Friday, December 25, 2009

Yikes, the Internet for Enterprise Services

Since the first days of using telecommunications to support an enterprise, the technical solution space has opted to maintain some semblance of a “private” network. Initially, this focused on using versions of private line communications to connect switching and routing devices owned directly by an enterprise. Over time, cost efficiencies and the need to scale helped create commercial service providers that provided additional flexibility. This enabled resource sharing and helped enterprises move away from completely dedicated services into using shared network services.

However, one of the key features of these early shared network services, for example ATM and Frame Relay, was and essentially remains that an enterprise needed dedicated access (private line service) to these networks. This is because, with some limited exceptions, service providers’ ATM and Frame Relay networks are not “peered” at the data layer with other service providers. The top two reasons for this are simple. First, customers wanted the security and performance that come from knowing exactly who switched or routed their traffic and how, and second, the service provider wanted to keep 100% control of, and 100% share of, its customers’ network needs.

These two factors continue to this day. Service providers’ IP/MPLS-based VPN services have replaced traditional ATM and Frame Relay with a much more flexible technology. However, even with the additional capabilities, the goal remained that the network would provide a service with an assured level of performance and privacy. Dedicated access (that is, private lines) is de rigueur for users of MPLS/VPN service provider networks. However, several technical and business changes are altering this perspective, and they enable and drive the use of Internet services as the basis for an enterprise network:

  • Dedicated access is expensive. The requirement for dedicated access stems from the need to maintain the end-to-end performance guaranteed by an MPLS/VPN service provider. However, since access is a significant driver of total network cost, the smallest practical link is generally used. Low rates mean that Quality of Service mechanisms are critical to ensure that voice and video services work effectively over pipes as small as T1s (1.5 Mbps). There are rays of hope in the cost of dedicated (or what appears to be dedicated) access with the rapid expansion of Ethernet service delivery, which provides access to the service provider’s network at Layer 2 (so it does not interfere with IP addressing between the customer and the MPLS/VPN network). In general, Ethernet technology means reduced cost.

  • Rapid deployment of broadband Internet services. These services are being deployed to provide Internet services, not to enable access from a customer location to another service provider’s MPLS/VPN network. The competition for Internet services between the incumbent local provider (e.g., Verizon’s FiOS, DSL) and cable companies (e.g., Cox and Comcast) has caused the deployment of broadband that delivers tens of megabits of capacity at extremely attractive prices. In fact, in many cases, these finished services cost less than just the access service (whether Ethernet, T1, DS3, OC-x, etc.) alone.

  • Simplified end-to-end security products. Enterprises that use the Internet for connectivity use encryption to ensure the confidentiality and integrity of their data. Virtually all of these solutions are based on the IPsec protocol. Unfortunately, although reasonably easy to set up for a few locations, IPsec builds point-to-point “tunnels” (security associations between pairs of gateways), which adds significant complexity once it is deployed at more than a handful of locations and a “full mesh” of connectivity (the native any-to-any connectivity provided by the underlying network) is desired: n sites need n(n-1)/2 tunnels, each with its own keys and routes. Newer products with centralized control not only provide the security of IPsec between all locations of an enterprise, but also enable control at Layer 3 (addresses) and Layer 4 (transport protocols and ports) over the data that can flow between locations on the network.

  • Lack of end-to-end Quality of Service (QoS). Overcoming this perception requires a bit of faith. With the increasing use of Voice over IP (VoIP) services replacing traditional phone services, end-to-end QoS would seem to be needed. Virtually all MPLS/VPN providers use two mechanisms for QoS. First, they ensure that their core networks have virtually zero packet loss, and second, they prioritize packets delivered from their network to a customer location. This prioritization ensures that time-critical VoIP packets are sent ahead of other packets. It is essential on the typical T1 (1.5 Mbps) MPLS/VPN customer link to get decent utilization and good voice quality, because a single 1500-byte data packet occupies a T1 for about 8 ms, and a voice packet queued behind a few of them arrives late. But if you can buy 20 Mbps or more of Internet service for the same or less than the MPLS/VPN T1, does this QoS really matter anymore? Well, tens of millions of consumer VoIP customers in the USA alone show that in practice it does not, and that the quality of the Internet has improved dramatically, with packet loss rates that look more like those of MPLS/VPN services.
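To put numbers on the QoS bullet above, here is an added simulation (my own example, not code from the post or from any vendor) of one outbound link carrying a voice stream alongside a bulk transfer, scheduled either first-in-first-out or with strict priority for voice. The traffic pattern is constructed: 200-byte voice packets (160 bytes of G.711 audio plus RTP/UDP/IP headers) every 20 ms, with a two-packet burst of 1500-byte data arriving 1 ms before each voice packet. Link rates are the post’s 1.5 Mbps T1 and a 20 Mbps broadband service; the function names are mine.

```python
"""Why packet prioritization matters on a T1 and much less on a 20 Mbps link.

Added example for this post, not the author's code or any vendor's product.
Traffic pattern, packet sizes and arrival offsets are constructed assumptions.
"""
from dataclasses import dataclass

VOICE_BYTES = 200        # 160 bytes G.711 audio + 40 bytes RTP/UDP/IP (assumed)
BULK_BYTES = 1500        # full-size data packet
VOICE_INTERVAL = 0.020   # seconds between voice packets (20 ms packetization)
VOICE_OFFSET = 0.001     # voice packet arrives 1 ms after the bulk burst before it


@dataclass(eq=False)     # identity comparison so list.remove() drops the exact packet
class Packet:
    arrival: float       # seconds
    cls: str             # "voice" or "bulk"
    size: int            # bytes


def serialization_delay(size_bytes, link_bps):
    """Seconds to clock one packet onto the wire: 1500 bytes take 8 ms on a
    1.5 Mbps T1 but 0.6 ms at 20 Mbps."""
    return size_bytes * 8 / link_bps


def offered_traffic(cycles, bulk_per_cycle):
    """Constructed load: every 20 ms a burst of bulk packets, then one voice packet 1 ms later."""
    packets = []
    for k in range(cycles):
        t = k * VOICE_INTERVAL
        packets.extend(Packet(t, "bulk", BULK_BYTES) for _ in range(bulk_per_cycle))
        packets.append(Packet(t + VOICE_OFFSET, "voice", VOICE_BYTES))
    # sorted() is stable, so bulk packets stay ahead of voice at equal arrival times
    return sorted(packets, key=lambda p: p.arrival)


def worst_voice_delay(link_bps, priority, cycles=10, bulk_per_cycle=2):
    """Run the interface scheduler and return the worst queueing delay (seconds)
    a voice packet waited before it started transmitting. priority=True is
    strict priority for voice (a packet already on the wire is never preempted);
    priority=False is plain FIFO."""
    arrivals = offered_traffic(cycles, bulk_per_cycle)
    waiting = []          # packets queued at the interface, in arrival order
    free_at = 0.0         # time the link finishes its current packet
    worst = 0.0
    i = 0
    while i < len(arrivals) or waiting:
        if not waiting:                          # link idle: jump to the next arrival
            free_at = max(free_at, arrivals[i].arrival)
        while i < len(arrivals) and arrivals[i].arrival <= free_at:
            waiting.append(arrivals[i])          # everything that arrived while busy
            i += 1
        if priority:
            pick = next((p for p in waiting if p.cls == "voice"), waiting[0])
        else:
            pick = waiting[0]
        waiting.remove(pick)
        if pick.cls == "voice":
            worst = max(worst, free_at - pick.arrival)
        free_at += serialization_delay(pick.size, link_bps)
    return worst


def compare(link_bps):
    """Worst voice queueing delay in milliseconds under FIFO and strict priority."""
    return {
        "fifo_ms": worst_voice_delay(link_bps, priority=False) * 1000,
        "priority_ms": worst_voice_delay(link_bps, priority=True) * 1000,
    }


if __name__ == "__main__":
    for name, bps in (("T1 1.5 Mbps", 1.5e6), ("broadband 20 Mbps", 20e6)):
        r = compare(bps)
        print(f"{name:18s} FIFO {r['fifo_ms']:6.2f} ms   priority {r['priority_ms']:6.2f} ms")
```

On the T1, a voice packet queued FIFO behind two data packets waits 15 ms, nearly a whole 20 ms voice interval; strict priority cuts that to the 7 ms left on the data packet already on the wire, which is the best any non-preemptive scheduler can do. At 20 Mbps the same load produces a 0.2 ms wait with or without prioritization, which is the post’s point: the bigger pipe, not the QoS machinery, is what keeps voice usable.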

What is the bottom line? The rapid deployment of low-cost, high-quality, high-capacity Internet services, combined with more flexible and easier-to-deploy-and-manage security devices, enables enterprises to create a lower-cost, higher-capability network environment. In fact, it is not uncommon for employees to remark that their Internet-based remote VPN access from home to their corporate network is better than access to corporate network resources from their office!
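Returning to the security bullet above, the two things it asks of an “easier to deploy and manage” product are a way around the n(n-1)/2 tunnel problem and a single place to say which Layer 3/Layer 4 flows may cross between sites. The following is an added illustration (my own example, not the post’s code or any vendor’s product) of both: it counts the tunnels a full mesh and a hub-and-spoke need, and evaluates a small central policy that each site’s gateway can derive its own outbound rules from. Site names, prefixes, protocols and ports are constructed.

```python
"""Tunnel counts for a full mesh versus hub-and-spoke, and a central Layer 3/4
policy from which each site's gateway derives its outbound rules.

Added example for this post, not the author's code or any vendor's product.
Sites, prefixes and the policy are constructed for illustration; a real
deployment would feed the derived rules into each gateway's IPsec selectors
or firewall.
"""
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed site inventory: site name -> LAN prefix behind its gateway.
SITES = {
    "hq": ip_network("10.1.0.0/16"),
    "dc": ip_network("10.2.0.0/16"),
    "branch1": ip_network("10.3.0.0/24"),
    "branch2": ip_network("10.4.0.0/24"),
}

# Constructed central policy, first match wins, default deny.
# (source site, destination site, protocol, destination port); "*" = any.
ANY = "*"
POLICY = [
    (ANY, "dc", "tcp", 443),             # every site may reach web apps in the data center
    (ANY, "hq", "udp", 5060),            # SIP signalling to the hosted PBX at HQ
    ("branch1", "branch2", "tcp", 445),  # one explicit branch-to-branch file share
]


def full_mesh_tunnels(sites):
    """Every pair of sites gets its own tunnel: n(n-1)/2 security associations to provision."""
    return list(combinations(sorted(sites), 2))


def hub_and_spoke_tunnels(sites, hub):
    """Only n-1 tunnels, at the cost of spoke-to-spoke traffic hairpinning through the hub."""
    return [(hub, s) for s in sorted(sites) if s != hub]


def site_of(ip):
    """Map an address to the site whose prefix contains it, or None if it is not one of ours."""
    addr = ip_address(ip)
    for name, prefix in SITES.items():
        if addr in prefix:
            return name
    return None


def permitted(src_ip, dst_ip, proto, dport):
    """Evaluate the central policy for one inter-site flow. Addresses outside
    every site prefix are refused: the policy only governs traffic between
    known locations, so an Internet-sourced packet never matches."""
    src, dst = site_of(src_ip), site_of(dst_ip)
    if src is None or dst is None:
        return False
    for s, d, p, port in POLICY:
        if s in (ANY, src) and d in (ANY, dst) and p in (ANY, proto) and port in (ANY, dport):
            return True
    return False


def rules_for_site(site):
    """The subset of the central policy one site's gateway must enforce on
    outbound traffic: this is what a single central change pushes to every location."""
    return [rule for rule in POLICY if rule[0] in (ANY, site)]


if __name__ == "__main__":
    print(f"{len(SITES)} sites: full mesh {len(full_mesh_tunnels(SITES))} tunnels, "
          f"hub-and-spoke {len(hub_and_spoke_tunnels(SITES, 'hq'))}")
    print("50 sites, full mesh:", len(full_mesh_tunnels([f"site{i}" for i in range(50)])))
    for flow in (("10.3.0.7", "10.2.0.10", "tcp", 443),
                 ("10.3.0.7", "10.4.0.5", "tcp", 445),
                 ("10.3.0.7", "10.4.0.5", "tcp", 22),
                 ("198.51.100.9", "10.2.0.10", "tcp", 443)):
        print(flow, "permit" if permitted(*flow) else "deny")
    print("branch1 gateway rules:", rules_for_site("branch1"))
```

Four sites already need six tunnels for a full mesh; fifty sites need 1,225, each with its own keys and routes, which is the scaling problem the bullet describes. The policy side is deliberately default-deny: the reverse of the branch1-to-branch2 rule is not implied, and a flow from an address outside every site prefix is refused before the rules are even consulted.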

As with all good things, this comes at a price. Using Internet services:

  • Leaves sites vulnerable to Denial of Service (DoS) attacks. Service providers have to take action to mitigate the effects, generally only after the attack begins.

  • Relies on a more complicated set of cooperating companies to provide the end-to-end service.

  • Makes service issues hard to rectify. Although a site is served by one ISP, reachability to other sites generally depends on many Internet providers, which complicates trouble resolution. In fact, the trouble may not be local at all but at the Tier 1 level of the net. The good news is that hundreds of billions of dollars of commerce and consumer services are so dependent on the Internet that problems are reported immediately and resolved as soon as possible.

  • Exposes sites to an Internet that is a target for economic blackmail for profit, so any vulnerabilities that exist could be used by network “hijackers” to extort cash from service providers, and even nations, to prevent a “crash”. Because of this, service providers and vendors are constantly working to test and improve equipment, network architecture, and operating procedures.

So, enterprises should now seriously consider:

  • Using low-cost, high-bandwidth Internet services for virtually all administrative network needs. This includes remote office email, internal resource sharing, and phone services (e.g., hosted VoIP), with security provided by encryption and control over which Layer 3 and Layer 4 resources are reachable.

  • Using more expensive private lines and MPLS/VPN services for mission-critical communications, such as communication between data centers or with mission-critical sites that have a significant impact on business operations.

From a communication service provider industry perspective, if this shift to using Internet services as the main method for enterprise networks occurs, what happens to:

  • The cost of dedicated access services when there are fewer customers to share costs?

  • The cost of MPLS/VPN services if the enterprise customers that would normally use this service turn to the Internet?