The VPN survey results
(March - April 2006)
Survey objectives:
- To investigate the current state of VPN use within the JANET community: which kinds of organisation use VPNs and for what reasons.
- To understand the community’s needs for, and expectations of, a possible centrally managed VPN service (this might be a production transport service or some form of advisory service).
Respondents:
- 121 responses were received, which is a reasonably representative sample.
- Most responding organisations are from the HE (higher education) sector, with the FE (further education) sector in second place. Only 1 school answered. Participation by providers was minimal: 1 RNO (Regional Network Operator) and 1 RBC (Regional Broadband Consortium). 1 RSC (Regional Support Centre) also responded.
Conventions used in the text:
- All results are given in percentages. Where this might confuse readers, results are given both as a percentage and as an absolute number of organisations.
- Comments on the results are given in italic.
Section I. Current state of VPN usage
The first part of the survey aimed to determine current VPN usage and reasons for using (or not using) VPNs of any kind. Responses show:
- Currently 81.7% of organisations (89 organisations) use a VPN. About 55% of the remainder (10 organisations) plan to deploy a VPN in the near future.
- More than half of the respondents who use a VPN (56%) use it both as an access VPN (remote users reaching central site resources) and for site-to-site connectivity. Slightly less than half (44%) use it for remote access only.
- 95% of the VPNs in use are self-provisioned (run by the organisation’s own IT support staff). 1 organisation uses a VPN service from its RNO and 3 use a commercial provider.
- In most organisations (64%) fewer than 10% of users use the VPN service; in a quarter of organisations the figure is between 10% and 25%.
- The most popular types of VPN among organisations that use one are (note that some organisations use more than one VPN service):
- Encrypted VPN: 85.1% (74 organisations)
- GRE/L2TP VPN: 24.1% (21 organisations). 20 of these run GRE/L2TP themselves (self-provisioned), while 1 organisation uses a commercial provider (NTL).
- MPLS VPN: 6.9% (6 organisations). 3 use a provider-provisioned MPLS VPN service, from Synetrix, THUS and an unspecified RNO respectively. The others described their service as ‘self-provisioned’, which probably refers to an encrypted VPN, since that was listed alongside MPLS VPN among the possible answers.
- UKLight or other optical services: 6.9% (6 organisations).
- Frame Relay: 1 organisation (Institute of Astronomy, University of Cambridge), which says that the service is self-provisioned and connects 1-3 sites.
- Other VPNs: 5 organisations. 3 of these use an encrypted VPN (Microsoft PPTP; note that PPTP’s MPPE encryption is keyed from the MS-CHAP exchange and should not be relied on for strong confidentiality); 1 uses IPv6-in-IPv4 tunnelling (which, like GRE, provides no encryption); 1 did not specify the type of service in place.
- Reasons for VPN use (as many organisations use more than 1 type of VPN, different reasons may relate to different kinds of VPN):
- To protect data while it is transferred across public networks: 83%.
- To protect sites from unauthorised access: 48%. Both reasons relate to security, but the second can also be met by firewalls; the results show that the feature is nevertheless important (and hence desirable) in a VPN too. The two aspects were separated in order to gauge (implicitly in this case) how far users would value a VPN that protects sites from unauthorised access by means of tunnels (that is, by traffic separation) but without encryption. Question 22 asked about this directly, and the share of positive answers to it (47%) matches the figure above.
- To use private addresses: 28%. This may be viewed as a security feature or as a way of simplifying LAN interconnection (the next option in the question), so some answers in this category may have been absorbed by other options. Closely related is ‘To restrict access by the institution’s range of addresses’, which some respondents (5 organisations) gave under ‘Other’.
- To simplify the interconnection of site LANs: 24%. What respondents meant by this needs further investigation. This feature is usually provided by Layer 2 VPNs such as L2 MPLS VPN, L2TP or Frame Relay; however, only 6 organisations using L2TP and 2 using MPLS VPN gave this reason, so the others must achieve it with Layer 3 or higher-layer VPNs.
- To provide guaranteed bandwidth and low latency between VPN sites/users: 8% (7 organisations). Of these 7, 2 use MPLS VPN, 2 use UKLight and 2 use an encrypted VPN. It is understandable that this is not a widespread reason for VPN use: it requires QoS support for the VPN connection, and JANET does not currently offer QoS as a production service.
- Remote sites. The vast majority of respondents (89%) have more than 1 site, and the average number of sites exceeds 4 (some organisations have more than 8).
Data exchange between sites is quite intensive: 98% of organisations exchange data almost every day at speeds between 10 Mbit/s and 1 Gbit/s (although this may be the access link bandwidth rather than actual throughput).
Remote sites could therefore use an inter-site (intranet) VPN to exploit the known pattern of traffic between sites and to obtain any-to-any connectivity better matched to the organisation’s needs than a best-effort service. VPNs are also now very popular for remote users.
The prerequisites for extranet VPN deployment also exist, as more than half of the respondents (58%) exchange data almost every day with partner organisations at less than 10 Mbit/s.
- Applications which are in use by VPN users:
- E-mail: 79.5%
- Web access: 74.7%
- Database access: 68.7%
- e-Learning: 34.9% (half of these use something other than an encrypted VPN, such as GRE/L2TP, MPLS or UKLight)
- VoIP: 13.3%
- Videoconferencing: 13.3%
- e-Science: 7.2%
- Other: remote login (terminal); remote support and maintenance
e-Learning, e-Science, VoIP and videoconferencing could be the driving applications for a centrally managed VPN, as they need improved security (in the sense of stability of the data exchange rather than confidentiality: a lecture or a scientific experiment cannot be interrupted or postponed) and improved performance (their real-time data is sensitive to delay and loss).
Traditional applications such as e-mail, database access and web access can tolerate some instability and performance degradation, and for these a user-provisioned encrypted VPN can provide data privacy.
- Private optical network use. The questions in this section aimed to understand the use of UKLight and similar services, and at the same time to check the GEANT2 suggestion that 1 Gbit/s can be used as the demarcation line between optical services (for demands above 1 Gbit/s) and VPNs with bandwidth guarantees (for demands below 1 Gbit/s).
- 34 organisations use optical services across a range of bandwidths. This contradicts the answers to Q8 ‘What kind of VPN services are in use within your organisation’, where only 8 respondents said they use optical services. This needs further investigation.
- Half of the organisations using private optical networks use them in the 100 Mbit/s to 1 Gbit/s range; about a quarter (8 organisations) use them above 1 Gbit/s; and a quarter use them at relatively low speeds, below 10 Mbit/s.
The high proportion of low- and mid-speed connections suggests that medium bandwidth demands (demands that do not exceed a certain share of total link capacity and so cannot monopolise the network) could be met by a packet-switched service with bandwidth guarantees, as an alternative to wavelength and SDH services (which are circuit-switched and hence have dedicated bandwidth).
- 37% of organisations consider that having 2 kinds of service with bandwidth guarantees (one for high-speed connections above 1 Gbit/s and another for less demanding connections below 1 Gbit/s) would benefit their organisation. 32% said ‘No’ and about 27% ‘Don’t know’.
There are several ‘Other’ answers. One is ‘Depends if there is a price difference else have the fastest’; another is ‘Would be nice if we could have 100Mbit/s provisioned, to use between JANET sites, and 10Mbit/s off-net, since transit seems to be the main cost factor of upgrading our connection.’
- 82% (100) of respondents answered the question ‘Do you think that centralised provider-provisioned VPN services could be of use for your organisation?’.
44% (44) of these gave a positive answer with differing degrees of certainty (‘Certainly yes’, ‘Probably yes’ and ‘Yes, but it depends on the functionality’). 39% (39) gave a negative answer (‘Certainly no’, ‘Probably no’).
This almost 50-50 split gives no clear indication of the prospects for a centrally managed VPN service within the JANET community.
- 68% (82) of respondents answered the question ‘Which VPN functionality would you like to have supported by centralised provider-provisioned VPN services?’.
The numbers show that some of the pessimists (about 20 of the 39 who answered the previous question negatively) nevertheless chose desirable features of a centrally managed VPN service. This may indicate some latent favour towards such services, or simply politeness (‘I don’t think it is worth deploying, but as I was asked I will answer’) or curiosity (‘Why not think about this in theory?’) on the respondents’ part.
- Desired functionality (ranked: the lower the average rank, the more desirable the function):
- Site protection from unauthorised access: 1.59
- Strong confidentiality based on data encryption: 1.67
- Traffic protection from non-VPN users with possibility of encrypting it: 1.97
- Improved performance (low latency, low loss): 2.19
- Improved bandwidth guarantees: 2.33
- Independent addressing: 2.48
- Non-standard connectivity between sites (e.g. multicast through unicast-only network): 2.79
The results show that users put the security aspects of VPNs at the top of the list. The fact that protection from unauthorised access is the most desirable feature, and that ‘Traffic protection ... with possibility of encrypting it’ (i.e. without built-in encryption) comes third, is encouraging for VPN types that do not encrypt traffic, such as GRE/L2TP and MPLS based ones. Note, though, that such a VPN only separates traffic from other users of the same network: its contents remain readable to anyone able to observe the tunnel itself, so confidential data still needs to be encrypted by the end systems.
It is interesting that QoS functionality is in the middle of the list (i.e. fairly important); this could justify some kind of packet-based service with guaranteed bandwidth and connectivity restricted to VPN sites.
- The question ‘Would you use a centralised VPN service that provides some measure of security such as traffic separation (i.e. without data encryption) and allows you to encrypt the data yourself?’ was answered by 73% of the respondents.
The largest group of these respondents (48%) answered ‘Yes’ or ‘Probably yes’, whereas 25% said ‘No’.
This gives some grounds for a non-encrypted VPN service.
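The distinction the survey draws between traffic separation without encryption and an encrypted VPN is worth seeing on the wire. The following Python script is an added illustration and is not part of the survey, of any JANET service or of any respondent’s deployment: it builds a constructed GRE-over-IPv4 tunnel packet and a constructed IPsec ESP packet (RFC 5737 documentation addresses on the outside, RFC 1918 addresses inside), shows what an observer on the path between the two tunnel endpoints can read from each, and applies the address-range check a tunnel endpoint would use to stop outside hosts injecting traffic into the VPN. The packets, addresses and the function names (`observe`, `accept_from_tunnel`) are all assumptions made for the example; only the header layouts (RFC 791, RFC 2784, RFC 4303) are real.

```python
import ipaddress
import struct

IP_PROTO_GRE = 47       # RFC 2784 GRE, carried directly in IPv4
IP_PROTO_ESP = 50       # RFC 4303 IPsec ESP
GRE_PROTO_IPV4 = 0x0800
IPV4_HDR = "!BBHHHBBH4s4s"


def ip_checksum(data):
    """RFC 1071 one's-complement sum; returns 0 over a header whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, TTL 64) with a correct header checksum."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ip_checksum(struct.pack(IPV4_HDR, *fields))
    return struct.pack(IPV4_HDR, *fields) + payload


def parse_ipv4(pkt):
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(pkt) or total_len < ihl:
        raise ValueError("malformed IPv4 packet")
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[ihl:total_len]}


def build_gre(proto_type, inner):
    """RFC 2784 GRE header: C=0, Reserved0=0, Version=0, then the protocol type of the inner packet."""
    return struct.pack("!HH", 0, proto_type) + inner


def parse_gre(data):
    flags_ver, proto_type = struct.unpack("!HH", data[:4])
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version")
    offset = 8 if flags_ver & 0x8000 else 4       # C bit set: Checksum + Reserved1 follow the fixed header
    return proto_type, data[offset:]


def observe(pkt):
    """What an eavesdropper between the two tunnel endpoints can read from one packet."""
    outer = parse_ipv4(pkt)
    view = {"outer_src": outer["src"], "outer_dst": outer["dst"], "proto": outer["proto"],
            "inner_src": None, "inner_dst": None, "data": None}
    if outer["proto"] == IP_PROTO_GRE:
        proto_type, inner_bytes = parse_gre(outer["payload"])
        if proto_type == GRE_PROTO_IPV4:            # GRE only separates traffic: the inner packet is in clear
            inner = parse_ipv4(inner_bytes)
            view.update(inner_src=inner["src"], inner_dst=inner["dst"], data=inner["payload"])
    elif outer["proto"] == IP_PROTO_ESP:            # ESP: only SPI and sequence number are readable
        view["spi"], view["seq"] = struct.unpack("!II", outer["payload"][:8])
    return view


def accept_from_tunnel(pkt, allowed_prefixes):
    """Decapsulation check at the VPN edge: admit the inner packet only if both of its addresses lie
    inside the VPN's own ranges. This is the 'site protection from unauthorised access' that a
    traffic-separation VPN offers; it adds no confidentiality."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IP_PROTO_GRE:
        return None
    proto_type, inner_bytes = parse_gre(outer["payload"])
    if proto_type != GRE_PROTO_IPV4:
        return None
    inner = parse_ipv4(inner_bytes)
    nets = [ipaddress.ip_network(p) for p in allowed_prefixes]
    inside = all(any(ipaddress.ip_address(a) in n for n in nets) for a in (inner["src"], inner["dst"]))
    return inner if inside else None


# Constructed sample packets (documentation and private addresses; not captured traffic).
INNER = build_ipv4("10.1.0.5", "10.2.0.7", 6, b"GET /exam-results HTTP/1.0\r\n")
GRE_PKT = build_ipv4("198.51.100.1", "203.0.113.1", IP_PROTO_GRE, build_gre(GRE_PROTO_IPV4, INNER))
ESP_PKT = build_ipv4("198.51.100.1", "203.0.113.1", IP_PROTO_ESP,
                     struct.pack("!II", 0x1234, 7) + bytes(48))   # SPI, seq, then an opaque ciphertext placeholder

if __name__ == "__main__":
    print("GRE:", observe(GRE_PKT))
    print("ESP:", observe(ESP_PKT))
    print("edge check, allowed 10.0.0.0/8:", accept_from_tunnel(GRE_PKT, ["10.0.0.0/8"]) is not None)
    print("edge check, allowed 10.2.0.0/16:", accept_from_tunnel(GRE_PKT, ["10.2.0.0/16"]) is not None)
```

For the GRE packet the observer reads back the inner source, destination and the full request payload; for the ESP packet only the outer addresses, SPI and sequence number are visible. The edge check is what gives a non-encrypted VPN its ‘site protection’ value: it is a separation control at the tunnel endpoint, and whether the payload also needs encrypting remains the sites’ own decision, which is exactly the option the question above offers.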
- To the question ‘Would you require the centralised VPN services to allow you to add external sites that are not part of your organisation (e.g. clients) to your VPN?’, a plurality (41%) answered ‘Yes’ whereas 31% said ‘No’.
This may be seen as a point in favour of centralised extranet VPN services: managing external connections through the separate efforts of several organisations can cause coordination problems, whereas central management can simplify establishing many one-to-one connections from a single point.
Section II. Requirements for centralised VPN services