Mailbag: The hidden costs of VPNs

In a recent newsletter headlined “The Hidden Costs of VPNs” (see editorial link below) I wrote about the disappointment some users felt when they installed VPNs in the hopes of saving money only to see the savings dwindle away with increased administrative and help desk costs.

Since then readers have written in to say there’s something wrong if someone replaces a frame relay network with an Internet-based VPN and can’t save money. They either don’t have a grasp of the technology or they were getting a great deal with their frame network, they say.

One reader wrote: “On average, customers are paying anywhere between $450 and $1,200 a month per site on dedicated circuits. Compare that with $45 a month (average) per site DSL connections and the upfront cost (anywhere from $350 to $1,295) of the VPN hardware per site.” So based on these numbers, the savings are significant enough to support a three-month payback in the worst case.

This same reader, who says he has installed hundreds of VPNs as a systems integrator, also says that once site-to-site VPNs are set up properly, they should be very stable and require little maintenance. “If they are properly installed and configured, then your only worry would be losing the actual connection, which is certainly beyond the customer’s control. Aside from that, they just work!”

A different reader had similar experiences and said the reason was that site-to-site VPNs required nothing from technically untrained end users. “The problems we have encountered invariably arose from trying to connect non-technical remote users with client software. The cost of installing the client software, teaching the user how it worked, maintaining dropped connections, etc., became more trouble than it was worth.”

As a result, this reader moved to Secure Sockets Layer (SSL) remote access, which requires no client setup. Another reader who shifted to SSL says the cost of setting up remote computers – in some cases buying new ones – to support a VPN client and buying KVM switches to take control of the remote machines when they ran into trouble, cost too much. It was worth the expense to stop using IP Security (IPSec) remote access and switching to SSL. “Not to mention a serious reduction in help desk calls,” he says.

These responses support speculation that SSL remote access will become the preferred way for individual users to access networks over public IP networks, and IPSec or MPLS VPNs will become the way in site-to-site configurations. It will be interesting to see whether this plays out to the extent that vendors cut back on their IPSec remote access offerings in favor of SSL.