Assessing the IP-VPN Market

Internet protocol-based virtual private networks (IP-VPNs) consist of a set of protocols that, when laid on top of a conventional IP network, provide businesses with secure connections between locations, whether over the public Internet or private IP networks. The technology has two core components: IP tunneling (a.k.a. encapsulation), which lets devices on an IP-VPN appear directly connected to each other on the same corporate network, rendering the underlying IP network invisible; and IP encryption, which protects information from being read en route. The two are distinct: tunneling alone hides nothing from whoever carries the packets, since the inner packet is readable at every hop, so a tunnel without encryption provides connectivity, not confidentiality. There are also two ancillary components common to IP-VPNs. First, some carriers use gear that can reserve bandwidth for individual IP-VPN connections; the best-known technology using this technique is multiprotocol label switching (MPLS) with its traffic-engineering extensions. The second component is IP security services, such as managed firewall services, which are used to keep the individual end-points that employ IP-VPNs secure.

Because IP-VPNs are built on top of IP, they're as versatile as the Internet protocol itself. A carrier with the right equipment can set up and run IP-VPNs from inside its IP network and/or Internet backbone. It's also possible to use customer premises equipment (CPE), managed by the carrier or by the enterprise customer, to establish IP-VPN links connecting locations from an IP network's end-points. Yet another common option is software-based VPNs that run directly on individual computers, commonly used to provide remote access inexpensively to roaming employees. Different types of IP-VPN services have met with varying levels of success because carriers not only compete with each other but also need to convince customers that outsourcing their IP-VPNs is a better option than a do-it-yourself in-house solution.

As a market, IP-VPNs are poised to take over where frame relay and ATM networks leave off. So far it is a stop-and-go process, because most customers that already have a frame relay or ATM business network in place are slow to make changes. Nevertheless, IP-VPNs are steadily taking over new enterprise locations, especially where enterprises are experimenting with using a single IP connection to mix both Internet and business data applications.

Market Review:

  • Many Options: IP-VPNs are as versatile as the networks they ride on. They can be set up through CPE managed remotely by the carrier, or set up with appropriate gear inside the network. In CPE, IP-VPN features can be incorporated in an existing router, consist of a standalone box, or just be a software-based VPN running on a desktop or mobile computer. Carriers also have VPNs that are for internal use only, which they use to manage their IP/Internet backbones by splitting them up into virtual networks.
  • Protocol Soup: For those who like to keep their options open, the two core components of IP-VPNs, tunneling (a.k.a. encapsulation) and encryption, offer plenty of alternatives depending on which gear they choose. IPsec tunneling with Triple DES (3DES) encryption is the most common IP-VPN combination. Other tunneling options include PPTP and L2TP, while other ciphers in use include single DES, AES, and RC4. The tunneling protocols and the ciphers are not interchangeable at will: L2TP carries no encryption of its own and is normally paired with IPsec (L2TP/IPsec), while PPTP relies on MPPE, whose RC4 keys are derived from the user's password. Single DES, with its 56-bit key, and password-keyed PPTP are the weak end of this menu; AES, or 3DES where AES is not yet available, is the safe choice.
  • Key Link to Convergence: Just as many carriers moved their frame relay backbones onto ATM a few years ago, ATM and frame relay backbones are now being ported onto IP networks, supported by internal IP-VPNs. This convergence allows customers to mix and match ATM, frame relay, and IP-VPN services, and pass their business traffic between each of these networks. It also lets carriers manage just one backbone (IP), while still selling their whole portfolio of business network services.
  • The MPLS Juggernaut: Multiprotocol label switching (MPLS), a protocol used by some IP networks to reserve VPN bandwidth, has become the perceived de facto standard for next-generation IP-VPNs. The technology provides traffic separation and dedicated bandwidth features that rival those of frame relay and ATM, while taking network speeds to whole new levels. One caveat is worth stating plainly: an MPLS VPN keeps customers apart with per-customer forwarding tables and labels, much as frame relay and ATM keep them apart with virtual circuits, but it does not encrypt anything. Confidentiality against the carrier's own staff, or against anyone who can tap the backbone, still requires IPsec run across the MPLS service. Thanks to market misperceptions that crown MPLS as the future, even carriers with no real need for the technology are being pressured to show off an MPLS strategy.
  • IP Service Switch Pariah: As MPLS has gained prominence as the de facto next-generation IP-VPN protocol, the perception toward lower-speed in-network IP-VPN gear has suffered. These "IP service switches," like Nortel Networks's Shasta gear, provide an array of useful IP-based services that customers want and will pay for, including network-based IP-VPNs. But amazingly, carriers are reluctant to talk about these capabilities. Blame MPLS, which caused some observers to call IP service switches a strategic misstep.
  • Frame Relay Co-opetition: Frame relay services and IP-VPNs have a complex relationship: the two compete with each other, but they are also complementary. Unlike most business-class IP-VPNs, frame relay has built-in quality-of-service support, and IP (and Internet access) over frame relay is increasingly available. Many carriers have gateways connecting the two types of services, and some go so far as to map frame relay's quality-of-service information, such as the committed information rate and the discard-eligible bit, roughly onto IP's DiffServ code points.
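To make the difference between the two core components (tunneling versus encryption) and the MPLS caveat above concrete, here is an added example; it is not code from the original article or from any carrier or vendor named in it. It builds a small inner IPv4 packet, wraps it first in an MPLS label entry and then in an IPsec-style ESP tunnel, and shows that the labelled packet still exposes the customer's addresses and payload to anyone on the path, while the ESP packet exposes only the two gateways' addresses and rejects a packet modified in transit. The addresses, SPI and key are constructed for the example, and the cipher is an HMAC-SHA256 keystream in counter mode, chosen only so the block runs with the Python standard library; real ESP uses AES (or 3DES, as above) with a separate integrity transform.

```python
"""Added illustration: MPLS labels separate traffic, IPsec-style tunnels hide it.
Standard library only; addresses, SPI and key below are made up for the demo."""
import hashlib
import hmac
import socket
import struct

PROTO_TCP = 6
PROTO_ESP = 50
ICV_LEN = 16  # truncated HMAC, as with HMAC-SHA-256-128 in real ESP


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Return the fields a router (or an eavesdropper) sees in the outermost header."""
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": pkt[20:total_len]}


# --- MPLS: a 4-byte label entry (label, EXP, S, TTL) in front of the unchanged packet ---
def mpls_encapsulate(label: int, pkt: bytes) -> bytes:
    entry = (label << 12) | (1 << 8) | 64      # EXP=0, bottom-of-stack=1, TTL=64
    return struct.pack("!I", entry) + pkt


def mpls_decapsulate(frame: bytes) -> tuple:
    """Anyone on the path can pop the label; the inner packet is in the clear."""
    entry, = struct.unpack("!I", frame[:4])
    return entry >> 12, frame[4:]


# --- IPsec-style tunnel: outer IP header | SPI | seq | encrypted inner packet | ICV ---
def _subkeys(key: bytes) -> tuple:
    # Real IPsec derives separate encryption and integrity keys via IKE; mimic that split.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"auth", hashlib.sha256).digest())


def _keystream(enc_key: bytes, spi: int, seq: int, n: int) -> bytes:
    # Toy stream cipher for the demo: HMAC-SHA256 in counter mode over (SPI, seq, block).
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, struct.pack("!IIQ", spi, seq, block), hashlib.sha256).digest()
        block += 1
    return out[:n]


def esp_tunnel_encapsulate(key, spi, seq, outer_src, outer_dst, inner_pkt):
    """Encrypt the whole inner packet and wrap it in a new header between the gateways."""
    enc_key, auth_key = _subkeys(key)
    ct = bytes(a ^ b for a, b in zip(inner_pkt, _keystream(enc_key, spi, seq, len(inner_pkt))))
    body = struct.pack("!II", spi, seq) + ct
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return build_ipv4(outer_src, outer_dst, PROTO_ESP, body + icv)


def esp_tunnel_decapsulate(key, pkt):
    """Verify the ICV before decrypting; a modified packet is dropped, not decrypted."""
    enc_key, auth_key = _subkeys(key)
    outer = parse_ipv4(pkt)
    if outer["proto"] != PROTO_ESP:
        raise ValueError("not an ESP packet")
    body, icv = outer["payload"][:-ICV_LEN], outer["payload"][-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ICV check failed: packet modified in transit or wrong key")
    spi, seq = struct.unpack("!II", body[:8])
    ct = body[8:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, spi, seq, len(ct))))


def demo() -> dict:
    """Constructed input: a branch host talking to headquarters across a carrier."""
    inner = build_ipv4("10.1.1.5", "10.2.2.9", PROTO_TCP, b"payroll data")
    key = b"constructed demo key, not a real one"
    labelled = mpls_encapsulate(1001, inner)
    esp = esp_tunnel_encapsulate(key, 0x1000, 1, "203.0.113.10", "198.51.100.20", inner)
    return {
        "mpls_visible_src": parse_ipv4(mpls_decapsulate(labelled)[1])["src"],  # '10.1.1.5'
        "mpls_payload_in_clear": b"payroll data" in labelled,                    # True
        "esp_visible_src": parse_ipv4(esp)["src"],                              # '203.0.113.10'
        "esp_payload_in_clear": b"payroll data" in esp,                          # False
        "esp_roundtrip_ok": esp_tunnel_decapsulate(key, esp) == inner,           # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the two encapsulations side by side is the one the bullet above makes: a label-switched backbone only needs to read the 4-byte shim, and so does anyone tapping it, whereas the ESP packet gives an observer nothing but the gateway addresses, the SPI and the sequence number, and any bit flipped in transit fails the ICV check before decryption is attempted.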

Near-Term Market Drivers:

  • Web-ification of IP-VPNs: The most recent addition to the IP-VPN protocol soup is secure sockets layer (SSL) support. SSL was developed by the Web browser vendors to secure transactions between browser and server, and it is now being pressed into service as a VPN transport. SSL-based IP-VPNs free remote access from requiring special client software: with SSL support, any modern Web browser can handle an IP-VPN session, though a browser-only session is limited to the Web applications the gateway can proxy, and reaching arbitrary corporate hosts still means loading a client component.
  • Many More Launches: More carriers will make the leap into CPE-based IP-VPN services because it is a cheap way for carriers to launch a new service, requiring no major new construction or infrastructure investment. Some carriers group these IP-VPNs under the banner of security services, or with their managed services. If the service provider already sells IP services, adding IP-VPNs just entails hiring talent that can remotely manage the CPE. A small service provider on a shoestring budget could launch IP-VPN support with just a couple of engineers.
  • Touch Every Service: IP-VPNs are often interconnected to existing carrier ATM and frame relay networks on the business services front, and with their DSL, ISDN, and dial-up networks on the remote access front. IP-VPNs can also share the access link with dedicated Internet access, and can be extended across Internet links supplied by third-party ISPs. Some carriers have extended direct IP-VPN support to cellular and Wi-Fi networks. It's becoming increasingly difficult to find services with neither direct IP-VPN support nor connecting gateways.
  • Competitive In-Sourcing: Since CPE-based IP-VPNs can simply be layered on top of any IP network, many potential corporate customers will have internal IT departments questioning the merit of outsourcing IP-VPNs, arguing that the service could be designed and built in-house. As enterprise IP-VPN needs grow more complex, internal IT will probably become more amenable to handing off the business to a carrier. Either way, the most common IP-VPN competitors to carriers' services are customers exploring do-it-yourself, in-house IP-VPNs.

Long-Term Market Drivers:

  • End-to-end SLAs: While CPE-based IP-VPNs are easy for carriers to jump into, the underlying IP network doesn't actively police quality of service. Rather than trying to retrofit quality of service onto IP, the common solution in this case is to overbuild networks dramatically - since IP equipment delivers great bang for the buck - and rely on lightly loaded networks to perform within the range of SLA guarantees. Network-based IP-VPNs do offer ways to reserve bandwidth, but are less common. Lower-speed IP service switches aren't getting as much attention anymore, while MPLS is geared for industrial use inside carrier network backbones.
  • Lack of MPLS NNIs: Carriers interconnect readily with one another to transmit frame relay and ATM traffic worldwide, and IP (thanks to the Internet) is one of the most prolific protocols supported around the world. But when it comes to MPLS, network-to-network interconnect (NNI) agreements are still virtually nonexistent. With AT&T, MCI, and Sprint all building out global MPLS-driven IP-VPN networks, and with many other carriers (e.g., Qwest, Level 3, and BellSouth) strong users of MPLS, it's ironic that IP is an interconnect love-fest, but when it comes to MPLS IP-VPNs, carriers just haven't connected with each other.
  • Security Conscious: While IP-VPN links themselves are generally secure, the endpoints, where the VPN link terminates and the corporate network begins, present an attractive target to attackers, especially on links that run Internet and IP-VPN applications alongside each other. A host or site router that holds an open Internet path and a VPN path at the same time (a split tunnel) becomes a bridge into the corporate network the moment it is compromised, so the Internet-facing side needs a firewall policy that admits only the VPN peer's IKE and ESP traffic and forwards nothing else inward. Carriers have opportunities to package managed IP-VPN, managed router, managed firewall services, and additional security monitoring and consulting services in service bundles for customers, under the banner of security services.
  • Frame Relay/IP-VPN Balancing Act: Most large carriers inevitably offer both frame relay and IP-VPN services, which puts them into a complex situation. Pricing IP-VPNs too high means the carrier won't attract new clients; pricing too low risks the ire of frame relay customers feeling they're paying too much. Some frame relay customers will want to migrate to IP-VPNs quickly, some slowly. Others will want to keep a mix indefinitely or will have no interest in anything to do with IP. Every customer will have a different opinion, and it's going to be a tough balancing act to satisfy them.
  • Remote Access Expansion: Remote access dial-up was one of the first markets for IP-VPNs. There are still plenty of remote access market niches for carriers to explore, including cellular, Wi-Fi, and DSL/cable modem-based broadband. The issue for infrastructure owners is how to make IP-VPNs pay off: any carrier can extend remote access nearly anywhere in the world via the Internet, and knuckling down on remote access users of IP-VPNs risks losing them as Internet customers - killing the goose that laid the golden egg.

Offensive vs. Defensive Responses:

More IP-VPN Launches

  • Offensive The beauty of IP-VPNs is that they aren't some mystical concept that only Tier 1 carriers can master after throwing scores of engineers and millions of dollars at the problem. Smaller carriers can provide more personalized service at a very competitive price, while bringing to the table other advantages they have over much bigger competitors.
  • Defensive True, there's a low bar for carriers for initial entry into the IP-VPN space. But once a customer's needs are no longer simple, the cream rises to the top. Customers benefit if they buy from a carrier with experience, with sufficient resources to address sophisticated issues, with a substantial network footprint to reach wherever the customer goes, and with a good spread of IP-VPN services.

Touch Every Service

  • Offensive Customers still not convinced that IP-VPNs are the future of business networks should simply take a look around. Carriers are rushing to push the technology into every service nook and cranny, and MPLS already has been, or is now being installed in most major carriers' IP backbones. It's no longer a question of how IP-VPNs can benefit the customer, but in how many ways the technology can benefit the customer.
  • Defensive Customers shouldn't be hoodwinked by carriers that proselytize about connecting IP-VPNs to everything. Different types of IP-VPNs have little in common besides some core concepts, and they're used for very different purposes. Experience in one area doesn't mean competence in another. The customer's buying decision should be purely based on the extent to which a specific IP-VPN service offered by a carrier meets its needs.

IP-VPN Web Browser SSL Support

  • Offensive Web-based SSL is the perfect complement for existing remote access support. It frees up roaming employees to use any platform that supports a Web browser to access the corporate network securely. Employers benefit because they don't have to pay for proprietary VPN software, or support it out in the field.
  • Defensive SSL support for remote access is a gimmick at best, and dangerously unsafe at worst. First, exposing the corporate logon to anyone with a Web browser invites far more password-guessing and site-cracking attempts. Second, remote users should never use an untrusted computer for corporate access, because browser caches and keystroke-logging software on a shared machine let even a rank amateur compromise security.

Competitive In-Sourcing

  • Offensive Enterprises find it extremely tempting just to go it alone, set up a few informal IP-VPNs, and save a couple bucks. Time and again, these in-house projects balloon out of control as requirements become ever more sophisticated. By the time the IT department is screaming for help, it has a major, expensive migration project on its hands, and no idea where to turn to fix it. These enterprises would save themselves time and money in the long run if they'd just go with carrier-provided IP-VPN services at the outset.
  • Defensive Sure, enterprise customers can handle their own IP-VPNs competently. But it never hurts to sit down with a carrier representative and do a cost/benefit analysis of outsourcing these services, to reveal any hidden costs and the value of features not available in-house. Once the customer has a clear picture of how the numbers add up, it should be much easier to decide whether outsourcing IP-VPNs is worth the price.

Copyright © 2004 IDG Communications, Inc.