What are IP VPNs good for?

You may be surprised to hear it's a debate about more than technicalities such as IPSec and MPLS

You may be surprised to hear it's a debate about more than technicalities such as IPSec and MPLS

IP VPNs are now perceived as secure, so what are companies using them for? As Simon Marshall explains, location, maintaining control and an old application called voice are all key issues... So you decide you want to reduce costs or support remote users by integrating an IP VPN into your convergence strategy. Yet you're worried about becoming a fashion victim. After all, your competitors seem to be doing the same thing. Your confidence is undermined. That is unless, of course, you can make the case that IP VPN support for your apps is growing and that a maturing managed service approach from telecoms providers is the way forward. Well, probably the first point to note here is that IP VPNs are actually happening after years of talk. "IP VPNs are coming off the business wish list, and there are a number of companies beginning to seriously examine their infrastructure for data and voice," says Mike Gatty, sales director at virtual network operator Vanco. Businesses currently looking to sweat their customer premise equipment (CPE) investments are looking to replace their permanent WAN links with IP VPN virtual circuits to gain a competitive advantage. In infrastructure terms, they generally have three choices. IP VPNs use either the public internet or a private IP network as their WAN link. Those that 'tunnel' across the public internet rely on Secure Sockets Layer (SSL) and IPSec technologies to secure data across this economy solution, which is most popular for supporting remote workers and sites. Premium IP VPN service is provided over a private IP network supported by Multi Protocol Label Switching (MPLS), which effectively prioritises traffic in accordance with application type. So who's doing it? "All retailers are looking at inventory control as their supply chain gets more sophisticated and they roll out ERP applications such as SAP," explains Gatty. "The financial organisations want HR access and to put applications online that facilitate them doing business. The government sector is very buoyant and is not averse to technical risk, and we are also targeting the travel sector." While it's clear these verticals, plus manufacturing, are beginning to look beyond a plain ROI argument, they must still balance the cost effectiveness of IPSec and SSL IP VPNs against the performance of MPLS. SSL is an economy solution that provides a basic level of security using a clientless connection to the IP VPN and relies on simple browser technology. IPSec provides meatier security as it encrypts traffic between remote sites over the public internet, a feature that also marks it out as an economy solution. The problem is, it's slow. "There are difficulties with IPSec," says Mark Logan, head of IP VPN products at BT Global Services. "If a business is running several big apps simultaneously, like Siebel or SAP, which are time critical, then IPSec is not good at handling them. If you're using an IPSec IP VPN, keep it simple is my message." Because IPSec encrypts data before forwarding it over the IP VPN and then decrypting it, there's a delay that makes using these apps together tough, and practically prohibits voice packets. However, because MPLS only supports traffic in the network core – it doesn't yet extend out to cover local access networks such as the local loop – choosing between the two is not as clear-cut as it should be. This situation may change as vendors such as Nortel Networks begin tempting service providers with equipment that couples the benefits of IPSec and MPLS in a single platform. If these vendors find traction, then service providers could build IP VPNs that combine both more easily because they would no longer have to build and operate two separate networks. Margaret Hopkins, associate telecoms analyst at Analysys, says: "A lot of users simply just want the security, and IPSec with its encryption largely gives them that – it's actually fairly robust." While acknowledging IPSec's role in supporting users at satellite offices, BT's Logan says the bulk of big corporate network users are plumping for an MPLS IP VPN, perhaps because it handles voice so well thanks to its prioritisation capabilities. But the way IP VPNs are sold by BT and service providers such as COLT, Equant and Infonet shows there's no common voice-first or data-first strategy to IP VPN convergence from their business customers. Although appearances might dictate that data traffic should be migrated onto an IP VPN first, before voice – as is BT's method – growing interest in IP telephony as a money-saver seems to be stimulating exactly the opposite approach. "Infonet is now saying that businesses can buy packet-switched voice over an IP VPN as a standalone product, and then add in other data traffic later on," says Henning Dransfeld, senior analyst for enterprise IP services at Ovum. "They're getting so much drive from offering IP VPNs this way." They're also introducing a new service class to handle voice alongside the usual Gold, Silver and Bronze prioritisation capabilities of MPLS. The main question now from businesses is likely to be how much they're willing to leave their voice and data in the hands of the service provider. In general, smaller companies go for a managed IP VPN, which normally leaves them in control of the CPE but makes the service provider responsible for everything else. According to Ovum's Dransfeld, there's evidence that corporates are looking at fully outsourced IP VPNs, where they relinquish even CPE management to the service provider. "There's definitely a trend towards a fully outsourced service," he says. "But in the financial sector, there's some reservation because they already have a lot of in-house management resources. So they're reluctant to outsource but they still want to reduce their costs." It's clear that in these circumstances that convincing IT buyers in most verticals to invest in outsourced IP VPNs is like getting turkeys to vote for Christmas. However, some service providers do seem to have taken a few user demands on board. "We're looking to add Wi-Fi and wireless components to our IP VPN service to give users the option of a single log-in," says BT's Logan. In mid-May, Equant claimed it was the first to launch mobile GPRS access to IP VPN customers, giving travelling employees more options. Providing the GPRS or Wi-Fi connection itself is secure, then there are generally no additional security concerns from accessing an IP VPN in this way. "IP VPNs are now perceived as being secure and they're certain no more prone to attack than the Frame Relay services they are replacing," Ovum's Dransfeld adds. If any residual security fears can be conquered, then there will be a number of new applications available, facilitated by MPLS IP VPNs. Analysys' Hopkins lists streaming video, for business TV broadcasts to employees, and video conferencing as two possibilities that will maximise MPLS's capabilities. She says: "But really, the use of all of these IP VPN technologies is as much about location as it is application." And that might mean IPSec users will eventually have to look at other options if they want to indulge in voice or run a full range of apps smoothly.