IPSec vs. MPLS VPNs

A debate at the Next Generation Networks conference in Boston earlier this month pitted IPSec (Internet Protocol Security) VPNs (virtual private networks) based on equipment placed at each network site against network-based Multi-protocol Label Switching (MPLS) VPNs that sort traffic into discrete customer streams within a service provider’s network.

Neither technology won the debate, but the discussion did reveal strengths and weaknesses of each. These results can prove useful to anyone trying to sort through wide area networking choices.

An IPSec VPN is one that creates encrypted IP tunnels from site to site across a public network. A Multi-protocol Label Switching (MPLS) VPN service assigns each corporate user its own IP space and moves traffic along Layer 2 MPLS flows. Both enable users to create fully meshed networks for less than it would cost to set up private line, frame relay or ATM (Asynchronous Transfer Mode) networks. Some carriers claim they could cut the cost in half.

IPSec VPNs offer several benefits. They require each site to have devices that authenticate users and encrypt and decrypt traffic, which makes these VPNs very secure. Any changes users make to lists of authorized users or security policies take effect immediately because users control all the equipment. They are well suited to supporting remote access for mobile users who may be calling in over insecure networks. Sites can tie into the VPN over plain old Internet access links, which are relatively inexpensive.

The downside is that they require an initial capital outlay for equipment at each site, and they require ongoing management, monitoring and maintenance. Part of this continuing effort includes managing keys that are used to encrypt traffic. As these networks grow, they require more work to manage unless the gear comes with tools to automate policy distribution.

Encapsulating VPN traffic using this method increases packet-header size, and can increase the size of some packets making them so large that they must be fragmented. This can slow down traffic.

But network-based VPNs do have advantages, as well. They require no new network gear as long as each site already has a WAN (wide area network) router, so there is no initial capital outlay.

Network-based services are well suited for multiprotocol traffic because non-IP traffic is readily converted by customer routers. These services can support frame relay, ATM and even Ethernet access lines, as well.

The service provider configures and manages, monitors and maintains the network. The downside of that is these services cost more per month than simple Internet access. Also, users have to wait for the service provider to make any additions or changes to user lists.

As you can see there is no hands-down winner, but knowing these pluses and minuses can help you make a choice.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now