VPNs: Carriers make the case for packetizing virtual private networks
Like many other innovations spawned by the Internet, IP-based virtual private networks still sit at some point on the trial curve. Whether you place them low or high depends on your viewpoint and your technological optimism. Some important structural problems have been solved to most industry watchers' satisfaction; others remain in limbo, with solutions still being tested, standards not quite formalized and architectures drawn up only in theory.
Meanwhile, life goes on at ground level. IP VPNs are being sold; they are attracting customers. One particularly impressive example, the Automotive Network Exchange, is out of pilot phase and in operation.
Perhaps most significant, IP-based VPNs are attracting the attention of some of the biggest players in telecom. A year ago, the regional Bell operating companies hardly figured in the IP VPN story, but today, through their existing or planned data subsidiaries, most have taken an aggressive stance on creating private networks over the Internet. Their interest comes in response to the energy behind newly packaged IP VPN efforts from carriers such as AT&T and GTE, as well as to the long-standing efforts of MCI WorldCom, Concentric Networks and others.
For some users, the economics of communicating securely over either the Internet or a private IP network are compelling enough to overcome the technical questions that remain. And the numbers of those users will grow explosively in the next few years. According to a study by Frost & Sullivan, total revenues for the VPN market in the United States - including circuit-switched, IP and satellite, as well as hardware and software - were about $3.5 billion in 1998 and will grow to almost $18.8 billion in 2004 (Table 1). In that time, IP-based VPNs will rocket from an estimated $220 million in 1998 to $1 billion this year and $13.59 billion - or 72.4% of total U.S. VPN revenue - in 2004, the Frost & Sullivan study says.
In contrast, U.S. revenues for public network-based VPNs were estimated to be about $3.1 billion last year. In 2004, the study says, they should reach almost $3.6 billion - a compound annual growth rate of 2.2%.
Lower costs, faster deployment
Most analysts agree that a boom in VPNs of all kinds is coming as corporations try to put the high costs of dedicated leased private lines behind them. Greg Howard, senior analyst at Infonetics Research, breaks down the three main types of VPN this way for 2001:
* Individual remote access users will grow to 62 million; 15.5 million will use VPNs.
* Organization sites worldwide will reach 6 million; almost 1.5 million will use VPNs.
* Extranet partners will grow to 1.4 million worldwide, and 91% of them - almost 1.3 million - will link up via some form of VPN.
Of these three lines of business, remote access will be most important this year because of a growing number of telecommuters and day-extenders, Howard says. "1999 is the year of the remote access VPN," he says.
The act of switching telecommuters to IP-based VPNs is viewed by many enterprises as a test case, a pilot for a larger migration of their intranets and extranets, says Susan Scheer, senior manager of marketing for Cisco Systems' service provider division. "There's a lot of demand for remote access among the very big players right now," she says. "They're reaching a needed comfort level by starting low down on the adoption curve. Nobody gets fired if someone can't log into the headquarters network from the road; they do get fired if they can't do their financial reporting."
Extranets are perhaps the most significant to service providers because they represent new traffic. Much of the growth in remote access and site-to-site VPNs will simply replace or add to existing connections, but the growth of e-commerce - especially business-to-business transactions - will feed into organizations' corresponding drive to connect cheaply but safely with suppliers, partners and customers.
According to a Frost & Sullivan study published last November, the factors driving expansion in the IP-based VPN market are also behind other new telecom uses for the Internet: its availability and its cost-effectiveness compared with switched networks.
"The big applications are to reduce the transport costs on an international or long-haul network and to get a manageable remote access solution to dial into your dedicated sites once you have them set up," says E.J. Dieckman, senior product marketing manager for AT&T CERFnet. "If you have roaming international users, [VPNs are] a very cost-effective way to call back to headquarters without paying those 1-800 charges." Figure 1 shows AT&T CERFnet's IP-based VPN solution.
GTE Internetworking has also found that IP-based VPNs are effective for some customers that think private networks are too costly and too inflexible, says Jeff Aliber, a senior product marketing manager for the company. "With frame relay, you're not in a position to do something like add another supplier to your network by tomorrow. An IP VPN can do that."
