IP-VPN: The new favourite
No technology in the world can block the progress of another.
Gone are the days when ATM and Frame Relay were found very effective options
for secure networking and remote connectivity over WAN. Now better, lower-cost
and more effective options have emerged—first VPNs, then VPNs riding the IP
backbone, says RAHUL NEEL MANI
| According to Avinash Purwar, VPNs save money because
they use the Internet and not costly leased lines |
Today’s enterprises are making efforts to expand in
different directions. At multiple locations they have personnel, telecommuters
and field officers, all of whom need to connect securely to both the Internet
and the intranet.
Implementing such a system is not simple.
The variety of communication media, spread of locations, and demand for enabling
employees to access critical data from anywhere make it a challenge to set up
a secure point-to-point and multi-point connection. Making a wrong choice could
result in loss of money and vulnerability of confidential data. A virtual private
network (VPN) has thus emerged as the most popular solution on a worldwide basis.
(An IP-VPN is nothing but a VPN that uses the Internet Protocol for routing
packets; by default, IP represents the vast majority of data traffic in use
today.)
Two large research companies—IDC and Infonetics
Research—have stated that the adoption of IP-VPN is on the rise worldwide, and
back home in India the figures provided by IDC endorse its findings at the international
level. A survey conducted by global research firm In-Stat/MDR indicates that
out of 200 business groups (each with over 1,000 workers), 81 percent currently
use IP-VPN while 9 percent plan to use it in a couple of years. About half of
those who already have an IP-VPN are also thinking of carrying voice traffic
over it. The indicators additionally suggest that many of these companies are
planning to extend IP-VPN connectivity to their employees who work with wireless
devices outside the office.
All in all, In-Stat estimates the total
VPN market to be worth $8 billion, with the potential to grow by 33 percent
every year through 2006. IDC India currently expects the segment’s revenues
to grow from Rs 230 crore in 2003 to Rs 1,141 crore in 2008, at a compounded
annual growth of about 26 percent during this period.
Reasons for adoption
According to these research firms, the
primary reason for adopting IP-VPN is security, which is a little surprising.
Says Arup Chakraborty, director, network services, HCL Comnet, "IP-VPN
natively does not have security features, but the adoption of IPSec and tunnelling
addresses the issue to a large extent. VPN providers also offer authentication,
but not as extensively as encryption. Service providers offer encryption for
the remote client using either encryption software or a hardware encryption
device." Ashok Agarwal, director for Broadband Operations at Hughes Escorts
Communications (HEC), says that encryption up to 3DES is common today.
The second major reason for adoption of
IP-VPN is cost-cutting. "The total cost of ownership (TCO) of an IP-VPN
is much lower than that of a dedicated point-to-point network." Agarwal says
that in most cases the service provider takes care of the entire WAN network
management. In an ever-tightening market where top line growth becomes a casualty,
enterprises need to strike a balance between retaining their competitive edge
and remaining profitable. "IP-VPNs help enterprises do this effectively.
They seamlessly address connectivity needs for all constituents: intranet across
boundaries, value chain (supply and demand), mobile workforce, and travelling
employees and customers," affirms Rahul Swarup, president of Enterprise
Solutions at Sify, a top VPN service provider.
IDC India feels that compared to technologies
like VSAT, ATM and Frame Relay, VPNs are more cost-effective and easier to implement.
Unlike VSATs, they require no government permission for installation, and no
additional hardware needs to be present for implementation. On a worldwide basis,
Infonetics found that the low-cost, high-availability factor was the most crucial
reason for adopting IP-VPNs, followed by ease-of-use, quality of service (QoS)
and bandwidth management. Declares Avinash Purwar, business development manager
with Cisco, "VPNs save money because they use the Internet and not costly
leased lines. Prior to VPNs, many companies with remote offices communicated
through WANs or by having remote workers make long-distance calls to connect
to the main office server. Both can be expensive propositions."
