You have three months to expand your corporate network overseas to satisfy the chief executive's push for a global sales and distribution strategy. You could take the safe route and buy a few more leased lines, but when you're talking about dozens of connections in places like Mozambique and Tajikistan, is it really worth the cost and headache? Many CIOs are turning instead to virtual private networking because it takes advantage of the Internet's reach while bumping up its point-to-point reliability and security. Although the technology is still immature, a virtual private network (VPN) can slash networking costs by 50 percent or more. What's more, while it can take months to install a leased line in certain parts of the world, it's possible to add a user or office to a VPN in a day. The bottom line: CIOs are finding they can lower the technical barriers to entry in distant markets, where standard services like frame relay and T1 lines are unavailable, unreliable or unprofitable.
The arguments about VPNs' value are clouded by disputes over definitions.
Unfortunately for the CIO seeking clarity, the VPN nomenclature is used to describe a whole knot of networking technologies: frame-relay services, secure Internet connections and private IP-based networks from "premium" network service providers like Digital Island, IBM, CompuServe Interactive Services, GTE, Sprint, AT&T, UUNet Technologies or MCI WorldCom (a few more are probably agitating in the spin factory right now). In this story, we define the VPN as a simple point-to-point Internet-based network, the most popular form of the technology, according to Greg Howard, senior analyst with Infonetics Research Inc. in San Jose, California, and other network analysts.
Everything Old Is New Again
It may be the networking trend du jour, but the VPN concept is hardly new.
Remember tie-lines back in the 1980s? Telecommunications providers connected private branch exchange (PBX) boxes between corporate sites, enabling services like four-digit dialling between campuses. But the whole thing ran over the public voice network.
Similarly, VPNs carve out a private tunnel in the shared, public network of the Internet, carrying data from a remote office to the corporate mother ship.
They're cheaper than leased lines because users make only a local phone call to the nearest access point, or point of presence, of a service provider (whether network or Internet). Because leased lines are priced on the distance between their end points, the savings for international sites rerouting onto the Internet can be astronomical.
While it works well for branch offices, the technology is also becoming popular for mobile workers. Typically, users dial a long-distance or toll-free number from their laptops to access the corporate network, which is not only expensive but a management nightmare when modem banks and remote access equipment require upgrades or troubleshooting. With VPNs, road warriors require only dial-up software (part of Microsoft Windows 95 or available in standalone packages), VPN software and an Internet account. The Internet service provider (ISP) takes care of the rest.
Using a VPN for remote access, a company with 350 users and 31 hours of connection time per user per month can save $US 525,000 annually, according to Infonetics analyst Howard. While network providers like IBM and CompuServe also offer remote access services enabling local dial-up to their private frame-relay networks, the cost savings are not as great as with an Internet-based VPN. The ability to have users dial in through the Internet from places other than a branch office has inspired CIOs to consider VPN technology as a platform for connecting to partners and suppliers. "Imagine trying to connect 10,000 third parties," says Dan Merriman, vice president at Giga Information Group Inc. in Cambridge, Massachusetts. "That would be a nightmare with frame relay or private lines. With the Internet, all you do is ship out your IP address and you're off and running."
The following stories illustrate that while your network doesn't have to make your head throb, VPN is not a miracle drug. As is evident in the sidebar, "Where VPNs Fail" (Page 55), the industry has yet to resolve some of the problems inherent in the technology. And even Merriman admits, "I don't see the Internet replacing everything but evolving to fill in this nice continuum where you'll have different options."
Making Remote Offices Less Remote
Twentieth Century Fox Film Corp. raked in record revenues of $US 2.7 billion in 1998, thanks to films like Titanic, There's Something About Mary and The Full Monty. Still, CIO and Senior Vice President Justin Yaros didn't want to spend all of Rupert Murdoch's profits on a new network, and he's banking on a VPN to keep costs down. As demand for the company's films, home videos and interactive games surged over the last two years, the presidents of Fox's international businesses lamented their lack of tools to set strategy across regional offices around the world.
To address this, Yaros envisioned a $US 10 million suite of Web-based enterprise systems supporting sales, marketing, finance and distribution, set to be in place by 2000.
But the cost of installing leased lines in all 31 international sites left Yaros with sticker shock. "It would have changed the entire economic model of these projects," he says. Instead, Fox is connecting the sites to corporate headquarters with 128Kbps dedicated connections to UUNet's Internet backbone, using Novell Inc.'s Border Manager VPN product. The London, Mexico and Tokyo offices are already up, and 18 more sites are scheduled for deployment this spring. Employees are using the network to access e-mail, the Internet and customer, sales and other business data from Fox's servers in Los Angeles.
