Managed Business Services

Based on numbers from the U.S. Department of Labor, business services represent an $82.1 billion opportunity in the United States alone. Despite numerous efforts to get a larger piece of the pie, cable operators today have a market share of less than 3 percent in business services. But changing circumstances have put the cable industry in a much stronger position. Highly successful residential voice rollouts have served to increase cable operators’ voice expertise and credibility, and Internet protocol (IP) expertise is strong. At the same time, operators have been deploying fault-tolerant, carrier-class networks to support these rollouts. As a result, cable operators now have both the networks and the expertise to offer an alternative to the telecom service providers in this lucrative market—and are well-positioned to increase market share significantly. The key to maximizing the business services opportunity lies in managed services. Beyond just offering “dumb fat pipes,” operators can now offer a suite of services—including managed security (for example, firewalls, intrusion detection and prevention, protection from denial of service attacks), managed voice (for example, IP Centrex, IP private branch exchange, toll bypass), virtual private networks (VPNs), and others. Fiber or coax? The cable industry has the option to base its managed services offerings on coaxial or fiber access technologies. In either case, the industry can take advantage of the fiber backbone built for residential services. On a fiber network, cable operators can most cost-effectively deploy metro Ethernet technology. Examples of services include Layer 3 VPNs, Layer 2 VPNs and high-speed Internet access. With the appropriate customer premises equipment (CPE), voice services, security services and other managed services are also feasible over the metro Ethernet infrastructure. If fiber is not available in all targeted locations, new fiber must be installed before a service is introduced. Deploying with coax has other challenges. Many businesses—particularly those located close to residential areas—have coax available to them. Services can be offered to these customers using the same cable modem termination systems (CMTSs) used to deploy residential services. But there are still a lot of questions to answer. Should business customers be deployed on the same media access control (MAC) domain as residential subscribers or on a separate domain? How will data capacity be allocated? Will the throughput be guaranteed? How will service level agreements (SLAs) be guaranteed? Are the appropriate back-office systems in place? Clearly, both fiber and coax deployments come with their own sets of advantages and challenges. As a result, most cable operators use a combination of fiber-based and coax-based business services—depending on cost, location and customer size. SLAs A significant challenge that cable operators have faced is how to offer the SLAs that business customers demand. SLAs typically guarantee performance on such criteria as network uptime, allowable packet loss, latency and jitter. Business customers will ask for compensation when SLAs are not met. SLAs can be monitored in a number of ways. One basic “pull” method is to simply poll management information bases (MIBs) in the various devices throughout the network. Many devices include some type of service-assurance agent that can be used to collect information for SLAs. A more sophisticated method is to use IP Detail Records (IPDRs) or a similar protocol to “push” statistics to a collection device. Once the data has been collected, it must be fed into an SLA-management application. These applications can monitor, manage and report on SLA violations. Managed services Business customers require a variety of services, and each has its own specific set of technical and business requirements. To achieve the maximum stickiness and reduce churn, it is best to bundle multiple services. Each service offering must be evaluated on both market demand and the readiness of the operator to support it. The key for the cable operator is to: (A) go after services representing a large revenue opportunity; (B) ensure that the correct support system and backend system are in place; and (C) put in place equipment that enables future add-on services with minimal incremental investment. That said, three managed services offerings stand out as perhaps the largest opportunities to consider: voice, VPN and security. Each of these will be considered in turn. Voice According to Ovum, about 57 percent of the business services opportunity in the United States lies in voice services—about a $47 billion total opportunity. Since business customers typically purchase both data and voice services from a single service provider, a competitive business voice service dramatically increases the likelihood of success for a cable operator’s business services as a whole. While some would argue that voice is the stronghold of the telcos, cable operators have proved themselves to be competitive in residential voice services. Consumers have been very willing to migrate to a cable voice offering, and cable operators have been experiencing rapid subscriber growth. Furthermore, cable operators have won accolades for the quality of their services; J.D. Power and Associates ranked cable operators highest in customer satisfaction for five of six regions. Voice services can be offered via either fiber or coax. Fiber services over a metro Ethernet infrastructure typically make use of voice over IP (VoIP) and use Ethernet or multi-protocol label switching (MPLS) quality of service (QoS) mechanisms. For voice services over coax infrastructure, two technology options might be considered: PacketCable 1.x or session initiation protocol (SIP) and PacketCable Multimedia (PCMM).
