Is IPSec or MPLS VPN right for you?

We contrast and compare two Layer 3 IP VPN architectures, MPLS and IPSec, in relation to common business issues, and close with best practices and a summary of the two networks.

How long can your business afford to be down?
Do you have servers at your branch offices?
What applications run over your WAN?
Are your WAN/business needs likely to change in the future?
How much data are you transferring between links?
Where are you located?
Do you have trained IT staff at your head and branch offices?
What are the factors you base your Total Cost of Ownership on?
What would it mean to your business if your data is intercepted or attacked?

Each question below is followed by its business implication and then by the two columns of the comparison: MPLS network and IPSec VPN.
How long can your business afford to be down?

Business implication: This raises the dual issues of reliability and redundancy. How much downtime can your business tolerate? How reliable is your link?

A recent risk survey of 400 IT managers by Symantec Global Services found that their top concern is downtime or network availability.

"When you say 'risk' you think 'security', but actually availability is the top risk," said Jeremy Ward, development director at Symantec Global Services.

MPLS network: In general, MPLS will be more reliable than IPSec VPNs because there is less complication in the quality of the line, tunneling and firewall configuration. You are assured of quality as the carrier manages the service end to end. An Internet link is not backed by Service Levels in terms of latency and bandwidth.

IPSec VPN: IPSec VPN reliability is dependent on:

1. The reliability of the Internet. Make sure your ISP gives you a business grade service level target. Receiving all your IPSec VPN circuits through the same carrier will increase reliability (but decrease fault tolerance) compared with using multiple Internet carriers.

2. Multiple points of failure. Due to multiple VPN gateways, encryption, security risks, misconfiguration etc., an IPSec VPN can be less reliable than MPLS.

Does your link fail over to another form of connectivity seamlessly in the case of a failure?

Business implication: In October 2007 there was a fire at a service provider's exchange in Sydney CBD, which brought down fibre links.

MPLS network and IPSec VPN: Both MPLS and IPSec VPN do well when comparing redundant links. The general practice is to fail over from a Private Network to an IPSec VPN. Netforce have designed networks with both carrier/local loop redundancy and customer premise redundancy (one router with dual circuits running RIP2, or dual routers running Hot Standby Router Protocol). Both MPLS and IPSec VPNs can run dedicated circuits and backup paths that are carrier diverse, exchange diverse and technology diverse. Our design for redundant links often incorporates wireless failover. In the event of primary link failure, a non-terrestrial data path gives you enhanced WAN diversity, not to mention exchange diversity, loop diversity and PoP diversity.
Do you have servers at your branch offices?

Business implication: Which topology is right for you? If you do have servers at branch offices, consider MPLS.

MPLS network: A Private Network (MPLS) creates a redundant (fully meshed) network by default, which allows you to connect easily to local or head office data. This also brings other advantages explained later on.

IPSec VPN: Hub and spoke network by default, though meshed networks are possible in simple scenarios.
What applications run over your WAN?

Business implication: Time sensitive traffic like Citrix or voice are key deciders.

If you run, or are likely to run, Citrix, voice, multimedia conferencing, enterprise resource planning (ERP) or customer relationship management (CRM) applications, choose a Private Network.

MPLS network: Time sensitive traffic like Voice-over-IP (VoIP) benefits from the "any-to-any" connectivity of MPLS networks. By being connected to your MPLS network, you have a direct connection to all your remote locations without any of the additional cost or configuration you would need with Frame Relay or IPSec VPN tunnels.

* MPLS networks have the ability to define traffic types called Classes of Service (CoS) and assign fixed and variable bandwidths to each of them. This gives a stronger guarantee that your real-time and business-critical applications perform at a premium, which is known as Quality of Service (QoS).

* For example, voice and other critical applications such as CRM systems will not suffer if there is a sudden peak of Internet downloading.

IPSec VPN: VoIP is challenging to implement over IPSec site-to-site VPN tunnels because:

* The encryption and the path via multiple Internet carriers can cause too much latency. Once the encryption headers are added to each small voice payload, the stream of tiny voice packets over an Internet line can result in breakups and inaudibility.

* QoS features are limited. Once you send your encrypted data over the Internet, little can be done to prioritise it. (Cisco IPSec VPN deployments can preserve packet classification for QoS within an IPSec tunnel.)
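The per-packet overhead behind the first bullet above, as an added example that is not part of the original Netforce page: it computes how much an ESP tunnel-mode header and trailer add to a 20 ms G.729 or G.711 voice packet, and the function takes cipher parameters so it generalises to other suites and codecs. The codec table is constructed, and the AES-CBC with HMAC-SHA1-96 parameters are assumptions.

```python
"""ESP tunnel-mode overhead on small VoIP packets (added example, not
from the original page). Header sizes follow RFC 4303 (ESP) and
RFC 3550 (RTP); cipher parameters assume AES-CBC with HMAC-SHA1-96
(16-byte IV, 16-byte block, 12-byte ICV). Layer 2 framing is not counted.
"""

IPV4_HDR = 20
UDP_HDR = 8
RTP_HDR = 12

# Constructed codec table: name -> (payload bytes per packet, packets/s)
CODECS = {
    "G.711 (20 ms)": (160, 50),
    "G.729 (20 ms)": (20, 50),
}


def esp_tunnel_size(inner_len, iv_len=16, block=16, icv_len=12):
    """On-the-wire IPv4 length of an ESP tunnel-mode packet.

    ESP pads the inner packet plus the two trailer bytes (pad length,
    next header) up to a multiple of the cipher block size, then adds
    the ICV; the outer IPv4 header, SPI/sequence and IV come in front.
    """
    esp_hdr = 8        # SPI (4) + sequence number (4)
    trailer_fixed = 2  # pad length + next header
    padded = inner_len + trailer_fixed
    pad = (-padded) % block
    return IPV4_HDR + esp_hdr + iv_len + padded + pad + icv_len


def voip_bandwidth(payload, pps, encrypted):
    """Return (bytes per packet on the wire, bits/s) for one call leg."""
    inner = IPV4_HDR + UDP_HDR + RTP_HDR + payload
    wire = esp_tunnel_size(inner) if encrypted else inner
    return wire, wire * 8 * pps


def overhead_report():
    """Map each codec to (clear bytes, ESP bytes, percent growth)."""
    report = {}
    for name, (payload, pps) in CODECS.items():
        clear, _ = voip_bandwidth(payload, pps, encrypted=False)
        enc, _ = voip_bandwidth(payload, pps, encrypted=True)
        report[name] = (clear, enc, round(100 * (enc - clear) / clear))
    return report


if __name__ == "__main__":
    for name, (clear, enc, pct) in overhead_report().items():
        print(f"{name}: {clear} B clear -> {enc} B in ESP tunnel (+{pct}%)")
```

A 60-byte G.729 packet doubles to 120 bytes on the wire, which is why low-bitrate voice streams are hit hardest by tunnel overhead.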

Are your WAN/business needs likely to change in the future?

Business implication: Future-proof your network so it can adapt dynamically to the needs of your business as it changes.

MPLS network: Easy to add new sites and new applications into the network as business needs change, due to better QoS/CoS features. It is also easy to scale bandwidth up or down.

IPSec VPN: In a simple hub and spoke layout, adding sites is simply a matter of adding another branch office router or firewall, provided the head office gateway hardware can cope with this. Adding applications may be more difficult, as it is hard to add QoS to high latency networks.
How much data are you transferring between links?

Business implication: This is an important factor in deciding the performance required and the ongoing costs.

MPLS network: If you are transferring a lot of data, it is going to cost less and flow faster on a Private Network due to unlimited data transfer between sites and less contention.

IPSec VPN: You may get an Internet connection with an unlimited data plan, but the link will have a higher contention ratio than a Private Network, and you may pay a higher data download rate on a capped plan. The drawback of encrypted VPN tunnels is the overhead (latency) associated with the encryption.
Where are you located?

Business implication: It used to be difficult to deploy Private Networks because they were only available at limited exchanges, but not with Netforce.

MPLS network: It used to be that MPLS services needed to be with the one provider, and if one site was out of region for the provider, it was difficult to deploy. Not any more. Netforce can build a network that incorporates terminations of various last-mile technologies including WiMAX, 3G, ATM, Ethernet, Frame Relay, DSL, fibre etc. into one quality, managed network.

IPSec VPN: IPSec tunnels are carrier independent and can be deployed to any customer located anywhere in the world with an Internet connection.
Do you have trained IT staff at your head and branch offices?

Business implication: Apart from the actual cost of the network, consider ongoing administration time.

MPLS network: MPLS provides one common interface to an IP backbone that handles the virtual tunnel setup through the IP cloud. There are no ongoing costs in terms of internal administration such as maintaining shared secrets.

IPSec VPN: There is an additional management overhead of configuring, maintaining and managing IPSec tunnels across the IP cloud. IPSec key distribution, key management and peering configuration need to be regularly maintained.
What are the factors you base your Total Cost of Ownership on?

Business implication: Don't just consider monthly spend or upfront costs when making up your mind; clearly this is important, but it is not the only factor.

Total Cost of Ownership includes the ongoing costs of links. While least-price Internet connectivity is a major consideration, a contended link without Service Levels may lead to unproductive staff and downtime.

Research indicates that companies who use their IT systems to gain a competitive edge measure factors like uptime, trouble tickets, application acceleration, latency etc.

MPLS network:

* Initial setup costs are lower than for an IPSec VPN. For instance, we would recommend a router with less memory and fewer routing and firewalling capabilities for a Private Network.

* In addition to the WAN costs, add an Internet connection.

* There is a perception that Private Networks have higher ongoing costs than IPSec networks; however, this all depends on the service provider and your situation. Netforce can perform a cost benefit analysis to see where true savings can be made.

IPSec VPN: Both IPSec and MPLS TCO can be measured; again, it is how important the factors of uptime, latency, packet loss etc. are to your business that determines the choice.

* Initial setup costs are higher, in hardware as well as configuration time.

* Ongoing costs to be considered (apart from the Internet connections) are data downloads. You would have to pay for the traffic between sites, which is sometimes not the case in Private Networks.

* Add the time required to maintain and troubleshoot the IPSec VPN tunnels.

What would it mean to your business if your data is intercepted or attacked?

Business implication: What concerns do you have with your data integrity, confidentiality and security? Companies with privacy concerns, e.g. healthcare providers, need to think about protecting confidential data.

MPLS network: Data sent over an MPLS network is not travelling over the Internet and is open to less risk. (MPLS itself does not encrypt the traffic; where confidentiality is required, IPSec can be run over the MPLS network.)

IPSec VPN: A misconfigured firewall can open your IPSec VPN network to the Internet. Security is of even higher concern if you use split tunneling on your VPN concentrators. However, IPSec VPN tunnels protect the data that is traversing the WAN, because the data will be encrypted.
Do you have a number of branch offices?

Business implication: Highly distributed sites indicate a need for meshed networks.

MPLS network: Consider MPLS for your network.

IPSec VPN: Complexity and hardware requirements grow as the number of sites grows.

In summary, there is no right or wrong choice between MPLS and IPSec VPNs. The choice between an MPLS and an IPSec VPN depends on your business needs. Managing risks, controlling costs and providing flexibility and scalability are significant factors when deciding which way you should go.

Best practices indicate companies can meet their site-to-site VPN business requirements with a combination of MPLS and IPSec VPN, e.g. the core network is on MPLS, and the WAN connection points are firewalled with a UTM appliance that also serves as an IPSec gateway for roaming and remote users.

Gartner recommends that businesses should evaluate the opportunity to reduce WAN costs and create a more redundant network by using a hybrid combination of Multiprotocol Label Switching and Internet IP VPNs.

We can build a network that incorporates terminations of various last-mile technologies including WiMAX, 3G, ATM, Ethernet, Frame Relay, DSL, fibre etc. into one quality, managed network, either MPLS or IPSec.

For further information on MPLS or IPSec, please contact us.