When virtual private networks (VPNs) first emerged, they were promoted as a relatively simple means of cutting the costs of wide-area networks (WANs). But recent trends in the burgeoning VPN market are making implementation less easy to justify on the basis of cost savings, and are blurring the distinction between VPNs and traditional leased line services.
The benefits of VPN technology were probably more obvious to IT managers in the early days than they are now. VPNs first appeared as a way for technically savvy users to bypass the telecoms operators. As with other Internet ideas, VPNs have been appropriated by the service providers and are now firmly established as one of a range of wide-area network (WAN) services that they offer to corporate buyers.
WAN extensions
The underlying idea of Internet Protocol (IP) VPNs is very simple. Business users want private networks, to send information between offices easily and securely. Traditionally they have paid heavily for leased lines and secure circuits on service provider networks, implemented using technologies such as Asynchronous Transfer Mode (ATM). Then came the Internet, a public network based on IP, which is cheap to access, but which is considered insecure.
Network experts came up with a simple idea to solve this security problem. By encrypting data packets, it is possible to set up a secure 'tunnel' between computers across a public IP network. Packets are encrypted at one end and decrypted at the other, so they cannot be read while on the public Internet. With a VPN set up, users would be able to get secure communications between two computers, even if both were connected only by primitive links to the Internet.
Taking advantage of these secure links could be complicated. IT managers had to understand cryptography, get encryption hardware and/or software for each site on the VPN, ensure it all worked with the Internet connections and with the applications, and be ready to sort things out when it went wrong. As such, take-up of user-installed and supported VPNs was never very high, with the exception of leading-edge users. For most people, the savings on WANs did not justify the extra effort, uncertainty and unreliability, especially as WAN connection prices had been coming down fairly sharply anyway.
At this stage, the service providers woke up to the potential of IP VPNs. Although they had been conceived as a way to bypass expensive WAN options, the more farsighted providers realised that VPNs could be a good way to extend their own WAN services, as WAN services were traditionally limited to places where service providers could lay cables or reach the end-user with a service from another provider.
Quality of service
Traditional telecoms carriers feared IP VPNs would undermine the profits from their more expensive WAN offerings. But carriers with limited WAN services realised VPNs could be a strong competitive offering. As a result, all major service providers now offer, or plan to offer, IP VPNs. They see it as a way to take WAN services to a wider market, and offer more sophisticated services to their customers.
There is evidence that users are welcoming these new services. A 2001 study of European firms by Infonetics Research found around 20 percent of users were making some use of VPNs, and the proportion was set to rise rapidly, especially in the more technologically advanced corners of Europe. In Scandinavia, 57 percent of the sample said they expect to be using VPNs by 2005, for example. Infonetics predicts that European expenditure on VPN services will rise from $972m in 2000 to about $12bn in 2005.
Unfortunately the telecoms providers face many of the same problems as the VPN pioneers. Traditional VPNs require a lot of effort to install and maintain and, for a service provider, it can mean a lot of costly visits to customer sites. This activity eats into the profit margins.
To reduce these overheads, service providers would therefore like to move VPNs on from being based on equipment at customers' sites to being network-based offerings that can be set up remotely and maintained entirely at the service providers' own premises.
Many are often thwarted in this ambition, however. Service providers cannot completely eliminate the need to have equipment on site. One of the most popular uses for VPNs is for remote access, to link mobile users and teleworkers to corporate networks. In most cases, this can only be achieved by installing VPN equipment at the customer's premises.
Nor is the competition between VPNs and traditional WANs quite so clear-cut as some VPN promoters suggest.
Companies may fear reliability problems if their traffic travels over a public IP network such as the Internet. Many companies are used to paying a lot of money for very reliable leased-line connections, and if they are happy with the service they receive they may be reluctant to move to VPNs.
Also, WAN costs are still falling rapidly, making it harder for firms to justify moving to VPN technology on the grounds of cost savings alone.
But the biggest hurdle for VPNs, at least in Europe, is likely to be problems with coverage and quality of service.
Corporate customers usually expect guarantees for quality of service, but it may be difficult for a service provider to offer guarantees unless the network is entirely under its own control. This means they are finding it hard to offer VPNs that really compete with traditional WANs. The service providers' VPNs either have a very limited geographical coverage, or they have sections carried by other service providers, where no service level agreements apply.
It may well be that with Multiprotocol Label Switching (MPLS) networks and other developments (see "MPLS makes VPNs cheaper", below), service providers will be able to pass traffic between each other, maintaining specific service levels, but this capability is some way off at the moment.
The shrinking number of service providers in the European marketplace may make it easier to develop the multilateral agreements needed to provide these service level guarantees. But for now, VPNs as delivered by service providers still fall short of their promise.
MPLS makes VPNs cheaper
Traditional VPNs use hardware or software installed at the user's site to set up and manage the encrypted tunnels that link computers on the VPN across the public network. This is what service providers call customer premises equipment (CPE). The drawback is that because the equipment is dispersed, it needs a lot of effort by the service provider to install and maintain.
As an alternative, if a service provider owns the network over most of the distance between customer sites, it can set up encrypted tunnels within the network itself. In many cases, the last step of the VPN is over a leased line or a dial-up link, where there is no danger of packets being intercepted, so it is only necessary to encrypt traffic on the service provider's network. The ability to set up VPNs for multiple clients is being added to network 'edge' equipment, the devices that connect directly to subscribers.
Beyond this, Multiprotocol Label Switching (MPLS) may be added to IP networks. It allows network operators to engineer traffic and set up circuits between parts of the network, while rigidly separating traffic flows and supporting quality of service guarantees.
Service providers can set up VPNs without encryption, relying on MPLS to keep individual users' traffic apart. MPLS is expected to become widespread, and MPLS-based VPNs should be cheaper and more flexible than encrypted VPNs, even network-based ones. Of course, with this step, Internet Protocol (IP)-based VPNs become very similar to the ATM virtual circuits that already exist. However, as with most things IP, they should be cheaper and more flexible when they are implemented.
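The label-based separation described above can be sketched as a small model. This is an added example, not code from the article or from any vendor: it is a simplified single-label model of a provider edge (PE), and the customer names, prefixes, PE names and label values are all constructed. It shows that two customers can reuse the same private addresses and still be kept apart, that the payload crosses the provider core unmodified, and that the separation depends entirely on correct provisioning at the edge.

```python
import ipaddress

# Constructed sample: two customers reuse the same private prefix.
# Per-customer routing table at the ingress PE: prefix -> (egress PE, VPN label)
VRFS = {
    "cust-a": {"10.1.0.0/16": ("pe2", 101)},
    "cust-b": {"10.1.0.0/16": ("pe3", 202)},
}
# Label table at the egress PEs: (PE, label) -> (customer, site)
EGRESS = {
    ("pe2", 101): ("cust-a", "a-branch"),
    ("pe3", 202): ("cust-b", "b-branch"),
}

def ingress(vrf, dst_ip, payload, vrfs=VRFS):
    """Ingress PE: route in the customer's own table and push its VPN label."""
    addr = ipaddress.ip_address(dst_ip)
    for prefix, (egress_pe, label) in vrfs[vrf].items():
        if addr in ipaddress.ip_network(prefix):
            return {"egress_pe": egress_pe, "label": label,
                    "dst": dst_ip, "payload": payload}
    raise LookupError(f"{vrf}: no route to {dst_ip}")

def core_view(frame):
    """What a device in the provider core can read: labels do not hide data."""
    return frame["payload"]

def egress(frame):
    """Egress PE: the label alone decides which customer receives the packet."""
    key = (frame["egress_pe"], frame["label"])
    if key not in EGRESS:
        raise LookupError(f"unknown label {key}")
    return EGRESS[key]

def misprovisioned_delivery():
    """A provisioning error at the ingress PE: cust-a's route carries cust-b's label."""
    bad = {"cust-a": {"10.1.0.0/16": ("pe3", 202)}}
    return egress(ingress("cust-a", "10.1.2.3", b"payroll", vrfs=bad))

if __name__ == "__main__":
    a = ingress("cust-a", "10.1.2.3", b"payroll")
    b = ingress("cust-b", "10.1.2.3", b"orders")
    print(egress(a), egress(b))        # same address, different customers
    print(core_view(a))                # payload readable inside the core
    print(misprovisioned_delivery())   # delivered to the wrong customer
```

A customer who needs confidentiality from the provider network itself, rather than only separation from other customers, still has to encrypt traffic before it reaches the provider edge.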











