Virtual Private Networks

Customer Premise Equipment for VPN Services - continued

Software-based VPNs
One more option to consider is the software-based VPN server. Products like Aventail's Extranet Center are essentially software deployed on general-purpose computers—typically someplace inside the customer's firewall. Software-based VPNs may operate as proxies that intercept application traffic and redirect it to another server. From an ISP perspective, this alternative can be attractive because it involves a single, dedicated device with greater independence from routing and firewall concerns. However, software servers only scale so far, and some customers may consider a general-purpose platform to be a security risk.

Customer sensitivities
Of course, there are other alternatives to consider: adding VPN support to a router that sits inside the firewall, locating VPN hardware on a DMZ, or placing VPN CPE parallel to your customer's router or firewall. Placement of CPE is not a simple question, and there are no easy answers. However, service providers must pay attention to a number of customer sensitivities regarding CPE placement and management.

• Customers who already own a firewall or access router may prefer to purchase a VPN add-on from the same vendor, rather than introduce another vendor's product. This is most relevant for turnkey VPN services. ISPs may be wise to qualify several products and allow customers to select the product that best meets their business needs.
• Customers may more readily accept introduction of new CPE than installing new software on existing customer-owned CPE. Turnkey service providers may find it useful to offer preconfigured "drop in" VPN hardware; managed service providers are better positioned to absorb the reconfiguration and tuning required to add VPN support to an existing managed firewall or access router.
• Customers will look to ISPs to recommend placement of CPE with respect to access routers and firewalls. This does not mean customers will allow ISPs to dictate placement—but it does mean that the most successful ISPs will be those prepared to discuss network topology issues, identify obstacles before deployment, and recommend solutions that overcome them.

The bottom line: treat CPE selection as a critical component of service deployment. Don't be swayed by vendor pitches that argue the best kind of CPE is the kind they happen to market. Listen to vendors, weigh their arguments, and talk to your prospective customers before making this strategic decision.

—End

return to the top of the article

Questions? Comments?
Drop a line to the Author or the Editors.