
IP VPNs
An Overview for Network Executives
VPN SPECIAL REPORT
www.nwfusion.com
By Steven Harris, Research Manager, International Data Corporation
Featuring exclusive content from IDC Research Manager Steven Harris
Table of Contents
Definition of IP VPN
The Business Case for IP VPNs
How IP VPNs Are Being Used
Implementation Types
IP VPN Providers
Conclusion
Steven Harris
Research Manager
ISP Markets/Business Network Services/IP VPNs
IDC
Steven Harris is research manager in IDC's ISP Markets, Business Network Services, and IP VPN research programs. Steven is responsible for IP telecommunications services and Internet Service Providers (ISPs), including company strategies, markets, and technologies. He is the author of IP VPN Services: U.S. Market Forecast and Analysis, 2001-2006 and IP VPN Services: A Demand-Side View, 2001.
Prior to joining IDC, Steven was an industry analyst with the U.S. Department of Commerce, where he was responsible for covering the data communications industry and promoting the sale of U.S. data products abroad. His work included tracking industry trends, helping government officials understand industry concerns/issues, and promoting exports through international trade shows and missions.
Steven graduated with a B.A. honors degree in Economics and International Relations from the University of Wisconsin, Madison and an M.S. from the School of Foreign Service at Georgetown University, Washington, D.C., with a specialization in international business.
Steven can be reached at sharris@idc.com.
Definition of IP VPN
IP VPN usage
Market Trends
Definition of IP VPN
Internet protocol (IP) virtual private networks (VPNs) are a collection of technologies that ensure the privacy of data over a shared IP network infrastructure. The two key points as to what constitutes an IP VPN are privacy and an IP network.
Privacy is accomplished in one of several ways. The most common forms of data privacy are through encryption or through the partitioning of data traffic for the customer.
Encryption used for IP VPNs is closely associated with the IP Security (IPSec) standard. IPSec is a reasonably well developed standard incorporated into the IP protocol. IPSec comes in two varieties: the Data Encryption Standard (DES), which uses a 56-bit key, or 3DES (triple DES), which applies the 56-bit key three times for stronger security.
Traffic partitioning used for IP VPNs is closely associated with Multi-protocol Label Switching (MPLS), which separates one customer's data traffic from that of other customers on the same shared network. Traffic partitioning is essentially the same type of privacy method used in frame relay networking.
IP VPNs require the use of an IP network. Data traffic that uses a frame relay or ATM network can be classified as a VPN, but not as an IP VPN.
Hybrid solutions that may be of interest to many users of traditional data services such as frame relay are available in the market. IP-enabled frame relay allows for the addition of many IP functions and features over a traditional frame relay infrastructure. IP-enabled frame relay is not considered an IP VPN, however, because an IP network is not being used for such a service.
Multiple terms and technologies are often associated with IP VPNs, including encryption, authentication, RADIUS, firewalls, IPSec, tunneling, digital certificates, extranets, L2TP, and MPLS. Some or all of these technologies, protocols and functions may or may not be part of an individual IP VPN implementation. Don't let their inclusion confuse you or their exclusion worry you. IP VPNs come in many flavors and varieties.
IP VPN Usage
IP VPN usage is growing rapidly and is well established, especially in the United States. International Data Corporation (IDC) conducts a survey (WAN Manager Survey) of 400 wide area network (WAN) managers of medium and large enterprises in various regions of the world each year. According to the 2001 survey, 48% of medium and large businesses in the United States are using IP VPNs now. In 2000 the figure was 30%.
The 48% of enterprises currently using IP VPNs include those that are trying the technology out in parts of their WAN or for remote access. IDC has not seen, and does not expect to see, wholesale replacement of traditional data networks by IP VPNs in large numbers of companies. IP VPNs will join other technologies as a mature WAN technology.
However, IP VPNs are growing both extensively (in the number of companies using IP VPNs and trying them out) as well as intensively (in the number of corporate sites or number of remote users connected via IP VPNs).
Europe, Asia, and Latin America also show gains in IP VPN awareness and usage, albeit to a lesser extent than in the United States. However, IP VPNs are a global phenomenon that will continue to grow.
