By Tim Greene
Network World, 09/24/01
VPNs are indeed replacing wide-area frame relay and dedicated
links, but they come with some pain, suffering and slippery cost savings.
Britton Choi, network operations engineering manager for Hogan
& Hartson, a Washington, D.C., law firm, says his company uses a VPN to
connect with its European offices, at only 60% of the cost of frame relay
links.
Paul Chambers, enterprise technologist at storage vendor EMC,
says after his company makes an acquisition, he quickly integrates the new
company's network into EMC's by running site-to-site VPN links over the
Internet, instead of waiting weeks or months to install frame relay lines.
Paul Forbes, network engineer for Trimble Navigation in Sunnyvale,
Calif., says he's found latency across Internet-based VPNs is, on average,
as good as or better than that of frame relay.
Glowing endorsements. But before you tell your carrier to
turn off your frame relay links and ditch your private lines, consider the
issues that still need to be addressed with site-to-site VPNs, known in more
trendy circles as IP VPNs.
Vendors have to make managing large corporate VPNs simpler,
users say, and more ISPs need to make network infrastructure improvements
that let them reliably deliver the service with the kind of low latency Forbes
gets. Before counting up their savings, users must also factor in VPN support
costs and be prepared for a steep learning curve.
IP VPNs rely on dedicated links only to connect a site to the
Internet; after that, traffic is carried through the Internet
cloud. Just as dial-up VPNs reduce remote access costs by eliminating
the need for toll calls and toll-free numbers, IP VPNs are intended
to cut costs by using the Internet for long-haul WAN links instead
of private lines and frame relay.
Users are getting the message. By the end of this year, 45%
of companies with 100 to 1,000 employees will use IP VPNs for at least some
network connections, according to an Infonetics Research study of 1,401 businesses
in the U.S. and Canada. And 68% of companies with more than 1,000 employees
will use IP VPNs that connect corporate buildings via the Internet, the study
says. While many of these companies use VPNs sparingly, the figures still
point to widespread interest in the concept.
Climbing the curve
Trimble has a better-developed VPN than most, but getting
there wasn't easy. While any new technology can be a challenge to learn,
for VPNs the curve is steeper because the technology is still evolving.
Forbes has worked on Trimble's 15-site international VPN
for 18 months. Given that Trimble is a Cisco user, he initially felt a VPN
based on Cisco VPN concentrators was the way to go. Later, he tried Cisco's
PIX firewall/VPN gear, but decided building tunnels between routers was a
better option. And now he feels that running routing protocols through VPN
tunnels based on the IP Security (IPSec) standard is the best choice.
"We have sites that are vastly different in their configuration
from a site that was built three or six or nine months later,"
Forbes says. "But we are converging on a common implementation
of the [generic routing encapsulation (GRE)]-IPSec model."
Forbes lauds the ability to route through IPSec tunnels, a
capability made possible using the GRE capabilities of his Cisco VPN gear.
While this GRE capability was available when Forbes started his VPN quest,
he was unaware of it. Instead of simply traveling from one site to another
via static point-to-point tunnels, traffic can now be routed among Trimble's
15 sites as necessary, with routers on either end sharing network status data.
In fact, tunneling routing protocols through IPSec is one
of the advances making VPNs more acceptable for widespread WAN use, says Chuck
Horvat, director of network infrastructure for Divine, a portal software developer
in Lisle, Ill.
Building individual tunnels between each pair of sites, as
he does for the 20 sites on Divine's VPN, is a laborious process, Horvat
says. It takes so much effort that Divine feels discouraged from creating
a fully meshed VPN, thereby forfeiting one of the key attractions of IP, which
is the ability to easily connect any device to any other on the network.
"Configuring tunnels manually is OK now because we don't
have that many sites," says Horvat, who uses NetScreen's firewall/VPN
appliance. "But if you could use traditional routing protocols within the
tunnels, then you could really scale. You could have 150 or 200 sites fully
meshed."
Cisco's GRE/IPSec combination attempts to address this,
as does Lucent's VPN equipment. "Anyone who is working on equipment for
large IP VPNs is working on that in some way or another," says Jeff Wilson,
an analyst with Infonetics.
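As an added illustration (not from the article, and not Trimble's or Divine's actual configuration), here is what the GRE-IPSec model Forbes describes looks like on one end of a Cisco IOS router: the GRE tunnel is a routable point-to-point link, OSPF runs across it so each site learns the other's subnets, and IPSec protects the GRE packets. All addresses, names and the pre-shared key placeholder are assumed.

```cisco
! Site A router (assumed: WAN 203.0.113.1, LAN 192.168.1.0/24).
! Site B mirrors this with WAN 198.51.100.2 and LAN 192.168.2.0/24.
!
! Phase 1 (IKE) policy and the peer's pre-shared key (placeholder value).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE_SHARED_KEY> address 198.51.100.2
!
! Phase 2: ESP in transport mode is enough, because GRE already supplies
! the outer IP header between the two tunnel endpoints.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-IPSEC
 set transform-set GRE-TS
!
! GRE tunnel: a real interface that routing protocols can run over,
! rather than a static crypto-map traffic selector per site pair.
interface Tunnel0
 description GRE over IPSec to Site B
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile GRE-IPSEC
!
! OSPF across the tunnel: a new subnet at either site is advertised
! automatically instead of being added by hand to every site's tunnel policy.
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
```

Once both ends are up, `show crypto ipsec sa` confirms the GRE traffic is being encrypted and `show ip ospf neighbor` confirms the adjacency formed through the tunnel; the reduced MTU and MSS settings keep GRE-plus-ESP overhead from causing fragmentation on the Internet path.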
Management and money
Another challenge is managing security policies, which can
vary from site to site, user to user and application to application. "When
a large corporation has hundreds of sites, all with specific security policies
regarding what can go in and what can go out of them, how do we centrally
manage and support that globally? That's the type of thing I wonder about,"
EMC's Chambers says.
He hopes a new version of Check Point Software's firewall
and VPN software, dubbed NG for Next Generation, will help solve the problem.
The bulk of changes to the Check Point software are geared toward easier management,
such as automated software and policy updates configured at a central location.
NG also centrally logs data from Check Point gear and third-party security
tools, such as intrusion detection systems. Vendors including Avaya, NetScreen
and Lucent already have similar management tools, and others say they are
working on them.
Such tools will be important because the staff required
to distribute software to each desktop, and administer and monitor
a VPN add to the bottom-line cost, says Joel Snyder, a senior
partner at OpusOne, a technology testing firm in Tucson, Ariz.
"Support kills you, as well as having to touch every desktop."
Savings can also be offset by factors such as the need for
additional Internet-access bandwidth at major sites to accommodate the VPNs.
And you can't take for granted that a VPN will always be cheaper than frame
relay or leased lines.
Questions to ask IP VPN vendors
Does your service-level agreement measure latency between my actual sites or just across the service provider's own network?
Has your VPN gear proven to actually interoperate with equipment from other vendors, as opposed to merely being labeled "standards compliant"?
Does your VPN management platform distribute centrally generated policies to remote VPN equipment to promote scalability?
Are applications and resources available to authorized users from any device?
Will this VPN save me money, even when factoring in maintenance costs and the need for additional bandwidth at hub sites?
On one hand, Choi says Hogan & Hartson now pays just $5,500
for an E-1 Internet connection to an office in Warsaw, Poland, whereas
the company previously paid $11,000 per month for an E-1 frame relay port
with a guarantee of 128K bit/sec. Similarly, Divine saved $41,000 per month
by migrating an 18-site frame relay network it inherited in an acquisition
to a VPN, Horvat says. But Divine elected to stick with dedicated T-1 links
to tie together four offices near Chicago because the T-1s cost just $500
per month. "Cost rules on this," he says.
A good response
Performance woes can likewise mitigate any cost savings. Users
find the delay between sites on VPNs varies from 40 msec in the U.S. to 700
msec between Europe and the U.S. That's not necessarily bad, but not being
able to accurately predict the delay can be crippling. For instance, Trimble
uses a manufacturing and finance application that times out if delay is too
long. So the company monitored VPN performance carefully to ensure it would
support the application. Frame relay lines that used to carry this traffic
are used for backup and for packet voice trials, Forbes says.
Placing application servers regionally might solve the problem.
If all the traffic to a server is from nearby sites, the average VPN latency
is low enough to give a response time as good as frame relay, Forbes says.
"If you are trying to do it globally, your latency can get really, really nasty," he says.
Using only one service provider's network can likewise give
good response times, but users would ideally like to get service level guarantees
for traffic that crosses multiple providers' networks. That will require
providers adopting a standard such as Multi-Protocol Label Switching (MPLS),
an IP traffic shaping and signaling technology.
Major router vendors support it, but interoperability is still
poor, and with service provider cutbacks, installing MPLS gear will be delayed
until the economy improves, says Erin Dunne, an analyst with Vertical Systems
Group. "The overwhelming majority of carriers have no plans to install MPLS
because at this point their backbones are working," she says. "Or if they're
planning it, they're talking late 2002 or early 2003."
Some carriers, such as AT&T and Equant, use MPLS in delivering
services, but don't pass MPLS quality-of-service (QoS) data to other providers'
networks. Other providers, including WorldCom, offer QoS on their own networks,
but use technologies other than MPLS to support it, such as ATM and frame
relay. A new provider, CoreExpress, has sprung up specifically to address
this problem. Its U.S. network supplies an MPLS backbone that supports service
level guarantees. Customers use ISPs' access networks and link them via
CoreExpress' MPLS network.
For users who run only IP-centric applications, current
services should suffice in most cases, Dunne says. The exceptions
are applications that are highly sensitive to latency, including
voice, video and certain legacy applications.
Still, users are frustrated by service providers that can't
offer meaningful service-level agreements (SLAs). What they want is delay guarantees
similar to those offered through frame relay services.
"[VPN] SLAs are not worth the paper they are written on,"
Forbes says. "There's just been too many times when the [promised performance]
has been dramatically off. Plus some of them are hub-to-hub SLAs. That doesn't
deal with any of the local loop issues."
As a result, users such as Choi piece together services from
different ISPs, depending on which seems best in a given region. "In Miami
we use BellSouth, for example, because they get their pipes in a lot faster
and provide us better bandwidth and a little bit better support," he says.
In addition to actual shortcomings users find with IP VPNs,
there is also the perception among corporate bean counters that VPNs are not
reliable. "Network engineers are more comfortable with it than business
people are. A lot of my job is to work with the business people to explain
the strengths and weaknesses," Horvat says.
While keeping those weaknesses in mind, remember also that
as compared to dedicated lines, frame relay and ATM, IP VPNs are still in their
infancy. If you're aware of the shortcomings, and use VPNs judiciously,
you can reap the benefits that are to be had now and be well positioned for
those to come.
As Forbes says, "As long as you're not dealing with traffic
that is highly latency sensitive, I'd say pull the trigger, go for it, get
into it."