With those advantages, it makes sense that IP-based VPNs stand to garner the lion's share of the coming VPN explosion.
But is it safe?
IP-based VPNs face some undoubted obstacles en route to these golden opportunities. Chief among these are customer concerns about security and network performance over the Internet. Transmission security is an issue because IP protocols are stateless - that is, IP packets by themselves carry no link to a particular connection - and TCP connections can be easily duplicated.
The security standard attracting the most vendors and service providers in the IP VPN industry is IPSec, the almost-finalized standard issued by the Internet Engineering Task Force for securing business traffic over the Internet. IPSec provides authentication, 164-bit encryption and integrity for each data packet.
GTE's newly launched IP-based VPN Advantage product uses IPSec as the basis for its security protocol for tunneling, authentication and encryption. It then goes a step further by employing digital certificates, unique identifiers based on public keys and issued by certificate authorities (Figure 2). GTE will issue digital certificates through its CyberTrust affiliate.
One problem: Digital certificates from different issuing authorities are not interoperable. VPN Advantage will ease that difficulty by offering certificates from market leader Entrust, Aliber says. This dual approach will be followed throughout VPN Advantage to avoid the problem common in an emerging technology: making equipment decisions that lock the carrier into a particular architecture. "As a general approach in bringing this service to market, we've decided that we always want to support the market leader, and we will also support what we think is the best implementation," Aliber says.
AT&T CERFnet is also using IPSec - thanks to the endorsement of the Automotive Industry Action Group's ANX network. "We have a lot of customers like Ford and Chrysler that are involved in the ANX project, so it's important for any of our VPN solutions to be compatible and ANX-certified," says Dieckman. Again, to avoid technology freeze-up and to give varied customers a menu of security choices, AT&T is also looking at another lower-layer tunneling protocol called L2TP.
After security, performance is the biggest worry among information technology managers thinking about switching to an IP VPN. AT&T CERFnet's service level agreements (SLAs) are still in flux, but the company says it will offer both SLAs and quality of service (QOS) guarantees, including latency, with proactive credits.
GTE Internetworking offers a fairly specific SLA package: 99.9% availability and round-trip latency of 125 msec. or less for site-to-site VPNs; for remote access, 97% busy-free dial-up and 99% initial modem connect speed of 27.4 kb/s or higher. "We decided it was time for someone to plant a stick in the sand, especially on the remote side, where people have been reluctant to pony up numbers," says Aliber.
Bill Jefferis, director of access services for the network integration arm of Bell Atlantic's Data Solutions Group, says his company will launch its IP-based VPN effort in the first quarter with strong SLAs - "port availability, network availability and latency guarantees from the end user all the way around through our [point of presence]." Bell Atlantic's consortium and peering arrangements with 1000 global POPs outside its own footprint have been in place long enough for complete interoperability testing, he says, so the company can extend its SLAs to cover those networks, too.
But how sturdy can SLAs be when data travels over several networks? GTE's Aliber agrees that interconnections are a problem at present. The company will monitor the network of a VPN business partner through another service provider and offer to call the other Internet service provider if trouble arises, but it will not extend its SLA to the other network's environment.
The ISPs take control
Despite continuing difficulties with quality and interoperability, most service providers say one thing about the VPN environment has changed for the better: Fewer customers want to do IP VPNs all by themselves (Figure 3). Managed services are quickly becoming a standard offering for ISPs seeking customers of all sizes.
The appeal of outsourcing depends on the size of the VPN client. A high percentage of very large corporations are still "running their own railroad" - deploying and supporting their own VPNs. But some very large enterprises are going with a fully outsourced approach. For example, NTT and Concentric hand over some management functions such as network security, network audit, security design, local replacement and on-site maintenance to VPNet Technologies.
Setting up and running a VPN is so much more complex than Internet connectivity that smaller companies know they lack the resources to do it, says Rick Kagan, vice president of marketing at VPNet. "The problem before in connecting an IP was to have a service provider drop a channel service unit/data service unit and a router on your premises, verify that you've got the right IP addresses and you're off to the races," he says. Now managing a VPN entails dealing with security policy and parameters, making sure applications function within latency needs and are compatible with IPSec. "All of a sudden, you're a lot deeper into your network than you first imagined," he says. "We got into this managed services business in order to help our provider customers start offering IP VPNs."
