2
There are several types of virtual private networks (VPNs). The two most prominent for supporting employee access to enterprise IT resources are IPsec and Multiprotocol Label Switching (MPLS) VPNs. It is possible to use just one type or the other, or to use both together in a hybrid deployment. What will typically determine whether a given location connects using an IPsec or an MPLS VPN are the following factors: • The size of the site to be connected • How much bandwidth you need at that site • Your performance reliability requirements for that site • The degree of direct connectivity to other corporate sites (and possibly extranet sites) that you need at the location • Your WAN connectivity budget for the site The primary differences between IPsec and MPLS VPNs are technical in nature and relate to their underlying network foundations. These differences affect speed, performance, reliability and cost, depending on implementation. However, when properly configured, both provide appropriate levels of network privacy and security for enterprise business use. Most IPsec VPNs connect sites using public Internet transport, which is comprised of interconnected networks run by multiple carriers. These VPNs use industry-standard IP encryption technology (called “IPsec”) to render the data transmitted private across network borders. There are a couple of different configurations available, which will be discussed in the next section. MPLS VPNs connect sites using a single carrier’s MPLS network. That carrier should have complete management control of the network, including the ability to enforce quality-of-service (QoS) policies on specific traffic flows. MPLS VPNs partition one customer’s traffic from another’s to keep it private across the infrastructure. The partitioning is created using special MPLS tags rather than encryption. A hybrid VPN is created when individual IPsec VPN sites connect to an enterprise MPLS VPN. IPsec encryption is sometimes (although rarely) used in conjunction with an MPLS VPN infrastructure; in effect, running a VPN within a VPN. While this configuration might be considered security overkill, it is often selected by more security-sensitive organizations, such as government defense agencies and financial institutions. Let’s look a little more closely at which type of service you’ll likely want to install at each of your sites based on the criteria listed above. IPsec and MPLS VPN Applications In many large organizations, both types of VPNs exist. What type best matches each location? MPLS VPN Use Cases As noted, the MPLS VPN is a high-speed, single-carrier-operated network that maintains traffic separation between different customers streams using the network. It allows one of your sites to link directly at high speeds to any other of your MPLS VPN site(s) without going through the public Internet. Central and regional data centers usually connect directly to the MPLS VPN service as do other large organizational sites. The MPLS VPN service is generally considered your enterprise’s primary WAN service – in effect, your own private WAN – and is deployed at sites requiring significant bandwidth and performance reliability. Greater reliability and performance are possible over MPLS because it is under the control of a single operator and because MPLS technology supports traffic policy enforcement. This results in better quality transport for time-sensitive traffic, such as streaming real-time video/ audio or live voice-over-IP (VoIP) calls. These apps perform better when they don’t have to travel through a central hub site on their way from point A to point B. IPsec VPN Use Cases IPsec VPNs often complement the MPLS VPN service at smaller sites and work well for low-speed data transfers to corporate data centers. These sites might be small satellite offices, home offices and even traveling/mobile workers at an airport or coffee shop. IPsec-enabled sites and user devices can connect to the corporate MPLS VPN using readily available, low-cost remote-access broadband connections, such as DSL, cable modem, private-line and cellular data connections. Which VPN? Applications for IPsec and MPLS IPsec and MPLS VPNs satisfy different site requirements but are often used together for maximum benefit. Brief © AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information contained herein is not an offer, commitment, representation or warranty by AT&T and is subject to change.

Which VPN? Applications for IPsec and MPLS

  • Upload
    vukhanh

  • View
    227

  • Download
    0

Embed Size (px)

Citation preview

  • There are several types of virtual private networks (VPNs). The two most prominent for supporting employee access to enterprise IT resources are IPsec and Multiprotocol Label Switching (MPLS) VPNs. It is possible to use just one type or the other, or to use both together in a hybrid deployment. What will typically determine whether a given location connects using an IPsec or an MPLS VPN are the following factors:

    The size of the site to be connected

    How much bandwidth you need at that site

    Your performance reliability requirements for that site

    The degree of direct connectivity to other corporate sites (and possibly extranet sites) that you need at the location

    Your WAN connectivity budget for the site

    The primary differences between IPsec and MPLS VPNs are technical in nature and relate to their underlying network foundations. These differences affect speed, performance, reliability and cost, depending on implementation. However, when properly configured, both provide appropriate levels of network privacy and security for enterprise business use.

