|
Feature
Dawn of the virtual WAN
One of the factors that has pumped up the WAN market is robust
demand for VPN technology. BFSI, e-trading and logistics are expected to set
the pace for this market in 2007. By Tanu Talwar.
 VPN
technology is being adopted across the board. For years, voice, data, and just
about all software-defined network services were dubbed virtual private networks
by telephone carriers. Today’s VPN technology however, is a combination
of tunnelling, encryption, authentication and access control technologies and
services that are used to carry traffic over the Internet, a managed IP network
or a provider’s backbone.
"With network traffic chocking on account of the increasing number
of users, organisations have now started looking at the STM 1 and STM
2 links to improve performance"
- Sanjay Kharade
Principal Consultant
CISCO, India and SAARC |
The traffic reaches these backbones using any combination
of access technologies, including T1, frame relay, ISDN, ATM or simple dial-up.
VPNs use networking technology and protocols. The client sends a stream of encrypted
Point-to-Point Protocol (PPP) packets to a remote server or router instead of
going across a dedicated line (as in the case of WANs), the packets go across
a tunnel over a shared network. VPNs have the same security and encryption features
as a private network, while taking the advantage of the economies of scale and
remote accessibility of large public networks. According to Sanjay Kharade,
principal consultant, Cisco, India and SAARC, “The key aspects accounting
for the growing deployment of VPNs are increased productivity, stability, reliability,
efficient manageability, coupled with the ease of deploying this technology
across the enterprise.” KVSSS Gunneswara Rao, Director, D-Link India Ltd
adds, “VPNs bring down costs through outsourcing of support overheads.
With VPN, instead of the enterprise, it is the service provider that supports
all necessary costs in terms of manpower, and technology as telecom service
providers can spread this cost over thousands of potential customers.”
"With VPN, instead of the enterprise, it is the service
provider that supports all necessary costs in terms of manpower,
and technology"
- KVSSS Gunneswara Rao
Director
D-Link India Ltd |
The general idea behind using this method is that a company
reduces the recurring telecommunications charges that are shouldered when connecting
remote users and branch offices to resources that reside in a corporation’s
headquarters. According to Frost & Sullivan, the IP VPN (IPSec VPN) market
in India in 2005 was estimated at $151.9 million, a growth of 53.2 percent over
the previous year. Multi Protocol Label Switching (MPLS) has been driving the
IP VPN market, largely due to its ability to offer frame relay features at a
lower cost. Sourabh Khushal, industry manager-ICT Practice, Frost & Sullivan
India says, “We expect the IP VPN market to grow at 41 percent to $215
million in 2006. Between 2005 to 2011 we expect this market to grow at 21.7
percent CAGR.” He however says that traditional WAN services such as IPLS,
ATM, and FR will see marginal (two to three percent) or even negative growth.
The demand for IP VPN is largely determined by enterprises having offices at
multiple locations within and without the country. With MNCs including non-IT
manufacturing companies, setting up offshore facilities and development centre,
the need for IP VPN has gone up. BFSI, manufacturing, engineering, pharmaceuticals,
R&D centres and even SMEs are consumers of this technology. P.K. Saji, Vice
resident-Technology, Sify Ltd., says, “BFSI are looking at VPN solutions
such as MPLS to connect their ATM centres and remote branches with their data
centre. In 2007, as MPLS VPN matures, we will see more banks such as UCO, Bank
of India and Union Bank of India moving away from using private networks such
as TDM to MPLS VPNas reduces the networking costs significantly. Other verticals
that will drive the adoption of IPSec VPN are retail and logistics.”
An interesting point to note is that as per RBI’s directive,
it is mandatory for co-operative, public and private sector banks to implement
a Core Banking Solution (CBS) and offer online connectivity at remote locations.
