Leveraging the Net
By Kevin Fogarty | Posted 2008-03-31
American States Water and other Baseline 500 companies find that leased-line wide-area networks are sometimes more reliable and secure—and less costly—than the public cloud.
Both American States Water and Winnebago do use the Internet and VPN connections for remote user access and other common tasks. But neither wants to put its highest-priority traffic on the public network.
“We leverage the ’Net for what we need it for,” says Bentley Brunszold, senior network specialist for Winnebago. “MPLS isn’t available here, so that’s not an option, and the price of frame relay is certainly attractive. We’re researching a couple of projects that would use a more widespread VPN capability, but, unfortunately, the price for that is not attractive. So you have to weigh what you’re trying to secure from the outside with what [risk or inconvenience] you can live with.”
Security alone, despite ranking high among the criteria of most companies that run all or part of their networks on private lines, isn't enough to justify the expense of leasing circuits that are completely separate from the Internet, according to Washburn of Current Analysis. MPLS services from the major carriers can keep a company's MPLS traffic apart from its Internet traffic, giving each its own set of IP addresses and its own routing table, so that nothing in one path is reachable from, or visible to, the other. That separation is a property of how the carrier's routers forward packets, not of encryption: traffic inside the MPLS service still crosses the carrier's network in the clear unless the customer encrypts it.
“It’s almost like having two or more virtual networks within the router,” he explains. “MPLS presents very little risk, but it does leave the carrier managing the IP router tables, which doesn’t sit well with companies that want complete control over their IP networks.”
Sprint, Qwest and Verizon all maintain IP networks that are completely detached from any public network for customers that want that level of isolation. But there's another alternative that provides comparable separation at a potentially much lower cost, according to Washburn.
Virtual private LAN service (VPLS), also called carrier Ethernet, gives customers a Layer 2 connection: the carrier's equipment forwards Ethernet frames by MAC address and VLAN tag and plays no part in the customer's IP addressing or routing, so the carrier has no need to know the customer's IP addresses or anything about the layout of its network, he says.
“VPLS, which you’ll hear a lot about in the next six months, is at Layer 2 [of the Open Systems Interconnection Basic Reference Model], so the carrier can only assign MAC [Media Access Control] addresses to the hardware and can assign virtual LANs,” Washburn says. “It has no visibility into the IP layer, so the customers can layer in all the IP stuff on their own.”
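As an added illustration of the layering Washburn describes (this is example code written for this page, not anything from the article, Current Analysis or the carriers named), the following Python parses a constructed 802.1Q-tagged Ethernet frame two ways: the Layer 2 view a VPLS carrier forwards on (MAC addresses, VLAN ID, EtherType) and the IPv4 header carried in the same frame, which belongs to the customer's own Layer 3. Both views come from the same bytes, which is the caveat a practitioner should take from the quote: a Layer 2 service means the carrier does not participate in IP, not that the IP layer is hidden from it. All MAC addresses, IP addresses and the payload are made up, and the IP checksum is left at zero because nothing here verifies it.

```python
"""Split a constructed Ethernet frame into a Layer 2 view and a Layer 3 view.

Added example for this page (not the article's or any carrier's code).
The frame bytes are constructed inline; no live network is involved.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag present
ETHERTYPE_IPV4 = 0x0800


@dataclass
class L2View:
    """What a VPLS / carrier Ethernet service forwards on."""
    dst_mac: str
    src_mac: str
    vlan_id: Optional[int]   # None when the frame is untagged
    ethertype: int


@dataclass
class L3View:
    """The customer's IP layer, carried inside the same frame."""
    src_ip: str
    dst_ip: str
    protocol: int
    ttl: int


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_l2(frame: bytes) -> Tuple[L2View, bytes]:
    """Parse the Ethernet header (with optional 802.1Q tag); return view + payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    vlan_id = None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF      # low 12 bits of the TCI are the VLAN ID
        offset = 18
    return L2View(_mac(dst), _mac(src), vlan_id, ethertype), frame[offset:]


def parse_l3(payload: bytes) -> L3View:
    """Parse an IPv4 header from the Ethernet payload."""
    if len(payload) < 20:
        raise ValueError("payload shorter than an IPv4 header")
    ver_ihl = payload[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(payload) < ihl:
        raise ValueError("bad IHL")
    ttl, protocol = payload[8], payload[9]
    return L3View(_ipv4(payload[12:16]), _ipv4(payload[16:20]), protocol, ttl)


def inspect_frame(frame: bytes) -> Tuple[L2View, Optional[L3View]]:
    """Return both views; L3 is None if the frame does not carry IPv4."""
    l2, payload = parse_l2(frame)
    l3 = parse_l3(payload) if l2.ethertype == ETHERTYPE_IPV4 else None
    return l2, l3


def build_sample_frame(vlan_id: Optional[int] = 100) -> bytes:
    """Constructed frame: made-up MACs and 10.x addresses, zero IP checksum."""
    body = b"PAYLOAD!"
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(body), 0x1234, 0x4000, 64, 6, 0,
                         bytes([10, 1, 1, 10]), bytes([10, 2, 2, 20]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip_hdr + body


if __name__ == "__main__":
    l2, l3 = inspect_frame(build_sample_frame())
    print("carrier (Layer 2) view:", l2)
    print("customer (Layer 3) view, same bytes:", l3)
```

Run it and the two printed views come from one frame: the carrier's switches need only `dst_mac`, `src_mac` and `vlan_id` to deliver it, but the 10.x addresses are sitting eighteen bytes further in. If that matters, encrypt at the edge (IPsec over the VPLS, or MACsec where the carrier hands off Ethernet) rather than relying on the service's layer.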