Retrofitting virtual private network security

The demand for better virtual private network security is driving the VPN market, but VPNs aren't the best solution in all scenarios.

During the "big bang" growth of e-commerce, security took a back seat to establishing Internet connectivity. Now, with all that connectivity in place, virtual private networks (VPNs) stand to benefit from a great "security retrofit." Companies can save a lot of money by using the Internet to secure communications with remote offices, employees and partners around the world.

The demand for secure connectivity for an increasingly mobile workforce and decentralized offices is the prime driving factor in the VPN market. Intranets link remote offices dispersed around the world in an extended network. Traveling sales forces and telecommuters have to plug in to their enterprises securely. The explosive growth of the SOHO and telecommuter markets is fueling forecasts of soaring unit sales.

The VPN market is skyrocketing. Unit sales -- software and hardware -- went from about 12,000 in 1998 to more than a quarter million in 2001, according to research by Frost and Sullivan, an international marketing, consulting and training company. By 2008, unit sales will approach 4 million. Revenues in that period will rise from $67 million to a projected $1.8 billion.

It's About the Money

Saving money is where VPNs leave most security technologies in the digital dust. VPNs are usually justifiable simply on their cost-saving potential. Many security technologies are preventive measures, so demonstrating ROI is difficult. Not so for VPNs. The cost savings of VPN technology are easily calculated. A quick look at the options proves the point.

The alternative to a remote access VPN is a remote access server (RAS). The primary operating cost of the RAS is the 800 number that mobile workers must dial. For example, a sales force of 50 people who access their network an average of four hours each per day, over a line that costs 4 cents per minute, costs about $9,600 per month. Using a remote access VPN only requires the company to purchase Internet access for each employee, at $25 each per month, plus $1,500 monthly for a T1. That's $2,750 per month, $6,850 less than the RAS solution. How quickly could you pay for a VPN concentrator with $6,850 per month?

The alternative to an intranet VPN is a frame relay or ATM line. A leased line costs about $3,000 per month at each of the two endpoints -- $6,000 total. An IP VPN will cost $1,500 monthly for each endpoint's Internet connection, totaling $3,000 and saving $3,000 per month.

Not Quite So Fast...

VPNs still aren't the answer for all remote connections. Leased-line technologies such as ATM and frame relay still offer significant competition, especially for environments such as streaming media and voice over IP (VoIP), which require robust quality of service (QoS). IP creates multiple points of failure, which undermine reliability and limit performance. Latency-sensitive applications such as voice and video can run into trouble on VPNs. For the time being, those applications may be best left to leased lines.

But users can expect new developments in VPN equipment to address these problems. For example, Asita Technologies has built bandwidth monitoring into its VPNs. Its devices will sense performance degradation on one ISP connection and automatically reroute a higher load through an alternate ISP. More vendors are able to identify the type of content in the packet and give it express routing priority through the VPN device. Other capabilities will evolve in VPN products to help negate the QoS problem over the next couple of years as securing latency-sensitive traffic becomes a priority for more businesses.

Also, the demand for secure connections to remote offices and users is a double-edged sword. The risks associated with extending connectivity beyond the network perimeter have a chilling effect on the growth of the technology. Securing clients in the field has been a tough nut to crack for administrators struggling with installation and support issues with remote users.

Last year, vendors began turning this restraint into a driver, releasing SOHO and telecommuter VPN/firewalls in droves. These devices feature enterprise-grade firewall technology -- albeit without all the features and options of enterprise-level VPNs -- and secure, inexpensive (under $1,000) communication with the corporate network. The appliances make adoption easier for the nontechnical remote user via setup wizards that require only the input of a gateway IP address. Upon connection to the corporate VPN device, a policy is automatically downloaded and enforced upon subsequent connections.

Many of these capabilities are also built into software clients used to connect individual computers to the corporate VPN device. The advantage of the appliance approach is that it serves as a demarcation point of responsibility for the administrator. However, the software client is necessary for many mobile users, such as salespeople and traveling executives. For such users, the inclusion of a firewall in the VPN client software helps to protect the corporate network from a compromised PC.

Moving to Appliances

The case for appliance-based VPNs over software-based solutions is a characteristic not only of the SOHO market, but of the industry in general. In late 2000, the advantages of a dedicated appliance solution became clear. Bundling the software onto a hardened and dedicated security appliance lowers cost, eliminates the complication of purchasing server platforms, simplifies setup, dramatically improves performance and reduces vulnerabilities.

In 2000, appliance sales began to pull away from software-only solutions, as vendors released appliance product lines and reduced the end-user burden of installing security solutions. The delivery of VPN security solutions on independent appliances will continue to grow, accounting for four out of five VPN unit sales by 2008.

In some cases, software VPN vendors have addressed this trend through partnerships with hardware vendors, rather than producing their own appliances. Market leader Check Point Software Technologies established a strong partnership with Nokia, which designed and built its IP series of products specifically to run Check Point software. The two companies have worked together very closely to offer a bundled product. This relationship was further strengthened when Nokia recently discontinued its competing Crypto Cluster (CC) product line. Other software vendors such as Secure Computing have entered into similar partnerships with platform vendors. The result is that IT managers no longer have to purchase separate general-purpose servers and install security software on them.

