VPN: Extend your network and keep hackers out

Once upon a time, a VPN was about as important to your small- to medium-sized business as UPN, the television network that featured "Buffy the Vampire Slayer." But hackers and online villains have come along to change that.

VPN, which stands for "virtual private network," is a hardware/software solution for remote workers, providing authorized users with a data-encrypted gateway through a firewall and into a corporate network. Once the domain of big business, VPNs have come down in price and are a hot commodity in the small-to-midsized business market.

If you have telecommuters, satellite offices or employees who travel and need to connect to your corporate network via the Internet, a VPN — implemented properly — will slay the efforts of most any vampires trying to get their teeth around your sensitive data. It also will save you a bundle on long-distance phone calls.

"VPNs are data-encrypted tunnels over the Internet," says Kneko Burney, chief market strategist for business infrastructure and services at In-Stat/MDR. "They offer robustness and security, and are a cheaper alternative to a dedicated phone line." (Solutions for a small number of users start at under $200.)

So, the question is: Do you need a VPN for your business? The answer is a definite maybe. Here are a few things to consider:

1. How sensitive is your company's data? For most businesses, the answer is probably "very." Most companies have customer information and records, financial records and company secrets in their internal networks that merit the best protection you can afford. On the other hand, if your sensitive data is stored offline, and you don't have anything online that you think a hacker might be interested in, perhaps you don't need a VPN.

2. Do you have telecommuters, traveling employees or other remote workers?
The benefits of a VPN are twofold: Not only do they offer secure network access to those traveling or working off-site, but they extend the corporate network to those workers to make them feel a part of the company — part of your team.

3. Do you have more than a few employees? A VPN may be an expensive solution for a company with fewer than five employees, unless they all travel or work remotely. Burney suggests companies with 10 or more employees (including telecommuters, remote workers or travelers) are most likely to reap the economies of scale that a VPN can offer. Obviously, the service costs more per month than DSL.

4. Do you have SSL-encrypted Internet pages already? Some companies using Microsoft Exchange servers for e-mail already may have the encryption protection necessary for remote workers — at least for accessing their e-mail (via Outlook Web Access), says Matthew Berk, a tech research analyst. For businesses with low sensitivity requirements, he says, "there are Web-based alternatives to a VPN for authentication and encryption," though they may be less secure.

If you've determined you do have a need, here are six tips from analysts:

1. Know the difference between CPE and network-based VPNs. CPE stands for a Customer Premise Equipment-based solution, which represents the majority of VPNs on the market. A CPE-based solution offers end-to-end encryption. A network-based solution does not encrypt data until it reaches the Internet; in other words, there may be small gaps before and after the data reaches the Internet where it is unencrypted. Most analysts believe the security risk of a network-based VPN is minimal. But businesses in certain federally regulated industries such as telecommunications, energy, banking and finance and health care are required by law to have secure networks — which virtually mandate end-to-end data encryption, as well as firewalls and other security devices. The advantages of a network-based solution?
They are often cheaper and easier to manage, says analyst J.P. Gownder of the Yankee Group.

2. Install yourself or use a managed service? If you have an IT staff or a consultant, you may want to buy and implement a VPN from a top-notch provider such as Cisco or SonicWall yourself. You have more control over the setup and usage. But ... VPNs often are implemented incorrectly, and that can open up big security holes, Berk says. In addition, administration and management of VPNs in-house is complicated and "can be a hassle," says Jason Smolek, an analyst for IDC. Telecommunications companies such as Qwest, Verizon and BellSouth, as well as several Internet service providers, offer managed security solutions that could save you the hassle. Many bundle their VPNs with a firewall.

3. Have a firewall too. Some users have a VPN instead of a firewall, but that isn't smart. The purposes of a VPN are to create an encrypted tunnel or gateway through your network's firewall and to keep out hackers. The VPN encrypts the pieces of data, but the firewall is still needed to provide a prison fence around your network. It makes little sense to have a VPN and not a firewall.

4. Look for "IPSec" compliancy and operating system compatibility. IPSec stands for Internet Protocol Security, and is VPN-supporting technology included in Windows 2000 and Windows XP. Used with compatible VPNs (and the majority are, according to analysts) IPSec guarantees the authenticity, integrity and confidentiality of network traffic. Interoperability with a VPN may be an issue, however, with Macintosh systems or those using Windows 98 or a prior Windows operating system on their desktop, Berk says. Make sure you buy a VPN compatible with your operating system.

5. If you have a wireless LAN, make sure your VPN operates securely with it. Having a VPN certainly enhances the capabilities of your wireless local-area network (LAN).
But the "layering" of a VPN on a wireless network can result in security holes if not done properly. Dennis Eaton, chairman of the nonprofit Wireless Ethernet Compatibility Alliance (WECA), recommends that businesses place their wireless LAN outside of their network firewall, and provide the VPN to tunnel through the firewall, to ensure the utmost security. Otherwise, he says, wireless network traffic can accumulate and move around inside the firewall, virtually nullifying the VPN and risking security. "You want to make sure the firewall is on the inside and the wireless network on the periphery," Eaton says.

6. Know that a VPN may cause a performance hit for the remote user. This happens when suddenly some 10% to 15% of the bandwidth you have available remotely goes to security. "VPNs are great for setting up a secure connection, but they take up a healthy chunk of the performance speed," says Joe Laszlo, broadband analyst for Jupiter Research. "It's not so bad that it is unusable, but in many cases, it is noticeable."

Despite this, Laszlo and other analysts say that if you need a secure connection for your remote and traveling workers, VPNs are worth the money.

"Some smaller businesses are just getting to know them, and there is a perception among some that (VPNs) aren't that secure," Burney says. "The reality is that they are phenomenally secure."