The In-Stat/MDR research mentions that
IP-VPNs are attractive because they are secure and less expensive than point-to-point,
dedicated, digital circuits such as T1 lines. They also cost 20-40 percent less
to operate and maintain than traditional VPNs, so cost is the paramount reason
to stay with IP-VPNs.
| IP-VPN natively does not have security features, but
the adoption of IPSec and tunnelling addresses the issue to a large extent,
says Arup Chakraborty |
Security issue
The most important inhibitor to adopting
IP-VPN is security. It must be as secure as WAN and leased-line solutions. The
security features should enable users to protect the data that is transported
from any interception or tampering.
Says Agarwal, "It is as secure as
a point-to-point dedicated link. One can have Layer 2 technologies like Frame
Relay to offer secure links on a shared media. Depending on the technology being
employed, one can even have encryption on the VPN, making it an encrypted IP-VPN."
HEC offers the combination of IP-based VPN and private IP-based networks for
secure IP-based transport of packet data. Adds Swarup, "IP-VPNs offer comprehensive
security. Sify became the first Tier-1 service provider by deploying Cisco GSRs
across its network. These allow the network to route up to 30 million packets
per second with maximum security ensured." Nevertheless, according to Ravi
Kanchandani, senior systems engineer with Nortel, network architects need to
ensure that security is not compromised just for the sake of open access. "Using
encryption technologies like DES, 3DES and AES in IP-VPN ensures the highest
level of data confidentiality. Also, IP-VPN technologies include techniques
for authentication and authorisation."
Security and IP-VPNs are often mentioned
in the same breath nowadays. As organisations migrate towards an extranet model,
security will play an increasingly important role. Most VPN providers offer
authentication services via protocols such as PAP/CHAP, or RADIUS for dial-in
users, or via firewall technology. "Nearly all ISPs provide security in
the form of a firewall, and offer authentication and encryption services. Some
ISPs also support secure, encrypted tunnels from the remote client. IDC expects
that IPSec ratification will accelerate VPN acceptance since most vendors will
employ the new standard. IPSec is a security standard which is working its way
through the IETF (Internet Engineering Task Force) ratification process,"
explains Purwar.
However, Bharti Broadband Networks (BBN)
CEO Ashok Juneja says there are many gaps such as viruses attacking routers and
causing them to overload. "Engineers maintaining networks may accidentally
leave open ports, providing entry to hackers and viruses. Overall security on
IP-VPN is still not as good as secured dedicated private networks," insists
Juneja. Amit Kumar, national marketing manager, Tata Telecom, has a very interesting
thing to say about IP-VPN security. "The old way of thinking about IP-VPN
security was—trust internal users, authenticate external users, and firewall
internal data and users. The new way of thinking is different—trust no one,
authenticate everyone, and protect important resources wherever they are."
Deployment options
There are four popular options for deploying
IP-VPN:
- Customer-managed CPE (Customer Premise Equipment)
- Provider-managed CPE
- Network Hosted
- Hybrid VPN Solution
Earlier, the CPE kind of solution was preferred
to a provider-managed solution, but this is slowly changing. Again, according
to a recent report from In-Stat/MDR, of those companies that now have VPNs in
place, a whopping 74 percent will switch over to provider-managed services.
This makes sense since the latter reduces the TCO. Moreover, traffic engineering
and QoS are complex technical challenges. "An enterprise will never be
able to achieve scale, quality and security on its own IP network without surmounting
tremendous difficulties and without paying a significant price. Thus, provider-based
CPE is the best option available," opines Swarup of Sify, which has ISO
9001 certification for customer service, network operations and data centre
management. Chakraborty of HCL Comnet is of the same opinion: "While enterprises
can set up their own IP-VPN networks, managing them does not seem to be feasible.
Large enterprises are outsourcing network management services to take advantage
of the expertise and cost benefits offered by service providers." Outsourcing
provides them the combination of the newest of technologies with virtually zero
lead times and without major commitments of capex (capital expenditure) and
opex (operational expenditure). "I don’t see many organisations going in
for their own IP-VPN network. However, the expectations from a shared network
are very high—and still growing," feels Agarwal of HEC.
