Although the prices of private WANs have fallen radically over the past few years, mainly due to competition, does one really need to employ a private WAN? With so many manufacturers trying to persuade us to use their Virtual Private Network (VPN) kit, surely there must be at least some motivation for us to throw away the traditional corporate WAN model and adopt a VPN.
One of the key benefits of a private WAN is that, well, it’s private – that is, you have no worries about the security of the network. But is this really true? In reality, unless you’re a ‘dark fibre’ customer – that is, you rent the bit of fibre between A and B and put your own network equipment at each end – you are sharing the physical medium with others. All you really have is a virtual circuit, and your packets travel down the wire alongside possibly hundreds or thousands of other companies’ data and voice.
Private networks are, of course, considered secure – but this is only because the telecoms suppliers have shown their security processes and systems to be reliable over many, many years. To be fair, the average telco’s equipment will be inherently more secure than, say, a public IP network, because the public doesn’t have direct management-level access from the public network into the configuration side of the switching infrastructure. But the fact remains that a private network still runs over a shared piece of string.
Even though the Internet is, by its nature, potentially insecure, network engineers have addressed this problem using strong encryption and authentication techniques. True, the risk is still much higher than in a traditional private network – but one can consider it as multiplying next to nothing by an order of magnitude.
One of the benefits of private networks that has historically been lacking in VPNs is the ability to guarantee service levels. When the various ATM vendors were trying to promote the Quality of Service (QoS) capabilities of their pet technology in the mid to late 1990s, some customers saw the benefit of being able to switch ATM natively across public networks whilst preserving performance and privacy, but the prices were just too high for the majority to take up the technology. It was only when companies such as Cisco, Nortel (then Bay Networks) and 3Com started coming up with ways of implementing faster forwarding decision-making and performance guarantees on the ubiquitous Ethernet family that wide-area implementers started to see an alternative for their customers.
Multiprotocol Label Switching (MPLS) was derived from Cisco’s proprietary Tag Switching mechanism, and was quickly adopted by both the traditional WAN hardware providers (i.e. all of the above) and some new kids on the block, notably Juniper Networks.
Because the Internet appears to be an amorphous blob of networking, one would think it impossible to use a protocol such as MPLS to direct traffic policies on the Internet. In reality, though, the number of brands of kit used to actually implement the various arms of the Internet is limited, which means there is every chance one can find an MPLS-capable route between a given pair of endpoints.
Real service guarantees
Of course, in any shared network there will be casualties during router outages (which cause traffic redirects and thus congestion) and even during the usual busy periods that happen daily or weekly. The fact remains that while telephone networks overprovision bandwidth in order that 0.00000 percent of calls are dropped in the event of a network outage, data circuits will always play second fiddle. It’s inevitable that Internet circuits will often sit below private data circuits in the pecking order, so it’s the VPN (which is using the Internet as its transport mechanism) that gets shoved out when the going gets tough. In reality, though, such instances are infrequent and short-lived, and so in the average case one can live with the foibles of the Internet taking a lower priority than the private circuit world.
In short, then, with the technologies in place today, the Internet is usable as an alternative to private circuits. In the average case, end-to-end performance over the Internet is perfectly acceptable, and if you need additional performance then MPLS is the way to achieve at least 90 percent of that desire. It’s essential that strong encryption and authentication are used, of course, and that keys are changed frequently using secure methods in case someone does manage to crack a key.
It’s also important to bear in mind that private circuits still do have their uses – if you’re heavily telecoms-oriented then you may not be content with the minority of times that things do slow down. In general, though, the VPN is a money-saving, secure, effective alternative to private wide area networking for the majority of businesses.