    Most IPsec VPNs connect sites using public Internet transport, which is comprised of interconnected networks run by multiple carriers. These VPNs use industry-standard IP encryption technology (called IPsec) to render the data transmitted private across network borders. There are a couple of different configurations available, which will be discussed in the next section.

    MPLS VPNs connect sites using a single carriers MPLS network. That carrier should have complete management control of the network, including the ability to enforce quality-of-service (QoS) policies on specific traffic flows. MPLS VPNs partition one customers traffic from anothers to keep it private across the infrastructure. The partitioning is created using special MPLS tags rather than encryption. A hybrid VPN is created when individual IPsec VPN sites connect to an enterprise MPLS VPN.

    IPsec encryption is sometimes (although rarely) used in conjunction with an MPLS VPN infrastructure; in effect, running a VPN within a VPN. While this configuration might be considered security overkill, it is often selected by more security-sensitive organizations, such as government defense agencies and financial institutions.

    Lets look a little more closely at which type of service youll likely want to install at each of your sites based on the criteria listed above.

    IPsec and MPLS VPN ApplicationsIn many large organizations, both types of VPNs exist. What type best matches each location?

    MPLS VPN Use Cases As noted, the MPLS VPN is a high-speed, single-carrier-operated network that maintains traffic separation between different customers streams using the network. It allows one of your sites to link directly at high speeds to any other of your MPLS VPN site(s) without going through the public Internet.

    Central and regional data centers usually connect directly to the MPLS VPN service as do other large organizational sites. The MPLS VPN service is generally considered your enterprises primary WAN service in effect, your own private WAN and is deployed at sites requiring significant bandwidth and performance reliability. Greater reliability and performance are possible over MPLS because it is under the control of a single operator and because MPLS technology supports traffic policy enforcement. This results in better quality transport for time-sensitive traffic, such as streaming real-time video/audio or live voice-over-IP (VoIP) calls. These apps perform better when they dont have to travel through a central hub site on their way from point A to point B.

    IPsec VPN Use Cases IPsec VPNs often complement the MPLS VPN service at smaller sites and work well for low-speed data transfers to corporate data centers. These sites might be small satellite offices, home offices and even traveling/mobile workers at an airport or coffee shop. IPsec-enabled sites and user devices can connect to the corporate MPLS VPN using readily available, low-cost remote-access broadband connections, such as DSL, cable modem, private-line and cellular data connections.

    Which VPN? Applications for IPsec and MPLS IPsec and MPLS VPNs satisfy different site requirements but are often used together for maximum benefit.

    Brief

    AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information contained herein is not an offer, commitment, representation or warranty by AT&T and is subject to change.

  • It can be quite cost-effective to use IPsec VPN services in highly dispersed organizations with lots of small locations, such as retail chain stores, restaurants and small bank branches. Regardless of the physical wired or wireless connection type, IPsec VPNs can ultimately terminate directly at the corporate data center or at the enterprises MPLS VPN point of presence.

    Choosing the termination point depends on your network traffic patterns. If your organization is a largely hub-and-spoke configuration, with lots of small sites that need to communicate only with a data center, you might run IPsec VPNs only. If these sites might need connectivity to other corporate or extranet sites, youd likely want to connect them to a corporate MPLS VPN service, which is highly meshed in nature and dedicated to your organization (see figure).

    IPsec VPNs have a few configuration options:

    On-premises encryption with public Internet transport. The IPsec encryption can take place on-site at your enterprise location in a router or firewall. Data remains encrypted across the last mile and public Internet. This is the least expensive option from a service-fee perspective, in that you create the encrypted tunnels yourself.

    Network-based encryption with public Internet transport. This is a managed service option. Your network operator handles the encryption at your first point of presence in the WAN. Your traffic is encrypted across the public Internet but not across the last mile broadband link. This is a little more costly than the on-premises option above, in that you pay the service provider something each month to manage the encryption function; however, you offload the cost of encryption purchase and maintenance in-house.

    Both options above are less expensive than MPLS services, but, because they traverse the public Internet, the same levels of performance are not guaranteed. The IPsec VPN option below helps improve performance.

    Network-based encryption with private IP transport. This service is similar to the options previously described, except that all IPsec sites connect to a single carriers IP network (not the multi-operator public Internet). Because a single operator manages and troubleshoots the network, performance is improved.

    SummaryThere are good reasons for running both IPsec and MPLS VPNs. Very highly distributed organizations with lots of satellite offices and very little need for direct, site-to-site communications among many sites will likely want to run mostly IPsec VPNs. Larger organizations wishing to run performance-sensitive applications among many sites will likely opt for MPLS VPN services at those sites, because MPLS VPNs have fundamental traffic engineering and QoS capabilities to support optimal performance.