Residential VoIP services based on PacketCable 1.x use network call signaling (NCS), a variant of media gateway control protocol (MGCP), to provide public switched telephone network (PSTN)-like services. PacketCable specifications address how to enable interactive services such as voice over DOCSIS networks to provide QoS as well as security, billing, and lawful intercept requirements that impact the delivery of voice services over a shared cable access network. One practical challenge with PacketCable-based services is that the highest capacity PacketCable embedded multimedia terminal adapter (EMTA)—with a single cable modem—has 16 lines. While this is insufficient to address the full business voice services market, it is enough for the small office/home office (SOHO) market and small businesses—and these smaller businesses are the sweet spot for many cable operators. Furthermore, multiple EMTAs can be deployed to enable more lines. The second option is to use SIP phones or other SIP devices in conjunction with PCMM. SIP is used to access the more advanced set of business services, and PCMM is used to provide QoS guarantees to ensure a high quality service. Figure 1 shows the PCMM architecture for business services. At a high level, initiating a SIP call using PCMM requires the following steps: 1. Cable service router uses the SIP to signal the application manager, which is in this case the SIP call manager, with the request. The cable service router is shown in Figure 1 as a single device. Separate IP router and cable modem can be deployed, but this may drive up cost or make management more complex. That said, PCMM was specifically designed to enable QoS when these functions are kept separate.
2. The SIP call manager sends a request to the policy server to install a policy on the CMTS.
3. The policy server validates the request and sends a “policy set” to the CMTS.
4. The CMTS performs admission control. If sufficient capacity or throughput is available, the policy is installed and the service flow established with the appropriate QoS level. It is possible to offer certain business voice services using Business Services over DOCSIS (BSoD)-time division multiplexing (TDM) emulation service, as defined in the CableLabs TEI specification. While both PacketCable and SIP/PCMM use VoIP and VoIP signaling to provide voice services, TDM emulation provides a pseudowire that carries the unmodified contents of the original T-1, E-1, or nxDS0 transparently over the DOCSIS network. This includes clock synchronization over the packet network between the DOCSIS CPE and the CMTS. Just as any TDM network, the emulation of TDM requires clocking to interwork properly with other network components. TDM emulation is completely transparent to the customer; it looks like a T-1 replacement. This makes it useful for connecting private branch exchanges (PBXs) with voice features that require inter-PBX signaling. The trend, however, is to replace T-1 with less expensive broadband technologies and use VoIP for voice connectivity. By using TDM emulation over the DOCSIS network, the cable operator is unable to offer converged services such as unified messaging and Web conferencing because the voice traffic is separated from data with TDM emulation. PacketCable and SIP/PCMM should therefore be preferred for the majority of applications. Cable operators can offer a number of different cable voice services of varying complexity. Two opportunities for cable operators follow. (See Figure 2.) The first service option is PBX connectivity. The simplest option here is to provide telephone services via a SIP trunk to the customer’s own IP PBX, thereby providing all-IP voice capability. A more sophisticated and operationally challenging extension is to actually manage the customer’s PBX—which can be owned by either the customer or the operator. The PBX itself might be either an IP PBX or a traditional PBX connected into a VoIP gateway. In either case, the cable operator must manage the dial plan, call control, QoS assurance and support. This enables site-to-site calling over the cable operator’s network, but all other calls go over the PSTN. A second option is to provide IP Centrex-like functionality where EMTA devices, SIP phones, or integrated access devices (IADs) are provided to the customer site, and all call control is centrally managed by the cable operator’s network-based softswitch or call manager. This option is more cost effective for smaller businesses with just a handful of lines, but requires provisioning and administration to be handled by the cable operator. To scale such services and reduce the operational burden, cable operators may provide self-provisioning and administration capabilities. VPN services Based on Ovum estimates, managed VPN services in North America represented a $3.6 billion market in 2005. Options for VPNs include network-based VPNs based on MPLS and CPE-based VPNs based on IP security (IPsec) or secure socket layer (SSL). See Figure 3 for a typical VPN network architecture. As an initial step short of offering full managed VPN services, cable operators can provide a teleworker enablement service. The idea here is to have the business manage its own VPN services, thereby enabling the cable operator to avoid the management and monitoring requirements for the service; the cable operator then provides low-cost Internet connections to ensure a high-quality VPN connection. Cable operators can optionally use PCMM as a means of ensuring QoS for the VPN service, or they can simply provide a premium-tier Internet connection. Organizations in the education, government and health care vertical segments might be initial targets for such a service. Network-based VPNs typically make use of MPLS. MPLS-based VPNs can be point-to-point tunnels; Layer 2 multipoint VPNs based on virtual private local area network (LAN) services (VPLS); or Layer 3 VPNs based on RFC 2547bis. Layer 2 Tunneling Protocol version 3 (L2TPv3) is sometimes used as an alternative to MPLS for Layer 2 VPN services. Point-to-point tunnels are the simplest and are best for connecting two sites, since it does not require