Who's Buying VPNs?

Currently, the three key VPN markets are finance, government and health care, but that's changing. Any industry that uses multiple LAN configurations and the Internet stands to benefit from the flexibility and security offered by VPNs. Since almost every vertical market has a use for the technology, the target market is expanding to include retail and Internet-based commerce. For this reason, the revenue from sales will be increasingly distributed over the next few years.

The financial and government markets are always early adopters of security technology because they have larger budgets and a greater stake in secure communications. More recently, the health care market has been getting a lot of traction because of security/privacy requirements under the Health Insurance Portability and Accountability Act (HIPAA). VPN sales to health care facilities are expected to decline over the long term as HIPAA compliance takes hold. During the dot-com boom, Internet-based businesses were a key market. This market subsided quickly with the dot-com bust, but is expected to grow as the sector rebounds.

Retail is a newcomer to VPN technology. Convenience stores, mall outlets and fast-food franchises have started using VPN devices to communicate daily sales and inventory data to regional headquarters. This sector represents enormous growth potential for the VPN market.

The Next Wave: Extranet VPNs

In addition to the sizzling remote access and intranet markets, VPNs are starting to be deployed for extranets, securely connecting partners, customers and suppliers to the corporate enterprise. The extranet application market will rival remote access over time. VPNs are also being used to secure notoriously insecure wireless LAN connections, though the WLAN market share will be modest and gradually decline, as the IEEE adopts stronger standards to assure better wireless security.

Remote access applications are dominating the current market, and will continue to grab a strong share of the revenues because of the number of units required for corporate deployment. Consider that for every intranet deployment, at least two VPN devices will be purchased, then one for every branch or remote office that is added. For most enterprises, this number will not exceed 10 units. For remote access deployments, however, the number of telecommuters that would receive devices could easily climb into the hundreds or more, depending on the size of the organization and how many employees work outside the office.

The huge potential of the remote access market has spurred vendors to respond with SOHO and telecommuter product lines. Almost all vendors focused on improving the setup and manageability of these devices more than any other product improvement in 2001. As a consequence, although these low-end boxes will ignite skyrocketing unit sales, their cheaper prices will hold revenue growth to a lower -- albeit very healthy -- rate. The compound annual unit growth from 2001-2008 is projected at 47.1 percent, while the revenue growth rate will be only 15.4 percent. Extranets will play an increasingly important role in the applications of VPNs, moving from 5 percent of the market in 2001 to a projected 35 percent in 2008.

As partners gain access to an organization's internal network, VPN vendors will be challenged to develop their products to address the critical issues of authentication and access control. Another potential problem could be resolving differences in the security policies of the host and the visitor, whose employees become potential insider threats once they are authenticated.

The Players: Who's on First?

The first-tier IP VPN players are Cisco Systems, Check Point, Nokia and Nortel Networks. All held strong market share positions at the end of 2001. Over the next few years, these companies are expected to lose a few market share points to the second tier of competition -- Symantec, SonicWALL, and NetScreen. All vendors are focusing on the key competitive factors: price, performance, manageability, breadth of product line and ease of setup.

The VPN market is shaking out. In 2001 and early 2002, 17 companies were acquired by larger vendors. For the most part, the merger and acquisition spree is over, as the first- and second-tier companies have attained comfortable positions in the market. Acquisition poses little threat to existing customers, since acquiring companies generally work closely with the acquired customer base. For example, SonicWALL, which acquired RedCreek, and Secure Computing, which bought Network Associates' Gauntlet line, have been quick to provide information and support to their newly acquired customers.

The first- and second-tier vendors have made great efforts to fully develop their product lines to address price/performance points. These include the expansion of product lines to include SOHO and telecommuter devices on one end and ramping up development of high-performance devices on the other. Third-tier competitors can't match this range. Although each vendor tries to develop products that offer unique functionality and/or special value, the fact is that VPN technology is becoming a commodity. Vendors will begin to struggle to differentiate themselves as today's new product features become standard among competitors. Examples of this are:

  • Performance. Many vendors sell 100 Mbps TripleDES equipment, while most enterprises have only 1.5 Mbps Internet connections. Performance will become even less of an issue as vendors begin to support the newer AES, which improves performance by a factor of three over TripleDES.
  • Features. Load balancing and high availability are becoming standard.
  • Application integration. Most vendors partner to offer AV and content-filtering options.

To one-up the competition, some companies may start bundling full management console capability with VPN devices. While VPNs generally include modest management capabilities, many companies sell more robust management consoles separately. In most cases, these management consoles cost as much as the VPN appliance, so a bundled offering might be an attractive lure.

Overall, the strong levels of competition in the VPN market are generating rapid product development. The next stage in the product life cycle will begin to drive down prices. As vendors fight this trend by attempting to add features and capabilities, VPNs will become more powerful and simple to use. With the combination of low cost and high functionality, VPN devices will become an increasingly attractive solution.

About the author: Jason Wright is an industry analyst and program leader of security technologies for Frost & Sullivan, an international marketing, consulting and training company.

This was last published in June 2002
