VPNs unlock access mysteries
For years, leased lines were the only option for carriers' business customers that needed to exchange large amounts of data between remote offices. Although the solution provided security, it came at a price, literally. The economics of secure leased lines kept many smaller potential customers from embracing the idea. And the providers of these lines, the phone companies, weren't particularly worried about lowering prices because competition wasn't yet a viable factor in the marketplace.
Then along came the Internet and the concept of virtual private networks (VPNs). Combined with a dramatic shift in the regulatory environment, VPNs have helped relegate the concept of leased lines as the only option to the dustbin.
Although most business customers still use leased lines, the acceptance of VPNs is gaining speed thanks to the economic model they present, the up-and-coming on-line players that are marketing them and the services they can deliver that leased lines can't.
"Only now are people beginning to appreciate what VPNs can do," says Ed Birss, vice president of the Defender business unit of Axent Software. "The telecommunication carriers aren't seeing a lot of slack in leased lines, but for many companies, the economics are too compelling to ignore."
These economics also are too compelling for service providers to ignore. Two distinct types of service providers are emerging: large carriers that have created Internet divisions and can cannibalize an existing base of leased-line customers; and newer, Internet-focused companies that are positioning their VPN offerings to take advantage of the technology's versatility.
"How these two groups will proceed is being evolved on an individual basis," says Amy Snyder, a partner in the Braxton Associates division of market researchers Deloitte and Touche. "Ultimately, though, the adoption of VPNs on a broad scale is going to mean the disappearance of a special market for Internet access and the shift to [Internet protocol] for the public network."
The concept of VPNs is based on the idea of efficiently and securely "tunneling" data from one point to another. In tunneling, a remote access server converts data into IP packets, which are routed through the provider's network (or across multiple networks in the case of the Internet) to the tunnel endpoint. There, the tunneled packet is unwrapped and forwarded in its original form. Tunneling uses point-to-point session protocols to replace switched connections, linking data addresses over a routed network to replace the linkage of telephone numbers over a switched network.
An IP tunnel can accommodate nearly any type of payload. A user with a desktop or portable computer can dial into a VPN to access a corporate network transparently, regardless of whether it's an IP, Internet packet exchange or AppleTalk network. Tunnels can accommodate many users and different kinds of payload by using encapsulation types such as generic routing encapsulation.
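The encapsulation described above, as an added example that is not part of the original article: a Python model that wraps a payload in a generic routing encapsulation header (RFC 2784 layout, no optional fields) and an outer IPv4 header, then unwraps it at the tunnel endpoint. The addresses and the sample payload are constructed for illustration; the payload stays readable inside the tunneled packet because the encapsulation by itself does not encrypt.

```python
import socket
import struct

GRE_PROTO = 47  # IP protocol number assigned to GRE
# EtherType values carried in the GRE Protocol Type field
ETHERTYPES = {"ipv4": 0x0800, "ipx": 0x8137, "appletalk": 0x809B}
NAMES = {v: k for k, v in ETHERTYPES.items()}

def ip_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; 0 when run over a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encapsulate(payload: bytes, kind: str, src: str, dst: str) -> bytes:
    """Remote access server side: prepend GRE and outer IPv4 headers."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPES[kind])  # flags/version all zero
    total_len = 20 + len(gre) + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                      GRE_PROTO, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + gre + payload

def decapsulate(packet: bytes):
    """Tunnel endpoint: validate the outer header, strip it, return (kind, payload)."""
    if len(packet) < 24:
        raise ValueError("truncated packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl + 4:
        raise ValueError("bad outer IPv4 header")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("outer header checksum mismatch")
    if packet[9] != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags != 0:
        raise ValueError("GRE options/version not supported here")
    if proto not in NAMES:
        raise ValueError("unexpected payload type 0x%04x" % proto)
    return NAMES[proto], packet[ihl + 4:]

# Constructed sample payload standing in for a non-IP frame from a dial-in user.
SAMPLE = b"IPX-frame: login=alice"
TUNNELED = encapsulate(SAMPLE, "ipx", "192.0.2.10", "198.51.100.20")
```
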
Because VPNs carry private data over a public network, security is a key issue. For most VPN services implemented with Layer 2 tunneling, the tunnel is terminated at the customer premises. This presents potential security issues for customers because the customer's network is susceptible to both unauthorized users and viruses through the Internet connection. In some network designs, tunnels are terminated behind firewalls at the customer premises behind the Internet routers. This restricts Internet access to corporate resources.
Layer 3 tunneling gives the service provider an opportunity for extra revenue because the tunnel may be terminated at the service provider's gateway. In this case, the Internet connection is then made only to a frame relay device.
Administering a VPN requires service providers to offer both network layer address management (NLAM) and tunnel management. Tunnel management applications are used to set up tunnels to maintain subscriber information and perform subscriber-level billing and accounting. NLAM refers to the capabilities found within the architecture of a VPN that handle tasks such as network layer address assignment for remote nodes, other network layer protocol-related configuration and domain registration.
In many ways (the need for management, the provisioning of circuits and the establishment of direct connections), VPNs parallel the traditional switched world. For business users, however, the versatility of VPNs and their ability to handle diverse types of traffic promises the technology will provide an economical method of moving data from place to place in ways that would have been prohibitively expensive over leased lines.
Today, though, VPNs are being used in one of three ways. The most traditional manner is a LAN-to-LAN approach, used to tie remote offices together. A newer approach is the use of VPNs for personal remote access to allow business travelers or telecommuters to dial in from any location and then tunnel in to corporate resources. The third technique connects suppliers and customers through an extranet (Figure 1). Internet service providers also employ VPNs to outsource their remote access services.
Leased lines can provide some of this functionality. However, for up-and-coming VPN providers, "the sweet spot is outsourcing and delivering value-added services to the customer," says Nick Magliato, vice president and general manager of the network solution group at Digex, a Beltsville, Md. service provider that focuses on VPNs.
"Customers are looking for solutions much more than they're looking for pure bandwidth."
These solutions allow companies focused on the VPN environment, such as Digex, Concentric Networks and VPNet, to differentiate themselves through mixes of service designed to meet individual customer needs. For example, Digex offers a Web site management service for businesses' Internet sites and intranets, and other companies provide sophisticated security services, faxing and other applications.
One of Digex's services is the distribution of new applications that the provider can deliver instantly to every site on a VPN. "Because we focus on the applications, this was a need that became clear to us right away," says Magliato. "The life cycle for software has accelerated to the point that new software can be developed four times faster than it can be deployed." But by distributing these applications from a central location in a controlled manner, a service provider can update a customer's systems painlessly and quickly.
"The goal is to stretch what the traditional IP backbone can do," says Magliato. "A lot of our customers become frustrated by where IP technology stands, and they need help supporting these solutions from an [information technology] standpoint. We can help with that and work with the customer to spot problems and perform triage on applications to make sure that they're working efficiently over the network. So we aren't just a backbone provider; we try to work as a partner in many cases."
This model is expensive in terms of the manpower and expertise the service provider needs to keep on hand, but it's easier for a smaller, focused player to do than for a large Bell company, Deloitte and Touche's Snyder says. "Companies like Digex have it easy," she says. "They don't have to support 15,000 VPN users like Sprint or other large providers do and can focus their efforts on the key customers."
Where the large carriers have an advantage is in their ability to manage the backbone, and as a result, they can have greater control over quality of service. "Sprint recently decided to channel almost all its traffic over its own private backbone," says Snyder. "When the traffic is in-house, it's much easier to manage quality of service."
Sprint is building a parallel backbone (a private Internet, so to speak) for this very reason. Many large customers are reluctant to adopt VPNs without quality of service assurances, and the use of the Internet, with its multiple handoffs and uncertain routing, makes it more difficult to guarantee service levels.
The big carriers also have a marketing edge over the smaller, leaner competitors. Many of these customers are used to dealing with their phone companies for leased lines, value-added networks and frame relay resources, so adding VPNs to their suites of services does not require much adjustment.
"For these customers, VPNs aren't so much a way of opening up the business as they are of augmenting existing services," says Jonathan Zarkower, senior product manager for the Internet business group at Bay Networks. "Any adjustment is just a matter of sending the right traffic over the right network."
This puts large carriers in the unpleasant position of being forced to cannibalize existing revenues as customers reshuffle their network traffic between VPNs and the services they already have.
"It's sort of like the voice-over-the-Internet analogy," Snyder says. "VPNs may result in lower billings for the large companies, but if they also result in large customers staying with their carriers and being happier about the quality and nature of their service, then the larger carriers still win, ultimately."
This mix of services is likely to keep very large corporate customers with large carriers, Snyder says. "Large corporations will be apprehensive about the transition from the X.25 WAN world to the new world," she says. "As long as [interexchange carriers] are willing to not fight this change but to let it happen under its own power, they can put themselves in the role of shepherding their large clients into the packet-switched world. But if they get greedy and go for the short-term revenue by trying to maintain the status quo, the upstarts out there that are maniacally focused on packet-switched technologies are going to eat them alive."
Telcos also can off-load voice traffic from the voice networks to VPNs, giving their networks the ability to complement each other and further bolster the overall quality of their services.
While start-ups cannot rapidly build out their own networks, established service providers have the ability to add value-added services and the staff needed to run them.
"It's not impossible for people like AT&T and MCI and Sprint to compete for business with the smaller players," Snyder says.
"But MCI is still evolving its position while emphasizing it has the fattest pipes anywhere, and AT&T's strategy is still evolving, too. Meanwhile, [companies] like UUNet/WorldCom are sort of between these two camps. They have a big backbone, a great growth rate and they don't have the embedded base problem of trying to help X.25 corporate customers into the new world," she says.
This dramatically segmented market means that VPN providers must understand their customers, and their own businesses, if they hope to make a go of it. "The telcos have big data centers and the capital to deploy resources almost at will," says Digex's Magliato. "Companies like ours have to recognize that and not try to compete on a commodity bandwidth basis. We need to focus on the unique ways we can appeal to specific customers."
"These different solutions are built around one thing: remote access," says Zarkower. "After that, forget it. Each provider has a different philosophy, a different solution and a different target audience. Some customers want to roll their own services, others want to have solutions provided for them. They're going to select a service provider with the skills, size and track record that suits their needs."
"Just now are people beginning to understand what VPNs can do," says Axent's Birss. "This may not be the year that they really explode, but that year is coming. When customers finally seize on the economic power of VPNs and then realize the wealth of options at their disposal, you are going to see a transformation in the way these businesses communicate."
© 2010 Penton Media Inc.






