Are IP VPN extranets the answer? - The IP Element

Building a layer 2 VPN extranet is complicated and expensive. Although IP-based solutions promise a more cost-effective and scalable approach, service providers will have to reassure customers that QoS and security are not compromised.

The notion of a business-to-business network is not new. Extending a company's wide area network to connect with the network of its partner, supplier or customer con be done fairly simply by using leased lines, frame relay or ATM. These are perfectly adequate network solutions for companies needing a permanent, connection-orientated set-up to get closer to their affiliates and customers. Not cheap, not particularly flexible, but at least reliable.

But let's assume that the company's business grows, takes on much more than one or two suppliers and has multiple customers -- in other words, the business relationships become more numerous and more complex. To establish a separate connection for each link in this supply chain will be expensive.

Obviously, the internet changes the picture. In addition to traditional extranets using leased lines/frame/ATM, we have the possibility of IP VPN extranets -- essentially extending the corporate network via the internet to reach and collaborate with business partners anywhere and anytime. Sounds like something to get excited about -- a way to interact with partners, suppliers and customers in an efficient and dynamic fashion.

An IP reality check

Like most internet-based new frontiers, the real world is still someway behind the hype. The truth is, although IP VPN adoption is on the increase it has been slower than expected and IP-based extranet growth has been unspectacular. Why? Well, in a study undertaken by Infonetics -- User Plans for VPN Products and Services, Europe 2001 -- it was noted from interviewing IT directors at 300 western European enterprises that there are still significant doubts surrounding the security and reliability of IP VPNs.

The reason for that lock of trust is that IP VPNs are a Layer 3 service, managing routing over the internet as well as connectivity between sites where previously a Layer 2 solution was the order of the day. This can both compromise security and sacrifice performance, at least in the eyes of end-users.

Of course, there are advantages with a 'connectionless' internet approach. For a start there is greater flexibility and scalability, which means a reduction in those expensive connection costs. It also removes the need for networking expertise within the customer's organisation as an IP VPN is principally a managed solution.

Despite these benefits, operators offering this service still have to address a prevailing perception among many end-users that you can't get any meaningful quality of service over the public internet and, more damagingly, it is inherently insecure.

The role of IPSec

IPSec, the prevailing industry standard that defines a method for secure encryption and tunneling of communications across the internet, is the chosen method of creating Layer 3 IP VPNs without sacrificing security. This is especially true for SMEs for whom frame relay and ATM connections are too expensive.

Although IPSec is highly secure, not all IT directors appreciate this yet. The marketing departments of service providers should take this point on board.

But for major corporate customers, IPSec doesn't offer the kind of reliability and performance that make traditional Layer 2 services so compelling. For these customers, quality and class of service are more important than price alone. IPSec VPNs undoubtedly deliver high security, but they create several practical difficulties for IT managers when trying to build large-scale extranets.

While the IPSec-based IP VPN is a popular medium for linking mobile employees and remote offices to the corporate network, where the IT department can control the software and devices in use to ensure interoperability, it is getting intense scrutiny from businesses looking for an extranet infrastructure. When it comes to linking trading partners to back-end applications, IPSec can be costly and complicated.

In business-to-business environments, it usually isn't possible for a company to require all of its trading partners to use a particular VPN vendor's hardware or software. Although a wide variety of VPN hardware, software and services are on the market, many require a single vendor's product at both ends. The associated administration and management issues, such as deploying VPN client software on PCs and troubleshooting an external user's connectivity problems, have also given IT managers pause for thought as they consider the time and money needed to support client machines.

Although installation of IPsec client software may go smoothly at times, it can be challenging, depending on the user and his knowledge of security protocols. There are bound to be occasions where the company building out their extranet has to step in to assist the partners with wham it is linking up. Having to spend more than a few days to make IPsec work can put pressure on IT staff, since their primary responsibility is to their employer, and not to customers or partners having trouble configuring client software. In any case, a company may not want to let outsiders behind its firewalls.

It is important to note that the performance of IP Sec VPNs improves significantly when run over a dedicated IP backbone as opposed to the public internet. Over an IP network, traffic delivery is guaranteed. During the research phase of a study Infonetics is currently engaged in, several service providers interviewed were at pains to emphasise the differences between public (internet) IP VPNs and private (proprietary IP network) IP VPNs. Quality of service, class of service and SLAs all become much more achievable over a private IP VPN, and it is this route that most service providers with multi-country IP networks seem to exhibit a preference for, particularly for deploying extranet IP VPNs for multi-national corporation customers.

MPLS benefits

MPLS offers a credible alternative to private leased circuits by creating virtual connectivity between sites in an IP VPN. It handles IP as well as frame relay and ATM, (hence the 'multi-protocol' tag) and allows packets to be sent at both Layer 2 and Layer 3. In doing so, MPLS arguably offers the best of both legacy and IP-orientated methodologies and has become the buzzword amongst most service providers offering IP VPN services. It's also being touted as an ideal migration path for corporations with existing Layer 2 connections looking to move to 'full IP' services on Layer 3 in the future, but for whom investment (and trust) in their current technology, and networking staff, remains embedded.