Market Trends
What is driving the growth of the IP VPN market?
- The need for remote access to the corporate LAN
- The potential for cost savings
- The increased deployment of IP-based applications
- The increase in better outsourcing options
Remote access is the main reason companies are deploying IP VPNs. According to the WAN Manager Survey, 83.5% of U.S. companies have deployed an IP VPN for use as a remote-access technology.
The reason that remote access is so popular for IP VPN usage is simply the lack of other good options. Telecommuters, employees who are traveling, or employees working at home on weekends or evenings can dial into the corporate LAN over the Internet without any security measures (simple dial access) or they can use security measures like IPSec encryption. Frame relay connections are not portable.
The Internet is ubiquitous and that is its primary selling point for corporations seeking to connect employees outside the office.
Cost savings are not necessarily inherent in IP VPN technology. A dedicated IP connection may or may not be cheaper than an equivalent frame relay connection. Whether IP or frame relay makes sense for connecting corporate sites on a WAN depends on multiple factors, including the degree of meshing needed between sites and the bandwidth speeds required.
Where IP VPNs demonstrate clear cost advantages is if two connections are currently being used at a corporate site and one of those can be eliminated by using an IP VPN.
For instance, nearly 99% of all medium and large U.S. businesses provide Internet access to some or all of their employees. As a result, an IP connection is present at most such locations. If companies are connecting their corporate locations via frame relay, then they have both an IP connection for Internet traffic and a frame relay connection for WAN traffic. If the WAN traffic can go over the IP connection using an IP VPN, then the frame connection can be eliminated. While additional bandwidth may be needed on the IP connection to handle the additional traffic, the cost of a higher-speed connection is dramatically lower than a second WAN connection. The elimination of redundant site connections is where IP VPNs make the clearest cost sense.
The deployment of IP-based applications, including intranets, CRM, ERP, and sales databases, has been another significant driver of IP VPNs. Applications that are IP do not need to be converted back and forth into various protocols while traversing the WAN. IP-based applications are IP on the headquarters location's LAN, stay IP in the WAN, and end up IP on the branch office's LAN.
Why does this matter? It is considerably more efficient. Protocol conversion is easily done, but such a process adds complexity, and errors occur. Errors require retries, which cause delay. An IP VPN is a more efficient method of transport for IP-based applications.
Better outsourcing options are currently available than in the past for those wishing to deploy IP VPNs. In 1999, IT consultants and carriers were just getting their feet wet with IP VPNs, and the implementations that were available were relatively rudimentary and often came in a one-size-fits-all variety. Carriers have improved these services considerably and have multiple options available for different customer needs.
The Business Case for IP VPNs
Reasons to Deploy
Why bother with a relatively new and complex technology when there already exist many long-established WAN options in the marketplace today?
There are various answers to this question. The results from IDC's WAN Manager Survey show a few of them, as shown in Figure 1.
FIGURE 1: Reasons for IP VPN deployment.
Security tops the list. It is likely that many respondents have remote-access IP VPNs in mind when responding to this question, not only because remote access is the most popular use of IP VPNs but also because simple Internet dial-up is really the only remote-access option available to users.
That security scores highly in 2001 represents a big change from 2000, when most people associated IP VPNs with the Internet and hackers. It seems that the concept of IP VPNs is beginning to set in: that IP VPNs use the Internet in a secure way.
The one category where IP VPN did not show up as highly as expected was the last one: needed for other IP initiatives. IDC expected IP VPNs to be deployed because IP-based applications are proliferating throughout the enterprise. That may still be the case, but it did not score as highly as anticipated.
There were several "other" answers from the survey that allowed for short written answers. Although "other" was not popular, those that did offer this response listed "way of the world" and "management made the decision" as reasons for deployment.
These are terrible reasons to deploy an IP VPN. There are enough good, solid reasons why IP VPNs make sense; a company should not need to resort to following a trend or letting some CEO that read an article on IP VPNs decide on WAN options. A reasoned, empirical analysis of a company's site and remote user WAN needs may very well conclude that an IP VPN is the most effective WAN option for a wide variety of companies (see Figure 1).
