If the Internet must be used for your company’s VoIP traffic, you have only one option to consider: a virtual private network (VPN). It has proven to be both cost-effective and capable of delivering good quality VoIP service for companies with limited VoIP needs.
The term virtual private network is an apt description. The virtual component was intended to convey virtually anywhere. The private component is derived from the fact that a VPN uses private dedicated transports at each location on its network to connect that location to its local ISP.
The VPN concept emerged in the early 1990s as a way to transfer data securely over the Internet. Consider the case of a small company with two locations, one in New York and the other in Los Angeles. Instead of using a T1 line to connect the offices at a cost of $12,000 per month, the company would pay $1200 per month to get a T1 connection at each location from a local ISP. They would then use the Internet as the backbone network to carry countless computer data applications. Figure 9-5 shows an example of a VPN that connects three locations.
Historically, the use of the Internet as a network backbone is called extranetting, or riding the Internet for free. In the 1990s, VoIP and security issues were not even in the picture.
Figure 9-5: A simple three-site VPN.
Today, any discussion of using the Internet as the backbone of a private network inevitably leads to a discussion of VPN. VPNs require some sort of secure gateway, firewall, or router at each location connected to the network. Private, dedicated transport lines are used to connect each location to their local ISP. Each gateway is configured to route all traffic — including VoIP traffic — over the Internet to each of the other locations in the company, as well as to the Internet generally.
Because of the contentious nature of the Internet and the high cost of securing each VPN location’s network, VPN designs are proving to work well when the network has no more than five to eight locations and fewer than twenty people per location. However, no significant studies have determined what the maximum permissible number of users per location should be.
Before implementing a VPN, a company must undertake a thorough analysis to assess calling patterns, call volumes, hardware needs, bandwidth requirements, Internet access, and security needs — for each location on the VPN. After your present network requirements are determined, you also need to plan for future growth. All of this would then need to be balanced against the total cost of operation and the complexity of having a VPN.
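The bandwidth part of that analysis is where a VPN differs most from a private line: every voice packet gains an outer IP header, an ESP header, cipher padding and an integrity check before it reaches the ISP link. The following is an added example (not from the book) that estimates per-call bandwidth with and without ESP tunnel-mode encapsulation and how many calls fit in a share of a T1. The codec settings (G.711 and G.729 at 20 ms packetization) and the cipher suite (AES-128-CBC with HMAC-SHA1-96) are assumptions; the ESP packet layout follows RFC 4303.

```python
"""Per-call VoIP bandwidth with and without IPsec ESP tunnel encapsulation.

Added example, not from the book: estimates what a VPN's per-packet overhead
does to the voice bandwidth budget of a site's Internet link.  Codec and
cipher figures are assumptions stated in the comments; the ESP layout
(SPI/sequence, IV, padded payload, trailer, ICV) follows RFC 4303.
"""
import math
from dataclasses import dataclass

# Layer overheads in bytes (IPv4 without options).
IPV4_HEADER = 20
UDP_HEADER = 8
RTP_HEADER = 12

# ESP tunnel-mode overhead, assuming AES-128-CBC + HMAC-SHA1-96 (an assumed SA choice).
ESP_SPI_SEQ = 8   # SPI (4) + sequence number (4)
ESP_IV = 16       # AES-CBC initialization vector
ESP_TRAILER = 2   # pad length (1) + next header (1)
ESP_ICV = 12      # truncated HMAC-SHA1 integrity check value
AES_BLOCK = 16    # the encrypted part is padded to a multiple of this


@dataclass(frozen=True)
class Codec:
    name: str
    payload_bytes: int       # speech bytes carried per RTP packet
    packets_per_second: int  # 1000 / packetization interval in ms


# Assumed codec settings: 20 ms packetization, so 50 packets per second.
G711 = Codec("G.711", payload_bytes=160, packets_per_second=50)  # 64 kbps speech
G729 = Codec("G.729", payload_bytes=20, packets_per_second=50)   # 8 kbps speech


def inner_packet_bytes(codec: Codec) -> int:
    """Size of one RTP/UDP/IPv4 voice packet before any VPN encapsulation."""
    return IPV4_HEADER + UDP_HEADER + RTP_HEADER + codec.payload_bytes


def esp_tunnel_packet_bytes(inner_bytes: int) -> int:
    """Size on the wire after ESP tunnel-mode encapsulation (RFC 4303 layout)."""
    # Encrypted portion = inner packet + padding + pad length + next header,
    # rounded up to a whole number of cipher blocks.
    to_encrypt = inner_bytes + ESP_TRAILER
    encrypted = math.ceil(to_encrypt / AES_BLOCK) * AES_BLOCK
    return IPV4_HEADER + ESP_SPI_SEQ + ESP_IV + encrypted + ESP_ICV


def call_kbps(codec: Codec, over_vpn: bool) -> float:
    """Bandwidth of one direction of a single call, in kbit/s at the IP layer."""
    size = inner_packet_bytes(codec)
    if over_vpn:
        size = esp_tunnel_packet_bytes(size)
    return size * 8 * codec.packets_per_second / 1000


def max_concurrent_calls(link_kbps: float, voice_share: float, per_call_kbps: float) -> int:
    """Number of calls that fit in the slice of the link reserved for voice."""
    return int(link_kbps * voice_share / per_call_kbps)


if __name__ == "__main__":
    T1_KBPS = 1544  # nominal T1 rate, the access line used in the book's example
    for codec in (G711, G729):
        plain = call_kbps(codec, over_vpn=False)
        vpn = call_kbps(codec, over_vpn=True)
        calls = max_concurrent_calls(T1_KBPS, 0.5, vpn)
        print(f"{codec.name}: {plain:.1f} kbps plain, {vpn:.1f} kbps over ESP tunnel "
              f"(+{(vpn / plain - 1) * 100:.0f}%), {calls} calls in half a T1")
```

The point the numbers make is that encapsulation overhead is fixed per packet, so it hurts low-bit-rate codecs proportionally more: G.729 roughly doubles on the wire while G.711 grows by about a third. Planning per site should therefore use the encapsulated figure, not the codec's nominal rate.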
In a VPN design, each site bears the full cost of the following:
Dedicated private connection to their ISP
ISP Internet bandwidth access
Terminating hardware including firewall and router (minimally)
These costs are much higher than a typical single site’s cost to connect to a larger private dedicated network because each VPN site needs its own Internet access. VPN sites also require more complex network hardware configuration. However, after the connection is set up, no other recurring costs are involved because the Internet is basically a free ride. Consequently, running VoIP over a VPN can be very cost effective if the configuration can be completed in a manner that ensures security and high QoS.
The more sites added to a VPN supporting VoIP telephony, the less cost-effective it may become. Remember that each site added requires its own high-speed access to the Internet, its own router, and its own firewall. You also must consider the administrative burden on network administrators (for managing that firewall and router). All this doesn’t come cheap. Ultimately a point is reached where establishing a dedicated network becomes more cost-effective than continually upgrading your VPN. Exactly where that point is depends on many factors, but the primary ones are the distance between offices and the number of offices you need to connect. Your company should do a thorough analysis to determine exactly which approach is best for your goals.
If your company has quite a few mobile or remote users, establishing a VPN may make strategic sense. Their personal computers can function as routers and firewalls, and the fact that they can connect to the company network over the VPN from any Internet access point can be a big plus. Make sure you consider the needs of your mobile and remote users in any analysis you undertake.
Implementing a VPN
VPN hardware and software technology has evolved into two distinct categories: gateways and firewalls. Gateways allow individual LANs to connect to the Internet. They can perform VPN-related tasks, as well, such as encrypting and decrypting data transferred through the gateway. The gateway physically connects each LAN to the transport lines used for Internet access.
Gateways include software that enables the network administrator at each site to manage the network. Anyone attached to the LAN would then be able to access the Internet-based external network and any of the other corporate LAN sites attached to the VPN. Through the use of IP-enabled telephones or digital telephones optimized to support VoIP, any user can make VoIP telephone calls to anyone at any of the sites on the VPN.
Mobile users connect to the VPN through client software (provided with the gateway) installed on their laptop. When the user is in the office, the laptop connects to the VPN just like everyone else’s computer. When away from the office, the mobile user uses the client software to access the corporate VPN through any Internet access point. To support VoIP telephony, the user needs to run IP soft phone software on the computer. After obtaining access to the VPN, the user can make and receive VoIP telephone calls through the IP soft phone.
Firewalls, the other VPN category, are used to implement security on any network to which they are attached. (Firewalls were discussed earlier in this topic.) Privacy and protection are important when using the Internet for any service, including VPN and the VoIP services that may operate over the VPN.
Part of the complexity involved with the design of a VPN is the configuration of the firewall and other computers exposed to the Internet. But this complexity enables each location on the VPN to nail down tight security. Through the gateway or through a separate additional firewall device, each site can set up protection from unauthorized intrusion.
The Internet Engineering Task Force (www.ietf.org) has developed the IP Security protocol suite, or IPSec. This is a set of IP extensions in the form of software, just like the entire TCP/IP suite of protocols. IPSec runs on the gateway (or on the separate firewall, if one is used) and inspects each packet that passes through. Unauthorized or questionable packets are discarded before they enter the protected segments of the network.
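What "discarded prior to entry" means in practice is a per-packet policy check: IPsec keeps a security policy database whose entries say which traffic must arrive inside a tunnel, which may pass in the clear, and which is dropped outright, and anything matching no entry is dropped. The following is an added example, not from the book or any vendor's product, that models that inbound decision for the New York gateway of the two-site company described earlier. The LAN prefixes, policies and sample packets are constructed for illustration; the decision rules (first match wins, default discard, and clear-text traffic matching a protect policy is dropped) follow RFC 4301.

```python
"""Inbound packet screening in the style of an IPsec security policy database.

Added example, not from the book or any vendor's product: a toy model of the
per-packet decision a VPN gateway makes under RFC 4301 rules.  All addresses,
policies and packets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Action(Enum):
    PROTECT = "protect"  # traffic must arrive inside an IPsec SA (ESP tunnel)
    BYPASS = "bypass"    # allowed in the clear, no IPsec required
    DISCARD = "discard"  # dropped


class Verdict(Enum):
    ALLOW = "allow"
    DROP = "drop"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp", ...
    dport: Optional[int]  # None for protocols without ports
    via_esp: bool         # True if decapsulated from an authenticated ESP tunnel


@dataclass(frozen=True)
class Policy:
    src: str              # CIDR selector
    dst: str              # CIDR selector
    proto: Optional[str]  # None matches any protocol
    dport: Optional[int]  # None matches any port
    action: Action

    def matches(self, pkt: Packet) -> bool:
        return (
            ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and (self.proto is None or self.proto == pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
        )


def screen_inbound(spd: List[Policy], pkt: Packet) -> Tuple[Verdict, str]:
    """First matching policy wins; no match means discard (the RFC 4301 default)."""
    for pol in spd:
        if not pol.matches(pkt):
            continue
        if pol.action is Action.DISCARD:
            return Verdict.DROP, "policy says discard"
        if pol.action is Action.BYPASS:
            return Verdict.ALLOW, "bypass policy, IPsec not required"
        # PROTECT: acceptable only if the packet really came through the tunnel.
        # A clear-text packet carrying a remote-site source address is exactly
        # the spoofing case this check exists to stop.
        if pkt.via_esp:
            return Verdict.ALLOW, "arrived inside ESP tunnel as required"
        return Verdict.DROP, "protect policy but packet arrived in the clear"
    return Verdict.DROP, "no matching policy"


def screen_all(spd: List[Policy], packets: List[Packet]) -> List[Verdict]:
    return [screen_inbound(spd, p)[0] for p in packets]


# Constructed SPD for the New York gateway: NY LAN 10.1.0.0/16, LA LAN 10.2.0.0/16.
NEW_YORK_SPD = [
    Policy("10.2.0.0/16", "10.1.0.0/16", None, None, Action.PROTECT),  # LA site, incl. VoIP
    Policy("0.0.0.0/0", "10.1.0.10/32", "tcp", 443, Action.BYPASS),    # public HTTPS server
]

# Constructed sample packets as seen by the New York gateway.
SAMPLE_PACKETS = [
    Packet("10.2.5.7", "10.1.3.4", "udp", 5060, via_esp=True),     # SIP from LA over the tunnel
    Packet("10.2.5.7", "10.1.3.4", "udp", 5060, via_esp=False),    # same addresses, in the clear
    Packet("203.0.113.9", "10.1.0.10", "tcp", 443, via_esp=False), # Internet client to web server
    Packet("203.0.113.9", "10.1.3.4", "udp", 5060, via_esp=False), # unsolicited SIP to an IP phone
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        verdict, why = screen_inbound(NEW_YORK_SPD, pkt)
        print(f"{pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport} esp={pkt.via_esp}: "
              f"{verdict.value} ({why})")
```

The second sample packet is the one worth noticing: it carries a legitimate Los Angeles source address and the right SIP port, yet it is dropped, because the policy requires that traffic to have been authenticated by the tunnel. That distinction between "looks like site traffic" and "provably came from the site" is what the VPN gateway adds over an ordinary address-based firewall rule.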
Many variations of VPNs and hundreds of VPN service providers are available. To make the best decision regarding a VPN, do your homework and investigate the options available. It is worth your time to meet with various companies and solicit bids for implementing your VPN. The more you know, the better decisions you can make.