IP VPNs Poised for Automation, Scale


The dawn of a new, commercially viable, mission-critical Internet is at hand, say industry analysts, but only if the setup and tear-down of secure, private networks can be automated for large scale and high reliability. To make it so, vendors have begun to unveil policy-based automation systems designed to turn the provisioning of even the most complex WAN interconnections into a simple point-and-click operation.

Cahners In-Stat Group (www.instat.com) pegs IP VPN revenues at more than $2.67 billion in 1999, growing to more than $32 billion in 2003. By that time, says Infonetics Research Inc. (www.infonetics.com), more than 65 percent of that $30 billion VPN market will come from VPN services managed by service providers, rather than by end-user businesses themselves.

According to those and other researchers, the early market driver of IP VPNs, remote dial-in access to corporate networks for traveling workers, will soon be superseded by demand for site-to-site, intracompany links and for extracompany links with trading partners. Because the configurations of such networks may change on a regular basis--as a new branch office is added or a trading partner project dissolves--VPN advocates argue that the Internet's global addressing schemes and flexible reach, combined with encryption and other security technologies, offer the perfect solution.

"The current Internet is a kind of loss leader based on populism," says Tom Nolle, president of consultancy CIMI Corp. (www.cimicorp.com). "Service providers need to create a whole new image of public IP based on commercialism, not populism, and then the real issue becomes new features to win customers away--features customizable down to the per-user level."

IP VPNs provide one key entry point to such a "next-generation, business-enabled network," says Bill Jefferis, senior product manager of VPN services for Bell Atlantic Data Solutions Group (www.bellatlantic.com), which along with its national IP backbone partner GTE Internetworking (www.bbn.com), launched managed VPN services for businesses last June.

"Call it 'my business-enabled network portal,' or 'my VPN portal,' but we'll create services portals for business information managers who will order secure IP connections to a range of business-enabled networks--for voice over IP, unified messaging, multimedia conferencing, business-to-business commerce, enterprise resource management," Jefferis says. "You want to add 15 new users to a network with trading partners, then go to the portal and upload their access and security profiles. The bottom line is allowing the customer to do everything he does today, but with a much more far reaching, flexible and economic infrastructure than his private frame relay network."

To achieve that goal, Jefferis adds, "policy-based quality of service, traffic management and prioritizing, truly enforceable service level agreements, nearly instant provisioning--all that has to be part of the next phase of VPNs."

Rules and Templates

Both the suppliers of customer-located VPN equipment, which is now mature and widely available, and of network-based VPN equipment, which is only now emerging in field trials, are attempting to accommodate rapid, large-scale VPN set-up and management by leveraging directory technologies and policy-enabled networking tools.

In the first quarter of this year, for example, Ennovate Networks Inc. (www.ennovatenetworks.com) promises general availability of its new EnSight Service Automation System, a directory-enabled management system for the company's network-based Envoy 1600 IP Service Switch. The system applies predefined policies to customer data that is entered through a point-and-click web interface.

In other words, rules are set for the whole VPN, then those rules are translated into router, encryptor, firewall and other device configurations that are automatically distributed to each site participating in the VPN. By using this rules-based automation, says Kevin Vadenais, Ennovate's senior product line manager for network management, service providers will be freed from manually performing low-level, repetitive, command-line configuration tasks, such as determining VPN members, creating interfaces and virtual routers, or configuring links and IP layers for each VPN site.

"Corporations want IP VPNs on demand, as projects demand, which is not currently possible with the four to eight weeks it takes to get a business network online," Vadenais says. "We believe most VPN traffic will be among company sites, so you'll see a VPN for sensitive financial information, maybe a VPN per business unit so you can charge back wide-area network costs easily, or a VPN per business partner, or a VPN to connect to hosted enterprise resource planning applications."

To help service providers accommodate such projects on demand, Ennovate is leveraging database standards, such as the lightweight directory access protocol (LDAP), to streamline the creation of provisioning policies and repeatable templates. "If you want to add a new site to the VPN, you enter minimal information, then the network configuration is automated and verified, and the switch, with embedded LDAP, writes the configuration information in LDAP language and sends it to the directory," Vadenais explains. "Then third-party accounting or billing or other applications don't need to go through any mediation process to get to the configuration information."

Like Vadenais, executives of the former Xedia Corp. (www.xedia.com), a leading provider of customer-located VPN gear that is now part of the Enterprise Internetworking Systems WAN Group at Lucent Technologies Inc. (www.lucent.com), also expect branch office and trading partner connectivity demands to drive the need for scale, flexibility and quality in VPN provisioning and performance.

"We see site-to-site intranet and extranet demand really picking up," says Karen Barton, vice president of marketing for that group at Lucent, whose QVPN gateway is used in national, managed VPN services provided by MCI WorldCom subsidiary UUNet (www.uu.net) and Concentric Network Corp. (www.concentric.com). "The e-business agenda is where everything is headed, so that means web hosting, application hosting, basic commerce all require high-quality, secure public infrastructure."

To address that need, Xedia last summer delivered software designed to automate the creation of secure VPNs. The QVPN Builder system presents what are effectively "knobs" to the network administrator, who determines which office sites to connect, what security level each user will have, who is allowed behind firewalls, and which users and/or applications should be given priority classification for preferential queuing in the former Xedia's QVPN gateway routers. This configuration information is determined centrally, then distributed via simple network management protocol version 3.0 to the QVPN gateways at each customer site in the VPN.

The need for such central controls for rapid setup and tear-down of VPNs will be driven by corporate needs to accomplish specific tasks, then move on. "If you need to get an accounting application done across all your branch offices at the end of each quarter, then we need to enable you to tune the networking for those participants and that application for those few days," says Mark Showalter, vice president of marketing and product management for CoSine Communications Inc. (www.cosinecom.com), another manufacturer of network-based IP service switches.

Like Ennovate's Envoy 1600 switch, CoSine's IPSX 9000 integrates thousands of virtual routers and virtual firewalls in a single network switch, which stands at the outer edge of the service provider network. CoSine's InVision management system provides a point-and-click interface to the service provider to automate provisioning of all those VPN components across multiple switches in multiple service provider offices. "A VPN connecting even a handful of sites multiplies into a complex mesh of secure IP tunnels, and you can't configure each of those by hand," Showalter says. "We allow you essentially to select virtual router sites, then push a mesh button, and the system interconnects all those sites, so we minimize the information entry and automate the rest."
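To make the "rules once, configs everywhere" idea concrete, here is an added example (not code from Ennovate, CoSine or any vendor in this article) that takes a single VPN definition with a shared tunnel policy and expands it into per-site tunnel configurations, either as a full mesh or as hub-and-spoke. The site names, gateway addresses, prefixes and transform string are constructed sample values.

```python
from itertools import combinations

# Constructed sample VPN definition (hypothetical; not from any vendor's system).
# The policy is entered once for the whole VPN and applied to every tunnel.
VPN = {
    "name": "finance-vpn",
    "policy": {"transform": "esp-aes128-sha1", "ike_lifetime_s": 28800},
    "sites": {
        "hq":      {"gateway": "198.51.100.1", "prefix": "10.1.0.0/16"},
        "branch1": {"gateway": "198.51.100.2", "prefix": "10.2.0.0/16"},
        "branch2": {"gateway": "198.51.100.3", "prefix": "10.3.0.0/16"},
        "partner": {"gateway": "203.0.113.9",  "prefix": "172.16.0.0/12"},
    },
}


def tunnel_pairs(sites, topology="mesh", hub=None):
    """Return the set of (site, site) pairs that need a tunnel."""
    names = sorted(sites)
    if topology == "mesh":
        return set(combinations(names, 2))  # n(n-1)/2 pairs
    if topology == "hub":
        if hub not in sites:
            raise ValueError("hub must be one of the VPN sites")
        return {tuple(sorted((hub, s))) for s in names if s != hub}
    raise ValueError(f"unknown topology {topology!r}")


def expand(vpn, topology="mesh", hub=None):
    """Expand one VPN-wide definition into a per-site configuration dict."""
    sites = vpn["sites"]
    configs = {name: {"vpn": vpn["name"], "tunnels": []} for name in sites}
    for a, b in tunnel_pairs(sites, topology, hub):
        # Each pair yields one tunnel entry on each of the two endpoints.
        for local, remote in ((a, b), (b, a)):
            configs[local]["tunnels"].append({
                "peer": remote,
                "peer_gateway": sites[remote]["gateway"],
                "local_prefix": sites[local]["prefix"],
                "remote_prefix": sites[remote]["prefix"],
                **vpn["policy"],
            })
    return configs


def tunnel_count(configs):
    """Number of distinct tunnels (each is listed at both endpoints)."""
    return sum(len(c["tunnels"]) for c in configs.values()) // 2
```

Adding a fifth site to the mesh adds four tunnels and touches every existing site's configuration, which is exactly the growth that makes hand configuration impractical.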

Service Ready Networking Chart

My VPN Portal

The new class of service provider-managed VPN and security services platforms also begin to hint at Nolle's vision of per-subscriber customization.

British Telecommunications plc (BT) (www.bt.com), for example, is using technologies from Alcatel Internetworking (www.alcatel.com) to offer a menu of managed security services that include site-to-site VPN, firewall, bandwidth management, website filtering and remote access. "The customer clicks on the menu to order varied levels of service at different dollar values," says Mitch Strobin, vice president of product marketing for Alcatel Internetworking. "The customer literally checks off what he wants, and the thing we do behind the simple VPN is offer the ability to create policies."

Alcatel's system lets the service provider and its customer share this process of defining the users, resources, time periods and applications associated with each policy. For example, remote sales people may be allowed 24-hour access to e-mail using client-to-site VPN, firewall and e-mail server resources. Policy automation enables BT and/or BT customers to list all the individuals in the sales force, then automate the application of those rules to those individuals.
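The group-based policy just described (users, resources, time periods) reduces to a small deny-by-default evaluation. The following added example, not code from Alcatel or BT, models it with a constructed directory and two constructed policies, including the 24-hour sales e-mail rule from the text; all user, group and resource names are sample values.

```python
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Policy:
    group: str              # directory group the rule applies to
    resources: frozenset    # services the group may reach
    start: time             # allowed window start (inclusive)
    end: time               # allowed window end (exclusive); start == end means 24h


# Constructed sample directory: user -> groups (hypothetical values).
DIRECTORY = {
    "alice": {"sales"},
    "bob": {"finance"},
    "carol": {"sales", "finance"},
}

# Constructed policies. Sales gets round-the-clock mail over client VPN;
# finance gets the ERP application during business hours only.
POLICIES = [
    Policy("sales", frozenset({"mail", "client-vpn"}), time(0), time(0)),
    Policy("finance", frozenset({"erp", "client-vpn"}), time(8), time(18)),
]


def in_window(policy, now):
    """True if the clock time `now` falls inside the policy's window."""
    if policy.start == policy.end:
        return True                                   # 24-hour rule
    if policy.start < policy.end:
        return policy.start <= now < policy.end
    return now >= policy.start or now < policy.end    # window crosses midnight


def authorize(user, resource, now):
    """Return the matching policy, or None (deny by default)."""
    groups = DIRECTORY.get(user, set())
    for p in POLICIES:
        if p.group in groups and resource in p.resources and in_window(p, now):
            return p
    return None
```

Returning the matching policy rather than a bare boolean gives the provider an audit trail of which rule admitted each session.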

Then as each user enters the service provider network, says Judy Beningson, Edge Routing Switch line manager for another IP service switch provider, Unisphere Solutions Inc. (www.unispheresolutions.com), "the system authenticates the user, picks up policies associated with this VPN, then applies transport, which might be encrypted IP or IP over an ATM virtual circuit."

Indeed, many vendors believe mission-critical business needs will require that the automated provisioning menu grow to include not only secure tunnels, but also QoS levels, a requirement that ATM switching was designed to handle.

For example, ATM-based DSLAM maker Promatory Communications Inc. (www.promatory.com) recently introduced a suite of software modules designed to leverage the dynamic, bandwidth-on-demand capabilities of ATM switched virtual circuits (SVCs), as well as intelligent rerouting capabilities of standard ATM private network-to-network interface (PNNI) protocols. Promatory is working with Nortel Networks (www.nortelnetworks.com) to develop interworking between Promatory's per-SVC QoS controls and Nortel's Shasta Broadband Subscriber Node IP service switch (www.shastanets.com).

To target the VPN market, leading ATM switch maker Fore Systems Inc./Marconi Inc. (www.fore.com) will apply technology based on the Internet Engineering Task Force's (IETF's) (www.ietf.org) emerging multiprotocol label switching (MPLS) standard. Whereas standard IP routing sends a data packet through any number of possible routes to a destination, MPLS provides tags or labels to packets to direct them through a consistent, end-to-end label switched path, thereby better assuring congestion-aware routing, QoS and overall management of traffic for the service provider.

With this IP-friendly road map, Fore also expects to integrate into its ATM/MPLS switches all the firewall, encryption and other VPN functions associated with IP service switches from CoSine, Shasta and others. "In the majority of broadband DSL and cable modem networks, services are already terminated in ATM VCs," says Jarrod Siket, product line manager for Fore's Forethought management software. "So why not leverage the ATM switch, rather than introducing whole new sets of boxes and software?"

Service providers may gradually cede some VPN provisioning control to customers. For example, the WideSpan service management system from Bridgewater Systems Corp. (www.bridgewater.com) provides a distributed policy database system that can be partitioned for administrative purposes, while still shielding the service network from unwelcome intrusion. "The policies surround the user, not the network," says Marketing Vice President Dave Curley. "A gold user has a certain number of mail accounts, space on the website, or access to a video server, and so we answer whether this user has access to this or that tunnel to this or that service."

In the case of a GTE Internetworking service package for the real estate market, Curley says, WideSpan enables GTE to control the level at which each customer can turn knobs on the service, such as adds, moves and changes in a hosted real estate multiple listing application.

Vendors and service providers are wary that too many cooks can spoil the network management soup. "If it's a commodity service, we see a lot of comfort in letting customers turn it on or off, but higher value services like firewalls are much more complex and prone to error," says CoSine's Showalter. "However, there's a great deal of room for letting customers tweak knobs for levels of access and for user adds, moves and changes."

In the long run, such self-provisioning may translate to self-customization.

"If we can move all routing, firewall, VPN gateway, extranet capability, site-scanning--all those IP security functions--into one platform, then we'll be able to remotely provision any combination of these functions to each customer site through a few simple systems in a few operations centers, all accessible to the customer via the web," says Bell Atlantic's Jefferis. "Then we've really got something."