Reasons Not to Deploy
There also are reasons why a company may not wish to deploy an IP VPN. The WAN Manager Survey indicates a few such reasons (see Figure 2).
The most consistent reason companies have not deployed or are not planning to deploy an IP VPN is that they are happy with their current WAN solution. For most companies, that WAN solution is frame relay.
Frame is a very established technology, and WAN managers have a great deal of experience with it. Carriers that offer frame relay are also very experienced, since the technology is a staple in WAN networking.
FIGURE 2: Reasons for Not Deploying IP VPNs.
[Figure 2 chart. Question: What are the reasons your company is not planning an IP VPN? Categories: Happy with current solution; Don't need; Cost; Too new; Too complex; Security. Horizontal axis: 0% to 40%. Source: IDC, WAN Manager Survey 2001.]
[Figure 1 chart. Question: What is your company's primary reason for implementing an IP VPN? Categories: Security; Cost; Access/remote access; Lack other secure options; Needed for other IP initiatives. Horizontal axis: 0% to 40%. Source: IDC, WAN Manager Survey 2001.]
In 1999, IDC publicly stated that IP VPNs would not displace all other WAN technologies, and we were criticized for saying that frame relay was here to stay. Companies' comfort with traditional data technologies is a big part of the reason IDC believed frame would remain and why it does indeed remain. Very few WAN technologies ever die completely. Frame relay will have a place in corporate WANs for a long time to come. IP VPNs will grow faster, however.
In a related response, "don't need" IP VPNs was a popular reply. Some companies simply may not require the advantages that IP VPNs provide. If a company does not have secure remote-access needs, or extranet requirements, or if it has a good deal on frame relay for connecting corporate sites, then IP VPNs will be a relatively complex and unneeded WAN solution.
Security showed up as a reason not to deploy, but in much lower numbers in 2001 than in the past. Some respondents still associate IP VPNs with the dangerous and insecure Internet.
Comparing Figure 1 and Figure 2, you will notice that cost shows up both as a reason to deploy and a reason not to deploy an IP VPN. There are several explanations for this apparently anomalous result.
For some companies, IP VPNs may have dramatic cost savings (eliminating redundant data connections, for instance). Others may not save much if their frame relay network connections are not complex and they have good financial terms with their frame provider.
Another explanation revolves around what costs are included by survey respondents and what is in their minds when asked this survey question. No doubt some companies compare only the cost of frame relay to the cost of IP VPN connections. Some other respondents no doubt include the cost of transitioning to a new WAN technology. Still others may include IT staff time and training for IP VPN deployment.
Why Deploy an IP VPN?
Cost
Ease of use
IP-based applications
Remote access
So why does IDC think IP VPNs make sense for many companies? There are several reasons:
There may be significant cost savings for IP VPNs, depending upon a company's current WAN configuration. As mentioned above, if a company can eliminate a redundant WAN connection, the cost advantages can be large.
It is not fair to say that IP VPNs are always much cheaper than frame relay and other data technologies. The price of frame is decreasing, and much anecdotal evidence exists to suggest that frame relay carriers cut their pricing significantly when existing frame customers talk about IP VPNs and imply they may jump to another carrier.
Some configurations of frame may also yield lower prices than some IP VPN configurations. The same holds for private lines. Multiple point-to-point private lines will surely cost more than an IP VPN solution. The degree of savings depends greatly on the individual customer's network and needs.
It is incorrect to say that IP VPNs always and everywhere cost less. IP VPNs are likely to reduce the overall cost of a WAN solution, but multiple factors are at play and no blanket statements can be made.
IP VPNs make changing WAN configurations easier. The number of IP VPN connections does not make as much of a difference to the complexity of the WAN as it would with a private line or frame relay solution. Customers do not need to worry as much about the number and location of various sites as they would for a meshed frame network.
IP VPNs make sense if a company is planning the deployment of IP-based applications like intranets or global sales databases.
