Reviews

A market divided

VPN products run the gamut from simple encryption devices to multiprotocol tunnelers. One commonality is a lack of management finesse.

Business is booming for virtual private network (VPN) vendors. Every week, it seems, we receive word of a new product to add to our VPN watch list. Unfortunately, though, the VPN market is as fragmented as it is populated. While you'll have no trouble finding products to encrypt traffic and build private networks, there's no single solution that will solve all your problems - linking remote users to corporate LANs, building secure tunnels to branch offices and trading partners over the Internet, and encrypting sensitive internal traffic.

The bulk of the VPN market is focused on tunneling and encryption. Other features, such as quality of service, which might make sense for vendors to build into a VPN package, are generally not bundled with them. This makes life harder for network managers who want to build a true private network, but easier and less expensive for those who need just one feature, such as encryption.

Without universal agreement on how to build VPNs, vendors have divided into three camps based on Layers 2, 3 and 4 of the seven-layer OSI reference model. We've sorted out many of the details, including price, in our interactive buyer's guide. We'll continue to update this online resource, containing information on more than 50 products.

At the lowest level, Layer 2 VPNs tunnel PPP frames, so they carry IP as well as non-IP protocols such as IPX and AppleTalk. They also provide platform independence, because client systems typically need nothing beyond the dial-in networking software that ships with the operating system. However, Layer 2 VPN technology is aimed at the remote telecommuter, not the branch office, and lacks the flexibility that some LAN-to-LAN managers need.

Layer 2 VPNs include products based on the older protocols, Layer 2 Forwarding (L2F) and Point-to-Point Tunneling Protocol (PPTP), as well as the emerging IETF standard designed to replace them both, Layer 2 Tunneling Protocol (L2TP).

We expect to see growth in this segment as the Ciscos and 3Coms of the world sell L2TP products to ISPs and phone companies, but little of the growth in Layer 2 VPN sales will come from the corporate side. Enterprise network managers will instead spend their money on maturing Layer 3 VPN technology for branch-to-branch and extranet networking.

While Layer 2 products wrap PPP frames, and whatever protocols they carry, in IP, Layer 3 products encapsulate IP in IP. The Layer 3 VPN market today revolves around IP Security (IPSec), the IP encryption, authentication and tunneling protocol suite standardized by the Internet Engineering Task Force. Earlier key-exchange schemes, such as Sun's SKIP, are giving way to the IETF's Internet Key Exchange (IKE). Products based on IETF standards benefit from rigorous peer review by the best minds in the business, which is particularly important when it comes to encryption, the cornerstone of these VPN products. Bear in mind, though, that the review covers the protocol, not any one vendor's implementation of it.

Standardized IPSec VPNs also provide the ability to mix and match vendors. In theory, you can choose client software for PCs, Macs, and Unix systems, branch office VPN hardware, and central site VPN hardware from different sources, playing on the strengths of each vendor. Our first-hand interoperability tests, however, suggest that you can't take vendors' claims of interoperability for granted (see graphic, page 92).

Like their lower-layer brethren, Layer 4 VPN tools are basically encapsulating encryptors. However, products at this level are usually tied to a single application, such as e-mail or the Web. The most common implementation, HTTP over Secure Sockets Layer, is built into every browser: type https:// and you're using a Layer 4 VPN. (Strictly, SSL and its IETF successor, Transport Layer Security, sit above TCP; the point is that they protect one application's traffic rather than the whole IP stack.) Encrypted mail transport, or Simple Mail Transfer Protocol over TLS, and encrypted remote shells using the semi-proprietary Secure Shell protocols are continuing to spread. Note that SMTP over TLS protects only each hop between mail servers; it is not end-to-end message encryption.

With commodities come choices

But the bulk of the VPN market is the Layer 3 products. They're everywhere, packaged in routers, firewalls, software and dedicated hardware. And though VPN standards and implementations are complex, this complexity is hidden from the network manager, leaving little to differentiate products, even across different platforms.

The most obvious distinction among VPN products is in the management interface. Right now, management utilities are the weakest part of Layer 3 VPN products. Most vendors require you to handle each VPN device separately, which is OK when you have two sites to connect but impossible when you have 200.

Vendors such as Internet Dynamics, VPNet and Check Point Software offer good tools that allow you to manage multiple VPN sites from a single management domain. Similarly, the ability to handle hundreds or thousands of remote users gives vendors such as Intel and Microsoft a chance to shine. We expect to see more vendors catching on and better management tools beginning to appear over the next year.

Layer 3 VPNs are inherently simple, which makes it difficult to add bells and whistles. IP compression would seem to be an obvious addition: the IETF's IP Payload Compression Protocol (IPComp) squeezes each packet before encryption, and the order is not optional, because the output of a sound cipher looks random and will not compress afterward. Even so, compression hasn't become a universal feature. About one-third of the products included in our online features chart support it.
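The ordering point above is easy to see in code. The following Go program is an added illustration, not code from the article or from any vendor it names. It uses zlib DEFLATE and AES-CTR as stand-ins for the IPComp transform and the ESP cipher, omits the IPComp and ESP headers themselves, and works on a constructed key and constructed sample HTTP traffic. It also applies the IPComp rule that a payload which does not shrink is sent uncompressed.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// deflate stands in for the IPComp DEFLATE transform; the IPComp header
// itself is not reproduced.
func deflate(p []byte) []byte {
	var buf bytes.Buffer
	w := zlib.NewWriter(&buf)
	w.Write(p)
	w.Close()
	return buf.Bytes()
}

// ipcompPayload applies the IPComp rule: if the compressed payload is not
// smaller than the original, send the original and flag it as uncompressed.
func ipcompPayload(p []byte) (out []byte, compressed bool) {
	c := deflate(p)
	if len(c) >= len(p) {
		return p, false
	}
	return c, true
}

// encryptCTR stands in for the ESP cipher: AES-CTR with a random IV
// prepended. A real ESP packet also carries SPI, sequence number, padding
// and an integrity check; none of that changes the point about order.
func encryptCTR(key, p []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, block.BlockSize())
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	out := make([]byte, len(iv)+len(p))
	copy(out, iv)
	cipher.NewCTR(block, iv).XORKeyStream(out[len(iv):], p)
	return out, nil
}

// wireSizes returns the byte count that would go on the wire for the same
// payload under both orders of operation.
func wireSizes(key, payload []byte) (compressThenEncrypt, encryptThenCompress int, err error) {
	c, _ := ipcompPayload(payload)
	ct, err := encryptCTR(key, c)
	if err != nil {
		return 0, 0, err
	}
	ct2, err := encryptCTR(key, payload)
	if err != nil {
		return 0, 0, err
	}
	return len(ct), len(deflate(ct2)), nil
}

// randomBytes returns n bytes of CSPRNG output, used here as an
// incompressible payload (already-compressed or already-encrypted data).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// demoKey is a constructed 128-bit key for the demonstration, not a real one.
func demoKey() []byte { return bytes.Repeat([]byte{0x42}, 16) }

// sampleTraffic is constructed cleartext: repetitive HTTP requests, about as
// compressible as typical LAN traffic.
func sampleTraffic() []byte {
	return bytes.Repeat([]byte("GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"), 20)
}

func main() {
	text := sampleTraffic()
	a, b, err := wireSizes(demoKey(), text)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext %d bytes; compress-then-encrypt %d; encrypt-then-compress %d\n", len(text), a, b)
	_, used := ipcompPayload(randomBytes(1000))
	fmt.Println("IPComp compressed an incompressible payload:", used)
}
```

Run as written, the compress-then-encrypt figure is a small fraction of the plaintext while the encrypt-then-compress figure is larger than the plaintext, and the random payload is passed through uncompressed. The same rule is what keeps IPComp from making already-encrypted inner traffic (an SSL session inside the tunnel, say) bigger.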

Other additional features are rare. Newcomer Network Alchemy (whose products don't ship until June, when they will be added to our online chart) is the only vendor we surveyed that includes load sharing and clustering in its VPN products.

One reason for this shortage of distinguishing features might be the large number of VPN vendors. Stiff competition is driving product managers to push sales rather than spend resources on major product upgrades.

On the plus side, the increasing number of products has put a great deal of downward pressure on prices. Some hardware-based vendors, such as Intel, Nortel Networks, Lucent, and VPNet, have opted to use largely off-the-shelf PC hardware as the core for their products, in order to cut design costs and decrease the time it takes to get a product to market.

Ultimately, though, we think hardware vendors who have taken the time to design their own equipment, such as Radguard, RedCreek and TimeStep, will have the advantage in a price war. Once the design process is complete, production is less expensive because these vendors aren't paying for unnecessary parts.

You might think software-based VPN vendors would have huge profit margins. However, network managers are well aware of the additional money they'll have to spend for an NT server to house a software VPN from Check Point, Data Fellows or Axent, for example. This ancillary expense makes it impossible for software-based VPN vendors to corner the VPN market.

Where's the infrastructure?

One of the key pieces still missing in the VPN market is a true public-key infrastructure (PKI). With a global PKI, users can have secure communications without requiring a special pre-established relationship. For example, with PKI, users could send securely encrypted e-mail knowing each other's address and little else, because a shared trusted root and a directory of certificates would stand in for the introductions they would otherwise have to arrange themselves. Without a PKI, real Internet VPNs are going to be limited to company-specific solutions. Even within a single company, building a trusted PKI to support thousands of users is a major task.

Some VPN vendors, such as TimeStep and Check Point, understand the importance of a PKI in large VPN implementations; their products ship with a PKI. Microsoft, too, has quietly added PKI components to its Windows NT and BackOffice products. A PKI is more than a certificate authority: it also includes pieces such as registration and key request managers, and a way to revoke certificates that are lost or compromised.
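As an added example (not from the article or from any vendor it names), the Go program below builds the smallest possible PKI: two self-signed roots standing in for a company and a trading partner, a certificate for one e-mail user under each, and a relying party's trust store. The names and addresses are constructed. It shows why, without a common root, knowing someone's address is not enough: the partner's user fails validation until the partner's root is added out of band, which is exactly the pre-established relationship the text says a global PKI would eliminate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caPair is a self-signed root and its private key; it plays the part of a
// company's (or a partner's) certificate authority.
type caPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA creates a self-signed root permitted to sign other certificates.
func newCA(name string) (*caPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo serial; a real CA tracks these
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &caPair{cert: cert, key: key}, nil
}

// issue signs an end-entity certificate for one e-mail user under ca.
func (ca *caPair) issue(email string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(time.Now().UnixNano()),
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustStore holds the roots a relying party has chosen to trust.
type trustStore struct{ pool *x509.CertPool }

func newTrustStore(roots ...*x509.Certificate) *trustStore {
	s := &trustStore{pool: x509.NewCertPool()}
	s.add(roots...)
	return s
}

// add installs another root: the out-of-band step a global PKI would remove.
func (s *trustStore) add(roots ...*x509.Certificate) {
	for _, r := range roots {
		s.pool.AddCert(r)
	}
}

// trusts reports whether leaf chains to a trusted root, is valid now, is
// marked for e-mail protection, and names the address we mean to encrypt to.
func (s *trustStore) trusts(leaf *x509.Certificate, email string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     s.pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	})
	if err != nil {
		return false
	}
	for _, e := range leaf.EmailAddresses {
		if e == email {
			return true
		}
	}
	return false
}

func main() {
	corp, _ := newCA("Example Corp Root CA")
	partner, _ := newCA("Partner Inc Root CA")
	alice, _ := corp.issue("alice@example.com")
	bob, _ := partner.issue("bob@partner.example")
	store := newTrustStore(corp.cert)
	fmt.Println("alice under corp root:", store.trusts(alice, "alice@example.com"))
	fmt.Println("bob under corp root only:", store.trusts(bob, "bob@partner.example"))
	store.add(partner.cert)
	fmt.Println("bob after adding partner root:", store.trusts(bob, "bob@partner.example"))
}
```

The last check in trusts is the one most often skipped in practice: a certificate that chains to a trusted root but names a different address is still the wrong key, so name binding has to be verified along with the signature chain.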

It's clear that Layer 3 VPN products are here in force, and organizations are learning that they can easily and inexpensively add military-grade encryption to their IP traffic. However, weak interoperability, few distinguishing features and the lack of a PKI make adopting any vendor's VPN risky business. Despite the commodity nature of some of the products, building VPNs is still an adventure.

RELATED LINKS

Review: VPNs
We take 15 out for a spin. Network World, 5/10/99.

Interactive buyer's guide
Find the VPN that best matches your criteria. We have detailed specs for 57 models. You can search on specific criteria or compare two or more products against each other.

How to choose the right VPN product

A market divided
The state of the VPN market today. Network World, 5/10/99.

VPN Net Resources
Additional info, from primers to more advanced topics.

Snyder is a senior partner with Opus One, a consulting firm in Tucson, Ariz., specializing in e-mail, security and networking. He travels the world helping people build bigger, faster, safer and more reliable networks. He can be reached at joel.snyder@opus1.com.

Copyright 1994-2006 Network World, Inc. All rights reserved.