
A Virtual Private Network (VPN) is a secure network within the public Internet. It can save companies millions of dollars compared to dedicated networks. This concept was new in 1998 when this booklet was written. It was used by AT&T to educate clients and managers about this innovation. 40,000 copies of the booklet were distributed.  Although a portion of this piece is clearly dated, it has been recently recommended by several technical publications as a clear explanation of the concept for technical as well as business managers. The electronic version of this publication is still being downloaded hundreds of times per week.

The Manager's Roadmap to Virtual Private Networks by Fred Parker

The published Roadmap is visually rich. This Web version contains the words, only. If you are interested in Fred Parker Marketing's marketing services and would like to see a published Roadmap, contact Fred Parker.

Note: I know that The Manager's Roadmap to Virtual Private Networks has recently been recommended by Technology News, Info Tech Advisor and others, resulting in a great deal of traffic to this page. I'm pleased to be of service to the IT community, but this document's main purpose is to promote writing services. It was originally written in 1998 and used by AT&T and others as a sales tool for the edification of prospective customers. VPNs were in their infancy at that time. A lot has happened since then. I'm glad the piece still has relevance. However, please be aware that some of this information may be outdated. -- Fred

Contents

Introduction

What is a Virtual Private Network (VPN)?

Does my company need a VPN?

What can a VPN do for my business?

How can I make my VPN secure?

What VPN standards exist?

Why is "latency" important?

What about scalability and growth?

What is a VPDN?

Managing and measuring a VPN

The importance of end-to-end responsibility

Integrating a VPN into an existing network environment

What should I look for in a VPN provider?

The bottom line: 20 questions to ask a VPN provider

VPN/Security Glossary

Introduction

The Internet is a simple concept. It allows companies and individuals to share data over a common network. But, from that simple concept, an incredible number of useful tools have been developed. E-mail and the world wide web are familiar to everyone. The list has expanded to include video and telephony. Some experts predict that the Internet will be able to fulfill all of your communications needs within a decade, through a single access line providing voice, video, entertainment and data to your business or home.

The Internet is a shared resource. The fact that all types of data may be transmitted between any two computers on the face of the planet means that the Internet has not been considered "secure" enough for important corporate, financial or private data transactions. Major corporations and other entities dealing in sensitive data have constructed private data networks to handle this traffic. The costs associated with this private and redundant network infrastructure are enormous. And everyone who buys products, consumes services and engages in private transactions shares these costs.

Until now. What if sensitive data could be transmitted over the Internet securely? It can. It is being accomplished today by forward-looking Internet Service Providers, working closely with the companies they serve. The name of this service is Virtual Private Network (VPN). It will revolutionize corporate networks in the months and years to come.

The reward in cost savings is real: In some cases, network costs can be cut by up to 50%. Often, however, the sensitive nature of the data being transmitted is such that any breach of security is not an option, at any cost. There are technological, performance and network management concerns, as well.

This guide has been designed for the senior manager who is evaluating network options and considering the cost savings of a Virtual Private Network. Our purpose is to engage in a frank discussion of all the issues and pitfalls you must consider before implementing a VPN, as well as to clearly present the rewards that a VPN can bring to your enterprise.

 

What is a Virtual Private Network (VPN)?

A Virtual Private Network (VPN) is simply private data travelling over the public Internet. The same data transmission services that once required private circuits from point to point can be provided on the Internet, without associated mileage charges. The promise of the technology is vastly reduced cost for private data transmission. It's the dream of every MIS manager, and nearly every public data carrier claims to have it. So, why have so few VPNs been implemented?

The main reason is that the terminology of this technology has not been standardized. To some vendors, a VPN simply means encryption on each end of a connection. But there are many more things that must be considered, such as addressing schemes, bandwidth requirements, reliability, levels of security, the ability to handle "real-time" data transmission and network management. The current lack of standardization makes it easy for nearly every vendor to claim some form of VPN. But a real VPN is not defined by the vendor; it is defined by the network requirements of the company that needs the service -- your company. Each implementation will be different.

The best VPN advice: Avoid any vendor that attempts to shoehorn your needs into their service limitations. The first requirement for setting up a VPN is to perform a thorough analysis of your individual network needs. Only after this analysis can the various technologies that comprise VPN be implemented properly.

VPNs are not meant to replace all corporate networks. Local area networks (LANs) within facilities or campuses are high speed, cost effective networks that will not be replaced by a VPN. VPNs are best employed to connect individual LANs and to provide secure access to individuals who are working from remote offices, telecommuting or travelling.

Many managers confuse VPNs with "intranets" or "extranets". The latter two are World Wide Web sites that require user names and passwords to access data that has been formatted to be read by an Internet "browser". An "intranet" is usually limited to employees of a company while an "extranet" performs the same function for business partners, clients, vendors and other external entities. While a VPN can be used for these purposes, it has much greater security requirements. It may allow direct access to the corporate network and all of the data posted on that facility, regardless of the format of the data. VPNs employ advanced features such as encryption, authentication and secure "tunnels" between the corporate network and individual users to achieve enhanced security. These security features are detailed in the chapter "How can I make my VPN secure?".

 

Does my company need a VPN?

If your company maintains a private data network today, a VPN can replace much of it while providing great cost savings. Many companies that don't currently use private data networks can increase business efficiency by implementing a cost effective VPN. If your enterprise has any of the following characteristics, you should look at a VPN as a solution:

- Remote locations that need access to centralized corporate data
- Geographically diverse branches, departments or subsidiaries
- Secure information transfers between fixed locations
- Support for mobile employees or telecommuters with secure data access
- Polling secure data such as electronic commerce at kiosks
- Secure intercompany links for private data transfer between companies
- Virtual teams that need to access and update large, secure files such as engineering drawings and project management

In short, if you have more than one LAN, communicate secure data with employees, partners, vendors, consultants, telecommuters, branch offices or a sales staff, a VPN is likely to improve your business efficiency while reducing cost.

 

What can a VPN do for my business?

The most obvious benefit for businesses is dramatic cost savings.

Virtual Private Networks can replace expensive dedicated leased lines that connect Local Area Networks. Traditional Wide Area Networks consist of point-to point dedicated circuits that connect individual LANs. Charges for these circuits include mileage charges, fixed charges, local loop charges and associated equipment. The cost is high because charges cover full bandwidth access, twenty-four hours per day. So, whether you use 24 hours or 15 minutes, and whether your traffic takes up 10% of capacity or 100%, you pay the same price. Using frame relay circuits can add flexibility and reduce costs somewhat, but the use of a VPN can reduce these costs dramatically.

For example, let's look at a circuit between Chicago and New York City. At T1 capacity (1.544Mbps) the direct circuit would cost about $8,000 per month. Access provided by an ISP on a VPN would be approximately $2,400 per month for the same bandwidth -- a savings of 70%! T3 (45 Mbps) access on the same route would be $80,000 per month for the direct circuit. VPN access would be around $55,000 -- a savings of 40%. Since most private networks consist of multiple circuits, the cost savings add up quickly.

A VPN can also make use of the Internet to replace modem pools and eliminate long distance dial-up fees. They reduce network management expense by outsourcing many tasks to an Internet Service Provider.

Direct cost savings are only one side of the equation. A Virtual Private Network can increase business efficiency as well. Take a look at the following concrete examples to get an idea of how a VPN could benefit your business:

Automobile manufacturer centralizes database to track inventory, increase sales

An automobile manufacturer uses a VPN to connect dealer locations to a centralized inventory tracking database. As dealers receive requests from customers for automobiles or parts, the centralized database allows them to locate the desired item at the closest location and arrange for immediate shipping.

VPN ensures smooth and successful corporate merger

When a major corporation acquires a new subsidiary with multiple locations, a VPN is used to connect all of the locations and subsidiary headquarters to the parent corporation's systems. This provides the subsidiary with immediate access to the data it needs for the transition, while allowing management to monitor the ongoing progress of each location in real-time. The VPN is implemented using existing Internet access facilities at each location, so the time required to establish the entire network is only a few days, rather than the months typically required to implement a dedicated network.

County health department uses VPN to track diseases securely

A County health department establishes a centralized disease database and connects hospitals and other health facilities to the database via a VPN so that the incidence of communicable diseases can be tracked. Since the data contains specific patient information, the need for security is paramount.

Physicians use VPN to reduce on-call time, expenses

On-call specialists must frequently travel to a hospital to view radiological scans or other visual data. A group of physicians is reducing the number of trips and associated expense by implementing a high speed VPN that transmits diagnostic material to a desktop computer in their home. They reduce the number of hospital trips required by over 50%.

Hi-tech company makes sales automation and training easy

A high technology company with a staff of 200 salespeople provides mobile dial-up VPN access to headquarters data. The sales people have resources such as catalogs, presentations, proposals, order status and current inventory available from their laptops via a secure connection, whether in a hotel room or in a customer meeting. Video and interactive product training is available over the VPN. Each day, new contact data and sales order activity from each salesperson is updated to the main corporate database, reports are generated for sales and marketing management and secure e-mail is exchanged.

Insurers use VPN for secure e-commerce

Six major insurance firms have formed an alliance to build a VPN that will let them exchange electronic mail, access a common directory service and deploy electronic-commerce applications.

Leading importer improves customer satisfaction with VPN

One of the world's largest retail importers uses its VPN intranet to link stores, sales people and inventory to save money, increase efficiency, and improve customer satisfaction.

Service vendor increases security, minimizes staff expense

A vendor provides services at airport kiosks. Customers pay with a credit card. A VPN network is used to monitor video cameras in each kiosk to deter vandalism. Each hour, credit card information is securely transferred from the kiosk to the corporate database over the VPN, eliminating the need for manual pick-up of the data.

Manufacturer saves big money with VPN

Looking for a way to let distributors access its ordering process, an electronics manufacturer chose a VPN rather than building and managing its own wide-area network and expects to save more than $100,000 annually.

Aerospace manufacturer reduces cost of working with remote subcontractor

Not all subcontractors are created equal. In this case, the best subcontractor for a major aerospace manufacturer was located on the other coast. The companies use a VPN to tie purchasing, inventory, production and shipping computer systems together to create a "just-in-time" inventory replenishment system. The VPN is used to videoconference their staffs for engineering meetings, avoiding the high cost and productivity loss of cross-country travel.

Security experts collaborate on VPN extranet

The nation's top national security experts will increase efficiency by relying on a VPN extranet to collaborate on projects and documents, linking geographically diverse locations securely, as well as at low cost.

Virtual teams increase efficiency, share data securely

Today's business teams make use of the best talent available and increasingly include partners from all over the globe. These virtual collaborations are perfect for Virtual Private Networks. Engineering, product design, large consulting projects and major system implementations all require geographically diverse entities to collaborate and share data. Many of these applications require access to large files such as engineering drawings, databases or project management software. In most cases, the projects are competitive and require a high degree of security. VPNs can be managed effectively, giving a business partner access to some information, while excluding other data and allowing access only as long as the collaborative project continues.

The list of applications is nearly endless. It includes video and teleconferencing, secure access to databases, secure remote access and enhanced efficiency in working with business partners. These few examples will give you an idea of the things that can be accomplished with the implementation of VPN in your organization.

 

How can I make my VPN secure?

At first, VPN seems like an oxymoron: secure data being transmitted over the world's most public network. But, when you look at it a little more closely, it makes a great deal of sense.

The fact is that most of today's point-to-point "secure" circuits use shared facilities, as well. The telephone companies that provide these circuits bundle them together on high capacity circuits over long distances to optimize bandwidth utilization of their networks. This means that your data could be "multiplexed" with your competitors' data, even in a point-to-point network configuration. The reason that your data remains separate from theirs in this environment is that the telephone company retains control along the entire transmission path; controlling the route, message addressing, error checking and delivery of the data. When the circuit route extends between telephone companies, standards and exchange agreements assure data integrity. Virtually all telephone conversations on the switched public network are multiplexed in the same way. The fact that "private" telephone conversations can take place is a tribute to the failsafe technology and standards behind the scenes. Be clear about what this does and does not protect: carrier control keeps other customers' traffic apart from yours, but it does not hide your data from the carrier itself or from anyone who taps the circuit, which is why the encryption described later in this chapter matters even on a "private" circuit.

While many managers are shocked to learn that their "private circuit" makes use of a shared facility, it is to their advantage in two ways: First, in a circuit consisting of a single pair of wires from one point to the other, a physical interruption of the circuit could cause a major service failure. Circuit interruptions occur hundreds of times every day in the United States, because of bad weather, cable cuts, equipment failure, or other factors. With a shared facility, the data is simply routed along another path until the damage is repaired, often without interruption. A dedicated pair of wires would be out of service for the time necessary to find and repair the problem. Second, the use of a shared facility allows the telephone company to reduce cost by optimizing the use of their bandwidth resources. The end user pays less as a result.

So, the idea of secure data being transmitted over a shared facility is far from unusual. It is standard operating procedure.

Increasingly, Internet traffic is being routed over telephone company circuits, as well. The reason for this is simple. Nearly all "first tier" Internet Service Providers are now aligned with telephone companies. A first tier provider is responsible for data transmission along the Internet "backbone". If the ISP owns all of their facilities -- such as modem pools, points of presence, central switching centers, cable between nodes and everything required for data transmission over an entire, high speed, national (or international) backbone -- it's called a "facilities-based" provider. It is essential that your VPN partner be a first tier, facilities-based provider, for all the reasons you'll see in the chapter titled "What should I look for in a VPN provider?". If a first tier, facilities-based provider furnishes your entire VPN network, the facilities will be as secure as a telephone company "private circuit".

However, there are other hurdles that must be overcome to assure the security and integrity of your data. The Internet operates differently from the telephone network. The Internet uses Internet Protocol (IP) addresses to route data. At each hop along the path, computers called "routers" act like postal sorting employees: they read the destination IP address on each packet and forward it toward the correct network. (Separate computers called "name servers" translate human-readable host names into IP addresses; they do not move the data.) The Internet was designed this way so that anyone with access to the network can send a message or data to anyone else on the network.

"Hold it!" you say? "Does that mean that anyone could address a message so that it is received on my VPN?" The answer to your astute question is a qualified "yes", but that's no reason to stop reading right here. Because the good news is that some first tier, facilities-based ISPs have found ways to safely leap this hurdle. To furnish security on the Internet that is the equivalent of a dedicated line, four things are required:

1. "Partitioning." The ISP must be able to keep your VPN's IP addresses (typically a private address range used only inside your company) out of the routing tables and name servers of the general Internet, so that only your own sites, and not everyone on the Internet, can address your network. Think of this as a private mail-sorting employee who will only handle mail for addresses inside your company.

2. "Authentication" requires proof of the sender's identity before a properly addressed message is delivered. Think of this feature as a postal inspector who examines all packages that have been correctly addressed to your company and rejects any that are from unauthorized senders. Authentication applies to users when they connect and, with the better protocols, to every individual packet as well.

3. "Tunneling" encapsulates your message within a standard Internet "envelope". All packages entering your company look identical from the outside. The contents may be data, voice, video or any other type of digital data, regardless of its format. This allows data to be shared using the network protocols that already exist within a corporation, even if they aren't compatible with Internet protocols. Note that tunneling by itself does not hide anything: the inner message is simply carried inside the outer envelope, and an onlooker who captures it can read the contents and the internal addresses unless the envelope is also encrypted (next item). Tunneling plus encryption is what hides both the nature of the data and its contents.

4. "Encryption" scrambles the data inside the package using a published, well-studied method (the "encryption algorithm") and a secret "key" known only to the sender and receiver. It is the key, not the algorithm, that must remain secret, and keys are changed frequently ("rekeyed") so that a compromised key exposes only a limited amount of traffic. If, after all of the precautions taken above, someone intercepts a package and opens it, the contents would appear shredded and indecipherable.
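The four functions above, and what goes wrong when one of them is missing, are easier to see in code. The following is an added example for this page, not code from the booklet, from AT&T or from any VPN vendor. The packet layout (sequence number, flag byte, body, 32-byte tag), the 32-byte demo keys, the two private address ranges and the HMAC-SHA256 counter-mode stream cipher are all assumptions made so that it runs with the Python standard library alone; a real VPN gateway uses IPSec ESP with a vetted cipher such as AES-GCM, and the toy cipher here must not be deployed.

```python
"""Toy model of partitioning, authentication, tunneling and encryption.

Added example; not code from the booklet or from any vendor. Packet format,
keys, address plan and the HMAC-based stream cipher are assumptions for
illustration only. Real VPNs use IPSec ESP with a vetted cipher.
"""
import hashlib
import hmac
import ipaddress
import struct

# Partitioning: the (assumed) private address plan the gateway will carry.
PRIVATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]

HEADER_FMT = ">QB"          # 64-bit sequence number, 1-byte "encrypted" flag
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAG_LEN = hashlib.sha256().digest_size


def is_partitioned(addr: str) -> bool:
    """True if addr belongs to the private plan; anything else is dropped."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def _keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, keyed per packet sequence number (toy)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">QI", seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class TunnelEndpoint:
    """One VPN gateway. Both ends share enc_key and auth_key (assumed to have
    been distributed out of band; key management is a separate topic)."""

    def __init__(self, enc_key: bytes, auth_key: bytes):
        self.enc_key, self.auth_key = enc_key, auth_key
        self.send_seq = 0        # sequence number of the last packet sent
        self.last_seen = 0       # highest sequence number accepted so far

    def encapsulate(self, inner_src: str, inner_dst: str, payload: bytes,
                    encrypt: bool = True) -> bytes:
        """Tunneling: wrap inner addresses and payload in an outer envelope."""
        if not (is_partitioned(inner_src) and is_partitioned(inner_dst)):
            raise ValueError("address outside the partitioned plan")
        self.send_seq += 1
        inner = f"{inner_src}>{inner_dst}|".encode() + payload
        header = struct.pack(HEADER_FMT, self.send_seq, 1 if encrypt else 0)
        body = _xor(inner, _keystream(self.enc_key, self.send_seq, len(inner))) if encrypt else inner
        # Authentication: the tag covers header and body (encrypt-then-MAC), so
        # a forged or altered envelope is rejected before any decryption.
        tag = hmac.new(self.auth_key, header + body, hashlib.sha256).digest()
        return header + body + tag

    def decapsulate(self, packet: bytes) -> tuple:
        header, body, tag = packet[:HEADER_LEN], packet[HEADER_LEN:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.auth_key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed: forged or corrupted packet")
        seq, flag = struct.unpack(HEADER_FMT, header)
        if seq <= self.last_seen:                       # simplified anti-replay
            raise ValueError("replayed packet")
        self.last_seen = seq
        inner = _xor(body, _keystream(self.enc_key, seq, len(body))) if flag else body
        addrs, _, payload = inner.partition(b"|")
        src, dst = addrs.decode().split(">")
        return src, dst, payload


def run_demo() -> dict:
    """Send one encrypted and one tunnel-only packet, then try a tampered copy
    and a replay. Returns what an onlooker or the receiving gateway sees."""
    enc_key, auth_key = b"E" * 32, b"A" * 32           # constructed demo keys
    chicago = TunnelEndpoint(enc_key, auth_key)
    new_york = TunnelEndpoint(enc_key, auth_key)
    secret = b"PAYROLL total=1234567"                   # constructed payload

    sealed = chicago.encapsulate("10.1.0.7", "192.168.5.20", secret)
    tunnel_only = chicago.encapsulate("10.1.0.7", "192.168.5.20", secret, encrypt=False)
    results = {
        "encrypted_exposes_payload": secret in sealed,       # tunnel + encryption
        "tunnel_only_exposes_payload": secret in tunnel_only,  # tunnel alone
        "delivered_intact": new_york.decapsulate(sealed) == ("10.1.0.7", "192.168.5.20", secret),
    }
    tampered = bytearray(sealed)
    tampered[HEADER_LEN + 2] ^= 0x01                    # flip one bit of the body
    try:
        new_york.decapsulate(bytes(tampered))
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    try:
        new_york.decapsulate(sealed)                    # same envelope a second time
        results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running it shows the point of item 3: the tunnel-only envelope still contains "PAYROLL" in the clear, while the encrypted one does not; the tampered and replayed envelopes are both rejected by the receiving gateway before decryption because the tag and sequence number are checked first.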

The hardware and software to accomplish all of these tasks exists today. Manufacturers and ISPs use different methods to achieve partitioning, authentication, tunneling and encryption. Some of the software, hardware and methods are superior to others. In fact, there are several competing "standards", which are discussed in the next chapter.

The main thing to keep in mind here, is that only first tier, facilities-based ISPs can furnish the partitioning, authentication, tunneling and encryption to assure the security of your VPN.

 

What VPN standards exist?

There are a number of standards that apply to VPN technology. The information that follows describes the OSI model and the protocols used for VPNs, and it can be enormously helpful to you in sorting through the alphabet soup of acronyms that apply to VPN standards.

The OSI Model

The first standard that's important to understand is the "OSI model". OSI stands for Open Systems Interconnection and it applies to nearly every network protocol in use today. It was designed to allow different manufacturers to build network hardware and software that would interact seamlessly with the products of other manufacturers. For your purposes, it serves as a useful way of thinking about networks, in general.

The OSI model consists of seven layers, from the "Physical Layer" (hardware such as PC network cards) at the bottom of the stack to the "Application Layer" (software that provides network functions like the exchange of e-mail) at the top. To implement a secure VPN, the most important layers are the second (the "Data Link Layer"), the third (the "Network Layer") and the fourth (the "Transport Layer"), because these are where most of the security features are implemented.

The most efficient VPN protocols take advantage of higher layers on the OSI model: Protocols that operate on "Layer 3," for instance, are more efficient than those that operate on "Layer 2." Below is a brief summary of all seven layers to give you a complete picture of the OSI model. Then you'll want to read about protocols available specifically for VPNs.

Layer 1 -- Physical Layer
This layer encodes and decodes digital bits (1s and 0s) between network interfaces. It is typically a function of an interface card, rather than software.

Layer 2 -- Data Link Layer
The data link layer is concerned with the transmission of frames from one network interface card to another on the same physical network, based on the hardware (MAC) addresses of the interface cards. Some of the standard protocols at this level are Token Ring and Ethernet. These protocols are typically enabled by software (called device drivers).

Layer 3 -- Network Layer
The network layer is concerned with moving packets across multiple networks from source to destination. It operates on the basis of network addresses that are global in nature, and routers forward packets by examining these addresses. On the Internet, the network layer protocol is the "Internet Protocol" (IP).

Layer 4 -- Transport Layer
The transport layer assures the safe, intact arrival of messages. It makes the receiver aware that it is going to receive a message, verifies that it arrived exactly as it was sent, controls the flow of the message if the receiver is getting it too fast, and re-transmits portions that arrive garbled. On the Internet, the principal transport layer protocol is the "Transmission Control Protocol" (TCP).

Layer 5 -- Session Layer
The session layer establishes, maintains and terminates the dialogue between two communicating programs. A "virtual connection" is established when a transmitting station communicates with the receiving station and tells it to set up and maintain the communications link; the session layer also tears the connection down when the exchange is finished.

Layer 6 -- Presentation Layer
The presentation layer is responsible for formatting the data in a way the receiving computer can understand. It may also translate between different data formats.

Layer 7 -- Application Layer

The application layer provides the services of the network, and is the only layer that most network users see as they work on the network. These services include network file transfer and management, remote control of computers and software, electronic mail services, and network directory services.

VPN PROTOCOLS

There are four competing VPN protocols. It is important to know a little about each one, because they are not equal. It is also important to know about the "OSI Model", since many of these protocols are named after OSI layers.

PPTP: Point-to-Point Tunneling Protocol

This is a tunneling protocol that supports flow control and multiprotocol tunneling between routers, servers or clients over the Internet. It was developed by a consortium of network product vendors and operates in layer 2. It does not define security features of its own; any authentication or encryption comes from the PPP connection carried inside the tunnel, not from PPTP itself.

L2F: Layer 2 Forwarding Protocol

This protocol also supports multiprotocol tunneling. An advantage of L2F is that it can create tunnels to multiple locations. Like PPTP, L2F is a vendor-driven specification (it originated at Cisco), and does not contain security features of its own.

L2TP: Layer 2 Tunneling Protocol

Interoperability is an issue with both PPTP and L2F protocols. L2TP is an Internet Engineering Task Force draft specification and actually is a combination of PPTP and L2F. L2TP supports the same tunneling and multiprotocol support, as well as interoperating with other L2TP products. It is a better solution than PPTP or L2F, but it operates on layer 2 and does not contain security features; where encryption and per-packet authentication are needed, L2TP is normally carried inside IPSec, described next.

IPSec: Internet Protocol Security

This is the only protocol of the four that integrates authentication and encryption. It works on Layer 3 of the OSI model and allows each data packet to be individually authenticated and encrypted, so that a packet that was forged, altered in transit or sent by an unauthorized source is discarded. IPSec is designed specifically to operate on the Internet, using Internet protocols. IPSec has gained industry-wide support since its introduction. It was named the tunneling and security protocol of choice by the largest (10,000 user) VPN in existence (the Automotive Industry Action Group).

While it is important to be aware of all of the available protocols, IPSec is clearly the protocol of choice if you are building a VPN from the ground up. Not all VPN providers use this standard, however. Make sure that your ISP has this capability before entering into a service agreement.

 

Why is "latency" important?

The Internet was not originally designed to operate in "real-time" mode. Real-time applications include telephone or interactive videoconferences and remote process control. Web browsing, e-mail, data transfer, even broadcast audio and video over the Internet present no problems, given enough bandwidth. But real-time applications encounter a condition called "latency".

Latency is the delay between the moment data is sent and the moment it arrives. Part of it is processing: each Internet data packet carries its own address in an "envelope", and every router along the path must open the envelope, read the address and forward the data toward its destination. Part of it is queuing, when a busy link makes packets wait their turn, and part is simple propagation time over the distance travelled. The total is measured in fractions of a second and is usually imperceptible. However, a delay of even less than a quarter of a second between when the sender speaks and the listener hears the message can cause an unnatural pace to human conversation. Anyone who has had a telephone conversation transmitted by satellite has experienced a similar delay.

If your VPN application includes remote process control, audio-video conferencing, Internet telephony or any other kind of real-time application, latency will be a concern. And with VPN, latency becomes an even larger concern because the encryption and decryption processes that ensure security can introduce additional delays. Fortunately, there are ways to minimize these effects.

Latency caused by encryption and decryption can be greatly reduced by the use of hardware-based encryption at each entrance into the VPN. This shifts the burden onto specialized equipment that speeds up the process. The alternative is software-based encryption, which competes for processor time on the gateway or host and becomes the bottleneck as traffic grows. To reduce the effect of latency to a minimum, hardware-based encryption must be employed.

Much of the latency on the Internet is caused when data moves from one Internet Service Provider to another. If your VPN is provided by a facilities-based ISP that can serve all of your locations, latency will be further reduced. First tier ISPs are working closely to reduce latency on routes that extend from one ISP to another.

Most first tier, facilities-based ISPs are aligned with telephone companies. Some of these companies can deliver Internet and real-time services over a single access to your location, while routing real-time services over the telephone network and Internet services over the Internet. This reduces the latency of the real-time traffic to little more than the propagation delay of the circuit itself. It doesn't get any better than that!

If you intend to use any real-time applications on your VPN, be sure to choose a first tier, facilities-based ISP with an extensive network that includes all of your sensitive VPN locations. Be sure to use a provider that can supply hardware-based encryption, deliver multiple services over a single access facility and route traffic using the most efficient method of delivering real-time data.

 

What about scalability and growth?

Once your VPN is successfully implemented, one thing is inevitable: It will grow. Nodes served by point-to-point circuits will become rare as traffic is diverted to the VPN to reduce costs and increase flexibility. The demand for remote, secure access will grow as the number of traveling, telecommuting and remote employees increases. Secure links with consultants, vendors, subcontractors and partners will become commonplace.

So, before you implement a VPN, think hard about how big your Virtual Private Network will grow. This is important, because all approaches to VPN do not scale beyond a certain point. If you are still growing when you reach that point, your network could require an expensive redesign.

Practical considerations to think about are addressing schemes, protocols, remote access, encryption and authentication keys and management issues.

Your VPN will utilize Internet Protocol addresses. You must make sure that you start with enough dedicated addresses (normally a block from the private address ranges set aside for internal use, plus any registered addresses you need for public services) to allow your network to grow to its largest configuration. Choose ranges that are unlikely to collide with those of the partners and subsidiaries you may later connect. Otherwise, you may be stuck with having to re-address all of your nodes at some point in the future.

The type of VPN protocol can also affect scalability. Tunneling that uses "Layer 2" protocol is less efficient than "Layer 3" tunneling. This means that there are practical limits to how much data can be transmitted on "Layer 2" systems before bandwidth problems arise. In "Layer 3" protocols, the Internet Service Provider handles the overhead required for message routing. In "Layer 2" protocols, it must be handled on your company's equipment. Equipment that resides on your premises will also have difficulties with "Layer 2" systems, as they grow larger. Routers and file servers must handle a greater number of sessions with "Layer 2". This equipment will quickly become overloaded, requiring replacement or upgrades.

How will remote locations access your VPN? Access point locations must match the locations of your employees now and in the future. The number and speed of modems, Integrated Services Digital Network (ISDN), Digital Subscriber Lines (DSL) or other access facilities must be matched to the traffic that will flow on them.

In a small VPN, encryption and authentication keys can be implemented and changed manually. However, this can quickly become an administrative nightmare as the system grows. The need to switch to an automated system could require expensive hardware and software changes in the future.

The ability to manage your VPN is yet another consideration. Will you need to add employees just to manage the VPN?

Talk over all of these issues with your VPN provider. Look at your initial configuration, then ask what will be required to grow to your five year plan. Will there be any unpleasant, disruptive or expensive transition points? If you've chosen the right VPN partner, they will have most, if not all, of the answers.


What is a VPDN?

One of the greatest benefits of VPN is the ability to provide secure network access to remote employees.

A VPDN is a Virtual Private Dial Network. This allows remote, telecommuting or traveling employees secure access to your data. It will require dial up access lines using regular telephone lines, high-speed modems, ISDN, DSL or other transmission methods. You will have these requirements at both ends of the connection, so modem pools, routers and encryption software must exist in sufficient quantities to cover your needs.

Most companies use the inbound access facilities of a VPN provider that already maintains the modem pools, routers, other hardware, software and network facilities. It is important to understand how security is maintained at these facilities, since they are often shared with other, non-secure Internet access.

Telecommuters can program a specific local number into their computer to access the VPN, but travelers aren't inclined to look up a local number for every geographical location they visit. Instead, they dial back into the modem pool at the headquarters location, incurring long distance charges. This is a good reason to work with a VPN provider that has 800-number access for your VPN: All of the traveling laptops can dial the same access number and reduce costs, as well.

If you plan to implement a VPDN, make sure you choose a provider that can service all of your remote and mobile locations with points-of-presence and modem pools. The provider must furnish easy access to the system, while maintaining absolute security (see "What about security?" on page XX). Your VPN partner must also allow you to manage the VPDN in real-time, through the implementation of a RADIUS (Remote Authentication Dial-in User Service) system, as you'll soon see.


Managing and measuring a VPN

There are several management issues to consider before implementing a Virtual Private Network: Service Level Agreements, access to real-time status of your VPN, accounting or usage tracking, VPN provisioning, trouble management, security management and real-time remote access authorization should all be primary concerns.

Quality of service is extremely important for a VPN. Any VPN provider should be willing to enter into an agreement to guarantee a level of service on your VPN. This Service Level Agreement (SLA) should guarantee availability of not less than 99.8%, including scheduled maintenance and local loop problems. Be sure to ask if the ISP's availability statistics include these factors.

Service Level Agreements containing guarantees for latency are difficult for an ISP to provide. Latency can be affected by traffic that goes outside of an ISP's backbone, the type of encryption used, and network overhead beyond the ISP's control. Frankly, the best latency assurance achievable today is to select a facilities-based ISP that has points-of-presence where your VPN nodes will be located and that employs hardware based encryption. When you find such an ISP, it would be worthwhile to discuss latency SLA performance criteria for traffic under the control of the ISP. If your system is designed properly, an ISP may be willing to issue a latency SLA. 

Access to real-time information on the performance of your VPN is essential. A VPN provider should be able to furnish tools that allow your company to monitor network performance. The interface to these tools should be secure and easy to use. Most network managers prefer a Web-based interface for ease of accessibility and use. Be sure to ask for a demonstration of your VPN provider's tools to make sure that they will meet your requirements.

Frequently, a network manager is required to provide information to internal users that allows for an accounting and allocation of network costs. If this requirement exists within your organization, be sure to discuss your needs with your ISP to make sure they'll meet your requirements.

Once your VPN is designed, how will it be implemented? Purchasing, integrating and deploying equipment and software, coordination of vendors, testing and troubleshooting a VPN can be expensive, time consuming and challenging for the most experienced network manager. Some ISPs offer turnkey solutions that include all of these functions. Your VPN implementation will go much smoother if you choose an ISP that has extensive experience in such implementations.

Trouble management is another key consideration: Your VPN provider's trouble management system must integrate seamlessly with your company's system. This integration should be discussed with your ISP before an agreement is signed. How will trouble calls enter the system? Who will be notified? How will trouble escalation take place? What criteria must be met before a trouble report is closed? Most network managers agree that the ISP should take responsibility for end-to-end trouble management, and that the network manager should be notified and participate in escalated trouble calls.

Security management can be a time consuming task, so it's a good idea to make your ISP responsible for issuing of digital authenticating certificates and encryption keys. This is especially important as the VPN grows and the security infrastructure requires more frequent maintenance.

However, you will want to retain control over access privileges for your dial-in clients so that you can make real-time adjustments if there are personnel changes, computers are misplaced or security is compromised. Remote user communities tend to be dynamically changing environments. You can retain control by implementing Remote Authentication Dial-in User Service (RADIUS). In a RADIUS system, a remote user dials into an ISP's modem/ISDN bank. A challenge is issued to the remote user, who must respond with correct identification. This information is routed to an authentication computer on your company's premises, which issues an authorization back to the ISP to allow entrance of the user onto the VPN. Although this entire procedure is transparent to the user, it permits your company to control dial access in real-time without having to update authorization tables throughout the ISP's network.
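The exchange just described, as an added example (illustration code written for this Web version; it is not part of the original Roadmap and is not any provider's product): three parties are modelled, the remote user's laptop, the ISP's access server in the modem bank, and the authentication computer on the company's premises. Packet layout and the challenge/response handling follow RFC 2865 (RADIUS with CHAP attributes); the user names, passwords and shared secret are made up. Revoking a user at the company server takes effect on the very next call, with no change at the ISP, which is the real-time control the paragraph describes.

```python
"""Added example, not from the Roadmap: a RADIUS challenge/response exchange.

Three parties: the remote user's laptop, the ISP's access server (NAS) in the
modem bank, and the authentication computer on company premises. Packet
layout and CHAP handling follow RFC 2865. User names, passwords and the
shared secret are constructed for this example.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 3, 60   # RFC 2865 attribute types


def encode_attrs(attrs):
    """Attributes are type (1 byte), length including header (1 byte), value."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2:
            break                       # malformed attribute: stop, do not loop
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s.3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def laptop_chap_response(password, chap_ident, challenge):
    """The user's machine answers the challenge; the password never leaves it."""
    return hashlib.md5(chap_ident + password.encode() + challenge).digest()


class CompanyRadiusServer:
    """Authentication computer on company premises; the user table lives here."""

    def __init__(self, secret, users):
        self.secret = secret
        self.users = dict(users)        # user name -> password (constructed)

    def revoke(self, user):
        self.users.pop(user, None)      # takes effect on the next request

    def handle(self, packet):
        code, ident, length = struct.unpack("!BBH", packet[:4])
        request_auth = packet[4:20]
        attrs = decode_attrs(packet[20:length])
        user = attrs.get(USER_NAME, b"").decode(errors="replace")
        chap = attrs.get(CHAP_PASSWORD, b"")
        challenge = attrs.get(CHAP_CHALLENGE, b"")
        ok = False
        if code == ACCESS_REQUEST and user in self.users and len(chap) == 17:
            expected = laptop_chap_response(self.users[user], chap[:1], challenge)
            ok = chap[1:] == expected
        reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
        auth = response_authenticator(reply_code, ident, request_auth, b"", self.secret)
        return struct.pack("!BBH", reply_code, ident, 20) + auth


class IspAccessServer:
    """NAS in the ISP's modem bank: holds the shared secret, no user passwords."""

    def __init__(self, secret, company_server):
        self.secret = secret
        self.company = company_server
        self.ident = 0

    def dial_in(self, user, password):
        """Simulate one call; `password` is used only to play the user's laptop."""
        challenge = os.urandom(16)                  # challenge issued to the user
        chap_ident = b"\x01"
        chap = chap_ident + laptop_chap_response(password, chap_ident, challenge)
        attrs = encode_attrs([(USER_NAME, user.encode()),
                              (CHAP_PASSWORD, chap),
                              (CHAP_CHALLENGE, challenge)])
        request_auth = os.urandom(16)
        self.ident = (self.ident + 1) % 256
        header = struct.pack("!BBH", ACCESS_REQUEST, self.ident, 20 + len(attrs))
        reply = self.company.handle(header + request_auth + attrs)
        code, ident, length = struct.unpack("!BBH", reply[:4])
        expected = response_authenticator(code, ident, request_auth,
                                          reply[20:length], self.secret)
        if ident != self.ident or reply[4:20] != expected:
            return False                            # forged or altered reply
        return code == ACCESS_ACCEPT


if __name__ == "__main__":
    company = CompanyRadiusServer(b"shared-secret", {"alice": "correct horse"})
    nas = IspAccessServer(b"shared-secret", company)
    print("alice, right password:", nas.dial_in("alice", "correct horse"))   # True
    print("alice, wrong password:", nas.dial_in("alice", "guess"))           # False
    company.revoke("alice")
    print("alice after revocation:", nas.dial_in("alice", "correct horse")) # False
```

Two properties matter for the division of responsibility in the text: the ISP's equipment never holds user passwords, only the shared secret it needs to check that an Access-Accept really came from the company's server; and the company's user table is the single place where access is granted or withdrawn.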

The main reason for implementing a VPN is to reduce costs. Be aware that many ISPs may charge extra to furnish the tools and support needed to manage and measure the performance of a VPN, while a few include them at no additional cost. Be sure to find out how much you will be charged to get the support you require. 

 


The importance of end-to-end responsibility

End-to-end responsibility has been discussed repeatedly throughout this guide. Nevertheless, it is worthwhile to summarize its importance here for the simple reason that it can't be overstated or overemphasized. By now, it should be clear that the success of your VPN depends on the success of your partnership with the VPN provider. That success will, in turn, depend on the provider's ability to provide full end-to-end responsibility for your VPN.

The only ISPs that can provide this level of responsibility are first tier, facilities-based providers. That's why it's so important to choose a provider that completely owns and controls its network facilities in every major node of your VPN: If your corporate data access is impaired, the last thing you need is two or even three vendors insisting that other vendors are responsible.

When you select a facilities-based partner that takes end-to-end responsibility:

· Your service agreements will have more meaning.

· Latency will be better controlled.

· Security will be better maintained.

· Hardware and software compatibility issues will be greatly reduced.

· Hardware, software and network upgrades will be provided by the vendor, further reducing costs.

· Network management and maintenance tasks will be shifted from in-house to the ISP, reducing overhead costs.

· You retain control of remote user access, full network performance monitoring and trouble correction processes.

· Labor intensive security management will be handled by the ISP, saving you more.

Creative use of bandwidth to your company locations can allow secure VPN data, Internet, voice telephone, fax, video and other services to arrive via a single digital pipeline. This reduces cost while simplifying the task of network management. There are obvious advantages of managing a single network access facility, calling a single vendor and paying a single, reduced bill. This approach can also simplify the lives of your team members: Everyone from your MIS staff to the Accounting department to the President of your company will appreciate the wisdom of partnering with a VPN provider who takes end-to-end responsibility.

Remember, not every ISP can provide this level of service. Ask your prospective VPN partner if they can support you to this degree.

 


Integrating a VPN into an existing network environment

Most companies that deploy a Virtual Private Network will integrate it into an existing network infrastructure that may contain Local Area Networks, Wide Area Networks, some form of dial-up access, Internet access, management tools, security systems and legacy hardware and software.

Your VPN provider should be made completely aware of all aspects of your existing networks. The time to work out compatibility, protocol and management issues is before the final VPN design. Your current design might demand layer 2 routing, rather than the preferred layer 3. Your trouble management system may have specific requirements that the VPN provider's system must comply with. Bandwidth may be an issue at certain locations. Legacy systems may require gateways or routers to access the VPN. Firewalls and security must be discussed. Current user interfaces, operating systems and data exchange formats must be supported. Corporate network administration policies must be enforceable on the VPN.

Your VPN partner must be able to talk intelligently about these issues and accommodate your requirements.

 


What should I look for in a VPN provider?

First, be aware that a VPN provider is providing service, not a commodity. One of the most common mistakes that companies make in selecting their provider is to assume that all VPN providers are equal. They clearly are not.

Once companies start using and then depending on their VPN, they find that it becomes a critical part of their business. That's why your network must be as reliable, secure and easy to use as your telephone service. Choosing the wrong VPN partner can have an unfortunate effect on your bottom line, because it will waste your employees' time, delay or fail to deliver important communications, and frustrate automated business processes. The only partner that can properly deliver your VPN service is a first-tier, facilities-based provider with points of presence in all your major VPN node locations. Often, first tier providers, operated by national or international telecommunications providers, can save money by integrating VPN, Internet, data, voice and other telecommunications services.

Discuss the following issues with the prospective VPN provider to determine if they can meet your detailed VPN requirements.

Full Range of Services

Does the provider offer a full range of services, or is it simply filling a niche? If you have to increase or decrease your service level, will they be able to accommodate you? Or, will you have to switch providers?

Can the service provider integrate VPN, Internet, data, voice and other telecommunications services?

Does the potential provider offer true one-stop shopping? Will they supply equipment, manuals, training, consulting, on-site analysis, installation and other support in addition to basic service?

Availability

Availability for direct connections is measured as a percentage of uptime for the network under control of the VPN provider. This should not be less than 99.8%, including scheduled maintenance and local loop problems. Be sure to ask if the provider's availability statistics include these factors. Your VPN partner should be willing to provide a Service Level Agreement (SLA) that includes availability guarantees including scheduled maintenance and local loop outages.
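How much the counting rule matters, as an added example (illustration code written for this Web version, not part of the original Roadmap): the same constructed month of outages is scored against the 99.8% floor three ways, once with every outage counted, once with scheduled maintenance left out, and once with both scheduled maintenance and local loop failures left out. This is the check to apply to any availability figure you are quoted, here and in the SLA discussion under "Managing and measuring a VPN". The outage records are made up.

```python
"""Added example, not from the Roadmap: scoring an availability figure against
the 99.8% SLA floor under different counting rules.

The outage log is constructed. It shows why the question "do your statistics
include scheduled maintenance and local loop problems?" matters: one month
passes or fails the SLA depending on which outages the provider excludes.
"""
import math

SLA_PCT = 99.8                  # availability floor recommended in the text
MONTH_MINUTES = 30 * 24 * 60    # 43,200 minutes in a 30-day month
YEAR_MINUTES = 365 * 24 * 60    # 525,600 minutes in a year

# Constructed outage log for one month: (date, minutes down, category).
OUTAGES = [
    ("03-03", 45, "scheduled maintenance"),
    ("03-11", 30, "local loop"),
    ("03-20", 20, "backbone"),
]


def allowed_downtime(period_minutes, sla_pct=SLA_PCT):
    """Minutes of downtime the SLA permits in the period."""
    return period_minutes * (100.0 - sla_pct) / 100.0


def availability(outages, period_minutes, exclude=()):
    """Uptime percentage; categories listed in `exclude` are not counted."""
    down = sum(minutes for _, minutes, category in outages if category not in exclude)
    return 100.0 * (1.0 - down / period_minutes)


def sla_met(outages, period_minutes, exclude=(), sla_pct=SLA_PCT):
    return availability(outages, period_minutes, exclude) >= sla_pct


def report(outages=OUTAGES, period_minutes=MONTH_MINUTES):
    """Availability as a provider might report it under three counting rules."""
    return {
        "all outages counted":
            round(availability(outages, period_minutes), 3),
        "maintenance excluded":
            round(availability(outages, period_minutes,
                               ("scheduled maintenance",)), 3),
        "maintenance and local loop excluded":
            round(availability(outages, period_minutes,
                               ("scheduled maintenance", "local loop")), 3),
    }


if __name__ == "__main__":
    print(f"allowed downtime: {allowed_downtime(MONTH_MINUTES):.1f} min/month, "
          f"{allowed_downtime(YEAR_MINUTES) / 60:.2f} h/year")
    for rule, pct in report().items():
        verdict = "meets" if pct >= SLA_PCT else "misses"
        print(f"{rule}: {pct}% -> {verdict} {SLA_PCT}%")
```

With every outage counted the constructed month comes to about 99.78% and misses the floor; drop the maintenance window from the count and the same month reports about 99.88% and passes. A provider that excludes categories is not lying about its arithmetic, it is answering a different question, which is why the text insists that the SLA name the categories it covers.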

Network Topology and Security

This is important. By reviewing the firm's network topology, you can determine how vulnerable the network is to outages, how much capacity is available when the network is operating at peak load periods and how well the provider understands sound network engineering.

Reputable providers will provide information on their network topology because it gives them the opportunity to explain how well they understand their business.

Examine the network topology closely. Is the backbone operated by the VPN provider? Is the backbone at full OC-3 or higher speeds? Where are the provider's points of presence? On critical routes, is the backbone redundant so that traffic can be carried even though an outage occurs?

Once you've evaluated the physical topology, you need to examine the speeds of the backbone links. Your organization's network connection can only be as fast as the slowest link in the network path. Does the ISP utilize SONET technology? SONET (Synchronous Optical Network) services have many advantages:

· The service can be configured at speeds up to OC-48 (2,488 Mbps) in a ring configuration, as well as OC-3 (155 Mbps) and OC-12 (622 Mbps) in a linear topology.

· SONET architecture offers increased network survivability as well as the benefits of central monitoring and control capabilities.

· SONET provides self-healing rings that can automatically reroute transmissions in as little as 50 milliseconds.

Even if your organization has a T3 node, if there is only a T1 link between your connection and the Internet backbone, throughput will be limited to the slower speed. It would be the same as hooking a half-inch garden hose to a fire hydrant. The limiting factor is the garden hose, not the fire hydrant. If the provider claims to have a high-speed backbone, determine if the speed is available now or is being planned. Determine if the topology you are being shown is operational or still in development. Some providers have been known to show links that aren't operational as part of their backbone infrastructure.

Some providers claim to have a high speed backbone but they may only have a "fractional" T3 connection, running at the slower range of T1 speeds. Be sure to ask.


How secure must the data be between network locations? What is the best way to implement security for dial-in nodes? How will the service provider meet your requirements?

Will the service provider guarantee end-to-end integrity of your system? Will they provide the management tools necessary for you to monitor the network in real-time?

As new standards for VPN emerge, will your service provider implement them?

Is the design scalable so that nodes and bandwidth can be added to meet your growth needs? How much capacity can be added before performance suffers?

Does the service provider use hardware devices to minimize the delay normally caused by encryption algorithms? What type of IP addressing will be used to keep your traffic segregated from Internet traffic? Is the network designed to carry your traffic without delay, even during peak periods? Does the service provider own and control their own facilities? Are they fiber-optic based to provide the greatest reliability and integrity of your data?

How will you measure the performance of your network? Does the service provider offer tools to monitor performance in real-time? Are the tools included in the price? Are the tools easy to access and use?

Does the service provider have access to all of the technology required to meet the needs of your company, both now and in the future? Can the provider furnish transport mode (layer 4) encryption in addition to IPSec tunneling mode protocol?

Technical Staff

The most important area to check when choosing a VPN Provider is the quality of their technical staff. These are the people who get your connection installed and keep it and the network running.

Check the staff's experience in TCP/IP data networking (TCP/IP is the network protocol that the Internet requires to work). They should have several staff members who have had extensive experience in this area. Make certain that the technical staff consists of individuals who are experienced with TCP/IP and not just "networking-related" projects.

Make certain that the provider has adequate staff to handle unusual situations, which may arise. Many service providers are vulnerable to failure due to inadequate staff capacity during heavy traffic or network difficulties.

Network Operations Center

Take a close look at the provider's Network Operations Center (NOC). It should be staffed round-the-clock and round-the-calendar. The network must be accessible to your employees who may be working outside of normal business hours.


Determine how the NOC is staffed. While it is normal to have junior staff members on duty at odd hours of the night, it is critical that senior personnel be onsite between 6:00 a.m. and 9:00 p.m. Monday through Friday in all areas that your network extends to. If a connection fails during these business hours, your requirements deserve to have senior people immediately available to resolve the situation.

The Network Operations Center should be constantly testing each link of the network to provide proactive service to fix a problem before it affects your business.

The NOC should be equipped with an Uninterruptible Power Supply (UPS) and a self contained diesel generator to power the operation during a power outage.

The NOC should be redundant (mirrored in several geographically dispersed locations). A local disaster at the NOC site should not interrupt your service.

Can the Network Operations centers remotely troubleshoot the entire network, including connectivity, routers on your premises and encryption devices?

Organization Stability

Determine how long the firm has been in the business. Are they in the business for the long haul?

Determine their financial stability. If they are publicly held, ask for copies of their audited financial statements. If they are a division or subsidiary of a larger corporation, determine the fiscal health of the parent firm and their commitment to the ISP services industry.

Determine if they have one or two major accounts that provide a majority of their revenue. The loss of these accounts could dramatically impact their ability to maintain quality of service for your firm.

Comparison Shop

Carry out a price/benefit analysis.

While prices should be competitive when compared to other business oriented providers, beware of prices that appear to be too low. The least expensive providers make compromises on backbone capacity, access capacity (dial up and ISDN) and support services. Be sure that your VPN partner is as professional as your organization.


You know the reliability of your current data network. Can the VPN provider improve on that level of service? Up-time? Bandwidth? A realistic expectation is a service level of 99.8% uptime, including scheduled downtime and downtime associated with local access facilities. Will the service provider guarantee these service levels?


Some providers may appear to be less expensive than others. Make certain you are doing an "apples-to-apples" comparison. Don't compare no-frills service with full-service offerings. Make certain that "Basic" service with one is the same as "Basic" service with another provider. Don't get trapped into incurring the added expense of having your employees provide services that the VPN partner should provide.

Make sure that the prices quoted include everything that will be required to provide the service. Does the price include Telco local loop charges? Does it include routers and other necessary equipment? Does it include maintenance, proactive monitoring and network management? Some providers do not include these charges so that their price will appear lower.

Your consideration should be limited to first tier providers. These providers have the resources to properly service your Internet needs. They are in the business for the long term. And in the long term, they are the most cost effective solution, since they also have the power to integrate your telephony, private data and Internet requirements.

Ask for customer references. Talk to them. Find out what issues current customers have. They may be the same as yours.

Once individuals and organizations begin taking advantage of the cost savings, power, flexibility and capabilities made available by VPN, they wonder how they ever got along without it. The key is to select a responsive and responsible service provider that can help you optimize the use of this new professional and business tool.

Any service provider should be willing to discuss all of these subjects with you, provide a careful analysis of your needs and present a comprehensive proposal to meet your requirements.

 


The bottom line: 20 questions to ask a VPN provider

This guide covers a wealth of topics that should be discussed with a Virtual Private Network partner before you commit your company to deploying a VPN. But to quickly qualify a potential partner, ask these twenty questions right up front. If the provider can't answer these twenty questions to your satisfaction, find another one that can.

* 1 *

Q. Are you a first tier, facilities-based provider that owns and operates your network backbone?
A. If they aren't, you can stop right here.

* 2 *

Q. What VPN protocols do you support?

A. The higher the OSI model layers supported, the more efficient. Look for IPSec (layer 3) and transport mode (layer 4). Stay away from layer 2 protocols, if you can.

* 3 *

Q. Do you provide hardware-based encryption to reduce latency and network overhead?
A. If you plan to grow beyond a few VPN nodes, or if you have real-time communications requirements, this is essential.

* 4 *

Q. Can you provide turnkey service for all of our VPN needs, including connection, hardware, software, security, training, network management, trouble call management, integration with our local network and consulting?
A. You may need some or all of these services to augment your in-house staff.

* 5 *

Q. What network management and monitoring tools do you have? Are they included in the price?

A. Ask for a demonstration. The tools should meet your needs, be comprehensive, easy to use and included in the price.

* 6 *

Q. Can you manage encryption keys for the VPN? Can we retain control over dial-up user privileges (RADIUS)?
A. Answer should be yes for both. You will need to save time and money by using the former capability, while retaining flexibility and control by implementing the latter.

* 7 *

Q. What is your typical availability for dedicated connections? How is it measured? Will you guarantee this level of service? Does this guarantee include scheduled downtime and outages due to local facilities failure?
A. 99.8% is acceptable for VPN services, including scheduled downtime and local facility failures.

* 8 *

Q. How will you control latency on our VPN? Will you guarantee performance?
A. You should be satisfied that latency will be controlled to a degree that matches your use of the VPN. If they guarantee latency performance within their network backbone, it's a large plus.

* 9 *

Q. How will you avoid obsolescence? Will you support new standards?
A. Your VPN partner must have a plan to avoid obsolescence. This field is evolving so quickly that changing standards are a major factor.

* 10 *

Q. Can you give me a network topology map? Does your topology include SONET technology?
A. Don't select a provider who can't furnish a topology map. Make sure the backbone extends throughout the area where your VPN nodes will be located. SONET provides advantages in speed, reliability and self-healing features.

* 11 *

Q. Is the backbone full OC-3 or faster? Does it exist today?
A. Any answer other than a full OC-3 in existence today is unacceptable.

* 12 *

Q. Are the backbone and routes to major connection points redundant to avoid single point of failure problems?
A. This is absolutely essential to provide sufficient reliability for business use.

* 13 *

Q. Is your Network Operations Center staffed with qualified Internet technicians 24 hours per day, every day? Can the technicians remotely troubleshoot the entire network, including connectivity, routers on our premises and encryption devices?

A. Yes is the only acceptable answer. Your employees will need to work outside of normal business hours. The NOC should be able to troubleshoot the entire network.

* 14 *

Q. Does your Network Operations Center have a back up power generator? Does it have multiple SONET connections?

A. An indication of how seriously they take the business.

* 15 *

Q. Do you use multiple Network Operations Centers and diverse backbone routing?
A. A necessary feature to avoid failures, even during catastrophes.

* 16 *

Q. Does your Network Operations Center continuously monitor each link to proactively fix problems before they affect customers?
A. Any business provider should answer yes.

* 17 *

Q. How will your trouble management systems interface with ours?
A. There should be a seamless integration. If they say "We don't expect trouble" it's time to move on.

* 18 *

Q. How many years have you been providing IP based network service?
A. Seven to ten years shows stability and experience. This is typical of first tier providers.

* 19 *

Q. Can you furnish a business reference list that includes customers in my field?
A. Look for major businesses that you are familiar with, even if they're not in your field.

* 20 *

Q. Can you provide cost savings by integrating my VPN, Internet, voice and data requirements? Can you act as a single source for my data and communications needs?
A. Integrating services is a proven method to reduce costs, hassles and complexity.

 


Virtual Private Network/Security Glossary

Although Virtual Private Networks are relatively new, there is an extensive jargon that accompanies VPN. Most of this terminology is borrowed from other disciplines: networks, telephony, security and the Internet. You certainly will not need to know all of these terms. The purpose of this glossary is to define enough terms so that your conversations with technical staff will be meaningful.

3DES: Triple Data Encryption Standard

AAA: Authentication, Authorization and Accounting

ACP: Access Control Protocol

ARA: AppleTalk Remote Access

ARAP: AppleTalk Remote Access Protocol

ACCESS CONTROL: The ability to determine who has access to what network resources, and to deny service.

APPLICATION-LEVEL FIREWALL: a firewall that blocks or transfers traffic at the application or top level of the OSI model.

ARP: Reverse address resolution protocol.

ATM: Asynchronous transfer mode; high-speed packet switching with dynamic bandwidth allocation.

AUTHENTICATION: Authentication is a method used to prove the identity of any entity attempting to gain access to a virtual private network (VPN).

AUTHORIZATION: The process that grants access to a local or remote computer system, network or to online information.

BANDWIDTH: In common use, the amount of data that can be sent through a given communications circuit.

BROWSER: Software used to find, retrieve, display and move easily among various kinds of Internet resources, including text, video, graphics, etc. Often called a "Web browser".

CAP: Competitive Access Provider

CERTIFICATION AUTHORITY: The entity that distributes electronic keys for encrypting information and electronic certificates for authenticating user and server identities.

CHALLENGE/RESPONSE: An authentication technique that has the server send an unpredictable "challenge" to the user, who then responds with some form of authentication.

CHAP: Challenge Authentication Protocol

CHECKSUM: A computed value sent with a data packet when transmitted. The receiving system computes a new "checksum" and compares the two values to determine whether or not the data was received correctly.

CLIENT: A computer or software that requests a service of another computer system or process (a "server"). For example, a workstation requesting a file from a file server is a client of the file server.

CLIENT-SERVER MODEL: A way to describe many network paradigms, such as the file-server/file-client relationship in a network file system.

CO: Central Office

CPE: Customer Premise Equipment

CRACKER: Someone who breaks into computer systems without permission. Sometimes referred to as a "Hacker".

DEK: Data Encryption Key; used for the encryption of message text and for the computation of message integrity checks.

DES (DATA ENCRYPTION STANDARD): A standard encryption technique that translates data into an unbreakable code for public transmission. It uses a binary number as the encryption key, chosen randomly for each session, to create the encryption pattern.

DIGITAL CERTIFICATES: A public-key directory entry that has been "signed" or validated by a certification authority. Digital certificates verify digital signatures.

DIGITAL SIGNATURE: A coded message added to a document or data that assures the identity of the sender.

DHCP: Dynamic Host Configuration Protocol

DLCI: Data Link Connection Identifier

DNIS: Dialed Number Identification String

DNS: Domain Name System; a general purpose, distributed data query service, mainly used to look up IP addresses based on host names.

DNS SPOOFING: Assuming the DNS name of another system.

DS0: Digital Signal 0 - 64 Kbps

DS1: Digital Signal 1 - 1.544 Mbps

DS3: Digital Signal 3 - 45 Mbps

DSL: Digital Subscriber Line

DSS (DIGITAL SIGNAL STANDARD): A standard that provides data integrity assurance and data origin authentication. It also serves as a legally binding "signature" for electronic transactions.

ELECTRONIC COMMERCE: The use of an information infrastructure through which businesses can speed the exchange of information, improve customer service, reduce operating costs and increase global competitiveness.

EDI (ELECTRONIC DATA INTERCHANGE): A set of standards for exchanging orders and other business transactions by electronic format.

EMAIL (ELECTRONIC MAIL): Enables computer users to exchange messages with each other over a network.

ENCRYPTION: Encryption is the process of disguising information in such a way as to hide its content. Converting the encrypted information back to its original form is called decryption.

ESP: Encapsulating Security Payload

FIPS 140: The Federal Information Processing Standard (FIPS 140) is a standard for key recovery that some hardware-based VPN solutions support. Financial institutions and the U.S. federal government use only VPN solutions that support FIPS 140, which makes it possible to recover an encryption key that has been lost or corrupted. No software-based VPN solutions or firewall-based VPN solutions support FIPS 140.

FIREWALL: A server or collection of components that supervises all traffic in and out of a network, permitting only traffic which is authorized by local security policy to pass.

FTP (FILE TRANSFER PROTOCOL): A protocol allowing computer users to exchange large documents with other users. Commonly used to send or retrieve files with online archives of accumulated software and data.

GATEWAY: A communications device that passes data between networks. May perform data translation between dissimilar networks.

GSSAPI (GENERIC SECURITY SERVICE APPLICATION PROGRAMMING INTERFACE): An Internet standard interface which links between several user or vendor client/server applications (such as the World Wide Web) and a variety of security mechanisms (including both private-key and public-key security).

GRE: Generic Routing Encapsulation

GUI: Graphical User Interface

GW: Gateway

HACKER: A person who enjoys using computers and has a thorough understanding of how they work, as well as the networks they run on. Often misused to mean "cracker" (see definition above).

HASH CODE: A unique, mathematical summary or "fingerprint" of a document that serves to identify the document and its exact contents. Any change in the hash code signifies that the document's contents have been altered.
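The following is an added example, not part of the original booklet, showing the "fingerprint" behaviour this entry describes: the same document always yields the same digest, and a single changed character yields an unrelated one. The sample document is constructed for the illustration; SHA-256 is used as the hash function.

```python
import hashlib
import hmac

# Constructed sample "document" for this illustration (not from the booklet).
ORIGINAL_DOC = b"Purchase order 4471: 120 units at $9.50 each, ship to warehouse B."
# The same document with a single character altered ($9.50 became $9.60).
TAMPERED_DOC = b"Purchase order 4471: 120 units at $9.60 each, ship to warehouse B."


def hash_code(document: bytes) -> str:
    """Compute the document's fingerprint: a fixed-length SHA-256 digest in hex."""
    return hashlib.sha256(document).hexdigest()


def verify_unchanged(document: bytes, recorded_fingerprint: str) -> bool:
    """Recompute the fingerprint and compare it with the one recorded earlier.

    A mismatch means the contents were altered somewhere along the way.
    compare_digest runs in constant time, so the comparison itself reveals
    nothing about where the two values first differ.
    """
    return hmac.compare_digest(hash_code(document), recorded_fingerprint)


def differing_hex_digits(fingerprint_a: str, fingerprint_b: str) -> int:
    """Count the positions at which two fingerprints differ.

    Even a one-character change in the input scrambles most of the 64 hex
    digits, which is what makes the digest usable as a fingerprint.
    """
    return sum(1 for a, b in zip(fingerprint_a, fingerprint_b) if a != b)


if __name__ == "__main__":
    recorded = hash_code(ORIGINAL_DOC)
    print("fingerprint of original:", recorded)
    print("original still intact?  ", verify_unchanged(ORIGINAL_DOC, recorded))
    print("tampered copy intact?   ", verify_unchanged(TAMPERED_DOC, recorded))
    print("hex digits changed:", differing_hex_digits(recorded, hash_code(TAMPERED_DOC)), "of 64")
```

The recorded fingerprint only proves integrity if it was itself received over a trusted path; that is the gap a digital signature or a Message Authentication Code closes, by binding the digest to a key.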

ISDN: Integrated Services Digital Network. Two channels that may be combined for up to 128 Kbps

I-D: Internet Draft; working document of the IETF that is valid for six months and may be updated, replaced, or rendered obsolete; they are often precursors to RFCs.

IETF: Internet Engineering Task Force (IETF) - The IETF is an Internet standards committee. The IETF reviews emerging Internet technologies and determines what must be done to achieve "standard" status.

INTERNET: A worldwide system of computer networks. Networks connected through the Internet use a particular set of communication standards and protocols, known as TCP/IP.

INTEROPERABLE: Software or hardware able to run on multiple machines from multiple vendors effectively, without causing problems.

INTRUSION DETECTION: Detection of attempted network break-ins via software.

IP: Internet protocol.

IP ADDRESS: A 32-bit address, usually represented in dotted decimal notation.

IPSEC: IP Security (IPSec) is an Internet Engineering Task Force (IETF) standard for IP security. The IPSec standard defines a set of security protocols that authenticate TCP/IP connections, add data confidentiality and integrity to TCP/IP packets, and are transparent to the application being used and to the underlying network infrastructure. This VPN protocol operates on layer 3 of the OSI model and incorporates authentication and encryption.

IP SPOOFING: A system impersonating another system by using its IP network address.

ISAKMP/OAKLEY: Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley) is one of two public-key management schemes that the IPSec standard supports. ISAKMP/Oakley is actually a hybrid protocol, integrating ISAKMP with the Oakley key exchange scheme. ISAKMP builds secure associations in multiprotocol environments and has very low overhead. (See also SKIP.)

ISO: International Standards Organization; a voluntary, non-treaty organization founded in 1946 to create international standards in many areas, including computers and communications.

ISP: Internet service provider.

IPVPN: IP-based Virtual Private Network

IPX: Internet Packet Exchange

KERBEROS: A distributed encryption system developed at MIT. It uses symmetric key cryptography.

L2F: Layer 2 Forwarding (L2F) is a tunneling protocol that Cisco Systems Inc. submitted to the IETF as a proposed standard. L2F transports link-layer frames such as Point-to-Point Protocol (PPP) and Serial Line Internet Protocol (SLIP). L2F operates at layer 2 in the Open Systems Interconnection (OSI) model. It does not include encryption.

L2TP: Layer 2 Tunneling Protocol (L2TP) authenticates dial-up users and establishes a router-based connection to a server. L2TP is a combination of L2F and Point-to-Point Tunneling Protocol (PPTP). Specifically, L2TP is designed to tunnel PPP and SLIP sessions over the Internet, operating at layer 2 of the OSI model, and does not include encryption.

LAN: Local area network.

LCP: Link Control Protocol

LEC: Local Exchange Carrier

MAC: Message Authentication Code

MD5: Message Digest v5; an encryption technology.

MPEC: Microsoft's encryption control protocol

MSX: Multi-Service Access Switch

MTBF: Mean Time Between Failure

MTTR: Mean Time to Repair

NCP: Network Control Protocol

NLAM: Network Layer Address Management

OC3: Digital optical cable service up to 115 Mbps

OC12: Digital optical cable service up to 540 Mbps

OSI: Open Systems Interconnection; a standard model of network organization and protocols.

PAP: Password Authentication Protocol

PCAP/TAP: Packet Capture and Trace & Performance

PKIX: Public Key Infrastructure using X.509 standards

POP: Point of presence; a site where there's a collection of telecommunications equipment such as leased lines and routers.

POTS: Plain Old Telephone Service

PPP: point-to-point protocol.

PPTP: PPTP, which encapsulates dial-up PPP traffic, is currently available for Windows NT servers and workstations and also for Windows 95 workstations through an upgrade. It works on layer 2 of the OSI model and does not support security.

PRIVATE-KEY SECURITY: This method is based on both parties having the same encryption key, as in secret-key cryptography. Also known as symmetric-key security, the client and server share a key to encrypt and decrypt data on a network. A common implementation of private-key security is Kerberos (see Kerberos).

PROXY SERVER: A software agent that acts on behalf of something or someone else; decides whether or not the user has permission to use the proxy, perhaps does additional security checks, then connects to a remote destination on behalf of the user.

PSTN: Public Switched Telephone Network

PUBLIC-KEY SECURITY: This is a mechanism for securely distributing encryption keys that are used to "lock" and "unlock" data across an unsecured path. Also known as asymmetric-key security or public-key encryption technology, Public-key security is based on encryption key pairs, in contrast to methods based on having a single, shared key, as with private-key security.
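The two entries above (PRIVATE-KEY SECURITY and PUBLIC-KEY SECURITY) describe a contrast that is easiest to see in code. The following is an added example, not part of the original booklet: a textbook RSA key pair with tiny primes (61 and 53, an assumption chosen so every number fits on the page) is used to "lock" a freshly chosen shared key for transport across an unsecured path; once both ends hold that same key, the symmetric step is a Message Authentication Code computed on each side. The message is constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Toy RSA parameters (textbook example). Assumption for illustration only:
# the primes are tiny so the arithmetic is visible; real key pairs use primes
# of hundreds of digits.
P, Q = 61, 53


def generate_key_pair(p: int = P, q: int = Q, e: int = 17):
    """Return (public_key, private_key) as ((n, e), (n, d)).

    The public half can be handed to anyone; only the holder of d can unlock
    what was locked with e. This is the 'key pair' of public-key security.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def public_encrypt(public_key, m: int) -> int:
    """Lock an integer m (0 <= m < n) with the public key."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def private_decrypt(private_key, c: int) -> int:
    """Unlock with the private key."""
    n, d = private_key
    return pow(c, d, n)


def distribute_session_key(server_public_key):
    """Client side: choose a random shared key and lock it with the server's
    public key. An observer on the path sees only the locked value."""
    n, _ = server_public_key
    session_key = secrets.randbelow(n - 1) + 1
    return session_key, public_encrypt(server_public_key, session_key)


def mac(shared_key: int, message: bytes) -> str:
    """Private-key (symmetric) step: both parties hold the same key, so each
    can compute, and check, the same Message Authentication Code."""
    return hmac.new(shared_key.to_bytes(2, "big"), message, hashlib.sha256).hexdigest()


def key_exchange_demo():
    """Run the whole exchange and report whether both ends agree."""
    server_public, server_private = generate_key_pair()
    client_key, locked_key = distribute_session_key(server_public)  # client
    server_key = private_decrypt(server_private, locked_key)        # server
    message = b"constructed order record #1"
    return {
        "keys_match": client_key == server_key,
        "macs_match": mac(client_key, message) == mac(server_key, message),
        "locked_key_on_the_wire": locked_key,
    }


if __name__ == "__main__":
    print(key_exchange_demo())
```

The contrast the glossary draws is the first step: private-key security assumes both parties already share the key, whereas the key pair lets the shared key be established over the very path that is being secured. Everything after that point (here, the MAC) is ordinary symmetric-key work.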

PVC: Permanent Virtual Circuit

QoS: Quality of Service

RADIUS: Remote Authentication Dial-In User Service

RAS: Remote Access Server

RBOC: Regional Bell Operating Company

RDBMS: Relational Database Management Systems

RFC: Request for comments; a document series used to describe Internet standards.

ROUTER: A device that transmits traffic between networks.

ROBO: Remote Office/Branch Office

RSA: Rivest-Shamir-Adleman public-key cryptosystem. An encryption mechanism by RSA Data Security that uses both a private and a public key. RSA is also used for authentication.

SERVER: A computer or software that provides files or other information, to client software running on other computers.

SHA-1: Secure Hash Algorithm

S-HTTP (SECURE HYPERTEXT TRANSPORT PROTOCOL): A protocol that uses public-key technology to encrypt sensitive data and to verify user and/or server authenticity.

SKIP: Simple Key Management for Internet Protocol (SKIP) is one of two public-key management schemes supported by the IPSec standard. SKIP is optimized for client connections to a remote network. (See also ISAKMP/Oakley.)

SLIP: Serial Line Internet Protocol

SNMP: Simple Network Management Protocol

SOHO: Small Office/Home Office

SSL (SECURE SOCKETS LAYER) PROTOCOL: A security protocol developed by the Netscape Communications Corporation to encrypt sensitive data and to verify server authenticity. Used primarily for Electronic Commerce.

SPKM: A security protocol that uses public-key technology to encrypt sensitive data and to verify user and/or server authenticity.

STEP: Secure Tunnel Establishment Protocol (STEP). Unlike L2TP, which operates at layer 2 of the OSI model, STEP operates at layer 3. STEP prevents PPP connections from monopolizing an Internet connection. If a STEP tunnel is in place, a second concurrent connection can be established.

SVC: Switched Virtual Circuit

T1: Traditional service with bandwidth of 1.544 Mbps

T3: Traditional service with bandwidth of 45 Mbps

TCP: Transmission control protocol.

TCP/IP: Transmission control protocol/Internet protocol. The suite of protocols developed by the U.S. Department of Defense in the 1970s to support the construction of world-wide internetworks. Today, TCP/IP is the predominant protocol of internetworking.

TMA: Tunnel Management

TMS: Tunnel Management Server

TUNNELING: A VPN can be created by using "tunneling." Tunneling is a technology that allows a network transport protocol to carry information for other protocols within its own packets. The packets are delivered unmodified to a remote computer that has been set up to handle them. The packets may be secured using data encryption, authentication or integrity functions. L2F, L2TP, PPTP, and STEP are all tunneling protocols.
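The following is an added example, not part of the original booklet, that shows tunneling at the packet level: an inner IPv4 packet is carried, unmodified, inside the payload of an outer IPv4 packet using the 4-byte GRE header (IP protocol number 47, payload type 0x0800 for IPv4), and the far tunnel endpoint strips the outer headers and hands back the original packet byte for byte. All addresses and the payload are constructed for the illustration.

```python
import socket
import struct

# ver/ihl, tos, total length, id, flags/fragment, ttl, protocol, checksum, src, dst
IPV4_HEADER = "!BBHHHBBH4s4s"
PROTO_GRE = 47            # IP protocol number carried in the outer header
GRE_PROTO_IPV4 = 0x0800   # GRE protocol type for an IPv4 packet inside the tunnel


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet (20-byte header, no options) around payload."""
    header = struct.pack(IPV4_HEADER, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    checksum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + payload


def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload) after validating the header checksum."""
    ihl = (packet[0] & 0x0F) * 4
    header = packet[:ihl]
    if ipv4_checksum(header) != 0:   # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    fields = struct.unpack(IPV4_HEADER, header[:20])
    total_len = fields[2]
    return (socket.inet_ntoa(fields[8]), socket.inet_ntoa(fields[9]),
            fields[6], packet[ihl:total_len])


def encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel endpoint A: wrap the inner packet, untouched, in GRE inside an
    outer IPv4 packet addressed to the other tunnel endpoint."""
    gre_header = struct.pack("!HH", 0, GRE_PROTO_IPV4)  # no optional fields, version 0
    return build_ipv4(tunnel_src, tunnel_dst, PROTO_GRE, gre_header + inner_packet)


def decapsulate(outer_packet: bytes) -> bytes:
    """Tunnel endpoint B: strip the outer IPv4 and GRE headers and return the
    original inner packet exactly as it was sent."""
    _, _, proto, payload = parse_ipv4(outer_packet)
    if proto != PROTO_GRE:
        raise ValueError("outer packet is not GRE")
    flags_version, proto_type = struct.unpack("!HH", payload[:4])
    if flags_version != 0 or proto_type != GRE_PROTO_IPV4:
        raise ValueError("unsupported GRE header or payload type")
    return payload[4:]


def tunnel_demo():
    """Carry a private-address packet across public tunnel endpoints."""
    inner = build_ipv4("192.168.1.10", "10.0.0.5", 6, b"constructed application data")
    outer = encapsulate(inner, "203.0.113.1", "198.51.100.7")
    delivered = decapsulate(outer)
    return {"inner_intact": delivered == inner,
            "inner_dst": parse_ipv4(delivered)[1],
            "outer_bytes": len(outer)}


if __name__ == "__main__":
    print(tunnel_demo())
```

Note that the inner addresses and payload are still readable to anyone on the path: a tunnel by itself only carries the foreign packet, which is why the glossary separately lists encryption, authentication and integrity functions as the means of securing it (and why L2F, L2TP and PPTP are described above as including no encryption).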

UNI: User Network Interface

VIRUS: A self-replicating computer code that can infect a computer or netw