Mature product sectors are not generally known for their high level of innovation. Virtual private networks have been established for several years and you would expect these products to remain relatively static.
Nevertheless, VPNs are showing a level of technical creativity and industry activity generally seen in much younger products. And the sector is offering new alternatives to security-conscious users.
The VPN market breaks down into two main areas: the customer-based "VPN in a box", and managed VPN services on a private corporate network operated by telecoms providers. Research from Gartner Dataquest found these have grown by 27% and 40% respectively in the past year. The uptake of off-the-shelf VPNs has grown particularly strongly in medium to large enterprises worldwide.
Cisco is still the market leader in enterprise VPNs, followed by Checkpoint and Nokia. The companies, which continue to integrate VPNs and firewalls, control more than 60% of the market.
Analyst Peter Hulleman of IDC said there has been a flurry of activity around enterprise VPNs, particularly with the introduction of Secure Sockets Layer into newer products. Companies such as Neoteris and NetScreen have converted what was previously a browser-only security protocol for e-commerce into a mechanism for remote access.
"Although SSL VPNs are growing fast, it will still be a while before they really hit the mainstream," said Hulleman. "In the meantime, there is a whole range of companies fighting for market share and I would not be surprised if one of the more established players buys one of them."
Companies such as Aventail, which sells an SSL-based hardware VPN as a "clientless solution", are quick to promote the benefits of SSL over the traditional IPSec VPN encryption technology.
While SSL enables remote workers to access corporate computers from any client device on any network, as opposed to IPSec, which usually requires a client to use preconfigured software on a given network with a particular IP address.
While IPSec is considered to be more suitable for secure communication between fixed sites, SSL VPNs can be used anywhere. Aventail's datacentre SSL VPN appliance serves a Java agent to a client machine that operates as a temporary SSL VPN, making it possible for remote workers to use kiosk devices or internet cafes.
Senior staff at clinical laboratory equipment provider Dade Behring are using SSL VPNs from Aventail. Craig Ross, director of global communications services at the firm, said the key benefit is that it lets directors access the company's Domino groupware while travelling.
However, there have been some glitches. So far, the company has been unable to get its new SAP-based employee portal to work with the clientless SSL system. Ross said this is a temporary setback, but he is nevertheless cautious about SSL VPNs. He expects IPSec VPN equipment to remain a prominent part of the company's security infrastructure for at least the next 18 months.
Another alternative to IPSec is Crypto IP Encapsulation (Cipe). VPN supplier Equiinet is selling Cipe VPNs as an easy way of getting around some of the limitations of IPSec. These include difficulties with dynamic IP addresses which can cause problems when operating behind network address translation boxes, according to Keith Baker, director of special projects at Equiinet. One of the other main advantages of this technology is that it uses fewer tunnels than IPSec, making it easier to manage VPN links, Baker said.
If SSL is the watchword in the corporate VPN market, multi-protocol label switching (MPLS) is equally exciting to carrier-level VPN watchers. This packet labelling technology, from the Internet Engineering Taskforce, enables carriers to assign quality of service data to traffic travelling through the network without using data encryption. Instead, carriers create virtual private circuits between different MPLS endpoints over a shared IP network. They can be seen as an evolution of the Frame Relay and Asynchronous Transfer Mode technologies that have been popular since the late 1990s.
The fact that the MPLS Forum completed its merger with the Frame Relay Forum on 15 April is no coincidence. According to analyst Jill Finger Gibson of IDC, its use is peaking in many countries.
Frame Relay provides a basic quality of service facility over private circuits using its committed information rate facility. Moving to IP increases flexibility, but also creates the problem of protecting data running over a shared core.
MPLS provides tunnelling capabilities that eliminate the problem while retaining a different class of service for different traffic. Gartner expects MPLS to replace Frame Relay and ATM as the preferred technology by 2006, and this is already starting to happen.
UK data carrier Telewest has introduced a managed MPLS VPN service to complement its frame relay. Colin Dean, IT director at timber merchant Arnold Laver, used the Frame Relay service from Telewest to link the company headquarters with 18 regional offices after switching from dedicated kilostream links. He is now trialing the MPLS service which he believes will cut network costs further.
The type of VPN solution customers choose depends not only on security requirements, but also on the size of the company, the number of offices and the working practices of employees. With both IPSec and SSL VPN products now becoming available for personal digital assistants, we have not yet seen the end of innovation in this increasingly interesting market sector.
Secure Sockets Layer VPNs
SSL enables remote workers to access corporate information from any device, on any network at any location. Aventail's datacentre SSL VPN appliance serves a Java agent to a client machine that operates as a temporary SSL VPN, enabling remote workers to use kiosk devices or internet cafes.
Crypto IP Encapsulation
VPN supplier Equiinet is selling Cipe VPNs as a way of getting around the limitations of IPSec, which can include difficulties with dynamic IP addresses when operating behind network address translation boxes. Cipe uses fewer tunnels than IPSec, making it easier to manage VPN links.
Multi-Protocol Label Switching
Packet labelling technology from the Internet Engineering Taskforce enables carriers to assign quality of service data to traffic travelling through the network without using data encryption. Carriers create virtual private circuits between different MPLS endpoints over a shared IP network. Gartner expects MPLS to replace Frame Relay and ATM by 2006.
This was first published in June 2003