5/1/98 America's Network. VPNs: Very profitable networks The hot trends in ISP remote access strategies [Very nice ASND references/quotes]
Arielle Emmett, 5/1/98
americasnetwork.com
"Remote access" and "outsourcing" are fast becoming two expressions network service providers are saying in their sleep. One of the fastest growing trends in remote access is outsourcing all or part of a corporate network via service providers' virtual private network (VPN) services. VPNs are in the early stages of adoption, but provide tantalizing benefits to customers and carriers, among them security features, quality of service (QoS)-like protocols, and significant cost savings over pure leased lines.
VPNs are also a stepping stone to premium and differentiated corporate data services on the Internet. Given remote Internet protocol (IP) access and streamlined network addressing over heterogeneous network infrastructures, corporations can use the Internet (or an intranet or extranet) as a cost-effective, wide area backbone for linking multiple enterprise local area networks (LANs).
"In essence, VPNs offer connectivity within a closed user group," explains Liza Henderson, a broadband consultant with TeleChoice Inc. (Verona, N.J.) "VPNs also provide directories, security, authentication, even content."
A year and a half ago, Internet service provider (ISP)-based VPNs were largely a pipe dream. Today, "there's immense interest in Internet access, whether ISP-based, carrier-based, including competitive local exchange carriers (CLECs), or from customers who want to build it themselves," says Eric Bocish, a director of core network services at US West !nterprise Networking (Denver). "Many are using the Internet as a wide area network [WAN], and as a vehicle to promote remote access to teleworkers, after-hour workers, remote offices, travelers and remote employees."
In addition, carriers and ISPs are offering interconnected "frame clouds" for data: multisite frame relay services that mimic some of the best traits of private networks and VPNs, at lower cost. In effect, ISPs can woo customers with these frame relay intranets, providing efficient remote connectivity between headquarters and far-flung branch offices without the restrictions of point-to-point, dedicated access.
Maturing technology
Most VPNs today are offered by large ISPs and interexchange carriers (IXCs). For example, AT&T WorldNet Service (Basking Ridge, N.J.) provides small business dialing access to the Internet, separate firewall service programs, and VPN services with enhanced network management, secure e-mailing and reporting capabilities.
However, VPNs are expanding in scope and definition. For example, "Intranets and extranets can be considered subsets of VPNs, in that intranets provide IP connectivity within a corporate business, and extranets provide inter-company connectivity using IP," Henderson argues. The "pure" ISP-based VPN is a fledgling phenomenon, she adds.
Using an IP backbone, small T1 or fractional T1 routers and firewalls at the customer demarcation point (Figure 1), ISPs are also utilizing new types of remote access concentrators, accommodating both analog and digital access traffic and promoting higher level "bonding" of traffic streams. In addition, VPNs can provide the IP approximation of QoS: specialized tunneling protocols, such as point-to-point tunneling protocol (PPTP) or layer 2 tunneling protocol (L2TP), which establish restricted, secure channels within the Internet (Figure 2). Over these channels, corporate users can get specialized services, including "vanity" domain names for e-mail (using their company's name, for example), extended network services such as IP fax and IP telephony, video integration, database access to corporate servers, as well as encrypted file transfers.
While many companies are creating custom VPNs using tools provided by carriers or integrators, "some want to outsource management of their networks (or some part of their networks) to service providers," Henderson says. In general, the progression of outsourcing is to give up bits and pieces of a corporate network, or to use VPNs to enhance regional- or branch-office connectivity. "A lot of companies that aren't in the communications business don't want the headaches of day-to-day network firefighting," she adds.
Bandwidth appetite, low cost and ubiquity of Internet ports are driving ISP-based VPNs. In effect, ISPs are adopting more flexible strategies (and much more sophisticated access concentration devices and pricing deals) to accommodate customer demands for better connectivity and value-added services.
"From a demand point of view, larger carriers providing ISP services are now looking for multipurpose, multiservice platforms for delivery of analog dial, VPN, frame services, the whole gamut of access," says Kurt Bauer, a vice president of access product management for Ascend Communications Inc. (Alameda, Calif.). "The strongest demands we see today are for wholesaling Internet ports and developing virtual private net services."
For example, many ISPs sell ports to smaller ones downstream, who then provide remote access to enterprise customers; as an example, Bauer cites Fairfax, Va.-based UUNet Technologies Inc.'s wholesaling of Internet ports. Conversely, smaller ISPs can wholesale ports to larger ISPs.
