The Cole Papers, November 2000

Creating a secure connection to the paper over the Internet

Remember the days of writing your story on a "Trash 80," jamming a phone receiver into a rubbery set of couplers sitting precariously on the desk, chair or your knees? All that, just to file a story.

Now reporters can file stories, check in-house e-mail, access the company's intranet, the Internet and a variety of other network resources previously unavailable to the remote user.

The technology that advanced remote access beyond story dumping is the Virtual Private Network (VPN). The name has a buzzword ring to it, but it is not just a term tossed out casually by well-intentioned, blustery corporate IS folks; it's a meat-and-potatoes solution for newspapers. VPN may start with "virtual," but its power lies in reliability and cost-effectiveness, two things newspapers cannot do business without in these budget-conscious times.

Prior to VPN technology, reporters' access consisted of a dial-up connection with little or no terminal emulation. They would write a story, save it in the word-processing program they were using (such as XyWrite), put a predefined header on top of the story, connect all the phone gadgetry, dial into the newspaper's communications server via modem and cross their fingers that the story landed at the paper.

Stories were usually dumped into a dedicated remote access server (RAS) at the newspaper. However, RAS equipment requires higher maintenance for the IS department. As more and more reporters stayed in the field to file, RAS could no longer handle the increased load without expensive enhancements. Remote filing depends on available phone lines and modem banks with plenty of hunt numbers. As soon as the convenience and expedience of filing from the field was noticed, the need for new methods of receiving stories, as well as handling remote access, became critical. Also, upgrading or modifying RAS meant downtime for the users.

VPN solves many of the network-administration headaches associated with remote filing. VPN also solves many of the remote users' dilemmas of getting the story to their editor on time.

RAS also included a way for photographers to file photos. They'd dial into a dedicated server and upload the photos. However, photo-based RAS included the same security concerns as for the reporters, and the added concern of what to do in the event that the RAS were to go down. You can't dictate a photo.

The idea of setting up a VPN isn't brand new; the need to segment parts of a company's network has always been an issue. The problem was that implementing and maintaining one on the network wasn't as easy as deploying a VPN today. Today, several suppliers offer off-the-shelf solutions that can be installed in a day.

Cost prohibitive
Todd Williams, initiatives manager at the Miami Herald, installed a VPN in July 1998 without much hassle. The hardest part, he said, was picking a supplier.

"End users were clamoring for remote access," he said.

Prior to installing a VPN system from Nortel Networks Corp. (formerly Bay Networks) of Brampton, Ontario, Canada, the Herald was using RAS and modems to handle remote access.

"But the cost was becoming prohibitive," Williams said. "Especially for the number of users dialing in."

Now, Williams said, the Herald can handle up to 200 concurrent users, with plans to increase that number. A VPN is a very scalable solution: there's no need to add extra analog circuits. Once the switch hits its rated maximum, just add another switch.

Just a few years ago, suppliers of VPN were in short supply. But like all other technologies that harness the power of the Internet, that number has grown significantly. With that growth comes competitive pricing, overall competition and plenty of research and development.

For its VPN solution, the Herald uses the Nortel Networks Contivity 2000 Extranet Switch. Among other companies offering VPN solutions are Microsoft Corp., Cisco Systems Inc. of San Jose (which bolstered its VPN line last spring with the acquisitions of Altiga Networks and Compatible Systems Corp.), the InterNetworking Systems division of Lucent Technologies Inc. of Murray Hill, N.J., Check Point Software Technologies Inc. of Redwood City, Calif., and Axent Technologies Inc. of Rockville, Md. Cisco just announced the VPN 5000 series, which offers Internet Protocol Security (IPsec)-based services.

"It's basically a self-contained PC," Williams said of the switch the Herald uses for VPN connectivity.

According to Nortel Networks, "the switch integrates routing, firewall, bandwidth management, encryption, authentication and data integrity."

A VPN simulates a private network over a public one. It takes advantage of the public availability of Internet technology including protocol standards and allows for private, encrypted traffic with very little cost in phone charges, administration or support.

A VPN switch typically also provides per-user accounts, access restrictions, screening of incoming connections, overflow control and routing.

The Internet allows access to a VPN through a local phone call, greatly reducing the costs spent on long-distance phone charges, including 800 numbers. This is a huge bonus for a newspaper deploying hundreds -- or even dozens -- of writers in the field and in bureaus.

Security: top of list
But remote access always raises the question of security, and a daily newspaper cannot afford to get it wrong. Security and the Internet still raise eyebrows when people ask whether the two can work together. Add the overwhelming need to keep a newspaper from being hacked and eyebrows twist even more.

Network administrators place security at the top of the list of requirements for remote access solutions. A VPN addresses it by combining authentication, encryption and tunneling with the existing firewall. The firewall is usually in place already, and the VPN works alongside it.

The VPN sits behind the corporate firewall and is attached directly to the network, but segmented to control traffic.

"It's secure, easy to maintain and very user-friendly," Williams said.

A VPN adds an extra layer of authentication and provides the encryption that plain dial-up never had. The key is tunneling: the VPN client wraps each data packet inside another packet and encrypts the contents before sending it across the Internet, so the tunnel is transparent to the applications and opaque to everyone in between. Non-tunneling connectivity works, but it is not secure. Anything that crosses the public network in the clear, passwords and story text included, can be read by anyone able to capture traffic along the path, and packet sniffers dance for joy when they catch these streams.

Sending data through the tunnel works like this. The client on the reporter's machine encrypts the data and encapsulates it in a new IP packet addressed to the newspaper's VPN gateway, the tunnel server. That packet travels across the Internet to the gateway, which verifies and decrypts it and forwards the original packet to the host on the internal network. The process works in reverse for the replies.

Most popular in VPN products today is the Point-to-Point Tunneling Protocol (PPTP), which encapsulates the user's PPP frames for transport over IP and encrypts them with Microsoft Point-to-Point Encryption (MPPE); the user is authenticated when the session is set up. It sends the encrypted, encapsulated packets through the Internet, making the session appear to be a tunnel cutting across the polyglot of traffic.

In addition to PPTP (developed by Microsoft and its partners), VPNs can also employ other tunneling protocols such as L2TP (Layer 2 Tunneling Protocol) or L2F (Layer 2 Forwarding). Of the three, only PPTP carries its own data encryption; L2F and L2TP encapsulate but do not encrypt, which is why L2TP is normally run on top of IPsec (L2TP/IPsec) to get it. One caveat with PPTP: its MPPE keys are derived from the user's password during MS-CHAP authentication, so the protection is no stronger than the passwords the paper lets its users choose.

L2TP carries PPP frames, so it can transport any protocol PPP can, including IP, IPX and AppleTalk, and it combines the positive aspects of PPTP and L2F. The protocol the industry is converging on for securing IP itself, however, is Internet Protocol Security (IPsec), which the IETF published as a set of RFCs in 1998.

IPsec addresses the fact that TCP/IP (Transmission Control Protocol/Internet Protocol, the way computers talk to one another on the Internet) was designed without built-in authentication or encryption. Its purpose is to give IP traffic the protection it needs on a public network. It has two modes: transport mode, which protects the payload of a packet but leaves the original IP header readable, and tunnel mode, which encrypts the whole original packet, header included, inside a new packet addressed between the two VPN endpoints. A remote reporter's client talks to the newspaper's gateway in tunnel mode, since its packets are bound for machines behind the gateway.
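The encapsulate-decrypt-forward cycle described a few paragraphs above, and the difference between transport and tunnel mode, are easier to see in code than in prose. The following is an added example written for this page; it is not code from the article, from Nortel, or from any IPsec implementation. It builds a bare ESP-style packet (SPI, sequence number, encrypted payload, trailer, integrity check value) around a minimal IPv4 packet, and uses a counter-mode keystream derived from HMAC-SHA256 as a stand-in for the AES or 3DES transforms a real VPN negotiates, so that it runs on the Python standard library alone. The function names, addresses, keys and the story text are all constructed for the example; real ESP also pads the payload and negotiates keys through IKE, neither of which is modelled here.

```python
"""Added example: ESP-style encapsulation in transport and tunnel mode.
Stand-in cipher and a fixed 20-byte IPv4 header keep it stdlib-only."""
import hashlib
import hmac
import socket
import struct

ESP_PROTO = 50    # IP protocol number carried in the outer header for ESP
IPIP_PROTO = 4    # ESP next-header value meaning "an IPv4 packet follows"
ICV_LEN = 12      # 96-bit truncated HMAC, the length IPsec uses for its ICV
HDR = "!BBHHHBBH4s4s"  # IPv4 header without options


def _checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet: 20-byte header (TTL 64, no options) + payload."""
    hdr = struct.pack(HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """What anyone on the path can read: addresses, protocol, and the payload
    bytes (which are only meaningful if they were not encrypted)."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": pkt[ihl:total_len]}


def _ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, XORed over data.  A stand-in
    for the AES/3DES transforms real IPsec negotiates; the same call decrypts.
    The nonce is SPI||sequence number, which is why ESP must never reuse one."""
    stream = b""
    for block in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + struct.pack("!I", block), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_encapsulate(enc_key, auth_key, spi, seq, packet, mode, gateways=None):
    """Wrap an IPv4 packet in ESP.  transport: keep the original header in the
    clear and encrypt only its payload.  tunnel: encrypt the whole packet,
    header included, behind a new header addressed endpoint-to-endpoint."""
    inner = parse_ipv4(packet)
    if mode == "transport":
        outer_src, outer_dst = inner["src"], inner["dst"]
        plaintext, next_header = inner["payload"], inner["proto"]
    elif mode == "tunnel":
        outer_src, outer_dst = gateways          # (client public IP, VPN gateway)
        plaintext, next_header = packet, IPIP_PROTO
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    esp_hdr = struct.pack("!II", spi, seq)
    # ESP trailer: pad length (0 here; real ESP pads to the cipher block) + next header
    body = _ctr_xor(enc_key, esp_hdr, plaintext + bytes([0, next_header]))
    icv = hmac.new(auth_key, esp_hdr + body, hashlib.sha256).digest()[:ICV_LEN]
    return build_ipv4(outer_src, outer_dst, ESP_PROTO, esp_hdr + body + icv)


def esp_decapsulate(enc_key, auth_key, packet):
    """Verify the ICV, decrypt, and hand back the packet the gateway forwards.
    Raises ValueError on anything that was tampered with in transit."""
    outer = parse_ipv4(packet)
    if outer["proto"] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    esp = outer["payload"]
    esp_hdr, body, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, esp_hdr + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):   # check integrity BEFORE decrypting
        raise ValueError("ESP integrity check failed")
    clear = _ctr_xor(enc_key, esp_hdr, body)
    plaintext, next_header = clear[:-2], clear[-1]
    if next_header == IPIP_PROTO:                 # tunnel mode: inner packet is complete
        return plaintext
    return build_ipv4(outer["src"], outer["dst"], next_header, plaintext)  # transport


if __name__ == "__main__":
    ENC_KEY, AUTH_KEY = b"K" * 32, b"A" * 32          # constructed keys, not negotiated
    story = b"DATELINE: story text the reporter is filing"
    pkt = build_ipv4("10.1.2.3", "192.168.5.20", 6, story)   # laptop -> in-house server
    tun = esp_encapsulate(ENC_KEY, AUTH_KEY, 0x1001, 1, pkt, "tunnel",
                          gateways=("203.0.113.7", "198.51.100.1"))
    seen = parse_ipv4(tun)
    print("on the wire:", seen["src"], "->", seen["dst"], "| story readable:", story in tun)
    print("gateway round trip ok:", esp_decapsulate(ENC_KEY, AUTH_KEY, tun) == pkt)
```

Run as a script, it shows what an observer on the path sees: in tunnel mode only the two endpoint addresses and protocol 50, with the internal address and the story text both hidden; in transport mode the internal addresses stay visible and only the payload is protected. The integrity check runs before decryption and uses a constant-time comparison, which is the order a real gateway must follow so that a forged or corrupted packet is dropped without ever being decrypted or forwarded.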

Compact disc, instructions
In order to take advantage of the VPN, remote users must have their own Internet service provider (ISP). The Herald's Williams said they provide a compact disc with the client software. At first, installations were done by systems folks or by walking the user through, Williams said. Now, they just hand over the compact disc and some clear instructions.

All the user has to do is load the software and establish a connection with their ISP. Once connected to the ISP, they launch the VPN client, which tunnels from the user's ISP to the Herald's extranet switch; the switch prompts for a password. Once connected, users have the same access to network resources as they do inside the building. The only difference is the connection speed: in the office it's a T1; outside it's usually a standard modem or a Digital Subscriber Line (DSL).

Supporting users on the VPN is pretty straightforward: create, modify and delete accounts. It remains a fairly routine task. In fact, Williams said they delegate most of the user creation and modification to the various departments to administer. Administration is as complex as you want to make it; it can be easier than administering a single workstation.

"It's browser-based without too much real hands-on," Williams said. "We push down the DNS to the user."

Gary Fong, director of editorial graphics technology at the San Francisco Chronicle, said the Chronicle has been using VPN since February 1999. The Chronicle uses a system from XO Communications Inc. of Reston, Va., which was formerly Concentric Networks.

"We have access to our internal data assets such as [System Integrators'] Coyote3, intranet, on-line phone book, photo archive and Associated Press," he said. "It has enabled us to be out there longer and easier."

At the Herald, users also access the same in-house resources, including Coyote3 and Coyote Layout. Coyote is the client software for a System/55 from System Integrators Inc. of Sacramento. With Coyote Layout, it is now possible to lay out pages remotely through the VPN.

"Photographers can get their photo assignments through Coyote, allowing us to communicate on several levels," Fong said. "It allows photographers to have virtual offices."

Fong said they are just starting to deploy digital cameras, but they are widely using Ricochet, a wireless modem from Metricom Inc. of San Jose.

"Ricochet allows photographers to access the Chronicle through the VPN and transmit from their seats," he said. "It increased our [football] deadlines into the fourth quarter and sometimes into overtime."

The 128 Kbps Ricochet service is available in eight markets in the United States, and Metricom is promising service in 14 more markets shortly.

Like the Herald, the Chronicle's national and remote bureaus and users have VPN access.

"Sometimes problems with speed come up from our overseas bureaus," said Williams. "But that's usually something that has to do with an intermediate ISP connection."

Aside from speed, overwhelming appreciation for remote access overshadows complaints. VPN technology, for its part, has revolutionized working in the field. The Chronicle's Fong said remote users can be sitting in the bleachers at sporting events with a Ricochet modem and have full connectivity to the paper. Among the capabilities a VPN gives reporters is the ability to do research remotely. No more phone calls to the library.

"The main complaint from users is that they have to pay for their own ISP," Williams said.

Aside from that, most of the reporters can no longer function in the field without VPN access. And dictation is a very, very bad word given the kinds of access now available. As wireless technology expands, so will the remote user's ability to go farther into the field.

Fong couldn't come up with any negatives about VPN usage. For his staff and others at the Chronicle, there are only the positives of rarely coming into the office. According to Fong, you are more likely to find them working out of a Starbucks.

-- Jason Zappe, jzappe@colepapers.net

Axent Technologies Inc.,
(301) 258-5043;
e-mail: info@axent.com;
Check Point Software Technologies Inc.,
(650) 628-200,
e-mail: info@checkpoint.com;
Cisco Systems Inc.
(408) 526-4000;
Lucent Technologies Inc.,
(908) 582-8500;
Metricom Inc.,
(408) 282-3000;
Microsoft Corp.
(425) 882-8080;
Nortel Networks Corp.,
(905) 863-0000;
e-mail: info@nortelnetworks.com;
XO Communications Inc.,
(800) 539-0214.

From THE COLE PAPERS, November 2000, Copyright © 2000, All Rights Reserved.

Modified date: 11/ 1/2000, 9:53:32 AM.
URL: http://www.colepapers.net/tcp.archive/cole_papers_00/TCP_00_11/vpn.html