Data traffic: Express delivery

MPLS means fast, secure data flow - as long as you apply due diligence, reports Dan Kaplan.

In the enterprise world, data packets arriving a few milliseconds behindschedule can seem like an eternity for time-sensitive applications. Intheir efforts to hasten the flow of their critical packets from oneremote location to the next, performance-reliant big businesses are nowmigrating to a different data transmission technology.

This next-generation of wide area network (WAN) connectivity is known asmultiprotocol label switching (MPLS), a cheaper system that is replacingthe increasingly antiquated frame relay and asynchronous transfer mode(ATM) models to route packets.

Devised more than a decade ago by the Internet Engineering Task Force,the MPLS framework has only recently seen widespread deployment. By lastyear, one third of all North American enterprises employing 1,000 ormore people had moved to MPLS, compared to 19 per cent in 2005,according to Forrester Research.

MPLS, which is usually managed by a network carrier, eliminates theso-called hub-and-spoke architecture on which the frame-relay and ATMtechniques rely.

"It instantly creates a many-to-many relationship between all yourremote sites," says Adam Powers, chief technology officer of networkbehaviour analysts Lancope. "They all become directly connected to anyremote location they want to talk to, instead of going through the datacentre."

But this increased efficiency has security implications enterprisecustomers must be aware of, especially if they are bound by the PaymentCard Industry (PCI) Data Security Standard. MPLS segregates trafficamong companies using the same service provider, lending an assumedlevel of privacy. So far, there has been no publicised breach of data inflight. But there is a possibility that a malicious intrusion can affectan organisation's data in transit: a hacker may find a way in throughone of a number of internet gateways on the MPLS backbone, or a serviceprovider could eavesdrop on packets as they pass through. Accidents canhappen, too, such as the carrier misconfiguring its edge router,potentially permitting one company to obtain data from another firm'svirtual private network (VPN).

"Just by deploying MPLS, you are not completely securing your network,"warns Kunjal Trivedi, product manager in Cisco System's managed securityservices division. "You need to do more than that, given the nature oftoday's threat." Organisations must ensure their carrier is doingeverything possible to bolster security, in addition to deploying theirown traffic-monitoring solutions.

MPLS uses a technique called label switching, where packets are routedat the provider edge and then switched in the core based on their tags,explains Michael Hommer, engineering manager at network consultingcompany Miercom. "A failure of any given node shouldn't affect theability of data to get from end to end," he adds.

Instead of customers having to create and maintain predefined links orprivate virtual circuits between their remote sites and data centres,MPLS provides a cheaper and fully meshed topology that lets users createclasses of service to prioritise some types of traffic. "People todayhave PCs, PCs have applications, and they're not just connecting back toone data centre, they're communicating with each other," says GregDavis, vice-president of product marketing at MegaPath Networks, amanaged IP communications provider.

Keep an eye on gateways

Sitting between Layer 2 and 3 protocols, MPLS was built on an IPbackbone and its scalability can extend to any site connected to theinternet. That means MPLS VPNs contain a number of internet "gateways",but they have no component allowing for packet encryption, even thoughnew PCI mandates require that retailers encrypt data at rest and inmotion.

"It's not a question of whether MPLS as a technology is more or lesssecure than frame relay," Davis says. "The difference is that when youallow access to the public internet, you need to take the necessaryprecautions. You're choosing MPLS because you're using web-basedapplications. Frame relay was designed for single business applicationsthat didn't need access to the internet."

However, compared to frame relay and ATM models, organisations usingMPLS lose some visibility over their traffic. "One of the things we'vefound really quickly is that MPLS really messes up the securityarchitect's ability to see communication between the remote sites,"Powers admits. "The carriers don't guarantee that the packet is going tomake it across the cloud. All they have are service-level agreementswith the customer that they'll get your packet from here to there inthis much time and you'll have this much throughput."

Both carriers and corporations must deploy internet gateway technologyto prevent cyber criminals from using the web to access VPN data.Enterprises, too, must do some work. Powers suggests they run their ownfirewalls and intrusion prevention systems at the data centre and enableflow-monitoring tools at their remote locations.

Considering today's sophisticated threat landscape, organisations arewell-advised to think in terms of security. However, as long as duediligence is applied, network administrators and CISOs should not needto worry too much about MPLS-based networks.

A version of this article appeared in the US edition of SC Magazine.


The Ethernet has so far mainly been considered a local area network(LAN) technology. Traditionally reserved for college campuses and majormetropolitan buildings, it is now steadily gaining momentum as a widearea network (WAN) protocol in an attempt to compete with MPLS.

"Ethernet is available anywhere," says Keao Caindec, chief marketingofficer for managed Ethernet provider Yipes Enterprise Services."Engineers aren't as familiar with running it in the wide area, but it'sas simple as running it in their LAN." Caindec says the technology isfaster and cheaper. "With an MPLS, you need a router, which is prettycomplex. With Ethernet, you can use a managed switch, which costsless."

Ethernet security is just as robust as MPLS, Caindec claims. All trafficis segmented by a virtual LAN (VLAN) and then managed by a virtualprivate LAN service (VPLS).

But Lisa Pierce, vice-president at Forrester Research, advisesenterprises to test their systems before deploying Ethernet in thisfashion. "It was not until recently that something like a networkinterface was designed for Ethernet. It was never designed for a WAN.It's got some growing up to do."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.