


by No Analyst or Consultant

VPNs: Two Models, Many Choices

Jul 06, 2001
CSO and CISO | Data and Information Security

Talk of Internet Protocol Virtual Private Networks (IP-VPNs) is common. However, purists say that much of what is being sold as an IP-VPN isn’t one. Rather, they argue that “Customer Premise Equipment (CPE)-based IP-VPNs” are not really private at all, as the data goes over the Internet. The other side says, “but network-based IP-VPNs don’t meet the needs of travelers, and vanilla Internet access just isn’t secure.” Will the real IP-VPN please stand up?

Analytical Summary

“IP-VPN” has grown to include both CPE- and network-based IP connectivity. Each has strengths relative to the other: CPE-based solutions make low-cost, secure remote access a reality. Network-based solutions take some of the guesswork out of IP class of service, performance and multi-service integration. Between the two, IP-VPN handles data at levels previously only available with Asynchronous Transfer Mode (ATM) and Frame Relay. Security concerns are largely resolved, and IP class of service and QoS are within reach. There is room for two IP kids on this street.


By pure definition, a virtual private network (VPN) is the interconnection of multiple sites via a private backbone network, thereby skirting the security and performance issues of the very public Internet. But this term has become muddled, and “VPN” has been applied to virtual networks based on the public Internet. (The term “IP-VPN” does NOT necessarily connote data transiting the public Internet, though some assume as much.) As IP is an “open” architecture, many have worried about the security implications of using it and the public Internet for transmitting sensitive information. Frame Relay and ATM have supported these sensitive applications, but the popularity and scalability of IP, and the general availability of the Internet, are driving improvements in IP-based networking.

The definition of IP-VPN has always been soft. For many service providers, it has been the “P” in VPN that was overstated: they put firewalls at the customer sites and send traffic between them via the very public Internet. Calling that “Private” is obviously stretching things. IPsec added privacy and security, and has proven to be a popular means of connecting two sites via an “encrypted” tunnel across the public Internet. In the last year the IP-VPN definition has evolved beyond “IP-based networking over a service provider’s wholly-owned IP backbone network.” That model is now known as a “network-based IP-VPN,” while “IP-VPN” as a whole also includes using the Internet to carry traffic, employing firewalls, digital certificates, encryption, and user authentication to make the communication “safe.” This firewall-and-Internet-based IP networking combination is known as a CPE-based IP-VPN.

It is no surprise that both forms of IP-VPN have evolved, and that each has certain advantages over the other. There are business and technical drivers pushing the growth of IP-VPN technology: i) the popularity of IP and the wide acceptance of the Internet, ii) the potential cost savings associated with using IP rather than multiple networking protocols, iii) the need for security while using IP, iv) the ability of remote workers and travelers to access the Internet from almost anywhere, and v) the relative ease of maintaining IP networks. Another driver in the growth of IP-VPNs is the interest in the integration and support of long distance voice and data services in one solution.

While voice over the Internet is not mainstream, talk of voice over IP is hot, and VoIP is improving in quality. The strongest appeal for VoIP is from enterprises that make long-distance and international phone calls. Being able to drop voice traffic in with data traffic on an MPLS-supported private network makes for potentially large cost savings. The two flavors of IP-VPNs handle these drivers in their own ways. So what types of IP-VPNs are providers offering? What are the advantages of each?

The advantages of network-based IP-VPNs (over CPE-based solutions) are higher throughput and performance, the ability to apply classes of service and QoS, ATM-like security, ability to support jitter-sensitive applications (e.g., carrier-grade VoIP), and the ability to support multiple (integrated) applications with one networking service.

Network infrastructure costs have come down with the proliferation of wide-area fiber optic cable (and competitors who own this fiber), and service providers have been able to reduce their costs of running networks, as well as network subscription rates. Technology can bring network-based IP-VPNs to the point that they (if engineered intelligently) suffer from little more congestion or delay than is common with ATM and Private Line networks.

Relatively recently, MPLS has been accepted as a means of tunneling across the network, improving security even without encryption, and it allows for traffic prioritization and better support of delay-sensitive voice and video. These are possible (though they do require network upgrades) as long as the traffic stays on the private network and the provider maintains control and integrity of the traffic flow. The advantages of CPE-based IP-VPNs (over their network-based brother) include supporting a remote user’s VPN connection when that user connects through a third-party ISP, mobility, and cost advantages over traditional VPNs.

