VPN deployments provide hidden challenges

FRAMINGHAM, Mass. -- While IP VPNs are widely accepted as an effective remote access and WAN technology that can save money, there are hidden challenges users should be aware of to avoid costly problems.

For instance, Concord, Mass., business consultancy Mercator Partners LLC is scrapping the SonicWall Inc. IPSec VPN appliances it deployed in home offices in favor of IPSec client software on employees' PCs.

Although the appliances live up to their promise of segregating business machines from home machines via separate ports, it turns out the arrangement leaves open the possibility that family members still could tap into the corporate VPN, says Seth Cordes, IT manager at the firm.

Rather than risk that, Mercator changed technology, and now just home PCs with the software can tap into the VPN.

Still, looking at the big picture, there are significant savings to be gleaned from VPNs, particularly site-to-site VPNs that replace traditional WAN links. "On average, customers are paying anywhere between $450 and $1,200 a month per site on dedicated circuits," says John Pouliot, a principal with WAN Strategies LLC, an integrator and VPN service provider in Manchester, N.H.

With an Internet-based VPN, those costs can plummet. "Compare that with $45 a month average per site for DSL connections and the upfront cost -- anywhere from $350 to $1,295 [per site] of the VPN hardware," he says.

Even with these big savings in mind, businesses have to keep in mind that VPNs are full of cost "gotchas."

Lancet Technology Inc., a medical software company in Boston, in the past has created VPN connections with its business partners using Cisco Systems Inc. and Nortel Networks Corp. VPN clients, says Kevin Mulligan, CIO of the firm. But the clients are tricky to configure, and the partners generally don't have experience with them.

Plus, the VPNs require reconfiguring firewalls so VPN traffic can pass through, which winds up costing Lancet time on the phone to help out.

"We had more headaches with them," Mulligan says. He had to spend a lot of time negotiating with partners to get them to agree to the VPN in the first place, the major objection being that firewall reconfiguration goes against their corporate policies.

Similarly, being on the receiving end of such a proposal and joining a partner's existing VPN can tie up valuable time, he says, which again translates into expense.

Customers trying to comply with requests to use the same client ran into trouble, creating more work for Lancet, Mulligan says. "They would call us, and we would call Cisco technical support, and six hours later we might resolve it," he says, but by then the day was shot. Instead the firm has switched to a managed SSL remote-access service that requires no client and no firewall reconfiguration.

Even when VPNs are successful, their very success can cut in on expected savings, says Dan King, network administrator for The Mental Health Center of Greater Manchester, N.H. He replaced point-to-point T1 lines from four satellite offices to the main office with a SonicWall IPSec VPN. The switch saved enough money to give a fifth, unconnected office an ISDN-based DSL line. But the new connections gave each office its own Internet access, meaning Internet traffic was no longer funneled through the lone Internet connection at the main site. These new connections also provided faster downloads, a performance boost that resulted in more use. And when he was offered a price reduction on his 768K bit/sec. DSL lines or an increase in bandwidth to 1,024K bit/sec., he gave up the savings for the bandwidth.

Customers should check out proposed VPNs in all their probable uses before committing to them, says Tony McCafferty, director of IT for Hualalai Resort in Kailua Kona, Hawaii. It can eliminate a lot of costly swapping, he says.

The resort needed remote access for traveling executives, and he believed an IPsec VPN was the way to go. Initially, Check Point Software Technologies Ltd.'s Secure Remote clients were installed in company laptops, which worked well much of the time. But at hotels and at business partner sites, there were problems crossing firewalls, resulting in calls for help.

SSL remote

McCafferty decided to try SSL remote access because it required no special firewall configuration. The gear he bought, though, made by Aventail Corp., was too complex to get running properly.

"The unexpected cost on our part was trying to troubleshoot," he says. Software upgrades and even having the company ship him a configured unit didn't solve the basic problem of getting it to work with Outlook Web Access.

After about nine months of trying, he gave up and bought an SSL gateway from Enkoo Inc., a vendor that designed its gear to be easy to set up. The gateway lacked features of other SSL gear, but it had enough to meet Hualalai's needs, he says. He only recently turned off the Check Point gear. "We had so much trouble getting the Aventail up and running we couldn't get rid of the IPsec altogether," McCafferty says.

When customers buy VPN gear, they have to accept that it is more equipment on their network that requires maintenance. "When you buy security gear, you are constantly installing updates and patches," says Robert Whiteley, a VPN analyst at Forrester Research Inc., and that can mean a big investment in time. "If you're an enterprise worth your salt, you're going to test [the updates] first."

VPN gear can also carry peripheral expenses, Whiteley says. Securing VPNs might involve authenticating remote users with digital certificates, another investment in time and education. "It means managing digital certificates and making sure they are properly deployed," he says.

Businesses also face the cost of upgrading as technologies improve, says Desmond Lee, VPN project manager for group IT infrastructure and operations at PartnerRe, an international re-insurance company in Bermuda.

The company has decided to forgo an upgrade of its IPsec VPN equipment from Check Point because it requires replacing gear at 15 sites. Instead, it is switching to just three SSL remote-access gateways from Juniper Networks Inc.

SSL requires less equipment, and it comes with software to check the security of the remote machines, something that would have meant an upgrade with Check Point, Lee says.

This story, "VPN deployments provide hidden challenges" was originally published by Network World.


Copyright © 2004 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon