VPNs:

Forrester Research Inc. analyst David Goodtree estimated as recently as 1997 that Internet protocol-based (IP) VPNs represented only about $40 million in carrier revenue. But that's grown by leaps and bounds. VPN revenue was just less than $2 billion last year. And VPNs are positioned to replace services, such as frame relay and private line, for which U.S. firms spend $10 billion annually, argue analysts at Forrester Research.

For those reasons, virtually all observers expect continued high rates of growth for VPNs. Infonetics Research Inc., San Jose, Calif., estimated in 1997 a global market of $9 billion for service provider VPN services in 2001, growing at more than 100 percent a year (see chart).

Of course, remote access is the process by which branch offices, mobile workers and home-office workers connect to office computing resources. Remote access represents a growth market for competitive local exchange carriers (CLECs) and Internet service providers (ISPs) because networking is becoming indispensable, the number of mobile workers continues to expand and work increasingly is conducted at many dispersed locations, including home offices, trade shows and customer sites, for example. Stamford, Conn.-based GartnerGroup Inc. projects a worldwide total of more than 100 million remote workers by 2002 (see chart, "Global Telecommuting Market").

A 1997 study by Cambridge, Mass.-based Forrester found that half of large company network managers would be supporting 2,000 or more remote workers before 1999. And since most of those remote workers now connect back to company computing networks using long distance networks, the operating cost of remote access is relatively high, according to report author Brendan Hannigan.

VPNs can help control those costs. Building a remote access solution can cost $975 a year for each user, while an outsourced, VPN-based remote access solution can cost $700 a year, according to Cisco Systems Inc., San Jose, Calif. The in-house solution cost includes dial-up modem ports, local access line charges, modems and toll-free access charges. Meanwhile, Infonetics Research estimates that a VPN is 50 percent to 80 percent cheaper than a typical leased line/dial-up network, whenever 100 users connect for 40 hours a month at an average cost of 14 cents a minute. In this scenario, Infonetics assumes the alternative is Internet access accounts costing $20 a month. And analysts at Boston-based The Yankee Group (a subsidiary of Primark Corp.), meanwhile, estimate VPN cost savings at 25 percent to 56 percent, with bigger savings coming on longer-length managed services contracts (see chart, "Managed Virtual Private Network Savings, Multiyear Contracts, in Percent").

The other clear attraction of VPN-based remote access and networking is the ability to collapse and simplify networks, running voice, fax and data over a single, integrated transmission network. The motivation for moving to a single data network is simple, say executives at Ascend Communications Inc., Alameda, Calif. Both service providers and their business customers can save as much as 50 percent on long distance telephone calls and fax transmissions.

In a recent analysis of a three-node VPN, Fairfield, N.J.-based Lynx Technologies Inc., a firm that tracks tariffs, reduced first-year costs by 60 percent by moving to a VPN. That scenario modeled a U.S.-based firm with offices in Boston, Houston and Los Angeles, and one connection to London; all sites were connected directly to all other sites.

Each of the connections represented a 64-kilobits-per-second (kbps) link. Local connections from each site to the long distance carrier point of presence (POP) were based on three-mile distances. In the Lynx example, the company replaced leased line connections provided by a major global carrier with an Internet-based VPN (see chart, "Four-Node Leased Line and Virtual Private Network Cost Comparison").

Purchase, N.Y.-based MasterCard International Inc., meanwhile, is a real-world example of the benefits of VPNs. In essence, MasterCard member merchants are part of a giant remote access network, set up to authorize charges. MasterCard's older network had to be sized around peak holiday season shopping patterns, and was based on private-line technology, so there was excess capacity for most of the rest of year. Its new VPN, on the other hand, not only speeds transaction processing times, but also is a "bandwidth-on-demand" system, according to MasterCard International Global Technology & Operations President Jerry McElhatton. Before the VPN was put in place, members had to pay the cost for unused network capacity, he notes.

High Margins

VPNs also offer an excellent way for CLECs and ISPs to offer high-value, high-margin managed services to small and medium-sized business customers. Medium-sized companies, with 100 to 999 employees, especially those in high-growth mode, may lack in-house expertise to create VPNs. They also may want to conserve capital and plow it back into the core business.

But even large firms are increasingly eager to outsource networking infrastructure, especially as networking becomes more complex and electronic commerce (e-commerce) support becomes more strategic. In its 1998 survey of wide area network (WAN) managers, researchers at International Data Corp. (IDC), Framingham, Mass., found that 43 percent of medium- and large-sized companies outsource their remote access activities.

But remote access built on a VPN platform is a strategic--not simply tactical--issue. VPNs can save end users money while creating a more efficient carrier network. VPNs also create a platform for e-commerce, and enable multiservice networking. VPNs are the foundation for both intranets and extranets as well. And, longer term, VPNs will pave the way for a new generation of business networks based on IP.

There are at least three major types of VPNs:

• Access VPNs (telecommuter remote access to company networks using the Internet);
• Intranet VPNs (intracompany communications using a private packet network); and
• Extranet VPNs (customer and supplier access to company resources using the public Internet).

A VPN creates a secure "tunnel" through a shared packet network. In many cases, traveling workers will encounter their VPN as they log on to the public Internet as a way of accessing their company networks. The advantage is cost savings. Companies pay a flat fee for Internet access, rather than 800 or other long distance charges. In a March 1998 report on the subject, IDC estimated there were 20,000 U.S. access VPN connections in service. IDC also estimates that 85,000 access VPN connections will be in service by 2002, a 50 percent growth rate (see chart, "U.S. Access Virtual Private Network Connections in Service").

