A taste of VPNs

By Tim Greene AND BOB BROWN
Network World, 11/01/99

ATLANTA - Get together with the CEOs of four virtual private network (VPN) start-ups, and you'll hear some surprising things. We did just that over dinner in Atlanta recently and learned the following:

VPN product interoperability isn't all that important, but management sure is.
Cisco isn't such a big threat in the VPN world, but Nokia, Siemens and Alcatel are.
Customers are throwing money at VPN vendors, but most start-ups still aren't in the black.

These were some of the insights from our guests at Network World's second such gathering of VPN executives. Our scheme? Treat the execs to food and drinks at the bustling Veni, Vidi, Vici bistro, turn on the tape recorder and let them go at each other.

Indus River Networks CEO Per Suneby got things rolling by asserting that complete interoperability among VPN vendors' gear is not essential, particularly between implementations of the IP Security (IPSec) authentication and encryption standard.

"All this talk about IPSec interoperability is a big red herring, and it's pushed by vendors that in many cases don't have a real operational solution for customers today," Suneby said. His Acton, Mass., company specializes in remote access VPNs and prides itself on client software that can select the least expensive option for dialing in to a VPN. The IPSec standard isn't stable enough yet to expect interoperability, he said.

"I don't know if I buy that," retorted Mike Allen, CEO of VPNet, a San Jose vendor that is pushing hard to get carriers to base managed VPN services on its hardware and software. "Interoperability exists today to some limited extent. We interoperate with Cisco, TimeStep, Radguard and Check Point."

Another opinion was offered by Robert Thomas, CEO of NetScreen, a Santa Clara, Calif., firm that makes appliances that combine site-to-site VPN capabilities with a firewall and traffic-shaping technology. Thomas said individual corporations can live without interoperability because they can just buy one vendor's gear. But when it comes to extending a VPN to communicate with business partners, customers need interoperability, he said.

"Everyone wants to give everyone else access to their data - their suppliers, their customers. They want to do that securely, and they're not all going to use the same VPN equipment," Thomas said. "So you have to move to interoperability very quickly for the VPN market to achieve its true potential."

"With extranets, you'll get a trading group with one dominant partner who says this is the way it's going to be: 'All you 28,000 banks are going to interoperate this way, according to these rules.' That will work," Indus River's Suneby said.

"That won't work forever," Thomas shot back.

"It will start that way, though," said Kenny Frerichs, CEO of Network Alchemy, a Santa Cruz, Calif., company that focuses on selling hardware and software for VPNs that link corporate buildings in which many users want to tap resources at other sites.

Management is key

Frerichs and Suneby were veterans of our first VPN executive dinner, held last spring, whereas Allen and Thomas were additions to the guest list. What happened to the other two executives from our original meeting? TimeStep CEO Tim Hember declined his invitation because his company was in negotiations at the time to be acquired by its affiliate, Newbridge Networks. Meanwhile, Red Creek CEO Tom Stedding turned us down - or at least someone answering his e-mail did - because Stedding had quietly left Red Creek to "pursue other interests," as the company put it.

As for our new crew, all four CEOs agreed that network management is key to any VPN, whether it is run by an enterprise or a service provider.

"The issue is having an operational VPN," Suneby said. "How can you take care of your remote user and manage him? How can you enforce policies at these remote points? Management is fundamental."

"Enterprises also want statistics on service-level agreements so they can tell whether or not they are getting what they're paying for," VPNet's Allen said. "Service providers want to provide those statistics."

VPN product vendors need to develop a management system that gives customers and service providers a window into the management data the service provider is collecting, Allen said. That same management system needs to let customers set priorities for different traffic types so they can shape traffic that gets onto the VPN, he added.

"You can do a lot of things, but you'll never get it right for everybody," Network Alchemy's Frerichs warned. "It depends on what market segment you go after. The ISPs want you to manage anything and everything way beyond what you planned or intended."

Suneby said VPN vendors could meet more of customers' management needs by tying directory services in with VPN management tools. His company is working with Novell to devise a way to use directories to set policies for classes of VPN users, he said.