Remote access is a particular problem for WANs, since there are few alternatives. The Internet is ideal for remote access, because it extends just about everywhere. Users can dial into local POPs from nearly anywhere they are likely to travel. Frame relay connections do not travel.
So the remote access options are Internet dial without security and IP VPNs with security. If the company is going to allow access to LAN resources, IP VPNs make definite sense.
How IP VPNs Are Being Used
There are basically three ways in which IP VPNs are being used: remote access, site-to-site connectivity, and extranets.
Figure 3 shows survey data on how IP VPNs are used and what they are used for. Multiple responses were allowed, and it is clear that IP VPNs are typically deployed in order to meet more than one of these connectivity needs.
FIGURE 3: IP VPN Usage.
Of the companies currently using IP VPNs, 83.5% of them are using them for remote access. This result is not a surprise, since there are few other options for remote users. Site-to-site is also popular: 75% of the companies using IP VPNs use them for this purpose.
Extranets deserve special mention. The response rate for extranet usage is 38.4%, but this result is actually quite high compared to survey results from past years. Extranets are often discussed by some in the marketplace as a service in and of themselves. IDC views extranets as an increasingly common use of IP VPN technology, or as an additional benefit or reason to deploy site-to-site and remote-access IP VPN services.
The reason extranets are not ranking as high as remote access or site-to-site in usage is that extranets are often seen as an extra bonus in IP VPN deployments. Companies have few options for extranets. EDI is a tried-and-true technology but it is rather expensive. Extranet IP VPNs can be done with very little additional cost if an IP VPN is deployed for either remote access or site-to-site purposes.
While few companies will roll out an IP VPN only for use as an extranet, over one-third of companies using IP VPNs use them in part for extranets.
Implementation Types
Network vs. customer premise equipment (CPE)
Common device options
Firewalls
IP VPN-specific CPE
Routers
Servers/PCs
Network-based
Network-based Versus CPE-based IP VPNs
The equipment and software to run an IP VPN service can either be located in the carrier's network or on the customer premise. It is the location of the equipment and where IP VPN functions are performed that determine if an IP VPN is network-based or CPE-based.
Network-based IP VPNs are closely associated with MPLS, which is a protocol that allows an IP network to switch various data technologies. MPLS also allows the first network router to determine the path of the first and all subsequent packets in a data stream. This functionality is very helpful for real-time applications like voice and video, in which the quality of the service is greatly impacted by the order in which packets are received. You want the first syllable of your word to reach the listener before the second syllable, of course.
These traffic-engineering capabilities are relevant for IP VPNs, because it is one way that data privacy is ensured. MPLS separates different customers' traffic on the network in a way that is very similar to frame relay permanent virtual circuits (PVCs). MPLS partitions customer traffic.
Thus, a carrier that has deployed MPLS in its network, by definition, makes all of its IP customers attached to it IP VPN customers, by virtue of the traffic-partitioning feature of MPLS.
MPLS has quality of service (QOS) capabilities that allow users to give packets various priorities. QOS ensures that time-sensitive applications receive priority status over the IP connection and on the IP network.
[Figure 3 chart. Categories: Extranets; Site-to-site; Remote access. Horizontal axis: 0% to 100%. Source: IDC, WAN Manager Survey 2001.]
While network-based IP VPNs are closely associated with MPLS, the two are not synonymous. Network-based IP VPNs can use the traffic-partitioning capabilities of MPLS, or the carrier can simply place IP VPN equipment in the network cloud, often in data centers on the carrier network.
Thus, a network-based IP VPN service could be based on firewalls in the carrier data center. This is one example of a network-based IP VPN that does not use MPLS.
Device Options
Virtually any device with a microprocessor can perform IP VPN functions, such as creating tunnels and encrypting packets. These can be routers, servers or even PCs. Software, such as firewalls, can also perform IP VPN functions.
No one device or method is necessarily better than any other. The best implementation depends on the customer's needs, existing network devices, and cost considerations.
Figure 4 shows what implementations were used and in what intensity in 2001.
FIGURE 4: Implementation Type Usage, 2001.
