
Tester's Choice: MPLS takes on security role

Ed Mier

How does a complex new Internet Engineering Task Force protocol, which was developed to deliver quality-of-service capabilities over IP networks, end up as a promising new technology for VPNs? That's the current story line for Multi-protocol Label Switching.

Companies warmly embraced VPNs as the best way to practice safe networking over the Internet. VPNs have become such a hit that users today face a half-dozen implementation alternatives. For example, VPNs can be built with stand-alone VPN controllers, via VPN software that's part of a server operating system, or via the VPN software in your routers or firewalls. You can also engage a service provider to deploy and manage your VPNs. That's happening more as word of VPN benefits spreads to midsize and smaller organizations. They want VPNs for all the same reasons as the big companies: to securely link their remote sites via the Internet and for secure remote access via the Internet.

So how does MPLS fit into all this? MPLS, a recently finalized IETF protocol, provides two pleasant and inherent by-product benefits. First, it attaches tags - or "labels" - to IP packets when they enter the MPLS-based network. This eliminates the need for each intermediate router node to delve deeply into each packet's IP header to make forwarding and handling decisions. This means packet streams can pass through an MPLS-based WAN infrastructure blindingly fast.

Second, the same labels that MPLS employs for distinguishing IP packet streams - so they can be given the appropriate class-of-service handling - also provide secure isolation of these packets from other traffic over the same physical links.

Our lab recently evaluated the security aspects of MPLS using Cisco's IOS Versions 12.0 and 12.1 across a half-dozen router platforms, from low-end 1750s to high-end 12000 GSRs. (A report detailing this testing is downloadable free from

We concluded that because the MPLS labeling hides the real IP address and other aspects of the packet stream, it provides data protection at least as secure as other Layer 2 technologies, including frame relay and ATM. Indeed, MPLS-based isolation of packet streams can be viewed as the WAN equivalent to virtual LANs - the segregation of traffic over LANs that's enabled by IEEE 802.1p and 802.1q tags.

MPLS without encryption doesn't provide the same level of security as IPSec-based VPNs using Triple-DES encryption. However, Triple-DES's added processing also has a measurable effect on the latency and throughput of traffic that's sent through encrypted VPN tunnels.
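The label handling and its limits can be seen in a small model. This is an added example, not code from the article or from the tested Cisco configuration; it uses the 32-bit label stack entry layout of RFC 3032 and a simplified single-label network, and the VPN names, label values, interface names and sample packet are all constructed. Two customers send to the same IP address, the core forwards on the label alone, and the packet behind the label stays readable because nothing encrypts it.

```python
import struct

def encode_entry(label, tc=0, bottom=True, ttl=64):
    """Pack one 32-bit label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    if not (0 <= label < 1 << 20 and 0 <= tc < 8 and 0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)

def decode_entry(frame):
    """Unpack the first label stack entry of a labeled frame."""
    if len(frame) < 4:
        raise ValueError("truncated label stack entry")
    (word,) = struct.unpack("!I", frame[:4])
    return {"label": word >> 12, "tc": (word >> 9) & 7,
            "bottom": bool((word >> 8) & 1), "ttl": word & 0xFF}

# Constructed tables (assumptions for this example).
INGRESS = {"vpn-red": 100, "vpn-blue": 200}                # customer VPN -> label
LFIB = {100: (101, "if-east"), 200: (201, "if-west")}      # in label -> (out label, port)
# Constructed stand-in for an IP packet; both customers use the same destination.
PACKET = b"IPv4 dst=10.0.0.1 | payroll data"

def ingress_push(vpn, ip_packet):
    """Edge router: choose the label from the customer VPN, not the IP header."""
    return encode_entry(INGRESS[vpn]) + ip_packet

def core_forward(frame):
    """Core router: swap the label and pick the port; the IP packet is never parsed."""
    entry = decode_entry(frame)
    if entry["label"] not in LFIB or entry["ttl"] <= 1:
        return None                                        # unknown label or expired TTL: drop
    out_label, out_if = LFIB[entry["label"]]
    swapped = encode_entry(out_label, entry["tc"], entry["bottom"], entry["ttl"] - 1)
    return out_if, swapped + frame[4:]

def demo():
    red = core_forward(ingress_push("vpn-red", PACKET))
    blue = core_forward(ingress_push("vpn-blue", PACKET))
    return {
        "red_port": red[0], "blue_port": blue[0],          # same IP, separate paths
        "red_out_label": decode_entry(red[1])["label"],
        "payload_in_clear": red[1][4:] == PACKET,          # isolation, not encryption
        "unknown_label": core_forward(encode_entry(999) + PACKET),
    }

if __name__ == "__main__":
    print(demo())
```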

MPLS will not put IPSec-based VPNs out of business. There seems to be no technical reason why a company could not also apply IPSec-based security, including encryption, to traffic that is being handled by the service provider via MPLS-labeled VPNs. Indeed, that combination might well provide the best overall security that can be achieved for Internet-based data transmission today.


Mier is founder of Miercom in Princeton Junction, N.J. He can be reached at
