Before anybody can grapple with the technical issues involved in choosing, implementing, and maintaining a VPN,
one has to go through the exercise of explaining and selling the notion of virtual private networking to those who approve whatever investments of time, effort, and money are necessary to introduce and use this technology. Fortunately, neither the sell nor the explanation need be terribly difficult because of VPNs' obvious benefits--particularly, its ability to enable the use of low cost local Internet access points for both ends of a connection, while protecting the contents of what's communicated across that connection.
Establishing the groundwork for discussing benefits may take some effort, but is best explained by describing how lots of normal everyday Internet services--such as basic e-mail, file transfer, and so forth--remain fundamentally insecure. Any time anybody uses such services to access corporate networks and information without added protection involved, there's a real and tangible chance of compromise.
By itself, this is usually enough to sell VPNs to most managers. But for those operations that already have other secure options in place--such as proprietary terminal servers--the sale may have to be different. In this case, if users are dialing directly into the server, the sale needs to concentrate on how a VPN allows remote users to link into an Internet link locally (and for the server on the other end to do likewise), thereby eliminating long distance phone costs (and often, enabling faster, cheaper connections as an added bonus). These two arguments also apply when linking sites to one another, where applicable, except that they end up protecting networks on both ends, rather than users on one end and servers on the other.
With business benefits boosting interest, managers will typically want to know about costs and options next, and possibly about how VPNs actually work. With client options that include software built into most modern IP stacks (IPSec, IKE, and so forth) and affordable server options abounding, as well as affordable commercial implementations from vendors of all scales widely available, costs seldom need to exceed $100 per user. When risk analysis is used to compare the cost of potential losses against the price of a VPN solution, it's a slam dunk to make the financial case.
When explaining the ins and outs of VPNs to those who may not be technically inclined, you'll also find some good tools at your disposal. These include Cisco Press's excellent The Business Case for Network Security (by Catherine Paquet and Warren Saxe, 2005, ISBN: 2-58720-121-0) which covers VPNs among a host of other tools and technologies in explaining how and why information security is needed, designed, and deployed (Chapter 3 covers VPNs). You'll also find lots of great tutorials online, such as The International Engineering Consortium's (an outfit that numbers Cisco, Alcatel, and Agilent Technologies among its principal sponsors) VPN tutorial.
With the right combination of information about the risks inherent in unprotected Internet communication, business benefits of VPNs, and basic operation and implementation details and costs, VPNs are easy to justify. The notions and resources in this tip should help you make that case with your management should you need to do so.
Ed Tittel is a regular contributor to numerous TechTarget Web sites, and the author of over 100 books on a wide range of computing subjects from markup languages to information security. He's also a contributing editor for Certification Magazine, and edits Que Publising's Exam Cram 2 and Training Guide series of IT cert prep books. E-mail Ed at firstname.lastname@example.org.