VPNs based on Multi-protocol Label Switching are an innovative way to connect network resources. Because MPLS VPNs are rapidly deployable and more flexible than current WAN connectivity services, such as frame relay, they can help businesses reach new markets and increase revenue.
MPLS VPNs are as secure as most WAN products and services and can provide enhanced quality of service (QoS), increased reliability and competitive prices. Are MPLS VPNs the way to go? For many corporate network needs the answer is yes, absolutely, and the transition to MPLS is well underway.
Look at the data. MPLS VPNs have been eating away at frame relay for years, and within the next 18 months there will be more MPLS VPN connections than frame relay connections in the United States, according to Vertical Systems Group. By 2011, there will be more than 1 million MPLS VPN connections in the United States, Vertical says.
That means that businesses – in many cases prompted by their service providers – are buying MPLS connections as their connectivity needs expand and they need to connect new sites. But even more of them are migrating from frame relay altogether as the providers themselves make the transition to MPLS, says Rosemary Cochrane, an analyst with Vertical Systems Group. The number of frame relay connections in use is actually declining.
The reasons are many. MPLS VPN services offer fully meshed networks as a matter of course; any site connects to any other site. To do the same with frame relay means expensive virtual circuits laid out between every site and every other site. MPLS lets customers shed complexity and cost. MPLS also supports multiple qualities of service at varying prices to give business customers options to buy less-expensive VPN services for less-critical traffic.
“Though new uses for MPLS keep emerging, a consensus is building that the killer application for the technology is VPN, which can be used to support many premium services such as HDTV and other managed, hosted services. Carriers are now looking into using MPLS traffic engineering capabilities to simplify traffic management and deliver IP VPN services with an SLA that some claim matches the TDM network service level agreement we used to have. It also provides service providers tremendous cost benefits because MPLS VPN is an ideal foundation to offer multiple services over a single network. For instance, fixed and mobile network convergence is a key initiative many carriers have taken lately to save on operation and overlay network costs,” says Rony Attallah, Systems Engineering Manager, Cisco.
Tarek Abbas, Senior Systems Engineering Manager at Juniper Networks, lists some other reasons fuelling the demand for MPLS VPNs: “While MPLS VPNs started initially in Service Provider Networks, most segments across the industry are utilizing or looking to utilize MPLS VPNs in their infrastructure. MPLS VPNs provide virtualized networks that can segment traffic based on user groups and applications, provide differentiated and guaranteed quality of service, and deliver security via virtualization. In addition to that, MPLS generally provides the reliability and resiliency for real time applications.”
MPLS VPNs are also ideally suited to lower OPEX for service providers while raising their revenue. “Through ‘virtualizing’ of their network they will share resources, they can manage the single Converged Packet Network (CPN) from a central NOC, and there is a faster time to market realized because managing and deploying a service from end to end becomes much simpler and quicker,” says Terral Shelby, IP Business Manager, Alcatel-Lucent.
Is Ethernet a good fit?
They began as totally separate and distinct technologies: Ethernet as the standard in the LAN, and MPLS VPNs as an attractive alternative to frame relay and ATM services in the WAN.
But now they are starting to collide. Service providers are turning up Layer 2 Ethernet VPNs based on an MPLS derivative called Virtual Private LAN Services (VPLS) on a regional, national and eventually, global basis. And while some carriers say VPLS Ethernet is a complementary access or metro technology to MPLS national and global services, some acknowledge that users are reconsidering their Layer 3 VPN decisions.
VPLS is intended for businesses that prefer to maintain control of their routing, for security and staffing purposes, rather than share it with their service provider. Layer 3 MPLS VPN users choose to let the service provider manage the routing domain.
Virtual Private LAN Service (VPLS) makes the MPLS VPNs transparent to users and IP devices on the LAN, making it appear as though you have one large LAN extended across the network. VPLS can be used for IP services or it can be used to interconnect with a VPLS service provider to seamlessly network an enterprise across the WAN, says Abbas.
