E-Markets and Services - The EMERGENCE of Network-based VPNs

By Paula Bernier

Managed services have been a tough sell to date, but VPN offerings are getting a shot in the arm as a variety of companies are bringing network-based VPN solutions to market.

There are two types of managed VPN services: one in which the VPN equipment sits at the customer's site and another in which the VPN equipment is network based, explains Jeff Wilson, executive director at Infonetics Research (www.infonetics.com). UUNET (www.uunet.com), a WorldCom Inc. (www.wcom.com) company, came out with the first commercially available VPN offering in the service provider space in 1997, Wilson says.

"UUNET has taken a strange position and doesn't look like it wants to build that kind of [network-based VPN] network, because then you have to populate all your PoPs with network-based equipment," he says.


Chart: VPN Equipment Vendors and VPN Service Providers

In a CPE-based model, which UUNET is using, the provider pays for equipment only after having signed up a customer, Wilson adds.

But companies such as Qwest Communications International Inc. (www.qwest.com) and AduroNet Ltd. (www.aduronet.com) in Europe are now offering VPN services that are network based, using equipment from CoSine Communications Inc. (www.cosinecom.com). Wilson says other vendors in this space include Cisco Systems Inc. (www.cisco.com), through its acquisition of Compatible Systems; Ennovate Networks Inc. (www.ennovatenetworks.com); Lucent Technologies Inc. (www.lucent.com), through its purchase of Spring Tide Networks; and Nortel Networks Corp. (www.nortelnetworks.com), through its purchase of Shasta Networks Inc. Redback Networks Inc. (www.redbacknetworks.com) plans to build this type of product as an evolution of its subscriber management boxes.

Meanwhile, a new breed of carrier has emerged specifically to offer network-based VPN services. This new group includes names such as eTunnels Inc. (www.etunnels.com); GlobalNetwork Technology Services (www.globalnts.com), a Cabletron spinoff; mVPN (www.mvpn.net), a spinoff of network equipment value-added reseller Atrion; OpenReach Inc. (www.openreach.com); and SmartPipes Inc. (www.smartpipes.com; for more on SmartPipes, see "At Your Service Layer," December 2000 xchange).

SmartPipes, which launched the beta version of its Global IP Services in early October with carriers such as XO Communications (www.xo.com), plans widespread availability of its offering this quarter. Unlike traditional service providers, companies such as eTunnels and SmartPipes don't build their own networks, notes Wilson. Instead, they either colocate their VPN equipment at carrier hotels or at other carriers' switching offices or data centers, or they install VPN equipment at the customer site and manage it remotely from a NOC, he says.

For its part, Qwest offers both CPE- and network-based VPN services. It began quietly rolling out its flagship product, Network VPN, in the fall of 1999 and announced it in May 2000, along with Check Point Managed Firewall VPN. This summer it made generally available a CPE-based service called Windows 2000 VPN, which uses the inherent IP security (IPSec) over Layer 2 tunneling protocol (L2TP) capabilities of Windows 2000.

Scott Cassell, senior product manager of VPN at Qwest, believes that it's the network-based services that will enable carriers and their customers to scale VPN in terms of network size and in terms of revenues.

About two years ago, analysts predicted that VPNs would replace frame relay and other solutions in the next few years, achieving "incredible revenue figures," says Cassell. But early CPE-based solutions didn't scale, they were difficult to manage, and they faced interoperability problems, so the market clearly never realized what was predicted, he adds.

"Over the last couple years there have been lots of VPN implementations, but they were usually less than 15-node hub-and-spoke implementations," Cassell says. "Qwest, meanwhile, has legitimized the construction of large-scale any-to-any intranets and extranets with integrated remote access. This remote access includes support of on-net and off-net connectivity such as dial, DSL, cable modems, ISDN or anything else."

But when a service provider goes to a fully meshed network, it becomes much more complex to manage and provide security for it, Cassell says. So Qwest has added special provisioning tools. The company's business support system/operational support system "gives us extremely robust flow-through provisioning so customers have web-based management tools to view and change VPN configurations such as changing policies," he says.

Wilson believes the adoption of VPN services to date has been limited because of scalability and management problems.

"These are early generation products that are really complex," he says. "VPN is a fully meshed network--every box has to be aware of every other box."

But the industry is starting to address that, he says, explaining that vendors such as Cisco, with its Tunnel Endpoint Discovery, have built proprietary software that enables new equipment to register itself with the network so service providers don't have to spend a lot of time doing it manually.

Wilson explains that the scalability issue had to do with problems such as remote authentication. Passwords can be used to authenticate small groups of users, he says, but for thousands of remote access users, there must be a more sophisticated setup such as public key infrastructure/digital certificates.

Apparently, analysts believe that many of these problems are being overcome. The Yankee Group (www.yankeegroup.com), for instance, expects that IP-based VPNs will be used by 70 percent of all companies for up to 90 percent of their data communications needs by 2003.


Cisco Unveils Network-based IPSec VPN Product Line
By Paula Bernier

Cisco Systems Inc. (www.cisco.com) recently debuted its complete network-based IP security (IPSec) VPN solution.

The Cisco VPN 5000 consists of the 5001 customer premises unit and "carrier-class" 5002 and 5008 concentrators for remote access or site-to-site IPSec network-based VPN deployments. Up to 256 customer virtual contexts (CVCs) can be created per platform, each providing separate IGP routing, RADIUS authentication and accounting servers, VPN groups, filter sets and tunnel mappings.

In addition to IPSec, the VPN 5000 series supports tunnel mapping features including Layer 2 tunneling protocol (L2TP) LNS, 802.1Q VLANs (virtual LANs), frame relay permanent virtual circuits (PVCs) and generic routing encapsulation (GRE). Since each CVC has its own virtual router, numerous customers can seamlessly use the same overlapping IP ranges, including private (RFC 1918) addresses.
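To make the per-context virtual router idea concrete, here is a small added model (not Cisco's code, and not from the original article) of a concentrator holding isolated customer contexts. The class and customer names, the route entries and the 10.1.0.0/16 overlap are all constructed for the example; the 256-context limit is the figure quoted above.

```python
from ipaddress import ip_address, ip_network


class VirtualRouter:
    """One customer virtual context: its own longest-prefix-match route table."""

    def __init__(self, name):
        self.name = name
        self.routes = {}  # ip_network -> next-hop label (tunnel or interface)

    def add_route(self, prefix, next_hop):
        # A later entry for the same prefix replaces the earlier one, which is
        # exactly the collision a single shared table would suffer.
        self.routes[ip_network(prefix)] = next_hop

    def lookup(self, dst):
        """Return the next hop for dst by longest prefix match, or None."""
        addr = ip_address(dst)
        best = None
        for net, hop in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best[1] if best else None


class Concentrator:
    """A platform holding up to max_contexts isolated customer contexts."""

    def __init__(self, max_contexts=256):
        self.max_contexts = max_contexts
        self.contexts = {}

    def create_context(self, name):
        if len(self.contexts) >= self.max_contexts:
            raise RuntimeError("context limit reached")
        self.contexts[name] = VirtualRouter(name)
        return self.contexts[name]

    def forward(self, customer, dst):
        """Look up dst only in the customer's own context; other customers' routes are invisible."""
        return self.contexts[customer].lookup(dst)


def build_demo():
    """Constructed sample: two customers both numbered out of 10.1.0.0/16."""
    box = Concentrator()
    acme = box.create_context("acme")
    acme.add_route("10.1.0.0/16", "tunnel-acme-hq")
    acme.add_route("10.1.5.0/24", "tunnel-acme-branch")
    globex = box.create_context("globex")
    globex.add_route("10.1.0.0/16", "tunnel-globex-hq")
    return box
```

Putting both customers' routes into a single VirtualRouter instead shows the failure mode: the second 10.1.0.0/16 entry silently overwrites the first, so one customer's traffic would be steered into the other's tunnel.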

The 5002 and 5008 units are available in two-slot and eight-slot versions, respectively. The 5008 can scale up to 40,000 simultaneous remote access or site-to-site VPN tunnels, with 760 Mbps of 3DES throughput. Cisco VPN 5000 customers include Electronic Data Systems and Lockheed Martin Global Telecommunications.

The 5001 sells for $19,000. Pricing for the 5002 ranges from $85,000 to $105,000 (depending on configuration). Pricing for the 5008 ranges from $90,000 to $400,000.
