
Virtual Private Networks
Dial VPNs: Revenue Opportunity or Headache?
If you haven't yet started thinking about Virtual Private
Networking, it's time to get cracking: VPN service offerings are already
a clear value-add for ISPs. However, there are still significant hurdles
to deployment.
Lisa Phifer
VP, Core Competence, Inc.
The promise held out by VPNs of reducing enterprise networking costs
by leveraging shared infrastructure creates a compelling business opportunity
for ISPs. By replacing privately-operated modem pools and terminal servers
with Internet-based remote access for corporate travelers, teleworkers,
and business partners, enterprises can achieve dramatic return on investment.
Several top-tier ISPs, from GTE Internetworking to Concentric Networks,
have already launched dial VPN services that capitalize on this fast-growing
market. Recent surveys show that by 2000, thousands of ISPs plan to be
offering VPN to their business customers, and expect fully 20 percent
of those customers to use VPN. It's looking like an act-now-or-fall-behind-the-curve
situation.
Choosing the best way to offer a dial VPN service, however, is a complex
equation of technologies, protocols, and topologies, with no one-size-fits-all
solution. But when asked to name the biggest barrier to VPN deployment,
"VPN Day" panelists at Networld+Interop Las Vegas readily agreed: the
"lights out" environment represented by the corporate user's PC. This
won't surprise anyone who's rolled out an enterprise service requiring
desktop software installation or configuration. So how can ISPs improve
dial VPN service uptake by minimizing impact on end users?
Make it compulsory.
One approach is to eliminate custom software at the end user. So-called
compulsory VPNs accomplish this by placing the remote end of the "tunnel" (the
authenticated/secure path between users and the enterprise network) at
the ISP network access server. The enterprise contracts an ISP to provide
a compulsory VPN; users dial into POPs operated by that ISP. What's the
catch? Toll savings depend upon ubiquity of dial POPs; this approach may
limit suitable POPs. Traffic on the link to the NAS is unsecured; traffic
from the NAS to the enterprise may or may not be secured, depending upon tunnel
protocol. This may be perfect for some customers, but may not satisfy
security policies elsewhere.
Use built-in protocols.
Another approach is to utilize software already present at the end user: specifically,
tunneling support built into the operating system. Only PCs running Microsoft
Windows NT RRAS or Windows 98 Dial-Up Networking meet this description
today. Over the next year, expect to see OS vendors integrate standard
tunneling protocols like L2TP and IPsec into native TCP/IP stacks. This
eliminates the biggest headache experienced by early-to-market VPN providers:
installing software on a seemingly infinite variety of desktops. That
said, companies can be slow to roll out OS upgrades, and remote tunnel
configuration is still required.
Get creative.
Innovative solutions here represent a largely untapped market for service
providers:
- Enable centralized configuration and automated distribution by you
or your customer. For example, Microsoft's Connection Manager allows
an admin to generate and distribute Windows DUN entries to client PCs.
Check out the growing crop of VPN products offering policy-based management.
- An ounce of prevention is worth a pound of cure. For example, GTE
Internetworking provides its VPN Advantage customers with a browser-based
Prep Tool that allows a server to interrogate a user's PC, identify
required OS upgrades, apply patches, and verify correct configuration
of Microsoft Networking, TCP, and hardware profiles before VPN
client installation.
- Don't underestimate the need for hand-holding. The quality of your
help desk may ultimately determine customer satisfaction. VPN technology
is new and complex; train support staff accordingly.
Minimizing end-user impact is essential to keep your customer's customer
happy. ISPs who successfully meet this challenge can turn the end-user
VPN deployment "barrier" into a business opportunity.