DES) extends it by encrypting, decrypting and
encrypting again (EDE) with three keys, for a nominal key length of 168 bits;
its effective strength against a meet-in-the-middle attack is about 112 bits.
Current IP VPN deployments use the Advanced Encryption Standard (AES) in its
place. A policy of periodically changing your keys does not make a weak cipher
strong, but it does limit how much traffic any one key protects and shortens
the window in which a compromised key is useful to a trespasser.
The life span of a key is called its crypto-period; at the end of this period
the key expires and is replaced. Every change of a manually distributed key is,
however, another opportunity for disclosure, which is why key management
combines symmetrical and asymmetrical keys. Symmetrical keys use the same key at
each end of the tunnel to encrypt and decrypt information; they are akin to
‘shared secrets’. The logistics of managing them are complicated because they
are hard to distribute while being kept confidential: the traditional methods
are manual, using paper, removable media, or hardware docking. Asymmetrical keys
are more complicated to design but logistically easier to manage. Information
encrypted with one key can only be decrypted with the other, and the two keys
are referred to as the private and public keys. In IPSec this is put to work by
the Internet Key Exchange (IKE), which uses a Diffie-Hellman exchange of public
values to let both gateways compute the same fresh symmetrical key without ever
sending it, and repeats the exchange when the crypto-period ends.
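How the two kinds of key work together in practice, and how a crypto-period is enforced, as an added example that is not from the Sify whitepaper (it also illustrates the key-expiry policy of the preceding paragraph): each gateway generates a private Diffie-Hellman value that never leaves it, sends only a public value and a nonce, and both sides derive the same symmetric tunnel keys in the way IKEv2 derives its key seed, SKEYSEED = prf(Ni | Nr, g^ir). A small session object then expires the keys by time or by volume and runs a fresh exchange. Assumptions: the group is the 1024-bit RFC 2409 group 2 (embedded only because it is short; real deployments should use a 2048-bit or larger group or an elliptic-curve group), the "enc"/"auth" expansion labels and the session limits are the example's own, and `Gateway` and `TunnelSession` are hypothetical names rather than classes of any IKE implementation.

```python
import hashlib
import hmac
import secrets

# RFC 2409 "Group 2": a 1024-bit MODP safe prime with generator 2. Assumption of this
# example, chosen for brevity; 1024-bit MODP is no longer considered strong enough.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2                  # prime order of the subgroup generated by G


def is_probable_prime(n: int, rounds: int = 6) -> bool:
    """Miller-Rabin. A gateway should sanity-check group parameters before trusting them."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def group_is_sane() -> bool:
    """p prime, (p-1)/2 prime (p is a safe prime), and g lies in the order-q subgroup."""
    return is_probable_prime(P) and is_probable_prime(Q) and pow(G, Q, P) == 1


class Gateway:
    """One VPN endpoint (hypothetical class). Its private value never leaves it."""
    def start_exchange(self) -> tuple:
        self._priv = secrets.randbelow(Q - 2) + 2      # 2 <= x < Q
        self.pub = pow(G, self._priv, P)
        self.nonce = secrets.token_bytes(16)
        return self.pub, self.nonce                     # both are sent in the clear

    def derive_keys(self, peer_pub: int, ni: bytes, nr: bytes) -> dict:
        """Shared secret from the peer's public value, then IKEv2-style derivation:
        SKEYSEED = prf(Ni | Nr, g^ir), expanded into the tunnel's symmetric keys
        (the "enc"/"auth" labels are this example's own, not IKE's)."""
        if not 1 < peer_pub < P - 1 or pow(peer_pub, Q, P) != 1:
            raise ValueError("peer public value is not in the prime-order subgroup")
        shared = pow(peer_pub, self._priv, P).to_bytes(128, "big")
        skeyseed = hmac.new(ni + nr, shared, hashlib.sha256).digest()
        return {"enc": hmac.new(skeyseed, b"enc" + ni + nr + b"\x01", hashlib.sha256).digest(),
                "auth": hmac.new(skeyseed, b"auth" + ni + nr + b"\x02", hashlib.sha256).digest()}


def run_exchange(initiator: Gateway, responder: Gateway) -> tuple:
    """Both gateways end with identical keys although no secret crossed the wire."""
    pub_i, n_i = initiator.start_exchange()
    pub_r, n_r = responder.start_exchange()
    return initiator.derive_keys(pub_r, n_i, n_r), responder.derive_keys(pub_i, n_i, n_r)


class TunnelSession:
    """Holds the current keys and enforces a crypto-period by time and by volume."""
    def __init__(self, a: Gateway, b: Gateway, max_seconds: int, max_bytes: int):
        self.a, self.b, self.max_seconds, self.max_bytes = a, b, max_seconds, max_bytes
        self.generation = 0
        self.rekey(now=0)

    def rekey(self, now: int) -> None:
        keys_a, keys_b = run_exchange(self.a, self.b)
        if keys_a != keys_b:
            raise RuntimeError("key agreement failed")
        self.keys, self.generation = keys_a, self.generation + 1
        self.started_at, self.bytes_protected = now, 0

    def protect(self, now: int, nbytes: int) -> int:
        """Account for traffic; the key expires when either limit is reached."""
        if now - self.started_at >= self.max_seconds or self.bytes_protected + nbytes > self.max_bytes:
            self.rekey(now)
        self.bytes_protected += nbytes
        return self.generation


def demo() -> dict:
    """Constructed run: branch and HQ gateways with a one-hour / 1 MB crypto-period."""
    if not group_is_sane():
        raise RuntimeError("group parameters failed the sanity check")
    session = TunnelSession(Gateway(), Gateway(), max_seconds=3600, max_bytes=1_000_000)
    first_keys = session.keys
    g1 = session.protect(now=10, nbytes=400_000)     # inside the period: generation 1
    g2 = session.protect(now=20, nbytes=700_000)     # volume limit crossed: generation 2
    g3 = session.protect(now=4000, nbytes=10)        # time limit crossed: generation 3
    return {"generations": (g1, g2, g3), "keys_changed": session.keys != first_keys}
```

The subgroup check in derive_keys is the detail most often skipped in home-grown implementations: without it a peer can send a value from a tiny subgroup and force the shared secret into a handful of possibilities. Because every rekey uses fresh private values, a key captured from one generation tells an attacker nothing about the next.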
Further, transactions that are digitally signed and validated against a
certificate carry legal weight where the law recognises digital signatures, and
they enjoy the protection of the most advanced security techniques available
today.
Make no mistake: constant and diligent security monitoring is as integral to
IP VPN security as any of the mechanisms described above. Because IP VPN
endpoints are often located in small offices or at remote locations, companies
need to have a comprehensive policy and security solution, including firewalls
and virus-scanning software, in place right from the start.
Productivity Booster
Whether enabling secure access for employees in a branch office or for
traveling salespersons or business partners, companies using IP VPNs benefit
greatly by expanding their employees’ ability to remain productive, no matter
where they are located in the world. Because of this, IP VPNs have quickly
become the latest standard in providing remote access to the corporate network.
In fact, the Yankee Group reports that 79 percent of the US companies with at
least 500 employees and two sites use VPN solutions to provide secure access to
traveling employees. About 63 percent use them to ensure secure site-to-site
connections, and 50 percent use them to provide network access to customers and
partners. "IP VPN is a highly effective tool for a company that has offices
and people geographically dispersed," says the Yankee Group. "It
extends the corporate network." In a Gartner survey, almost 90 percent of
the companies in the US surveyed reported cost savings from switching to a VPN
solution, primarily due to lower connectivity charges. On average, the
companies surveyed by Gartner realized a 54 percent return on their VPN
investments over 18 months. "IP VPNs have emerged as a viable alternative
to point-to-point communication and dedicated lines," says The Aberdeen
Group. "They’re an attractive solution for managing people and
data."
Reduced Total Cost of Ownership
It is now widely accepted that IP VPNs lower the costs of extending an
enterprise network to reach a geographically dispersed end-user base, be it
employees or business partners. They also lower the total cost of ownership (TCO)
by requiring less powerful routing equipment at the customer premises and by
eliminating the need for costly long-distance calls through the use of a shared
IP backbone.
Studies comparing the TCO for a private line network with that of an IP VPN-based
network reveal that enterprises can reap savings of up to 45 percent by
deploying IP VPNs for their WAN connectivity needs. Given that the costs of
legacy networks mount up disproportionately with the size and complexity of the
network, customers stand to save more as the size and scale of their network
grows.
The savings for a large Indian enterprise with several hundred or thousand
geographically dispersed locations can run into hundreds of crores of rupees.
Moreover, customers have the optional added benefit of outsourcing the
management of the network.
Choosing the Right Service Provider
The Indian enterprise customer has a variety of choices today, when it comes
to choosing a service provider. Service providers can be broadly categorized as
telecom carriers and data networking services providers. Telcos tend to be broad
generalists with a wide variety of offerings in voice and data. Several telcos
have expended large amounts in laying fiber, an activity which requires deep
pockets and basic project management skills. The sales proposition of a typical
telco is usually centered around being a one-stop shop for voice and data. On
the other hand, there are service providers who have specialized in
data-oriented offerings to the marketplace. Enterprises need to carefully
evaluate the strengths of a service provider before deciding on one.
Excerpts from a Sify whitepaper