Is the Internet the New WAN?

After close to two decades — a lifetime in information technology — the traditional corporate wide-area network (WAN) may be headed for the endangered-species list. The usurper: Internet-based virtual private networks (VPNs). Instead of depending on dedicated leased or owned lines, VPNs use a variety of technologies to carry data traffic over public networks in a secure and private manner. And as they are becoming increasingly competitive in terms of cost, flexibility and capacity, organizations of all sizes are taking notice.

However, migrating from leased lines to broadband isn’t a slam dunk. IT managers must select VPN vendors with the appropriate levels of support and technology, and make sure the system meets the enterprise’s needs for security and performance on an ongoing basis.

Expert Advice on Call

IT departments can choose between the do-it-yourself approach — installing their own software and building their own VPNs in-house using a standard business broadband connection — and purchasing VPN services from a carrier.

In general, the availability of in-house expertise is one of the most significant issues an IT department faces in implementing a VPN. IT managers should assess their department’s skill sets and decide whether the in-house expertise exists to plan, design, implement and monitor a VPN. If such expertise is lacking, it makes more sense and may be more cost-effective to use a carrier-provided VPN.

In a recent survey by In-Stat, an industry analyst based in Scottsdale, Ariz., the key reasons enterprises gave for using carrier-provided VPNs were higher cost-benefit ratios and the desire to converge voice and data services on the same transport facilities. Converging voice with data offers opportunities to save overhead costs, but it can be technically challenging, since changes in data traffic can easily affect the quality of voice service and vice versa. “When carriers provide the IP VPNs, they bring their expertise to the table,” explains In-Stat senior analyst Steve Hansen.

But that doesn’t mean they do all the work. Even with a carrier-based VPN, the IT department may be in charge of much of the day-to-day administration. Typically, the vendor will be called upon to address issues beyond the scope of the in-house team’s capabilities, such as solving difficult problems or assisting with planning. The vendor also usually takes responsibility for fundamental requirements, such as meeting service-level agreements for network availability and mean time to repair.

How Private is “Virtually Private”?

Security can be the decisive factor in choosing between DIY and carrier-based VPNs. Because security administration is complex, some DIY VPN implementations have proved to be less than fully secure. But even though carrier-based VPNs have rarely presented security problems, Hansen argues that “it’s dangerous to say that security is not an issue.” His advice: Find a carrier that will perform a security audit, offer advice about security vulnerabilities and suggest the best ways of addressing them in each particular situation.

Most carrier-provided VPNs use the IPsec protocol, which operates at the network layer, for security. However, a recent report by Infonetics Research in Campbell, Calif., found that enterprises with heightened security needs were increasingly choosing the Secure Sockets Layer (SSL) protocol, which now accounts for about 21 percent of VPNs.

“SSL allows companies to limit user access to a few specific applications or data sources, and does so at the application layer, which is an improvement in security over IPsec,” says Jeff Wilson, principal analyst for VPNs and security at Infonetics Research. Another benefit: SSL can be quickly set up as a disaster recovery solution, decreasing network downtime when other forms of access fail.

Ensuring High Performance

Some IT managers are reluctant to move critical services from leased lines, concerned that a broadband IP connection may not provide the level of performance they require. Migrating from a DS3 leased line to a DSL broadband line with equivalent bandwidth may not present a problem, but migrating from a high-capacity fiber leased line might degrade performance unless fiber-based Internet access is available. “You have to make sure what you’re moving is compatible with the network performance criteria of the network you’re going to,” Hansen says.

Bandwidth isn’t the only requirement for high performance. In applications where quality of service (QoS) is the driving factor, such as voice, videoconferencing and an increasing number of data applications, Multiprotocol Label Switching (MPLS) is emerging as the preferred standard. Many enterprises are finding that with a VPN based on MPLS, they can more easily meet service-level agreements for metrics like latency (the time it takes for a packet to get from one point to another), packet loss (packets dropped in transit, typically because of congestion) and other equally important components of QoS.

The bottom line: Implementing and managing a broadband-based network is not a trivial task. Before migrating enterprise applications from a dedicated-line infrastructure to an Internet-based VPN, you will need to address issues of security and network performance, and put a team in place — using in-house or vendor resources, or some combination of the two — that can set and meet appropriate service levels for the network.