http://www.internetwk.com/news0199/news012999-7.htm

Virtual Client Headache

By SALVATORE SALAMONE

Washington, D.C. -- Can anything slow the virtual private networking juggernaut? The answer is a resounding yes, and the impediment is the hidden costs of installing and properly configuring complex client software.

There are often problems deploying any new application, but "with VPNs you usually are talking about getting software to geographically dispersed users who are either in small offices with no technical support staff or full-time telecommuters who never get into an office at all," said Ronald Brendon, IS director at the accounting firm Randall, Kline and Browner.

No IT staff means no one to help the user work through the complexity of configuring the software settings specific to IPSec, something that IT staffs will increasingly have to consider as companies look for the hardened security and interoperability that the protocol can deliver.

Deploying VPN client software to thousands of remote users can turn into a management nightmare, requiring the IT staff to spend huge amounts of time resolving user problems. The operational cost in labor hours alone could significantly erode any VPN cost savings derived from reduced telecommunications charges, according to members of InternetWeek's VPN Alliance assembled in a roundtable discussion this week at the ComNet trade show.

IT managers should not hold their breath waiting for things to improve quickly. Equipment vendors said they don't make any money on the client and there is little incentive to improve the client because Microsoft plans to give it away.

Many VPN equipment vendors that are members of the VPN Alliance said things could be simplified if Microsoft would just support IPSec within Windows as it does today with the Point to Point Tunneling Protocol (PPTP). However, some vendors are talking out of both sides of their mouths.
While agreeing Microsoft support would make life easier for IT managers, some of the same vendors point to features in their client software as a differentiator.

For its part, Microsoft said it is protocol agnostic. To date, it continues to promote Windows NT PPTP for VPN because of its ease of use and economy.

Still, it's no secret that Microsoft fully supports the direction of IPSec inside the Internet Engineering Task Force. In addition, Microsoft is working with numerous networking vendors--and the Windows 2000 beta already supports PPTP, Layer 2 Tunneling Protocol (L2TP), IPSec and Internet Key Exchange--to make key management easier. These technologies are essential to maintain the standards-based authentication and interoperability demanded in any broad-scale deployment of VPNs.

For many IT managers, security concerns have been a barrier to entry to using VPNs, vendor representatives said at the roundtable. "IPSec and standards-based solutions are making IT managers more comfortable with this aspect of using a VPN," said John Summers, senior product manager of VPN services at GTE Internetworking.

In fact, IPSec support is becoming increasingly common. At ComNet, AT&T said it is using IPSec today, Bell Atlantic said it would support IPSec sometime in the second quarter, and MCI WorldCom said it would support both L2TP and IPSec by the third quarter.

But one potential problem for IT managers considering IPSec-based VPNs for remote access is the hidden management costs. VPNs are touted as a cheaper way to access corporate networks. And many companies such as AFC Enterprises Inc. have found they can significantly reduce their telecommunications costs using a VPN instead of dial access.
However, companies moving to VPNs have found that "there might on paper be a cost savings from the tariff and toll costs that they could save, but ultimately they have to invest so much money in management that it offsets those cost benefits," said Adrian Bisaz, vice president of marketing at Assured Digital Inc. "So there has been a slowdown in the acceptance of remote access in a pure ROI point of view because of those complicated management issues."

Bisaz said the situation is improving with new features and services coming down the line. But for many IT managers today, moving to an IPSec-based VPN is a classic software-distribution problem with a twist.

With IPSec, VPN users typically have to enter such settings as an IP address and digital certificate data manually. This adds complexity for the user and usually adds to the IT staff's workload because they have to talk the user through this process and troubleshoot problems remotely.

The industry recognizes this is a problem. "We're in the client deployment business for the next year to 18 months," said John Lawler, VPN product manager at Concentric Network.

For IT managers, "the real issue is around ease of use and making it cheaper to manage the stuff," said Mark Tuomenoksa, chief technology officer at Shiva Corp. "What's missing is making this stuff dumb-easy to use."

Some VPN equipment makers have tried to simplify the installation process by enabling IT managers to do bulk configurations and shipping customized disks to users that contain a cryptographic ID file with configuration information specific to that user. That eliminates the need to manually configure the software.

Once the client is installed on a remote PC, additional problems can tie up management resources. For example, there can be conflicts with other communications or network adapter card driver software. Or users may need help to dial into a service provider's network.