As IP is an “open” architecture (traffic is essentially broadcast out to the Internet), many have worried about the security concerns of using the public Internet for transmitting sensitive information. Various “tunneling” methods (i.e., L2F, L2TP, IPSec, and MPLS) have taken a bite out of this security issue through encryption or improved forwarding methodologies. Add public key infrastructure (PKI) for end-user authentication and encryption, and the security of MPLS-supported VPNs may just be better than on ATM and Frame Relay networks.

However, PKI is not yet widely used by IP-VPN service providers (among large players, only AT&T and Genuity have implemented it to date). Only a majority, as yet, implement MPLS. Growth in telecommuting has provided some impetus in developing secure use of the Internet. Those working “remote” on a regular basis require access to corporate LANs and intranets. In the past, remote offices connected to headquarters via Private Line and Frame Relay services. Frame Relay PVCs are permanent connections, however, and do not support a mobile worker who needs access from a hotel room. Dial-up access to the Internet, on the other hand, is pretty ubiquitous. Install a VPN client on the user’s computer, dial into the Internet, enter password information, and you are into the corporate LAN. These CPE-based IP-VPNs do provide security. But they are no guarantee of a reliable Internet connection, and they do not provide the QoS or level of throughput that a user at a computer connected directly to the corporate LAN enjoys.

So, it is a trade-off. CPE-based IP-VPN solutions provide mobility and security, and they are relatively cheap. Network-based IP-VPNs provide high network performance and quality of service, and service integration and security. But they definitely will cost a few more shekels.

A small but growing number of serious IP-VPN providers (e.g., AT&T, WorldCom) offer hybrid IP-VPN solutions. Non-mobile, fixed-location users can benefit from the network-based portion of the IP-VPN service, while the traveling sales force or a distant remote office can be supported via a dial-up (or DSL) connection to the corporate VPN. Corporate offices get high reliability and performance, yet mobile access is also available. There is nothing wrong with playing both sides of this street.

So what should providers do as they look at implementing IP-VPNs? First, identify targets – are you looking to provide a (low-cost) solution to companies with remote workers, or to companies primarily concerned with security? Lean toward the CPE/firewall-and-Internet solution. A majority of IP-VPN users fall into this category. Or are you looking to help the higher end – those looking to integrate multiple services while ensuring high QoS? This, a network-based service, is a much more expensive proposition – it requires maintaining a private network. Consider what you are willing to invest in development of the product. Building a network (if the company does not already have infrastructure in place) to support a network-based product is sure to be capital intensive. On the other hand, the cost of the CPE solution could be (simplified a bit) the cost of an IP-VPN client and firewall software for each end user, and a dial-up Internet account. Pick your target, and look into your pockets – are they deep enough for what you want to provide?

Vendor Actions

  • Vendors need to pick their targets – remote and mobile workers (security, CPE-based), enterprises wanting to consolidate network services including voice, data, Internet (network-based), or both (hybrids).
  • Vendors that don’t have a large network footprint, or don’t have a lot of bandwidth in the network, should look toward developing a CPE-based solution. Employ IPSec for encryption, digital certificates and/or PKI for user authentication and additional encryption, and market toward companies wanting to connect with remote users. Emphasize remote access and security, and target smaller and medium-size businesses.
  • Vendors that have a large network footprint, and are able to keep users’ traffic on-net in a LARGE portion of their service area (e.g., the continental U.S.), should look at making IP-VPN solutions a network-based product. Emphasize the ability to support QoS, traffic prioritization, voice traffic, and service integration. Target larger enterprises.
  • Vendors that are looking at Fortune 500 companies should be prepared to support both network-based service and CPE-based remote access to the VPN for salespeople, remote offices, traveling executives, and vendor partners.
  • Vendors that plan to sell network-based IP-VPNs must work on developing the IP-VPN vs. Frame Relay argument, since Frame Relay has many of the reliability and throughput features, and may be cheaper.

Target Markets

  • Consumers

User Actions

  • Customers must identify their needs – is cost savings, service integration, or remote access the primary concern?
  • Customers should be familiar with the costs. Networks for services such as Frame Relay and ATM have been in place for some time and are largely depreciated, so in shopping around, a cheaper Frame Relay service is easy to find.
  • Know that there is a performance and price difference between CPE-based IP-VPNs, and network-based IP-VPNs. One IP-VPN is not like every other (even though some would have you believe as much).
  • Pick a service provider with network footprint sufficient to support the chosen IP-VPN.
  • Consider future plans – will VoIP be necessary? Is the provider supporting MPLS also developing VoIP support? Don’t assume they are.
  • When using a consumer DSL-based Internet access service to access your company VPN, USE A FIREWALL. This is a hacker’s favorite target, and a backdoor into your company’s network.