The Tokyo office is a shining example of how a CIO can shave the monthly telecom bill. Fox is paying $US 350 a month in charges to a local ISP, considerably less than the $US 7,000 to $US 9,000 a leased line would cost, says Nader Karimi, Fox's executive director for client computing services.
Karimi predicts the company will save at least $US 600,000 a year in e-mail transmission and file sharing costs from the first 21 sites, even after spending $US 6,000 to $US 8,000 to install new equipment at each site. Karimi's staff will also be able to monitor the network from Los Angeles, which will help the company maintain its goal of 99.9 percent uptime.
Still, both Karimi and Yaros acknowledge that the VPN is no silver bullet.
Because of security concerns on the Internet, Fox will maintain a leased line to parent company The News Corp. Ltd. in Sydney, Australia, for the exchange of confidential financial data. It's also keeping its CompuServe dial-up lines in place as a backup for recovering e-mail and will configure the network to route data through other hubs such as London in case the Los Angeles connection fails. Yaros says the VPN has not caused performance problems. Managing expectations, however, is another story. "People think they can send a 10MB PowerPoint presentation now that they have a network connection," Yaros laughs.
If all goes well, Fox will extend the VPN to its distributors and joint venture partners around the world and may even consider a VPN for telecommuters in the United States. More important, says Yaros, the VPN is providing the roots for a companywide intranet that will create a global community for Fox's thousands of international workers who are largely isolated today.
The Intranet Becomes an Extranet
While Fox is a big company using VPN on a small scale, The Forum Corp. is a small company using VPN on a big scale. A Boston-based global training and consulting firm, Forum is relying on a VPN to network both internal and external users. Several years ago, Forum's customers began to demand training programs that would serve their employees anywhere in the world. To do this efficiently, Forum needed a way for its 350 staff members to share knowledge.
At the time, the company relied on the only methods it could afford: fax machines and a few carefully located integrated services digital network (ISDN) connections.
The company established a VPN linking its Boston, Hong Kong and Toronto offices in early 1997 and added a link to its London office in early 1998. Initially, salespeople, consultants and software developers used the network for e-mail, intranet and file access, order processing, financial tracking and technical support. More recently, Forum added real-time collaboration, videoconferencing and online learning to the VPN. "At the time, we didn't even know it was a VPN," chuckles Enno Becker, Forum's director of technology infrastructure.
Today Forum's VPN supports all applications and communications (with the exception of telephone and fax) between the U.S. and international sites, and it's also bringing the company closer to its customers and suppliers.
Using security technology from Check Point Software Technologies Ltd. and Internet access with UUNet, Becker killed two birds with one stone. The VPN provides the same 128Kbps bandwidth as the ISDN line in the Hong Kong office, but at roughly $US 3,000 in monthly ISP fees compared with the $US 9,000 monthly ISDN bill. In London, a larger, busier office where speed is more important, Forum was able to quadruple the bandwidth from 56Kbps to 256Kbps between its office and the ISP for an added cost of only $US 1,000 a month.
Such improvements in speed and the resulting productivity boost help Forum be more responsive to its clients, Becker says. The one caveat, however, is that companies can control the bandwidth only from their sites to the ISP on both ends of the connection. In between, data is subject to the whims of the public Internet.
Most recently, Becker allowed several of Forum's customers and software development partners to collaborate in real-time on the development of training software over the VPN, essentially using it as an extranet. "Having secure connections with our customers is the thrust behind our ability to provide online learning," he says. Users can test software, access technical documents, run customer demos or download information from Forum's servers.
A simpler, cheaper and more accessible network may allow small, growing companies like Forum to stay nimble and win business in new markets. Becker says it's only a matter of time before Forum has standardised all its networking on the VPN, allowing users to connect directly to the Internet and headquarters from wherever in the world they may be.
Staying in Asia, Despite Hard Times
Forum's ability to base its entire network on a VPN is the exception rather than the norm, of course. For bigger companies, VPN technology works best as a stopgap. Black & Veatch Corp., a $US 1.8 billion engineering construction company for the power industry, is using a VPN to meet a temporary but urgent need. When deregulation in the U.S. market slowed growth in construction of new power plants five years ago, Black & Veatch began to look overseas for customers. The company now earns 55 percent of its revenues overseas, primarily in Asia, South America and the Middle East, where demand for new plants is still growing rapidly.
