The Promise of VPNs
So why bother? Because VPNs offer tremendous profit potential. According to VARBusiness' survey of SMB end users, the security and VPN platform technology category was cited as the highest spending priority in the next 12 months, followed by Internet or Web-related hardware, software or services, and computer hardware (including servers and PCs).
"VPNs are a total green field and represent tremendous opportunity for the channel," says Joe Gottlieb, general manager of the Check Point Software alliance for Nokia Internet Communications, Mountain View, Calif. "With the increase in mobile communications and wireless users, you are exposing your network and your enterprise to another layer of vulnerabilities; you have to have the right tools."
That especially holds true for SMBs, which have yet to get involved with these technologies. "There is probably a little more education with smaller businesses; most larger-sized businesses are aware of what VPNs can do these days," says Steve Martinez, a consultant with RazorLine Technologies, a security integrator and Check Point partner in Kansas City.
VPNs also promise big-business benefits. "VPNs make sense for companies that participate in an extranet, are involved in a supply chain or have multiple sites and want to support remote access," Gottlieb says.
VPN Flavors
Despite its complexity, the notion behind a VPN is simple: to ensure no one can eavesdrop on or intercept your client's information when it is en route between offices, traversing the otherwise-public Internet. A VPN creates an encrypted pathway between any two points. Those paths are private and protected from anyone outside the corporate network.
Your job is to select the right kind of VPN and make sure it is configured properly. Which one you and your client choose will be determined by cost, the number of users and whether they will be connecting from fixed or roaming locations (laptops are an example of roaming locations).
- One option is to make use of VPN services provided by an ISP. Basically, that amounts to outsourcing an entire corporate network backbone to the ISP. This is useful when you have multiple branch offices and insufficient staff to support the network infrastructure.
- A second option is to employ network-to-network VPNs, such as connecting two offices in different states. Doing so requires specialized hardware, such as routers, firewalls or VPN appliances at the edge of both networks, where they connect to the public Internet.
- A third option is to use VPN software to enable specific PCs to connect to a VPN appliance, router or firewall maintained at the headquarters. VPN hosting providers can set up a secure network across the Internet, connecting several locations and mixing networks and isolated PCs together. This is useful when you have more individual users, rather than networked offices to support.
At the heart of each of these methods is a "tunnel": a secured connection supported by special software and protocols that encrypts traffic between chosen clients or network end points. Establishing these tunnels is a key value-added service, because getting everything to work often requires a fair amount of support and hand-holding.
"We tend to stick with a single VPN product, such as Cisco's Secure VPN, using its routers and firewalls," says Mederick Jones, president of security reseller NetMD, Buena Park, Calif. "Cisco's VPN products excel in performance and manageability."
One important consideration for matching up the right VPN gear is the maximum number of simultaneous tunnels supported by any product. Products from Avaya, Check Point, Cisco, Nokia and others can cover a wide range of configurations, depending on that number and other features. However, most of those vendors' products, which are designed for larger enterprises, are pricey, starting with configurations that begin in the tens of thousands of dollars.
But lower-priced products are on the way for SMBs with smaller IT budgets. For example, Check Point sells its SofaWare line of VPN products for less than $1,000 per unit in a complete appliance package that includes a firewall, VPN and multiport hub. Check Point is the first of the major firewall vendors to enter this market, though Cisco and others have plans for lower-priced VPN products within the next year.
Among the smaller players, Netgear and Linksys have come out with two lower-end models (the FVS318 and BEFVP41, respectively), each of which retails for about $150. (The simplest setup would require a matched pair of models, one at each office that needs to connect via a VPN.) These products are similar to the companies' other firewall/hub/router Internet gateway products and offer four- or eight-port switched hubs, as well as basic routing services.
"It is truly amazing how little you can spend these days and get a fairly sophisticated solution," says Douglas Klatt, a design consultant with Project Leadership Associates, a leading Chicago-based networking and communications reseller.
Nevertheless, Klatt advises sticking with the tried-and-true VPN vendors rather than going the route of the cheapest models, such as those available from Linksys and Netgear. "Would you buy a car from the lawn-mower shop if he sold cars sometimes? I think not," he says. "Why go to Joe's VPN when you can get a standards-based product with extensive support and development behind it?"
Naturally, adding features and reliability ups the price and might make these products too costly for some businesses. But if customer needs are modest and budgets are tight, the products from Netgear and Linksys make good starter VPN solutions.
VPN's Finer Points
Once you've determined the proper VPN configuration and products for your client, there are several factors to keep in mind in deployment. First and foremost is supporting them, and profitably. Because configurations are so particular and the settings so numerous, VARs need hands-on knowledge before they can adequately support the units in the field.
"We have a methodology that assures things are working before we try to deploy them in the field," Klatt says. "Plus, we tend to deploy products from a single vendor, so it is just easier and a tighter solution."
"The key is that all of the gear must be integrated and be able to be configured and managed, upgraded, supported and maintained from a central location," adds Jim Ulatowski, executive director of marketing for Intergraph Solutions Group, a Huntsville, Ala.-based security reseller.
The second factor is training. "[Solution providers] should know the overall scheme, the fundamentals, and actually perform and install [products] in their own labs," Klatt says. Training also ensures that solution providers stay current with new feature sets of their products, and understand the various scenarios in which VPNs will be deployed at customer sites.
The third factor is technical: understanding why a tunnel cannot be established between two end points. That could be due to the wrong authentication method, a bad user name and password combination, mismatched encryption algorithms or mismatched gear. Understanding the different hashing and encoding algorithms supported by each product (whether it depends on a shared password or a key server, and where this information is entered in the setup screens of the products) is essential.
Fourth is the level of support and service available from the various ISPs that connect your customers together. This is especially critical given the number of ISPs that have either gone out of business or cut back their support staffs as revenue has dropped. Knowing the right people within a provider's support organization and being able to get in touch with them for troubleshooting will go far in terms of supporting a VPN.
"Always get the name and number of the person you are speaking with at the ISP," Klatt advises. "They will lie to you, not intentionally, but what they say will rarely be the truth. You need to call them back and make them accountable for what they do."
Klatt also recommends having the ISP supply a DSL router if your customer is using that method of connection. "It's not worth the few dollars you might save to have to deal with the various DSL subtleties," he says. In addition, make sure the ISP gives you a static IP address. While some VPN devices can work with dynamic IP addresses, it makes supporting these remote users easier with a static one.
Finally, there is the issue of longevity. Choosing a vendor that will be around for several years will make the VAR's life easier, to be sure. "We strive to secure a long-term working relationship with our clients," Intergraph's Ulatowski says, "so that three to five years from now they are still sure we made the right recommendation for a VPN."
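The third factor above (tunnels that fail over a mismatched authentication method, shared password or algorithm set) can be checked before a site visit by comparing both ends' recorded settings. The sketch below is an added example, not part of the original article or any vendor's tooling; the `Proposal` and `Endpoint` classes, the algorithm labels and the sample values are hypothetical and constructed for illustration.

```python
import hmac
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Proposal:              # hypothetical model of one algorithm combination
    encryption: str
    hashing: str
    dh_group: int

@dataclass
class Endpoint:              # hypothetical model of one device's setup screen
    name: str
    auth_method: str         # "shared-password" or "key-server"
    proposals: list = field(default_factory=list)
    shared_password: str = ""

def diagnose(a, b):
    """Return the reasons a tunnel between a and b would fail ([] if none)."""
    problems = []
    if a.auth_method != b.auth_method:
        problems.append(f"authentication method: {a.name}={a.auth_method}, "
                        f"{b.name}={b.auth_method}")
    elif a.auth_method == "shared-password" and not hmac.compare_digest(
            a.shared_password.encode(), b.shared_password.encode()):
        # Flag the mismatch without echoing either secret into a report.
        problems.append("shared password differs between the two ends")
    if not any(p in b.proposals for p in a.proposals):
        gaps = []
        for attr in ("encryption", "hashing", "dh_group"):
            left = {getattr(p, attr) for p in a.proposals}
            right = {getattr(p, attr) for p in b.proposals}
            if not left & right:
                gaps.append(f"{attr}: {a.name} offers {sorted(left)}, "
                            f"{b.name} offers {sorted(right)}")
        # Each field can overlap while no complete combination matches.
        problems.extend(gaps or ["no single proposal matches on every field"])
    return problems

# Constructed sample settings, not taken from any real device.
HQ = Endpoint("hq", "shared-password",
              [Proposal("aes256", "sha256", 14), Proposal("3des", "sha1", 2)],
              "constructed-example-secret")
BRANCH = Endpoint("branch", "shared-password",
                  [Proposal("3des", "md5", 2)], "constructed-example-secret")

if __name__ == "__main__":
    for line in diagnose(HQ, BRANCH) or ["settings agree"]:
        print(line)
```

With the sample data the two ends share an encryption algorithm and a key-exchange group, yet the tunnel still fails because their hashing lists never intersect, which is the kind of single-field mismatch that is easy to miss on a setup screen.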