IPSec and MPLS: Which VPN is right for you?

With other methods of securing data communications, such as MPLS, now emerging, security managers have more options for building fortified networks.

by Seamus Phan

The office fax machine is a very busy beast, receiving tens of junk faxes every day. When I decided I had had enough of fax spam, I went through the fax user manual and discovered the "Password Plus" mode, which allows only users in the authorized number list to fax in, while legitimate but uninvited guests have to be provided a password. This is essentially turning a fax machine into a secured "tunnel", an analogy for a virtual private network (VPN).

While VPNs do address information security, they are highly complex, due in part to the diversity of vendors offering similar and yet somewhat disparate solutions. The only governing standard that most vendors adhere to, at least at its core, is IPSec (Internet Protocol Security). IPSec VPNs have enjoyed market dominance for quite some time now, displacing older remote access VPNs that relied on ISDN and analogue lines.

Nevertheless, new protocol entrants are emerging. In particular, Multiprotocol Label Switching (MPLS) has emerged to bridge the older world of asynchronous transfer mode (ATM) and Frame Relay with the IP world. There are also startups, including Neoteris (www.neoteris.com), founded by Netscape co-founder Jim Clark, which offers a proprietary, non-IPSec VPN appliance that authenticates users from a Web browser.

Understanding some VPN basics will help you to decide what is suitable for your enterprise.

IPSec Primer
IPSec is an IETF working group standard that provides authentication, confidentiality, and integrity for IP traffic. It provides authentication by blocking unauthorized users from the network and confidentiality by keeping unauthorized users from snooping or retrieving the contents of packets traveling to and from the network. IPSec also provides integrity for data by ensuring that the data traveling to and from the network is not modified or otherwise tampered with.

There are two kinds of IPSec packets: encapsulating security payload (ESP) and authentication header (AH). ESP provides authentication, confidentiality and integrity, while AH covers only authentication and integrity, not confidentiality. Check that your intended solution supports both (or more).

ESP works by encrypting the entire data packet, including the payload carrying the sensitive information. AH does not encrypt the data packet or the information; it merely carries a check derived from the sensitive data transferred, against which the receiver ensures that nothing has been illegally modified in transit. The good thing about using AH is that it is much faster than ESP, since encryption is processor-intensive and can slow down traffic. But the VPN landscape has also changed somewhat, with many vendors now offering hardware-assisted encryption that offloads encryption to a dedicated co-processor. Again, check whether your vendor offers hardware-accelerated encryption, especially if you must have ESP.

IPSec traffic can work in two modes: transport mode and tunnel mode. Transport mode secures an IP packet from the originating source to the intended destination. Tunnel mode wraps an existing IP packet inside another IP packet defined in the IPSec format. Both modes can use either encrypted ESP or unencrypted AH headers.

Transport mode was designed to provide end-to-end security between communicating systems (including client platforms), while tunnel mode was intended primarily for gateway communication. Both modes, however, rely on a key exchange (such as the Internet Key Exchange, or IKE) through which encryption keys are securely exchanged. IPSec supports DES (Data Encryption Standard) or Triple DES (3DES) for data encryption, and MD5 and SHA-1 for authentication.
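As an added illustration (not from the article or any vendor), the following Python builds an AH transport-mode packet around a constructed IPv4 header and verifies its integrity check with HMAC-SHA1-96 (the 96-bit truncation IPSec uses for SHA-1), with a constructed key and SPI standing in for what IKE would negotiate. It shows the two points above: AH leaves the payload readable and only detects modification, and its check skips mutable IP header fields such as the TTL, which legitimately change at every hop.

```python
import hmac
import hashlib
import struct

# Constructed demo key; a real security association gets its key and SPI from IKE.
KEY = b"constructed-demo-key-not-for-use"
AH_PROTO = 51        # IP protocol number for AH
ICV_LEN = 12         # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits (RFC 2404)


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options); checksum left zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                       ttl, proto, 0, bytes(src), bytes(dst))


def _zero_mutable(ip_hdr):
    """AH's ICV covers the IP header with the mutable fields (TTL, checksum) zeroed."""
    hdr = bytearray(ip_hdr)
    hdr[8] = 0              # TTL is decremented at every hop
    hdr[10:12] = b"\0\0"    # header checksum changes whenever TTL does
    return bytes(hdr)


def ah_transport_wrap(ip_hdr, next_header, payload, spi=0x1000, seq=1):
    """Transport mode: insert an AH between the IP header and the original payload."""
    ah_len = (12 + ICV_LEN) // 4 - 2     # AH 'Payload Len' field: 32-bit words minus 2
    ah_fixed = struct.pack("!BBHII", next_header, ah_len, 0, spi, seq)
    outer = bytearray(ip_hdr)
    outer[9] = AH_PROTO                  # IP header now says "AH follows"
    outer[2:4] = struct.pack("!H", len(outer) + 12 + ICV_LEN + len(payload))
    outer = bytes(outer)
    # ICV over the whole packet, with mutable IP fields and the ICV itself zeroed
    covered = _zero_mutable(outer) + ah_fixed + b"\0" * ICV_LEN + payload
    icv = hmac.new(KEY, covered, hashlib.sha1).digest()[:ICV_LEN]
    return outer + ah_fixed + icv + payload     # payload travels in the clear


def ah_verify(packet):
    """Recompute the ICV of an AH packet; return (ok, next_header, payload)."""
    ip_hdr, rest = packet[:20], packet[20:]
    next_header, ah_len = rest[0], rest[1]
    ah_total = (ah_len + 2) * 4
    ah_fixed, icv, payload = rest[:12], rest[12:ah_total], rest[ah_total:]
    covered = _zero_mutable(ip_hdr) + ah_fixed + b"\0" * len(icv) + payload
    expected = hmac.new(KEY, covered, hashlib.sha1).digest()[:len(icv)]
    return hmac.compare_digest(icv, expected), next_header, payload
```

ESP differs in that it encrypts the payload and, because its own integrity check starts at the ESP header, leaves the IP header entirely uncovered.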

Using 3DES and SHA-1 requires accelerated hardware, especially for large corporate networks with hundreds of users (sometimes all online simultaneously). Some VPN vendors may also include proprietary, and sometimes stronger, encryption protocols, but these may only work in tandem with identical or similar products. If your enterprise has decided to standardize its equipment, then proprietary encryption protocols may be acceptable.

IKE can provide identity protection for the hosts initiating a session in main mode, or use aggressive mode, which is faster but offers no identity protection for the session hosts. Both hosts communicating with each other must be running the same mode.

IPSec VPNs can also provide proprietary features such as "single sign-on", which requires clients to authenticate only once to get access to all services. Some IPSec VPNs also offer specialized client software for the authentication, while others allow authentication through Web browsers.

You may also attempt to build your own Linux-based IPSec VPN by deploying FreeS/WAN (www.freeswan.org) together with the likes of the Linux Router Project, or LRP (www.linuxrouter.org), on inexpensive PCs. This demands much expertise and patience, and should not be relied upon for mission-critical networks (unless you have also set up clustered, load-balanced networks).

MPLS Primer
Multiprotocol label switching (MPLS) is another IETF definition. It can be seen as a method of connecting IP traffic to connection-oriented networks, such as ATM, Frame Relay, or optical networks.

The key benefit of MPLS is speed. Think of a postal system working the MPLS way: mail received is not analyzed by the individual collection postmen, but sent to a regional collection centre. This centre scans the mail by machine (if machine-readable) or by hand (if handwritten), then barcodes it. The barcoded mail is then simply scanned at downstream delivery checkpoints, without further analysis. This whole process speeds up mail delivery, which is the concept behind MPLS.

MPLS started as Tag Switching, where ATM switches adopt a routing function, and dynamic IP routing is used to trigger virtual circuits or path setups. The data is analyzed deeply once at the entry to the MPLS network, after which forwarding tags are inserted before the IP headers.

At both ends of a data session are label switch routers (LSRs), which support MPLS. An ingress LSR is where data enters the MPLS network, while an egress LSR is where data leaves it. The ingress LSR inserts small identifiers known as labels (or tags), and when the data leaves through the egress LSR, the labels are removed. This is because labels are known only to MPLS equipment, and should not confuse non-MPLS equipment outside the MPLS network.

There can also be multiple labels for each data packet, but only the outer-most (the most recently added) label will be used for forwarding.

The advantage of using labels in MPLS networks is that once a packet has been labeled, it does not go through analysis at every hop, which provides the much-needed speed in secure communications.
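The label mechanics described above, as an added example (not from the article or any vendor's code): a Python model that packs 32-bit label stack entries, pushes a two-label stack at an ingress LSR, swaps only the outermost label at each transit LSR, and pops at egress. The label values and forwarding tables are constructed for the example; a real LSR learns its bindings from a label distribution protocol.

```python
import struct


def encode_entry(label, exp=0, bottom=False, ttl=64):
    """Pack one 32-bit label stack entry: 20-bit label, 3-bit EXP, S bit, 8-bit TTL."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)


def encode_stack(entries, payload):
    """entries are (label, exp, ttl), top of stack first; the last one gets the S bit."""
    last = len(entries) - 1
    return b"".join(encode_entry(lbl, e, i == last, t)
                    for i, (lbl, e, t) in enumerate(entries)) + payload


def decode_stack(data):
    """Return ([(label, exp, ttl), ...], payload); stops at the entry whose S bit is set."""
    entries, offset = [], 0
    while True:   # struct.error if no S bit before the data runs out (malformed stack)
        word, = struct.unpack_from("!I", data, offset)
        entries.append((word >> 12, (word >> 9) & 7, word & 0xFF))
        offset += 4
        if (word >> 8) & 1:
            return entries, data[offset:]


def ingress_push(labels, ip_packet):
    """Ingress LSR: the packet is classified once, then labels go in front of the IP header."""
    return encode_stack([(lbl, 0, 64) for lbl in labels], ip_packet)


def lsr_forward(table, packet):
    """One LSR hop: only the outermost label is consulted; inner labels pass through untouched."""
    entries, payload = decode_stack(packet)
    (label, exp, ttl), inner = entries[0], entries[1:]
    action, new_label = table[label]        # no binding -> KeyError: the LSR drops the packet
    if action == "swap":
        return encode_stack([(new_label, exp, ttl - 1)] + inner, payload)
    if action == "pop":                     # egress for this label: it is removed
        return encode_stack(inner, payload) if inner else payload
    raise ValueError("unknown action %r" % action)


def run_path(path, packet):
    """Drive a packet through a list of LSR tables; return the packet as seen after each hop."""
    hops = [packet]
    for table in path:
        packet = lsr_forward(table, packet)
        hops.append(packet)
    return hops
```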

However, MPLS does not offer 100 percent security, and downstream IP-based security equipment may be added to enhance security. Remember that MPLS is intended for site-to-site connections, while IPSec can serve site-to-site as well as other connections. Each has its place in a comprehensive, corporate-wide security architecture.

For open source fans, there is also an ongoing project at SourceForge (sourceforge.net/projects/mpls-linux) that aims to port MPLS to Linux boxes. As with the Linux Router Project and FreeS/WAN, these kinds of implementations should be left to Unix gurus with patience and knowledge, and if implemented, should be run on clustered, load-balanced and redundant equipment.

Get a helping hand
If you would rather offload the entire VPN project to someone else, there is always the option of managed security services. With managed security services, you hand over full control to a trusted third party with whom you can define performance and QoS levels. However, managed security services often do not provide as granular control as your own VPN setup would, and you may have to work around some limitations imposed by these providers.

For MPLS, Equant offers managed VPN services. According to Equant, malicious spoofing (where intruders try to gain access to premise equipment, or PE routers) is nearly impossible, since the packets received from the router are IP packets that must arrive on a particular interface or sub-interface to be uniquely identified with a specific customer's VPN label. In short, each customer is given a unique label and all incoming traffic is tagged with this label.

For IPSec, the likes of KDDI and WorldCom offer managed VPN services. These typically allow almost any IP- and IPSec-capable downstream client platform to access corporate resources from anywhere in the world, and can provide site-to-site security as well.

Whether your enterprise decides to outsource the VPN architecture or even the manpower, it is still important to be knowledgeable about VPN offerings and their design and implementation. There is no simple way to deploy comprehensive security.

Seamus Phan is research director at KnowledgeLabs News Center (www.knowledgelabs.net), an independent technology news bureau and writes for Network Computing-The Asian Edition. He can be reached at seamus@knowledgelabs.net.


MPLS vendors
Avici Systems (www.avici.com)
Cisco Systems (www.cisco.com)
CoSine Communications (www.cosinecom.com)
Juniper Networks (www.juniper.net)
Lucent Technologies (www.lucent.com)
Nortel Networks (www.nortelnetworks.com)
Riverstone Networks (www.riverstonenet.com)

IPsec VPN vendors
Check Point Software (www.checkpoint.com)
Cisco Systems (www.cisco.com)
CoSine Communications (www.cosinecom.com)
CyberGuard (www.cyberguard.com)
Efficient Networks (www.efficient.com)
Enterasys Networks (www.enterasys.com)
Lucent Technologies (www.lucent.com)
Netscreen Technologies (www.netscreen.com)
Sonicwall (www.sonicwall.com)

Open Source IPsec VPN
Linux FreeS/WAN (www.freeswan.org)

Open Source MPLS
MPLS for Linux (sourceforge.net/projects/mpls-linux)

Managed service providers
Equant (www.equant.com)
KDDI (www.kddi.com)
WorldCom (www.worldcom.com)


Copyright 2001: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by The Business Publications Division of the Indian Express Group of Newspapers. Site managed by BPD