Firewalls are the most popular IP VPN service implementation (see Figure 4). The reasons, perhaps, are not surprising. Firewalls are often already present on the corporate site, many carriers already offer managed firewall services, and firewalls are already associated closely with security. Why not add IP VPN functions with their related security features right on a device or piece of software that handles this function already?
Many of the do-it-yourself implementations use the firewall method. It's a relatively inexpensive and easy-to-implement solution, and corporate LAN administrators already use and operate firewalls.
However, firewalls were not originally designed for IP VPN functionality, and new features have had to be added to make them IP VPN ready. Most firewall vendors have done this, recognizing the market demand and the logical fit between firewall security and IP VPN security features.
IP VPN-Specific Devices
A common method of implementing an IP VPN from a carrier is to use a device specifically designed just for this purpose. These devices have the advantage that they are designed specifically for IP VPNs. The devices do not tap the resources of other devices that have functions other than that of a VPN, such as routing or protecting the corporate network from intrusion.
A disadvantage of these devices is that they represent one more box that needs to be placed somewhere at the corporate location or in the network. And since other, already existing devices at the corporate site can perform these same VPN functions, a VPN-specific device may become just one more piece of hardware taking up space.
Routers
Several carriers have IP VPN implementations that include a router implementation. Routers will inevitably be a common implementation for the do-it-yourself market, which will run IP VPNs on their existing routers at corporate sites.
The major advantage of this choice is that the corporate site probably already has a router existing at the location and routers exist in the carrier networks. A major disadvantage is that many routers are already fully tasked with important functions, and adding VPN tasks may reduce the performance of the routers for routing traffic (in theory their primary function). Router vendors often offer acceleration cards that will speed processing power to perform IP VPN tasks more efficiently without additionally taxing the router's processing resources.
Servers/PCs
Any computer can be made to perform VPN functions. This implementation is typically done on a server running software such as a firewall. However, even a simple PC can perform functions for VPN implementations that are not too complex.
PCs and servers may be very popular with do-it-yourself customers because special equipment is not needed and customers will most likely not need to make special capital investment in equipment. Also, IT departments are very familiar with PCs and may not be as intimidated as by an IP VPN-specific device with which they have little or no experience.
[Figure 4 chart. Question: What kind of IP VPN implementation do you use? Categories: Firewall-based IP VPN; Network-based (no-CPE); Router-based; IP VPN-specific CPE. Chart annotations: "Very large growth in 2001"; "Respondents including remote access here". Horizontal axis: 0% to 70%. Source: IDC, WAN Manager Survey 2001.]
Network-Based VPNs
Perhaps the most logical IP VPN implementation for a carrier is the network-based IP VPN. All IP VPN functionality is located in the cloud, or the hub, point of presence (POP), or data center.
Several carriers offer a network-based IP VPN service in which all dial-user authentication is done by RADIUS servers in the carrier network, and all encryption and tunneling is done once the IP traffic hits the carrier network.
The advantages of a network IP VPN are that no new CPE is required, it's relatively easy and painless for the customer to establish it and get it up and running, and it can be a very cost-effective solution compared with managing CPE internally by already-stretched IT staff.
Also, numerous equipment options are typically available, with all the equipment residing in the carrier network.
The biggest disadvantage of a network IP VPN is that encryption and decryption are done in most cases once the IP traffic hits the carrier network. Thus, traffic on the last mile is not encrypted or secured. This may not be as huge a security breach as it may seem, since that local loop is dedicated to that particular customer, but given the human traffic in regional Bell operating company (RBOC) central offices and the fact that the loop cannot be completely secured from a determined data thief, this solution may not be adequate for customers that have very stringent security requirements.
Another advantage (or disadvantage, depending on one's perspective) of a network IP VPN is that configuration changes and maintenance, by necessity, are executed by the carrier and not on the customer premises. Some overworked WAN managers (or those less at ease with the complex technologies underlying an IP VPN service) may be very happy to inform the carrier of configuration changes that are needed and let the carrier's staff alter the IP VPN service as specified.