"On the VPN side, there is a concurrent demand for layer 2 and layer 3 tunneling protocols (Ascend's layer 3 version is known as Ascend Telemangement Protocol)," he says. "Tunneling basically provides ways to introduce QoS-like capability into the routing network. People are now interested in running voice and data traffic over IP networks at the core."
Changing ISP Strategy
As a result of these changes, remote access solutions for VPNs and derivatives are becoming more complex. For example, some ISPs are experimenting with larger remote access concentrators and hubs at their points of presence (POPs), many with integrated switching, routing and support for multiple types of traffic. Many servers are Windows NT-based and offer faster setup and backup domain control. Some ISPs and carriers are buying up additional modems and ports to accommodate a new user trend: the bonding of analog traffic streams to produce higher bandwidth (see "Solid bond?," March 1, 1998). The practice is similar to the bonding of integrated services digital network (ISDN) two B channels, which combines both 64 kbps channels into 128 kbps. Still, others utilize traditional modem dialing pools while rapidly converting their core networks from analog to digital with primary rate interface (PRI) at the core. Some are acting as network integrators, developing virtual private intranets, for example multisite private IP networks over meshed frame relay. Asynchronous transfer mode (ATM) interworking solutions with frame and IP are also an option, especially for very large corporate customers.
"The whole desire for bigger pipes is the trend we see," says Vernon Walker, director of business product development for BellSouth.net (Atlanta), which is now offering VPN services. Aside from standard modems and routers, "our whole suite of business offerings for access now includes anything from analog dial all the way to 56 kilobits from CPE [customer premises equipment] to ISDN (digital dial). We also have dedicated DS-0 and DS-3 services available, and we're doing a consumer ADSL [asymmetrical digital subscriber line] trial in Birmingham," Walker says. "DSL is high on the access radar screen For business, the devices we put on the customer networks today are boxes that do IP routing only-and we've standardized on relatively small routers that handle Ethernet or Token Ring LAN interfaces along with serial wide area network interfaces."
For many business applications, BellSouth.net is offering ATM on top of ADSL for local loop infrastructure. "We're putting a lot of dollars on the ATM horse," Walker says. "As it becomes economically feasible to build out our ATM infrastructure closer to the customer, we'll be able to provide QoS guarantees for voice, video and data." For business customers interested in VPN services, "we're using standards-based tunneling protocols, carving out a VPN from the public Internet," Walker explains. "And [we] will offer customers the option of setting up secure intranets that do not involve any hop-ons to the Internet at all."
An ISP such as Florida Internet Corp. (West Palm Beach, Fla.) is heavily involved in network integration projects. The company's Internet access strategy leverages fiber, frame clouds (interconnected with the frame networks of national carriers) and conversion to digital facilities.
"We're fully fiber optic into our building," says Thomas Casey, director of operations. "Whereas most ISPs are still using mostly old types of analog phone lines and modems, many of our inbound lines are digital PRIs, so we have dial-up numbers for both analog and digital."
Florida Internet utilizes a PortMaster 3 access concentrator made by Lucent Technologies Remote Access Business Unit (Pleasanton, Calif.; formerly Livingston Enterprises), "with every one of our modems to take ISDN or analog traffic simultaneously," he says. "One access trend we see is that we're getting an increasing amount of ISDN PRI over our leased T1 lines from the phone company. Several of our customers want access to overseas offices, and they can do it going out to the Internet and exchanging data via the Internet or having point-to-point connections, an expansion of their own WAN, which we set up for them. We'll even configure their concentrators and routers."
Casey has identified several other intriguing trends. As a network integrator, Florida Internet helps enterprises extend their data networks across the South by establishing frame clouds rather than point-to-point connections for private data interchange.
"Phone companies charge mileage and it's very expensive," Casey says. "So we use the frame clouds of national phone providers to link corporate offices in Florida with those in another state."
Regional Bell operating company (RBOC) frame clouds (Casey cites BellSouth's) "don't mix with each other, so to hook up to another BellSouth customer in Georgia, the RBOC has to charge extreme amounts," he adds. To get around the pricing and logistics problem, "we use a long distance provider instead, such as MCI or UUNet, to do long distance data communications over frame clouds running over DS-3s."
