VPN Forecasts Reveal

Range of Roles, Promise

By John Makulowich

The din surrounding virtual private networks from a handful of industry stakeholders might give one the impression this suddenly popular approach to connecting local area networks is the newest candidate for the Internet's killer app of the month club. Whether the promise turns into the productive awaits the test of time.

Part of the din arises from the question about just what counts as a VPN. Traditionally, a VPN has been defined as a private network for voice and data built with carrier services. More recently, however, VPN "has come to describe private, encrypted tunnels through the Internet for transporting both voice and data between an organization's different sites," notes Tom Sheldon, author of the "Encyclopedia of Networking, Electronic Edition."

Disregarding the confusion, numbers gathered by the networking information research firm Infonetics Research Inc., San Jose, Calif., indicate ripe fruit for this market is only a few seasons away. The VPN market, which weighed in at $205 million in 1997, should grow more than 100 percent annually through 2001, according to a report released last year by the firm. The report, "Virtual Private Networks: A Partnership Between Service Providers and Network Managers," projects the market will reach $11.9 billion just after the turn of the century.

"Our report just covers data VPN," admits Larry Howard, vice president of Infonetics. "From our standpoint, VPN means using an IP [Internet protocol, the building block of the Internet] backbone for private data services."

Howard distinguishes three types of VPN: individual remote access used by "road warriors," that is, mobile workers, telecommuters and day extenders (those who continue working at home after office hours); site-to-site connections for company divisions and branch offices; and extranets offering access to suppliers and vendors. The common thread through all types is reduced cost of operation and secure communication, mainly IPSec, the Internet Engineering Task Force security protocols for VPN.

"Clearly, cost considerations are a major factor driving the market. There's no need to upgrade equipment and a burden is removed from the information services manager. Instead of a pool of modems, you can log into POPs (Point of Presence). One of the benefits is geographical reach," notes Howard.

In fact, he sees huge opportunities marketing to companies with offices overseas, based on the costs savings they can achieve by conducting communications over the Internet through a secure VPN. If VPN companies are to be successful in this sector, he said, they must make security not only easy but easy to understand.

Among the companies competing in the VPN space are: Secure Computing Corp., St. Paul, Minn.; VPNet Technologies Inc., San Jose, Calif.; and WatchGuard Technologies Inc., Seattle, each with a different approach and a different solution to the problem of secure communication over the IP network.

Vendors and Markets

At one extreme is WatchGuard, which calls its bright red Firebox offering a network security appliance and prices it at the low end of the market, less than $4,000. Featuring simple installation, the Firebox containing its Branch Office VPN software plugs in between the router and the trusted network on both ends of the connection. The software selectively encrypts, or creates a secure "tunnel," between Fireboxes.

Mike Martucci, vice president of marketing for WatchGuard

"We offer a lot of functionality in an appliance," says Mike Martucci, vice president of marketing for WatchGuard. "We combine a VPN with a firewall and O/S [operating system] independence."

Like the other VPN products on the market, WatchGuard's offers substantial savings over leased, dedicated lines or long-distance, dial-up connections for global communications.

While the company currently uses a proprietary protocol for security, Randy Boroughs, vice president of product management, says it will introduce an IPSec compliant Firebox within the next four months. "It's becoming the de facto standard for VPN and we're just following the momentum of the market."

Another approach to VPN, the Sidewinder Security Server with IPSec from Secure Computing Corp., is already on order by the Defense Department's On-Site Inspection Agency for use over SIPRNET (Secret Internet Protocol Routing Network).

An International Data Corp. report ranked Secure the 1996 firewall leader in the federal government, with a 33 percent share of the Defense Department market and 25 percent overall.

Secure Computing started out as a small branch of Honeywell, which pioneered modern data security in the 1970s, and was spun off in 1989. The firm comes to the VPN market with a suite of products and services for network security, including firewalls, World Wide Web filtering, identification, authentication, authorization, encryption, extranets and consulting. One of the larger network security companies, Secure claims more than 4,000 customers worldwide.

Momentum for VPN in the On-Site Inspection Agency comes through a directive from the Defense Information Systems Agency that defense agencies migrate from dedicated leased lines to SIPRNET.

The agency has just purchased five Sidewinder servers for each of its locations worldwide. The Sidewinder is a network security gateway between the network and the Internet and uses the patented Type Enforcement system for so-called perimeter security to prevent crackers from penetrating the protected network.

Keith Scott, OSIA network manager, says he is now in the process of installing the servers.

"The problem we are trying to solve is the high cost of maintaining dedicated leased lines throughout the world, especially in light of DISA's directive and our major concern with security. We need to protect what's inside the network yet provide services to remote locations. VPN represents a nice solution," says Scott.