Other more controlling, or paranoid, WAN managers (or those very experienced with the various IP VPN technologies involved) may well want to be able to see and reach IP VPN equipment at a moment's notice, or simply sleep better knowing it is within their reach. So the lack of CPE is either a big advantage or big disadvantage depending upon the customer's needs and on the carrier and its range of IP VPN service implementation options.
IP VPN Providers
Do-It-Yourself (DIY)
DIY is still the biggest IP VPN service provider in the United States. An increasing number of companies are choosing a carrier-provided IP VPN solution, but DIY is still the most popular IP VPN provider. The reasons are many and varied, but IDC believes the following are the main reasons:
Cost. IP VPNs are being implemented primarily because of the perceived cost savings of this WAN alternative. What could be less expensive than doing it yourself? But the WAN Manager Survey results show that carrier implementations are growing in importance. IDC believes that many companies have tried IP VPNs on their own and either failed to realize cost savings (when the cost of personnel time is included), or the technologies proved too cumbersome to administer with relative ease.
Control. The desire to maintain tight control over the IP VPN was also a strongly cited reason for a DIY implementation. WAN managers and LAN administrators are not known for their ability to trust others. These individuals tend to like to have a maximum amount of control over their networks, even if their systems become so complex that control is an illusion. The perception that keeping the IP VPN in house gives the organization the greatest amount of control is a powerful one in favor of DIY.
Slow rollout of carrier services. Many carriers came out with IP VPN services around mid-1999 (with some exceptions) and robust offerings in late 1999. Even in 2001, carriers are implementing new IP VPN services, adding functions and multiple service choices. Large-scale, robust and cost-effective IP VPN services from carriers have not been particularly rapid in coming. As a result, companies that in the past had looked for an IP VPN that met their particular specifications often found that one was not available from carriers at the time. Carrier IP VPN services, however, are considerably more mature in 2002.
Carriers
Why would a company go with a carrier when they can do it by themselves? Lots of reasons.
Figure 5 shows survey data as to why companies chose to use a carrier's IP VPN solution.
A preference for outsourcing (a combined category from multiple individual answers) is the biggest reason. This is not the slightest bit surprising.
FIGURE 5: Reasons for Carrier IP VPN Solutions.
Most WAN managers deal with frame relay and other data services providers. In a frame relay WAN, for instance, WAN managers are not setting authentication policies or making configuration changes on their own. They have their provider make those changes for them as part of the service.
A carrier-managed IP VPN frees up the WAN manager to manage the WAN and not force him/her to run the WAN. Most WAN managers and LAN administrators are not very familiar with WAN operational issues and may not feel comfortable with their ability to manage it well themselves.
Traditional WAN technologies are run and managed day to day by a carrier, and many WAN managers may want a similar management solution for an IP VPN.
The second-most-popular reason given in the WAN Manager Survey for using a carrier was lack of internal resources. Even if WAN managers or LAN administrators are capable of running an IP VPN on their own, they may lack the time to do so.
What to Look for in a Carrier Solution
There are several criteria any potential IP VPN customer should use in evaluating carrier options. Some of the items here may be of less importance to some users, and some users may have additional criteria. The essentials are listed here.
Financial security. Will the carrier be around in 2003? An IP VPN implies that the connection is mission-critical. You don't want to outsource a mission-critical element to a carrier that may shut you off if its business model fails.
Coverage. Does the carrier you are considering provide access in all locations where your company does business? If you plan a remote-access IP VPN, does the carrier have local-access numbers in all the locations where your employees will travel? If not, you will end up paying long-distance charges if the carrier does not have its own network or a roaming agreement with a carrier that does have local access in all those areas.
Remote access, site-to-site, extranets. Does the carrier support all your IP VPN needs? If you are only planning a remote-access or only a site-to-site IP VPN, you will have more options. But if you plan both types, the carrier should offer both as a standard service. And if you plan to connect customers or suppliers to your IP VPN to form an extranet, make certain the carrier does not require those customers or suppliers to have that same carrier's connectivity to reach your IP VPN. It may be easier to force your suppliers to change IP carriers, but don't try to tell your customers they need to change providers.
