Virtual private networks and Domino servers (continued)

Of course, setting up a VPN requires some work. You'll need extra hardware (a VPN server at each location), and VPN software. If remote users will be calling in to the VPN, you'll have to configure their computers with VPN software as well. And you'll have to untangle the astonishingly confusing VPN marketplace, where vendors can't even agree on what a VPN is, much less on VPN standards. The number of vendors has proliferated dramatically, with everyone from small regional shops to big Internet providers getting in on the action.

Some vendors provide managed VPN solutions, so you can hire someone else to manage your VPN while you administer the Domino servers you truly care about. Before you hire someone to provide a VPN, be sure to look closely at the vendor's service record, because you'll be in bad shape if the vendor turns out to be unreliable or incompetent.

What about Domino?
Using a VPN to provide secure transmissions between Domino servers sounds great. But if you look a little closer, there are some problems.

One of the strongest arguments for using a VPN is that it encrypts data. However, Domino servers have their own encryption capabilities. Any port on a Domino server can be configured so that all traffic over that port is encrypted automatically. Indeed, encryption needs to be enabled on only one side of the connection. So if a remote Notes user happens to have disabled port encryption on his laptop when he dials into the Internet to replicate, the security of the transmission will not be compromised -- as long as one port on the server has been set to encrypt data.

Some administrators have been wary of using port encryption, perhaps because of rumors that it adds as much as 50 percent overhead to a server's activities. But these rumors are untrue. According to Lotus, port encryption increases processor overhead by no more than five to ten percent. If your Domino servers are running at 95 percent capacity without port encryption, it might make sense to use a VPN, rather than port encryption, to encrypt network traffic over the Internet. Then again, it would probably make more sense to upgrade your servers so that they aren't in danger of maxing out their processors.
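
As an added example (not from the original article or from Lotus), the following Python script reports which enabled ports in a notes.ini have network encryption turned on. It assumes each port line has the form `NAME=DRIVER, n, n, n,,flags,` with the sixth comma-separated field holding a flags value in which bit 0x20 marks encryption (12288 off, 12320 on); the sample file contents and function names are constructed for illustration.

```python
# Added example: audit Domino port encryption from notes.ini text.
# ASSUMPTION: the sixth field of a port line is a flags value and bit 0x20
# means "encrypt network data". Confirm this for your Domino release.
ENCRYPT_FLAG = 0x20

# Constructed sample, not taken from a real server.
SAMPLE_INI = """\
[Notes]
Ports=TCPIP,LAN0
DisabledPorts=COM1
TCPIP=TCP, 0, 15, 0,,12320,
LAN0=NETBIOS, 0, 15, 0,,12288,
COM1=XPC,1,15,0,,12288,
"""

def parse_ini(text):
    """Return notes.ini settings as a dict with lower-cased keys."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") or "=" not in line:
            continue  # skip section headers, blanks and malformed lines
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings

def port_flags(definition):
    """Return the flags field (sixth field) of a port line, or None."""
    fields = [f.strip() for f in definition.split(",")]
    if len(fields) > 5 and fields[5].isdigit():
        return int(fields[5])
    return None  # port line missing or in an unexpected layout

def audit_ports(text):
    """Map each enabled port to True/False (encrypted) or None (unknown)."""
    settings = parse_ini(text)
    result = {}
    for name in filter(None, (p.strip() for p in settings.get("ports", "").split(","))):
        flags = port_flags(settings.get(name.lower(), ""))
        result[name] = None if flags is None else bool(flags & ENCRYPT_FLAG)
    return result

if __name__ == "__main__":
    labels = {True: "encrypted", False: "NOT encrypted", None: "unknown"}
    for port, state in audit_ports(SAMPLE_INI).items():
        print(f"{port}: {labels[state]}")
```

Only ports listed on the `Ports=` line are checked, so a disabled port with encryption off does not raise a finding.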

You might argue that using a VPN in addition to native Domino encryption will double your security. In theory, that's true. But it will also degrade performance, not to mention adding another layer of authentication and administration -- more things that can go wrong. One layer of security should be enough.

Another point to keep in mind is that, by using a VPN, your Domino servers will no longer be connected directly to the Internet, which may seem like a security advantage. In reality, connecting your Domino server to the Internet to communicate with other Domino servers only requires exposing port 1352, which is used exclusively by the server, and so the security risk is minimal. Using the Internet tasks of the Domino server, such as HTTP and NNTP, requires exposing additional ports, but these ports accept only certain commands, which means that the danger of exposing them to the Internet is, in my opinion, somewhere between small and negligible.




Copyright © 1998-2008, ZATZ Publishing. All rights reserved worldwide.