[vpn] Raymond ( my project)

Stephen Hope stephen.hope at energis.com
Mon Oct 15 04:54:30 EDT 2001


The answer as usual is - it depends.

Usually VPN is a way of getting better price / performance than for a
dedicated network.

The idea is you use part of a shared system (the Internet, or the public
voice system) rather than dedicated equipment, lines etc, so it costs less.
With this definition, Frame Relay is also a VPN, since it uses a carrier
backbone you share with others.

But, then you need security to make sure that your stuff is not accessible
to others.

You also need some way to make sure you get the performance you need from a
shared system - after all if the carrier can't overcommit the backbone (so
that there is less capacity than the worst case needed by all the customers
added up, plus the extra overheads) then there is little or no economy of
scale from the carrier perspective, and that should bear some relation to
what you pay.

The implicit assumption is that most of the costs are in the shared bit and
that the extra VPN complexity is more than offset by these cost savings - if
not then the resulting system may cost more than dedicated systems.

If you look at where VPNs are most popular, then this does follow the "cost

Most common uses are: international site to site connections, international
remote access, national remote access, national site to site within a large
country such as USA.

In practice most large companies end up with a hybrid - VPN maybe for
awkward to reach offices in other countries, and international remote
access, dedicated Frame for "local" offices, ISDN dial in for remote access
in countries where you have local support.

It also means that national stuff in smaller countries such as the UK is
less attractive for VPN - the backbone is a smaller proportion of the system.

From a technical perspective - VPN means trading complexity for service cost

This means that if service cost dominates for your applications, then this
is a good solution (e.g. international remote access). If other costs
dominate (i.e. you run a 24 by 7 helpdesk and fly engineers to other
countries to sort laptop problems), then it may not make sense to
complicate the system design over a dedicated system.



Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk,
Energis UK, WWW: http://www.energis.com
Carrington Business Park, Carrington, Manchester , UK. M31 4ZU
Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776

> -----Original Message-----
> From: Berkoh, Raymond - HPS [mailto:raymond.berkoh at hays-hps.com]
> Sent: 15 October 2001 09:34
> To: 'Stephen Hope'
> Subject: RE: [vpn] Raymond ( my project)
> can you give me some sort of critical review on the benefits of VPN within
> any organisations
> cheers for your previous information
> ray
> -----Original Message-----
> From: Stephen Hope [mailto:stephen.hope at energis.com]
> Sent: 12 October 2001 21:59
> To: 'Shereen aggour'; vpn at securityfocus.com
> Cc: Berkoh Raymond - HPS
> Subject: RE: [vpn] Raymond ( my project)
> Shereen,
>
> 1st the cop out - all this is my opinions, and biased by what I know and
> what I have done before.
>
> VPN is a term for a logical network running over a different network. Many
> practical systems actually are "VPNs" at different levels. The first VPNs
> were X.25, voice networks (or others) - it depends on who you ask.
>
> Most common use in data networking is for a higher security IP network which
> uses an underlying lower security IP network (i.e. a company remote access
> system via the Internet), but there are lots of other useful applications.
>
> There are several common ways of providing a VPN over IP - standard ones
> include GRE (IP tunnel over IP), IPsec (encryption with optional IP over IP),
> L2TP, SSL. Proprietary ones include IPsec over UDP in several different
> flavours, L2F and PPTP.
>
> IPsec is one way of providing IP over IP networks.
>
> Frame relay can be (and usually is) a VPN when provided by a carrier - the
> carrier has a backbone which supports multiple customers, and each customer
> "sees" a logical subset of all connections. However, "real" Frame Relay is
> just an interface definition, the underlying backbone may be other types of
> network - e.g. the old Magellan switch used an underlying IP network,
> Newbridge / Alcatel switches use ATM and some recent kit uses MPLS.
>
> That customer may just put native IP over their frame cloud. Or, if they
> want better security, they may put IPsec over IP over Frame, typically just
> for the encryption support if it is a private network.
>
> In that case we have 3 flavours of VPN running in the same system at
> different layers of the protocol stack IPsec over IP over Frame presentation
> over IP.....
>
> And each layer needs management, and takes its own overhead costs in terms
> of bandwidth, processing and potential for faults......
>
> And that is why a lot of "data only" network architects are pushing IP as
> the underlying protocol - fewer layers and more consistency. Of course, when
> you carry voice over IP then you add just as many layers which are even more
> complex - but that is a different argument.
>
> So, your Q needs a bit more detail before we can give you specific answers.
>
> regards
> Stephen
> Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk,
> Energis UK, WWW: http://www.energis.com
> Carrington Business Park, Carrington, Manchester , UK. M31 4ZU
> Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776
> 4189
> > -----Original Message-----
> > From: Shereen aggour [mailto:saggour at gmx.net]
> > Sent: 12 October 2001 06:51
> > To: vpn at securityfocus.com
> > Cc: Berkoh Raymond - HPS
> > Subject: Re: [vpn] Raymond ( my project)
> > 
> > 
> > Actually I need your help as well for a project of mine that is to state the
> > differences between VPNs over IP opposed to those over frame relay.
> > 
> > If you can provide me with information, that would be great.
> > 
> > Thanks,
> > 
> > -- 
> > Sent through GMX FreeMail - http://www.gmx.net
> > 
> > 
> > VPN is sponsored by SecurityFocus.com
> > 
