For managed MPLS-based network migrations to be truly successful, enterprises must apply due diligence

The next generation of wide area network (WAN) connectivity is multiprotocol label switching (MPLS), a cheaper system that is replacing the increasingly antiquated frame relay and asynchronous transfer mode (ATM) models for routing packets.

While the MPLS framework was devised more than a decade ago by the Internet Engineering Task Force, with the help of Cisco engineers, only recently has it seen widespread deployment. By last year, one-third of all North American enterprises employing 1,000 or more people had transitioned to MPLS, compared to a 19 percent adoption rate a year earlier, according to Forrester Research.

MPLS – which is almost always managed by a network carrier – eliminates the so-called hub-and-spoke architecture on which the frame relay and ATM techniques are based, experts say.

"It instantly creates a many-to-many relationship between all of your remote sites," says Adam Powers, CTO of Atlanta-based Lancope. "They all become directly connected to any remote location they would like to talk to instead of going through the data center."

But with this increased efficiency comes several security-related concerns of which enterprise customers must be cognizant, especially those bound by the Payment Card Industry (PCI) Data Security Standard, experts say.

MPLS segregates traffic among companies using the same service provider, lending an assumed level of privacy, and there has never been a publicized breach of data in flight. But the possibility at least exists that a malicious intrusion can affect an organization's data in transit – either through a service provider eavesdropping on those packets, or a hacker finding the way in through one of a number of internet gateways on the MPLS backbone, experts contend. Accidents can happen, too, such as the carrier misconfiguring its edge router, potentially permitting one company to obtain data from another company's virtual private network (VPN).

"Just by deploying MPLS, you are not completely securing your network," says Kunjal Trivedi, a former Cisco Systems engineering consultant who now is a product manager in the San Jose, Calif.-based company's managed security services division. "You need to do more than that given the nature of today's threat."

Organizations must ensure their carrier is doing everything possible to achieve security, in addition to deploying their own traffic monitoring solutions, experts say. As an extra step, businesses may opt for a private MPLS VPN to transport sensitive data or overlay encrypted IPsec tunnels to further protect packets.

MPLS uses a technique called label switching, where packets are routed at the provider edge and then switched in the core based on their tags, says Michael Hommer, engineering manager at Miercom, a Cranbury, N.J.-based network consulting company. "A failure of any given node shouldn't affect the ability of data getting from end to end," he says.
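To make the label-switching description above concrete, and to show how the edge-router misconfiguration mentioned earlier can let one customer's packet land in another customer's VPN, here is a small simulation. It is an added example, not code from the article, Lancope, Miercom, Cisco or any carrier. It assumes a two-label stack (an outer transport label swapped in the core, an inner VPN label that selects the customer VRF at the egress edge), as in BGP/MPLS L3VPNs; the router names, labels, ports and addresses are constructed.

```python
"""Toy MPLS L3VPN forwarding model (added illustration, not from the article).

Assumptions (constructed): a two-label stack, one core router, two customers A and B
that both use the 10.1.0.0/16 range at their remote sites, so only the VRF keeps
their traffic apart.
"""
import ipaddress


class PRouter:
    """Core (P) router: forwards only on the top label via its label forwarding table (LFIB)."""

    def __init__(self, name, lfib):
        self.name = name
        self.lfib = lfib  # incoming transport label -> outgoing transport label

    def switch(self, labels):
        """Swap the top label; the core never looks at the IP header or the VPN label."""
        top = labels[-1]
        return labels[:-1] + [self.lfib[top]]


class PERouter:
    """Provider-edge router holding one VRF per customer."""

    def __init__(self, name):
        self.name = name
        self.vrf_routes = {}     # vrf -> list of (network, transport_label, vpn_label)
        self.port_vrf = {}       # customer-facing port -> vrf the port is bound to
        self.vpn_label_vrf = {}  # locally allocated vpn_label -> (vrf, attached site)

    def add_route(self, vrf, prefix, transport_label, vpn_label):
        self.vrf_routes.setdefault(vrf, []).append(
            (ipaddress.ip_network(prefix), transport_label, vpn_label))

    def ingress(self, port, dst_ip):
        """Route at the edge: pick the VRF from the port, look up the destination, push labels."""
        vrf = self.port_vrf[port]
        dst = ipaddress.ip_address(dst_ip)
        for net, transport_label, vpn_label in self.vrf_routes.get(vrf, []):
            if dst in net:
                return [vpn_label, transport_label]  # bottom of stack first, top label last
        raise LookupError(f"{self.name}: no route for {dst_ip} in VRF {vrf}")

    def egress(self, labels):
        """Pop the VPN label and deliver to the VRF/site it identifies."""
        return self.vpn_label_vrf[labels[-1]]


def forward(ingress_pe, port, dst_ip, core_path, egress_pe):
    """Carry one packet end to end; returns the (vrf, site) pair that receives it."""
    labels = ingress_pe.ingress(port, dst_ip)
    for p in core_path:
        labels = p.switch(labels)
    labels = labels[:-1]  # egress PE strips the transport label, leaving the VPN label
    return egress_pe.egress(labels)


def build_network(misbind_port=False):
    """Constructed topology: PE1 -> P1 -> PE2, customers A (port1) and B (port2).

    With misbind_port=True, customer B's port is wrongly bound to VRF A, the kind of
    edge-router misconfiguration the article describes.
    """
    pe1, pe2 = PERouter("PE1"), PERouter("PE2")
    p1 = PRouter("P1", {1001: 1002})
    pe1.port_vrf = {"port1": "A", "port2": "A" if misbind_port else "B"}
    pe1.add_route("A", "10.1.0.0/16", 1001, 100)
    pe1.add_route("B", "10.1.0.0/16", 1001, 200)
    pe2.vpn_label_vrf = {100: ("A", "A-site2"), 200: ("B", "B-site2")}
    return pe1, [p1], pe2


def deliver(customer_port, dst_ip, misbind_port=False):
    pe1, core, pe2 = build_network(misbind_port)
    return forward(pe1, customer_port, dst_ip, core, pe2)


def audit_port_bindings(pe, expected):
    """Defender-side check: list customer ports whose VRF binding differs from the plan."""
    return sorted(port for port, vrf in pe.port_vrf.items() if expected.get(port) != vrf)


if __name__ == "__main__":
    print("B, correct config :", deliver("port2", "10.1.5.5"))
    print("B, misbound port  :", deliver("port2", "10.1.5.5", misbind_port=True))
    pe1, _, _ = build_network(misbind_port=True)
    print("misbound ports    :", audit_port_bindings(pe1, {"port1": "A", "port2": "B"}))
```

The core router only ever swaps the transport label, which is why a node failure or a re-route in the core does not change where the packet ends up; the VRF binding and the VPN label at the edge are what decide that, so they are the configuration items worth auditing against the customer's own site plan.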

Instead of customers having to create and maintain pre-defined links, or private virtual circuits, between their remote sites and data centers, MPLS provides a cheaper and fully meshed topology that lets users create classes of service to prioritize different types of traffic over others, says Greg Davis, vice president of product marketing at MegaPath Networks, a Costa Mesa, Calif.-based managed IP communications provider.

"People today have PCs, PCs have applications, and they're not just connecting back to one data center, they're communicating with each other," he says.

Sitting between Layer 2 and 3 protocols, MPLS was built on an IP backbone and its scalability can extend to any site connected to the public internet. That means, in almost all cases, MPLS VPNs contain a number of internet "gateways" along the way. But MPLS contains no component allowing for packet encryption, even though new PCI mandates require that retailers encrypt data at rest and in motion.

"It's not a question of whether MPLS as a technology is more or less secure than frame relay," Davis says. "The difference is that when you allow access to the public internet, you need to take necessary precautions. You're using MPLS because you're using internet-based applications. Frame relay was designed for single business applications that didn't need access to the internet."

While MPLS provides as much security as frame relay and ATM models, organizations lose some visibility over their traffic, experts say.

"One of the things we've found really quickly is that MPLS really messes up the security architect's ability to see communication between the remote sites," Lancope's Powers says. "The carriers don't guarantee that the packet's going to make it across the cloud. All they have are SLAs [service level agreements] with the customer that they'll get your packet from here to there in this much time and you'll have this much throughput."

The risk exists that service providers could be "sniffing" companies' private information, say experts. Davis says his company has a number of systems and personnel controls in place to prevent employees from tapping into data.

Meanwhile, both carriers and corporations must deploy internet gateway technology to prevent cybercriminals from using the internet to access VPN data.

Enterprises, too, must do some work. Powers suggests they run their own firewalls and intrusion prevention systems at the data center and enable flow monitoring tools, such as Cisco's NetFlow, at their remote locations.
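Because the many-to-many mesh removes the data-center choke point where site traffic used to be visible, flow records collected at the remote sites are the practical way to get that visibility back. The following added example (not code from the article, Lancope or Cisco) checks a constructed NetFlow-style export against a site plan: every site may talk to the data center, only listed site pairs may talk directly, and any address outside the known prefixes is flagged. The CSV field layout, site prefixes, allowed pairs and flow lines are all assumptions.

```python
"""Flow-record audit for an MPLS site mesh (added illustration, not from the article).

Assumptions (constructed): flows arrive as CSV with columns src,dst,proto,dport,bytes,
a subset of what a NetFlow collector would export; site prefixes and allowed direct
site pairs are constructed for the example.
"""
import csv
import io
import ipaddress

# Constructed site plan: the data center and three remote sites.
SITES = {
    "datacenter": ipaddress.ip_network("10.0.0.0/16"),
    "site-atlanta": ipaddress.ip_network("10.1.0.0/16"),
    "site-denver": ipaddress.ip_network("10.2.0.0/16"),
    "site-boston": ipaddress.ip_network("10.3.0.0/16"),
}

# Policy: any site <-> data center is fine; only these direct site pairs are expected.
ALLOWED_PAIRS = {frozenset({"site-atlanta", "site-denver"})}

# Constructed flow export (not real traffic); one flow per line.
FLOWS = """src,dst,proto,dport,bytes
10.1.4.20,10.0.1.10,6,443,81234
10.1.4.20,10.2.7.5,6,445,5120
10.3.9.2,10.1.4.20,6,3389,9903
192.168.50.7,10.3.9.2,6,22,4410
10.2.7.5,10.0.1.10,17,53,300
"""


def site_of(ip):
    """Map an address to the site whose prefix contains it, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in SITES.items():
        if addr in net:
            return name
    return None


def audit_flows(flow_csv):
    """Return (finding, src, dst, dport) tuples for flows that break the site plan."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src_site, dst_site = site_of(row["src"]), site_of(row["dst"])
        dport = int(row["dport"])
        if src_site is None or dst_site is None:
            # An address from no known site: worth a look, since the VPN should only
            # ever carry this customer's own prefixes.
            findings.append(("unknown-prefix", row["src"], row["dst"], dport))
            continue
        if "datacenter" in (src_site, dst_site) or src_site == dst_site:
            continue  # hub traffic and intra-site traffic are expected
        if frozenset({src_site, dst_site}) not in ALLOWED_PAIRS:
            findings.append(("unexpected-site-pair", row["src"], row["dst"], dport))
    return findings


def bytes_by_site_pair(flow_csv):
    """Per site-pair byte totals, useful as a baseline for what 'normal' looks like."""
    totals = {}
    for row in csv.DictReader(io.StringIO(flow_csv)):
        key = (site_of(row["src"]) or "unknown", site_of(row["dst"]) or "unknown")
        totals[key] = totals.get(key, 0) + int(row["bytes"])
    return totals


if __name__ == "__main__":
    for finding in audit_flows(FLOWS):
        print(*finding)
    for pair, total in sorted(bytes_by_site_pair(FLOWS).items()):
        print(pair, total)
```

The useful part is the policy, not the parsing: once each remote site exports flows, a site-pair allow-list turns the loss of the hub view into a positive check that only the site relationships you intended are actually in use.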

With today's sophisticated threat landscape, it is understandable when organizations think in terms of security. But when it comes to historically safe MPLS-based networks, companies need not overexert themselves to secure the framework, experts say. If simple due diligence is applied, network administrators and security chiefs should be able to sleep comfortably at night.


A competitor to MPLS?

For as long as it has been around, Ethernet has largely been considered a local area network (LAN) technology. Traditionally reserved for college campuses and major metropolitan buildings that are wired for the connection, Ethernet is now steadily gaining momentum as a wide area network (WAN) protocol in an attempt to compete with MPLS.

"Ethernet is really available anywhere," says Keao Caindec, chief marketing officer for San Francisco-based managed Ethernet provider Yipes Enterprise Services. "Engineers aren't as familiar with running Ethernet in the wide area, but it's as simple as running it in their LAN."

Caindec says the technology is faster and cheaper. "With an MPLS, you need a router, which is pretty complex. With Ethernet, you can use a managed switch, which is lower cost."

In addition, he says Ethernet security is just as robust as MPLS. All traffic is segmented by a virtual LAN (VLAN) and then managed by a virtual private LAN service (VPLS).

But Forrester Research VP Lisa Pierce says enterprises should test their systems before deploying Ethernet in this fashion. "It was not until recently that something like a network interface was designed for Ethernet. It was never designed for a WAN. It's got some growing up to do."

-Dan Kaplan 
