VPN PROS:
Virtual Private Networks
VPNs differ from ordinary networks in three ways:
VPN lets remote users connect to your LAN over the Internet, which greatly reduces the cost and complexity of the remote connection. The savings begin with the fact that most small businesses will no longer require a dedicated remote-access server. Businesses with a large number of remote users, say more than 75, might still require a remote server to handle such a high volume of traffic, but these companies still save money because nobody has to dial directly into the server. Instead, users only make a local call to their ISPs. In fact, lower long-distance charges are one of the biggest benefits for all companies using a VPN.
Another benefit is that, unlike in a traditional remote-network setup, VPNs do not require similar hardware at both ends of the connection. For example, an employee on a business trip can connect to an ISDN modem in your office using a 33.6Kbps PC Card modem at the same time that a remote workgroup dials in with a 56Kbps serial modem.
In addition to these benefits, a VPN also lets small businesses reap the cost savings that come from using telecommuters and freelancers. Paying three Java programmers in South Carolina, a documentation specialist in upstate New York, and a project manager in Wisconsin, for example, is undoubtedly cheaper than hiring them all full-time locally.
Pros:
1. Cost Savings - By leveraging third-party networks, organizations with a VPN no longer have to use expensive leased or frame relay lines and are able to connect remote users to their corporate networks via a local Internet service provider (ISP) instead of via expensive 800-number or long-distance calls to resource-consuming modem banks.
2. Security - VPNs provide the highest level of security using advanced encryption and authentication protocols that protect data from unauthorized access.
3. Scalability - VPNs allow corporations to utilize remote access infrastructure within ISPs. Therefore, corporations are able to add a virtually unlimited amount of capacity without adding significant infrastructure.
4. Compatibility with Broadband Technology - VPNs allow mobile workers, telecommuters and day extenders to take advantage of high-speed broadband connectivity, such as DSL and cable, when gaining access to their corporate networks, providing workers significant flexibility and efficiency.
5. VPNs enable you to create secure, business-critical communication links over the Internet.
6. Give telecommuters and mobile workers secure access to your LAN.
7. Share resources with partners.
Virtual Private Networks : advantages
While VPNs offer direct cost savings over other communications methods (such as leased lines and long-distance calls), they can also offer other advantages, including indirect cost savings as a result of reduced training requirements and equipment, increased flexibility, and scalability.
The biggest advantage to using VPNs is the cost savings. Traditional T1- and T3-based corporate networks must deal with tariffs that are structured to include an installation fee, a monthly fixed cost, and a mileage charge, adding up to monthly fees that are greater than typical fees for leased Internet connections of the same speed. In comparison, an ISP-based private network only requires shorter leased-line circuits from each remote location to the ISP's closest POP. VPNs are able to connect two computers over long distances, yielding substantial savings over dedicated leased-line options. With the VPN, remote users make local connections to an ISP, which in turn "tunnels" the connection to a VPN device on the destination network.
There are also considerable savings to be realized with a reduced IT department due to the ease of the VPN's administration. In-house technical resources are no longer needed to install, configure, and manage networking equipment.
VPNs also allow organizations to forego the costs associated with WAN equipment installation and maintenance, as a single WAN interface can serve multiple purposes.
Another feature of a VPN is its scalability. Organizations can expand their capacity and extend the reach of their network by setting up more accounts to handle the increased flow. This ease of scalability allows quicker and more timely responses to market demands or organizational challenges. VPNs can also allow larger organizations to link international locations into the network while avoiding the complexities, delays and high costs associated with setting up other connections across borders.
Another factor in the VPN's favor is its ease of scalability. Organizations using a VPN can expand their capacity and the reach of their network by simply opening more accounts with their ISP. This ease of scalability means quicker responses to both organizational changes and market demands.
VPNs can also reduce the demand for technical support resources. Much of this stems from standardization on one type of connection, Internet Protocol (IP), from mobile users to an ISP's POP, and on standardized security requirements. Outsourcing the VPN to a service provider can also reduce your internal technical-support requirements, because the service provider takes over many of the support tasks for the network.
VPNs offer network managers a way to reduce the overall operational cost of wide area networking through reduced telecom costs. In the case of a managed VPN service the savings can be even greater, as the ISP or service provider manages the WAN equipment, so that fewer networking experts are needed to manage the security aspects of the VPN. In many cases, implementing a VPN also means that better use is made of existing dedicated Internet connections.
VPN CONS:
Quality of Service. Unlike circuit-switched or leased-line data services, VPN links (or tunnels) over public routed networks do not typically offer any end-to-end throughput guarantees. In addition, packet loss is variable and can be very high, and packets can be delivered out of order and fragmented.
Security. VPN connections are made by first connecting to a POP of the public network, and then using that network to reach a remote peer to form a private tunnel. Once the connection has been made to the POP, unsolicited data from other users of the public network can be received, and the exposure to "attacks" requires comprehensive and complex security measures.
Bandwidth reservation or Quality of Service (QoS) at the enterprise or central site. Bandwidth reservation refers to the ability to "reserve" transmission bandwidth on a network connection for particular classes or types of traffic. It is much harder to achieve with VPNs than with traditional networks. Some reservation can be done on outbound traffic, but for inbound reservation to be achieved, the VPN carrier would need to help.
Two-way calling. Small office/home office sites that use ISDN to access a central site directly enjoy the capabilities of two-way calling, e.g. if the link is idle (the inactivity timer has fired and disconnected the call) and traffic needs to flow from the central site to the remote site, the central site can initiate the call. In a VPN network, this is a capability missing from common ISP offerings today. Call-back is a related topic; offering to pick up the dial-in costs incurred by partners and customers is also difficult.
Centralized telesaving control. Managing cost-effective use of dial links centrally may no longer be possible.
Overhead. VPN tunnels impose overhead for dial-in users: encryption algorithms may impact the performance of the user's system, there will be an increased protocol header overhead, authentication latency will increase, PPP and IP compression will perform poorly (compared to a direct link), and modem compression won't work at all.
Support issues. Replacing direct-dial links with VPN tunnels may produce some very painful fault-finding missions. Due to the complexity of VPN carrier networks, the opportunities for "hand-washing" are enormous.
Reconnection time. Using tunneling may increase the reconnection time for dial users. With the VPN carrier L2TP model, the client has to go through two authentication phases: one on contacting the VPN carrier POP, and another on contact with the enterprise Security Gateway.
Multimedia. Applications such as video conferencing only work acceptably over low latency links that can offer the required minimum throughput. Currently on the Internet, latency and throughput can vary alarmingly. Multi-channel data services, such as ISDN and xDSL solve this problem in the short term, allowing the "data" channel to be used for VPN tunneling, and a separate "voice" channel to be used for business telephone calls or video conferencing.
Encryption. When using encryption to protect a tunnel, data compression is no longer achievable as encrypted data is not compressible. This means that hardware compression over a modem connection is not possible.
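The Overhead and Encryption points above both rest on the same fact: link-layer and modem compression run after the tunnel has encrypted the data, and ciphertext has no redundancy left to squeeze out. The following is an added example (not code from the original page) that makes this measurable. It uses zlib as a stand-in for the modem or PPP compressor and a SHA-256 counter-mode keystream as a stand-in for the tunnel cipher; both are assumptions chosen so the script needs no third-party library, and the keystream is not a real VPN cipher. It also shows the usual remedy, compressing before encryption, which is why IP compression has to live inside the tunnel rather than on the modem.

```python
import hashlib
import zlib

# Constructed sample payload: repetitive, text-like data of the kind that
# modem or PPP compression would normally shrink well.
SAMPLE_PLAINTEXT = (
    b"GET /index.html HTTP/1.0\r\nHost: intranet.example.com\r\n"
    b"User-Agent: Mozilla/4.0\r\nAccept: text/html\r\n\r\n"
) * 40


def keystream(key: bytes, nbytes: int) -> bytes:
    """Stand-in keystream from SHA-256 in counter mode (assumption).

    This is NOT a VPN cipher (IPsec would use e.g. AES); it is used here only
    because it needs no third-party library and its output has no structure
    a compressor could exploit, which is all the demonstration needs.
    """
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def encrypt(key: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream (stream-cipher style)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def compression_ratio(data: bytes) -> float:
    """Compressed size divided by original size; 1.0 or more means no gain."""
    return len(zlib.compress(data, 9)) / len(data)


def compare(key: bytes = b"demo-key", plaintext: bytes = SAMPLE_PLAINTEXT) -> dict:
    """Return the link-layer compression outcome for three orderings."""
    ciphertext = encrypt(key, plaintext)
    compressed_then_encrypted = encrypt(key, zlib.compress(plaintext, 9))
    return {
        # compressor sees plaintext: what a direct modem link would achieve
        "plaintext": compression_ratio(plaintext),
        # compressor sees tunnel ciphertext: what the modem sees over a VPN
        "ciphertext": compression_ratio(ciphertext),
        # compress inside the tunnel, then encrypt: savings are preserved
        "compress_then_encrypt": len(compressed_then_encrypted) / len(plaintext),
    }


if __name__ == "__main__":
    for label, ratio in compare().items():
        print(f"{label:>22}: {ratio:.3f} of original size")
```

Run stand-alone it prints the three ratios; the plaintext shrinks to a small fraction of its size, the ciphertext comes out slightly larger than the input (zlib adds framing bytes when it finds nothing to compress), and compressing before encryption keeps the savings.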
Possible disadvantages of intranet VPN include the following:
Denial-of-service attacks. Unlike a private leased line, traffic that is not from the peer remote site (tunnel end-point) can flood down the receive path of a VPN tunnel from anywhere on the public network. This unsolicited traffic may reach such a level that solicited data can no longer be retrieved. To combat this, the VPN carrier could offer to filter non-VPN traffic, or perhaps provide a band-width reservation or QoS service.
No end-to-end data link in some cases. For some tunnel technologies, there is no end-to-end data link, so detection of reachability will need to be supported at the routing layer with protocols capable of rapid failure detection and instant re-route.
Packet loss. A VPN tunnel can sometimes suffer high packet loss and can reorder packets. Reordering can cause problems for some bridged protocols, and high packet loss may have an impact on the optimal configuration of higher-layer protocols.
Latency and multimedia. This is very much a next-generation VPN carrier goal that will require considerable investment to do properly. There are serious doubts as to the chances of the Internet achieving success in this area in the near future. Data-link carrier companies and newly-formed VPN-focused companies offering VPN services have a better chance.
Increased downtime. Decreased mean time between failures, longer lasting outages, painful problem solving and downtime compensation claims.
Unfortunately, VPNs put IP at a disadvantage. The additional overhead of a VPN increases the size of IP packets. This causes packet fragmentation, which means that network resources are used inefficiently. Encryption also increases latency, which reduces overall throughput. Our performance numbers in multistream tests represent the best throughput available in a low-latency, zero-loss Internet with real-world software at both ends.
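To put numbers on the fragmentation point above (and the "increased protocol header overhead" listed under Overhead earlier), here is an added example that is not from the original page. It models IPsec ESP in tunnel mode with AES-128-CBC and HMAC-SHA1-96; the header, IV, trailer and ICV sizes are assumed typical values for that combination, and other tunnel types would use different figures. It shows that a full-size 1500-byte inner packet becomes two outer packets, the second of which is almost all header, and computes the largest inner packet that fits the path MTU without fragmenting, which is the value an administrator would clamp the tunnel MTU or TCP MSS to in order to avoid the problem.

```python
# Assumed typical sizes for IPsec ESP tunnel mode, AES-128-CBC + HMAC-SHA1-96.
OUTER_IP_HDR = 20   # new outer IPv4 header
ESP_HDR = 8         # SPI + sequence number
ESP_IV = 16         # AES-CBC initialization vector
ESP_TRAILER = 2     # pad length + next header
ESP_ICV = 12        # HMAC-SHA1-96 integrity check value
BLOCK = 16          # AES block size; payload + trailer is padded to this


def esp_tunnel_size(inner_len: int) -> int:
    """On-wire size of one inner IP packet after ESP tunnel encapsulation."""
    pad = (-(inner_len + ESP_TRAILER)) % BLOCK
    return OUTER_IP_HDR + ESP_HDR + ESP_IV + inner_len + pad + ESP_TRAILER + ESP_ICV


def ip_fragments(total_len: int, mtu: int) -> list:
    """Sizes of the IPv4 fragments a packet of total_len is split into.

    Each fragment carries the outer header again, and all but the last must
    hold a multiple of 8 bytes because fragment offsets count 8-byte units.
    """
    if total_len <= mtu:
        return [total_len]
    payload = total_len - OUTER_IP_HDR
    per_frag = ((mtu - OUTER_IP_HDR) // 8) * 8
    sizes = []
    while payload > 0:
        chunk = min(per_frag, payload)
        sizes.append(OUTER_IP_HDR + chunk)
        payload -= chunk
    return sizes


def tunnel_cost(inner_len: int, mtu: int = 1500) -> dict:
    """Fragment count, bytes on the wire and payload efficiency for one packet."""
    frags = ip_fragments(esp_tunnel_size(inner_len), mtu)
    wire = sum(frags)
    return {"fragments": len(frags), "wire_bytes": wire, "efficiency": inner_len / wire}


def max_unfragmented_inner(mtu: int = 1500) -> int:
    """Largest inner packet whose encapsulated form still fits the path MTU."""
    size = mtu
    while esp_tunnel_size(size) > mtu:
        size -= 1
    return size


if __name__ == "__main__":
    for inner in (1500, max_unfragmented_inner(), 576):
        c = tunnel_cost(inner)
        print(f"inner {inner:4d} bytes -> {c['fragments']} packet(s), "
              f"{c['wire_bytes']} bytes on wire, efficiency {c['efficiency']:.3f}")
    print("clamp inner MTU to", max_unfragmented_inner(), "bytes to avoid fragmentation")
```

With a 1500-byte path MTU the 1500-byte inner packet costs 1580 bytes and two outer packets (1500 + 80), while clamping the inner size to the computed maximum keeps every packet whole at the cost of a slightly smaller payload per packet.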
We take interoperability for granted with most products, but VPNs are another story. As enterprises build huge VPNs, they'll quickly discover that no one vendor has a good solution for all environments and that multivendor interoperability is key to a successful deployment. Vendors who come to this realization as well will prosper; those who don't will wither.
Support of the equipment and services at the enterprise: the question of who owns the VPN equipment and services, the corporate customer or the public network service provider.
According to industry experts, one major impediment is that a VPN requires a great deal of pre-installation planning and careful consideration of its impact on IP addressing and traffic loads.
"We've got private IP addresses that need to be taken into consideration when we move to a VPN," said Ronald Brendon, IS director at the accounting firm Randall, Kline and Browner. "And we're probably typical [in that] we're not really sure where is the best place to put a VPN gateway." He noted, for instance, that he is not certain how network traffic will be impacted if the gateway is put between a WAN router and a LAN as opposed to making the gateway a node on the network.
The high cost of connecting to sites overseas. A 128-kbit/s link between the United States and Europe typically costs about $3,800 per month. A comparable VPN connection could cost much less, on the order of $400 to $800 per month.
Hidden costs associated with distribution of VPN client software. Some adopters are finding that simple tasks not unique to VPNs, such as distributing and installing client software to remote users, pose a bigger challenge than ever imagined.
Managing security and authentication systems requires complex skill sets that may not be available in-house.
Cost. A VPN often requires a substantial up-front effort for configuration and software deployment.
Firewalls. Vendors include a tunnel capability in their products. Like routers, firewalls must process all IP traffic, in this case to pass traffic based on the filters defined for the firewall. Because of all the processing performed by firewalls, they are ill-suited for tunneling on large networks with a great deal of traffic. Combining tunneling and encryption with firewalls is probably best used only on small networks with low volumes of traffic. Also, like routers, they can be a single point of failure for a VPN.
Support Staff. While many of these hardware devices are likely to offer you the best performance possible for your VPN, you will still need to decide how many functions you want to integrate into a single device. Small businesses or small offices without large support staffs (especially those experienced in network security) will benefit from products that integrate all the VPN functions as well as a firewall and perhaps one or two other network services. Some products, usually the more expensive ones, include dual power supplies and failover features to ensure reliability.
Certificates. Lastly, certificate authorities are needed to verify keys shared between sites and can also be used to verify individuals using digital certificates. Companies can choose to maintain their own database of digital certificates for users by setting up a corporate certificate server. For small groups of users, verification of shared keys might require checking with a third party that maintains the digital certificates associated with shared cryptographic keys.
MICROSOFT HACK:
** New Details Of Microsoft Hack Surface (10/31/00)
Hackers who broke into Microsoft's computer network for 12 days this month may have gained access via an employee's home computer, spotlighting industry concerns about IT security.
Microsoft issued a statement last weekend saying that intruders had access to its corporate network during a 12-day span from Oct. 14 to 25. (Early reports had put the incursion at three months.) Microsoft on Monday confirmed that the intruders could have gained access by installing rogue software called QAZ Trojan on a Microsoft employee's home computer that was sometimes used to access E-mail and the Web. The company is testing other theories as well.
Microsoft security employees discovered the break-in Wednesday after they found that internal passwords were being siphoned to an E-mail address in St. Petersburg, Russia. Microsoft called the FBI the next day; the investigation continues. During the attack, the intruders may have used those passwords to view source code--the secret blueprints of Microsoft products--for software the company plans to release in three to five years, a Microsoft spokesman says.
Microsoft, like many large companies, lets employees access its network by dialing in remotely. While the company declined to comment on its security infrastructure for such connections, the spokesman says employees dialing into the network must have proper credentials. The company also uses antivirus software. But those measures may not be enough to prevent an attack similar to the one that surfaced last week, according to security experts.
Most companies have server-side antivirus software in place, but that doesn't prevent employees connected to the Web from a remote computer from infecting those machines while outside the company's firewall, says John Pescatore, a research director for Internet security at Gartner Group. The next time they connect to the network, the virus can spread. In addition, firewall software for users' PCs that prevents certain types of outgoing data--large graphics files, for example--wouldn't necessarily prevent outgoing E-mail messages containing sensitive information, says Eric Hemmendinger, a senior information security analyst at the Aberdeen Group. And it's hard to prevent users from installing malicious files spread as E-mail attachments. Says Hemmendinger, "If you have a VPN for remote access, it doesn't mean you've got the whole problem solved." - Aaron Ricadela