(12/11/2000) – The VPN market is hot. Driven by fear of hackers and the economics of the Internet, VPNs – which create encrypted data tunnels through the ‘Net – are becoming almost commonplace. Every network manager should be thinking about how to fit them into their short- and long-term strategies.
Five trends dominated the VPN market this year: consolidation of major players; an introduction of high-performance products at lower prices; validation in the high-end enterprise market; heavy adoption of low-end products; and the lack of excitement over Windows 2000.
For 2001, there is an even rosier view for corporate network managers looking at buying and using VPN technology. With their favorite vendors finally getting serious about VPN hardware and software, the spectrum of possibilities has become broad enough to make even the most conservative network architect comfortable.
The promise of IP Security’s (IPSec) standards is also coming to fruition. Although the Holy Grail of all standards – multivendor interoperability – is still touchy, interoperability problems surrounding IPSec are more the exception than the rule now.
Consolidation that creates value
There are as many VPN players today as there were a year ago, but things have shifted considerably. Once dominated by dozens of small companies competing in the VPN hardware arena, the scope of the VPN market now has an expanded spectrum of products. Those include carrier-class hardware, network-based providers, managed services, conversion and compatibility service vendors, and super low-end VPN hardware and software products.
The heavy hitters in the network business have made their VPN moves. Cisco acquired Compatible Systems and Altiga, and has begun to push Altiga-based products hard to its customer base. At the same time, 3Com exited the enterprise VPN marketplace. Its outstanding Pathbuilder product line, which had excellent VPN performance, has fallen through the cracks in 3Com’s on-again, off-again corporate network strategy. Still, 3Com introduced a crypto-accelerated network interface card, showing that it’s not so uninformed as to completely leave VPN technology out of its product mix.
In addition, Timestep was gobbled up, first by Newbridge Networks, and then by Alcatel. Similarly, Network Alchemy became a Nokia subsidiary, while Indus River became part of the Cabletron spinoff Enterasys.
This continuing consolidation opened space for a variety of players at other levels of the VPN marketplace. For example, Cosine Communications, a manufacturer of carrier-class hardware, burst onto the scene with its VPN products, challenging Nortel Networks for the potentially lucrative carrier market.
Network managers should view this consolidation with caution, however. When buying VPN hardware and software, be absolutely sure the product offers total IPSec compatibility. Your vendor should be participating in the various industry VPN bakeoffs, and hold VPN Consortium membership or International Computer Security Association certification, as all offer some proof of interoperability.
An important result of all this motion in the VPN marketplace is the scaling of the “Intel wall,” a barrier present in standard PCI-based computing systems that has effectively limited CPU-based encryption to about 6M bit/sec. The general trend of the computer industry – faster and cheaper – has also been present in the VPN market. Vendors such as Chrysalis, RedCreek Communications and IRE, which have pushed high-end VPN acceleration products in the CDN$7,500 range, are seeing tremendous competition as hardware-based VPNs become cheap and commonplace. Vendors such as Nokia, NetScreen Technologies, Alcatel and Radguard are offering complete VPN systems with 50M bit/sec to 100M bit/sec encryption throughput for about $15,000. In general, the price for high-speed encryption at near 100M bit/sec speeds has dropped by approximately 50 percent in the past 18 months.
Network managers are already accustomed to budgeting for equipment in January that costs less in July. VPN equipment will follow the same trend. The biggest sweet spot for budgets is going to be in the greater-than-100M bit/sec market, in which products at 100M bit/sec to 1G bit/sec will continue to drop in price amid increased competition.
Ready for companies
Enterprise-level features, such as high availability and client deployment tools, are now readily available with VPN product offerings.
As recently as last week, RedCreek teamed with Cyber IQ Systems to announce a high-availability VPN package called the ReD i-Cluster that ties together two RedCreek Ravlin 7160 VPN gateways using Cyber IQ’s HyperFlow3 clustering and load-balancing product.
In terms of high availability, vendors had only limited support for master/slave VPN servers in mid-1999. Now enterprise managers have no fewer than four load-balancing/high-availability VPN products available from Rainfinity, Foundry Networks, Stonesoft and Nokia. In addition, as our testing demonstrated, Radguard, NetScreen and Alcatel (Timestep) also make reliable and network-ready high-availability VPN devices that will help bring VPNs out of the lab and into production networks.
Another important corporate feature is client deployment tools for remote-access VPN configurations. Although we didn’t see a lot of new products in 2000, the market was still busily absorbing those introduced in 1999, including Intel’s (Shiva) remote-access client deployment tool, a new version of IRE’s SafeNet client and deployment tool, and the latest version of Indus River’s RiverWorks IPSec client and remote-user management tool.
At the same time, most products are lacking in enterprise management for large and meshed VPN networks, and we didn’t see new products this year that addressed this problem. Some vendors, such as VPNet, have had this capability for some time. However, corporate management is missing from most products, and we’ll be looking for this as a key feature for VPN vendors (new and old) to introduce in 2001 to keep VPNs in sync with the rest of the network.
Network managers who have been waiting for better management features will see some progress, but there’s still a long way to go before VPN products will be fully integrated into enterprise networks. Be prepared for higher-than-average management and operations costs for a few years.
Pervasive VPN technology
Because VPN technology has moved from “magic” to “mundane” this year, more products at the low end are being introduced and refined. For example, small office/home office firewall devices for DSL and cable modem users are now commonly available with VPN features. Vendors such as SonicWall, NetScreen and WatchGuard have pushed hard to bring VPNs to this marketplace at reasonable costs.
This isn’t limited to firewalls. Most routers now include some IPSec VPN features, and the open source community is working to get IPSec into freeware and commercial Unix implementations. FreeS/WAN and KAME, two open source IPSec implementations, are available on multiple platforms and have made important stability and compatibility strides this past year.
Network managers may be inundated with IPSec possibilities, but the danger is always on the management side. Getting IPSec to work is now possible, but fitting it into the enterprise infrastructure is no easier than it has been in recent years. IPSec standards writers are beginning to work on simplifying VPN management, but the results are still a few years out.
Windows 2000 fails to excite
The last 2000 trend is the lack of enthusiasm over Win 2000’s built-in IPSec VPN capabilities, particularly for clients. The abrupt collapse of the third-party TCP/IP stack market when Microsoft announced Windows 95 has not been repeated. Third-party VPN clients from leading vendors such as Nortel and Check Point have continued to go strong with heavy customer demand. VPN hardware manufacturers are working to ensure their client software will work on Win 2000, and OEM client vendor IRE/SafeNet shipped its Win 2000 client to an enthusiastic customer base at mid-year. But network managers watching Win 2000 carefully should keep third-party VPN clients on their radar screens as they evaluate and deploy Win 2000 to desktops and laptops.
These five trends are pushing the VPN market forward. While network managers have to be cautious about management issues and vendor consolidation, higher performance for lower prices as well as a spectrum of new products mean VPNs will be easier, faster and cheaper in 2001.
Snyder is a senior partner at Opus One, in Tucson, Ariz., specializing in messaging and security products.
Prices listed are in Cdn currency.