SAN FRANCISCO -- Where do you turn when your company makes seven acquisitions in the space of a year, many of them in other countries with a large number of remote users, and you have to give everyone immediate access to the corporate network?
A remote access virtual private network (VPN) is the answer for many companies because it grants their users transparent access to the network and business applications, while at the same time reducing network management overhead and other costs.
Here at the Catalyst Conference 2002, hosted by networking consultancy the Burton Group, users, vendors and analysts hashed out the pros and cons of remote access VPNs.
The consensus was that VPNs are superior to traditional dial-in scenarios for all but the smallest and the most geographically limited deployments, but debate centered on whether to build a VPN in-house or to outsource it to one of the many VPN service providers.
Before a company can even look at possible solutions, however, it must determine what its needs are, said Jack Stackhouse, senior consultant for the Burton Group. Quantify the big five criteria -- security, cost, scalability, service quality and ease of deployment and management -- and use those parameters to compare options, he said.
"Make sure you consider your immediate requirements and also do some capacity planning to project how many users you'll have six months down the road, a year from now, and over the life of the technology," said Stackhouse.
Experts also recommended thinking about who your users are and exactly what their remote access needs are.
"Define your users," said Patrick Wilson, IT director of optical component and test equipment manufacturer Finisar Inc., Santa Clara, Calif. In the past year, the company has hooked up 900-plus remote access VPN users in several countries.
"Defining the users was the most difficult and the most important part," said Wilson. Finisar identified five different user types, each with its own reliability requirements and specific problem areas that needed to be addressed by VPN technology.
Once a company has a handle on its needs, it can look at the advantages and disadvantages of each approach. Do-it-yourself VPNs appeal to many IT managers because they offer a greater level of control, said Stackhouse.
The enterprise has possession of the equipment, retains control of security information, such as passwords and encryption keys, and can enforce its security policies from the remote user location to the enterprise and back. Another advantage is that the VPN is independent of any service provider, so the IT staff can change carriers easily in case service is unreliable or economic conditions warrant.
Purchasing and installing an in-house remote access VPN, however, can require a significant capital investment. Keep in mind, said Stackhouse, that over the long term the network will require maintenance and support from in-house IT staff that may already be overtaxed.
The number of remote users an IT department can support is directly proportional to its number of IT personnel, according to Stackhouse. He strongly recommended outsourcing for companies with more than 100 remote users, unless they have a large IT staff.
Outsourcing a remote access VPN means that the service provider will install and maintain the necessary equipment and client software, said Stackhouse. The provider maintains firewalls and virus software, and usually offers 24x7 support to end users. A service provider is also in a position to supply higher availability because of its network resources and ability to quickly diagnose and repair VPN problems, Stackhouse said.
Service providers are frequently able to deploy software-based solutions almost immediately, said Wilson. Because Finisar was adding new remote locations and users at a dizzying rate, this capability was one of the key reasons the company decided to outsource its remote access VPN.
"We were able to configure a company in Germany in less than two days," he said.
Whatever a company decides, it should experiment with the VPN in a test environment before the business is dependent on it.
"Go through a pilot phase," said Wilson. "You don't want to deploy 500 systems and then not have the tools to deal with the problems. We got stuck with that type of situation, so that's one of my rules now."