Outsourcing VPNs: Privacy For Hire

George Gualda, CIO at Link Staffing Inc., wanted to securely connect 49 branch offices in 23 states to his company's Houston headquarters. Gualda decided he needed to build a virtual private network (VPN) to tie the far-flung parts of Link Staffing together. Trouble was, he lacked the staff to design and manage the system in-house.

So Gualda chose OpenReach Inc. in Woburn, Mass., to provide Link Staffing with a secure VPN over the public Internet.

Link Staffing is one of many companies that are turning to outsourced VPNs, whether over the Internet or through the private IP network of a service provider. Some are pinched for security-savvy network personnel. And even some that have the staff simply want to off-load the hassle of policing increased infrastructure to a firm that provides VPNs for a living.

The offerings of those providers, however, vary significantly and require users to evaluate their needs thoroughly and select their providers carefully.

For example, Gualda discovered that his firm needed a VPN service that used the Internet as the transport mechanism but didn't require Link Staffing to replace the eight Internet service providers that connect its remote offices. For Link Staffing, technical support for the VPN was also a crucial issue—a fact proved by bitter experience.

Prior to cutting a deal with OpenReach, Gualda says, he had a "very bad experience with a major service provider." Gualda won't name the company, but he says it was unwilling to provide the support his firm needed. His technicians ended up doing most of the VPN support, which contradicted the idea of using a service provider in the first place, he says.



A VPN is an encrypted tunnel through an existing IP network. It makes a company's network traffic invisible to others that might be using the same network, be it the Internet or a shared private network. But VPN services vary widely in approach, price and function, which makes the choice of provider crucial.

Although OpenReach manages the network, Gualda says he never feels out of the control loop because he can view VPN performance from his own desktop through a special browser-based interface. "I can drill down to the workstation level on a remote location [to see how the VPN is performing]," he says.

The OpenReach service costs Link Staffing $100 per month per site, or $4,900 per month total, according to Gualda.

APL Logistics Ltd., a contract logistics company and unit of Singapore-based shipping giant Neptune Orient Lines Ltd., wanted one managed service provider that could provide VPN service over a private IP network spanning 180 sites in 32 countries. Network availability is critical to APL because scheduling and shipping are time-sensitive, says Cindy Stoddard, the Oakland, Calif.-based firm's CIO. APL recently selected Amsterdam-based vendor Equant NV, signing a three-year, $23-million agreement for VPN and network services. APL chose Equant, says Stoddard, because Equant has global reach, can manage the whole network, and employs a routing scheme that speeds up time-sensitive traffic running over a VPN.

Joe Przepiora, IT manager for global network services at agribusiness giant Cargill Inc. in Minneapolis, pays for his VPN service by the hour. Cargill's field salespeople and other remote employees log on to the corporate network via a VPN service provided by RemotePipes Inc. in Mendota Heights, Minn.

Many of Cargill's employees work in rural areas that are woefully underserved with local Internet service provider dial-up numbers, Przepiora says, noting that RemotePipes specializes in providing VPNs over the public Internet via toll-free dial-up.

Przepiora acknowledges that analog modem connections—even if you're lucky enough to get a quiet phone line for a connection speed above 56K bit/sec.—are slow compared with Digital Subscriber Line and digital cable speeds of more than 1M bit/sec. But, he points out, at least his people can connect.

At a cost of $6 per hour, Cargill's remote users can log on to the company network via a VPN that uses IPSec encryption—the current protocol for end-to-end encryption forged by the Internet Engineering Task Force (IETF). E-mail and sales force automation systems are among the applications most frequently accessed through the VPN service, Przepiora notes.

Many providers that use the Internet for VPN connections either have VPN devices or require VPN networking software to be installed on remote user PCs. But RemotePipes facilitates remote dial-up connections without requiring VPN client software. That means there's one less thing to go wrong on remote users' PCs, says Przepiora. But national coverage coupled with fixed price is really RemotePipes' strength, he notes.

IP-based VPNs don't always run over native IP networks, which leads to confusion about what's really happening technically with any given VPN service, says Jason Smolek, an analyst at IDC in Framingham, Mass. For example, AT&T Corp. offers what it calls a "private IP VPN" service that rides on top of its frame-relay network. That might seem contradictory, because it implies the creation of a VPN over a virtual private circuit. And since the latter is already private, why bother?

Different Contexts

Tim Halpin, AT&T product manager for frame and Asynchronous Transfer Mode services, says the term VPN may be used in different contexts. In the case of AT&T's private IP VPN, Halpin says, the technology is really a service allowing existing AT&T frame-relay users to run IP packets over those networks. In the process, he says, customers benefit from the existing security of frame relay's private virtual circuits while getting the added functionality offered by IP.

One function, prioritizing network traffic by class of application, is what attracted Andras Bellak to AT&T's offering. Bellak is director of wide-area network engineering at Wireless Facilities Inc., a San Diego-based contractor that designs and sets up cellular tower and transmitter systems. Bellak says he designates IP videoconferencing, which is susceptible to delays and jitter, as a high priority, while setting database applications as medium priority and e-mail as "best effort," AT&T's term for the class of traffic that's least important.

"It really doesn't make any difference if an e-mail gets there in one and a half seconds or seven seconds," Bellak explains, but he adds that jerky video or voice audio that's out of sync with video is unacceptable. Bellak also says he designates a voice over IP phone system over the AT&T network as high-priority traffic. Otherwise, he says, callers may have to put up with voice delay and echo when they're on the phone.

To prioritize by class of traffic, both AT&T and Equant employ Multiprotocol Label Switching (MPLS) routing. MPLS is an IETF specification that enables routers at the edge of networks to read special tags on IP packets. That bypasses destination lookup in routers at the core of the network, which helps speed routing and affords quality of service at levels that can support a variety of types of network traffic, including video, says Jim Slaby, an analyst at Giga Information Group Inc. in Cambridge, Mass.

Stoddard says APL also chose the VPN service from Equant because of its MPLS routing capabilities, which she hopes will facilitate voice and video across the network as well as time-sensitive traffic involving scheduling and shipping.

The use of MPLS in conjunction with a frame-relay system that can understand IP also translates into the same service-level guarantees for latency—120M bit/sec. for data to make a round trip on the network—on AT&T's private IP VPN, says Halpin.

That's one reason why Bellak says the $1,800 that Wireless Facilities pays for each 1.5M bit/sec. per month—about $150,000 per month—is money well spent. Like other VPN users, he has found that finding the right provider to meet his needs is priceless.

Cope is a freelance writer in Notre Dame, Ind. He can be reached at jamescopeus@yahoo.com.


VPN From a Service Provider

Data is encrypted and encapsulated in IP packets before passing through the user's edge router/gateway device onto the Internet or provider network and is automatically decrypted at the other end.


Copyright © 2002 IDG Communications, Inc.
