Market research firms and vendors are predicting that the worldwide market for VPNs will reach, if not exceed, $10 billion by 2003. Conservative estimates put the growth rate at 300%, while others predict a growth rate of up to 1000%.
To gain a historical perspective, one might consider X.25 to be the forerunner of VPNs. X.25, an early internet packet switching protocol, and once the cornerstone of Internet WAN links, used virtual private circuits on public networks similar to how VPNs are being implemented today. However, in recent years, X.25 has seen little use in the U.S., primarily due to faster technologies such as Frame-Relay, opening the door for VPN opportunities.
Unquestionably, VPNs are hot. But what are they? Most experts will agree that the acronym stands for Virtual Private Network; however, what a VPN is depends on whom you ask. According to Eric Wolford, Director of IP marketing for AT&T Internet services, "VPNs tend to now be what the market says they are." The best way to find out what a provider means when it talks about VPNs is to review its VPN Service Level Description. If a VPN provider does not have a Service Level Description, you can be sure that it is not clear on what a VPN service is supposed to offer.
So is a VPN a product or a service? The answer is both. A VPN product is a product used to facilitate a VPN service. Different vendors will give you different VPN definitions, depending on what kind of product they are trying to sell, and clearly there are multiple types of VPNs. In trying to pin down what a VPN is, you need not chase your tail further. Defined simply, a VPN is a private encapsulated network service that runs over a public network. VPNs evolved as a response to the high cost of private leased lines and frame-relay, and using VPNs is a way of creating secure network services without having to rely on third-party providers who charge monthly usage or bandwidth fees. With VPNs, there is an initial setup and implementation cost, but unlike leased lines and frame-relay, there are no monthly service provider charges.
VPN implementations typically fall into three categories: intranet, extranet, and secure remote access. Within each of these three categories there should exist some element of Access Control, Authentication, and Encryption. VPNs can also be static or dynamic. Static VPNs are up full time. Dynamic VPNs operate on demand and are more commonly used for mobile workers and telecommuters.
Intranet VPNs connect multiple sites within an enterprise, and are important for safeguarding interoffice communications, for example connecting an East Coast office with a West Coast office over publicly available Internet POPs. The second VPN category is secure remote access VPNs, which we believe will grow as the need to connect mobile workers increases. We believe secure remote access VPNs will slowly start to replace modem banks and RAS servers as companies phase out traditional data communications for less expensive, more secure, and more flexible VPN solutions. As Global Electronic Villages emerge, extranet VPNs will also become a significant growth market. Extranet VPNs connect one enterprise to multiple enterprises. Suppliers want to be connected to their inventory markets. Hospitals want to be connected to primary care providers. Companies want to be connected through their ISP or ASP to their website. Financial institutions need to secure monetary transactions. Business partners need to share pieces of their networks with other partners.
Unfortunately, as any seasoned network administrator who has implemented VPNs can tell you, installing and configuring VPNs is not easy. In fact, the complexity of the installation and ongoing management has created an entirely new service market. Due to popular customer demand, many ISPs, ASPs, and web hosting companies are now offering Managed VPN Services to resolve the complexity problem.
Since VPN technology includes both a network and a security component, it is not surprising that current VPN market leaders are the networking and firewall companies such as Nortel, Cisco, Lucent, Checkpoint, and Axent. Many smaller vendors are also starting to get into the market. The challenge will be to deliver a VPN product that not only runs on all the major platforms, but is also easy to install, configure, and provision. The encryption algorithms used in today's VPNs are fairly standard and will not likely be a determining factor for users, but integration and interoperability with cousin technologies like switches, firewalls, and routers, as well as Network Monitoring Systems, will be key in determining which vendors assume a leadership position. Both Checkpoint and Nortel have done an excellent job of partnering with appropriate vendors, and we expect them to be market leaders in the long-term VPN market.
VPNs will dig into the leased line market, but those providers that play their cards right will offset this by offering managed VPN services. The challenge will be provisioning VPNs in a timely manner. Service providers typically take six weeks to deploy new service lines, and with a dearth of VPN-savvy provisioning engineers, this slow deployment time will not improve over the next 12 months. A dark horse is San Jose-based VPnet, a newcomer in the VPN provider market, which is well positioned to take on the bigger networking giants due to its highly functional solution. Nokia's new, highly available, Checkpoint-based VPN is another example of a solution that achieves redundancy without having to build two boxes.
Providers who offer VPN services before their Service Level Description is written will lose customer credibility in the long run as customer expectations for uptime and support grow. Vendors who fail to partner with appropriate vendors of cousin technologies such as switches, routers, and firewalls will not last as technologies merge and businesses start expecting one technology component to integrate with another. Organizations that purchase a VPN solution from a provider who does not yet have a VPN Service Level Description written are taking an unnecessary risk.
The VPN market is expanding at a rapid rate. As it matures, expect to see less frame-relay outsourcing, and more similarity of product offerings as vendors begin to better understand business requirements for managed VPNs. VPNs that can be provisioned quickly and integrate seamlessly with Network Monitoring Systems will emerge as the winners.
Many people consider Microsoft's PPTP to be the first VPN tunneling standard out of the gate. For better or worse, it has suffered an untimely death due to the ubiquitous security vulnerabilities in Microsoft's implementation. Since then, IPSec, an IETF standard, has emerged as the leading VPN tunneling protocol. Typically, VPNs are sold as a feature of a larger security or network picture, commonly embedded in firewalls, routers, switches, and other remote access devices. Microsoft will be bundling IPSec in Windows 2000, and the implementation will be interoperable with many leading network house VPN solutions. Early reports indicate that Microsoft has botched its IPSec implementation as badly as it botched its PPTP implementation. Nonetheless, it goes without saying that any VPN product that cannot talk IPSec is likely to become an antiquity in the near future. Likewise, if a VPN product does not support protocol encapsulation so that IPX and AppleTalk can cross IP networks, it will not likely gain much yardage on the VPN playing field.
Vendors that are trying to offer Managed VPN Services need to also understand their customers' requirements before making product and implementation recommendations. Does the customer need to implement an intranet, extranet, or secure remote access VPN?
Businesses should exercise due diligence in purchasing managed VPN services. If the purchased VPN service costs more than a monthly leased line, the gains of using a VPN are debatable, especially if the encryption algorithm employed causes a performance bottleneck. Ensure that a potential vendor or service provider understands your specific requirements for a VPN product and/or service. VPN service providers should have a detailed Service Level Description, which describes what the client will receive from its managed VPN service. The Service Level Description should include things like the Event Management Escalation Process, support processes and timeframes, backup schedule for VPN endpoints, network monitoring, change management, and performance reporting statistics.
About the Author
Laura Taylor, former Director of Research for Security at TEC, is now the Chief Technology Officer at Relevant Technologies, Inc.
For more information go to http://www.relevanttechnologies.com/.