Securing the Link

To meet a federal mandate to reduce welfare rolls, the Florida Department of Labor and Employment Security needed to find a way to transmit data securely with new private-sector partners while allowing them access to internal databases.

Officials turned to a burgeoning security technology called virtual private networking, which uses the Internet or another public backbone to carve out a private passageway or tunnel by using encryption and authentication. The state has become one of the first to launch a statewide VPN, a technology many state and local governments are eyeing to secure data transmissions while whittling communication costs.

Using VPN client/server software from V-One Corp., the labor department has linked more than 350 partners to enable them to work together to train welfare recipients and help them find jobs, said Bob Endress, the department's chief technology officer.

The department, which operates a frame-relay network, turned to VPN technology after struggling to find a way to securely link business partners without requiring them to purchase costly frame-relay connections, he said.

"How do we get these external partners that we now have...with all their own separate networks connected to our network...and be able to maintain the confidentiality?" Endress said, stating the question facing his department.

Private-sector partners download V-One client software from the department's World Wide Web site. This software is used to encrypt data communications transmitted via the Internet and to authenticate that a partner is authorized to access information on internal labor department networks. Labor officials have been able to absorb the cost of the client software, about $70 to $100 per year per partner. It would have cost several hundred dollars a month per partner for frame-relay connections, Endress said.

The department's server limits external user access to specific networks required for the welfare recipient job assistance. "It keeps people from being able to roam around your network," he said. "It creates a virtual tunnel directly to the application that they're going to access."

Florida is using VPN technology to connect with external business partners in what is called an extranet VPN. The technology also can be used for a remote-access VPN, which connects telecommuters or other mobile users to an agency network, or an intranet VPN, which connects fixed locations, such as branch offices.

In a VPN scenario, a remote user or a branch office employee dials into a service provider and establishes a link to agency headquarters over the Internet or the provider's network. The user then authenticates to gain authorized access to internal agency servers.

Because the technology can allow state and municipal governments to dispense with costly modems and dedicated leased lines, it can drastically reduce communications costs. David Dawson, chief executive officer of V-One, estimated that government agencies can save 30 percent to 40 percent on data communications costs.

"Virtual private networking technology has one of the highest return on investment of any technology to come along in recent history," Dawson said. "It's the type of technology that literally pays for itself before the installer is out the door."

Officials in San Antonio are evaluating VPN technology to replace the costly "800" numbers used by traveling workers to dial into the city's networks, said Karl Wahala, senior system programmer for the city. VPN capabilities would be extended to about 50 traveling city employees and those who work from the Texas city's branch offices in Mexico and Washington, D.C., he said.

"We have to have a secure way for them to get in and do their business...without incurring huge 800 costs," Wahala said. "For road warriors, it's hard to say what they accrue to 800 costs. We know it's a lot. Our 800 charges go away altogether [with VPN technology]."

City officials are interested in finding a solution that would support VPN, secure Web transactions and secure e-mail, he added.

In addition to data communications cost savings, government agencies using VPN technology do not have to have multiple infrastructures, such as frame relay or dial-up modem banks, said Tony Rosati, vice president of marketing and business development of TimeStep Corp.

"[VPN is] basically an Internet Protocol infrastructure.... It's very cheap to deploy," Rosati said. "The state and local networks are like extranets. It isn't just one person's network. The cost is usually shared between different organizations in government. All you need is an IP connection...connect each deploying standard VPN gear that is interoperable, and it should all work together."

For many state and local governments, managing and maintaining a VPN deployment can become a challenge, according to Jeff Barnell, vice president of marketing at VPNet Technologies Inc. Because of the dynamic nature of the technology, the typical network management scenario cannot routinely handle a VPN, he said.

"The technology is quickly outpacing the resources and knowledge of the Internet employees," Barnell said. "There's no reason to try to cobble together your own boxes."

VPNet has begun to offer fully outsourced VPN services, with the company designing a VPN implementation, installing it and managing and upgrading it for a monthly fee. Barnell said that because users do not own the equipment, they can start small and then move to technology with higher speeds and better performance as they scale up the size of the VPN without an investment in new equipment.

One of the drawbacks to VPN is that the technology depends upon the Internet or another public backbone. That means applications running over a VPN could be hampered by potential bottlenecks and other service-related problems that still plague the Internet.

Barry Smith, information technology director for Gaithersburg, Md., noted that although he is interested in VPN technology for a variety of applications, he will not rely on VPN technology for any time-sensitive applications.

However, the city plans to begin testing VPN technology to relay data on handheld wireless devices back to city hall, Smith said. For example, building code inspectors could key in notes from the field via a wireless device and transmit it to the office via a VPN, Smith noted.

"It would increase productivity because they wouldn't have to come back and key all that in," he said. "It would increase customer service because it would be more accurate information."

In addition, Gaithersburg officials may use the technology to enable police officers to use VPN via wireless devices from their cars to submit forms and check those forms against criminal information in police databases.

To combat the random nature of the quality of service provided by the Internet, Intel Corp. offers a solution that provides dial-up backup to VPN that can be managed from one software package.

"By installing a combination of VPN and direct-dial remote access...if there were some critical records that needed to be uploaded and an Internet connection were to go down, whoever is trying to send that information can establish a different connection," said Stephen Proctor, Intel VPN product manager.

Heather Harreld is a free-lance writer based in Cary, N.C.

***

How It Works

VPN technology is based on tunneling technology, which is used to transfer data between two similar networks over an intermediate network. One type of data packet encloses or encapsulates another data packet to shroud it from potential electronic eavesdropping, thus creating a private tunnel over a public backbone. The packets are encrypted so that the data is protected from an unauthorized user who may try to capture it during transmission.
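
The encapsulation described above, together with the gateway-side restriction Endress describes (partners reach only the networks they need), as an added Python example that is not part of the original article and is not V-One's protocol. The packet layout, keys, addresses and PARTNER_NET are constructed for illustration, and the HMAC-SHA256 counter-mode keystream is a standard-library stand-in for whatever cipher a real VPN product uses.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Constructed sample values: keys and addresses are illustrative only.
ENC_KEY, MAC_KEY = b"E" * 32, b"M" * 32
PARTNER_NET = "10.20.0.0/24"   # hypothetical subnet the partner may reach

def _keystream(key, nonce, n):
    # Stand-in stream cipher: HMAC-SHA256 in counter mode (not a product's cipher).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

def make_inner(src, dst, payload):
    # Simplified inner packet: 4-byte source, 4-byte destination, payload.
    return ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + payload

def encapsulate(inner, outer_src, outer_dst):
    # Client side: encrypt the whole inner packet, then wrap it in an outer
    # header that carries only public addresses. Layout: hdr|nonce|ct|tag.
    nonce = os.urandom(12)
    ct = _xor(inner, _keystream(ENC_KEY, nonce, len(inner)))
    hdr = ipaddress.ip_address(outer_src).packed + ipaddress.ip_address(outer_dst).packed
    tag = hmac.new(MAC_KEY, hdr + nonce + ct, hashlib.sha256).digest()
    return hdr + nonce + ct + tag

def decapsulate(packet, allowed_net=PARTNER_NET):
    # Gateway side: verify the tag before decrypting, then enforce the allow-list.
    body, tag = packet[:-32], packet[-32:]
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    nonce, ct = body[8:20], body[20:]
    inner = _xor(ct, _keystream(ENC_KEY, nonce, len(ct)))
    dst = ipaddress.ip_address(inner[4:8])
    if dst not in ipaddress.ip_network(allowed_net):
        raise PermissionError(f"destination {dst} is outside {allowed_net}")
    return inner

if __name__ == "__main__":
    pkt = encapsulate(make_inner("10.1.1.5", "10.20.0.7", b"job-training record"),
                      "192.0.2.10", "198.51.100.1")
    print(decapsulate(pkt)[8:])
```

An observer on the public network sees only the outer addresses and ciphertext; the gateway rejects any packet whose tag does not verify or whose inner destination falls outside the partner's permitted subnet.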