VPN Technology Primer and Comparison of VPN Technology Options

Cisco Press


The main focus of this chapter is on VPN technology, protocols, and concepts. This chapter presents a comparison of multiprotocol label switching (MPLS), IP security (IPsec), and Secure Socket Layer (SSL) to give you a good understanding about the benefits and shortfalls of choosing each technology for a VPN solution. This is a standalone section that can be read without working through Chapter 1, "The VPN Technology Promise: Secure Access from Anywhere to Anything." Even though this chapter is more technical in nature, it is essential for managers and CIOs of organizations considering deployment of a VPN solution to review this material. The comparisons in this chapter help develop an appreciation for the design considerations, deployment challenges, and management of technology for a successful VPN solution implementation.

Choosing the Right VPN Solution—A Technology Primer

In this technology primer, three technologies are discussed with VPN deployment in mind, and a comparison is provided because the main focus of this Short Cut is making a decision about how to implement a VPN. You can learn specifics about the technology, protocols, and concepts in detail from several other Short Cuts after you've made your initial decisions. This chapter helps you compare key factors for the following three VPN technologies before you make your implementation decision:

  • MPLS

  • IPsec

  • SSL

Note - For a detailed look at MPLS-based VPNs, consider reading MPLS and VPN Architectures, by Ivan Pepelnjak and Jim Guichard.

For a detailed look at IPsec VPNs, consider reading IPSec VPN Design, by Vijay Bollapragada, Mohamed Khalid, and Scott Wainner.

Indicators That MPLS Is a Good Choice

MPLS is essentially a label-switching technology and provides switching at Layer 2 in a time-efficient manner, making delivery of IP packets faster than normal IP routing at Layer 3. In addition, MPLS VPN provides the privacy and quality of service (QoS) of ATM and Frame Relay Layer 2 services, as well as the flexibility, scalability, and connectivity of IP. We can now combine them into a single service for the first time.

The reason we can do this is that MPLS is modeled on label-based forwarding at Layer 3. This essentially provides a foundation for IP value-added services.

MPLS VPNs provide the capability to flexibly group users and services into arbitrary groups with arbitrary services. This is an essential element and is a foundational change to prepare the network infrastructure to deliver IP services in a cost-effective and rapid manner.

Low-cost managed IP services delivery on MPLS VPNs is feasible because lower operational costs allow service providers to deliver private IP services to businesses with the required management capabilities.

The following factors help enterprises to determine when to use MPLS:

  • The company needs SLAs for network operation assurance.

  • Security needs are met by traffic separation similar to that of Frame Relay or ATM.

  • Traffic patterns are suited for a partial or full mesh topology.

  • The enterprise plans to converge its data, video, and voice traffic onto a single network; therefore, delay-sensitive traffic, such as voice, video, or mission-critical data, must receive the necessary QoS.

  • Implementation is very large or growing.

  • The enterprise wants to deploy multicast applications.

  • The enterprise wants to deploy additional value-added applications, such as multimedia conferencing, e-collaboration, or business-process applications such as order fulfillment, enterprise resource planning (ERP), or customer relationship management (CRM).

  • The enterprise wants to outsource its WAN.

Note - The preceding factors for MPLS VPN are referenced from the following: http://cisco.com/en/US/partner/netsol/ns465/networking_solutions_white_paper0900aecd801b1b0f.shtml

MPLS User Experience

As a network-based VPN service, MPLS does not require the use of a VPN client. Enterprise end users typically interact with the network as they would ordinarily.

For telecommuters and mobile workers, a virtual routing and forwarding (VRF) instance may be assigned to the remote users' profile, and IP packets belonging to this VRF may be switched accordingly. If these telecommuters and mobile workers traverse the public Internet, they can use IPsec for secure transmission of IP packets. After the IPsec tunnels terminate on an aggregation point or head-end, which may be a provider edge (PE) router, all cleartext traffic may be mapped into a VRF instance that is subsequently label switched.

MPLS Strengths

The primary strengths of an MPLS-based VPN for the enterprise are the following:

  • Network security—MPLS enforces traffic separation among different VPNs on the same core network by using route distinguishers. Unique route distinguishers are assigned automatically when the VPN is provisioned and are placed in packet headers. MPLS VPN privacy is similar to the privacy in traditional WAN infrastructures such as Frame Relay and ATM, and its effectiveness has been demonstrated by Miercom, which provides independent testing and analysis of networking services. The service provider can design the network so that customer routers have no knowledge of the core network, and core routers have no knowledge of the customer edge.

  • Scalability—A well-executed, MPLS-based VPN deployment scales easily to accommodate company growth or changes. It does not require the full-mesh, end-to-end peering that other VPN architectures require. For example, when a new site is added to the VPN, the company or service provider needs to establish local peering only between the new site and the provider edge. It does not need to reconfigure the CPE at other existing sites, gaining significant operational cost savings.

  • Support for SLAs—SLAs are important to enterprises with stringent requirements for network performance and resiliency. MPLS-based VPNs support SLAs by providing scalable, robust QoS mechanisms, guaranteed bandwidth, and traffic-engineering capabilities. By deploying traffic engineering in the core network, service provider network engineers can implement policies to help ensure optimal traffic distribution and improve overall network usage.
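The traffic separation described under Network security, as an added Python model that is not from the chapter or from any Cisco product: route distinguishers keep an identical customer prefix distinct across VPNs, and route targets (the RFC 4364 import/export mechanism) decide which VRF learns which routes, so a lookup in one VRF never finds another VPN's prefix. VRF names, RD and RT values, and prefixes are constructed.

```python
import ipaddress
from collections import defaultdict

class Vrf:
    """One customer VRF on a PE: its RD plus the RTs it imports and exports."""
    def __init__(self, name, rd, import_rts, export_rts):
        self.name, self.rd = name, rd          # rd e.g. "65000:100" (constructed)
        self.import_rts, self.export_rts = set(import_rts), set(export_rts)
        self.routes = {}                       # customer prefix -> next hop

    def add_route(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

def advertise_vpnv4(vrf):
    """VRF route -> VPNv4 route: the RD is prepended, so the same prefix in two
    VPNs becomes two distinct keys; the export RTs travel with the route."""
    return [((vrf.rd, prefix), nh, frozenset(vrf.export_rts))
            for prefix, nh in vrf.routes.items()]

def install_routes(vpnv4_routes, vrfs):
    """Receiving PE: a route lands in a VRF only when one of its RTs matches
    that VRF's import RTs.  Returns {vrf name: {prefix: next hop}}."""
    table = defaultdict(dict)
    for (_rd, prefix), nh, rts in vpnv4_routes:
        for vrf in vrfs:
            if rts & vrf.import_rts:
                table[vrf.name][prefix] = nh
    return dict(table)

def lookup(table, vrf_name, dst_ip):
    """Longest-prefix match inside one VRF; None means no route, i.e. one VPN
    cannot reach a prefix that only another VPN imported."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [p for p in table.get(vrf_name, {}) if ip in p]
    if not matches:
        return None
    return table[vrf_name][max(matches, key=lambda p: p.prefixlen)]

def demo():
    # Constructed data: two customers both using 10.1.0.0/16, plus a
    # shared-services VRF that only ACME is allowed to import (extranet).
    acme = Vrf("ACME", "65000:100", ["65000:100", "65000:999"], ["65000:100"])
    beta = Vrf("BETA", "65000:200", ["65000:200"], ["65000:200"])
    shared = Vrf("SHARED", "65000:999", [], ["65000:999"])
    acme.add_route("10.1.0.0/16", "PE1")
    beta.add_route("10.1.0.0/16", "PE2")
    shared.add_route("192.0.2.0/24", "PE3")
    routes = advertise_vpnv4(acme) + advertise_vpnv4(beta) + advertise_vpnv4(shared)
    return install_routes(routes, [acme, beta, shared])
```

Adding a fourth site to ACME in this model means one more `add_route` on its local PE; the other VRFs' tables are untouched, which is the local-peering point made under Scalability.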

When to Implement MPLS

Because MPLS VPN provides the foundation for IP services, it is essential to deploy it when you anticipate using it to deliver future IP services, such as IP telephony. MPLS provides a strong foundation for delivering IP telephony, which is essential to business communication, in a cost-effective manner.

Generally, MPLS VPNs are chosen when QoS and privacy without encryption are warranted.

MPLS VPN Considerations for Building Versus Buying

For businesses, moving to MPLS VPN is a technology shift. With WAN routers connecting to the Internet, businesses already incur the cost of buying bandwidth. It is advisable to look for an MPLS bundle, because to truly benefit from Internet connectivity and provide access to partners, a mobile sales force, and remote workers, it is becoming essential to deploy VPN VRFs directly on the WAN router.

Building MPLS VPNs is quite an undertaking for a business IT department; adequately skilled staff for design, deployment, and rollout are essential. As MPLS VPNs become commoditized, it is becoming more common for businesses to outsource MPLS VPNs that the IT department built at an earlier stage. Again, when negotiating a bandwidth purchase, businesses can look for a bundle in which the service provider manages the router, freeing up the IT department while at the same time getting the business technology ready so that other IP services can be deployed very rapidly.

Drawbacks of MPLS VPN

As the technology shift continues in the marketplace, no real drawbacks exist to deploying an MPLS VPN. In terms of an IT department's skill levels, MPLS VPN requires more highly skilled staff, who may already be in short supply because of the mass deployment of the technology. In reality, the advantages of deploying an MPLS VPN far outweigh the drawbacks.

Indicators That IPsec Is a Good Choice

The main driver for IPsec deployment is the confidentiality gained through encryption. The other tenets of CIAN, which are essential when adhering to regulatory requirements, become mandatory for businesses.

IPv4 by design has considerations that make it secure in operation. This goes back to the Internet changing from a "model of inherent trust" to a "model of pervasive distrust," with a history of attacks and malicious activities adversely affecting businesses connecting to the Internet. Businesses that also want to secure their intellectual property, especially in areas such as technology, biotech, and manufacturing, deploy IPsec to add to the privacy provided by MPLS VPN.

The following factors help enterprises to determine when to use IPsec:

  • The enterprise needs security measures such as data encryption or user and device authentication. IPsec provides strong security beyond the traffic separation inherent to MPLS, Frame Relay, or ATM networks. Enterprises that choose the MPLS VPN architecture because of its scalability and QoS support sometimes augment it with IPsec when they need additional security functions such as data encryption.

  • Cost considerations are important. An IPsec VPN can be deployed across any existing IP network, avoiding the capital and operational expense of building a new network.

  • The enterprise needs to extend its corporate network resources to geographically dispersed teleworkers and mobile workers.

  • Rapid deployment is important because the business can quickly add a new site or expand to a new location. IPsec saves time because it requires little or no change to the existing IP network infrastructure.

  • Traffic flow follows a hub-and-spoke topology.

Note - The preceding factors for IPsec VPN are referenced from http://cisco.com/en/US/partner/netsol/ns465/networking_solutions_white_paper0900aecd801b1b0f.shtml

IPsec User Experience

The user experience for site-to-site and remote-access VPNs varies slightly.

Remote-Access User Experience

Typically, the user invokes the VPN software client and selects the appropriate destination, such as a hostname or IP address. After successful authentication and IPsec tunnel setup, users can access applications as they would from their offices. IPsec allows access to almost all networked applications, without modifications to the hosted site or client.

Site-to-Site User Experience

For site-to-site connectivity via an IPsec-based VPN, users do not need client software on their computers. Instead, the user at a branch office launches the application as if it resided locally. An IPsec-enabled VPN router at the branch office automatically initiates an IPsec session with the central office. Upon successful session negotiation and authentication, a secure VPN tunnel is established between the branch and central office, without any action by the user.

IPsec Strengths

The primary strengths of IPsec-based VPN for the enterprise are as follows:

  • Low cost—Low-cost Internet access can be used for network transport.

  • Strong security—Inherently strong security features enable user authentication, data confidentiality, and integrity. Users are authenticated with digital certificates or preshared keys. Packets that do not conform to the security policy are dropped.

  • Support for teleworkers and mobile workers—Head-end IPsec VPN devices scale to serve many thousands of geographically dispersed users.

  • Ease of deployment—No service provider intervention is required to set up the VPN, although many enterprises choose to take advantage of the service provider's managed-service experience for regional or national multisite deployments to reduce costs, accelerate service introduction, and mitigate risk.

  • Reduced congestion at hub site—When configured for split tunneling, the remote VPN client can forward Internet-destined traffic directly, instead of through an IPsec tunnel, and establish a tunnel only for traffic being forwarded to the hub. This reduces congestion at the hub site.
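The split-tunneling decision from the Reduced congestion item and the policy drop from the Strong security item, as an added Python model that is not from the chapter or from any Cisco product: the client sends only hub-bound traffic through the tunnel, and the head-end drops decrypted packets whose inner source was not assigned from its pool or, with split tunneling, whose destination is not corporate. The corporate prefixes, client pool, and sample flows are constructed.

```python
import ipaddress

# Constructed policy (illustrative values): prefixes reachable through the
# tunnel, and the pool the head-end assigns to remote-access clients.
CORPORATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12")]
CLIENT_POOL = ipaddress.ip_network("192.0.2.0/24")

def client_path(dst_ip, split_tunnel):
    """Remote client decision: 'tunnel' sends the packet to the hub inside
    IPsec, 'direct' forwards it to the Internet in the clear.  Without split
    tunneling every packet goes through the hub."""
    dst = ipaddress.ip_address(dst_ip)
    if split_tunnel and not any(dst in n for n in CORPORATE_NETS):
        return "direct"
    return "tunnel"

def hub_accepts(src_ip, dst_ip, split_tunnel):
    """Head-end policy on the decrypted inner packet.  The inner source must
    be an address the hub assigned from the pool; with split tunneling the
    destination must also be corporate, otherwise the packet is dropped."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src not in CLIENT_POOL:
        return False
    return (not split_tunnel) or any(dst in n for n in CORPORATE_NETS)

def simulate(flows, split_tunnel):
    """Push constructed flows (inner src, dst, bytes) through the client
    decision and, for tunneled flows, the hub policy.  hub_bytes is the
    load the hub had to decrypt, which is what split tunneling reduces."""
    stats = {"hub_bytes": 0, "forwarded": 0, "direct": 0, "dropped": 0}
    for src, dst, size in flows:
        if client_path(dst, split_tunnel) == "direct":
            stats["direct"] += 1
            continue
        stats["hub_bytes"] += size
        stats["forwarded" if hub_accepts(src, dst, split_tunnel) else "dropped"] += 1
    return stats

FLOWS = [  # constructed sample traffic from one remote client
    ("192.0.2.10", "10.20.30.40", 1500),    # corporate file server
    ("192.0.2.10", "198.51.100.7", 4000),   # public web site
    ("192.0.2.10", "203.0.113.9", 2500),    # public video stream
    ("10.9.9.9", "10.20.30.40", 800),       # inner source not from the pool
]
```

Running `simulate(FLOWS, True)` against `simulate(FLOWS, False)` shows the hub decrypting 2300 bytes instead of 8800 for the same client activity, with the mis-sourced packet dropped in both modes.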

When to Implement IPsec

To achieve VPN connectivity, especially for remote-access IPsec VPN, a remote client is required. Depending on the solution, either a software VPN client is installed on the end station connecting to the IPsec VPN head-end, or a hardware client is deployed that provides IPsec connectivity to multiple clients connected to the LAN. In the latter case, only the hardware VPN remote client needs to connect to the IPsec VPN head-end, and traffic from all the end stations on the LAN is secured by the IPsec VPN. Bearing that in mind, here are some of the reasons IPsec VPN would be the best solution to deploy:

  • IPsec-based VPNs are application agnostic. This means that any application may be accessible from anywhere, given that adequate IPsec VPN access is provided. For example, advanced applications such as telephony or QoS will be able to function over IPsec tunnels.

  • IPsec will allow access to almost all network applications without modifications to the central site or client.

  • IPsec will allow almost all applications to be supported without custom changes.

Although IPsec is designed for IP unicast traffic only, with adequate support for IP multicast over the virtual adapter concept it can provide an experience equivalent to that in an office.

IPsec VPN Considerations for Building Versus Buying
