InformationWeek: The Business Value of Technology

News In Review

February 8, 1999

Automated-Policy VPNs Become Top Priority

Administrators find an easier way to maintain networks and monitor traffic

By Amy K. Larsen

    This is the year companies will move their virtual private networks from pilot test projects into full production. As the VPN momentum builds and more companies start relying on these secure tunnels to carry business data over private and public IP networks, network administrators are looking for more control over exactly what, when, and how users access network resources.

    Whether it's filtering specific server content for individual users or closing the network to traffic at certain times, administrators want a way to take the manual labor out of policy enforcement. Automating policy enforcement is one way to reduce the time administrators spend setting policies, says Michael Howard, principal analyst with Infonetics Research. In addition, he says, policy-based VPNs reduce the number of errors people introduce.

    Deckers Outdoor Corp. opted for a VPN from Fortress Technologies Inc. last year. The shoe and apparel maker wanted to reduce the high costs of its frame relay connection between its California headquarters and its European offices. Migrating to the less-expensive VPN was a success, but the company ran into problems that hampered salespeople's ability to enter orders over the new VPN.

    "One issue we ran into was the time difference between our headquarters and a field office in the Netherlands," says Steve Miley, director of IS for Deckers. "We were bringing the system down for maintenance from 9 p.m. until midnight, and users were getting knocked off the network in the middle of filling out an order. Then, when they would log back on to the network, the order they filled out would be locked."

    It would have helped to have a mechanism built into Deckers' VPN to set a policy to block access during certain times. Because there wasn't an easy technological solution at the time, Deckers told users when the network was unavailable and built a workaround using some custom tools to help salespeople unlock their orders.

    Deckers isn't alone with this problem. Forrester Research Inc. estimates that U.S. companies will spend $602 million on VPN access services this year, up from $142 million last year. It says that by 2002, U.S. purchases will reach nearly $8 billion. In tandem with VPN popularity growth, more customers are looking for VPNs with policy capabilities.

    Recent introductions of such products include Indus River Networks Inc.'s RiverWorks for remote access VPNs, which has policy management built in, and Cisco Systems' Security Manager 1.0, an application that provides policy-based management capabilities for Cisco VPN equipment.

    A lot of point products, such as Cisco's Security Manager, are available integrated into a vendor's equipment, Infonetics analyst Howard says. But those products still require network administrators to spend a lot of time setting systems to specify access rights. And even if setting policies isn't an immediate concern for new VPN deployments, once IT administrators put in a VPN, they need some system for administering who can tap into what devices, and when.

    Dictating access policy was a priority for the United Network for Organ Sharing when it set out to buy a VPN last year. The organization, which matches organ donors to patients on the national transplant waiting list, will go live this spring with a VPN that will connect the doctors of the 56,000 people on the list with hundreds of medical facilities that have potential organ donors.

    "We were sold on VPNs because of their universality of access," says Berkeley Keck, director of IT for United Network. "But we needed a way to limit the access doctors have to patient information." Doctors for specific patients needing or donating organs had to be able to get all the information they needed on their patients without seeing other patients' records.

    Limited Access
    The organization's new Cisco network will allow only authorized medical personnel to get updated transplant information by logging onto a special Web site. It's secure enough to block unauthorized users from accessing donor information, Keck says. However, security concerns about internal users' accessing unauthorized files put his application security team to work.

    "We still aren't at the point where we trust a vendor to be able to filter what content an authorized user can see once they are inside the VPN," Keck says. "So we built the security policies into the application itself."

    continued...page 2

