Prudential Financial wins our 2001 User Excellence Award for an IP VPN project that turned it into a telework powerhouse while cutting remote access costs in half.
But as the financial services company pioneered one of the nation's largest VPN projects, completed this year when the majority of its 25,000 telecommuting employees and business partners switched over, it realized that the VPN had become more than a mere cost-cutting exercise. Thanks to the new network, a "virtual enterprise" concept now prevails at Prudential.
The company can attract and hire employees who want to work from home, need to work closer to customers, or are physically unable to withstand a daily commute. Through the VPN, these telecommuters can access the same database information they have at the office with a high-speed connection and set up connected sales offices in the field that can be built up and taken down in hours. Prudential also negotiated a deal for business-class DSL services, letting serious telecommuters get voice over IP on their broadband connections and have extensions, just as they would in a traditional office. Prudential Financial wins Network World's 2001 User Excellence Award for the scale of this VPN project, its immense return on investment, the creative acquisition of DSL services and the impact it has had on the company's corporate culture.
Reining in remote access charges
Prudential's VPN began to take shape in 1999, when the company realized it could reduce its annual $14 million remote access bill by moving from a private network to an IP VPN. And with the voice-over-IP option, Prudential also planned to move help desk personnel onto the new network.
At the time, employees and business partners accessed client information on Prudential's network by dialing in over a proprietary private-line network maintained by a third party. Many of the people dialing in were Prudential sales personnel in the field. Others were independent sales agents. Those thousands of users were being billed by the minute, and access charges piled up quickly. Yet the fastest connection available to these users was 128K bit/sec ISDN, much slower than emerging broadband technologies such as DSL, cable and wireless.
So Prudential went hunting for a VPN vendor. Ed Mann, vice president of network planning, had the usual three considerations - cost, redundancy and scalability - but he also had another major need: security. The equipment had to work with RSA Security's SecurID tokens, and it had to be able to handle digital certificates, which Prudential wanted available as a later option. Furthermore, the equipment had to handle remote and site-to-site connections. A final criterion was that the vendor had to be a well-established equipment provider.
"Two years ago there were a lot of guys around whose only product was a VPN box," Mann says. "With those guys you're always concerned about whether they're going to be bought up and disappear."
After looking at eight equipment vendors, six of them in-depth, the company chose Nortel. Its largest VPN switch, the Contivity 4500 Extranet Switch, can support up to 5,000 concurrent sessions, easily meeting Prudential's scalability requirements. It also works with SecurID tokens and supports digital certificates. For high availability, the switch comes with redundant power and storage systems.
Nortel also provided the client-side software for free with the purchase of the company's hardware. Other vendors were charging for each software client in addition to the hardware, which would have been a particularly painful budget hit for a VPN project this size. "With between 25,000 and 40,000 clients, even if you're charging just $10 per client, it adds up," Mann says.
Prudential had the gear installed, and the first employees switched over to the VPN in March 2000. The bulk of remote users were shifted over by July 2001. Today, 90% of its remote access workforce operates over the VPN, netting the company about $7 million per year in savings from access charges. Prudential expects to boost that figure to $8 million once the project is completed later this year with the addition of one more business unit to the VPN.
The project was not cheap, coming in at around $1.5 million, but given the significant annual access savings, the return on investment was almost immediate.
For Prudential's telecommuters, most of whom didn't already have ISP service, the company negotiated a contract with AT&T Global Network Services. Employees also can use broadband connections to connect to the VPN. More than 1,000 users already connect to Prudential through a high-speed link, and Prudential is trying to boost that number through an internal DSL product it is in the process of launching. The service, available through Exario Network Services, is a business-class offering, incorporating service-level agreements and help desk support. The program is open to all true telecommuters - that is, those working from home on a regular basis.
Ultimately, Prudential would like to use the VPN to support a larger number of telecommuters. "Whether it's DSL, cable, satellite or wireless, it doesn't really matter," Mann says. "Whatever people can get they can use. And once they get it they'll be able to connect to us at between seven and 20 times the speed they could before."
Focus on security and redundancy
While Internet-based VPNs have come under fire for not being as secure as private dial-up networks, Mann believes Prudential's new VPN may be more secure than its former private-line net. One major reason is that Prudential has moved from the 30-day static passwords used on the old network to RSA's SecurID tokens, where passwords are changed every 60 seconds. To log on to Prudential's network, all users, local or remote, must have their SecurID token, issued by Prudential, which generates a dynamic password and a personal identification number (PIN). When users initiate connections to the network, they are prompted for their PINs and the passwords are displayed on the token. Also, all traffic traveling over the VPN is encrypted through Nortel's client software on users' desktops, while traffic on the private network was not.
"We can put more sensitive customer data across the wire and not be afraid that someone is going to sniff it or intercept it in some way," Mann says.
For remote users to access the VPN, they simply log on to their ISPs, launch the software VPN client and enter the SecurID password. Once on the VPN, employees have the same rights and privileges they would normally have if they were at the office and connected directly to their corporate network.
Prudential maintains redundant VPN gateways at its headquarters in Roseland, N.J., and at its offices in New York, so if one site goes down, users can still connect to Prudential. The Roseland and New York sites also have redundant firewalls and redundant SecurID authentication servers. The VPN sessions are maintained by four Nortel Contivity 4500 switches, two of which are located at Roseland with the other pair residing in New York. Each 4500 can maintain 5,000 concurrent VPN sessions. So far, Mann says, the number of peak concurrent users on a single switch has hit 1,000, so scalability is assured.
Next year, Prudential may purchase some load-balancing technology that Nortel acquired when it bought Alteon WebSystems late last year. The load balancers would sit in front of the 4500s, letting users maintain a VPN session even if the 4500 they were connected to failed. The load balancers would reroute the session to the surviving 4500. Currently users lose their VPN sessions if the Nortel switch they are using goes down.
Site-to-site connections work in almost the same fashion. Employees connecting through Exario will travel exclusively over Exario's private network, which has connections to New York, and will be covered by service-level agreements. Another difference is that some remote offices, including Prudential's international locations, will use a Cisco router, instead of multiple workstations, to handle the VPN duties. Mann says Prudential will begin adding the Cisco routers to the network shortly.
While Mann is happy with the money Prudential is saving by implementing the VPN, he becomes most animated when talking about how the VPN is serving business needs and its potential for doing more. "Little by little, as we can extend services out to any location, I think it will cause people to think, and we'll get to the point where we have a virtual enterprise," he says.
For example, Mann says, Prudential will begin to roll out voice services to remote employees with the service-level agreement-backed Exario broadband connections. "Eventually it will look like the telecommuters are actually sitting in the office," he says. "They'd have an internal four-digit extension, they'd have a high-speed connection to Prudential's network, and they'd have exactly the same services they'd have if they were sitting in the office."
This can lead to temporary telework, letting Prudential employees set up closer to customers at times. "With a VPN you can really take the mobile concept anywhere," Mann says. "You could set up an office without it having to be permanent. You could set it up for something like the U.S. Open, have six agents with a DSL connection and a wireless LAN sitting in a kiosk in Queens, N.Y., and then pull it all down when the event was over."
More widespread broadband connections also will let Prudential save money by using videoconferencing and distance-learning programs over the VPN. "Today, either we have to send training people out to the employees, or they have to come to a central location for training," Mann says.
With the VPN in place, a box and a broadband connection become more important than a brick-and-mortar office - a sure sign that Prudential's project has revolutionized the way the company does business.