Network-Based VPN Services

An IP VPN can provide higher bandwidth at lower costs than a Frame Relay network. We evaluated services from four worthy competitors. Newcomer Virtela offered the best value, with its

January 16, 2004


Winging It

We witnessed the vast price difference when carriers and providers of IP VPN services responded to the RFI we created for a fictitious aircraft manufacturer, Wing and a Prayer (WAAP). The one MPLS proposal we received was the most expensive solution.

In our RFI scenario, we informed vendors that WAAP intends to eliminate frame relay if it finds a solution that's more cost-effective and equally secure (see "IP VPNs on a Wing and a Prayer,"). WAAP has offices and manufacturing plants in Atlanta; Chicago; Fort Worth, Texas; Palmdale, Calif.; and Wichita, Kan. Employees use the company's simple frame relay network to transfer files and e-mail from one plant to another. Currently, the Wichita corporate office employs a full T1 line; Chicago has 768 Kbps, and the other offices each have a 512-Kbps connection. WAAP is looking to cut costs and maintain the same level of service.

Figure: Virtela's IP VPN

We asked our respondents to provide a comparable IP network scenario and discuss its security and SLA (service-level agreement). MCI, Qwest Communications International, TManage and Virtela Communications all provided responses that met our requirements, and offered several workable options. AT&T, BellSouth Corp., Masergy Communications, Sprint, SBC Communications and Verizon Communications declined our invitation to participate, each citing time constraints.

We graded our respondents on the ease of migration to the carrier's network, ability to make bandwidth changes, options for traffic prioritization, data security, SLAs and price. We felt the last three criteria were the most important, weighting each at 25 percent of the overall score (see our Report Card).

Where's MPLS?

Figure: IP VPN Pricing

MPLS will evolve into the preferred replacement for frame relay and private-line networks by 2006, according to Gartner, but only one of our respondents has moved in that direction so far. Of the five proposals we received, just one was an MPLS solution: MCI included MPLS as an option alongside its public Internet solution. The MPLS proposal was far more expensive than any other in the group, and $2,000 per month more than MCI's alternative. Still, MCI's MPLS security level came closest to the existing frame relay network's security. Qwest, TManage and Virtela all proposed encrypted tunneling over standard IP networks, which we scored as less secure than MPLS's carrier-enforced separation.

Two carriers, MCI and Qwest, run the data over their own networks, while Virtela and TManage rely on other carriers and Tier 1 networks to tunnel data. In addition, Virtela can service only those areas that are near one of its PoPs (points of presence). We thought this setup might be a problem for the Wichita office, but Virtela had no issues with any of our addresses. TManage doesn't place its own equipment at the PoPs, but instead places equipment at the customer premises to handle the data tunneling. Although this method of doing business has placement and price benefits, the up-front equipment costs were a little higher than we would have liked.

After considering WAAP's requirements, we gave the Editor's Choice nod to Virtela. Its combination of security, ease of migration and a comprehensive SLA offered the best value. As the youngest company to take part in our RFI, Virtela came out fighting. In addition to offering good value, the vendor provided the most comprehensive and information-packed RFI response we could ask for.

Founded in April 2000, Virtela has created an IP VPN infrastructure that spans 190 countries. The company's approach to providing VPN services reminds us of Savvis in its early days, which lacked a network of its own but provided access to those of other carriers. Virtela operates in a similar manner, by placing traffic on the best network available. Because Virtela's VPN hardware remains at the PoP, not the customer premises, WAAP would not require any equipment changes. This method of deployment also makes software upgrades easier as Virtela only needs to upgrade its own PoPs, not the customer premises, with new VPN technology. And the initial installation fee is low--just $2,700, followed by a $4,130 monthly charge, based on a two-year contract.

For actual network traversal, Virtela interconnects its PoPs from multiple Tier 1 backbone providers, which deliver network resiliency and the best path between two points. Virtela chooses the optimal path for each customer connection based on latency, packet loss and jitter.

Virtela leverages the vast amount of unused bandwidth on Tier 1 networks around the country for its solution. Creating a worldwide network without laying any fiber or paying for huge network operations enables the vendor to keep its prices down.

In its response to our RFI, Virtela provided a detailed outline of how it would switch WAAP from frame relay to its own network. The transition would be complete in 30 to 45 days, on par with most of the proposals.

Virtela also provided impressive sample reports. VirtelaView, the vendor's secure, Web-based customer NMS (network-management system), lets customers view usage and network-performance stats, as well as monitor, provision and manage their connections from any Internet browser. Reports provide end-to-end statistics on latency, packet loss and jitter, as well as application-level reporting. Customers can see what type of traffic is moving between locations, and this data can be graphed over time for easier reading and comparison.

VirtelaView also lets customers generate and view trouble tickets, which can be organized by site, date, status, type of trouble or end resolution. The only time a customer probably wouldn't be able to generate a trouble ticket is if the local loop--the only piece of the network without backup--were down. Service changes, such as bandwidth changes, can also be made through VirtelaView. Such requests, made via the Web interface, take no more than three days to implement, assuming the increase doesn't exceed physical line capacity.

Virtela provides three CoSs (classes of service): gold, silver and bronze, each based on a combination of queuing and DSCP (DiffServ Code Point) markings. Traffic leaving the customer premises is marked with a DSCP value derived from the traffic mapping for that particular application or traffic type. Any traffic not mapped to a specific type, as well as any traffic from the public Internet, is always marked bronze, so a marking set by an outside host is never honored as gold or silver.
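The marking step described above, written out as an added example; this is not Virtela's code, and the codepoints (EF for gold, AF31 for silver, best effort for bronze), the application-to-class map, the 10.0.0.0/8 "trusted" range and the test packets are all assumptions made for the illustration. The security-relevant point it shows is that the customer edge rewrites the DSCP of every packet it forwards, so a spoofed high-priority marking arriving from the Internet is reset to bronze rather than trusted:

```python
# Added example (not Virtela's code): customer-edge DSCP marking for a
# gold/silver/bronze scheme. Codepoints, the application map, the trusted
# address range and the packets built below are assumptions.
import ipaddress
import struct
from dataclasses import dataclass

# Assumed codepoints: EF for gold, AF31 for silver, best effort for bronze.
DSCP_BY_CLASS = {"gold": 46, "silver": 26, "bronze": 0}

# Assumed application map keyed by (IP protocol number, destination port).
CLASS_BY_APP = {
    (17, 5060): "gold",    # SIP signalling over UDP
    (6, 5060): "gold",     # SIP over TCP
    (17, 16384): "gold",   # RTP media (first port of the usual range)
    (6, 445): "silver",    # SMB file transfer between plants
    (6, 22): "silver",     # SSH
    (6, 25): "bronze",     # SMTP explicitly best effort
}

# Only flows between the company's own sites are eligible for gold or silver.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: int


def parse_flow(pkt: bytes) -> Flow:
    """Pull the four fields the classifier needs out of a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    dport = 0
    if proto in (6, 17) and len(pkt) >= ihl + 4:
        # TCP and UDP both carry the destination port in L4 bytes 2..3.
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return Flow(src, dst, proto, dport)


def classify(flow: Flow) -> str:
    """Choose a class; anything touching the public Internet is bronze."""
    def internal(addr: str) -> bool:
        return any(ipaddress.IPv4Address(addr) in net for net in TRUSTED_NETS)
    if not (internal(flow.src) and internal(flow.dst)):
        return "bronze"
    return CLASS_BY_APP.get((flow.proto, flow.dport), "bronze")


def tos_byte(dscp: int, ecn: int = 0) -> int:
    """DSCP is the top 6 bits of the old TOS byte, ECN the bottom 2."""
    return ((dscp & 0x3F) << 2) | (ecn & 0x3)


def ip_precedence(dscp: int) -> int:
    """Top 3 bits of the DSCP, which legacy IP-precedence queuing reads."""
    return (dscp >> 3) & 0x7


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement header checksum; returns 0 for a valid header."""
    total = 0
    for i in range(0, len(header), 2):
        word = header[i] << 8
        if i + 1 < len(header):
            word |= header[i + 1]
        total += word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def remark(pkt: bytes, cls: str) -> bytes:
    """Rewrite the DSCP (keeping the ECN bits) and recompute the checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[1] = tos_byte(DSCP_BY_CLASS[cls], hdr[1] & 0x3)
    hdr[10:12] = b"\x00\x00"
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


def mark_at_edge(pkt: bytes):
    """What the customer-edge router does to every outbound packet."""
    cls = classify(parse_flow(pkt))
    return cls, remark(pkt, cls)


def build_packet(src: str, dst: str, proto: int, dport: int,
                 dscp: int = 0, payload: bytes = b"") -> bytes:
    """Constructed test packet: 20-byte IPv4 header plus a UDP-shaped L4 stub."""
    l4 = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    hdr = bytearray(struct.pack(
        "!BBHHHBBH4s4s", 0x45, tos_byte(dscp), 20 + len(l4), 0x1234, 0x4000,
        64, proto, 0, ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + l4


if __name__ == "__main__":
    sip = build_packet("10.1.1.5", "10.2.2.9", 17, 5060)
    spoofed = build_packet("198.51.100.7", "10.2.2.9", 17, 5060, dscp=46)
    for p in (sip, spoofed):
        cls, out = mark_at_edge(p)
        print(cls, out[1] >> 2, ip_precedence(out[1] >> 2))
```

The `ip_precedence` helper is there because a provider that still queues on the older three-bit IP Precedence field reads only the top three bits of the DSCP, so a scheme that relies on the full six bits degrades on such a hop; checking what each transit network honors is part of evaluating any CoS promise.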

Virtela offered one of the best SLAs, with 70-ms round-trip latency, less than 0.1 percent packet loss and a four-hour hardware-replacement policy--pretty impressive, considering we would be utilizing our own existing hardware in-house, not equipment supplied by Virtela.

Virtela VPN. Virtela Communications, (877) 803-9629. www.virtela.com

If you're wedded to the notion of using a carrier for your IP VPN services, you'll be pleased to know that Qwest came in a close second to Virtela. Qwest's offering is based on a private routed network. It requires no additional hardware at WAAP's premises and provides all the VPN functionality at each of the PoPs. As such, its price is competitive: $3,000 for the initial installation and $4,350 per month. Qwest's only requirement, for the Cisco Systems gear we specified, was that our routers run IOS 11.2 or 12.0(7), since these versions provide built-in encryption and tunneling. Easy enough.

Qwest provided a clear network description and explained how traffic would traverse the network from site to site or to the Internet. This gave us confidence. All site-to-site traffic would be encrypted with either DES (Data Encryption Standard) or 3DES (Triple DES) over the network; of the two, only 3DES should be specified, since single DES's 56-bit key was already within reach of brute-force hardware. All traffic to the Internet would go via NAT (network address translation) through one of Qwest's firewalls. With this method, each remote site could send traffic directly to the Internet without first going through the corporate site. That is a change from WAAP's current design, in which all Internet access egresses through Wichita, and it makes the carrier's firewall policy the control point at every site.

Installation would take about 45 days; only TManage's installation time was longer. To its credit, however, Qwest was the only respondent that provided and explained options on how the cut-over would be performed.

Qwest, like our other respondents, offers a browser-based reporting system, Qwest Control, which covers everything we would expect. Qwest Control also lets customers view firewall and NAT policies, as well as reconfigure those policies on the fly. Invoices can be viewed, and online payment is available.

Although firewall changes can be made on the fly, the same is not true for bandwidth changes. According to Qwest, these changes require five to 10 business days, assuming the loop bandwidth is available.

Qwest's SLA is attractive, with on-net latency guaranteed as low as 50 ms and off-net only 95 ms to certain other IP networks. (Qwest would not define which networks "certain" meant.) Packet-delivery guarantees are also acceptable, with Qwest promising not to lose more than 0.5 percent within the United States. Overall, pricing is almost, but not quite, as attractive as Virtela's. We asked Qwest for pricing over a two-year period (which is what Virtela gave us), but we didn't receive a timely response.

Qwest fell short only in its traffic prioritization: Basically, right now, Qwest doesn't have any. To get around this lack of CoS offerings, the vendor has overbuilt its private routing network to make sure that packets aren't sitting around the core routers waiting for bandwidth. CoS can be enabled at the premises routers to manage traffic heading toward the network, but from there, anything goes. Qwest acknowledged that customers prefer some sort of CoS, and said it's actively developing a future enhancement to rectify this shortcoming.

Private Routed Network and Dedicated Internet Access. Qwest Communications International, (800) 743-3793. www.qwest.com

MCI was the only vendor to come up with two different responses to our RFI. Both solutions, however, were extremely pricey.

Because our fictitious manufacturer's goal is to cut costs, neither solution would fit WAAP's need, even if the renamed WorldCom has returned to the level of service the classic MCI--known for being expensive but providing better service than its competitors--once offered. MCI's Private IP Service, the only MPLS-based service in this RFI group, would certainly bust our budget, with $9,282 in monthly charges on top of a $3,700 installation charge. The good news is that with Private IP, WAAP could keep its routers and have the new service within nine days. The bad news is that this option really doesn't eliminate frame relay at the edge, nor does it save money.

Private IP uses MPLS and rides on top of MCI's existing frame and ATM networks. This has several benefits. First, the carrier keeps WAAP's data separate from other customers' traffic, much as a conventional frame relay network does; note that this is separation, not encryption, so confidentiality against the carrier itself or a mis-provisioned path still requires IPsec on top. Second, MPLS traffic engineering can steer packets onto different label-switched paths according to traffic class and the bandwidth required. Among the proposals we received, MCI's Private IP offers the strongest protection for WAAP's data as it traverses a network.

However, there would be no cost savings in moving from WAAP's existing system to Private IP. When asked to explain the ROI of Private IP versus our company's current frame relay network, MCI refused to discuss hard cost comparisons. Instead, the vendor discussed the advantages of not needing to create PVCs between each site. We agree with MCI that MPLS has advantages for large configurations, where a fully meshed network can be a pain to manage. However, PVCs don't need to be created for locations that may have a small amount of traffic passing between them.

MCI also suggested that its CoS would allow the convergence of WAAP's voice, video and data needs onto one network. Although this is true, the same can also be accomplished (with increased network management) on an existing frame relay network via separate PVCs or traffic-shaping technologies. Again, no mention of dollars saved.

Like Virtela, MCI uses DSCP to mark and separate packets, based on type or even destination, into classes of service--in this case, gold, silver high, silver low and bronze. MCI provided us with sample reports for Private IP Service. Customers can view both real-time and historical data, thanks to Visual Networks Visual UpTime software. With Platinum management service, MCI will place Visual Networks' CSU/DSU equipment at your premises at no charge.

Private IP Service. MCI, (703) 886-5600, (877) 227-5624. www.mci.com

TManage, a MegaPath Networks company, takes a do-it-yourself approach to its IP VPN, though TManage would manage the network. Although the company offered a low monthly fee, it came up short in other areas. Up-front installation costs were high--about $15,000 for our six-location company and far more for larger companies that actually need hardware. TManage's routing and VPN equipment would sit behind our existing equipment, which would be rendered almost superfluous. And finally, TManage quoted us an installation time frame of 60 days--almost double that of the other companies.

TManage did agree to lower the installation fees if our company would sign a two-year contract. Even so, the vendor couldn't compete with Virtela on price.

At $4,240, TManage's monthly fee fell in the middle in our group of respondents. The vendor can keep this price down because, like Virtela, it doesn't have a network of its own, and instead relies upon the Internet for transmission. Locations are connected to the Internet via SDSL or T1 connections. TManage uses IPsec with 3DES encryption to tunnel between offices.

Since TManage uses other networks, an enterprise could put together the exact same solution. What distinguishes this offering from a do-it-yourself setup is that TManage acts like part of your IT department to manage the connection. This arrangement is different from Virtela's, because TManage's hardware resides at the customer's premises rather than at the PoP. The company also acts as a single point of contact for all Internet connections, regardless of what provider is delivering the service.

To manage the network, TManage connects an out-of-band modem to each location's routers. This line gives the vendor access to each router for configuration changes, diagnostics, status and statistics, even if the main connection is down. Because that dial-in path bypasses the VPN entirely, it needs authentication and logging as strict as the primary connection's. TManage also creates a tunnel from its network operations center in Austin, Texas, to the enterprise's corporate router for management.

Once the circuits are up and running, TManage provides reports on tunnel performance--availability, latency and packet loss--for each connection. Usage charts and management reports are also available, all from a Web-connected browser. Trouble and support tickets can also be viewed online.

TManage's service has one unique feature: bandwidth changes on the fly, loop bandwidth permitting. TManage asks for 60 to 90 days to install additional loops or make changeouts. As with its basic installation time, this window seems lengthy.

Since TManage utilizes the public Internet for transportation, whereas Virtela controls the traffic at the PoP, TManage's QoS (Quality of Service) and SLA may suffer. On the QoS side, the vendor uses RSVP (Resource Reservation Protocol), WFQ (Weighted Fair Queuing) and IP Precedence to prioritize traffic, but none of these holds beyond the networks that honor them: RSVP reservations and precedence markings can be ignored or reset by any intermediate Internet provider, and WFQ only orders packets on the routers TManage manages. To manage portside traffic and help prioritize voice and video, the routers perform traffic shaping.

TManage's SLA offerings pale next to the competitors'. The vendor's latency guarantee of less than 150 ms is almost double that of the others. Its stated packet loss of 1.5 percent, though not bad for Internet traffic, is high for corporate traffic.

Managed Branch Office Solution (including Branch Office Broadband Service and Managed Site-to-Site VPN Service). TManage, (512) 794-6000, (877) 929-2967. www.megapath.net

MCI's second proposal, IP VPN Dedicated Service, included a managed router at each of our company's sites. Since MCI wouldn't support WAAP's existing equipment, the vendor suggested Cisco or Lucent Technologies routers that differed from what we specified, with features such as IPsec encryption and built-in firewall capabilities. The $700 initial outlay was the lowest we encountered, but the cost of the new routing equipment showed up in MCI's $7,501 monthly fee.

With IPsec, all office-to-office traffic would be tunneled with 3DES over MCI's IP backbone. An out-of-band modem and phone line would be included with each router for management purposes. MCI told us IP VPN service is typically installed within 32 days, sooner than any of the other respondents' IP-based proposals.

For network traversal, MCI provided a detailed look at its IP backbone and built-in fault tolerance. The vendor's description shows a well-designed network, broken into three segments--access, regional and transit--which should eliminate downtime for its customers. The access segment is just that: the portion of the network that includes any area's local loops. The regional segment can be portions of the country or even parts of a large metropolitan area, while the transit segment connects all the regional networks together.

To route traffic efficiently, MCI interconnects nodes by discrete paths. Because traffic follows completely separate routes along different fiber paths, regions of the network can't easily be separated by a fiber cut. With MCI's extensive fiber runs, traffic can be rerouted to an area away from the cut trunk.

MCI guarantees three nines (99.9 percent) end-to-end availability for VPN customers with 10 or more sites, but only 99.8 percent uptime for customers with three to nine sites. MCI's explanation was obscure, but the reasoning is arithmetic: availability is measured as site-hours of uptime over total site-hours in the month, so a single-site outage of a given length costs a 10-site network a smaller fraction of the total than it costs a six-site network, and MCI is willing to commit to a tighter number for the larger network.

Latency is a bit on the high side, with 120 ms or less for all sites within the United States. And MCI requires customers to request a credit if one is due.
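Because several of these SLAs put the burden on the customer (MCI, for one, only pays a credit if you ask for it), a practitioner would keep independent measurements and test them against the contract every month. The following is an added example, not any vendor's tooling: it takes the latency, loss and availability figures quoted in this review for Virtela, Qwest, TManage and MCI, and checks a constructed set of probe results and a constructed outage against them. The probe data, the 720-hour month, and the treatment of the quoted numbers as monthly averages are assumptions; availability is computed the way the MCI discussion above describes, as site-hours lost over total site-hours, so the same outage weighs less on a larger network:

```python
# Added example (not any vendor's code): check a month of probe data against
# the SLA figures quoted in the review. The probe list, the outage minutes and
# the 720-hour month are constructed; thresholds come from the text.
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional


@dataclass(frozen=True)
class Sla:
    vendor: str
    max_rtt_ms: Optional[float] = None     # monthly mean round-trip latency
    max_loss_pct: Optional[float] = None   # monthly packet loss
    min_avail_pct: Optional[float] = None  # monthly end-to-end availability


# Figures as quoted in the review; None where the text gives no number.
SLAS = {
    "virtela": Sla("Virtela", max_rtt_ms=70.0, max_loss_pct=0.1),
    "qwest_onnet": Sla("Qwest (on-net)", max_rtt_ms=50.0, max_loss_pct=0.5),
    "tmanage": Sla("TManage", max_rtt_ms=150.0, max_loss_pct=1.5),
    "mci_3_9": Sla("MCI IP VPN, 3-9 sites", max_rtt_ms=120.0, min_avail_pct=99.8),
    "mci_10plus": Sla("MCI IP VPN, 10+ sites", max_rtt_ms=120.0, min_avail_pct=99.9),
}


def loss_pct(rtts: List[Optional[float]]) -> float:
    """Probes that never came back are recorded as None."""
    lost = sum(1 for r in rtts if r is None)
    return 100.0 * lost / len(rtts)


def mean_rtt_ms(rtts: List[Optional[float]]) -> float:
    got = [r for r in rtts if r is not None]
    return mean(got) if got else float("inf")


def availability_pct(outage_minutes: float, sites: int,
                     hours_in_month: float = 720.0) -> float:
    """Site-minutes lost over total site-minutes; the denominator grows with site count."""
    return 100.0 * (1.0 - outage_minutes / (sites * hours_in_month * 60.0))


def evaluate(sla: Sla, rtts: List[Optional[float]], outage_minutes: float,
             sites: int, hours_in_month: float = 720.0) -> dict:
    """Measured values plus the list of SLA terms that were breached."""
    measured = {
        "mean_rtt_ms": mean_rtt_ms(rtts),
        "loss_pct": loss_pct(rtts),
        "availability_pct": availability_pct(outage_minutes, sites, hours_in_month),
    }
    breaches = []
    if sla.max_rtt_ms is not None and measured["mean_rtt_ms"] > sla.max_rtt_ms:
        breaches.append("latency")
    if sla.max_loss_pct is not None and measured["loss_pct"] > sla.max_loss_pct:
        breaches.append("loss")
    if sla.min_avail_pct is not None and measured["availability_pct"] < sla.min_avail_pct:
        breaches.append("availability")
    return {"vendor": sla.vendor, "breaches": breaches, **measured}


def constructed_probes() -> List[Optional[float]]:
    """200 constructed probe results: 60 ms baseline, a 160 ms spike on every
    50th probe, and three lost probes (1.5 percent loss)."""
    lost = {77, 133, 190}
    return [None if i in lost else (160.0 if i % 50 == 0 else 60.0)
            for i in range(200)]


if __name__ == "__main__":
    probes = constructed_probes()
    # One constructed four-hour outage at a single site, on a six-site network.
    for key in ("virtela", "qwest_onnet", "tmanage", "mci_3_9"):
        print(evaluate(SLAS[key], probes, outage_minutes=240, sites=6))
    # The same outage on a ten-site network costs a smaller fraction of uptime.
    print(evaluate(SLAS["mci_10plus"], probes, outage_minutes=240, sites=10))
```

The comparisons use "greater than" for latency and loss, so a measured 1.5 percent loss meets TManage's 1.5 percent term but breaches Virtela's and Qwest's; whether the contract counts an equal value as a breach is a detail worth confirming in the SLA text itself before filing for a credit.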

Reporting is handled through MCI's VIPeR (VPN Interactive Performance Reporting) interface. VIPeR provides reports on the VPN itself, along with individual tunnel utilization. Availability and latency reports can also be generated.

Burstable services offer a bit of extra bandwidth for short periods, or even a few days, assuming you're provisioned for less than the actual line service. Permanent changes to bandwidth can be handled within a few days, as long as the capacity is available on the local loop.

IP VPN Dedicated Service. MCI, (703) 886-5600, (877) 227-5624. www.mci.com

Darrin Woods is a Network Computing contributing editor. He has worked as a WAN engineer for a telecom carrier. Write to him at [email protected].


IP virtual private networks offer lower costs and higher bandwidth than dedicated frame relay networks, and have become a popular means of transferring data from remote locations back to the corporate network.

Most carriers implement this technology by tunneling data over the Internet, using various IP protocols. However, MPLS (Multiprotocol Label Switching) is slowly gaining ground--or at least attention--as an even more secure solution. Expect to pay a hefty premium for this service, if and when it becomes available in your neighborhood.

We sent an RFI in the name of a fictitious aircraft manufacturer, Wing and a Prayer, to 10 vendors, asking for their proposals to help WAAP find a less expensive way to network its offices and design plants in five U.S. cities.

Four vendors--MCI, TManage, Qwest Communications International and Virtela Communications--responded to our query. MCI, in fact, sent two proposed solutions: one standard IP VPN and one with MPLS technology. Although we thought all the offerings were worthy, we were most impressed with newcomer Virtela. This vendor put together a comprehensive response and came up with a solution that would be relatively easy to migrate to without busting the budget. Cinching the deal were the generous policies found in Virtela's service-level agreement.

IP VPNs on a Wing and a Prayer

Wing and a Prayer (WAAP), our fictional company, is an internationally recognized aircraft designer and manufacturer based in Wichita, Kan., with design offices and manufacturing plants across the United States.

WAAP's frame relay network, provided by Carriers R Us, is configured in a hub-and-spoke topology. All connections go through WAAP's Wichita office. This setup has worked for several years, but traffic going through the corporate office has increased, and WAAP has been evaluating the addition of private virtual circuits among several offices. Although PVCs will eliminate some traffic on the Wichita connection, the company is also looking for alternatives to frame relay.

WAAP has concerns about using a public network. Because the company designs military as well as commercial aircraft, security is essential.

The company operates six offices. There are design offices in Wichita and Chicago, and manufacturing plants in Wichita; Atlanta; Fort Worth, Texas; and Palmdale, Calif. The Wichita corporate office has a full T1 connection to the frame relay network. The Chicago office uses a half-T1 (768-Kbps) connection, while the four manufacturing plants have 512-Kbps PVCs back to the Wichita office. Internet access is provided through the Wichita corporate headquarters.

Each office has a Cisco Systems 2500-series router connected to a frame relay network. Corporate headquarters uses a Cisco 7500-series router. Although WAAP hopes this equipment won't need replacement, the company isn't tied to a particular vendor. Each branch office includes workstations running Unix, Windows or Macintosh OS.


