The Remote Access Conundrum - Part 2 - page 2

Standard L2TP inherits compulsory tunneling from L2F. It also supports voluntary tunnels that extend end-to-end, from client to enterprise gateway. Voluntary tunnels are transparent to the provider, but require client support.

However, neither L2F nor L2TP provides confidentiality. Microsoft recommends running L2TP over IPsec to encrypt data over dial-up. Customers that use L2F or L2TP alone may not require confidentiality. Others may be satisfied with the degree of privacy offered within a single provider's network.

According to Cohen, AT&T is still wrestling with this one. "It would be reasonable to assume that we'll either need to encrypt L2TP or bring IPsec into our network-based services," said Cohen. "But our engineers have yet to decide on the best approach."

Making tradeoffs

Just how important is multiprotocol support? A recent Internet Draft argued against requiring multiprotocol support in IPsec remote access, stating "With the widespread acceptance of IP, the usage of alternative protocols such as IPX, SNA, NetBEUI, and AppleTalk is declining rapidly. Thus while multiprotocol networks are still common today, this is not expected to be the case within five years."

But providers must worry about the here and now. Dave Bove, Director of Infrastructure Operations at Vitality Beverages, selected AT&T because they could offer multiprotocol support. "We're a shop that needs access to both an AS400 and an IP network for LAN support. This is an absolute requirement for us," said Bove. Vitality has been using AT&T's managed VPN service for nearly two years to provide 200 users with remote access. "The AT&T team knew my needs and knew their VPN product very well," said Bove.

According to Cohen, the vast majority of AT&T's VPN customers are running IP, followed by SNA. "Most of the world's SNA networks run over AT&T," said Cohen. "We already had a big share of this market, and when we purchased IBM Global Network Services, we gained the rest. When these SNA customers are ready to move over to IP VPNs, we'll be in a great position to accommodate them."

Keeping the client simple

AT&T's client includes automation tools for updating phonebooks and user profiles, SLA tools for collecting usage data, and a rudimentary firewall. "We are embedding IPsec in the client for customers who want this," said Cohen, "But most of our services today are network-based L2TP, L2F, or GRE."

The same "dialer" client is used for remote access VPN over broadband. Customers using IPsec tunnels may access their VPN over non-AT&T dial, but compulsory L2TP/L2F tunnels require an AT&T transport.

Ken Thygesen, Managing Director of Technology Infrastructure at CPA firm McGladrey & Pullen, identified client ease of use as his hot button. McGladrey & Pullen equipped about 3,500 professionals with AT&T's dialer client. "I have so many users that I demand simple software," said Thygesen. "Let's put it this way: Even a Florida voter could use AT&T's dialer."

Thygesen selected AT&T after finding other dialers difficult to use. "There was also the issue of access points and the way you get billed," said Thygesen. "Being a CPA firm, we're rather fastidious about bill-back and we needed the detailed per-user accounting that AT&T's dialer gives us."