Choosing Customer Premise Equipment for VPN Services

There are many options to fit many situations. The successful VPN provider will be up to speed with a range of solutions that fit their customers' unique business needs.

In my June column, I described both turnkey and managed Virtual Private Networking services offered today by various Internet service providers. The key differentiator between these two types of VPN services is who owns and manages the customer premise equipment: the customer or the ISP? This, of course, raises a more fundamental network-design question: what is the customer premise equipment, typically known as "CPE"?

Many remote-access VPN services need only a modem and client software on the remote PC. That is, they don't require any special-purpose VPN CPE. But some remote-access VPNs, and all site-to-site VPNs, require some type of CPE to be installed at the customer site to serve as the endpoint for VPN tunnels. It may be an access router, a hardware "black box," a firewall, or a proxy server.

Access routers

Because it places the processing burden of encryption on the router, however, this configuration may introduce a bottleneck for all traffic, particularly if the access router is serving a high-speed link and is already operating at or near capacity. Furthermore, if the access router is compromised, no other device protects your VPN.

Hardware VPNs

Some products can be purchased with WAN interfaces to operate as edge devices, effectively replacing WAN access routers. Other products offer dual or triple Ethernet interfaces and are designed to sit just inside the access router or firewall. Hardware CPE can be simpler to deploy (just drop in a new box) and bring more focus on the services required by the VPN. However, it's not quite that simple: should the box be placed in front of, or behind, the customer's firewall? The new box will also affect network addressing, packet filters, routing, and redundancy.

VPN-enabled firewalls

VPN hardware sitting inside the firewall can be incompatible with network address translation applied at the firewall; VPN hardware or routers sitting outside the firewall cannot ensure the privacy of traffic all the way to the firewall.

These dilemmas can be sidestepped by placing tunnel endpoints on the firewall itself. On the other hand, as with the access-router solution, this alternative cranks up the processing demands placed on the firewall. Furthermore, adding new software to an existing firewall can be technically tricky and a political nightmare, depending upon whether the firewall is managed by the customer or the ISP.
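The incompatibility between a VPN box inside the firewall and address translation at the firewall comes down to what the tunnel's integrity check covers. The following Python model is an added example, not code from the column or from any vendor product; it assumes an IPsec-style setup in which an AH-style integrity check value (ICV) is computed over the source and destination addresses plus the payload, while an ESP-style ICV covers only the protected payload. The addresses, shared key, and datagram are constructed for the demo.

```python
import hashlib
import hmac
import ipaddress

# Constructed shared key for the demo; a real IPsec security association
# derives its keys through IKE, never from a hard-coded string.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def _addr_bytes(addr: str) -> bytes:
    """Pack a dotted-quad IPv4 address into its 4 wire bytes."""
    return ipaddress.IPv4Address(addr).packed


def ah_style_icv(src: str, dst: str, payload: bytes, key: bytes = SHARED_KEY) -> bytes:
    """ICV the way IPsec AH computes it: over the immutable IP header fields
    (modelled here as just source and destination) and the payload."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(_addr_bytes(src))
    mac.update(_addr_bytes(dst))
    mac.update(payload)
    return mac.digest()


def esp_style_icv(payload: bytes, key: bytes = SHARED_KEY) -> bytes:
    """ICV the way ESP computes it: over the protected payload only, so the
    outer IP addresses are not authenticated."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def apply_source_nat(packet: dict, public_ip: str) -> dict:
    """Model a firewall rewriting the source address of an outbound packet.
    The ICV field is carried through untouched, as a NAT device would do."""
    natted = dict(packet)
    natted["src"] = public_ip
    return natted


def verify_ah(packet: dict, key: bytes = SHARED_KEY) -> bool:
    """Peer-side AH check: recompute over the addresses it actually received."""
    expected = ah_style_icv(packet["src"], packet["dst"], packet["payload"], key)
    return hmac.compare_digest(expected, packet["icv"])


def verify_esp(packet: dict, key: bytes = SHARED_KEY) -> bool:
    """Peer-side ESP check: recompute over the payload only."""
    return hmac.compare_digest(esp_style_icv(packet["payload"], key), packet["icv"])


def simulate(nat_between_endpoint_and_peer: bool) -> dict:
    """Send one AH-protected and one ESP-protected datagram from a VPN box
    at 10.1.1.5 (inside the firewall) to a peer at 203.0.113.9, optionally
    through a firewall that source-NATs 10.1.1.0/24 to 198.51.100.1.
    Returns which integrity checks the peer accepts. All values constructed."""
    payload = b"constructed tunneled datagram"
    ah_pkt = {"src": "10.1.1.5", "dst": "203.0.113.9", "payload": payload}
    ah_pkt["icv"] = ah_style_icv(ah_pkt["src"], ah_pkt["dst"], payload)
    esp_pkt = {"src": "10.1.1.5", "dst": "203.0.113.9", "payload": payload}
    esp_pkt["icv"] = esp_style_icv(payload)

    if nat_between_endpoint_and_peer:
        ah_pkt = apply_source_nat(ah_pkt, "198.51.100.1")
        esp_pkt = apply_source_nat(esp_pkt, "198.51.100.1")

    return {"ah_ok": verify_ah(ah_pkt), "esp_ok": verify_esp(esp_pkt)}


if __name__ == "__main__":
    print("VPN box outside NAT:", simulate(False))
    print("VPN box behind NAT: ", simulate(True))
```

With the VPN box outside the translating firewall both checks pass; behind it, every AH-protected packet is rejected by the peer because the addresses it authenticated are no longer the ones on the wire. ESP's payload-only ICV survives the rewrite, which is why real deployments behind NAT rely on ESP plus UDP encapsulation (NAT traversal) rather than AH; the NAT still needs a port to track the flow by, which bare ESP does not provide.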