Should providers market Web-based intranet services as
'virtual private networks'? How well does this trendy technology label
fit these emerging service offerings?
When the VPN market first emerged, nearly every discussion on the topic
started with a question: What is a virtual private network? Over the past
two years, I've seen rough consensus form around the following definition:
a secure network service, riding over shared infrastructure, but with
the same properties we associate with private networks. That is, access
limited to authenticated users, protection against eavesdropping and data
modification, and ability to define and enforce service levels.
To many, "VPN" also implies a tunneling protocol: PPTP, L2TP, IPsec,
perhaps even SSH. Others disagree, saying VPNs enable services (secure
remote access, site-to-site intranet, or business-to-business extranet) and
tunnels are merely one way of supporting VPN services.
With this continuing debate as the backdrop, I'd like to ponder a question
posed by an ISP-Planet reader:
Can the new crop of Web-based intranet services really
be called "virtual private networks"?
Web-based intranet services
To answer this question, let's start by taking a quick look at Web-based
intranet services. These services provide "online office applications,"
with emphasis on groupware: e-mail accounts and mailing lists, personal
and group calendars, contact managers, shared files, bulletin boards,
online conferencing. These applications are accessible to registered users; all
you need is Internet access, a compatible Web browser, and the requisite
login/password. Many services offer free, ad-supported subscriptions that
are limited in some fashion, usually storage space. Some also sell paid
subscriptions for value-added services for enterprise use: additional
storage, additional users, longer conference sessions.
To illustrate the breadth of services available today, the following
table enumerates several Web-based intranet services, accompanied by an
example application list drawn from each provider's Web site:
Service (URL): Example office applications

Desktop.com (http://www.desktop.com): NewsReader, Mail Drop, Find It!, Weather, Snow Report, Slashdot Reader, Web Shopper, Stock Watch, To Do List, Calculator, Stickies, Photo Album, Games

HotOffice (http://www.hotoffice.com): Web E-mail, Intellisync, Web Publishing, Group Calendar, Group Contact Manager, Document Management, Online Document Viewer, Private Bulletin Boards, Online Conference Rooms, Business Center

Intranets.com (http://www.intranets.com): Store Contact Information, Share Documents, Access Member Information, Group Calendar, Email and Newsletters, Announcements

L2 Interactive.com Inc. (http://www.myinternetdesktop.com): Calculator, iCalendar, iMail, iWriter, Virtual Hard Drive, Web Bookmarks, While You Were Out

Magical Desk (http://www.magicaldesk.com): MagicalDesk Message Center, Email, Calendar (private or shared), Address Book, Task List, MagicalFiles, MagicalSync, Internet Bookmarks, Storage Space

My.PlaceWare (http://my.placeware.com): Web Conferencing

Punch Networks (http://www.punchnetworks.com): Punch WebDrive Secure, Punch WebGroups Secure

StoragePoint.com (http://www.storagepoint.com): Email, Contact Manager, Calendar, Web Links, Notes, Data Importers

USA.NET Net@ddress (http://www.usa.net): Email Forwarding, Paging, Faxing, Virus Scan

Visto.Com (http://www.visto.com): Personal Storage Area, Appointment Calendar, Address Book, Email Account, Share Files and Calendars, Create or Join Groups

Webex (http://www.webex.com): Meeting Scheduling & Notification, Office Calendar, Personal Greeting, Personal or Business Profile, Office Message Service, Address Book, Document Storage, Office Directory Listing
Point: Web-based intranets meet the definition of VPN
These services are clearly "virtual": online office applications don't
run on your desktop or a departmental server, and these sites don't sit
on your corporate network. Instead, these applications live on the public
Internet, at an application service provider. Subscriptions, whether free
or paid, carve private space out of shared resources, giving the appearance
of a private intranet server after login.
These services are also "private" in the sense that they define closed
user groups, or communities of interest. Users are authenticated by login/password,
and access controls are configured to restrict use: for example, only
authorized group members can view a shared calendar, only the mailbox
owner can read email. Measures are taken to maintain separation of data
on shared servers, and site policies state each provider's commitment
to information privacy.
Many services use SSL to protect against unauthorized disclosure or
modification of data in transit, and some also store data in encrypted
form. For example, the HotOffice Publishing Wizard uses RC4 or SSL for
encrypted data transfer, Visto.com encrypts either your login or your
entire session with 40- or 128-bit encryption, and Punch Networks uses
RC4 48-bit encryption to protect stored data. Several site policies also
stress the physical security of shared servers to prevent information
access or tampering.
While these services don't typically use tunneling protocols like PPTP
or IPsec, one can argue that SSL tunnels part or all of the traffic between
the user's Web browser and the intranet server, depending upon the service.
To the end user, what's the difference between an IPsec tunnel between
a laptop and a private enterprise intranet server, and an SSL connection between
a browser and an ASP's Web-based intranet server?
Counter Point: Web-based intranets stretch "VPN" too far
Security experts would answer my last question with a lengthy analysis
of perceived strengths and vulnerabilities. Even without being a crypto
guru, one can see these services employ weaker encryption than baseline
IPsec with 3DES, as well as weak password authentication. Clearly, risk
analysis is appropriate to determine the sensitivity of your data and
whether the security measures employed by these services are sufficient.
For many users and intended applications, Web-based intranets offer sufficient
privacy. But for many enterprise applications, they do not.
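The risk analysis the column calls for, applied to the transport facts it cites (40- or 128-bit session encryption, RC4, login-only encryption, password-only authentication) against the IPsec-with-3DES baseline. This is an added example, not code from the column or from any provider named in it; the ServiceProfile fields and the sample profiles are constructed, and the TLS context at the end is what a cautious subscriber could apply with today's Python ssl module.

```python
import ssl
from dataclasses import dataclass

# The column's baseline is IPsec with 3DES. 3DES takes a 168-bit key but only
# offers about 112 bits of effective strength (meet-in-the-middle), so that
# is the bar a service's session encryption is measured against here.
BASELINE_EFFECTIVE_BITS = 112


@dataclass
class ServiceProfile:
    """Constructed description of one Web-based intranet service's transport."""
    name: str
    cipher: str           # symmetric algorithm as the provider advertises it
    key_bits: int         # advertised key length
    whole_session: bool   # True if every request is encrypted, not only login
    password_only: bool   # True if login/password is the only authentication


def assess(profile: ServiceProfile) -> list:
    """Return the findings a risk analysis of this service would raise."""
    findings = []
    if profile.key_bits < BASELINE_EFFECTIVE_BITS:
        findings.append(f"{profile.key_bits}-bit {profile.cipher} is below the "
                        f"{BASELINE_EFFECTIVE_BITS}-bit effective 3DES baseline")
    if profile.cipher.upper() == "RC4":
        findings.append("RC4 keystream biases make it unsuitable at any key length")
    if not profile.whole_session:
        findings.append("only the login is encrypted; session data is in the clear")
    if profile.password_only:
        findings.append("password-only authentication, no second factor")
    return findings


def meets_baseline(profile: ServiceProfile) -> bool:
    """True only when no finding is raised, i.e. the service is at least as
    strong as the IPsec/3DES baseline on every axis checked."""
    return not assess(profile)


def strict_client_context() -> ssl.SSLContext:
    """Client-side policy for reaching such a service today: TLS 1.2 or later,
    certificate verification on, RC4/3DES/MD5 and anonymous suites excluded."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!RC4:!3DES:!MD5")
    return ctx


# Constructed profiles modelled on the column's examples, not real measurements.
LOGIN_ONLY_40BIT = ServiceProfile("login-only, 40-bit", "RC4", 40, False, True)
FULL_128BIT = ServiceProfile("full session, 128-bit", "AES", 128, True, False)
```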
Furthermore, online office applications are just that: applications.
They are not, in and of themselves, networks. In an interpersonal sense,
a network is a group of people, and networking involves interacting with
other people. But from a technical perspective, a network is a group of
interconnected hosts and gateways; networking involves forwarding, routing,
and shaping traffic. Applying the interpersonal definition of "network"
to the technical term "VPN" is quite a stretch.
Parting thoughts
I believe the more important question is not can one apply the term "VPN"
to Web-based intranets, but rather, will doing so aid consumer understanding?
Will a Web-based intranet service sell better if positioned as a "VPN"
service? Or will customers seeking shared office applications be confused,
and customers seeking IPsec VPNs be misled?
What do you think? If you have an opinion you'd like to share, send email
to lphifer@fast.net. If interest
warrants, I'll summarize what I hear in a future column.