The firewalls will be distributed to the five remote sites in the next 30 days. Testing in a laboratory environment took only a week. How long implementation will take at each of the sites is unclear because of the new technology.

Scott admits that one of the major features that drew him to Secure Computing versus the other two products he reviewed was the use of IPSec. "We want to stay standard and open systems." He was also impressed with the ease of administration, the inexpensive short training that lasted three to four days and the graphical user interface-based interface for monitoring the network.

At the other extreme of VPN vendors is VPNet, the San Jose company that prides itself on being the first company formed with a singular focus on VPNs. Among corporate investors in the privately held company are Raptor Systems and Security Dynamics Inc. Founded in October 1995, VPNet develops, makes and markets its VPLink architecture to both end users and original equipment manufacturers.

The VPN product line includes the VSU-1000, introduced in May 1997, and VSU-1010 (August 1997), which combine IPSec-compliant encryption, authentication, key management and compression technologies. For example, the VSU-1010 can be deployed on the LAN side in any 10BaseT network, while the VSU-1000 is used over public networks for private wide-area communication.

The company also offers its VPNmanager Tool Suite, a Java application that allows the use of a Web browser to manage the VPN, configure and check the status of service units, add remote sites and dial-in users, monitor the performance of private data transmissions and troubleshoot existing configurations.

Richard S. Kagan, vice president of marketing for VPNet

"I don't see VPNs as simply an extension of firewalls and routers, the traditional security approach. It really represents a unified WAN infrastructure, one extending intranets, remote sites and extranets. Its value is the unique ability to do all of that over a single line, with security and convenience. It sure beats the dedicated leased line," says Kagan.

An Early Adopter

The browser interface was one of the features that attracted Dave Timpany to purchase a VSU-1010 last year. The Topeka-based network planning manager in the Bureau of Telecommunications for the state of Kansas was clearly a VPN early adopter. His division is a network service provider to other Kansas state agencies.

He currently manages a private IP network that connects 480 state and local governments in Kansas back to networking headquarters in the state capital. He decided to implement a VPN between the offices of the Department of Revenue in Topeka and those in Kansas City and Wichita when the department began migrating to a new IP-based tax application. That software required secure access and encrypted communications.

"We're part of the Department of Administration and support such services as the state phone system, SNA network, voice-video backbone and multiprotocol networks running IP and IPX," says Timpany. "In data services, our charter is now wider. We can work with local government, not-for-profits and K-12. It's an attempt to leverage the technology and share resources."

The majority of users share the infrastructure, with agencies wanting to attach to the network responsible for their own LANs behind the router.

With 480 frame-relay access points in the state and 530 routers, the bandwidth ranges from 56 kbps all the way to T1 (1.544 Mbps).

When the Department of Revenue needed to connect two remote offices with IP, it needed a solution that included encryption. Like a good navigator, Timpany went on the World Wide Web early last year seeking a solution. His solicitation for bids attracted only three responses.

"That's when I started to run into IPSec [the IETF security protocol for VPN]. When I put the bid out last July, only VPNet and two other encryption companies replied. Part of my requirements was that the system had to support Ethernet and IP and 56-bit encryption and offer a compatible mobile solution. Only VPNet met the specs," notes Timpany.

"The VPNet [VSU-1010] met my functional requirements and was the cheapest solution at around $5,000. For my money, the boxes have worked as advertised."

The bottom line for Timpany were the cost and basic encryption. However, he expects more in his next product.

Young Industry

"The VPN industry is still quite young. I'm sure the capabilities will change and so will the price. One of the products needed is an authentication server, where we can make encryption a network service vs. having each agency come up with their own solutions. We need that to avoid incompatibility. I was hoping that Cisco [Systems Inc.] would add that to the router, but that has not happened," says Timpany.

The youthfulness of the sector comes across loud and clear in the comments of Michael Zboray, vice president and research director for the Gartner Group, a Stamford, Conn., market research firm. He remains skeptical of VPN's promise and the range of roles to which they can be put.

"Clearly, one of the benefits of VPN is that once you pay for the Internet you can use that unused capacity. On the other side, however, is the fact that the latency of the connection as well as the bandwidth can be variable. It's a good use for e-mail or stored voice mail, but certainly not for mission-critical networks," says Zboray.

He cautions that often in the past with the Internet, users have gone with the vision and ignored the performance issues. With the need for multiprotocol support for networks from remote access, reliance on IP without reviewing the issues surrounding IPX could present problems.

Overall, he feels that current estimates and projections are fairly far off target. In a paper he will deliver this April on his own research into VPN, he quotes figures quite different from those gathered by Infonetics.

When read the data from the San Jose research firm, Zboray commented, "$205 million in 1997? Look, there are only about 15 companies in this space, none of whom does over $10 million. I leave the math up to you."