Internet VPN

Thursday, 11 March 2010 00:41 | Written by Administrator

Internet-Based VPN
One might say that these Internet-based data VPNs are the same as voice VPNs, but different at the same time. The philosophical point is that a dedicated network will be overbuilt in some areas and underbuilt in others. A shared network offers the hope that we can spread the overall cost out while getting the benefits of a private network. Historically, this accounts for the popularity of shared data networks beginning with X.25, Frame Relay, ATM, and now the Internet. The Internet has become a popular, low-cost backbone infrastructure. Because of its ubiquity, many companies now want to use a secure Virtual Private Network (VPN) over the public Internet. The challenge in designing a VPN is to exploit the technologies for both intracompany and intercompany communication while still providing security. Of course the rule of thumb we now use in an Internet Protocol (IP) network is "IP on everything." A VPN is an extension of an organization's private intranet across a public network (that is, the Internet), creating a secure connection essentially through a tunnel. VPNs securely convey information across the Internet connecting remote users, branch offices, and business partners into the corporate network. Figure 4-1 is a graphic depiction of an Internet-based VPN.

Figure 4-1: Tunnels provide secure access for VPNs.

VPNs are owned by the carriers, but used by corporate customers, as though the customers owned them. A VPN is a secure connection that offers the privacy and management controls of a dedicated point-to-point leased line, but actually operates over a shared routed network. In the past we saw traditional networks being built as part of a leased line, point-to-point network. This was expensive and risky. A single link error brought the network down. Later a virtual networking scenario emerged using a packet-switching technology called Frame Relay. This demanded that presubscribed links were established by being premapped in logic. VPNs are created using encryption, authentication, and tunneling, a method by which data packets in one protocol are encapsulated in another protocol. Tunneling enables traffic from multiple organizations to travel across the same network, unaware of each other, as if enclosed inside their own private steel pipe.

It is easy to jump to the conclusion that the Internet is free and, therefore, there are tremendous cost savings to be had from this free shared network. Later, we will explore some cost comparisons, but as one might guess, the relative cost benefit depends very much on each network's geography and traffic volume.

Goals
The goal of any network is to support users in a flexible, reliable, secure, and inexpensive manner:

  • Network managers want the network to be flexible.
  • Users want the network to be reliable and secure.
  • Management wants the network to be inexpensive.

A balance of these often-competing goals can be achieved, provided a good dialog is maintained among the participants. Table 4-1 shows the network goals in terms of applications, users, potential network solutions, and access to the network. It is an exercise left to the reader to select from the list those applications and users who are to be served. The network list indicates that these users and applications could be interconnected by any of these network technologies. As indicated previously, dedicated networks are expensive and rarely fit the need perfectly. Frame Relay and Asynchronous Transfer Mode (ATM) are shared network technologies that can be very cost effective, depending on the geography and traffic volume. Dial-up telephony can be a networking technology for highly mobile, low-volume users. Normally, we would like to have a backbone network with direct access for various users and dial-up remote access for infrequent users. We will discuss these alternatives in the following sections.

The advantage of shared networks is that organizations do not have to incur the entire cost of the infrastructure. For that reason, Frame Relay has been extremely popular. Because it (like X.25 before it) is virtual circuit based, there is little concern about misdirected or intercepted traffic. Still, Frame Relay service is not universally available and access charges to a point-of-presence (POP) can be expensive. However, compared to the cost of dedicated networks, shared networks offer equivalent performance and a much lower cost.

Internet
The next logical step is to use the Internet as the private network. It is almost universally accessible, minimizing access charges.

The path our data takes across the network is quite unpredictable. This leads to the conclusion that performance will be unpredictable and that our precious corporate data may pass through a router on the campus of "Den-of-Hackers University." (It is not the intent here to malign university students, but only to offer the observation that they are bright, curious, love a challenge, and may have time on their hands and access opportunity to do a little extracurricular research on the vulnerability of data on the Internet.) There are then two problems: performance and security.


Performance
The performance issue poses the problem of sizing the bandwidth on each link, which becomes a major task as the network grows. Unfortunately, few network managers have a good handle on the amount of traffic flowing between any given pair of locations. Typically, they are too busy handling moves and additions to the network, which frequently leads to performance problems. Because the network grew without the benefit of a design plan, portions of the network, including servers, invariably become overloaded. A dedicated line network is expensive, requires maintenance, and necessitates a backup plan should a line or two fail. Using a shared network does not alleviate the problem of traffic analysis. On the contrary, we now have to worry about the capability of the Internet to provide the bandwidth we need when we need it. Selecting our ISP to provide the performance we need becomes an important issue.
Outsourcing
One solution is to outsource the network to a network provider (the analogy to a voice VPN here is strong). The most popular previous solution was to lease Frame Relay service. The benefit was that the network provider took care of the management of the network and even provided levels of redundancy (for which you paid) within its network. Unfortunately, to make most efficient use of this service, one still needed to have a handle on traffic volumes. For example, a committed information rate (CIR) that was too low resulted in lost data and retransmission, while a CIR set too high was a waste of money.

A national or international carrier with its own Internet backbone then becomes a good choice as a VPN provider. One negotiates service level agreements (SLA), which include quality of service (QoS) guarantees. Some ISPs even provide Virtual IP Routing (VIPR) in which they permit you to use internal, unregistered IP addresses. If one builds a completely independent, internal (intranet) network, one could use any set of IP addresses one might choose. This alternative is attractive to large corporations that are constrained to using class C addresses. If these private addresses were to get out onto the Internet, chaos would quickly ensue. VIPR permits the flexibility to continue to use this unregistered set of addresses transparently across the Internet. This is strongly analogous to having one's own dialing plan on a voice VPN. There are many possibilities and choices here. We can outsource the whole network, including the VPN equipment on each site, or outsource pieces.

Standard Outsourcing Issues
A few points are worth making about outsourcing. One must take a realistic look at the task at hand:

  • If the internal staff possesses the capability to implement the VPN, do they have the time?
  • If you outsource the whole network, how permanent will the relationship be?

  • To what extent will the internal staff become involved in the design and maintenance of the VPN?
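The tunneling of Figure 4-1 (one protocol's packets encapsulated inside another) and the VIPR arrangement in the Outsourcing section (unregistered private addresses carried transparently across the Internet) can be shown with one concrete mechanism. The following is an added example, not code from the chapter; it picks IP-in-IP (RFC 2003) as the tunnel type, since the chapter names tunneling only in general terms, and all addresses, the payload and the function names (`build_ipv4`, `encapsulate`, `decapsulate`, `is_rfc1918`) are constructed for illustration. The outer header carries the two public tunnel endpoints, the inner header keeps its RFC 1918 addresses, and the encapsulating side refuses to put a private address on the outer header, which is the "chaos" case the text warns about.

```python
"""Added example, not from the original chapter: IP-in-IP tunnelling (RFC 2003)
of RFC 1918 addressed traffic between public tunnel endpoints. The addresses,
payload and function names are constructed for illustration."""
import ipaddress
import struct

IPPROTO_IPIP = 4  # IP-in-IP: the outer header announces an inner IP packet

# RFC 1918 "unregistered" ranges that must never appear on an outer header
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True if addr belongs to one of the RFC 1918 private ranges."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in RFC1918)


def _checksum(data: bytes) -> int:
    """One's-complement Internet checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet: 20-byte header without options, then payload."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                 # version 4, IHL 5 (20 bytes)
        0,                    # DSCP/ECN
        20 + len(payload),    # total length
        0, 0,                 # identification, flags/fragment offset
        ttl, proto,
        0,                    # checksum placeholder, filled in below
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    header = header[:10] + struct.pack("!H", _checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Validate the header checksum and return the fields a tunnel endpoint needs."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    header = packet[:ihl]
    if _checksum(header) != 0:  # a header with a correct checksum sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", header[2:4])[0]
    return {
        "src": str(ipaddress.IPv4Address(header[12:16])),
        "dst": str(ipaddress.IPv4Address(header[16:20])),
        "proto": header[9],
        "ttl": header[8],
        "payload": packet[ihl:total_len],
    }


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap a complete inner packet in an outer header addressed to the far endpoint.

    Outer addresses must be routable on the Internet, so an RFC 1918 outer
    address (the chapter's "chaos" case) is refused rather than sent.
    """
    for addr in (tunnel_src, tunnel_dst):
        if is_rfc1918(addr):
            raise ValueError("private address %s cannot be a tunnel endpoint" % addr)
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes) -> bytes:
    """At the far endpoint: strip the outer header and hand back the inner packet."""
    hdr = parse_ipv4(outer)
    if hdr["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    return hdr["payload"]


def demo() -> dict:
    """Carry a 10.1.1.5 -> 10.2.2.7 packet between two public (TEST-NET) endpoints."""
    inner = build_ipv4("10.1.1.5", "10.2.2.7", 17, b"constructed payload")
    outer = encapsulate(inner, "198.51.100.1", "203.0.113.9")  # constructed endpoints
    recovered = decapsulate(outer)
    return {
        "outer": parse_ipv4(outer),
        "inner": parse_ipv4(recovered),
        "roundtrip": recovered == inner,
    }


if __name__ == "__main__":
    result = demo()
    print("outer header: %(src)s -> %(dst)s proto %(proto)d" % result["outer"])
    print("inner header: %(src)s -> %(dst)s proto %(proto)d" % result["inner"])
    print("inner packet recovered intact:", result["roundtrip"])
```

Routers between the endpoints see only the outer header, which is what lets the private addressing plan survive the trip. Encapsulation alone is not the "private steel pipe" of Figure 4-1, though: the inner packet is still readable at every hop, including the one at "Den-of-Hackers University," so the confidentiality and authenticity the chapter lists alongside tunneling have to come from a separate layer (IPsec ESP over the same kind of outer header, for example).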
Choose your vendor carefully. Evaluate responsiveness in the areas of presale support, project management, and post-sale support. As in any procurement process, writing a system specification and Request for Proposal (RFP) is essential. Also, make up the evaluation criteria ahead of time. You may (or may not) choose to publish the evaluation criteria in the RFP. Select the vendor who is most responsive to your requirements. Here is a good opportunity for the vendor to do the traffic analysis so that a traffic baseline for design can be established. Always include growth in the RFP. Ongoing support will be critical. If the network spans multiple time zones, specify the minimum support requirements. For example, 9 A.M. to 5 P.M. CST is of little use to offices located in Taiwan. What training is offered as part of the package? The more knowledgeable the internal staff can be, the better they will be able to support the VPN — even when they are outsourcing support. It is important to have a coordinated security plan so that we have an integrated and consistent view across our firewalls, proxy servers, and VPN equipment.

Security
The basic concept of a VPN is to provide a secure, point-to-point connection across the network between communicating entities. A couple of questions about security are important to keep our paranoia in check. The first question is how much security is enough? To answer that question, we must consider the impact on our business if the data we are sending is

  • Simply lost. Is there a backup mechanism for sending or recovering the data?
  • Found by another business (not a competitor).
  • Found by a competitor.
  • Actively pursued by a competitor.

In the last case, we must ask how much effort is the competitor willing to invest to get our data? The answer to these questions will help us decide how much security is enough. Note that in the foregoing example, one can equally substitute the word hacker for competitor.

What About Security Issues?
Turning to security, remote access to a system must have integral

Last Updated (Tuesday, 16 March 2010 16:26)

Copyright ©dATA POINT SOFTWARE (2010)
All Rights Reserved.