Are Multi-protocol Label Switching (MPLS) VPNs the way to go? For many corporate network needs the answer is yes, absolutely, and the transition to MPLS is well underway.
Look at the data. MPLS VPNs have been eating away at frame relay for years, and within the next 18 months there will be more MPLS VPN connections than frame relay connections, according to Vertical Systems Group. By 2011, there will be more than 1 million MPLS VPN connections in the United States alone, Vertical says.
That means that businesses – in many cases prompted by their service providers – are buying MPLS connections as their connectivity needs expand and they need to connect new sites. But even more of them are migrating from frame relay altogether as the providers themselves make the transition to MPLS, says Rosemary Cochrane, an analyst with Vertical Systems Group. The number of frame relay connections in use is actually declining.
Worldwide, MPLS services reaped $13 billion last year, a growth of 20% in revenues, according to Infonetics.
The reasons are many. MPLS VPN services offer fully meshed networks as a matter of course; any site connects to any other site. To do the same with frame relay means expensive virtual circuits laid out between every site and every other site. MPLS lets customers shed complexity and cost.
MPLS also supports multiple qualities of service at varying prices to give business customers options to buy less-expensive VPN services for less-critical traffic.
“With globalization of business more and more enterprises are looking for cost effective ways to provide quality networks for high bandwidth and intolerant traffic types such as telephony and video. Clearly the advantages of MPLS, such as traffic engineering providing full control of network resources, enabling admission control, QOS, bandwidth protection, constraint based and explicit routing allows enterprises to effectively deploy bandwidth intolerant applications. With the need to keep data secure and with the rapidly growing list of MPLS VPN providers in the world, MPLS VPN’s are fast becoming the de-facto option for business when it comes to choosing secure connectivity type,” says Guru Prasad, GM-Networking, FVC.
Rabih Dabbousi, Systems Engineering Director at Cisco Gulf & Pakistan, explains why more and more service providers taking the MPLS route: “Service providers today look at the core network as their most important revenue generating investment. With this in mind, most service providers utilize intelligent networking and routing technologies to maximize the use of the network without jeopardizing customer security, privacy and reachability. MPLS VPNs allow the service provider to establish numerous virtual networks over a single physical network infrastructure. MPLS VPN technology is receiving good adoption among service providers and is welcomed by customers.”
Though MPLS VPNs are gaining traction worldwide, it would be wrong to assume that it can save you money. If you do an even swap-out MPLS for frame relay, the costs of the lines may in fact drop, says Cochrane, but not the price of the service in aggregate. “When companies make that switch the overall price might not go down but the ability to connect to more sites and the flexibility to manage the network may go up,” Cochrane says. “We do not see tremendous price declines in going to MPLS from frame, simply because you're using T-1 access and then you start adding on features like security and management and voice.”
Now, the next important question is should you build your own VPN? If you do, you won't be alone, but prepare to spend time and develop expertise in-house.
According to Cochrane, more WAN connections are made over build-your-own VPNs – where businesses buy their own VPN gear and attach it to WAN connections they have purchased separately – than are made over MPLS VPN services.
This can range from installing and configuring MPLS gear at each site – an expensive proposition – or using site-to-site IPSec equipment that is often packaged with firewalls and is generally less expensive.
The trade-off vs. VPN services is the do-it-yourself part. Businesses have to provide the time and expertise to design, install, maintain and troubleshoot the VPN, says Mark Lewis, a networking design consultant and blogger for Network World. And that means training. Without it, troubleshooting VPNs can be “random, time consuming, and will often not resolve your problem at all – it might even exacerbate it,” he says.
IPSec or Secure Sockets Layer (SSL) for remote access VPNs?
SSL. In almost all cases, SSL VPNs can be set up to deliver the same access that IPSec VPNs do. And SSL offers more options.
“While IPSec VPNs are well-suited to secure site-to-site connectivity, we advocate the use of SSL VPNs for remote access into corporate network resources. We recommend a layered approach to security, with different technologies scaled to fit different areas of the network,” says Taj El-Khayat, Head Of Enterprise Channel Group – Middle East & Africa
SSL VPNs offer application-layer secure access over the Internet using capabilities common to most browsers, which means not having to distribute and maintain client software on remote machines. The limitation is that browsers access only Web-based or Webbified applications.