In a CPE-based solution, all functionality
and equipment is deployed, managed and monitored by the enterprise itself. This
is suitable for large organisations. Provider-based CPE solutions are similar,
but the difference lies in the responsibility for the management of the CPE
and the connectivity between the two locations. A third, provider network-hosted
solution is also available where all functionality is hosted on the carrier’s
network on powerful carrier-grade platforms; this can be useful in IP services
delivery. Finally, there is the hybrid solution. Some of the functionality here
resides on the carrier’s network, some on the customer’s premises. One suggestion
for users is that, while considering provider-based CPE, they should consider not
just the cost but also the versatility of the services, TCO, and QoS.
| According to Ravi Kanchandani, one of the biggest
benefits of IP-VPN is that each office can have a local connection to the
Internet, as well as a secure tunnel to the branch location |
Many applications
With traditional IP-VPN services, bandwidth
for each application is consumed on a first-come, first-served basis. However,
most sophisticated IP-VPNs offer Class of Service (CoS) capabilities that enable
the assignment of different priority levels to specific applications in order
to differentiate priority enterprise applications (voice, video, ERP, SCM and
CRM) from non-mission-critical applications (FTP, e-mail and Web browsing) for
allocating bandwidth. Although IP-VPNs can support business-critical applications,
they are primarily being used to run less critical applications like intranets.
"A vast majority of businesses are focusing on fine-tuning their VPNs for
file transfer, e-mail, Web traffic and business applications over IP. While
voice, video and collaborative applications (to a lesser degree) are attracting
lots of attention through trials, there haven’t been many deployments so far,"
Chakraborty points out.
States Agarwal, "Basically, all kinds
of business applications such as ERP, e-mail, workgroup and Internet access
are available on IP-VPN. If customers are comfortable allowing mission-critical
applications like ERP on VPN, this speaks volumes about the acceptability of
IP-VPNs."
Response to the market backed by real-time
data is fast becoming a key need for enterprises today. "The need to expand
reach is a logical outcome of any plan to grow a business, and getting the entire
business ecosystem connected on a real-time basis is a trend that will fuel
the growth of an evolved concept, like Sify’s holistic IP-VPN solutions,"
feels Swarup.
Any IP application can be accessed through
an IP-VPN solution. This includes complex protocols like VoIP, H.323 and Real
Audio as well as the regular applications like telnet, http, FTP, SAP, banking
and all other IP protocols. "Current network technologies such as leased
circuits, Frame Relay and ATM will not be sufficient to meet future requirements
such as ubiquitous reach, scalability, real-time addition of new locations,
enhanced security and quality of service. IP-VPNs can provide all these features
and will be the preferred network of the future," insists Kanchandani.
Advantages
There are many advantages of using IP-VPN
for secured connectivity. Employees are increasingly mobile and working from
remote locations. "Companies need their employees to access corporate information
from anywhere through a cheap medium without compromising on security, and IP-VPN
fulfils this need. It also enables cost savings and ease of management,"
says Kumar of Tata Telecom. VPN provides a level of connectivity comparable
to a WAN. Remote offices, mobile employees, clients, vendors, telecommuters
and even international business partners can use IP-VPN to access information
on a company’s network. This level of interconnectivity allows for a more effective
flow of information between a large number of people. "It also provides
access to both extranets and wide-area intranets, which opens the door for improved
client service, vendor support and company communication. Customers can order
equipment over the IP-VPN," says Purwar. Adds Kanchandani, "One of
the biggest benefits of IP-VPN is that each office can have a local connection
to the Internet, as well as a secure tunnel to the branch location. This significantly
cuts down on WAN traffic, and enterprises can reduce or eliminate the need for
dedicated Internet circuits at the headquarters."
It also offers improved scalability and
flexibility, so customers need not subscribe to huge amounts of bandwidth from
day one. "They can increase bandwidth as requirements grow, or they can
take more bandwidth on certain days, like during the end of the month when the
number of transactions goes up," says Agarwal. Says Swarup, "IP-VPN
provides asset intensity reduction, enhanced revenues, increased reach without
increased assetisation, the highest uptimes and the minimum latencies."
