Even in the consumer space, VPN providers are seeing an uptick in interest. Perhaps that's not surprising as the Snowden files detailing widespread online surveillance, on both sides of the Atlantic, have caused many users to look for ways to cloak their online activity. It's more a matter of principle than anything else.
As each new user logs on, they become part of the provider's WAN, in much the same way that businesses have been using VPN for years: to connect their remote offices to centralised resources.
Implementing a corporate VPN needn't be complicated. Neither is there any requirement for its users to understand how it works - or even that they're using one.
"[It lets you] store your files, intranet servers, authentication servers and so on at the head office, and connect to them via the VPN," said Dan Harris of business ISP, Beaming. "You'd have a router with a VPN server at the head office and routers in the branches with specific configurations that allow them to connect back to it... You can do other things like fibre between buildings, which will work, but it's debatable whether this is secure, and it's certainly expensive."
What Harris describes is one of the most common VPN implementations within a disparate business. Called hub and spoke, the corporate HQ or data centre sits at the centre and its remote sites call in. For a long time, this was the only viable infrastructure, but it's latterly been joined by the mesh-configured VPN.
"These have got redundancy built in," explained IT security manager Daniel Prendergast. "If the primary connection back to the hub goes down, the remote offices will refer back to their routing tables to find an alternative track to the resources they need, often through their sister offices. Basically, it's how the internet works, but on a much smaller scale."
Beyond VPN
VPNs may be grabbing the headlines at the moment, but they're not the only option. "Traditionally, you'd have opted for MPLS [Multiprotocol Label Switching] because it guaranteed you a set bandwidth when the internet was still fairly slow," said Prendergast. "That's no longer the case, of course, when broadband frequently tops 500Mbits/sec on fibre, but it remains an option."
Yet MPLS has its detractors. It doesn't offer the flexibility of a VPN, setup costs are higher to reflect the more involved process, and contracts are often longer.
"[It's] really about stitching together a lot of different network protocols," explained Bob Hendy of Cerberus Networks. "When you had multinational companies, they might have a frame relay in one country, an ATM network somewhere else, but now everything is IP everywhere."
IP traffic can just as easily be routed over a VPN, which can be set up in a few hours, taken down instantly and reconfigured whenever business needs change. "You could easily buy another office anywhere in the world, get your connectivity and set up a VPN," said Harris. "You can immediately give your customers peace of mind that their data is being handled securely, which a business might like to use to market itself."
The only downside is that speed isn't guaranteed because the connection passes over the internet, and is thus contended.
A managed solution
Larger businesses with in-house IT will naturally oversee their own VPN, but there's no reason why VPNs can't be handed off to a third-party and hosted in the cloud, effectively making the head office just another node on the WAN.
As far as its users are concerned, they're paying for a virtual gateway in exactly the same way they'd rent a virtual server. It can be scaled up or down as required and managed entirely from one central point, rather than requiring IT support at each office, or for a technician to travel between sites. As the hub is already cloud-based, additional services, such as online backup and PBX, can be added at the same point.
"It's exactly the same as an MPLS service provider would do, but without all that additional kit that's there to support MPLS networks," Hendy said. "We just do it as an Ethernet VPN. The net effect is the same but it's cheaper and more flexible, and we can deploy a lot of VLANs across our network."
Moving the firewall to the cloud and using that as the hub of a virtual spoke-based network consolidates the organisation's out-facing nodes to a single egress point and centralises its security configuration. There are also fewer variables to consider when diagnosing problems as there isn't a separate firewall or authentication server at each remote site.
Partnering VPN
In many cases, it won't be an either/or decision. VPN's flexibility, simplicity and affordability mean that it's easily combined with complementary tech.
"Larger businesses - and particularly those that don't want to consider contention on a daily basis - might opt for MPLS for their primary WAN infrastructure," said Prendergast. "But this could be backed up by an inexpensive VPN, which remains dormant until and unless the MPLS connection goes down. It would be up to the business to decide whether all of its services are available across both connections, but it could offer just a subset over the VPN, perhaps cutting external internet access or bandwidth-hungry applications."
It's a policy that works both ways. Beaming's ProtectNet Plus offering, aimed at the security sector, connects remote sites using a secure VPN backed up by a 4G connection. Monitoring devices, such as cameras and alarms, feed a central monitoring point across the VPN, which is configured to restrict access to only authorised users. Should an outside agent bring it down, service continues via the failover connection which, because it's physically distinct, offers a second level of defence.
Making the right choice
VPN, MPLS and rival technologies such as ATM, Frame Relay and GRE are, ultimately, delivering a single end result: binding multiple remote LANs to act as a single WAN. In each case, the choice of technology deployed will be determined by its use. For insurance brokers accessing databases on a provider's network, VPN would be ideal. A research institute sharing data between remote labs may opt for MPLS, reasoning that the additional cost would be offset by the faster iterations and shorter time to market that the guaranteed speed and security could deliver.
As Prendergast advises, it's a matter of evaluating your use and picking a technology to fit. "Do you want secure internet access? Do you need to expose your services to the internet, in which case you'll have to consider authentication?
Maybe that poses a security risk, and you need to offer remote access without an internet front end. There are many possibilities, all of which VPNs can address, but it's not the only choice, and won't always be the right choice, either."
Certainly, VPN remains the most flexible option, giving organisations of all sizes the freedom to scale as required, and even move the infrastructure from site to site simply by boxing their pre-configured routers and shifting them to the new location.
However, as Harris explained, minimising the number of third-party providers involved is good practice, where both security and complexity are concerned.
"We could provide a VPN service as an add-on to an existing connectivity package," he said, "[but] we wouldn't recommend it. It's still better to be dealing with a single provider who's handling the encryption and the VPN-based stuff because then it's going across [a single] network. That way we're aware of everything, including any attempted breaches, and it's fully encrypted as it traverses our secure network."
