Virtual Private Networking Version 2.0

Technological and market developments are pushing VPNs into the next evolutionary phase.

What forces are shaping this second iteration?

by Elizabeth Clark, Network Magazine, November 1999


Much like version 1.0 software, the first wave of VPN technology suffered its share of bugs and blunders. For some users, VPN setup hasn’t been the carefree experience the system vendor described. Many IT staffers have felt the fallout of skimpy management features. Others who opted for managed services have been cast adrift in a sea of Service Level Agreements (SLAs), security features, and connectivity options they don’t fully understand. And then there are those who’ve endured fidgety meetings with the CFO, trying to explain why the organization’s VPN hasn’t saved quite as much money as originally projected.

Compounding the situation has been the disproportionate hype that has swirled about in the VPN market. In reality, neither user adoption rates nor cost savings have lived up to initial forecasts.

But VPN technology, as well as the market forces affecting its development, is changing. Recent advances in security and QoS, new outsourcing opportunities, and the rising number of carriers and service providers offering VPN solutions are just some of the forces shaping this evolution.

As interest in VPNs has increased, so have the number of VPN services. VPNs are now being used for remote access, site-to-site connectivity, extranets, and intranets. They’re also being used to secure internal traffic within individual organizations—in effect, supplanting VLANs.

A study conducted by TeleChoice (www.telechoice.com), a telecommunications consulting firm, shows how adoption trends and users’ concerns are evolving. According to its “TeleChoice VPN Market Report,” which surveyed 501 organizations, 130 companies indicated they already have a VPN, while 175 said they are planning to implement the technology in the next 18 months.

One factor affecting the adoption rate is user priorities. According to the TeleChoice report, performance, security, ease of use, and price (in order of ranking by respondents) are the top criteria for choosing to adopt a VPN. While progress has been made in many of these areas, work still needs to be done to overcome some of the barriers that have made organizations reluctant to use the technology.

Another factor affecting VPN adoption rates is the option to outsource remote access. According to a recent study by Forrester Research (www.forrester.com), this is the primary driver behind users’ growing interest in VPN technology (see Figure 1).

The report also indicates that 46 percent of survey respondents plan to build their own VPNs, while 33 percent will opt for a managed service. Figure 2 shows why some respondents would rather keep VPNs in-house. (For more on outsourcing, see “External Affairs” below.)

External Affairs

One of the most important decisions to make about VPNs is whether to implement the technology in-house or to hand it off to an outside provider. Today’s market boasts an increasing number of outsourcing options, and more and more service providers are offering additional flexibility for customers’ individual requirements.

For example, an organization may decide to purchase only bandwidth or Internet connectivity from the service provider, or it may also offload functions such as VPN design, equipment installation, management, security, and help desk support.

Many outsourcing decisions are determined by company size. Smaller organizations often don’t have the internal resources to plan, implement, and maintain a VPN. “As VPNs become more ‘main street’ and start getting sold in greater quantities to small and medium-sized businesses, you’ll see the percentage of managed [outsourced] VPNs start to go up dramatically,” says John Lawler, VPN product manager at Concentric Network (www.concentric.com). Lawler also says carrier-managed VPNs will become more popular as these service providers develop the capacity to deliver end-to-end QoS.

Even if you choose to outsource your entire VPN, you’ll need an in-depth understanding of how your provider is implementing and maintaining it. Otherwise, you won’t be able to accurately evaluate your VPN’s effectiveness and integrity, and how well the service provider is meeting Service Level Agreements (SLAs).

The outsourcing trend has also provided fertile soil for the growth of application service providers in the VPN market. For instance, Bizee.com recently established a Web portal site that includes VPN services. The company’s Global VPN offering, available free of charge to business users, includes e-mail, chat rooms, request-for-proposal posting, and auctions. The service is based on Triple DES security licensed from V-One.

Such services could provide e-commerce capabilities to organizations that lack the financial resources, security infrastructure, or expertise to implement their own e-commerce strategy. Although some companies will be reluctant to conduct such transactions over a portal as opposed to a traditional private connection, others will likely accept the risk as an inherent tradeoff.

Regardless of the Web portal strategy’s success, however, VPNs will become an increasingly important technology for the advancement of e-commerce. 

When considering a VPN implementation, a major issue for potential users is whether to connect over a private network or a public IP-based VPN. While numerous options are available on both sides of this fence, organizations need to carefully evaluate the properties of each alternative.

On the public IP network side, QoS across the Internet is not yet a reality. In addition, these networks raise security concerns among some potential users. On the up side, Internet-based VPNs are widely available and relatively economical.

VPNs delivered over private networks, such as frame relay or ATM, provide a level of QoS control that can be difficult to duplicate over the Internet. However, these configurations can be expensive and don’t necessarily offer more solid security features than their Internet-based counterparts.

Fortunately, additional options are available on both the public- and private-network side, which is helpful for organizations trying to match their data communications needs with the proper medium.

PASSING THE PERFORMANCE TEST

Many recent developments in VPN technology have centered around performance issues, particularly QoS. Both service providers and vendors are scrambling to address this major concern.

The customer’s primary tool in effecting QoS is the SLA. User demand for such agreements is growing, and providers and carriers are responding with more stringent SLAs. For example, Concentric Network’s (www.concentric.com) ConcentricQoS service includes a 100 percent, premises-to-premises network availability guarantee and a maximum latency guarantee of 80 milliseconds (ms) for VPN connections.

Concentric’s guarantees are based on performance as measured by Inverse Network Technology (recently purchased by Visual Networks), which provides service-level management software and Internet benchmark services.

GTE Internetworking’s VPN Advantage includes separate SLAs for dedicated and remote access. For dedicated access, the company has an availability guarantee of 99.9 percent and a maximum latency guarantee of 125 ms.

For remote-access VPNs, the SLA stipulates a busy-free dial availability of 97 percent, or less than the industry average (as measured by Inverse Network Technology). The latency guarantee specifies an initial modem connect speed of 26.4 Kbits/sec (minimum) at 99 percent, or less than the industry average (also as measured by Inverse Network Technology).
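The article notes that a customer who outsources a VPN still has to check for itself whether the provider is meeting its SLA. The following is an added example, not code from the article or from any provider named in it: it parses a constructed probe log (the `<epoch> <status> <latency_ms>` format and the sample lines are assumptions made for illustration) and evaluates it against the dedicated-access guarantees quoted above. It deliberately shows the same measurements satisfying one provider's guarantee and not another's, which is the point of reading the SLA before signing it.

```python
"""Evaluate VPN probe measurements against published SLA guarantees.

Added example for illustration; the probe-log format and sample data are
constructed, not real measurements from any provider.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sla:
    name: str
    min_availability_pct: float  # share of probes that must succeed
    max_latency_ms: float        # no successful probe may exceed this


# Guarantee figures as quoted in the article for dedicated access.
CONCENTRIC_QOS = Sla("ConcentricQoS", 100.0, 80.0)
GTE_DEDICATED = Sla("GTE VPN Advantage (dedicated)", 99.9, 125.0)

# Constructed probe log: "<epoch> <status> <latency_ms>", status "ok"/"fail",
# latency "-" when the probe failed. One probe per minute.
SAMPLE_LOG = """\
946684800 ok 42.0
946684860 ok 61.5
946684920 ok 78.9
946684980 ok 95.3
946685040 ok 55.0
946685100 ok 70.2
"""

# Same format, but one probe failed, so availability drops below 100%.
SAMPLE_LOG_WITH_OUTAGE = SAMPLE_LOG.replace("946684920 ok 78.9", "946684920 fail -")


def parse_probe_log(text):
    """Return a list of (timestamp, reachable, latency_ms or None)."""
    samples = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, status, lat = line.split()
        reachable = status == "ok"
        samples.append((int(ts), reachable, float(lat) if reachable else None))
    return samples


def summarize(samples):
    """Availability as a percentage of probes, plus the worst observed latency."""
    total = len(samples)
    ok = [s for s in samples if s[1]]
    availability = 100.0 * len(ok) / total if total else 0.0
    worst = max((s[2] for s in ok), default=0.0)
    return {"probes": total, "availability_pct": availability, "max_latency_ms": worst}


def evaluate(sla, samples):
    """Return (compliant, summary, violations) for one SLA."""
    summary = summarize(samples)
    violations = []
    if summary["availability_pct"] < sla.min_availability_pct:
        violations.append(
            f"availability {summary['availability_pct']:.2f}% "
            f"< guaranteed {sla.min_availability_pct}%"
        )
    if summary["max_latency_ms"] > sla.max_latency_ms:
        violations.append(
            f"max latency {summary['max_latency_ms']:.1f} ms "
            f"> guaranteed {sla.max_latency_ms} ms"
        )
    return (not violations, summary, violations)


if __name__ == "__main__":
    for log_name, text in (("clean", SAMPLE_LOG), ("outage", SAMPLE_LOG_WITH_OUTAGE)):
        samples = parse_probe_log(text)
        for sla in (CONCENTRIC_QOS, GTE_DEDICATED):
            ok, summary, problems = evaluate(sla, samples)
            print(f"[{log_name}] {sla.name}: {'compliant' if ok else 'VIOLATED'} "
                  f"{summary} {problems}")
```

A real deployment would sample far more often and over a full billing period, since a 99.9 percent guarantee cannot even be distinguished from 100 percent with fewer than a thousand probes; the structure of the check stays the same.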

Living up to SLAs means overcoming some significant hurdles. “QoS is challenging from a carrier perspective because we’re now becoming even more involved with the LAN,” says Concentric Network’s John Lawler. “It used to be very simple to be a carrier—we stopped at the router. But now we’re going further and further into the [customer’s] network.”

At the heart of the QoS issue is effective traffic prioritization. Current mechanisms include Multiprotocol Label Switching (MPLS), Differentiated Services (DiffServ), Class-Based Queuing (CBQ), and Common Open Policy Service (COPS).

MPLS, which is based on an IETF spec, defines a process in which a label is attached to an IP header to increase routing efficiency and enable routers to forward packets according to specified QoS levels. With MPLS, routers can assign explicit paths to various classes of traffic.
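To make the label mechanism concrete, here is an added example (not code from the article, the IETF specification, or any vendor named on the page). An MPLS label entry is a 4-byte shim carried ahead of the IP header: a 20-bit label, 3 experimental bits (the field routers use to carry the traffic class), a bottom-of-stack flag and a TTL. The code builds a constructed two-label packet over a minimal IPv4 header, parses the stack, reads the DiffServ code point from the IP header beneath, and simulates one label-switching router swapping the top label using a constructed forwarding table; the EXP-to-class mapping, the `LFIB` entries, the addresses and the next-hop names are all assumptions made for illustration.

```python
"""Parse and switch an MPLS label stack (added example; tables are constructed).

Label entry layout (RFC 3032): label 20 bits | EXP 3 bits | S 1 bit | TTL 8 bits.
"""
import struct

# Assumed local policy mapping EXP bits to a forwarding class (not a standard).
EXP_CLASS = {0: "best-effort", 1: "bulk", 2: "bulk", 3: "standard",
             4: "standard", 5: "expedited", 6: "control", 7: "control"}

# Constructed label forwarding table: in-label -> (out-label or None to pop, next hop).
LFIB = {1001: (3003, "lsr-b"), 1002: (None, "egress-router")}


def encode_label(label, exp, bottom, ttl):
    """Pack one label stack entry into 4 bytes."""
    if not (0 <= label < 1 << 20 and 0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("label entry field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)


def parse_label_stack(data):
    """Return (entries, payload_offset); entries are dicts, top of stack first."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", data, offset)
        entry = {"label": word >> 12, "exp": (word >> 9) & 0x7,
                 "bottom": bool((word >> 8) & 1), "ttl": word & 0xFF}
        entries.append(entry)
        offset += 4
        if entry["bottom"]:
            return entries, offset


def build_ipv4_header(dscp, src, dst):
    """Minimal 20-byte IPv4 header; checksum left as 0 for this illustration."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 6, 0,
                       bytes(src), bytes(dst))


def ipv4_dscp(payload):
    """DiffServ code point: the upper 6 bits of the IPv4 TOS byte."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        raise ValueError("payload is not an IPv4 header")
    return payload[1] >> 2


def forward(packet, lfib):
    """Simulate one LSR hop: drop on TTL/unknown label, else swap or pop the top label."""
    entries, _ = parse_label_stack(packet)
    top = entries[0]
    if top["ttl"] <= 1:
        return {"action": "drop", "reason": "ttl expired"}
    if top["label"] not in lfib:
        return {"action": "drop", "reason": "no LFIB entry"}
    out_label, next_hop = lfib[top["label"]]
    rest = packet[4:]
    if out_label is None:
        action, new_packet = "pop", rest
    else:
        action = "swap"
        new_packet = encode_label(out_label, top["exp"], top["bottom"], top["ttl"] - 1) + rest
    return {"action": action, "next_hop": next_hop,
            "class": EXP_CLASS[top["exp"]], "packet": new_packet}


# Constructed packet: outer label 1001 (EXP 5), inner label 2002 (bottom), EF-marked IPv4.
SAMPLE_PACKET = (encode_label(1001, 5, False, 64)
                 + encode_label(2002, 0, True, 64)
                 + build_ipv4_header(46, [10, 0, 0, 1], [10, 0, 1, 1]))

if __name__ == "__main__":
    entries, off = parse_label_stack(SAMPLE_PACKET)
    print("stack:", entries, "inner DSCP:", ipv4_dscp(SAMPLE_PACKET[off:]))
    print("hop result:", forward(SAMPLE_PACKET, LFIB))
```

Note that the label's EXP bits and the IP header's DSCP are independent fields: a provider's edge router has to copy or map one into the other if the class the customer marked is to survive the labelled part of the path, which is one reason end-to-end QoS across provider boundaries is harder than it sounds.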