Future
An MPLS-based IP-VPN service is the forecast
for the immediate future. Says Chakraborty, "MPLS VPN provides service
guarantees with regard to bandwidth throughputs, latencies and availability.
The technology enables secure VPNs to be built, and allows scalability."
HEC is eyeing this spot. "MPLS is
the newest of the IP-VPN technologies to emerge, and is rapidly gaining ground.
MPLS offers the flexibility of IP with the advantages of VPN. It also enables
faster movement of traffic, and offers more QoS parameters," explains Agarwal.
Sify’s MPLS network supports end-to-end
QoS, which requires marking, classifying and prioritising data packets of different
types. Marking protocols supported are DiffServ (Differentiated Services) and
MPLS, while RSVP (Resource reserVation Setup Protocol) and IntServ (Integrated
Services) are the classification protocols supported. Bharti is rolling out
a state-of-the-art MPLS-based IP-VPN network in addition to the current private
ATM/FR and SDH-based networks. This will offer more value-for-money options
to customers, as well as provide (along with Singtel) a global network that
connects to Singtel’s worldwide Connect Plus network using MPLS. BSNL, the state-owned
carrier, has also launched a 17-city MPLS-based IP-VPN network to serve its
customers.
IDC India has found that MPLS-based IP-VPNs
are gaining in popularity in terms of technology. Service providers like BSNL
and Tata Internet are providing them. Though service providers have also begun
to offer value-added services like VoIP and video conferencing on the IP-VPN
platform, these services have not picked up too well.
Offerings from service providers
| Service Provider | IP-VPN Services Offered |
|---|---|
| HEC | Completely managed VPN services based on Frame Relay. It offers Quality of Service on the VPN, the first in India. Total Systems Integrator offering one-stop VPN/Network solutions to customers. |
| Sify | Sify offers a converged network capable of supporting CoS/QoS for various types of data traffic. Supports L2 and L3 MPLS with IPSec as an overlay. Upgraded its infrastructure to Tier-1 standard in terms of data handling capability and capacity of the network. Deployed Cisco's Gigabit switched routers capable of handling 30 million packets/second. |
| HCL Comnet | Takes an "Application Down" approach rather than a "Network Gear Up" approach while designing networks. Provides Managed Network and Security Services through a Remote Operations Management Centre. Has a Technical Assistance Centre that ensures operations on a 24x7 basis and higher first-call resolution to guarantee faster closure for any incident or problem. Provides PDIO services for VPN users. |
| BBN | Rolling out a state-of-the-art MPLS-based IP-VPN network in addition to the current private ATM/FR and SDH-based networks. This will offer more value-for-money options to customers, as well as provide (along with Singtel) a global network connecting to Singtel's worldwide Connect Plus network using MPLS. |
Vendor offerings
| Vendor | Offerings |
|---|---|
| Tata Avaya | Solutions designed to deliver a comprehensive multilayer defence for large enterprise and service provider networks deploying mission-critical IP telephony and data applications. Security gateways feature application-aware, stateful, multi-layer inspection firewalls; high-performance hardware-accelerated VPN networking with IP telephony support; advanced QoS bandwidth management; and IP telephony configuration features that simplify the deployment of secure, distributed data and voice solutions. |
| Nortel Networks | Customer-based IP-VPN solutions and service provider-based IP-VPN solutions. The Contivity Secure IP Services Gateway offers CPE-based solutions to an enterprise, while the Shasta portfolio provides service provider-based network VPNs. The latest offerings in the Contivity portfolio include Secure Routing Technology, which provides routing services through an encrypted IPSec tunnel. Contivity is always evolving, and today has a comprehensive and simplified interface for the deployment of complex VPN solutions. |
| Cisco Systems | Ranked as the world's number one IP-VPN equipment vendor. Provides end-to-end best-of-breed solutions. |