MCI, formerly known as WorldCom, launched this week a virtual private network (VPN) service that relies on Web-based Secure Sockets Layer (SSL) encryption technology. Like competitors AT&T and Sprint, the company is reselling service from start-up Aventail.
The new MCI service provides an alternative to its current remote-access VPN, which uses Internet Protocol Security (IPSec) encryption. Unlike IPSec, which requires users to download a software client before they can connect to a corporate network, SSL allows access via a standard Web browser.
Over the past year, SSL VPNs have gained in popularity among enterprise customers looking for an easier and more-flexible remote-access service. In 2003, companies spent roughly $200 million at telecom carriers to install SSL VPNs, according to Infonetics Research. That amount is expected to grow to $1 billion by 2005.
But according to market research firm IDC, more than three-quarters of companies install the service themselves. That means the bulk of the money spent with carriers on SSL VPNs goes toward transport services and not toward managed services, which generate higher profit margins.
"One of the benefits of SSL VPNs is that they are easy to set up and maintain," said Jeff Wilson, an analyst with Infonetics Research. "Without all those clients to manage, you take away the incentive to outsource."
Carriers are working to wean customers away from that approach by offering them a broader suite of services that make up a complete package. Buyers can choose from different types of VPNs: multiprotocol label switching (MPLS) and IPSec VPNs for connecting different sites together, and SSL VPNs for remote access. In addition, the telecom companies are bundling SSL VPN service with access technologies like wireless, digital subscriber line (DSL) or Ethernet, and they're adding managed security services, like firewall and antivirus protection.
"SSL VPNs are part of a whole suite of offerings," said Carol Ballengee, the product manager for remote access services at MCI. "We differentiate ourselves not just based on this service, but through the entire suite of services."
Wilson said that SSL VPN services are likely to appeal more to small and medium-size companies, which typically don't have the staff to manage SSL appliances. "There will always be some customers that want to outsource," he said. "And carriers want to have SSL VPNs in their arsenal, but I don't think any of them expect it to be a huge market."
With the MCI announcement, Aventail now counts all three U.S long distance carriers as customers, making it the primary supplier of SSL VPN technology. Other SSL VPN vendors--such as Netscreen Technologies (recently acquired by Juniper Networks), Cisco Systems and Nortel Networks--sell hardware exclusively. Aventail has taken a different approach, in that it sells a prepackaged service alongside the appliance that it sells directly to service providers or enterprise customers.
Aventail installs the hardware at the customer's site and manages the appliances from its network operating center. Users access the VPN from any Internet connection and are authenticated at the SSL appliance, where a session is initiated. While Aventail supports the service, the carriers themselves bill the customers.
AT&T, the first major carrier to resell the Aventail service, said that customers are very interested in the service, but it wouldn't disclose how many have signed up for it.
"Aventail has done very well, because their service model meshes well with carriers," said Steven Harris, a research manager at IDC. "They also have real customers that prove the service works."
Aventail counts GlaxoSmithKline, Ernst & Young and Mount Sinai NYU Health among the more than 400 large corporations that use its SSL VPN service.