VPN growing pains

When IBM Canada decided to deploy a virtual private network, it did so for the same reasons most other companies choose to: to connect remote users in an effort to cut costs.

The results for IBM – again as with most other VPN users – have been beneficial. The computing giant’s employees are able to gain access to IBM’s network while working remotely, simply by connecting to a local ISP.

Alex Bichuch, principal for Linux and VPN services at IBM Canada’s Global Services Group division in Markham, Ont., said the company is using a VPN service provided by AdvanTel.

“The reason we selected them is because it is a service, and because it is allowing us the most flexible VPN offering on the market today,” Bichuch said. He explained that IBM Canada requires flexibility, as its employees are often spread far and wide, from customer sites to hotels in other continents.

According to Leslie Stern, senior product marketing manager for Redwood City, Calif.’s Check Point Technologies’ VPN-1 offerings, experiences like IBM Canada’s have become commonplace since VPNs first appeared on the scene about five years ago.

“The biggest application driving VPN adoption is remote access,” Stern said. “That’s certainly where the technology fits nicely and where the cost savings are completely compelling, as opposed to having a 1-800 number, (for example). We hear consistently from our customers that they’ve used VPNs to replace 1-800 numbers that cost them several thousand dollars per month per employee.”

Compare that to the several hundred dollars many VPN solution vendors charge per client, and the savings are obvious.

As VPNs mature, the issue surrounding security also appears to be working itself out. Concerns about the inherent nature of the VPN, which uses an IP backbone like the Internet to carry a company’s WAN traffic, are being alleviated as VPN vendors settle on a de facto security standard, dubbed IPSec, when designing new equipment.

The VPN industry has also been helped by the uncertainty surrounding the telcos’ so-called “dedicated” leased lines, which are, in fact, shared in many instances. But frame relay and/or leased lines still carry much of the traffic for large enterprises.

“Right now, the biggest challenge we see is people have tried VPNs, they’re using VPNs, and they want to go completely to VPNs,” Stern said. “So the needs we’re seeing across the board are ones of scalability and reliability and other factors that go into deploying really big VPNs.”

A new lease on life

Bichuch agreed with Stern’s assessment. Despite having success with VPNs, IBM Canada still leases dedicated trunk lines from the telcos because the company’s bandwidth going from site to site is fairly large.

Bichuch figures a VPN could handle the bandwidth anyway, but he said “there are some issues with rolling a national VPN on a large-scale network.”

Primary among them is what Bichuch identified as a reluctance on the part of the big phone companies to market VPNs as an alternative to leased lines.

“They’re not ready for it, and they really don’t want to give away their traditional legacy bandwidth business,” Bichuch said. “There’s still significant profit margins in bandwidth. VPNs just shave it off.”

The problem is not isolated to Canada, according to Tim Smith, vice-president and chief analyst, public network infrastructure at Dataquest in San Jose, Calif.

“It’s a problem with service providers everywhere – the idea that (VPNs) could possibly cannibalize other revenue streams,” Smith said. “But I think that if a service provider is looking at it that way, that’s extremely short-sighted, because if they don’t recognize the opportunity and seize it and somehow try to generate market growth and expansion by doing something in a smarter way, then someone else will. And it won’t matter at all whether they’re trying to protect some legacy revenues because those are going to go to somebody else anyway.”

In Canada, both of the country’s major telecom carriers offer VPN solutions. Vancouver’s Telus Corp. operates a Canada-wide dual fibre network, and it partners with U.S.-based service provider Genuity to make use of its network in the States. Bell Nexxia, a member of the gigantic BCE family, also offers its own VPN services.

The problem with both, Bichuch said, is that Canada’s major carrier networks do not cover the country’s less-populated areas well enough. He said the opportunity to address this problem was dismissed after Stentor, an alliance of Canada’s Incumbent Local Exchange Carriers (ILECs), was disbanded in the late 1990s.

The small and mighty

But if the service providers aren’t marketing VPNs well enough, it doesn’t seem to have affected the small- and medium-sized business markets’ enthusiasm for the technology. Industry observers say it is the small and medium-sized businesses (SMBs) that are driving VPN deployment, for several reasons.

The most obvious one is cost savings, but IBM Canada’s Bichuch said the number of start-ups in the SMB market must also be taken into account.

“There are more companies that start up in that arena, which means they don’t have the legacy (infrastructure that others) bought five or 10 years ago,” he explained.

