[ISN] IP VPNs save, but they can carry 'gotchas'

InfoSec News isn at c4i.org
Tue Nov 23 06:24:26 EST 2004


By Tim Greene
Network World

While IP VPNs are widely accepted as an effective remote access and
WAN technology that can save money, there are hidden challenges users
should be aware of to avoid costly problems.

For instance, Concord, Mass., business consultancy Mercator Partners
is scrapping the SonicWall IPSec VPN appliances it deployed in home
offices in favor of IPSec client software on employees' PCs.

Although the appliances live up to their promise of segregating
business machines from home machines via separate ports, it turns out
the arrangement leaves open the possibility that family members still
could tap into the corporate VPN, says Seth Cordes, IT manager at the

Rather than risk that, Mercator changed technology and now just home
PCs with the software can tap into the VPN.

Still, looking at the big picture, there are significant savings to be
gleaned from VPNs, particularly site-to-site VPNs that replace
traditional WAN links. "On average, customers are paying anywhere
between $450 and $1,200 a month per site on dedicated circuits," says
John Pouliot, a principal with WAN Strategies, an integrator and VPN
service provider in Manchester, N.H.

With an Internet-based VPN, those costs can plummet. "Compare that
with $45 a month average per site for DSL connections and the upfront
cost - anywhere from $350 to $1,295 [per site] of the VPN hardware,"  
he says.

Even with these big savings in mind, businesses have to keep in mind
that VPNs are full of cost "gotchas."

Lancet Technology, a medical software company in Boston, in the past
has created VPN connections with its business partners using Cisco and
Nortel VPN clients, says Kevin Mulligan, CIO of the firm. But the
clients are tricky to configure and the partners generally don't have
experience with them.

Plus, the VPNs require reconfiguring firewalls so VPN traffic can pass
through, which winds up costing Lancet time on the phone to help out.

"We had more headaches with them," Mulligan says. He had to spend a
lot of time negotiating with partners to get them to agree to the VPN
in the first place, the major objection being that firewall
reconfiguration goes against their corporate policies.

Similarly, being on the receiving end of such a proposal and joining a
partner's existing VPN can tie up valuable time, he says, which again
translates into expense.

Customers trying to comply with requests to use the same client ran
into trouble, creating more work for Lancet, Mulligan says. "They
would call us, and we would call Cisco technical support, and six
hours later we might resolve it," he says, but by then the day was
shot. Instead the firm has switched to a managed SSL remote-access
service that requires no client and no firewall reconfiguration.

Even when VPNs are successful, their very success can cut in on
expected savings, says Dan King, network administrator for The Mental
Health Center of Greater Manchester, N.H. He replaced point-to-point
T-1 lines from four satellite offices to the main office with a
SonicWall IPSec VPN. The switch saved enough money to give a fifth,
unconnected office an ISDN-based DSL line. But the new connections
gave each office its own Internet access, meaning Internet traffic was
no longer funneled through the lone Internet connection at the main
site. These new connections also provided faster downloads, a
performance boost that resulted in more use. And when he was offered a
price reduction on his 768K bit/sec DSL lines or an increase in
bandwidth to 1,024K bit/sec, he gave up the savings for the bandwidth.

Customers should check out proposed VPNs in all their probable uses
before committing to them, says Tony McCafferty, director of IT for
Hualalai Resort in Kailua Kona, Hawaii. It can eliminate a lot of
costly swapping, he says.

The resort needed remote access for traveling executives, and he
believed an IPSec VPN was the way to go. Initially Check Point's
Secure Remote clients were installed in company laptops, which worked
well much of the time. But at hotels and at business partner sites,
there were problems crossing firewalls, resulting in calls for help.

SSL remote

McCafferty decided to try SSL remote access because it required no
special firewall configuration. The gear he bought though, made by
Aventail, was too complex to get running properly.

"The unexpected cost on our part was trying to troubleshoot," he says.  
Software upgrades and even having the company ship him a configured
unit didn't solve the basic problem of getting it to work with Outlook
Web Access.

After about nine months of trying he gave up and bought an SSL gateway
from Enkoo, a vendor that designed its gear to be easy to set up. The
gateway lacked features of other SSL gear, but it had enough to meet
Hualalai's needs, he says. He only recently turned off the Check Point
gear. "We had so much trouble getting the Aventail up and running we
couldn't get rid of the IPSec altogether," McCafferty says.

When customers buy VPN gear, they have to accept that it is more
equipment on their network that requires maintenance. "When you buy
security gear, you are constantly installing updates and patches,"  
says Robert Whiteley, a VPN analyst with Forrester Research, and that
can mean a big investment in time. "If you're an enterprise worth your
salt, you're going to test [the updates] first."

VPN gear also can carry peripheral expenses, Whiteley says. Securing
VPNs might involve authenticating remote users with digital
certificates, another investment in time and education. "It means
managing digital certificates and making sure they are properly
deployed," he says.

Businesses also face the cost of upgrading as technologies improve,
says Desmond Lee, VPN project manager for group IT infrastructure and
operations at PartnerRe, an international re-insurance company in

The company has decided to forego an upgrade of its IPSec VPN
equipment from Check Point because it requires replacing gear at 15
sites. Instead, it is switching to just three SSL remote-access
gateways from Juniper.

SSL requires less equipment, and it comes with software to check the
security of the remote machines, something that would have meant an
upgrade with Check Point, Lee says.

More information about the ISN mailing list