This has also contributed to the growth of IPSec VPN. The same i the case financial
institutions and the telecom sector. “Even SMEs are competing in the global
market to sustain growth and ramp up operations ig investments are being made
in creating the backbone infrastructure and IP VPN has become the preferred
choice for e-mail, browsing, remote database access and Intranets. IP VPN implementations
can be extended by deploying MPLS technology. MPLS gives network operators the
flexibility to divert and route traffic around link failures, congestion and
bottlenecks,” says Khushal.
|
More and more companies are now
adopting WAN accelerators to boost the speed of accessing enterprise applications
and optimise bandwidth
|
As compared to the private networks, IPSec VPN supports value-added
services and facilities such as VoIP, bandwidth on demand and the like. Many
large enterprises are using a MPLS VPN network for real-time access to their
core applications such as ERP, CRM, SCM and BI.
There have been security issues with IPSec VPNs and many claim that it cannot
provide secure remote access. IPSec does not work in an extended enterprise
network, and is only good for site-to-site VPNs.
SSL and IPSec to co-exist
Some security issues raised IPSec VPN are addressed by SSL VPN and it is gaining
momentum in the market. SSL VPN works at OSI Layer 4. When a client establishes
an SSL connection handshake with a server, the server is authenticated to the
client, verifying that the server’s certificate and public ID are valid
and have been issued by a trusted certificate authority. Then the client and
server negotiate and select a cryptographic algorithm that they both support.
The client may then be authenticated to the server, and an encrypted SSL connection
can be established. An SSL VPN provides strong security for remote access and
do not require a complex client unlike IPSec. This makes it easier to install
and support, leading to cost savings. SSL is pre-installed in every major browser,
making SSL VPN a client-less solution. An IPSec VPN requires a device-specific
client installation on the remote end-user side of a secure tunnel. Keeping
these clients updated is an ongoing burden. Khushal adds, “SSL VPN will
see higher growth; a 32 percent CAGR from 2005 to 2010 compared to 20.7 percent
CAGR for IPSec VPN during the same period. Banks have started deploying it.
ISPs, BPOs and e-traders are also expected to follow suit.”
iGATE uses both IPSec and SSL VPN he latter has integrated
well with the third-party security solutions that iGATE uses and it does not
need a dedicated authentication server. The company admits there is no need
to install a client for running an SSL VPN, whereas IPSec VPN is heavily dependent
on client software, with SSL VPN there is no need to procure concurrent licences
for each and every employee—a clear return-on-investment factor. Marico
is another company that uses SSL VPN.
Large businesses are facing an issue of poor application performance and slow
connectivity on the Wide Area Network (WAN).
Pressing the pedal to the WAN metal
"Today’s WAN solutions must provide wider reach, greater application
awareness, and
acceleration to improve response times, all the while lowering the cost
of
implementation and operation"
- Nagendra Venkaswamy
Managing Director
Juniper, India and SAARC
|
Companies have long sought a way to bring down the high cost
of WAN links and clamoured for a means to access WAN resources at LAN speeds.
In order to achieve this goal, more and more companies are now adopting WAN
accelerators to boost the speed of accessing enterprise applications and optimise
bandwidth. These accelerators use a number of techniques such as compression,
application of quality of service (QoS) and chiefly work towards speeding up
transmission over a wide area network. Kharade, explains, “if an application
is chatty and requires constant usage and updation, the WAN accelerator speeds
up transmission by transferring the content required behind the scenes. For
example, Windows file sharing (CIFS protocol) is slow over a WAN. A CIFS WAN
accelerator can pre-fetch data at the server side and transfer it to the client
side so that most of the CIFS interaction takes place locally.”
However, Kharade, believes, “The industry is growing
exponentially. The WAN market has grown manifold overthe past five years and
has undergone dramatic changes in 2006. In 2005, organisations were going in
for traditional WAN links, 64 Kbps to 2 Mbps. However, with network traffic
chocking on account of the increasing number of users, organisations have now
started looking at the STM 1 and STM 2 links to improve performance.” A
network that covered about 200 to 400 sites last year, encompasses about 4,000-5,000
sites today.
In Kharade’s mind WANs owe their popularity to the accelerator market.
He says “Even though the WAN acceleration market is relatively new, it
has shown great potential over the last year. It has moved beyond the early
adopter phase into the mainstream, as enterprises understand how much the solution
can do for them and want to deploy it everywhere on the enterprise WAN.”
