As a homebuilder in the Southeast, John Wieland Homes has employees who are constantly on the move, but who are just as constantly in need of information. In addition to site crews who work out of mobile offices that literally follow the work, the company employs real-estate agents scattered throughout the region and operates a corporate headquarters in Atlanta.

Networking all these sites had been a headache. In 1998, the company set up its own virtual private network (VPN), primarily using ISDN lines, IPsec VPN technology and a VPN concentrator its own staff managed.

In 2003, Wieland moved to a network-based VPN service from BellSouth, but that operated on T-1 lines and also proved cumbersome, said Chuck King, network systems manager for John Wieland Homes. Whenever the office site shifted, it would sometimes be weeks before new connections were established.

“The trailers our construction crews work out of are temporary facilities but permanent to use in that the project manager is always going to be in a trailer,” King said. “It may move from subdivision to subdivision, but that's the office. We need to provide them with as good a network connectivity as anyone else in an office.”

So this year, the company looked at new VPN proposals from a number of companies and chose BellSouth's Managed Network VPN service, a multiprotocol label switching (MPLS)-based offering that allows Wieland to use DSL access or other forms where available. Most important, however, is that BellSouth manages the service entirely.

“BellSouth owns the network from end to end, so they are able to provide a DSL line, and using the MPLS technology, they send our data across their network through their data center back to our corporate office without having to have end routers connect IPsec tunnels to each location,” King said.

“For the ISDN users, they went from 64 [kb/s] connections to 1.5 [Mb/s] so for our end users in these construction trailers and sales centers, it is night and day difference,” said Dave Cochran, chief information officer of John Wieland Homes. “Now they can use the full functionality of hosted applications at corporate. And for disaster recovery purposes, everything doesn't have to come through the headquarters office.”

As a company that needed to keep its employees networked but was increasingly overwhelmed by the complexity of doing so, John Wieland Homes could be poster child for the booming network-based VPN business.

While the overall market will grow by about 2% over the next four years, the MPLS-based VPN market will grow by 12%, and the market for MPLS-based VPNs with additional security features will boom by 23%, said Jeff Wilson, Infonetics Research analyst.

VPN services may have started life as a means of creating secure data connections over the Internet, but during the last few years, they have grown to be the cornerstone of converged networks, both for the service providers that offer them and the businesses that use them.

Enterprises increasingly look to network-based VPNs as a means to reduce complexity as they try to connect multiple locations that often are using different access forms. And the growing popularity of voice over IP (VoIP) is helping pour even more fuel on the network-based VPN fire.

“Enterprise networks are becoming complex as we start to see medium and large networks implementing MPLS-based applications and services like VoIP, and IP VPNs,” said Imran Kahn, industry analyst with Frost & Sullivan, a global growth consulting company. “It requires a lot of talent in-house to manage those complex networks. The offshoring of business processes such as customer support, contact centers and call centers means there is a need to seamlessly connect all these branch offices.”

Regulatory requirements, such as the Sarbannes-Oxley financial reporting requirements, also create new demands on enterprises to handle network upgrades more quickly, he said. All these drivers are increasing the demand for managed network services, including VPNs.

Service providers have responded to this burgeoning interest with a host of ever more sophisticated VPNs, most of which draw on MPLS gear that offers flexibility, quality of service (QOS) guarantees and cost-effectiveness in one technology bundle.

“If we can get an MPLS VPN in place, it allows us to sell additional IP-based services on top of that, whether it is VoIP or some of our security solutions or all along the continuum of services we would want to bring that customer on top of core network infrastructure,” said Michael Marcellin, senior director of VPN and data product marketing for MCI.

If there are any looming clouds over the VPN market, it may only be the profusion of options and choices, which may confuse customers and create competitive nightmares for carriers, Kahn said.

“Differentiation is becoming more and more difficult,” he said. “Most service providers have deployed MPLS; they claim to be access agnostic — the differentiation between their services is becoming a little unclear.”

Added Wilson: “There is no dominant trend in how carriers offer managed VPNs. It's all over the place.”

Initially, VPNs represented lost revenue for service providers when, in the late 1990s, enterprises bought customer premises equipment (CPE) that used IPsec or predecessor protocols to establish “tunnels” that provided secure data transmission over the Internet for intranet traffic, corporate e-mail and other data. This approach basically reduced high-speed data pipes to dumb transport and cut service providers out of the data service value chain. Service providers began offering their own VPNs to combat this trend.

“Broadwing has had a network-based IP VPN since 2000,” said Jamey Heinze, director of product management for Broadwing. “But we were a little ahead of our time. We didn't see the IPsec rocket ship launch the way the industry had said it was going to at the time. Throughout that period of time starting in 2001 to 2002, customers started clamoring for MPLS.”

MPLS as a standard was under development — and the subject of much hype — from 1997 on, as the Internet community looked for a way to merge the security of private virtual circuits on ATM and frame networks with the any-to-any connectivity and the speed of router-based networks.”

“We started with ATM and RFC 2457 [an MPLS VPN standard] since we weren't sure what was going to happen, then we consolidated those onto one architecture,” said Anthony Christie, chief marketing officer for Global Crossing, which claims to have the first global VPNs based on MPLS. “Initially, these were utility networks, but they are convergence networks today.”

As a widely deployed technology today, MPLS brings a host of new attractions to network-based VPNs.

First and foremost is the any-to-any mesh network connectivity that makes MPLS-based VPNs a better choice for enterprises with many different locations, said Amy Hollister, product marketing manager of network-based VPNs for BellSouth.