MAC learning to determine where traffic should be sent. VPLS enables connectivity between multiple sites and emulates an Ethernet LAN—including MAC learning. Last but not least, layer 3 VPNs are routed VPNs that can scale to a very large number of sites. All the network-based VPNs are meant for site-to-site connectivity where the various sites are “on-net”; CPE-based VPNs should be used for connectivity over the Internet. Any MPLS VPN method requires the network to be fully MPLS-enabled in advance. It is therefore a viable choice when: (A) the network is already MPLS-enabled for traffic engineering or other reasons; or (B) the cable operator wishes to market MPLS-based VPNs on a large scale, and there is a reasonable ROI on the investment required to MPLS-enable the network. CPE-based managed VPNs can be used for either site-to-site VPNs across the cable operator’s network or for remote access. Today they are generally based on IPsec. A “virtual tunnel” is set up between the client and the corporate network, enabling access to all applications. IPsec VPNs, when used for remote access services, typically require a client to be installed on all client PCs. This may be considered a security advantage, since unauthorized users must first get access to the software and configure it correctly before they can get into the network. However, it also makes the VPNs difficult to support, since every client machine must be installed, configured and maintained. SSL VPNs are now becoming more popular because an SSL client is built in to every Web browser, and SSL VPNs therefore do not require any special client software—and are therefore far simpler to maintain. However, this also means that SSL VPNs generally work only with Web-based applications. Security services Last but not least, cable operators should look at security services as a significant revenue opportunity—and one that is relatively straightforward compared to voice and VPN services. Furthermore, Ovum estimates the North American security services market in 2005 was approximately $1 billion, and the market size is growing at around 28 percent per year. Security services not only protect the “pipe” to the customer, but also act as a service enabler for other value added services. Today, almost all security services revenue comes from managed firewall services. However, service providers are now looking to differentiate themselves by expanding security services to include antivirus, anti-spyware, intrusion detection and other services. Security services should be part of any managed services offering. Like VPN services, security services can be either CPE-based or network-based. CPE-based security services rely on security features built into CPE devices. Many of today’s service routers have extensive security services built in, but it is more than a matter of simply enabling the security features; the cable operator must also be prepared to monitor the network for security issues and to take appropriate action in the event of a security breach. The most common CPE-based security services include firewall and intrusion detection and prevention. A firewall is a piece of equipment (or software in a multifunction CPE device) that controls communications flows based on configured policies. Any firewall service should use a stateful firewall—a firewall that keeps track of the state of network connections—for maximum flexibility and security. The firewall is configured with policies that determine which connections are allowed and which are not, thereby protecting against security threats. As part of the firewall service offering, cable operators will be required to configure firewall policies and monitor firewall logs. Intrusion detection and prevention means analyzing traffic on the network and searching for either “signatures” of security threats or statistical anomalies in the traffic flows. The security threats are typically assigned a threat level. Intrusion detection systems simply identify threats, whereas intrusion prevention means taking active steps on the network to eliminate threats. False positives—network flows that have been incorrectly identified as threats—pose a challenge to those offering intrusion detection and prevention services. Signatures must be updated regularly for intrusion detection and prevention to be effective. The CPE-based security services discussed earlier can be deployed without significant investment in network infrastructure. That said, when deploying over an MPLS-based infrastructure, it may be more cost-effective to offer network-based security, which is enabled by either centralized security services appliances or by security service modules installed in IP routers. Enabling security services in the network allows the cable operator to deploy lower-cost CPE devices, simplify management, and eliminate the need for truck rolls as customers purchase new services. Examples of network-based security services include virtual firewall services, virtual firewalls to MPLS VPNs, denial of service attack protection and virtual intrusion detection. In any of these cases, the “virtual” services should be indistinguishable from their CPE-based counterparts—but they can be managed from a central location with a management system designed specifically for service providers supporting multiple customers. The future is now The cable industry is enjoying tremendous momentum and has proved very successful at rolling out new services. Both traditional telcos and satellite operators have taken notice. Now, with the experience gained through residential voice deployments, it is time to take the next step—an all-out assault on the business services market. As discussed in this article, voice, VPN, and security services represent the best opportunities for cable operators. An $82.1 billion market and a whole slate of high-margin services are there for the taking. Carpe diem. John Mattson is director of cable marketing, Access and Aggregation Business Unit, Cisco Systems. Reach him at [email protected]. Dave Brown is marketing manager, Cable Products and Systems, Cisco Systems. Reach him at [email protected].