In 2006, enterprises experimented with this technology on a limited scale in
a handful of locations. Today they want to roll it out globally to hundreds
of branch offices to stay connected with their remote workers.
Nagendra Venkaswamy, managing director, Juniper, India and
SAARC states “Applications are demanding more from wide area networks (WANs).
Today’s WAN solutions must provide wider reach, greater application awareness,
and acceleration to improve response times, all the while lowering the cost
of implementation and operation.” The first and the foremost challenge
facing enterprises is the high price of WAN links. Even though the cost has
come down in the recent years, They’re far from inexpensive.
| Types |
Description |
Advantages |
Disadvantages |
| IPSec |
Most clients to site VPNs are based around
IPSec (IP Security). It is a suite of protocols developed by the Internet
Engineering Task Force. The objective was to support secure exchange of
packets at the IP layer |
1. In an IPSec VPN, end-points establish
secure encrypted connections using the IPSec protocol across a public IP-based
network. End-points could be a client and server, or gateway devices deployed
on the edge of the public network. By using encryption, any packets intercepted
along the way will be difficult to read.
2. IPSec VPNs can be established between any two points on a public IP network
such as the Internet.
3. IPSec VPNs can transverse geographical or service provider boundaries
and hence offer itself as the best bet for remote locations with limited
services |
1. IPSec tunnels across the public Internet
offer no service level guarantees. Therefore, it will not be suitable for
latency sensitive traffic such as voice and video.
2. There is hardly anyway to monitor application performance across the
service provider backbone since all traffic is encrypted.
3. IPSec VPNs may also become difficult to manage. Encryption requires the
management of public keys and certificates since IPSec relies on the uniqueness
of the end-station devices.
4 IPSec is difficult to deploy in environments where Network Address Translation
(NAT) is used, since NAT is designed to hide the attributes of the end-points.
In addition, the encryption process adds overhead and delay into packet
transmission. |
| Secure Sockets Layer (SSL) |
Secure Sockets layer is a protocol, which
is already imbedded in most IP stacks. It sits at the base of the application
layer; SSL has been traditionally and widely deployed for securing Web-based
applications in the form of HTTPS (or secure HTTP). |
1. Since SSL VPNs can be clientless,
the cost of deploying clients is saved.
2. Access can be granted from many types of machines (Linux, Windows 2K/XP,
Apple Mac, Palm OS, Symbian, Pocket PC). Although VPN client platforms are
available for most common operating systems, very few vendors produce these
clients in parallel (e.g. the Apple Mac and Linux clients always appear
six months behind the Windows ones).
3. Although IPSec clients can grant access across most mediums (Leased line,
DSL, Dialup, GPRS) they only offer access from the corporate desktop on
which the client is installed. SSL VPNs can be configured to allow access
from corporate build laptops, home desktops, customer or supplier desktops
or any machine in an Internet cafe.
4. SSL-based VPNs tend to communicate on the port used for Secure HTTP (TCP
port 443), which is one of the few ports allowed outbound access from any
machine in the corporate network in most environments. Even in situations
where proxy cache servers are deployed, because HTTPS traffic is encrypted,
they will normally pass this traffic un-inspected. |
1. SSL does not support all the applications
and protocols.
2. It may still need to keep IPSec to support itself of specific applications
such as IP telephony.
3. It is expensive to implement and manage.
4. It cannot enable and disable split tunnelling. |
| MPLS VPN
|
Multi Protocol Label Switching (MPLS)
is a data-carrying mechanism. It emulates some properties of a circuit-switched
network over a packet-switched network. |
1. Since MPLS-VPNs do not encrypt traffic,
it is possible to provide IP QoS
2. MPLS-VPN services also allow customers to easily build fully-meshed network.
3. MPLS-VPNs represent an easier migration for enterprises than IPSec offerings
since they do not add additional complexity to the end-points. All the complexity
can be hidden in the service provider network, just as is done today with
Frame Relay or ATM. |
1. It is concern among engineers that
IP traffic is carried unencrypted across a public IP network, however the
use of labels does provide traffic isolation.
