1.3 The VPN Market
VPNs, in one form or another, are becoming a crucial component of corporate networking solutions. Corporate networks use the Internet for various forms of business communication, and, for many organizations, VPN technologies are used to conduct private and commercial activities. Indeed, the trend is to migrate existing private corporate networks to Internet-based VPNs, and newly created corporate networks are increasingly using the Internet as their shared infrastructure.
To meet these needs, there has been tremendous growth in VPN offerings, which we separate into two categories: VPN products and VPN services. We will also discuss barriers to the development and deployment of VPN products and services.
VPN products are the hardware and software that make VPNs possible. One way to classify VPN products is by how the product protects corporate resources. A VPN gateway is a stand-alone device that enables authorized access to the protected network resources; the resources themselves are not located on the same physical device as the gateway. A VPN client, on the other hand, is installed on the same network device it is supposed to protect. Usually, the client is a software package installed on the host computer.
VPNs require at least two cooperating devices. The communication path between these devices can be viewed as a secure tunnel across an insecure Internet infrastructure. Wrapped around this tunnel is a set of functions, including authentication, access control, and data confidentiality (provided by encryption).
Depending on how these functions are implemented, VPN products can also be separated into two categories:
Software-based: Special software is added on top of a general computing platform, such as a Unix or Windows operating system, to enable the use of VPN functions.
Hardware-based: Special hardware augmented with software is used to provide VPN functions. Sometimes, VPN functions are added to a hardware-based network device such as a router or a firewall. In other cases, VPN functions are built from the ground up, and routing and firewall capabilities are added.
Many network equipment vendors are adding VPN products to their product lines. Some add VPN functions to their existing products, and others build specialized VPN devices from the ground up.
A corporation can either create and manage the VPN itself or purchase VPN services from a service provider. When a corporation creates its own VPN, it obtains only IP connectivity from the service provider. All other functions pertaining to the virtual private network service are managed by the corporation. These functions include the purchase and installation of equipment, network monitoring, and configuration management.
In the case of a contracted VPN service, the service provider attempts to mask the complexity of the VPN service. The idea is that the service provider, by virtue of being in the network service business, has the expertise to manage the Internet-based VPN. Because the service provider may operate networks for many different corporations, it benefits from economies of scale and can run a network operations center with 24x7 availability. This may not be economically feasible for a small company with limited resources. Additionally, Internet service providers (ISPs) control the network infrastructure, so they are better equipped to deal with problems that arise within it.
When you purchase a VPN service, one issue is who retains control of the network. The data being sent through the VPN is critical, and placing it under the control of a service provider can be sensitive for the corporation. A trust relationship must exist between the service provider and the corporation.
Another issue is the quality of the service. Specific performance guarantees, called service level agreements (SLAs), are negotiated between the service provider and the customer. Various measures can be taken when the SLAs are not met.
There are several barriers to widespread deployment of VPNs. First is the lack of interoperability among IPsec implementations. IPsec is the Internet Engineering Task Force's (IETF) security standard for IP. Although IPsec was standardized in November 1998, many vendors' implementations of these complex protocols have not yet achieved full interoperability with each other, even when they claim to be IPsec-compliant. Also, the Public Key Infrastructure for the Internet (PKIX) standard (X.509 authentication adapted for use in the Internet) is still moving slowly through the IETF working group. (For more on X.509, see Chapter 6.) This important standard provides a strong certificate-based authentication mechanism, but it is not expected to be widely available in the Internet in the near term.
Second, the lack of widely used quality of service (QoS) standards, as well as the sparse deployment of QoS-capable infrastructures, has made it very difficult to guarantee the quality of Internet connectivity, especially when traffic traverses the infrastructures of multiple ISPs. Many time-sensitive applications require certain guarantees to function correctly. This is not a new problem, and several proposals are on the table, but none has established itself as a clear winner.
Third, the Internet infrastructure is still largely focused on providing connectivity and does not yet offer services beyond connectivity. Security services in support of VPNs must be constructed from additional hardware and software components. Furthermore, computer operating systems in general, and Microsoft Windows in particular, do not yet contain mature built-in security functionality.