There is growing interest in Internet protocol (IP) virtual private networks (VPNs) as a more cost-effective means of deploying private networks. Existing private networks are implemented by linking customer sites with dedicated connections that use private lines, frame relay or asynchronous transfer mode (ATM) to create a secure backbone network. As more businesses have found the need for high-speed Internet connections to private networks, there has been significant interest in deploying VPNs across the Internet to replace dedicated private networks. This has been driven typically by the ubiquity and distance-insensitive pricing of Internet access, which can replace dedicated connections at a significantly lower cost. The notion of using the Internet for private communications is not new. Only recently, however, have the IP mechanisms needed to meet customer requirements for VPNs come together.

Security solutions

IP security allows users to securely connect to a shared public IP infrastructure, like the Internet. The simplest and most commonly known security solution is a firewall, which controls the IP flows between the Internet and the customer’s site using inbound and outbound access control filters. Firewalls usually are integrated with network address translation (NAT), which conceals the IP addresses used in the interior of the customer’s network. Because Internet service providers (ISPs) offer only a few public IP addresses to users, the best approach is to assign "private" addresses, which are only locally routable within a given network. NAT translates the private addresses to one (or more) routable public IP addresses, visible to the outside world. Firewalls generally are offered with a dynamic host configuration protocol (DHCP) server, which enables any host in the interior of the network to get its network address dynamically. When a host is powered on, it finds the local DHCP server and leases an IP address until the host is turned off.
DHCP greatly simplifies IP address management by not requiring hosts to be assigned permanent (static) IP addresses. A firewall using NAT and DHCP is the most basic security every multihost user site should deploy.

The Internet Engineering Task Force (IETF) has designed IPsec to offer a more advanced form of security: encryption of IP packets, which provides complete data privacy. Encryption allows businesses with multiple locations and roaming dial users to securely interconnect and exchange data over the public Internet. These connections are called "tunnels," and all IP traffic through the tunnel is encrypted at the originating site and decrypted at the receiving site. This requires both ends of the tunnel to use the same security key, and the IPsec standards define how this is done. An IPsec VPN is a collection of user sites where authorized hosts can exchange information over the Internet using encryption.

Configuring an IPsec VPN can be a daunting task for a user not familiar with the technology. Complex network information (customer network site topology, public and private addresses used at each site, access control filters for the IPsec tunnels, and a secure distribution of encryption keys) is needed to configure a VPN appropriately. In addition to ensuring communication privacy, IP VPNs also must offer various types of quality of service (QoS) guarantees. In particular, traditional leased lines, frame relay and ATM offer both bandwidth and latency guarantees. As IP-based VPNs become more widely deployed, there will be market demand for similar guarantees to ensure end-to-end application transparency.

The IETF’s policy-based framework provides a foundation for simplification. It abstracts the most commonly used security requirements using terms that customers can understand and translates these business rules into complex actions on network devices behind the scenes.
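As an added illustration of that translation step (this is not code from the article or from Lemur Networks), the following Python sketch takes a business-level policy (the sites, how many hosts each must privately number, and which sites need a secure link) and derives the device-neutral actions the article lists: private address assignment, a DHCP pool, the NAT mapping, the IPsec tunnel endpoints and the firewall filters that admit those tunnels. The IKE and ESP protocol numbers, the RFC 1918 and RFC 5737 addresses, and the policy field names are assumptions made for the example.

```python
import ipaddress

PRIVATE_BLOCK = ipaddress.ip_network("10.0.0.0/8")  # assumed RFC 1918 space for private numbering
IKE_PORT, ESP_PROTO = 500, 50  # IKE key exchange (UDP 500) and ESP (IP protocol 50), per the IPsec standards

def allocate_subnets(host_counts):
    """Carve one block per site out of 10/8: the smallest aligned subnet holding
    the requested hosts plus network, gateway and broadcast addresses."""
    cursor, blocks = int(PRIVATE_BLOCK.network_address), []
    for hosts in host_counts:
        size = 1 << max(2, (hosts + 2).bit_length())   # power of two >= hosts + 3
        cursor = (cursor + size - 1) // size * size     # keep the block aligned to its size
        if cursor + size > int(PRIVATE_BLOCK.broadcast_address) + 1:
            raise ValueError("private address space exhausted")
        blocks.append(ipaddress.ip_network(f"{ipaddress.ip_address(cursor)}/{32 - (size.bit_length() - 1)}"))
        cursor += size
    return blocks

def compile_policy(policy):
    """Translate a business-level policy into vendor-neutral device actions per site."""
    sites = {s["name"]: s for s in policy["sites"]}
    for a, b in policy["secure_links"]:
        if a not in sites or b not in sites:
            raise ValueError(f"secure link names an unknown site: {a} <-> {b}")
    subnet = dict(zip(sites, allocate_subnets(s["hosts"] for s in sites.values())))
    plan = {}
    for name, site in sites.items():
        hosts = list(subnet[name].hosts())  # first usable address is the gateway, the rest form the DHCP pool
        actions = {"dhcp": {"gateway": str(hosts[0]), "pool": f"{hosts[1]}-{hosts[-1]}"},
                   "nat": {"inside": str(subnet[name]), "outside": site["public_ip"]},
                   "tunnels": [], "filters": []}
        for a, b in policy["secure_links"]:
            if name not in (a, b):
                continue
            peer = sites[b if name == a else a]
            actions["tunnels"].append({"local": site["public_ip"], "peer": peer["public_ip"],
                                       "protect": f"{subnet[name]} <-> {subnet[peer['name']]}",
                                       "shared_key_ref": policy["shared_key_ref"]})  # a handle, never the key itself
            actions["filters"] += [  # admit only the peer's key exchange and encrypted traffic
                {"action": "permit", "proto": "udp", "port": IKE_PORT, "from": peer["public_ip"]},
                {"action": "permit", "proto": ESP_PROTO, "from": peer["public_ip"]}]
        actions["filters"].append({"action": "deny", "proto": "any", "from": "any"})  # default deny last
        plan[name] = actions
    return plan

# Constructed sample policy using RFC 5737 documentation addresses, as a customer might enter it.
SAMPLE_POLICY = {"sites": [{"name": "hq", "public_ip": "203.0.113.10", "hosts": 50},
                           {"name": "branch", "public_ip": "198.51.100.5", "hosts": 5}],
                 "secure_links": [("hq", "branch")], "shared_key_ref": "psk-handle-0001"}
```

Running `compile_policy(SAMPLE_POLICY)` yields, for each site, the DHCP range, the NAT mapping, one tunnel entry per secure link and a filter list ending in a default deny; a provider backend would then render those actions in each vendor's own syntax.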
Policy-based management

Many customers can represent their security requirements using business terms. They know the locations between which security is needed, can enter the shared key for encryption or specify the number of hosts that must be privately numbered. Customers use simple and intuitive business policies such as:

Business users don’t care about the network devices or methods by which each device must be configured. Not only should this level of complexity be hidden, but users also should talk about security services and QoS independent of the type or brand of network equipment. Therefore, from the cable operator’s perspective, the managed VPN service must be independent from the underlying device and vendor infrastructure. In this way, the cable operator can choose any vendor’s equipment without needing to change the backend components such as the data model or the customer’s portal.

Instant activation

Security services are time-sensitive. When users change an encryption key, want to build a new IPsec tunnel, or change the filter rules on their firewalls, they will want instant activation. The architecture must allow the changes the customer specifies to be implemented instantly.

Self-service

Users want 24×7 control over their security policies. Needing to call a service provider customer service representative for changes is inconvenient. An online self-service portal enables users to directly manage their VPN, providing more control while cutting the operating costs of the provider.

Multiservice bundling

Users prefer a single interface to manage all services. Multiservice bundling lets them use the same credentials and the same portal to manage their firewall and VPN service as well as their email and hosting services.

Monitoring and reporting

An essential component of a security service is the service level agreement (SLA) from the provider.
Sufficient information must be provided about the state of the security service to both the user and the provider for them to know if the service is meeting the SLA goals. The up/down state of security devices and all VPN tunnels is needed for minimal reporting. Additionally, daily and monthly statistics, represented both graphically and textually, must be offered on usage of tunnels, security violations, network attacks and other critical events.

Scalability

Providers typically can activate hundreds of new accounts per month. Using the same portal and backend data storage system is essential to providing scalability. There should not be any major hardware upgrades or software changes to accommodate growth. The infrastructure must be built to offer the desired scalability using the same code base.

Operator challenges

Although the previously mentioned user requirements seem intuitive, cable operators face various challenges when implementing sound solutions to meet them.

Silo solutions remain an obstacle to service provider scalability. To date, providers typically create a separate service configuration solution for each type of network service. This leads to the emergence of niche point-solution providers in each individual segment. With no significant integration, these point solutions become inflexible when either cross-service applications or service bundles are marketed. Further, as the number of services offered on a network grows, the number of required customer care agents, portals and system-to-system interfaces also grows exponentially. This can result in significant cost and time delays for launching a new service.

Service providers have been slow to accommodate the need for service activation. Today, session-based services such as VPNs are emerging that must be turned on and off at the customer’s request. Cable operators need to support recurring orders and dynamic changes to subscriber profiles and service bundles.
Previously, when cable operators offered access primarily to one service, orders were received and acted on once. Constant activation and reactivation places more stress on operations, because network equipment must be reconfigured to perform the associated task. As service providers struggle to adjust, customer service quality is compromised.

Equipment interoperability remains an obstacle. Many VPN equipment vendors offer proprietary management and service creation platforms. As a result, the configuration of individual network devices from different vendors is much more complicated than it should be.

However, next-generation IP service mediation platforms for broadband operators who offer VPN services do exist. Central and intelligent data infrastructures are available that integrate into both the operations system and the IP network. This enables real-time provisioning of security services, which eliminates labor-intensive operations processes.

Ryan Moats is vice president of technology at Lemur Networks. Reach him at [email protected].

Bottom Line

The Rise of IP-Based VPNs

Until recently, the major deterrent preventing business customers from subscribing to IP-based VPN solutions has been the complexity of configuring and maintaining them. Although many managed VPN solutions are available, most are expensive and can take months from ordering to activation. Typically, only large enterprises that can afford the costs and administrative burden have pursued managed VPN service. Simplification of ordering, installation and activation of security services like VPNs will generate new revenues from businesses of all sizes.