By pushing Java or Active X SSL VPN plug-ins to the remote machines on the fly, SSL VPNs can create network-layer connections comparable to IPSec, without having to distribute dedicated VPN client software.
SSL can also give more-detailed control of the resources remote users have access to. Whereas IPSec gives full network access, SSL can restrict access based on applications more readily.
If access to Web applications or Webbified applications is all users need, then the only client software required is a compatible browser. This means users can connect from home machines, borrowed machines or those found in business-center kiosks.
“SSL VPNs have superseded IPSec as the easiest choice for casual and ad hoc employee VPN access requests and for business partners, external maintenance providers and retired associates,” says Gartner analyst John Girard. While the sales of SSL VPN gear grew 43% between mid-2006 and mid-2007 to hit $340 million, the annual growth rate is expected to slow down, resulting in a projected average annual growth rate of 13.8% through 2011.
A separate study by IDC finds that IPSec VPNs accounted for more than half the $1.27 billion taken in with VPN appliance sales in 2007, but IPSec's share of that revenue actually dropped as a percentage by 9.8%, IDC says. Sales of SSL VPNs went up 18.2% in the same time period.
Still, customers are finding use for IPSec remote access in conjunction with SSL. Sales of Hybrid SSL/IPSec gear are lower , but growing faster, than SSL or IPSec gear alone, IDC says.
“I believe that companies may use both remote SSL-based and IPSec VPN technologies to connect user communities depending on their access environments and access requirements and its is for the organization to decide which suites them best , with both this technologies being demystified for ease of understanding and decision making,” says Devendra Kamtekar, Alcatel-Lucent, Business Development Manager for IP Networking for the Middle East & South Asia Region.
However, Cisco has a different take and endorses IPSec VPNs. “Although SSL is a good function to provide secure connectivity to web based applications, it is only limited to browser-based and web-based tools. IPSec based VPNS create a secure and encrypted tunnel to all user connectivity to the corporate network. Most enterprise customers today use corporate IPSec VPN tunnels to their employees for remote connections,” says Dabbousi,
Are VPNs good for VoIP?
MPLS VPNs can provide quality of service that guarantees deliver of VoIP packets on time for better voice quality.
MPLS also scales to accommodate very large numbers of sites fully meshed, so phoning among corporate sites via VoIP shouldn't be a problem.
Using an SSL VPN to carry VoIP over TCP actually improves voice quality, testing by Network World has found. Because TCP reorders packets and rebroadcasts packets that get lost, it can actually boost quality of the received call. If bandwidth is sufficient to accommodate the VoIP channel plus the rebroadcasts, it can improve quality.
VPNs can also provide security for VoIP calls running over Wi-Fi networks or wired networks, blocking eavesdropping.
“There are clearly jitter and latency issues while deploying VOIP with the overhead of VPNs. However MPLS VPNs would be the most desired network type while deploying VOIP application over VPN’s to reduce some of the latency and jitter challenges,” says Prasad.
VPNs are also used to protect data from smartphones and other handheld devices, including iPhones, although management for that is still rudimentary.
VPNs can also be a good fit in virtual environments, which helps to enhance VPN security too. Many vendors are coming out with versions of their VPN software that run on virtual server platforms. This is desirable for businesses in the midst of virtualization of servers as a way to reduce the number of devices and the electrical power expended in data centers.
The trade-off is that means not using VPN appliances, which are a popular means of deploying VPN gateways because they are separate devices managed separately.
On the client side of the VPN, a remote machine can help improve VPN security, according to VMware. Users can configure remote virtual desktops so that they must access corporate sites via a VPN gateway. At the same time, the physical host that the virtual desktop runs on can be barred from the VPN.
So the virtual machine becomes the entity that joins the VPN, meaning that any compromises of the host machine itself are isolated on the physical machine and cannot spread through the VPN into the corporate network.
Virtual machine policies can restrict virtual desktops so they can access nothing but the VPN, making them insulated from attacks originating outside the VPN. “You isolate the virtual machine from everything except the corporate VPN server,” VMware says.
Further virtual machine policies can encrypt all data in the virtual machine and block the data from being transferred out of the virtual machine, making it even less likely that data accessed via VPN can be compromised.
Virtual machine expiration policies can further secure VPNs. If a contractor, for example, is granted corporate VPN access via a virtual desktop on the contractor's own machine, the virtual machine can be configured to expire at a certain time, say, the date the contract runs out, VMware says.