    Often a hybrid IPsec/MPLS VPN will be deployed, whereby satellite sites and mobile workers connect to the MPLS VPN across a public Internet connection. And in rare cases, IPsec traffic will traverse the MPLS VPN for a double layer of security. The attributes of the most commonly used VPNs are summarized in the box below.

    Which VPN? Applications for IPsec and MPLS ____________________________________________________________________________________________________ 2

    VPN Type Cost Level

    Performance Level

    Security Level

    IPsec VPN (on prem, Internet based)

    Lowest Lowest Very High

    IPsec VPN (managed service, Internet based)

    Medium Low

    Medium Low Very High

    IPsec VPN (single carriers IP network)

    Medium Medium-High Very High

    MPLS VPN Highest Highest Very High

    Public Internet

    Smartphone

    Home Office

    Small Office

    IPSec tunnels

    Headquarters

    Manufacturing

    Data Center

    RegionalOffices

    VIG

    AuthenticationServer

    Private VPN

    The Internet

    Private MPLSVPN

    Mixing and matching VPN service types

    For more information please visit www.att.com/networktransformation.

    07/08/15 AB-2703-01

    AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information contained herein is not an offer, commitment, representation or warranty by AT&T and is subject to change.

    http://www.att.com/networktransformation


MPLS VPN. MPLS/BGP VPNs Goals MPLS/BGP VPN Features Implementation Conclusions

MPLS VPN. MPLS/BGP VPNs Goals MPLS/BGP VPN Features Implementation Conclusions

Documents
VPN, MPLS, L2TP, IPsec - rti.etf.bg.ac.rs - VPN, MPLS... · VPN, MPLS, L2TP, IPsec dr Pavle ... L2, L3 • Po poverljivosti podataka – Trusted VPN – Secure VPN MPLS tehnologija

VPN, MPLS, L2TP, IPsec - rti.etf.bg.ac.rs - VPN, MPLS... · VPN, MPLS, L2TP, IPsec dr Pavle ... L2, L3 • Po poverljivosti podataka – Trusted VPN – Secure VPN MPLS tehnologija

Documents
VPN Ipsec Ubuntu

VPN Ipsec Ubuntu

Documents
Brocade 5600 vRouter IPsec Site-to-Site VPN Reference Guide… · Brocade 5600 vRouter IPsec Site-to-Site VPN ... security vpn ipsec esp-group .....101 security vpn ipsec

Brocade 5600 vRouter IPsec Site-to-Site VPN Reference Guide… · Brocade 5600 vRouter IPsec Site-to-Site VPN ... security vpn ipsec esp-group .....101 security vpn ipsec

Documents
Retele VPN Protocolul IPSec

Retele VPN Protocolul IPSec

Documents
Nist Ipsec VPN

Nist Ipsec VPN

Documents
IPSEC VPN Fundamentals

IPSEC VPN Fundamentals

Documents
Tài liệu về VPN IPSEC - Trển khai VPN có IPsec trên Windows Server

Tài liệu về VPN IPSEC - Trển khai VPN có IPsec trên Windows Server

Technology
IPSec VPN Basics

IPSec VPN Basics

Technology
Troubleshooting MPLS VPN Networks - MIK · • MPLS VPN Troubleshooting Control Plane Forwarding Plane ... Troubleshooting MPLS VPN Networks

Troubleshooting MPLS VPN Networks - MIK · • MPLS VPN Troubleshooting Control Plane Forwarding Plane ... Troubleshooting MPLS VPN Networks

Documents
IPSec VPN · IPSec VPN IPsec VPN is a common method for enabling private communication over the Internet. IPsec supports a similar client server architecture as SSL VPN. However,

IPSec VPN · IPSec VPN IPsec VPN is a common method for enabling private communication over the Internet. IPsec supports a similar client server architecture as SSL VPN. However,

Documents
VPN Ipsec Asa

VPN Ipsec Asa

Documents
Fortigate - VPN Ipsec

Fortigate - VPN Ipsec

Documents
VPN: SSL vs IPSEC

VPN: SSL vs IPSEC

Technology
MPLS and VPN Architecturesarmstrong.craig.free.fr/eBooks/Cisco/Cisco Press MPLS and VPN... · Migration of VPN Sites onto the MPLS/VPN Solution Summary A. Tag-switching and MPLS Command

