In the Context of Cloud, Security and Mobility, It’s Time Organizations Ditch Legacy MPLS – SecurityWeek

4 minutes, 51 seconds Read

A building and an enterprise network are no different — they both need a foundation to remain stable and secure. If the underlying connectivity is too unsecure or erratic, then there’s no way a network will meet the desired availability, security and performance standards. Traditionally, organizations have relied on Multi-Protocol Label Switching (MPLS) for its reliability, security and high-speed connectivity. However, MPLS adoption is flattening after several years of showing a decline.

What’s more, even though MPLS has always been considered highly secure because it relies on private infrastructure, studies show MPLS is still vulnerable to DDoS attacks. Moreover, MPLS networks are not encrypted and therefore, any individual with physical access to the connection could potentially intercept communications.

Challenges That Modern Organizations Face With MPLS

1. MPLS was designed for a different era

MPLS was introduced in the 1990’s when networks were much simpler, and users operated from a fixed location. Corporate applications were hosted in-house and branch office traffic was backhauled to a central data center for security inspection. Today, the user location isn’t fixed, and most applications are hosted in the cloud. To secure users, applications and services, all cloud and internet traffic would have to be backhauled to a central or regional data center — an inefficient thing to do since this consumes precious MPLS capacity, eventually leading to degradation of internet and cloud performance (a.k.a. the trombone effect).

2. Installing and Maintaining MPLS Is Not Cheap

MPLS carries a hefty price tag. Setting up a new MPLS connection for every new regional office isn’t always feasible from a budgetary stance. Depending on the complexity or location of the infrastructure, MPLS deployments can take a long time (from 30 days to six months); they may require skilled resources which can prove to be a major overhead. Additionally, only a limited number of carriers can provide MPLS services. These providers have no incentive to negotiate or drive costs down. Switching MPLS carriers is usually the last option, but it can be an expensive and daunting process.

3. Service Level Agreements Are Great On Paper But Not So Great In The Real World

Advertisement. Scroll to continue reading.

Although SLAs provide some level of comfort and accountability, the reality is that enforcing penalties on missing SLA targets is always challenging. Sometimes there are exclusions baked in (for example: SLAs are limited to only specific geographical locations) to limit the scope of the penalty. Even if penalties are imposed, they won’t adequately compensate for the financial and reputational damage inflicted from a disruption in services. In addition, deploying last-mile redundancy (active-active connections with automatic failover), isn’t always affordable and feasible for small-sized branches. 

The Internet Is A Potential Replacement But Has Its Own Limitations

Mobile users can access the corporate network and cloud applications via the internet using VPNs. However, this comes at the cost of latency. Another alternative is that organizations can use Direct Internet Access (DIA) from service providers. But remember, the internet isn’t as reliable and secure when compared to MPLS and can fail to deliver a consistent user experience, especially users that need high reliability for mission-critical or loss-sensitive applications. The internet is also flawed by design: routing algorithms have no understanding or awareness of traffic flows, packet losses, jitter, latency or congestion. Moreover, service providers are known to abuse or manipulate internet routing for the sake of their own financial interests. Service providers may also intentionally transport packets over long distances or quickly get rid of unpaid packets (a.k.a. hot potato routing) just because it makes better financial sense to do so.

Converging SD-WAN And Security Makes The Perfect MPLS Replacement Recipe

Software Defined Wide Area Networking (SD-WAN) enables organizations to separate the overlay (MPLS or the internet) from the underlay (traffic routing intelligence), allowing organizations to choose the most optimal path for fastest packet delivery, enabling faster performance at reduced costs, regardless of any location. In addition, SD-WAN allows organizations to implement active/active connections with automatic failover, as well as a host of diverse routing methods, to meet or even exceed SLA commitments promised by MPLS providers.

Briefly, SD-WAN can disrupt the legacy approach of using MPLS for last mile connectivity. But SD-WAN on its own isn’t ideal. Mobile users are not supported by SD-WANs. Many IT teams are forced to layer additional security infrastructure and control mechanisms just to provide mobile users secure access to public cloud applications and WAN resources. SD-WAN helps address the last mile, but consider the middle-mile. How to overcome the challenges of an unreliable middle-mile internet service provider?

Secure Access Service Edge (SASE) is a networking architecture that converges SD-WAN with multiple security controls (i.e., firewall, IPS, endpoint security, secure web gateway, zero trust network access) into a single cloud service. It leverages the SD-WAN fabric to actively monitor connectivity conditions, dynamically choosing the optimal path, minimizing packet loss and meeting SLA goals. Mobile and fixed users are defended with a set of security protocols without the need for backhauling traffic or installing additional security hardware. Some SD-WANs provide a global private backbone with layers of redundancies across Points of Presence (POPs), nodes and servers. SD-WAN devices automatically connect to the nearest available backbone, ensuring uptime and eliminating the need for complex high availability and redundancy measures. In 2018, Gartner predicted that SD-WAN technology would eventually eliminate MPLS. Gartner made a fresh prediction claiming that by 2026, 60% of SD-WAN purchases will be part of a single-vendor SASE offering. If organizations dive deep to understand the benefits it offers over MPLS and traditional SD-WAN, then they will no doubt realize that SASE is poised to replace aging MPLS in due time.

Related: The SASE Conversation in 2022, a Resolution for the Future

Related: Vendor Survey vs Reality on SASE Implementation

RelatedGetting SASE, Without the Hyperbole

This post was originally published on the 3rd party site mentioned in the title of this this site

Similar Posts