As far as extranets go, MPLS offers significant benefits. It scales quickly and efficiently, and enables corporations to build out or pull down parts of the extranet rapidly -- new sites can be added or removed within hours without the need to reconfigure all other sites on the extranet. On the security side, MPLS VPNs do not encrypt traffic, This may enable the network to handle the data in a more specific way but it doesn't offer the same WAN security as IPSec. For firms that have security as a greater priority than high bandwidth and scalability, IPSec VPNs remain a popular choice. IPSec can be layered on top of MPLS though, to add encryption if it is required. Also, MPLS only works as a site-to-site technology, whereas IPSec can handle both site-to-site and remote access.

There is also an emerging group of products and companies that use application-layer security (SSL/SSH/HTTPS) to create private connections to web-based content and applications (SafeWeb, uRoam), and some that even allow users to connect to legacy applications (NeoTeris). The unique part of these solutions is that they are clientless; they require only the user's web browsers and are therefore easy (and cheap) to set up and maintain. These products and companies are brand new and their impact is yet to be felt, but they do address some key problems with building extranets.

But despite the networking technology in the marketplace, extranet adoption remains muted. 2002 is being pronounced by many as 'the year of the IP VPN', perhaps rightly so, but it does not necessarily follow that IP VPN extranets will see the same growth. For one thing, VPN extranets may not realise quite the same levels of deployment or acceptance that other VPNs do, namely remote access and site-to-site connections. Clearly they never will as extranets of any description are not necessary or desirable for many businesses. Technology is not the issue. The Infonetics study referred to earlier showed that 57 per cent of respondent organisations plan to build VPN extranets by 2003. Of those, 52 per cent already have them. Whilst this demonstrates much enthusiasm for VPN extranets, it is tempered by the realities of deployment, which are inhibiting wider adoption. It will take some time for users adopting IP VPNs to get a lot more comfortable with this way of networking before they necessarily go for IP VPN ext ranets.

Extranet access headaches

For any type of extranet, the inherent headache is complexity -- a case of who gets to look at what within the newly formed extranet (or newly extended WAN, if you prefer). It is a question of access, a diplomatic problem that requires technical solutions. Who has access to which parts of a company's enterprise resources and what can they do once they have that access?

When a company is planning to open up its internal IT resources to the outside world, IT directors are reluctant to offer partners the same behind-the-firewall access they grant employees. They don't want to give suppliers access to the whole corporate network, only a small number of destination applications with explicit conditions about who has access, when and for how long. There are important policy and technical criteria to address. To leave those issues open-ended invites security problems ranging from malicious activity to authorised users straying into unauthorised areas.

Access control and policy management are probably the most important features of an extranet. Without them, companies have no easy way to govern resources or users. Access control and management tools should make it easy for an administrator to give or take away very specific permissions, such as letting a manufacturing manager from a supplier company come into the network to access predefined files. It should be as quick and easy to remove access rights as it is to give them.

There's also the issue of educating potential users on the benefits, pitfalls, and definitions of using the VPN extranet. It's hard enough to get people at one company on the same page with IT policy and philosophy, let alone a loose affiliation of third-party companies, each with its own IT approach.

But if the thought of having to install, manage, and troubleshoot VPN clients on far-flung machinery sounds too imposing, numerous service providers are willing to tackle the job. Most major VPN service providers in Europe have some sort of extranet offering and there are specialists emerging. They typically offer WAN connectivity, helpdesk support, emergency alerts, and numerous levels of security and encryption, but perhaps the real value-add is in the diplomatic process. Having an experienced third party conciliation consultant with technical, strategic, and management capabilities to steer the process is what end-users really need to see.

RELATED ARTICLE: Types of extranet use

For many companies extranets are still only web-based systems that provide password-protected areas allowing users (customers, resellers) to fill out forms or perform simple online transactions. HTTP-based extranets allow companies to deliver information through a browser interface but offer very limited ability to interact with core business systems and applications. That's fine as far as it goes, but it doesn't really leverage the full potential of extranets.

On the customer side, extra net VPNs offer secure tunnels to remote databases, which let users access inventory data, examine special discounts, view delivery status, research products, place and fulfill orders, and collaborate via a secure internet connection. By opening customer access in this way, extranets offer businesses a significant customer retention opportunity -- the customer is almost literally 'attached' to your business.

On the supply side, extranet VPNs offer an opportunity to improve supply chain management by enabling access to productivity-boosting applications and streamline business processes such as ordering, shipping, and billing. Companies can give independent agents direct access to corporate resources, which improves the efficiency of reseller or agent programs so that enterprise channels can service themselves.

Another development is 'community extranets'. These could involve open-ended design projects, inter-business alliances, or other ways to share information equally among partners. Typically this type of extranet forms on a project-by-project basis between companies collaborating on a one-off basis.

Industry-specific business exchanges, whether for agribusiness, energy or manufacturing vertical sectors, were expected to lead the VPN extranet charge. But things haven't worked out that way, as many of those exchanges have failed or scaled back their original charters.

In reality, many extranets are generally put together by one company with multiple participants. These are not e-market-places or private business hubs, but rather the practice of market-leading, power-wielding companies that dominate an industry, and that everybody else simply has to deal with. Their sheer size makes it difficult to refuse joining their extranet.

VPN extranets are also emerging in public services, enabling communities of interest to share sensitive documentation. For instance, this type of shared network could allow doctors to remotely access patient medical files.

COPYRIGHT 2002 Horizon House Publications, Inc.
COPYRIGHT 2002 Gale Group