In other cases, especially where companies operate intranets, users log onto a private frame relay, asynchronous transfer mode (ATM) or IP network designed for company employees. Companies also may build extranets that allow customers and suppliers to access selected information and conduct transactions such as checking account balances or bills, and placing orders. The extranet, in fact, is expected to be a major method of supporting tomorrow's advanced e-commerce networks.

On a more practical note, a key VPN advantage is the ability to run internal voice and fax traffic over the data network. Since most companies with branches find that as much as 40 percent of all voice traffic is between employees at each of the branches, long distance cost savings can be significant, with the highest savings on international routes, of course.

It also is possible to create very large internal private branch exchange (PBX) networks using VPNs, so that internal calls anyplace on the VPN can be made by dialing just four or five digits, for example. In an extranet environment, where a company is dealing with external suppliers or key customers, local calls can be routed to a local VPN node and transported over the VPN, thus saving the cost of a toll-free 800/888 call.

Bigger Benefits

As is always the case, the size of monthly revenue streams CLECs and ISPs can earn varies according to network bandwidth and the number of networked sites. Management of firewall software, as well as router installation and maintenance are other pricing factors. Generally speaking, recurring monthly charges and usage fees are part of the equation. So end-user fees can range between $1,000 to $10,000 a month.

Dial-up remote access users may be charged $4 to $10 an hour, or perhaps $5 to $15 an hour for integrated services digital network (ISDN) or international access. Domestic dial-up connections run $3 to $6 an hour, Internet VPN connections about $2 to $4 an hour, according to analysts at Giga Information Group Inc., Norwell, Mass.

When VPNs are used as a WAN backbone, charges can range from $1,900 a month for each site connected at 128kbps, up to $3,500 or so for sites connected at data rates ranging from 512kbps up to T1 (1.544 megabits per second) speeds. Carriers also can charge as much as $6,000 to install each VPN node. A larger corporate user may be charged $5,000 a month for access to the VPN by all of the company's teleworkers, up to perhaps 1,000 hours of total usage.

The opportunity for managed services, in which the CLEC or ISP offers to supervise VPN operations on behalf of the customer, likewise is significant. According to Chief Technologist Daniel Gasparro of McLean, Va.-based Booz-Allen & Hamilton Inc., the management chores associated with use of a VPN as a WAN backbone is relatively minimal. "Management and support responsibilities won't be much different than those required for a conventional leased-line backbone," he argues.

Matters are quite different, however, for a large corporation with thousands of remote workers. Management of extranets, likewise, does impose significant management chores. Setting up an extranet or remote access VPN serving as many as 5,000 users, for example, typically requires 120 days worth of work by a network administrator. Obviously, for a large network, outsourcing the job to a firm that can set multiple administrators to work immediately will speed installation time.

Extranets also are more expensive to operate, and that represents another business opportunity for CLECs and ISPs. Gasparro says 1.5 administrators are required to handle moves, adds, changes (MAC) and password resets for a large extranet. MAC represents the day-to-day labor to add and delete users from the extranet. That represents a typical cost of about $150,000 a year. Help-desk costs also can rise 5 percent to 8 percent, he says.

And where the extranet connects key customers and suppliers internationally, costs rise to about the equivalent of two full-time network administrators, adding about $200,000 a year in annual cost when a company decides to manage its own network. All of that should provide incentive for CLECs and ISPs offering a "managed service" program and handling all the details on behalf of a business client (see chart, "Virtual Private Network Pros and Cons: A Customer Perspective").

Outsourcing network headaches is a key advantage of managed services, and VPNs are clearly such a case. CLECs and ISPs should, as part of their sales pitches, point out all the tasks required when a customer wants to set up and operate a VPN using internal resources. As always, the fundamental trade-off is between control and cost. "Building your own" means the business keeps full control of equipment choices, security policies and network performance, at the cost of increased staffing and administration. That means designing the VPN, purchasing and installing equipment, training staff and providing ongoing maintenance and support (see chart, "Internal Tasks Businesses Must Handle to Build Their Own Virtual Private Network").

Internal Tasks Businesses Must Handle to Build Their Own Virtual Private Networks

• Acquire local access lines at remote locations.
• Negotiate one or more remote dial-up connections (Internet service provider [ISP], typically).
• Secure dedicated access service for branch sites.
• Monitor traffic patterns on the remote access ports.
• Plan for increased traffic and user count, especially for an extranet.
• Possibly buy new personal computers (PCs) or laptops for employees using remote access.
• Install new client software on remote access PCs and laptops.
• Monitor and maintain network security.
• Attract and retain scarce, expensive networking personnel.
• Provide continuing help desk support for remote users.

Source: In-house research

From the CLEC/ISP perspective, the managed service offering can be offered on several different levels, depending on how much control the client wishes to retain. Where the client wants full control, the service provider supplies simple IP network access, either on a dial-up or dedicated basis. At the other end of the scale, the service provider can fully manage the entire process of setting up and maintaining the network, training users, supplying help-desk functions and monitoring the network on a full-time basis.

In an intermediate scenario, the service provider supplies the VPN hardware and software and provides network performance guarantees, while the customer supplies and manages all applications and help-desk support to users. Maintenance is the responsibility of the customer, in this scenario.

In other cases the service provider may provide the support for remote users, while the customer provides support to the central site users, including security management (see chart, "Financial Advantages of a Virtual Private Network, 100-User Network, Per Year").

Whichever tack is chosen, business end users increasingly will be turning to VPNs to support remote access, build extranets to connect with key suppliers and customers, and lower cost by supplanting leased-line internal networks with intranets. Reduced long distance charges for remote access, lower operating costs, lower capital investment, easier connectivity and simplified WAN administration are the clear benefits.