MPLS means fast, secure data flow - as long as you apply due diligence, reports Dan Kaplan.

In the enterprise world, data packets arriving a few milliseconds behind schedule can seem like an eternity for time-sensitive applications. In their efforts to hasten the flow of their critical packets from one remote location to the next, performance-reliant big businesses are now migrating to a different data transmission technology.

This next-generation of wide area network (WAN) connectivity is known as multiprotocol label switching (MPLS), a cheaper system that is replacing the increasingly antiquated frame relay and asynchronous transfer mode (ATM) models to route packets.

Devised more than a decade ago by the Internet Engineering Task Force, the MPLS framework has only recently seen widespread deployment. By last year, one third of all North American enterprises employing 1,000 or more people had moved to MPLS, compared to 19 per cent in 2005, according to Forrester Research.

MPLS, which is usually managed by a network carrier, eliminates the so-called hub-and-spoke architecture on which the frame-relay and ATM techniques rely.

"It instantly creates a many-to-many relationship between all your remote sites," says Adam Powers, chief technology officer of network behaviour analysts Lancope. "They all become directly connected to any remote location they want to talk to, instead of going through the data centre."

But this increased efficiency has security implications enterprise customers must be aware of, especially if they are bound by the Payment Card Industry (PCI) Data Security Standard. MPLS segregates traffic among companies using the same service provider, lending an assumed level of privacy. So far, there has been no publicised breach of data in flight. But there is a possibility that a malicious intrusion can affect an organisation's data in transit: a hacker may find a way in through one of a number of internet gateways on the MPLS backbone, or a service provider could eavesdrop on packets as they pass through. Accidents can happen, too, such as the carrier misconfiguring its edge router, potentially permitting one company to obtain data from another firm's virtual private network (VPN).

"Just by deploying MPLS, you are not completely securing your network," warns Kunjal Trivedi, product manager in Cisco System's managed security services division. "You need to do more than that, given the nature of today's threat." Organisations must ensure their carrier is doing everything possible to bolster security, in addition to deploying their own traffic-monitoring solutions.

MPLS uses a technique called label switching, where packets are routed at the provider edge and then switched in the core based on their tags, explains Michael Hommer, engineering manager at network consulting company Miercom. "A failure of any given node shouldn't affect the ability of data to get from end to end," he adds.

Instead of customers having to create and maintain predefined links or private virtual circuits between their remote sites and data centres, MPLS provides a cheaper and fully meshed topology that lets users create classes of service to prioritise some types of traffic. "People today have PCs, PCs have applications, and they're not just connecting back to one data centre, they're communicating with each other," says Greg Davis, vice-president of product marketing at MegaPath Networks, a managed IP communications provider.

Keep an eye on gateways

Sitting between Layer 2 and 3 protocols, MPLS was built on an IP backbone and its scalability can extend to any site connected to the internet. That means MPLS VPNs contain a number of internet "gateways", but they have no component allowing for packet encryption, even though new PCI mandates require that retailers encrypt data at rest and in motion.

"It's not a question of whether MPLS as a technology is more or less secure than frame relay," Davis says. "The difference is that when you allow access to the public internet, you need to take the necessary precautions. You're choosing MPLS because you're using web-based applications. Frame relay was designed for single business applications that didn't need access to the internet."

However, compared to frame relay and ATM models, organisations using MPLS lose some visibility over their traffic. "One of the things we've found really quickly is that MPLS really messes up the security architect's ability to see communication between the remote sites," Powers admits. "The carriers don't guarantee that the packet is going to make it across the cloud. All they have are service-level agreements with the customer that they'll get your packet from here to there in this much time and you'll have this much throughput."

Both carriers and corporations must deploy internet gateway technology to prevent cyber criminals from using the web to access VPN data. Enterprises, too, must do some work. Powers suggests they run their own firewalls and intrusion prevention systems at the data centre and enable flow-monitoring tools at their remote locations.

Considering today's sophisticated threat landscape, organisations are well-advised to think in terms of security. However, as long as due diligence is applied, network administrators and CISOs should not need to worry too much about MPLS-based networks.

A version of this article appeared in the US edition of SC Magazine.


The Ethernet has so far mainly been considered a local area network (LAN) technology. Traditionally reserved for college campuses and major metropolitan buildings, it is now steadily gaining momentum as a wide area network (WAN) protocol in an attempt to compete with MPLS.

"Ethernet is available anywhere," says Keao Caindec, chief marketing officer for managed Ethernet provider Yipes Enterprise Services. "Engineers aren't as familiar with running it in the wide area, but it's as simple as running it in their LAN." Caindec says the technology is faster and cheaper. "With an MPLS, you need a router, which is pretty complex. With Ethernet, you can use a managed switch, which costs less."

Ethernet security is just as robust as MPLS, Caindec claims. All traffic is segmented by a virtual LAN (VLAN) and then managed by a virtual private LAN service (VPLS).

But Lisa Pierce, vice-president at Forrester Research, advises enterprises to test their systems before deploying Ethernet in this fashion. "It was not until recently that something like a network interface was designed for Ethernet. It was never designed for a WAN. It's got some growing up to do."