Virtual Private Networks
Big Role Seen for Systems Integrators
By Heather Hayes
The market for virtual private networks is about to crack wide open, according to a number of industry analysts and players. And as agencies move beyond the cautious, early adoption stage to broader deployments, systems integrators can expect to reap the biggest benefits.
"It's going to be a huge opportunity for us," said Dave Bittenbender, vice president of network services for the federal civil group at Computer Sciences Corp., a systems integrator and IT consulting firm headquartered in El Segundo, Calif.
But a government agency cannot simply go to a telecommunications carrier and order a VPN, he said.
"Deploying a VPN sounds easy, but it can be very complex, and that's because there are probably a half dozen different ways to do it, if not more. So you really need an integrator to do it successfully," Bittenbender said.
Even the numbers bear that out. According to Infonetics Research, a market research and consulting firm in San Jose, Calif., covering the networking and telecommunications industries, dedicated VPN hardware revenue alone recently reached nearly $250 million a year and will hit $506 million next year, but services surrounding the technology currently top $2 billion annually.
"The most important piece in any of these VPN solutions is the integrator," said Ted Watson, VPN practice manager for GlobalNetwork Technology Services, a network consulting firm in Rochester, N.H., that offers a large VPN services portfolio. GlobalNetwork is a subsidiary of Cabletron Systems Inc. of Rochester, N.H.
Several factors drive the sudden popularity of the VPN, a technology that uses tunneling protocols and security procedures to create a kind of private data network over public networks such as the Internet. These include:
• The maturing of the technology;
• The growing number of VPN offerings on the market (enough, in fact, to jumpstart competition and drive more innovation and lower prices);
• The recognition that VPNs offer greater security than traditional alternatives, such as dial-up services and personal e-mail;
• The increasing comfort with the VPN's triple data encryption standard;
• The growing number of high-speed Internet connections to the home, field offices and other remote access points.
The last factor is "really starting to underscore the need to have some type of secure remote connection that can leverage these big, fat pipes to the Internet," said Robert Lonadier, director of security strategies for the Hurwitz Group, a research firm in Framingham, Mass. "As more and more of them get out there, it starts to make overwhelming economic sense to take advantage of them."
Another factor is the psychological uncoupling of VPN and public-key infrastructure. Known as PKI, this technology uses a public and private cryptographic key pair obtained through a trusted authority to securely exchange data over an unsecured public network.
For years, the two technologies evolved at a comparable rate, and many organizations saw them as interdependent and were waiting until they had PKI in place before adopting a VPN. As PKI development has slowed, the wait has ended, and many organizations are deploying VPNs.
"People have found uses for VPNs in very small networks, especially in site-to-site deployments where key management is not a terribly difficult operation," said Bob Robinson, security practice principal for the e-solutions unit at Sprint Corp., a long distance provider and supplier of VPN services headquartered in Westwood, Kan.
"On the other hand, PKI is absolutely necessary if you have very large networks connecting a whole bunch of sites that have to talk to each other," he said.
Greg Marcotte, director of VPN access for Cisco Systems Inc., San Jose, said that business and government IT officials have gotten more comfortable with the notion that the VPN is simply an extension of a classic wide-area network.
"As soon as you get to the realization that it's just a part of the WAN and not some radical reinvention, it becomes a lot easier to make the decision to move in this direction," he said.
Some government agencies are well on their way to using VPNs, lured by the practicality, convenience and cost-savings of transmitting information over free public networks. The Air Force, for example, is in the process of deploying a VPN, and the Environmental Protection Agency is looking at incorporating both point-to-point and remote access VPNs.
But many government organizations are still taking a wait-and-see approach. "I've seen more people seriously considering a VPN than I see actually deploying it," said Bittenbender.
Why the hesitation? Two reasons: The complexity of managing the infrastructure and the security aspects of a VPN; and the uncertainty of sending sensitive government information over the Internet.
"We're finding that the government is moving towards VPNs very slowly and very unevenly, and certainly not as an official broad rollout," said John Pescatore, research director for Internet security for the GartnerGroup, a market research firm in Stamford, Conn. "They're just being a lot more conservative than the private sector right now."
Don't expect such caution to last for long, said Marcotte.
"There is a substantial cost savings inherent in VPNs that is probably easier to recognize for a government agency," he said, noting the federal government's traditional predilection for expensive private networks. "A VPN allows them to actually shut down the private networks and expensive connections and piggyback on top of public networks. That will save them an incredible amount of money."
Still, undergoing VPN deployments of any ilk has its challenges. Among those is the issue of managing the deployment while figuring out how to incorporate the new technology into existing IT infrastructure in a way that is flexible for users but doesn't compromise security.
And that, said Marcotte, is why there is such huge demand for integrator skills.