IDC Canada in Toronto estimates that 90 to 95 per cent of Canadian businesses qualify as SMBs. And many of these are eager to outsource their VPN requirements to service providers for a monthly fee.

It is market forces such as these which are creating a mad rush among large networking players to supply service providers with VPN-enabled equipment.

Major players like Brampton, Ont.’s Nortel Networks and San Jose, Calif.’s Cisco Systems now offer VPN-enabled routers and switches. And Lucent Technologies spin-off, Basking Ridge, N.J.’s Avaya Inc., recently spent US$120 million in cash to acquire Milpitas, Calif.’s VPNet Technologies, Inc.

In a press release announcing the purchase, Avaya cited industry sources as saying the VPN equipment market is expected to grow by a compound annual growth rate of 40 per cent to US$4.3 billion from 1999 to 2003.

Getting better with age?

With all this excitement over VPNs, one might assume the technology is maturing to a point where it will likely become ubiquitous. Unfortunately, that’s not the case, due mainly to the nagging problems of interoperability and software distribution.

Though much of the industry has settled on IPSec as a security standard, in most cases VPN vendors have still not managed to enable their equipment to work with other vendors’ equipment.

Therefore, a VPN gateway which provides access into the corporate network must be able to work with the VPN client software installed on a remote user’s laptop. Usually, this means buying VPN software and hardware from the same vendor.

Within a corporate intranet, where the purchasing decisions are made internally, this doesn’t have to be a problem. In the new business-to-business world, though, where companies want partners, suppliers or good customers to have access to their networks, it is.

Many corporations are striving to correct this problem by partnering with other leaders in the VPN industry. Nortel, for example, is working with public key infrastructure (PKI) vendors Entrust and VeriSign to integrate the digital certificate capabilities that they provide into its own Contivity line of extranet switches, said Bob Reason, senior manager of Contivity productivity marketing for Nortel in Foxboro, Mass.

Reason said Nortel has also established partnerships with firewall vendors Network Ice and Info Express.

Whether or not VPN vendors can achieve interoperability through select partnerships is dubious, according to Mark Fabro, senior scientist and global security adviser for Guardent Canada in Toronto, an information consulting firm.

Fabro suggested there is a possibility that governments may impose legislation requiring VPN vendors to come up with one standard in the future. But he does not expect this intervention to happen until VPNs are deployed on a mass scale by large enterprises, as well as by SMBs. And according to Check Point’s Stern, there are a number of issues slowing this development.

“Customers are worried about…software distribution, so if you’re managing a VPN for 100,000 users, how do you get the software out and maintain and support that software for those 100,000 users?” she said.

To many, the solution is as simple as distributing client software via a downloadable file from the Web. And while corporations prefer this method to sending out a software CD for the user to install themselves, security experts say both solutions have problems.

“If you are going to be deploying mechanisms for people to become road warriors or remote users, it is strongly recommended you do this in conjunction with a very accurate user education and awareness program with regards to security,” Fabro said.

Unfortunately, this can be very expensive, especially if it involves bringing employees to one central site for software installation and security education.

Fabro understood this, but said: “You will be introducing some serious vulnerabilities into your networking environment if you do not control the weakest link in the chain.”

He said the possible risks greatly increase if a remote user is accessing the VPN with a high-speed, always-on connection, such as cable modem or DSL. A hacker could find a way onto that user’s computer while he or she is surfing the Web, and lurk there until a connection is again made to the VPN.

Industry specialists recommend personal firewalls for all remote users, but again this increases costs immensely. Using a VPN appliance is also a possibility, and at around US$500 it is not exorbitantly expensive. But Fabro said forcing a remote user to carry not only a VPN client but a laptop as well for personal use is often unnecessary.

“For some instances, where the transmission and the control of the information is often very sensitive and there is an extremely high possibility that in the event of compromise it could be something known as an extinction-level event – where the corporation will be completely destroyed from a market-value, PR, or human resources perspective – then these VPN appliances are a great recommendation,” he explained. “For the most part, though, we think that…organizations around the world today can do their remote virtual private networking if proper education and a standardization of protocols of tools is actually delivered to the end users.”

The challenges are there for the VPN industry if it wants to continue growing. Enterprises are hungry for larger, more scalable networks that can perhaps be extended into an extranet for customers, partners, and suppliers. Once the vendors figure out how to guarantee these applications, the ubiquity of VPNs might make the words virtual and private redundant – and our networks will be called simply that.