Cisco's Scheer agrees that setting up an IP-based VPN requires a holistic approach. "I hear the phrase 'VPN box' a lot, but that's a marketing term," she says. "VPN is an architecture - it's a series of products and software functions tied together and calibrated." Cisco works with service providers to design not only a VPN architecture but also a marketing plan for the service, then provides operational pieces for provisioning, managing and billing the service over that network.
Many service providers offering IP-based VPNs are seeing clients that bring with them legacy equipment and tales of low returns on investment. "Some have tried to build their own internal VPN with a firewall solution, a software solution or a router with VPN capabilities," says Jefferis. "They've determined the obvious thing - that the problem isn't so much the cost of implementing these solutions as it is the cost of managing and supporting them, as well as the cost of supplying transport."
Still, managed VPN service providers know customers want to retain control over certain functions - most notably, the access lists that determine who is added or dropped from a VPN. "We know customers want some control over their operation," says AT&T CERFnet's Dieckman. "They don't want to have to fax in an order to take out employees they've terminated; they want the administrator to be able to do that. We want that, too, because we don't want the overhead and the headache of managing every individual user."
GTE requires vendors to open an interface with their hardware so the company can capture more information than with an off-the-shelf solution. Customers then get this information under the rubric "shared control" by logging in through an authenticating Web server to get real-time and historical network reports, access lists and trouble tickets. This wider view makes the Internet less of a black-box mystery, says Aliber, and lets customers feel better about entrusting it with their critical traffic.
VPNet Technologies' new line of VPN products includes monitoring functions, but as important to service providers is its ability to customize billing (Figure 4). "Being able to account for each and every packet, knowing how long a remote user was connected, how much information they sent, and which sites are talking over what periods of time - that gives service providers the flexibility they need to do usage-based, metered or other types of custom billing programs," Kagan says.
Looking further out, Cisco's Scheer predicts that IP-based VPNs will eventually become a commodity like transport, at which point service providers will try to differentiate themselves just as they have done in the public network - with value-added services. She foresees applications hosting and IP telephony as two value adds for IP-based VPNs.
Tomorrow the world
Logic dictates that if extranets are the growth market of the long-term future for VPNs, then the first provider that can offer a reach as wide as the span of global business will tap into a huge and very lucrative market of multinational traffic.
"International connectivity is going to be the magic bullet," says AT&T CERFnet's Dieckman. Margins for data transport over IP VPN are narrow enough to make some enterprises reluctant to switch off a frame network. "But over in China, you don't have that luxury - you can only get yourself as much bandwidth as you can find and try to choke your traffic over the Internet."
That kind of global connectivity takes the same old problems - performance and security - to a whole new level. Dieckman thinks the first will be solved by informal consortia of carriers agreeing to interoperate transparently, as certain overseas airlines now do. However they can, providers will have to find partners to offer global service.
"There's no one big enough today to be truly global all on their own," says VPNet's Kagan. "Relationships will be the key to worldwide coverage. We work with NTT, one of the largest single carriers left standing in the world today, and they are not big enough to do a global VPN service without outside help."
As for security, impending new encryption laws probably won't do anything to lessen the legal burden involved in exporting data with high code levels. GTE's Aliber says his company will support site-to-site VPNs for U.S.-based companies with international offices and in fact already operates one to a site in Australia. But depending on where the overseas sites are, getting export permission here in the U.S. may be no less tricky than getting import permission in the foreign country. Remote access is even tougher to work out. "In theory, if you've got the encrypter on your notebook, you can take it wherever you go," Aliber says.
Still, while domestic networks will make up the majority of GTE's VPN business for the next few quarters, the company plans to go after international clients aggressively. "The companies that have the most locations and the largest extranets have lots of international sites as well," Aliber says. "We want to be able to support them."
© 2010 Penton Media Inc.