"There appears to be a lack of IT staff to really deploy new large projects, so there's a heavy leaning back to the integrator or reseller to offer services such as configuring equipment, deploying systems and, even in some cases, managed services," he said. "We have found that organizations are turning specifically to integrators, because these folks not only have a very skilled, trained staff, but they can easily train those people on VPN and become the IT outsourcing team for a VPN project."
How quickly VPNs are accepted en masse hinges on how quickly Internet Protocol version 6 is accepted and made ubiquitous. But that, unfortunately, could take as long as 10 years, according to analysts.
The standard, which is already being used in a limited way, features IPsec, a standard protocol for transmitting encrypted data.
Bittenbender said that IP version 6 offers the kind of quality of service, including addressing capabilities and partitioning of services, and security controls embedded in the network that many organizations may want at their disposal before feeling comfortable with a VPN.
Robinson agreed: "Essentially, if we have universal IP version 6 running on the Internet, everybody will have automatic VPNs on demand. All traffic on the Internet will be encrypted if you want it to be."
An Alternate View
In much the same way Kool-Aid became an all-purpose word describing a sweetened drink, no matter what the brand, so too have virtual private networks that run over the Internet become generally known as VPNs.
These popular and much ballyhooed products, however, are not the only flavor on the street.
Crescent Networks, for example, recognized that emerging applications require more capacity and scalability than provided by Internet VPNs, and so recently came up with a new VPN called Dense Virtual Routing Network (DVRN), an architecture that fuses trusted (private-line-like) and dynamic (Internet-like) networking.
The company hopes to do for routed IP networks what dense wave division multiplexing did for fiber networks: in short, boost capacity and enable dynamic provisioning.
"The Internet VPNs tend to be built for individual users with low bandwidth and remote access needs," said Curt Newton, senior director of product marketing for Crescent Networks, a new startup in Lowell, Mass. "The VPNs that we're building are much more dynamic, support any connectivity and operate at optical scale as opposed to dial-up scale."
As a result, a DVRN solution supports business collaboration, virtual teams, virtual training and new content applications.
"What an organization would see if they're dealing with a service provider that has DVRN is they'd be able to go from an environment today where their virtual network supports mobile workers and e-mail pretty effectively to an environment where they can add to that things like very high bandwidth, outsourced storage, outsourced applications, and very rich content delivery," Newton said. "Things that are a real stretch with the current tools that they get from a service provider."
Service providers are clamoring to take a look at DVRN, a product that was released in May, Newton said.
Laurie Gooding, manager of WAN and service provider research at Cahners In-Stat Group, a research firm in Newton, Mass., said the DVRN solution is "truly visionary, enabling service providers to transition gracefully to an IP/optical core network without abandoning existing infrastructures and revenue streams."
"This solution aims to increase a carrier's revenue potential by making it easier and more cost-effective to provision enhanced IP services," she said.
Newton said, "There's a tremendous pent-up demand from businesses for this type of virtual network. They've come to know frame relay and the leased line and they see the power of the Internet but they have yet to be able to fuse them into a solution that's useful to them. That's what we're trying to do."
Knowledgeable Approach
In the meantime, integrators will have plenty of work as organizations take their tentative steps towards implementing enterprisewide VPNs.
Most players believe government agencies will start with remote access VPNs so telecommuters and small field offices can more securely send and receive sensitive and private information.
"Remote access is a pretty quick kill," Bittenbender said. "It's easier to implement than a WAN or point-to-point solution."
The key to success in implementing any VPN, both integrators and vendors said, is the ability to take both an enterprise and a user-focused approach.
Integrators have to understand networking, along with networking operating systems, the interoperability between operating systems and the technologies involved in firewalls and PKI.
But they also have to recognize, Lonadier said, that "at the end of the day, the end users are going to drive the adoption of the technology. There will always be traditional alternatives to VPN, and because it's not on everybody's desktop today, they really need to have a focus more towards the end-user experience and away from the traditional IT management, glass-house type of approach."
Still, without an enterprise approach, Robinson said, organizations will face compatibility issues within their organization, with business partners, and with future systems.
Watson believes project management is critical to a successful VPN implementation.
"It's probably the last thing that people think of, but the most important one in my opinion, because typically these are very large deployments, so you have to be able to keep close tabs on what's happening at the various sites and work with all the different organizations involved," he said.
Ultimately, the work will get easier as the ever-growing list of products continues to evolve and become more interoperable, and more organizations move towards adopting IP version 6, said Robinson.
"As VPNs become more and more interoperable, they will become almost universal," Robinson said. "Almost every organization that has more than one site or that has remote employees is going to VPN, because they'll find it's more cost-effective than leased lines or frame relay systems."
Marcotte agreed: "I think we're actually on the way to realizing the dream of using public networks to their fullest potential, and we're getting to the point of getting real deployment," he said. "Now, it's just a matter of getting those deployments realized."