The frame clouds of large providers are virtually everywhere, Casey contends. "It's almost a joint bonding between their frame cloud and ours," he says, "and it's like a point-to-point connection." The carrier arranges the pricing, which is cheaper than dedicated access; and the ISP mediates for the corporate customer. Casey advocates frame relay VPNs as an alternative to straight IP VPNs because "there's a potential for people to break into an IP address."
Florida Internet isn't alone in the frame relay arena. PSINet Inc. (Herndon, Va.), an exclusively business-oriented ISP with 30,000 corporate customers, and POPs in the United Kingdom and Western Europe, also develops VPNs based on intranet frame relay architecture and security features.
"We don't use tunneling for security over our VPNs," says Earl Finnis, product manager for PSINet. "But currently we are using a Cryptocard (a form of challenge response authentication) to allow access-and that's our version of what people offer as VPNs. It's an intranet service implemented over our private network, a switched frame relay network. For the customer, we create a multisite, private IP network over frame, and we have managed Internet access. [Customer] traffic is routed over switched private virtual circuits, so, for example, corporations with multiple sites and countries can get Intranet connection, with all its advantages, at data rates ranging from 56K to DS-3 speeds."
For corporate customers requiring wide area connectivity between several corporate LANs in small- to medium-size branch offices, an IP backbone solution is also possible, adds Florida Internet's Casey. For example, Florida Internet uses a RAD Data Communications WebRanger II T1, a small T1/fractional T1 access router with integral channel service unit/digital service unit (CSU/DSU) capability and a firewall to segment a corporate network while connecting to IP services, either intranet or Internet, via the ISP's own router equipment (Figure 3). The solution is becoming increasingly popular and economical: simply put, small access routers with multiple protocol support are coming down in price. Corporations can use these devices at their network edge to leverage the ISP's extended VPN services, including simultaneous connection of private branch exchange (PBX), LAN and fax traffic, Web connection and e-mail.
"The technology for VPNs is getting easier to maintain," Casey contends. "Although we're not using point to point tunneling features for security, with devices like WebRanger and its built in firewall features, it keeps [undesired Internet users] from getting through the [enterprise network's] front door very often."
Channel Bonding
Another important access trend is analog channel bonding. "Since bandwidth requirements for the Web are going higher, you have to assume 'double' on analog channels," Casey says. "For example, the 'Shotgun' modem technology [made by Diamond Multimedia Systems Inc.; Vancouver, Wash.] allows analog connections to be bonded just as ISDN gets bonded. The end user buys two modems, orders two phone lines and dials us up twice; then two modems bond together to give them twice the bandwidth."
From an ISP point of view, that increases costs and demands on the remote access concentrator side. "We had one modem to every seven people. Now we're having one modem for every five," Casey continues. "Much the way ISDN has channels [two 64 kbps, in which ISDN modems are combined to make a 128 kbps connection], the new analog modems-up to 56 kbps-are being produced to do the same thing. The push, therefore, is to buy more modems and phone lines."
There are many other access trends that ISPs will examine as they move to accommodate a full gamut of user requirements. These can include anything from broadband (384 kbps and higher) wireless remote access, to 56 kbps analog, to growing 128 kbps ISDN for business access, to multimegabit ADSL for teleworkers and branch offices, plus a gamut of IP-based corporate interconnections, DS-3 dedicated links and ATM/frame interworking solutions. Most important, though, may be the variety of access concentrators available: today, for example, a high-end concentrator such as Ascend's Max TNT (which includes a WAN access switch) can do a full DS-3's worth of analog access, or a full DS-3's worth of digital access, BRI or PRI switching, in addition to frame switching up to OC-3 speeds in a single system.
This kind of flexibility may be required for the spate of new VPN services that ISPs will offer to win the corporate marketplace against CLECs, IXCs and other carriers.
"Many analysts are bullish about VPN adoption," says Ascend's Kurt Bauer. "But we don't expect mainstream enterprise operations doing wholesale VPN outsourcing applications. We expect to see VPN to do regional coverage, specific kinds of applications, and then do more and more VPN work as time goes on."
For U.S. customers, "they'll want to check out VPN for awhile," Bauer says. "On the service provider side, everyone is getting away from the 'all-you-can-eat' model for Internet access; flat rate $19.95 won't cut it. What VPNs let ISPs and carriers do is branch out and realize other methods for creating carrier revenue. And they're still providing a net decrease in communications costs for the enterprise."
Arielle Emmett is a telecommunications writer based in Wallingford, Pa.
Copyright 1998 Advanstar Communications.