2 MPLS-VPN services are still comparatively immature as they are based on
emerging standards.
3. MPLS deployment is comparatively the costliest among the entire pool
of VPN technologies. |
Network Congestion
Umesh Shrivastav, managing director, Accton EI-EN, India, states, “As a
company grows it becomes imperative to bring about virtualisation, ensuring
transparency across its distributed network running across locations.”
Besides these bottlenecks there are three main pain points that need to be tackled
irstly, inefficiencies that creep into the system such as low response time,
data duplication security concerns that affect customer relationship management
have to be dealt with. Secondly, service providers need to arm customers with
an efficient backup plan to avoid contingencies. And thirdly, a system to lower
cost and avoid latency for systems running on the satellite links is needed.
|
There is growing realisation amongst
enterprises about the advantages of evolving technologies such as VoIP,
video conferencing etc. The obvious result of this realisation is the
booming demand for these technologies
|
A major factor that generates traffic on the network causing
it to slow down is underestimating the load that the network will have to bear.
This results in organisations opting for lower bandwidth than they actually
need. However, as an organisation sets up more branches, the number of users
accessing the network shoots up either slowing the network to a crawl or resulting
in temporary malfunctions when usage rises suddenly at times such as taking
inventory stock or processing payroll. Kiran Bhagwanani, vice president, Apac
Sales, HCL Comnet asserts, “It’s of utmost importance that enterprises
analyse and understand their bandwidth requirement. Going for the right quantum
of bandwidth can help an organisation overcome several hurdles. Most often the
usage of the network increases when an application becomes popular.”
Network congestion only gets worse as an enterprise adds converged
technologies and applications. There is growing realisation amongst enterprises
about the advantages of evolving technologies such as VoIP, video conferencing
etc. The obvious result of this realisation is the booming demand for these
technologies. Even though enterprises opt for such solutions to enhance their
business, lack of planning renders the network inefficient. Shrivastav, says,
“Often enterprises add complex applications for enhancing productivity
without increasing the bandwidth. The percentage of bandwidth required varies
from application to application. For example voice and data may work well with
a certain bandwidth, adding video conferencing may require the network to pump
in more bandwidth to perform as desired.”
Many organisations have a priority list describing the hierarchy of different
applications. Kharade explains, “While in some organisations, voice is
given higher priority, in others video is sought after. However, the list is
decided keeping in mind the level of latency that the medium can handle.”
In order to provide full hands on experience to the customer network providers
either have to add bandwidth or provide services and solutions that accelerate
applications. Venkaswamy believes, “Adding bandwidth to the network may
not always be the right thing to do as there are many reasons causing a network
to act the way that it does. If an organisation keeps adding converged technologies
and bandwidth simultaneously, at times all the data, voice, videos and other
application may start flowing together which will not improve response time
but make things worse.” Pumping in additional bandwidth every now and then
is not as easy as it appears. Then again, there is a limit to which bandwidth
can be stretched. Kharade, opines, “Exceeding bandwidth every time a new
technology comes in to play does not make sense. Even though the option may
be successful for an SME it’s not viable for a large enterprise as it keeps
adding to operational expenditure.”
WAN acceleration is being touted as the magic bullet for this problem. With
the increase in the number of users there are two major trends emerging in the
market—link optimisation and application acceleration. Link optimisation
works on point point links that provide a single, pre-established WAN communication
path from the customer premises through a carrier network, such as a telephone
company, to a remote network. Point-to-point lines are usually leased from a
carrier and thus are often called leased lines. Link optimisation helps minimising
the traffic and can mange maximum traffic efficiently.
While link optimisation helps reduce traffic, application acceleration is a
technique used for higher level protocols. It aims to improve response time
by reducing handshakes between the data centre and branches of a company. According
to Venkaswamy, “Demand for WAN accelerators has risen over the past year.
Accelerators help increase the life of a network without reengineering it.”
|
