Mar 12, 2013

Virtual Private Network Pros and Cons

VPNs, or Virtual Private Networks, have both advantages and disadvantages, but in the end we still use them. Let me list the advantages and disadvantages as I see them.

VPN lets remote users connect to your LAN over the Internet, which greatly reduces the cost and complexity of the remote connection. The savings begin with the fact that most small businesses will no longer require a dedicated remote-access server. Businesses with a large number of remote users, say more than 75, might still require a remote server to handle such a high volume of traffic, but these companies still save money because nobody has to dial directly into the server. Instead, users only make a local call to their ISPs. In fact, lower long-distance charges are one of the biggest benefits for all companies using a VPN.

Another benefit is that, unlike in a traditional remote-network setup, VPNs do not require similar hardware at both ends of the connection. For example, an employee on a business trip can connect to an ISDN modem in your office using a 33.6Kbps PC Card modem at the same time that a remote workgroup dials in with a 56Kbps serial modem.

Virtual Private Network Pros:
  • Cost Savings – By leveraging third-party networks, organizations using a VPN no longer have to use expensive leased or frame-relay lines; they can connect remote users to their corporate networks via a local Internet service provider (ISP) instead of via expensive 800-number or long-distance calls to resource-consuming modem banks.
  • Security – VPNs provide a high level of security by using encryption and authentication protocols that protect data in transit from unauthorized access.
  • Scalability – VPNs allow corporations to use the remote-access infrastructure of ISPs. Therefore, corporations can add a virtually unlimited amount of capacity without adding significant infrastructure of their own.
  • Compatibility with Broadband Technology – VPNs allow mobile workers, telecommuters and day extenders to take advantage of high-speed, broadband connectivity, such as DSL and Cable, when gaining access to their corporate networks, providing workers significant flexibility and efficiency.

Virtual Private Network Cons:
  • Quality of Service. Unlike circuit-switched or leased-line data services, VPN links (or tunnels) over public routed networks do not typically offer any end-to-end throughput guarantees. In addition, packet loss is variable and can be very high, and packets can be delivered out of order and fragmented.
  • Security. VPN connections are made by first connecting to a POP of the public network, and then using that network to reach a remote peer to form a private tunnel. Once the connection has been made to the POP, unsolicited data from other users of the public network can be received, and the exposure to “attacks” requires comprehensive and complex security measures.
  • Bandwidth reservation or Quality of Service (QoS) at the enterprise or central site. Bandwidth reservation refers to the ability to “reserve” transmission bandwidth on a network connection for particular classes or types of traffic. It is much harder to achieve with VPNs than on traditional networks. Some reservation can be done on outbound traffic, but for inbound reservation to be achieved, the VPN carrier would need to cooperate.
  • Two-way calling. Small office/home office sites that use ISDN to access a central site directly enjoy the capabilities of two-way calling, e.g. if the link is idle (the inactivity timer has fired and disconnected the call) and traffic needs to flow from the central site to the remote site, the central site can initiate the call. In a VPN network, this is a capability missing from common ISP offerings today. Call-back is a related topic; offering to pick up the dial-in costs incurred by partners and customers is also difficult.
  • Centralized telesaving control. Managing cost-effective use of dial links centrally may no longer be possible.
  • Overhead. VPN tunnels impose overhead for dial-in users: encryption algorithms may impact the performance of the user’s system, there will be an increased protocol header overhead, authentication latency will increase, PPP and IP compression will perform poorly (compared to a direct link), and modem compression won’t work at all.
  • Support issues. Replacing direct-dial links with VPN tunnels may produce some very painful fault-finding missions. Due to the complexity of VPN carrier networks, the opportunities for “hand-washing” are enormous.
  • Reconnection time. Using tunneling may increase the reconnection time for dial users. With the VPN carrier L2TP model, the client has to go through two authentication phases: one on contacting the VPN carrier POP, and another on contact with the enterprise Security Gateway.
  • Multimedia. Applications such as video conferencing only work acceptably over low-latency links that can offer the required minimum throughput. Currently on the Internet, latency and throughput can vary alarmingly. Multi-channel data services, such as ISDN and xDSL, solve this problem in the short term, allowing the “data” channel to be used for VPN tunneling and a separate “voice” channel to be used for business telephone calls or video conferencing.
  • Encryption. When encryption is used to protect a tunnel, data compression applied to the encrypted stream no longer achieves anything, because encrypted data is not compressible. This means that hardware compression over a modem connection is not possible.
  • Possible disadvantages of intranet VPN include the following:
    • Denial-of-service attacks. Unlike a private leased line, traffic that is not from the peer remote site (tunnel end-point) can flood down the receive path of a VPN tunnel from anywhere on the public network. This unsolicited traffic may reach such a level that solicited data can no longer be retrieved. To combat this, the VPN carrier could offer to filter non-VPN traffic, or perhaps provide a bandwidth reservation or QoS service.
    • No end-to-end data link in some cases. For some tunnel technologies, there is no end-to-end data link, so detection of reachability will need to be supported at the routing layer with protocols capable of rapid failure detection and instant re-route.
    • Packet loss. A VPN tunnel can sometimes suffer high packet loss and can reorder packets. Reordering can cause problems for some bridged protocols, and high packet loss may have an impact on the optimal configuration of higher-layer protocols.
    • Latency and multimedia. This is very much a next-generation VPN carrier goal that will require considerable investment to do properly. There are serious doubts as to the chances of the Internet achieving success in this area in the near future. Data-link carrier companies and newly formed VPN-focus companies offering VPN services have a better chance.
    • Increased downtime. Decreased mean time between failures, longer lasting outages, painful problem solving and downtime compensation claims.
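The “Encryption” bullet and the remark under “Overhead” that modem compression won’t work at all describe the same effect: a stream compressor placed after the encryption step sees only random-looking bytes. The following is an added example (not code from the original post) that measures this with zlib standing in for PPP/modem compression and a random-key XOR standing in for the tunnel cipher; the sample payload is constructed.

```python
import os
import zlib

# Constructed sample payload: repetitive text of the kind a dial-in user
# sends (HTTP requests), so a stream compressor has plenty to work with.
SAMPLE = b"GET /intranet/report.html HTTP/1.0\r\nHost: corp.example\r\n\r\n" * 40


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """One-time-pad XOR with a random key of equal length. Any modern cipher
    produces ciphertext that is just as indistinguishable from random bytes."""
    if len(key) < len(data):
        raise ValueError("key must be at least as long as data")
    return bytes(d ^ k for d, k in zip(data, key))


def compressed_size(data: bytes) -> int:
    """zlib stands in for PPP or modem (V.42bis-style) stream compression."""
    return len(zlib.compress(data, 9))


def encrypt_then_compress(data: bytes, key: bytes) -> int:
    """Order seen by a modem compressing a stream that is already inside an
    encrypted tunnel: ciphertext is incompressible, so the link gains nothing."""
    return compressed_size(xor_keystream(data, key))


def compress_then_encrypt(data: bytes, key: bytes) -> int:
    """Order that keeps the gain: compress on the client *before* the tunnel
    encrypts (the key only needs to cover the shorter compressed stream)."""
    compressed = zlib.compress(data, 9)
    return len(xor_keystream(compressed, key))


def compare(data: bytes = SAMPLE) -> dict:
    """Bytes on the wire per original byte for each ordering (1.0 = no gain)."""
    key = os.urandom(len(data))
    n = len(data)
    return {
        "plaintext_compressed": compressed_size(data) / n,
        "encrypt_then_compress": encrypt_then_compress(data, key) / n,
        "compress_then_encrypt": compress_then_encrypt(data, key) / n,
    }


if __name__ == "__main__":
    for order, ratio in compare().items():
        print(f"{order:24s} {ratio:.3f} bytes sent per payload byte")
```

Running it shows the plaintext shrinking to a few percent of its size, the encrypted stream growing slightly (zlib adds framing to data it cannot compress), and compress-then-encrypt matching the plaintext figure, which is why compression must be done by the VPN client rather than by the modem.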