Indus River's Suneby, in fact, sees working with established vendors as a key to moving the VPN industry forward. In addition to working with Novell, Indus River has accepted funding from Novell and MCI WorldCom. Suneby also has a more conciliatory view of Cisco now than he and our other guests had during our spring gathering.

In May, the start-up CEOs saw Cisco as vulnerable and talked about challenging the network giant to a VPN shootout. Now, however, Indus River is a member of the Cisco Security Alliance program, whose goal is to certify that members' equipment works with certain Cisco gear. The change of heart is pure pragmatism.

"Our customers are saying, 'Look Cisco, look Indus River - figure out a way for Indus River stuff to work well within the Cisco IP ecosystem.' If I'm a customer, I see no reason to throw out a Cisco router if I can upgrade it to a VPN gateway. So we are working toward that level of interoperability," Suneby said.

With Windows clients offering VPN support and the prevalence of Cisco routers, one thing is inescapable, Frerichs said: "At the end of the day, all that matters is that you interoperate with Cisco and Microsoft."

Thomas, though, says Microsoft's plan to make Windows 2000 a full-blown IPSec VPN client is too ambitious to ever turn into reality.

"They say you'll have a fully functional operating system that does everything for you. Well, I think it's rubbish," Thomas said. "Windows is too complex already. It's too hard to install already. There are too many holes in it already. It's too slow already. It's never going to happen."

Competition heats up

Which established companies look to be the top VPN competitors? Our guests said Nortel Networks was the consensus pick.

"Nortel is everywhere," Frerichs said, noting this is good for start-ups. To counter Nortel's threat, Cisco is willing to make alliances with the VPN start-ups, ensuring that Cisco has a variety of VPN options. Cisco's alternative is to roll over and let Nortel grab VPN customers uncontested.

"Cisco would rather give the business to us than defer it to Nortel," said Frerichs, who worked briefly for Cisco after it acquired a previous start-up of his. "The bottom line is, it's easier for them to cede the business to us now because they can take it away later. Nortel's the real competitor."

So far, Lucent is not having much of an impact on the VPN market, Frerichs said. He speculated that the company is still busy digesting Ascend. "Lucent is like three companies inside one fighting for superiority," he said.

A larger threat looms from European telecom giants Ericsson, Nokia, Siemens and Alcatel, the start-up CEOs said.

"They're sitting out there with a lot of money," Frerichs said. "They have their own device plans, so they've just been waiting in the corner. Everybody here is duking it out and making absurd acquisitions, and these guys are just watching."

Suneby said the European firms need to advance beyond their traditional areas of dominance. "Nokia realizes they have to move beyond wireless handsets," he said. "Forming Unisphere [a Siemens start-up comprising three U.S. firms] is a very bold and necessary move for Siemens because the company needs to move into the IP data network business. The company also has to do it in a way that breaks with Siemens' German culture."

Meanwhile the CEOs said they think it is important to do more than just sell VPN gear; they have to install it as well.

NetScreen has a customer planning a VPN with 13,000 end users, and the customer wants to avoid installing the technology itself.

"They're saying to us they're willing to pay eight, nine or 10 times the price of a VPN client for a hardware solution they can plug in and configure themselves automatically over the network," Thomas said.

"There is a perception and a reality that installing VPNs is extremely difficult to do, especially for people who are not IT professionals," he said.

"The last I looked, most enterprises didn't have IT resources sitting around with nothing better to do than go out around the world and install VPN boxes. So if you can offer this service, that is valuable," said Allen, whose company acquired NeWorks Networking in August to provide VPN design, monitoring and management services.

Indus River's Suneby said many VPN customers are comfortable with outsourcing already and welcome a service that will set up a VPN.

"We'll offer customers project management for rapid deployment, and we'll charge them a pretty penny for it," he said.

Customers' willingness to pay indicates how important VPNs are to their overall network schemes. "It just says it's a major network implementation," Suneby said.

As the evening wore down, the CEOs agreed that the VPN market is still churning and that there are too many companies fighting for a piece of the action. Some, no doubt, will be weeded out in coming months. Regardless, each agreed to come back in the spring to break bread and update us on where the industry stands.

"Hopefully there will be four people here for dinner," Allen said.