MPLS and VPN Architecturesarmstrong.craig.free.fr/eBooks/Cisco/Cisco Press MPLS and VPN... · Migration of VPN Sites onto the MPLS/VPN Solution Summary A. Tag-switching and MPLS Command

Documents
hQÆRN« Q QM 9N }web.scut.edu.cn/_upload/article/files/7d/d2/3685496640d486527bd4… · PPP. Web 7.2 . GA/T 684—2007 IPSec VPN MPLS VPN Qos MPLS VPN VPN MPLS IPSec , 7.3 7.4

hQÆRN« Q QM 9N }web.scut.edu.cn/_upload/article/files/7d/d2/3685496640d486527bd4… · PPP. Web 7.2 . GA/T 684—2007 IPSec VPN MPLS VPN Qos MPLS VPN VPN MPLS IPSec , 7.3 7.4

Documents
tp VPN+IPSEC

tp VPN+IPSEC

Documents
Ipsec vpn v0.1

Ipsec vpn v0.1

Technology
IpSec VPN Design

IpSec VPN Design

Documents
VPN Types and Ipsec VPN Features Inecert.com

VPN Types and Ipsec VPN Features Inecert.com

Documents
VPN, Mpls, Ipsec

VPN, Mpls, Ipsec

Documents
Troubleshooting MPLS VPN Networks · 2019-05-03 · MPLS VPN Control Plane—MPBGP • MPLS VPN is based on RFC2547 • The whole MPLS VPN concept revolves around MP-BGP • MP-BGP

Troubleshooting MPLS VPN Networks · 2019-05-03 · MPLS VPN Control Plane—MPBGP • MPLS VPN is based on RFC2547 • The whole MPLS VPN concept revolves around MP-BGP • MP-BGP

Documents
IPSec VPN Best Practices - Oracle · 5 | IPSEC VPN BEST PRACTICES • IPSec VPN configuration: For two endpoints to establish an IPSec connection and for traffic to flow through the

IPSec VPN Best Practices - Oracle · 5 | IPSEC VPN BEST PRACTICES • IPSec VPN configuration: For two endpoints to establish an IPSec connection and for traffic to flow through the

Documents
hQÆRN« Q QM 9N }web.scut.edu.cn/_upload/article/files/2f/60/74c1adcc404196910d912… · PPP. Web 7.2 . GA/T 684—2007 IPSec VPN MPLS VPN Qos MPLS VPN VPN MPLS IPSec , 7.3 7.4

hQÆRN« Q QM 9N }web.scut.edu.cn/_upload/article/files/2f/60/74c1adcc404196910d912… · PPP. Web 7.2 . GA/T 684—2007 IPSec VPN MPLS VPN Qos MPLS VPN VPN MPLS IPSec , 7.3 7.4

Documents
VPN Mpls Ipsec Tls

VPN Mpls Ipsec Tls

Documents
IPSec VPN

IPSec VPN

Technology
VPN, MPLS, L2TP, IPsec - rti.etf.bg.ac.rsrti.etf.bg.ac.rs/rti/ir4roi/Prezentacije/02 - VPN, MPLS, IPsec.pdf · VPN, MPLS, L2TP, IPsec ... NetA, L3 NetA, L1 NetA, L4 NetA, L2 28 Na

VPN, MPLS, L2TP, IPsec - rti.etf.bg.ac.rsrti.etf.bg.ac.rs/rti/ir4roi/Prezentacije/02 - VPN, MPLS, IPsec.pdf · VPN, MPLS, L2TP, IPsec ... NetA, L3 NetA, L1 NetA, L4 NetA, L2 28 Na

Documents
08 - IPSec & VPN

08 - IPSec & VPN

Documents
Which VPN? Applications for IPsec and MPLS€¦ · _____2 VPN Type Cost . Level Performance ; Level Security ; Level IPsec VPN (on prem, Internet based) Lowest: Very High IPsec VPN

Which VPN? Applications for IPsec and MPLS€¦ · _____2 VPN Type Cost . Level Performance ; Level Security ; Level IPsec VPN (on prem, Internet based) Lowest: Very High IPsec VPN

Documents
Remote access VPN IPsec - TheGreenBo€¦ · TheGreenBowTM IPsec VPN Client Application Note Remote access VPN IPsec Accessing the MRD-3xx Indsutrial 3G router using TheGreenBow IPSec

Remote access VPN IPsec - TheGreenBo€¦ · TheGreenBowTM IPsec VPN Client Application Note Remote access VPN IPsec Accessing the MRD-3xx Indsutrial 3G router using TheGreenBow IPSec

Documents