However, with the Asian financial crisis of 1997 and 1998, business in the region suffered. Black & Veatch wanted to keep its Asian offices open but needed to economise wherever it could. Frank S. Becker, client services manager with Black & Veatch Solutions Group (the company's former IT department, now a subsidiary), decided that a VPN would make a thrifty alternative to leased lines in its smaller offices. "What would cost $US 1,000 a month here would be $US 11,000 in Asia," he says.
The company set up a VPN in its Indonesia, Singapore and Thailand offices, letting them dial in to a local ISP. Because it used the point-to-point tunnelling protocol (PPTP) built into the Windows operating system, Black & Veatch didn't have to buy additional software. The Solutions Group administers the network remotely from corporate headquarters in Kansas City, Mo. One hundred employees are now using the VPN as their primary network for Internet and intranet access, sending e-mail and downloading marketing and financial data from Kansas City. Becker says that for the Jakarta office, the VPN costs around $US 40 per person in monthly ISP charges. For those 25 employees, that comes out to about $US 1,000 a month.
The VPN is not an option for offices with users who need to access Black & Veatch's proprietary engineering design software (for which Black & Veatch won a CIO Enterprise Value Award; see "Reengineering the Engineering Business," CIO Section 1, Feb. 1, 1998). The software was developed as a client/server application, which Becker says would bog down the VPN. In the meantime, the company is working on a browser-based version of the system that could feasibly run over the VPN someday. When employees travel, they use IBM's network for remote access rather than the VPN because IBM's dial-up software is easier for users than finding numbers for the nearest ISP, Becker says. Even so, the company is still saving anywhere from 50 percent to 70 percent with IBM by avoiding long-distance charges.
Running a mixed network gives the company more flexibility and is well worth the added complexity, according to John Voeller, chief knowledge officer and senior vice president for Black & Veatch and chief technology officer for the Solutions Group. Applications like the engineering software that require the bandwidth and reliability of a leased line are costly, he says, but those costs are now offset by inexpensive VPN technology for users who need access only to the intranet or e-mail.
Is There a VPN in Your Future?
If you believe what the pundits say, everybody who's anybody will be doing the VPN thing before long: Infonetics' Howard predicts that the total market for VPN products and services will balloon from an estimated $US 755 million in 1998 to $US 5.75 billion by the year 2000. However, for large enterprises a VPN may simply provide redundant links with foreign subsidiaries in case the leased lines fail, Howard notes. In industries like health care, security concerns are still so high that VPNs haven't been a cure for much yet.
Forum's Becker gives three pieces of advice for VPN pioneers. First, choose a reliable ISP that can provide Internet access everywhere; using a single vendor avoids security and performance problems that may stem from hopping between ISPs. Second, for an easier implementation, stick with a single VPN vendor that incorporates firewall and encryption tools in one package. Finally, remember that simplicity enhances security: Avoid extra features from the vendor, and assign only one password per user.
Even as the world shrinks, it becomes apparent that no one networking infrastructure fits all companies, or even the same company in different regions. By using VPN technology as a flexible component of their global networks, CIOs can adapt their strategies as needed, quickly and inexpensively.
(Senior Writer Polly Schneider can be reached via e-mail at email@example.com.)
Where VPNs Fail
Before you decide to replace your global network with a VPN, consider the potential roadblocks
Shaky performance.
While the big ISPs that carry traffic entirely on their own backbone can guarantee some level of reliability and response time, most analysts warn against using VPNs for real-time interactive customer applications or transaction processing. "I think the gating factor is not security anymore but performance," says Edward M. Roche, vice president and research director of The Concours Group, a research, management consulting and education practice in Kingwood, Texas. "With frame relay you can buy performance and get 100 percent guarantees. With the Internet, you can't do any of that."
Security and standards.
Strong encryption is widely available, and sophisticated network monitoring tools can alert companies to potential weaknesses before hackers find them. The real problem lies in exporting encryption engines outside the country.
Regulations in some countries require stronger products than U.S. export regulations allow (40-bit for most industries); others don't permit encryption at all. A lack of standards for interoperability between VPN software is also an impediment for companies wishing to extend the VPN to partners, suppliers and customers. Greg Howard, senior analyst with Infonetics Research Inc. in San Jose, California, says this will block the growth of VPN-based extranets for at least another year.
Trying to set up the encryption for his company's VPN kept Enno Becker, director of technology infrastructure at The Forum Corp. in Boston, awake an entire night in London. And Microsoft's point-to-point tunnelling protocol (PPTP) for dial-up users has been a bear to install and maintain. Often, companies have little support from the vendors, Becker adds. "In the case of frame relay, if something breaks, it's usually the telecommunications provider's responsibility," he says. While Forum decided to keep its technology in-house, CIOs can outsource the VPN to the network service provider and eliminate these problems.