A hosted MPLS-based VPN “is well-suited to companies that have a mix of different sites, large and small, like branch locations or remote offices,” she said. “In the frame relay environment, it wasn't cost-effective to bring them on to the network. In the MPLS world, you can use DSL access, which is lower priced, so it makes financial sense to loop those folks in.”

The need for full mesh networks becomes more important as applications, including voice service, move to IP, Christie said.

And like the John Wieland Homes organization, many business customers like the idea of a fully meshed network for business continuity reasons in case of disasters or outages, said Burt Winter, executive director of Layer 3 networks at SBC Communications.

“Network-based VPNs mean we deal with all of the complexity involved in setting that up, and it's a fully managed service,” he said.

As more enterprises explore using VoIP, they are also attracted to network-based VPNs because MPLS enables service providers to establish classes of service and guarantee QOS for each class so that voice traffic isn't subject to latency.

“Voice is the killer app that is driving a lot of folks to these services,” Winter said.

“VoIP is definitely a driver,” agreed Broadwing's Heinze.

But MPLS, while increasingly dominant, is not the only basis for network-based VPNs. Most service providers also either continue to offer IPsec-based services or combine the two to provide additional security for customers who are particularly concerned about that.

“The carriers are eyeing MPLS, for sure, but customers like IPsec,” said analyst Wilson. “They like encryption, and they have been taught that VPNs equal encryption and security, but there is no native security component to MPLS. That's why I think you see a lot of hybrid services — IPsec running over MPLS.”

This is, at least, an interim step that may be more permanent for some segments of the market.

“The primary use of IPsec will diminish because people are comfortable with MPLS to provide security,” Hollister said. BellSouth offers both an equipment-based IPsec VPN and the MPLS service as part of its network-hosted offerings. “But there are some industries that require encryption, and for them, IPsec is necessary.”

As network-based VPNs continue to evolve, the role that IPsec plays is likely to change, according to Christophe Masiero, head of VPN services for Equant, which made VPNs the base of its advanced services back in 1999.

“IPsec is going to disappear or be like ATM — it will probably evolve to more of an access technology,” he said. “MPLS is becoming the de facto architecture to support VoIP. MPLS today is as secure as frame relay and ATM networks have been. What I see probably happening is financial and defense companies, that want a higher level of security, overlaying [secure socket layer] over their MPLS as they need it.”

The introduction of IP V.6 also will address some security issues, Masiero said, because it embeds IPsec characteristics in the protocol.

In the meantime, however, service providers continue to cater to customers' security needs with hybrid services that combine MPLS with some form of encryption or additional security.

The variation in the way service providers do this is just one of a few ways in which they are trying to differentiate their network-based VPN offerings and court the broadest segment of the market, said Frost & Sullivan's Khan.

“The competitive structure is growing more complex,” he said. “A growing competitive structure is good for the end user, but it makes it harder to select the right partner, service provider or carrier to help them manage. It is also making it more difficult to separate one provider from another because they are offering more or less a similar set of services.”

A combination of large-scale competition, the need for differentiation and the complexity of enterprise networking problems has very quickly made VPN services a consultative sale — and that's as it should be, Khan said.

“Differentiation is going to be defined by the customer and not by the service provider,” he said.

Enterprises will use a number of criteria, including geographic coverage, to pick the best VPN provider, Wilson said.

“The breadth of the coverage, the security expertise they can layer on top of their network expertise, the quality of service and support, the previous relationship with the customer — these are all factors,” he said. “Service providers will differentiate based on whatever their strengths are.”

SBC is addressing this challenge by stressing the flexibility of its network offering, Winter said. Among other things, the company offers both a network-hosted VPN service and a managed IP-PBX offering that lets customers who prefer to use a premises-based approach offload those concerns to the service provider.

“The biggest differentiator for us is our flexibility and our ability to sit down with our customers and assess their needs and then design, deliver and manager a network that appropriately meets those needs,” Winter said. “Whatever type of management, whatever type of applications they need, our goal is to design the network that works for them.”

Broadwing uses its converged network capabilities to deliver both Layer 2 and Layer 3 VPNs for a broad range of customer options.

“People expect any-to-any connectivity, a secure network and class or quality of service so they can run different application types,” Broadwing's Heinze said. “Both our Layer 2 and our Layer 3 services offer all of those similar characteristics.”

The difference is that Layer 2 VPNs allow customers to retain control of their own routing tables, which appeals to larger enterprises that have staff to manage that segment of their network and want a higher level of security, he said. Layer 3 VPNs, on the other hand, can support any kind of traffic, including legacy computing protocols such as SNA.

The consultative sales approach is more expensive for service providers and — here's the serious irony about network-based VPNs — at the end of the day, a converged IP-based service should cost the customer less than the multiple networks that existed before. Since many VPN customers are moving off frame relay and ATM networks and may soon integrate their voice traffic onto the MPLS-based service, service providers are talking total cost of ownership (TCO) rather than specific cost of bandwidth. Because enterprises can save on staffing, training and often on CPE costs, they need to factor that into the overall value of a network-based VPN service, providers agree.

“Your price for an on-net megabit might be higher but your net TCO can be lower,” said Broadwing's Heinze.

But he believes there is already a price competition, as the growing number of VPN providers compete for enterprises ready to move off of their legacy frame relay and ATM networks.

“Customers have the perception that IP is cheap and MPLS should be cheap,” he said. “And that is exacerbated by the fact that legacy carriers want to move customers off of those [older] networks and are artificially lowering the prices of their new services.”

In addition, service providers face competition from other segments — systems integrators and CPE gear makers — that want to capture the consultative piece of the VPN pie.

“This is going to be a very competitive market for some time to come,” Kahn said.