Their cost effectiveness appeals to corporate managers. Their novelty and technological sophistication add an aura of sexiness to them. And some industry analysts predict they will take over the remote access and WAN markets. They are the VPNs.
For Black & Veatch, the principal benefit of using IBM Global Network's virtual private network (VPN) service for remote access can be simply stated: no more $200 overseas phone bills from foreign hotels.
"In some countries, hotels charge $5 to $6 per minute, so we could get a bill for $200 for a single night" when engineers dial home to check e-mail or to access financial or product information, says Jim Baird, manager of networked systems at Black & Veatch Solutions Group, the information technology arm of the US construction and engineering firm.
Engineers can now make a local call to an IBM Global Network point of presence pretty much anywhere they travel overseas. They can then log on and communicate with corporate systems over the carrier's IP backbone. The cost: 5 to 12 cents per minute. Better still, "We don't have to pay the cost of caring [for] and feeding a bunch of modems or remote access servers around the globe," Baird says. "We're paying a carrier to extend the boundaries of our IP network."
Black & Veatch is far from alone in perceiving the VPN's potential as a remote access vehicle. "Interest in VPNs is very high because of the potential cost savings," says Cherry-Rose Anderson, an analyst at research company GartnerGroup. "Nearly 100 per cent of the enterprises I talk to on a regular basis about remote access are looking at the role VPNs could play in their enterprise."
According to industry watchers, Black & Veatch, along with a handful of other bleeding-edge firms, is at least a couple of years ahead of the rest of corporate America, let alone the rest of the world, when it comes to implementing VPNs.
The basic VPN concept is to create a virtually private connection over a shared IP-based network medium: either the Internet or a service provider's IP backbone. That's accomplished by IP addressing - which sets up a point-to-point flow between, say, a remote PC and a corporate VPN server - and by security mechanisms like user authentication and encryption.
VPN cost savings over a traditional remote access server or modem banks and dial-up lines range from 30 to 70 per cent, depending on the type of VPN equipment and service implementation used and where users are located, says Eric Zines, a senior consultant at Dallas-based research firm Telechoice.
For example, when FormFactor switched from dial-up remote access to Intelispan VPN service, connect charges from Asia to the data centre in California plummeted from $US150 per hour to $21 per hour, according to Gene Donlan, IT director at the computer chip testing probe manufacturer.
From Europe to California, Intelispan charges $9 to $12 per hour of connect time, compared with typical European long-distance charges of $40 to $60 per hour. Anywhere in the US, it's $2 to $3 per hour for the VPN service.
VPNs can also mean big savings in the man-hour costs of administering remote access equipment, users say. "Say you want to support concurrent [remote] access for up to 200 users: that means 200 outgoing lines, 200 modems and 200 connects into your firewall - all of which need to be managed," Donlan says. "That's pretty labour-intensive" compared with a single VPN concentrator.
Even with carrots like those to tempt them, however, corporate IT departments are hardly racing toward VPNs. "Almost no one I've talked to has deployed a VPN network on any significant basis," Anderson says. "Penetration right now is very low, although we expect significant growth over the next couple of years."
What's holding users back? Many are waiting for the technology to mature and the industry to stabilise, analysts say. A lot of key products are only starting to ship.
For instance, the Communications Network conference in January saw a slew of vendors, including Altiga Networks, Network Alchemy and VPNet Technologies, announce high-end VPN concentrators that can handle thousands of remote users concurrently.
More important, perhaps, is that users want to be sure VPN products can address what many see as the Internet's main drawbacks as a business communications vehicle: its lack of security safeguards and the impossibility of guaranteeing end-to-end network performance for high-priority or latency-sensitive applications.
When Telechoice recently surveyed more than 500 telecommunications and IT managers, security and performance were the two areas most cited as "very important" by those respondents who said they were buyers planning to implement a VPN within the year.
VPN technology addresses the Internet security issue through tunnelling, in which two systems establish a secured point-to-point connection, or tunnel, across the Internet or a shared IP backbone through one or more security mechanisms. To set up a tunnel, the remote client first would have to know the receiving corporate system's IP address, then identify and authenticate itself before making use of encryption software that the receiving system also uses. Some companies use public-key infrastructure for added security.
Unfortunately, all of those security mechanisms add significant overhead, to both packets and the communications equipment that processes them, which can seriously degrade throughput.
While evaluating VPN equipment a year ago, for example, Californian company FormFactor concluded that tunnelling could mean an overall throughput reduction of 40 to 70 per cent, Donlan says. That was a problem because travelling sales and design engineers would be using those remote VPN connections to do critical tasks: process sales orders, answer customer service requests and coordinate new card designs. "We wanted those connections fast and secure, as if they were locally attached," Donlan says.
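The per-packet share of that overhead follows directly from the encapsulation format. The sketch below is an added example, not taken from the article or from any vendor it mentions; it assumes IPsec ESP in tunnel mode over IPv4 with 3DES-CBC and HMAC-SHA1-96 (the article names no protocol), and it counts bytes on the wire only, not the processing load on the equipment.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class EspProfile:
    """Assumed framing: ESP tunnel mode, 3DES-CBC, HMAC-SHA1-96."""
    outer_ip: int = 20  # new outer IPv4 header, no options
    esp_hdr: int = 8    # SPI (4 bytes) + sequence number (4 bytes)
    iv: int = 8         # CBC initialisation vector sent with each packet
    block: int = 8      # cipher block size that the payload is padded to
    trailer: int = 2    # pad-length byte + next-header byte
    icv: int = 12       # truncated HMAC integrity check value

DEFAULT = EspProfile()

def fixed_overhead(p: EspProfile = DEFAULT) -> int:
    """Bytes added to every packet before padding is counted."""
    return p.outer_ip + p.esp_hdr + p.iv + p.icv

def tunnelled_size(inner_len: int, p: EspProfile = DEFAULT) -> int:
    """Bytes on the wire for one inner IP packet of inner_len bytes."""
    # Inner packet plus trailer is padded up to a whole cipher block.
    blocks = -(-(inner_len + p.trailer) // p.block)
    return fixed_overhead(p) + blocks * p.block

def max_inner_without_fragmentation(mtu: int = 1500, p: EspProfile = DEFAULT) -> int:
    """Largest inner packet whose tunnelled form still fits in one MTU."""
    room = mtu - fixed_overhead(p)
    return (room // p.block) * p.block - p.trailer

def efficiency(inner_len: int, mtu: int = 1500, p: EspProfile = DEFAULT) -> float:
    """Share of wire bytes that are the original packet, including fragmentation."""
    wire = tunnelled_size(inner_len, p)
    if wire > mtu:
        # An oversized outer packet is split; each extra fragment
        # carries its own copy of the outer IP header.
        per_frag = (mtu - p.outer_ip) // 8 * 8  # fragment data is in 8-byte units
        frags = -(-(wire - p.outer_ip) // per_frag)
        wire += (frags - 1) * p.outer_ip
    return inner_len / wire

if __name__ == "__main__":
    # Constructed sample sizes: bare TCP ACK, mid-size packet, full Ethernet MTU.
    for size in (40, 576, 1500):
        print(size, tunnelled_size(size), f"{efficiency(size):.1%}")
    print("largest unfragmented inner packet:", max_inner_without_fragmentation())
```

Under these assumptions small packets pay proportionally the most, and a full-size 1500-byte packet no longer fits in one frame once it is wrapped, so it is fragmented.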
A third reason users are taking a wait-and-see tack with VPN: its nature keeps changing. First it was straight tunnelling over the Internet. Then Internet service providers and carriers like IBM Global Network and AT&T started offering VPN connections over their commercial IP backbones.
With such one-carrier VPN services, "throughput is a bit more predictable [than it is on the Internet], and security is better too, because [connections] aren't as public or accessible to the world", Baird says. To some users and analysts, however, those aren't true VPN services. That's because the customer must still install in-house equipment to take care of encryption and authentication.
But that's changing. The major providers are starting to provide authentication and encryption on their systems. And the latest generation of VPN offerings goes further, offering to take more of the burden of administering remote user connections off customer premises - and off the shoulders of in-house telecommunications managers.
"A number of equipment and service vendors are working on VPN solutions that live entirely in the [wide-area network service] cloud," Zines says.
Two examples of value-added or managed VPN services are Intelipath, in Arizona, and Concentric Network in San Jose. Denver-based Qwest Communications in the third quarter plans to introduce what it calls a "network-based VPN service" that will provide authentication, encryption and firewall services within the network, "so there's no extra gear [such as a VPN concentrator] to be administered on the premises", says Bill McLeod, Qwest's director of Internet services marketing.
The comprehensiveness of Intelispan's VPN services was the main reason FormFactor chose it over rivals such as AT&T and IBM Global Network, Donlan says. Intelispan handles encryption and identification/authentication for customers and also provides an optional public-key identification security layer on its own systems. FormFactor's IT managers do the initial setup as well as updates of user access rights and new users, Donlan says, but the equipment is maintained by Intelispan.
"We're a relatively small company, and we didn't want to waste human resources managing our own wide-area network," he adds.
Other organisations share those sentiments. Fitchburg State College has been pilot-testing Massachusetts-based Digital Signal Communications' VPN services as a means of giving computer students and the telecommuting faculty access to on-campus computing resources.
"They said they could provide points of presence all over New England, which would mean a local call for everyone, instead of building up a remote modem pool and charging people for long distance or a [toll-free] number," says Joe Turner, associate director of MIS at the Massachusetts college.
Even better, from Turner's point of view, the service provider has offered to take over several administrative tasks. "We knew it would be harder to find [technical] personnel than to pay for the equipment," Turner says. Digital Signal Communications' VPN service includes help desk support, user bill-back services and the management of user authentication on its Radius server. Fitchburg State will still need to install a VPN concentrator to handle encryption and tunnelling, but the service provider supplied technicians to help implement and configure the Altiga VPN concentrator it sells to customers.
Even so, Fitchburg State - like many potential VPN implementers - is still far from an enterprise-wide rollout, Turner says. "I'm going to outline the technology and capabilities of VPN to key academic and administration people, and let them decide."
Fitchburg State's chief financial officer and key members of Turner's staff have been trying out VPNs as a way to access computing resources on a Windows NT server on campus. They previously used Symantec's pcAnywhere dial-up software. "PcAnywhere was a lot slower," Turner says. "But we'll see if they care whether we pull the plug on the VPN service after the pilot test is over. The last thing I want to do is force VPN down users' throats."