MPLS VPNs have been around a few years longer than VPLS. But as VPLS continues to mature and become more functionally complete, the decision to pick one over the other will become harder – and the ability of carriers to keep one from cannibalizing the other will be tougher as well.
“VPLS is a good bet for users who want the flexibility of Ethernet. However, there are complexities when you try to simulate your LAN environment and extend to other sites, and scalability could be a concern if not carefully designed and implemented,” says Attallah.
Should you build your own VPN?
If you do, you won't be alone, but prepare to spend time and develop expertise in-house. More and more WAN connections are made over build-your-own VPNs – where businesses buy their own VPN gear and attach it to WAN connections they have purchased separately – than are made over MPLS VPN services.
This can range from installing and configuring MPLS gear at each site – an expensive proposition – to using site-to-site IPSec equipment that is often packaged with firewalls and is generally less expensive. The trade-off vs. VPN services is the do-it-yourself part. Businesses have to provide the time and expertise to design, install, maintain and troubleshoot the VPN. And that means training.
IPSec or Secure Sockets Layer (SSL) for remote access VPNs?
SSL. In almost all cases, SSL VPNs can be set up to deliver the same access that IPSec VPNs do. And SSL offers more options. SSL VPNs offer application-layer secure access over the Internet using capabilities common to most browsers, which means not having to distribute and maintain client software on remote machines. The limitation is that browsers access only Web-based or Webbified applications.
IPSec VPNs are more suitable for securing site-to-site communication and can scale well for similar deployments. For remote user access, SSL VPNs are recommended as they are easier to administer and can offer the application-based access that is typically required for securing and controlling individual access.
“In the current corporate scenario, manageability is key for VPNs that organisations deploy. With the current trend in home-office workers and increased travel, SSL is more often the choice as it helps organisations meet these requirements and manage an ever changing IT environment,” says Dharmendra Parmar, GM of Marketing, FVC.
Are VPNs good for VoIP?
Yes. MPLS VPNs can provide quality of service that guarantees delivery of VoIP packets on time for better voice quality. MPLS also scales to accommodate very large numbers of fully meshed sites, so phoning among corporate sites via VoIP shouldn't be a problem.
Using an SSL VPN to carry VoIP over TCP actually improves voice quality, testing by Network World has found. Because TCP reorders packets and retransmits packets that get lost, it can boost the quality of the received call, provided bandwidth is sufficient to accommodate the VoIP channel plus the retransmissions. VPNs can also provide security for VoIP calls running over Wi-Fi networks or wired networks, blocking eavesdropping. VPNs are also used to protect data from smartphones and other handheld devices, including iPhones, although management for that is still rudimentary.
Can you use VPNs in virtual environments?
Yes, and doing so may enhance VPN security. Many vendors are coming out with versions of their VPN software that run on virtual server platforms. This is desirable for businesses in the midst of virtualizing servers as a way to reduce the number of devices and the electrical power expended in data centers. The trade-off is that this means not using VPN appliances, which are a popular means of deploying VPN gateways because they are separate devices managed separately.
On the client side of the VPN, a remote machine can help improve VPN security, according to VMware. Users can configure remote virtual desktops so that they must access corporate sites via a VPN gateway. At the same time, the physical host that the virtual desktop runs on can be barred from the VPN.
So the virtual machine becomes the entity that joins the VPN, meaning that any compromises of the host machine itself are isolated on the physical machine and cannot spread through the VPN into the corporate network. Virtual machine policies can restrict virtual desktops so they can access nothing but the VPN, making them insulated from attacks originating outside the VPN. “You isolate the virtual machine from everything except the corporate VPN server,” VMware says.
Further virtual machine policies can encrypt all data in the virtual machine and block the data from being transferred out of the virtual machine, making it even less likely that data accessed via VPN can be compromised. Virtual machine expiration policies can further secure VPNs. If a contractor, for example, is granted corporate VPN access via a virtual desktop on the contractor's own machine, the virtual machine can be configured to expire at a certain time, say, the date the contract runs out, VMware says.