Understanding the Value of MPLS Ethernet Encryption


White Paper: Understanding the Value of MPLS Ethernet Encryption
By Jon Oltsik
March, 2010

This ESG White Paper was commissioned by Thales e-Security and is distributed under license from ESG.
2010, Enterprise Strategy Group, Inc. All Rights Reserved

Contents

Executive Summary
MPLS for the Masses
Layer 3 MPLS
Layer 2 MPLS
What about Security?
Layer 2 MPLS VPNs: Outsourcing or Insourcing?
The High-Performance Alternative
Thales Provides a Leading Solution
The Bigger Truth

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of the Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at (508) 482-0188.

Executive Summary

Multi Protocol Label Switching (MPLS) has been around for over a decade, so calling it new technology would be inappropriate. But MPLS continues to evolve, offering new types of carrier services and becoming the predominant wide area network (WAN) service offered by telecommunications providers. This paper examines the concerns of CIOs, CISOs, and network architects over the secure use of MPLS; looks at Layer 3 and Layer 2 services; and addresses the following questions:

- What is MPLS and why is it gaining popularity?
- What is the difference between MPLS Layer 3 and Layer 2 services?
- What are the strengths and weaknesses of Layer 3 and Layer 2 MPLS virtual private network (VPN) services?
- When is it appropriate to supplement generic/insecure MPLS with insourced cryptographic appliances?

MPLS for the Masses

First introduced in 1999, Multi Protocol Label Switching is one of the most successful technologies of the past ten years, yet few outside of the telecommunications community know anything about it. Just what is MPLS? The popular technology glossary site, whatis.com, defines MPLS as:

"Multiprotocol Label Switching (MPLS) is an Internet Engineering Task Force (IETF) standards-approved technology for speeding up network traffic flow and making it easier to manage. MPLS involves setting up a specific path for a given sequence of packets, identified by a label put in each packet, thus saving the time needed for a router to look up the address to the next node to forward the packet. MPLS is called multiprotocol because it works with the Internet Protocol (IP), Asynchronous Transport Mode (ATM), and Frame Relay network protocols. With reference to the standard model for a network (the Open Systems Interconnection, or OSI model), MPLS allows most packets to be forwarded at the Layer 2 (switching) level rather than at the Layer 3 (routing) level. In addition to moving traffic faster overall, MPLS makes it easy to manage a network for quality of service (QoS). For these reasons, the technique is expected to be readily adopted as networks begin to carry more and different mixtures of traffic."

As an analogy, think of a three-lane highway with a good amount of traffic. A driver in a hurry may be forced to weave in and out of each lane depending upon the traffic patterns ahead. In this scenario, the driver would take a fairly random route that sped up and slowed down depending upon other traffic. Now, think of an ambulance or police car with its siren and lights on. According to the rules of the road, all other cars are required to move aside and give the emergency vehicle the right of way. In this analogy, the first driver represents typical routed network packets while the emergency vehicle corresponds to MPLS. Even if this first driver is quite skilled, his/her speed will always be limited by other traffic. The emergency vehicle, on the other hand, is given a high-speed path to its ultimate destination since all other vehicles have moved out of the way (see Figure 1). MPLS performs a similar service by adding a label to network packets as they enter a network. This label then maps a pre-determined routing path for the packets from source to destination, eliminating the randomness of typical network routing and establishing a tunnel or Virtual Circuit (VC) from point A to point B on the network.

Figure 1. Highway Analogy Comparing Routed Packets and MPLS
Source: Enterprise Strategy Group, 2010.

In its early existence, MPLS was clearly in the right place at the right time. Since its inception, network traffic has skyrocketed as organizations embraced Internet communications and applications. As a result, MPLS enjoyed steady growth throughout the first decade of the 21st century. According to multiple industry sources, roughly 80% of Global 2,000 companies have employed MPLS services as part of their WAN infrastructures. Why all the success? Users are moving to MPLS services in order to:

- Reduce IT capital and operating costs. As large organizations consolidate data centers, adopt virtualization technologies, and centralize applications, WAN bandwidth and equipment becomes more costly and complex. Rather than acquire networking technologies, develop technical skills, and manage the whole process, many organizations are opting for MPLS services from a variety of carriers. As ESG's research points out, cost reduction remains a major IT priority in 2010 (see Figure 2).[1] Clearly, MPLS WAN services are in line with this cost cutting priority.
- Address scaling needs. Large, geographically dispersed organizations find it especially difficult to plan for the networking needs of users accessing web applications located in the corporate data center. Carrier investment in MPLS over the past decade created a network infrastructure suitable for most WAN requirements since it offers easy traffic engineering. Yes, MPLS still requires planning, vendor selection, and implementation, but this is far easier than traditional do-it-yourself network solutions.
- Align with global expansion. MPLS isn't everywhere, but it is safe to say that it does extend to major business centers and developed countries. MPLS WANs are a great globalization solution: as organizations open R&D centers and sales offices around the world, new MPLS services can become a simple extension of the existing WAN infrastructure.

[1] Source: ESG Research Report, 2010 IT Spending Survey, January 2010.

Figure 2. Business Initiatives Impacting IT Spending
[Bar chart; values not reproduced. Survey question: "Business initiatives that will have the greatest impact on your organization's IT spending decisions over the next 12-18 months?" (Percent of respondents, three responses accepted; 2009 N=492, 2010 N=515.) Initiatives charted: cost reduction initiatives; business process improvement initiatives; security/risk management initiatives; regulatory compliance; business growth via mergers, acquisitions, or organic expansion; improved business intelligence and delivery of real-time business information; green initiatives related to energy efficiency and/or reducing company-wide environmental impact; research and development innovation/improvement; international expansion; new collaborative tools and business processes utilizing Web 2.0 technologies such as blogs, wikis, social networking services, etc.]
Source: Enterprise Strategy Group, 2010.

Layer 3 MPLS

When MPLS first came out, most networking professionals believed that ATM would be the dominant WAN technology of the 1990s and beyond, replacing legacy technologies like Frame Relay and private circuits. This was probably an accurate prediction except for one thing: the Internet boom. By 1995, carriers realized that their networks had to support massive amounts of IP traffic and web-based application growth. MPLS proved to be a great solution for its protocol neutrality: carriers could use MPLS to consolidate existing transport and network traffic like ATM, Frame Relay, IP, or SONET. As the Internet grew, MPLS came along for the ride. This led early MPLS developers and telecommunications carriers to do all they could to make MPLS services IP-friendly. The result? Early MPLS services were based upon OSI Layer 3. In this type of implementation, MPLS was a perfect fit for organizations with legacy WAN infrastructures.

In the 1990s, more and more WAN traffic turned from legacy protocols like DECnet and IPX to all IP. As this transition occurred, it made sense to abandon costly WAN services like ATM and Frame Relay in favor of IP. MPLS made this switch easier since it creates predictable traffic paths, measurable service level agreements (SLAs), and easy traffic engineering. Layer 3 MPLS VPNs also became a good fit for global organizations with large blocks of IP addresses, allowing them to implement overlapping VPNs with different security relationships.

Layer 2 MPLS

By the late 1990s, many carriers began offering yet another WAN alternative: Ethernet. Metro Ethernet was especially attractive to companies with distributed campuses in metropolitan areas because it allowed them to marry Ethernet's simplicity to the predictable performance of MPLS. Once again, developers and carriers saw an opportunity and responded with new Layer 2 MPLS offerings. As a result, Layer 2 MPLS was embraced by customers needing:

- Point-to-point or multipoint connectivity. MPLS provided a new WAN alternative to leased lines or basic Ethernet pipes, perfect for the hub-and-spoke network architectures associated with point-to-point or point-to-multipoint requirements. Virtual Private LAN Service (VPLS) extends this to multipoint-to-multipoint communications over MPLS networks: the connected sites share an Ethernet broadcast domain, a common architecture for local campuses spread across a metropolitan area. Once again, MPLS also offers performance, scale, and cost advantages over homegrown alternatives.
- Easy deployment. Layer 2 MPLS is based upon Layer 2 Ethernet switching, so there was no need to share routing tables with carriers. This can result in much easier network deployment where Layer 2 MPLS services simply plug into a campus LAN.
- Multi-protocol support. Some organizations still need support for alternative network protocols. For example, a global organization may support IPv4 and IPv6 and thus require a WAN infrastructure capable of supporting both versions at once. Layer 2 MPLS fits this requirement like a glove. Tunneling IPv4 and IPv6 over a Layer 2 MPLS WAN is far easier than other types of protocol translation workarounds.

Fast forward to today: MPLS has become a ubiquitous WAN service at both Layer 3 and Layer 2. Why? It is protocol neutral, offers predictable services, and is tremendously flexible. MPLS also provides cost benefits over other services: large organizations would typically pay about $40 to $50 per megabyte per month for Layer 2 MPLS services as opposed to approximately $175 per megabyte per month for DS3 or SONET. Ease of use, performance, and cost advantages are driving continued demand for Layer 2 MPLS services. The growing volume of data employed by enterprises to conduct day-to-day business requires a flexible, efficient, and cost-effective network transport alternative. The flexibility offered by Layer 2 MPLS services has been particularly appealing not only to enterprises, but also to U.S. federal government agencies and departments. Employing the Ethernet connection-oriented approach, Layer 2 MPLS services are facilitating the transition of existing infrastructure to fulfill the Department of Defense's net-centric vision of end-to-end network connectivity.

What about Security?

Common knowledge suggests that network security is an old problem that has been addressed for years. Yes, firewalls, intrusion detection systems (IDS)/intrusion prevention systems (IPS), and VPNs are nothing new, but network security issues remain. In fact, ESG's 2010 IT Spending data indicates that mid-sized and large organizations believe that network security, closely followed by risk management and regulatory compliance, tops the list of security investments for 2010, beating out PC security, messaging security, and identity management (see Figure 3).[2]

[2] Ibid.

Figure 3. Organizations Will Make Their Most Significant Investments in Network Security
Survey question: "In which of the following technologies will your organization make the most significant investments over the next 12-18 months?" (Percent of respondents, N=264)
- Network security: 48%
- Desktop/endpoint security: 38%
- Web and messaging security: 29%
- Information assurance: 28%
- Identity and access management: 27%
Source: Enterprise Strategy Group, 2010.

Can MPLS meet these network security requirements? No. Think of MPLS as a wide area analog to Virtual LANs (VLANs). A VLAN allows separate network nodes to connect as if they were in the same Ethernet broadcast domain, regardless of their physical location. VLANs do separate traffic for access control and traffic engineering, but the bits still ride the network in cleartext. The same holds true for MPLS: it separates IP packets or Ethernet frames, but does not protect information confidentiality or integrity with encryption on its own. This is a big vulnerability even across a private carrier MPLS network. Confidential data is still vulnerable to a man-in-the-middle attack or data breach that could lead to public disclosure and high unexpected costs.

To get around this limitation, most carriers offer MPLS VPNs in either Layer 3 or Layer 2 offerings. MPLS VPNs encrypt network traffic, aligning information confidentiality and integrity with traditional MPLS availability. These services are fine for plain vanilla secure connectivity, but Layer 3 MPLS VPNs can be limited by performance and latency issues since cryptographic processing overhead can impact overall throughput. This is especially problematic for organizations running latency-sensitive applications like voice, video, or bulk data transfer (i.e., backup, data replication, etc.) over the WAN, applications typically associated with Layer 2 MPLS connectivity as well. What about L2 VPNs? These are becoming a popular alternative, especially for campus-based implementations, since they provide line speed encryption. Given this, ESG expects L2 MPLS VPNs to gain popularity and accelerate MPLS growth over the next few years.

Layer 2 MPLS VPNs: Outsourcing or Insourcing?

There is no doubt that Layer 2 MPLS VPN services are a great WAN solution for organizations with simple connectivity needs, but these services may not meet the needs of large organizations with dynamic and complex networks, especially those in regulated industries. Why? Carrier-based MPLS VPNs can:

- Introduce network performance bottlenecks and latency. Layer 2 encryption may be implemented within carrier switches with limited processing horsepower. As these switches reach capacity, cryptographic processing can restrain overall throughput. When remote office users complain about application performance or network jitter, it could be a result of this encryption overhead.

- Federal agencies need certified solutions. Defense and civilian agencies demand FIPS 140 and Common Criteria certified solutions. Carrier offerings may or may not have these certifications in place, limiting their applicability for government use.
- Layer 2 MPLS VPNs may not be enough. Organizations that need secure encrypted LANs or those with fixed point-to-point wireless connectivity between locations will need encryption hardware and key management systems in addition to those offered by MPLS service providers. Integration of carrier and enterprise security systems will not be possible in most cases.

The High-Performance Alternative

Clearly, the limitations described above will impact a good number of large organizations. There is an alternative, however: CIOs and CISOs can divide and conquer by purchasing generic Layer 2 MPLS services and then adding high-speed cryptographic appliances at network demarcation points. This may seem counterintuitive to a network outsourcing strategy. After all, isn't the whole point to off-load capital cost and operations to a third-party carrier? Absolutely, and these benefits remain. But by adding a high-speed cryptographic appliance, large organizations can improve:

- Performance. Cryptographic appliances can encrypt Ethernet frames at wire speed from 10/100 Mbps all the way to 10 Gbps. This is especially important for latency-sensitive applications and/or bulk data transfer.
- Security control. While most carrier services offer only 128-bit encryption, stand-alone appliances often support more robust cryptography, employing the Advanced Encryption Standard (AES) with up to 256-bit key length, the strongest commercially available algorithm in the market. This is especially important for defense, intelligence, and law enforcement agencies. Additionally, stand-alone encryption appliances help enforce the separation between security management and network administration. As cryptographic appliances normally have built-in key management capabilities, organizations remain fully in control of key material generation and distribution, critical for the overall security of the network. Finally, cryptographic appliances may have FIPS and/or Common Criteria certifications, important independent security validations required by government buyers.
- Enterprise network support. Cryptographic appliances can fulfill Layer 2 encryption needs across multiple network technologies including Metro Ethernet, fixed wireless, or basic LANs. Organizations processing sensitive data in today's distributed environments typically employ multi-technology WAN architectures and will benefit from the flexibility offered by stand-alone cryptography. The best cryptographic appliances will support technology standards like VPLS and WAN point-to-point and multipoint requirements. In essence, this can help organizations reduce costs, improve business processes, address security vulnerabilities, and meet regulatory compliance guidelines, the top four 2010 business priorities uncovered by ESG's research.

Thales Provides a Leading Solution

While cryptographic appliances are widely available, one leading solution comes from Thales e-Security, an industry leader in IT security solutions. The Thales solution is a purpose-built cryptographic appliance for Ethernet networks called the Datacryptor Ethernet Layer 2. This appliance is built for enterprise security needs by supporting AES-256 encryption, fully automated key management, and FIPS/Common Criteria certification. What sets Thales apart, however, is that it combines strong security with networking features such as 10 Gbps Ethernet throughput, low network latency, flexible interfaces, and point-to-point and multipoint support. In this way, Thales provides the combination of performance, security control, and enterprise network support described above. As such, large organizations with complex Layer 2 WAN architectures and high security needs would be wise to bring Thales in to see how Datacryptor Ethernet Layer 2 aligns with their requirements.
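The two points made above, that plain MPLS leaves frame contents in cleartext and that an appliance at the demarcation point can encrypt Ethernet frames while the carrier keeps switching them, as an added example that is not part of the original paper or of any Thales product: a small Go model of a Layer 2 frame encryptor that leaves the 14-byte Ethernet header in the clear for forwarding, encrypts the payload with AES-256-GCM, and binds the header into the authentication tag so tampering is rejected. The key, direction salt, sample frame and all function names are assumptions constructed for the demo; a real appliance would generate and distribute keys through its own key management.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const hdrLen = 14   // Ethernet II header: dst MAC (6) + src MAC (6) + EtherType (2)
const nonceLen = 12 // 96-bit GCM nonce: 4-byte direction salt + 8-byte frame counter

// FrameEncryptor models a Layer 2 encryptor at a network demarcation point. The
// Ethernet header stays in cleartext so carrier switches can still forward the
// frame; the payload is encrypted with AES-256-GCM; the header is bound into the
// GCM tag as associated data, so a changed address or EtherType is rejected by the peer.
type FrameEncryptor struct {
	aead    cipher.AEAD
	salt    [4]byte // must differ for the two directions that share one key
	counter uint64  // a (salt, counter) pair is never reused under one key
}

// NewFrameEncryptor wraps a 32-byte key; a real appliance's key management would supply it.
func NewFrameEncryptor(key []byte, salt [4]byte) (*FrameEncryptor, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FrameEncryptor{aead: aead, salt: salt}, nil
}

// Protect turns a cleartext frame into header || nonce || ciphertext || tag.
func (e *FrameEncryptor) Protect(frame []byte) ([]byte, error) {
	if len(frame) < hdrLen {
		return nil, errors.New("frame shorter than an Ethernet header")
	}
	e.counter++
	nonce := make([]byte, nonceLen)
	copy(nonce, e.salt[:])
	binary.BigEndian.PutUint64(nonce[4:], e.counter)
	hdr := frame[:hdrLen]
	out := make([]byte, 0, len(frame)+nonceLen+e.aead.Overhead())
	out = append(append(out, hdr...), nonce...)
	return e.aead.Seal(out, nonce, frame[hdrLen:], hdr), nil
}

// Unprotect reverses Protect; it fails if header, nonce, payload or tag were altered.
func (e *FrameEncryptor) Unprotect(frame []byte) ([]byte, error) {
	if len(frame) < hdrLen+nonceLen+e.aead.Overhead() {
		return nil, errors.New("protected frame too short")
	}
	hdr := frame[:hdrLen]
	nonce := frame[hdrLen : hdrLen+nonceLen]
	pt, err := e.aead.Open(nil, nonce, frame[hdrLen+nonceLen:], hdr)
	if err != nil {
		return nil, err // authentication failed: tampering, wrong key or wrong direction
	}
	return append(append([]byte{}, hdr...), pt...), nil
}

// SampleFrame returns a constructed Ethernet II frame carrying a sensitive record.
func SampleFrame() []byte {
	hdr := []byte{2, 0, 0, 0, 0, 2, 2, 0, 0, 0, 0, 1, 0x08, 0x00} // dst MAC, src MAC, IPv4
	return append(hdr, "constructed sample: patient-record-0042 balance=1200.00"...)
}

// PayloadVisible models what a passive tap on the carrier network can read.
func PayloadVisible(frame []byte, s string) bool { return bytes.Contains(frame, []byte(s)) }

func main() {
	enc, _ := NewFrameEncryptor(bytes.Repeat([]byte{0x42}, 32), [4]byte{'A', '2', 'B', 0}) // constructed key
	prot, _ := enc.Protect(SampleFrame())
	fmt.Println("readable on cleartext MPLS:", PayloadVisible(SampleFrame(), "patient"),
		"readable after L2 encryption:", PayloadVisible(prot, "patient"))
}
```

Because only the payload is transformed, the protected frame is still a valid Ethernet frame for the carrier, which is what lets the encryption sit on top of generic Layer 2 MPLS service rather than replacing it.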

The Bigger Truth

MPLS has established itself as a fantastic WAN technology by providing guaranteed network paths, global reach, and pricing flexibility. That said, it is not a panacea by any means. By itself, MPLS is not secure. Layer 3 MPLS VPNs can severely limit performance, like previous IPSEC offerings. Layer 2 MPLS VPNs seem like the best fit, especially for a Metro campus network, but these services also have performance and security limitations. Smart CIOs, CISOs, and network architects should go into MPLS decisions with eyes wide open. It is also worthwhile to evaluate networking and security options independently rather than just relying on carrier service offerings. As described in this paper, large organizations with extensive network architectures, complex WANs, and high security needs may be best served by outsourcing connectivity while insourcing security. This can provide the right balance of performance, security control, and coverage while maintaining the benefits of outsourcing the WAN.

20 Asylum Street, Milford, MA 01757 | Tel: 508.482.0188 | Fax: 508.482.0218 | www.enterprisestrategygroup.com