[ISN] Virtual Client Headache

From: mea culpa (jerichoat_private)
Date: Tue Feb 02 1999 - 12:06:57 PST


    http://www.internetwk.com/news0199/news012999-7.htm
    Virtual Client Headache
    
    By SALVATORE SALAMONE 
    
    Washington, D.C. -- Can anything slow the virtual private networking
    juggernaut? 
    
    The answer is a resounding yes, and the impediment is the hidden costs of
    installing and properly configuring complex client software. 
    
    There are often problems deploying any new application, but "with VPNs you
    usually are talking about getting software to geographically dispersed
    users who are either in small offices with no technical support staff or
    full-time telecommuters who never get into an office at all," said Ronald
    Brendon, IS director at the accounting firm Randall, Kline and Browner. 
    
    No IT staff means no one to help the user work through the complexity of
    configuring the software settings specific to IPSec, something that IT
    staffs will increasingly have to consider as companies look for the
    hardened security and interoperability that the protocol can deliver. 
    
    Deploying VPN client software to thousands of remote users can turn into a
    management nightmare, requiring the IT staff to spend huge amounts of time
    resolving user problems. The operational cost in labor hours alone could
    significantly erode any VPN cost savings derived from reduced
    telecommunications charges, according to members of InternetWeek's VPN
    Alliance assembled in a roundtable discussion this week at the ComNet
    trade show. 
    
    IT managers should not hold their breath waiting for things to improve
    quickly. Equipment vendors said they don't make any money on the client
    and there is little incentive to improve the client because Microsoft
    plans to give it away. 
    
    Many VPN equipment vendors that are members of the VPN Alliance said
    things could be simplified if Microsoft would just support IPSec within
    Windows as it does today with the Point to Point Tunneling Protocol
    (PPTP). 
    
    However, some vendors are talking out of both sides of their mouths. While
    agreeing Microsoft support would make life easier for IT managers, some of
    the same vendors point to features in their client software as a
    differentiator. 
    
    For its part, Microsoft said it is protocol agnostic. To date, it
    continues to promote Windows NT PPTP for VPN because of its ease of use
    and economy. 
    
    Still, it's no secret that Microsoft fully supports the direction of IPSec
    inside the Internet Engineering Task Force. In addition, Microsoft is
    working with numerous networking vendors--and the Windows 2000 beta
    already supports PPTP, Layer 2 Tunneling Protocol (L2TP), IPSec and
    Internet Key Exchange--to make key management easier. 
    
    These technologies are essential to maintain the standards-based
    authentication and interoperability demanded in any broad-scale deployment
    of VPNs. 
    
    For many IT managers, security concerns have been a barrier to entry to
    using VPNs, vendor representatives said at the roundtable. "IPSec and
    standards-based solutions are making IT managers more comfortable with
    this aspect of using a VPN," said John Summers, senior product manager of
    VPN services at GTE Internetworking. 
    
    In fact, IPSec support is becoming increasingly common. At ComNet, AT&T
    said it is using IPSec today, Bell Atlantic said it would support IPSec
    sometime in the second quarter, and MCI WorldCom said it would support
    both L2TP and IPSec by the third quarter. 
    
    But one potential problem for IT managers considering IPSec-based VPNs for
    remote access is the hidden management costs. 
    
    VPNs are touted as a cheaper way to access corporate networks. And many
    companies such as AFC Enterprises Inc. have found they can significantly
    reduce their telecommunications costs using a VPN instead of dial access. 
    
    However, companies moving to VPNs have found that "there might on paper be
    a cost savings from the tariff and toll costs that they could save, but
    ultimately they have to invest so much money in management that it offsets
    those cost benefits," said Adrian Bisaz, vice president of marketing at
    Assured Digital Inc. "So there has been a slowdown in the acceptance of
    remote access in a pure ROI point of view because of those complicated
    management issues." Bisaz said the situation is improving with new
    features and services coming down the line. 
    
    But for many IT managers today, moving to an IPSec-based VPN is a classic
    software-distribution problem with a twist. 
    
    With IPSec, VPN users typically have to enter such settings as an IP
    address and digital certificate data manually. This adds complexity for
    the user and usually adds to the IT staff's workload because they have to
    talk the user through this process and troubleshoot problems remotely. 
    
    The industry recognizes this is a problem. "We're in the client deployment
    business for the next year to 18 months," said John Lawler, VPN product
    manager at Concentric Network. 
    
    For IT managers, "the real issue is around ease of use and making it
    cheaper to manage the stuff," said Mark Tuomenoksa, chief technology
    officer at Shiva Corp. "What's missing is making this stuff dumb-easy to
    use." 
    
    Some VPN equipment makers have tried to simplify the installation process
    by enabling IT managers to do bulk configurations and shipping customized
    disks to users that contain a cryptographic ID file with configuration
    information specific to that user. That eliminates the need to manually
    configure the software. 
    
    Once the client is installed on a remote PC, additional problems can tie
    up management resources. For example, there can be conflicts with other
    communications or network adapter card driver software. Or users may need
    help to dial into a service provider's network. 
    
    