Service level agreements (SLAs). Are the carrier's SLAs comprehensive, with monitoring and credits with teeth? SLAs are very technical and legal documents, and it is important to read them carefully. Does the carrier offer competitive SLAs that allow you to monitor performance? Does the carrier proactively notify you if a credit is missed, or do you need to catch it yourself and file a trouble ticket to get credit? Do the SLAs have credits with real penalties for the carrier if missed, or do they have clauses that require the carrier to miss the credit for two consecutive months in order for the credit to be issued? Do the SLAs include a provision to allow you to cancel the contract at no penalty should the SLAs be badly missed? Credits are needed in SLAs, but you should find a carrier that has strong credits and never has to pay them. If your connection is mission critical, the credit amount will not make up for downtime or poor performance.
QOS. If you are running or planning to run real-time applications over your IP VPN, does your carrier have QOS capabilities with MPLS, DiffServ or other protocols to ensure that they perform as needed?
[Figure: "Q. What is your primary reason for choosing a service provider IP VPN solution?" Chart with a 0% to 30% axis showing the responses: Prefer to outsource; Lack resources; Security; Cost; Convenient/Ease of use; Design/implementation help. Chart annotation: "18% response in 2000." Source: IDC, WAN Manager Survey 2001.]
Conclusion
IP VPNs are a collection of technologies brought together to ensure the privacy of WAN data over IP networks. IP VPNs are growing in popularity; nearly half the medium and large enterprises in the United States use them.
IP VPNs are growing so rapidly because they are meeting the needs of businesses. IP VPNs allow for secure remote access for traveling or telecommuting employees. Site-to-site IP VPNs can offer a cost advantage over traditional data technologies and also allow for the addition of added features like extranets, as well as the relatively easy deployment of advanced IP services.
IP VPNs can function on the customer premise or in the carrier's network, and both types can use numerous devices and technologies to accomplish IP VPN functions. What particular implementation is best depends greatly on each company's unique business needs.
IP VPNs can be done in-house or purchased as a fully managed option from a carrier. While do-it-yourself is still the largest provider in the United States, that position will be eroded over time as carriers expand and improve their offerings and as more companies choose to leave WANs to the service providers with expertise in day-to-day WAN management.
Finally, the growth of IP VPNs is not a fad or pie-in-the-sky idea, like ubiquitous fiber to the curb or renting Excel from an ASP per use. Rather, IP VPNs make a lot of sense for most companies because they are flexible, cost effective, and enable numerous additional technologies and services that help meet today's business needs.
Steven Harris is research manager in IDC's ISP Markets, Business Network Services, and IP VPN research programs. Steven can be reached at sharris@idc.com.
Additional VPN & IP VPN resources on the Network World Fusion Web site
www.nwfusion.com
Network World on VPNs newsletter
Offers everything from how-to tips to analysis of the latest vendor and carrier offerings to make VPNs easier to understand and build.
http://www.nwfusion.com/newsletters/vpn/index.html
VPN research page
Get up to speed on VPN issues, including wireless VPNs, secure VPNs, MPLS, QoS and more.
http://www.nwfusion.com/research/vpn.html
Breaking VPN news
Keep up to date on the latest vendor, technology and product news.
http://www.nwfusion.com/topics/vpn.html
VPN audio primer
In this 6-minute primer, learn how VPNs work, as well as if they are right for your remote access needs.
http://www.nwfusion.com/primers/vpn/vpnprimer.html
Crafting service-level agreements for IP VPNs
Outlining key elements that are essential to include in every SLA.
Network World, 11/19/01.
http://www.nwfusion.com/columnists/2001/1119eye.html
Know what you are getting with your IP VPN
IP VPNs have advantages, particularly flexibility, dynamic bandwidth and the ability to provide secure connectivity to outside organizations. But not all IP VPNs are created equal.
Network World, 11/05/01.
http://www.nwfusion.com/columnists/2001/1105eye.html
VPNs: IP adds a new twist
IP VPNs are the latest wave in site-to-site connectivity, but not the least painful.
Network World, 09/24/01.
http://www.nwfusion.com/buzz2001/ipvpn/
2002 Network World Inc. All rights reserved.
