VPNs Branch Out
At last week's Supercomm tradeshow, BellSouth Corp. (NYSE: BLS) announced it would be the first Baby Bell to provide a fully managed VPN service to customers by the end of 2002. While the company didn’t reveal which vendor it was using to provide its VPN gear, it did state that it would be using Multiprotocol Label Switching (MPLS) technology and that the boxes would be located at the customer premises to provide remote users access to the network.
This is good news for the equipment providers that announced a slew of new gear and new enhancements to their existing VPN products at Supercomm.
According to an Infonetics Research Inc. report published today, managed, network-based VPN services will grow roughly 283 percent between 2002 and 2006, and managed CPE-based services will grow 178 percent. Unmanaged deployments are expected to decline 8 percent (see Infonetics Predicts VPN Boom).
“A lot of carriers go with CPE [customer premises equipment] devices first, because they can test it out without a huge investment in their network,” says Michael Howard, founder and principal analyst at Infonetics.
It seemed that every equipment vendor at Supercomm was chasing this potential VPN goldmine, with switching and routing vendors, optical networking companies, and firewall companies all touting VPN features. To make matters more confusing, none of these vendors seems to be using the same technologies to lock down Internet data connections for private use. Some equipment companies advocate deploying security equipment on the customer site. Some use IPSec technologies, while others advocate SSL technology. Some use MPLS, which is where it gets even more confusing: Equipment vendors are turning to varied flavors of developing MPLS standards to secure VPNs.
According to Infonetics’ findings, IPSec remains the dominant tunneling and encryption technology for VPNs, but MPLS and SSL are making headway. Worldwide end-user IPSec-based VPN service expenditures are expected to grow 49 percent, MPLS-based services nearly 800 percent, and SSL-based services more than 1,000 percent between 2002 and 2006, says the report.
The great variety of technologies involved has made "VPN" a somewhat generic term that now causes confusion, say analysts. “You can’t say 'VPN' and expect people to know what you mean,” says Infonetics' Howard.
Many carriers say they will be using a variety of products to roll out their VPN services. For instance, Verio Inc. announced a managed VPN service back in May at the Network+Interop show in Las Vegas (see Service Providers Jump on VPNs). The service it is offering will use network-based gear from CoSine Communications Inc. (Nasdaq: COSN) as well as MPLS-enabled Cisco Systems Inc. (Nasdaq: CSCO) routers, Cisco IPSec-enabled PIX firewalls, and encryption devices from NetScreen Technologies Inc. (Nasdaq: NSCN).
Vendors seem to have caught on to this trend and are adding multiple technologies to their products. For example, Nortel Networks Corp. (NYSE/Toronto: NT) announced a “hybrid” VPN solution last week at Supercomm (see Nortel Offerings Enable VPNs). It has integrated the management of its network-based Shasta 5000 Broadband Services Node -- a VPN switch that supports both IPSec and Layer 3 MPLS -- with its customer premises VPN offering, Contivity. While customers could always deploy both systems in the same network, Nortel says it has now made it much easier to manage and deploy. With the two as separate products, service providers would have to deploy client software from both systems at the customer site. But now, only one software client is needed.
Nortel says that service providers want to give customers as many options as they can. One customer may want its data encrypted end to end, in which case Contivity would be the preferred option. Another may not require encryption but may want to include another kind of service, such as content filtering, into its package. Shasta would serve this customer better, says Nortel.
Matt Williams, director of product management for Verio, agrees. He says that when Verio is connecting several multinational remote sites together in a meshed configuration, the network-based solution works best. Hooking up hundreds of CPE devices eventually becomes impractical. He adds that even though CPE deployments outstrip network-based deployments in volume by at least two times, network VPNs make carriers more money. But the truth is, both approaches are needed.
“All of these product types will survive,” Williams says. “They can each play in different parts of our networks, servicing different customer needs.”
— Marguerite Reardon, Senior Editor, Light Reading