US Customs becomes latest security issue

09.01.2006
One of my duties as the information security manager is to approve firewall change requests. With 17 firewalls throughout the world, reviewing such requests can take a lot of my time. I don't mind that, though, since that process makes me aware of some of the business functions within the company. For example, it was through the change-request process that I was made aware that we are required to report to the U.S. Customs Service information about the shipment of goods.

As I've mentioned, we manufacture hardware used in the manufacturing of semiconductors. We're required to notify the government just about every time we ship equipment to a foreign country.

We use SAP software to process our sales orders. It includes a U.S. Customs Management module to facilitate the printing of the required documents, and a more automated procedure, the Automated Export System (AES), for sending transit declarations electronically. We use AES, and that's the reason for this most recent change request.

Currently, we are using a dial-up connection to a U.S. Customs server hosted by a third party, since the Customs Service doesn't have the resources to host this reporting infrastructure. I learned about all of this when one day I reviewed a change request to open up our firewall to allow one of our SAP servers to establish a virtual private network (VPN) connection to an external server; the SAP server is located on our internal, protected network. I asked why one of our critical servers needed to make an outbound connection, and the engineer making the request explained that the Customs Service is discontinuing support of the dial-up method for transferring shipping information. Instead, we will need to use a VPN tunnel to transfer the required information.

After several rounds of e-mail messages with the engineer, I called a short meeting so that I could fully understand the requirement. (I do this often, whenever the e-mail thread for a particular topic amounts to a small novel.) I was thinking that if the only purpose of the VPN is to transfer information regarding shipments, then why couldn't we make a connection just once per day? I also wanted to know a little more about this VPN client.

I got my answers, and they made me uncomfortable. As it turns out, we will need to make a connection every half hour for 15 minutes. In addition, there is return traffic from the U.S. Customs server, which transmits acknowledgment reports back to us.