Feature: Virtual Private Networks Cable’s New Revenue Opportunity By
When it comes to making money, cable operators have focused mainly on the consumer market. Yet a huge opportunity exists in the business sector. As remote offices proliferate, so too will the need for virtual private networks (VPNs) to securely connect telecommuters to the corporate headquarters. By offering VPN services, cable operators can differentiate themselves from mere "transport" providers.
It’s no longer enough to be the first to grab market share. Instead, "time to revenue" has replaced "time to market" as a more relevant factor.
And so, along with currently providing digital video, digital telephony, high-speed data and other last-mile advantages to neighborhoods and business complexes, multiple system operators (MSOs) may now use VPNs to generate significant revenues from corporations.
The projections for growth are impressive. The Yankee Group, a Boston-based consultancy, estimates that by 2003, 70 percent of all businesses will run 90 percent of their data traffic over VPNs rather than private line services. Frost & Sullivan predicts the U.S. market for VPNs alone will reach $18 billion annually by 2004.
In short, a huge opportunity for MSOs to make more money now exists, and you ought to exploit it.
The benefits
VPNs afford an enterprise a secure wide area network (WAN) over a shared network, with all the pros of a private WAN without the expense. A private line network is not a new concept, but a private network over the Internet is new to the market. It offers a new business model for the digital age.
The network itself could be a fusion of an MSO’s private backbone and exclusive hybrid fiber/coax (HFC) plant with what is passed over the public domain of the Internet. Many technologies are involved to achieve the same goal—increased revenues.
MSOs may charge for VPNs with varying levels of management and service level agreements (SLAs). An SLA is a guaranteed level of service based on chargeable criteria and even compensation for nonperformance. Criteria may include latency, packet loss, packet delay, mean time to repair, port availability by percent and various performance guarantees. These services may be leveraged to expand on other value-added offerings that lead to bundling and customer loyalty.
The ability to add IP-based services such as voice, e-commerce, unified communications and Web hosting nurtures that partnership. Product differentiation that is feature-rich and allows for scalability improves margins for the MSO and productivity for the business subscriber. It’s more evident that IP networks will function under a different economic model than the PSTN, and as such, the pricing and marketing strategies must be equally different.
The business subscriber
Companies with employees who work remotely from the corporate local area network (LAN) and all the valuable information and resources within it may enjoy the benefits of having a VPN. Enterprises with satellite offices or small office, home office (SOHO) scenarios may be linked securely to their larger entity. Small- and medium-sized businesses with telecommuters also may stay connected.
Those telecommuters will not only be on the LAN as in the office, but also have private branch exchange (PBX) extension functionality. Road warriors will need a dial-in capability, either through an 800 service or a local system offered by the same cable operator. These users may connect to the main entity via an intranet VPN for offices and access VPN for telecommuters and mobile users. All these entities may link to vendors, customers and partners with selective transfer of information and data via extranet VPNs. Outsourced partners may gain access to information on a "need-to-know" basis that is controlled by the business. That access also may be instantly severed by the business if need be.
The Internet economy is reshaping traditional work models. Businesses are merging, and LANs need to become WANs affordably. Resources no longer need to be localized, and information need not be kept within the immediate corporate walls. More employees work part-time or full-time from their homes. The cost savings for the virtual network is significant over traditional private lines as is the overhead savings from supporting office-based employees.
Subscriber requirements
Let’s assume subscriber requirements are demanding. What’s it going to take to lead that subscriber to success? Basically, your service must be reliable, secure, manageable and of the highest quality—just as service offered within a corporate LAN. You’ll need to provide quality of service (QoS) guarantees, high network availability with SLAs, fully or partially managed IP VPN services, integrated access VPN and dedicated VPN capabilities along with extended extranets across the public domain of the Internet. All this in addition to the core high-speed Internet access and e-mail capabilities already offered.
There’s more. Your network must be scalable so that your business may grow along with your client’s business but without expensive rebuilds or upgrades. Let’s add provisioning, billing and centralized management, all from the same MSO. Corporations don’t just need "me too" transport—they want new services.
It becomes difficult to differentiate your service offering if you provide only basic transport. One frame relay network is the same as the next, and you can’t compete only on price. To maintain long-term competitive advantage, MSOs must focus on developing a full range of value-added services on top of their VPN network.
These value-added services that will set an MSO apart from other service providers are all IP-based—such as VPNs, voice over IP (VoIP), Internet protocol television (IPTV), Web hosting, unified communications and virtual call centers, to name a few.
Basic VPN architectures
The choice of which type of VPN to use will be up to the subscriber and MSO. A hybrid design using multiple solutions is perfectly viable and may provide a better alternative for the MSO wanting to offer its customers a choice of expanded VPN services. That design architecture may be focused at the customer edge, cable operator edge or a hybrid solution. An MSO or enterprise chooses the kind of VPN its employees may use to access the Internet, and may block that access at any time.
Following is a list of basic VPN architectures:
- Access VPNs may link the telecommuter in his SOHO through the MSO’s metropolitan area network (MAN) via cable modems on the HFC plant. The client may be software-based or have a hardware security appliance such as a small broadband router. When the MSO manages either method, the subscriber may be assured of SLA and QoS advantages. Cable market projections indicate up to 10 million cable subscribers by 2003 with 10 percent penetration in U.S. markets by 2005. The mobile user may dial in with a software client.
- Intranet VPNs may connect the entity via the direct broadband HFC plant as well as wireless point-to-point (PTP), wireless point-to-multi-point (PTMP), or simple wireless bridge connections. Also, the entity may use a private line connection such as T1, 10 Mbps, Ethernet, asynchronous transfer mode (ATM), or T3/fractional T3. Cable VPNs are not just for homes and companies: hotels have expressed great interest in cable VPNs and other cable-managed services because many hotel guests are telecommuters.
- Extranet VPNs connect the same as intranet VPNs to the MSO, but differ in that they link in noncorporate entities such as partners, vendors and customers. These connections may be long-term or short-term, and financial analysis may determine the most viable method.
The hardware vendor equipment usually consists of three or four elements. In general, a VPN has devices like concentrators, routers, firewalls, cable modems, broadband routers and software.
- The VPN gateway consists of one or more devices that sit on the customer’s premises. It may include the following functionality: tunnel termination, firewall/packet filtering, telecommuter authentication, routing, network address translation (NAT)/port address translation (PAT) or channel service unit (CSU)/data service unit (DSU) functions. This component may interface with existing routers and CSUs/DSUs, firewalls, dynamic host configuration protocol (DHCP) servers and lightweight directory access protocol (LDAP) servers.
- The VPN security appliance is a hardware-based device that resides at the telecommuter’s residence. A security appliance typically handles functions such as initiating a VPN tunnel and hardware-based encryption/decryption and associated keys and/or digital certificates. In addition, this device also may provide routing, NAT/PAT, packet filtering or firewall and other capabilities.
- The VPN client software typically is a PC-based software client that initiates a VPN tunnel and then handles tunnel management and encryption/decryption.
- The VPN element management system is characteristically software that resides on a server in the network and can manage multiple hardware and software clients.
Adding value
The cable network must offer the MSO and subscriber more than just the technical capabilities of routing packets—it also must offer profitability. By managing the planning, provisioning, operations and billing of your services, the MSO may realize more profitability from its network. The integrated use of management protocols across all platforms in the network provides the MSO with the capability to manage the VPNs for the customer and charge accordingly.
Provisioning an IP VPN service is slightly more complicated than simply provisioning an access port and circuits, but the benefits of providing automated provisioning far outweigh the difficulties.
The impact of adding each new business subscriber or service now must be considered across the total network. Scaling is a major issue in the deployment of VPN services. Traditional private line/network services will not scale well enough to support IP VPNs because of the configuration requirement at every endpoint. The growth of extranets into a vast web, with one enterprise in the middle, requires a scalable solution set that the MSO can provide. This enormous scalability feature is available to the MSO at a fraction of the cost of expensive rebuilds or upgrades of old services and equipment.
Service provider of choice
Because most new services and applications are being developed around the Internet and IP, cable operators may quickly port new services on top of their basic VPN offering, reducing capital and operational costs, while increasing margins. Cable VPNs are access VPNs with the shared infrastructure being a DOCSIS cable network and the MSO’s network as a whole.
The building blocks for a VPN service are security, QoS, management, scalability and reliability. Businesses may reduce costs by bundling video, voice and data traffic onto a single service offering or network.
MSOs may generate new revenue streams by developing a range of value-added services in addition to the VPN transport service. Organizations may focus on core competencies while the cable operator manages their IP VPN network. The ubiquitous nature of the Internet and IP-based routed networks will allow businesses to extend their VPNs anywhere in the world via the Internet. All this can be made possible through their MSO.
Mark C. Roderick is an MBA student at the University of Southern California, Marshall School of Business. He may be reached at .
Benefits of VPNs: Quality of Service
Subscribers purchasing virtual private network (VPN) services want to be confident that when the shared hybrid fiber/coax (HFC) network gets congested, their employees will continue to receive at least a minimal level of service. Working together across multiple routers, the quality of service (QoS) mechanisms below complement each other through the VPN. They create a comprehensive end-to-end bandwidth management solution that must be integrated throughout every link of the VPN to be effective. Single-point solutions cannot ensure predictable performance.
QoS mechanisms include:
- IP precedence uses three bits in the IP header to indicate the service class of a packet. Enforced through the core, this class is set at the edge of the network.
- Packet classification provides the foundation for bandwidth management by classifying traffic for downstream application of QoS bandwidth management policies within the VPN.
- Committed access rate (CAR) enables mission-critical traffic to receive an appropriate share of VPN bandwidth, while limiting (policing) the amount of bandwidth dedicated to less critical applications. When a threshold is met or exceeded, the network may respond in a variety of ways, from queuing packets at a lower service class to dropping them. Classification may be set by the multiple system operator (MSO) at the edge of the network or by the business subscriber and enforced by the MSO.
- Weighted fair queuing (WFQ) delivers congestion management and bandwidth allocation among specific applications and allows traffic to be sorted into flows or classes while allocating bandwidth to those flows or classes via sophisticated packet scheduling. Bandwidth allocation is driven by the weight assignments.
- Weighted random early detection (WRED) complements transmission control protocol (TCP) in predicting and managing network congestion on the VPN backbone and ensures predictable throughput rates. It is a congestion-avoidance mechanism, set to prevent overloading by monitoring traffic load on an interface, not to manage it. It selectively discards lower-priority traffic when the interface starts to get congested. It’s well-suited for avoiding congestion on high-speed backbone links, and it slows down traffic flows before overcrowding occurs. It even slows according to service class, so low-priority traffic is slowed first.
- Generic traffic shaping (GTS) smooths out bursty traffic and "packet trains" to ensure optimal average utilization of VPN WAN links.
- Security goes beyond sophisticated firewalls. It may be managed by the subscriber at the enterprise or enhanced by the MSO. Its protection of information is based on tunneling at layers 2 and 3 and enables secure private communications over the Internet or any IP network. It integrates key features of VPNs, such as tunneling, data encryption, security and firewalling that provide a secure, scalable platform, to better and more cost-efficiently accommodate remote-access, remote-office and extranet connectivity using public data services.
- IP security (IPsec) is an open standard for ensuring secure private communications over any IP network. It ensures confidentiality, integrity, digital certification and authenticity for secure data encryption.
- Multiprotocol label switching (MPLS) is used to create an extended address to solve reachability and private addressing issues. Labels are applied at the edge, with no impact on the customer addressing or routing schemes. MPLS is a standards-based technology that was originally based on Cisco tag switching and was later ratified by many members of the Internet Engineering Task Force (IETF).
- Data Over Cable Service Interface Specification (DOCSIS) 1.1 will allow for improved upstream and downstream parameters with regard to layer 2 QoS over an MSO’s HFC plant via a cable modem termination system (CMTS).
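
The following Python sketch is an added example, not part of the original article. It shows how three of the mechanisms above fit together: IP precedence marking enforced at the edge, a CAR-style token-bucket policer with a drop or re-mark exceed action, and a WRED drop curve that hits low-precedence traffic first. The function and class names, the rates and the thresholds are assumptions chosen for illustration, not vendor defaults.

```python
def get_precedence(tos: int) -> int:
    """IP precedence is the top three bits of the IPv4 ToS byte."""
    return (tos >> 5) & 0x7

def set_precedence(tos: int, prec: int) -> int:
    """Rewrite the precedence bits, leaving the low five bits untouched."""
    return ((prec & 0x7) << 5) | (tos & 0x1F)

def edge_mark(tos: int, contract_max_prec: int) -> int:
    """Edge policy (assumed): never trust a subscriber marking above its contract."""
    return set_precedence(tos, min(get_precedence(tos), contract_max_prec))

class CarPolicer:
    """Token-bucket policer: rate in bytes/second, burst in bytes."""
    def __init__(self, rate: float, burst: float, exceed_prec=None):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0
        self.exceed_prec = exceed_prec  # None means drop on exceed

    def police(self, now: float, size: int, tos: int):
        """Return the ToS byte to forward with, or None if the packet is dropped."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:          # conforming traffic passes unchanged
            self.tokens -= size
            return tos
        if self.exceed_prec is None:     # exceed action: drop
            return None
        return set_precedence(tos, self.exceed_prec)  # exceed action: lower class

def wred_drop_probability(avg_queue: float, prec: int,
                          max_th: float = 40, max_p: float = 0.1) -> float:
    """Drop probability for a packet given the average queue depth (packets)."""
    min_th = 10 + 3 * prec               # constructed profile: low classes drop first
    if avg_queue >= max_th:
        return 1.0
    if avg_queue < min_th:
        return 0.0
    return max_p * (avg_queue - min_th) / (max_th - min_th)

if __name__ == "__main__":
    car = CarPolicer(rate=1000, burst=1500, exceed_prec=1)
    tos = edge_mark(0xE0, contract_max_prec=5)   # subscriber sent precedence 7
    for t in (0.0, 0.0, 1.0):                    # constructed arrival times
        out = car.police(t, 1000, tos)
        print(t, None if out is None else get_precedence(out))
    print([round(wred_drop_probability(20, p), 3) for p in (0, 3, 5)])
```

Capping the subscriber's marking at the edge is what lets the core enforce precedence without trusting values set on customer equipment.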