Wade J. Finner
Telecommunication Systems in Management IFSM 450 August 3, 2002
Frame Relay vs. Virtual Private Networks for Business WAN Applications
Pg. 1
Executive Summary
Statement of Purpose
The decision regarding the technology used in a Wide Area Network (WAN) to carry data communications among geographically dispersed locations should not be taken lightly. Issues such as cost, security, reliability and efficiency must be weighed carefully before a course of action is chosen. This paper discusses in detail two of the more prevalent WAN technologies in use today, Frame Relay and the Virtual Private Network (VPN), and the benefits and shortcomings of each. It is the author's hope that the reader will emerge with an understanding of the technology and the issues involved sufficient to decide which solution better applies to their particular situation.
Summary Conclusion
VPNs are a scalable, low-cost WAN strategy that offers significant benefits over Frame Relay in cost and speed of deployment. However, VPNs are still a developing technology, and issues such as control of performance across the Internet, remote-user security and VPN protocol interoperability must be resolved before implementation in a business environment. VPN security and reliability concerns can be addressed through proper planning and a willingness to invest in proper support of the network. The greatest concern is performance drop-off across the Internet, which is unlikely to be consistent across the various nodes of a WAN. Any VPN service contract, therefore, must include Quality of Service (QoS) guarantees and must be subject to site-to-site performance monitoring.
Topic Definition
As telecommunications technology continues to advance, more and more viable options for creating data networks become available. Not long ago, leased lines were the only way in which two remote offices could be permanently connected. With the advent of packet-switched technologies such as Frame Relay and ATM, the idea of a more cost-effective shared network solution took hold. These solutions were more cost effective, and as the technology evolved, multiple protocols, such as IP, SNA and IPX, could be carried over such a network. However, with the near-universal acceptance of IP as the Layer 3 protocol of choice, creating tunnels through the Internet by means of a Virtual Private Network has become yet another option. This option is certainly cost effective, but because of the public nature of the Internet it raises additional concerns in the areas of security and reliability.
Organizational Impacts/Issues
What is Frame Relay?
A Frame Relay network is a collection of Frame Relay switches that are interconnected using dedicated circuits. The Frame switches are used both to connect to endpoints and to connect to the rest of the Frame backbone. A Frame Relay user connects to the Frame network via a Frame Relay access line. Once the user is connected to the network, the Frame provider establishes Permanent Virtual Circuits (PVCs) that virtually connect the user's access port to the access ports of other users. Thus, if a company has three locations, each site connects to the provider's closest Frame Relay switch, and PVCs are established across the Frame Relay backbone to connect the sites together. The advantage of Frame Relay over point-to-point connections is that the PVCs of multiple customers share the backbone links, the T1s and T3s connecting the Frame switches together. Because the network resources are shared, it is less expensive to buy a virtual connection across a Frame Relay network than it is to purchase a dedicated point-to-point connection between two offices.
Frame Relay Considerations
There are several items that should be pointed out with respect to a Frame Relay network. First, Frame Relay customers can run any protocol they desire over their PVCs. This could be IP, IPX, SNA, or any other Network-layer protocol. In contrast, a basic requirement of an IP network, like the Internet, is that all parties communicate using IP.
As represented in the above diagram, two types of equipment are necessary to establish the connections that support Frame Relay: Data Terminal Equipment (DTE) and Data Circuit-terminating Equipment (DCE). DTEs are terminating equipment for a specific network and are typically located on the premises of the business end-user. Examples of DTE devices are terminals, personal computers, routers, and bridges. DCEs provide switching services within the network cloud, and the network provider usually owns them. For two locations connected to a Frame network to actually communicate, they must have a Permanent Virtual Circuit established between them. This has two consequences. First, the necessity of PVCs makes the network relatively secure. There might be many companies connected to a large Frame network, but any two connection points can only see one another if a PVC has been established between them. It should be kept in mind that this isolation is enforced by the provider's switch configuration, not by cryptography: frames cross the shared backbone unencrypted, so the customer is trusting the carrier and its staff to keep the PVCs correctly provisioned. Second, in order to fully connect the offices of a company together, it is necessary to establish a PVC from each office to every other office. The disadvantages in this case are cost, scalability, and manageability. For a small number of offices this does not pose a large problem, but as the number of offices increases the number of PVCs grows rapidly: a full mesh of n sites needs n(n-1)/2 PVCs, so 5 sites need 10 and 20 sites need 190. In order to differentiate between the different PVCs on a Frame network, each PVC is assigned a locally unique number called a Data Link Connection Identifier (DLCI). The DLCI is included in the header of each Frame Relay frame, and the Frame switch uses it to determine where a particular frame should be sent. (In contrast, in an IP network such as the Internet, routers make forwarding decisions by examining the destination IP address.) Because a DLCI is significant only on the access line where it is used, the same DLCI number may be in use on other access lines of the same switch for unrelated customers' circuits.
Measurement Terms
Two other key terms associated with Frame Relay are CIR and Be (pronounced "B-E"). CIR stands for Committed Information Rate, and refers to the amount of bandwidth that is guaranteed for a particular PVC. Be stands for Excess Burst size, and refers to additional bandwidth that may be available on a PVC above the CIR but is not guaranteed: frames sent within the excess allowance are forwarded if capacity permits but are marked discard eligible (DE), and frames beyond it are dropped at the network edge.
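The following is an added illustration, not part of the original paper, of the two mechanisms just described: the switch reading the DLCI from the two-byte Q.922 address field and rewriting it hop by hop, and the access switch policing each PVC against its CIR and Be. The PVC numbers, ports, rates and the one-second measurement interval are constructed for the example; the policer is a simplified model (a single counter reset every interval) rather than any vendor's implementation.

```python
import struct

def parse_header(frame):
    """Decode a two-byte Q.922 address: 10-bit DLCI plus C/R, FECN, BECN and DE bits."""
    b0, b1 = frame[0], frame[1]
    # EA (extended address) bit is 0 in the first byte and 1 in the last byte of the address
    if (b0 & 1) or not (b1 & 1):
        raise ValueError("only the common two-byte address format is handled here")
    dlci = ((b0 >> 2) << 4) | (b1 >> 4)
    return {"dlci": dlci, "cr": (b0 >> 1) & 1,
            "fecn": (b1 >> 3) & 1, "becn": (b1 >> 2) & 1, "de": (b1 >> 1) & 1}

def build_header(dlci, cr=0, fecn=0, becn=0, de=0):
    """Encode the two-byte address field for a given DLCI."""
    if not 0 <= dlci < 1024:
        raise ValueError("DLCI must fit in 10 bits")
    b0 = ((dlci >> 4) << 2) | (cr << 1)          # upper 6 DLCI bits, C/R, EA=0
    b1 = ((dlci & 0xF) << 4) | (fecn << 3) | (becn << 2) | (de << 1) | 1  # lower 4 bits, EA=1
    return bytes([b0, b1])

class PvcPolicer:
    """Per-PVC rate enforcement: Bc = CIR * Tc bits are committed in each interval Tc,
    up to Be further bits are forwarded marked discard eligible, anything beyond is dropped."""
    def __init__(self, cir_bps, be_bits, tc=1.0):
        self.bc, self.be, self.tc = cir_bps * tc, be_bits, tc
        self.start, self.used = None, 0

    def admit(self, nbits, now):
        if self.start is None or now - self.start >= self.tc:
            self.start, self.used = now, 0        # new measurement interval
        if self.used + nbits <= self.bc:
            self.used += nbits
            return "forward"
        if self.used + nbits <= self.bc + self.be:
            self.used += nbits
            return "forward_de"
        return "discard"

class FrameRelaySwitch:
    """Switching table keyed by (ingress port, DLCI); DLCIs are rewritten on egress
    because they are only locally significant."""
    def __init__(self):
        self.table = {}

    def add_pvc(self, in_port, in_dlci, out_port, out_dlci, cir_bps, be_bits, tc=1.0):
        self.table[(in_port, in_dlci)] = (out_port, out_dlci, PvcPolicer(cir_bps, be_bits, tc))

    def forward(self, in_port, frame, now):
        """Return (egress port, rewritten frame), or None if the frame is dropped."""
        hdr = parse_header(frame)
        entry = self.table.get((in_port, hdr["dlci"]))
        if entry is None:
            return None                           # no PVC for this DLCI on this access line
        out_port, out_dlci, policer = entry
        verdict = policer.admit(len(frame) * 8, now)
        if verdict == "discard":
            return None
        de = hdr["de"] or int(verdict == "forward_de")
        new_hdr = build_header(out_dlci, hdr["cr"], hdr["fecn"], hdr["becn"], de)
        return out_port, new_hdr + frame[2:]

def demo():
    """Constructed scenario: one customer's PVC at 64 kbit/s CIR with 16 kbit Be, 1 s Tc."""
    sw = FrameRelaySwitch()
    sw.add_pvc(in_port=1, in_dlci=100, out_port=2, out_dlci=200, cir_bps=64_000, be_bits=16_000)
    frame = build_header(100) + bytes(998)        # 1000-byte frame = 8000 bits
    verdicts = []
    for _ in range(11):                           # 11 frames in one interval: 8 in CIR, 2 in Be, 1 dropped
        out = sw.forward(1, frame, now=0.0)
        verdicts.append("drop" if out is None else ("fwd_de" if parse_header(out[1])["de"] else "fwd"))
    other_customer = sw.forward(3, frame, now=0.0)   # same DLCI on another port: no PVC, isolated
    return verdicts, other_customer

if __name__ == "__main__":
    print(demo())
```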
What is a VPN?
A VPN is a method of using the Internet to connect a group of users together in a private manner. Privacy is typically achieved through a combination of three methods: authentication, encryption, and access control. Authentication is a means of verifying identity. This can be achieved with user passwords, with a shared key that only the proper participants in a session possess, or via a trusted third party using public keys and digital certificates. Closely related is data integrity: validating that a third party somewhere along the way has not changed the data being sent between two users. Encryption is used to make any information sent across a public network unreadable by anyone other than the intended recipient. If a strong form of encryption is used, and only the intended sender and receiver of the data have the encryption key, it is possible to communicate sensitive information across a public network without worrying about an unintended recipient reading it. Access control is the concept of blocking unwanted users from gaining access to an organization's or individual's internal network. Access control is typically achieved through the use of a firewall or through access control lists on a router or other network device.
IPSec for VPN Security
In order to address security concerns on IP networks, the Internet Engineering Task Force (IETF) developed a standard known as IPSec. The IPSec protocol addresses authenticating and encrypting data traveling over an IP network. There are three pieces involved in IPSec. The first is a method for setting up an IPSec session and exchanging encryption keys, called Internet Key Exchange (IKE). IKE is also used to authenticate the identity of the participants in an IPSec session. The second piece is a method to ensure the integrity of the data being received, called the Authentication Header (AH). The AH carries a keyed hash (an HMAC computed with a key that both endpoints share, rather than a digital signature) that allows a receiving device to verify that data was not changed by a third party after it was transmitted from its source. The third and final part of IPSec is the Encapsulating Security Payload (ESP). The ESP is responsible for actually encrypting and decrypting data, and thus ensures that the data being sent is undecipherable while out on the public network. ESP makes use of encryption standards such as the Data Encryption Standard (DES) and 3DES (Triple DES). DES's 56-bit key is no longer large enough to resist a brute-force search, so 3DES, or the newer Advanced Encryption Standard (AES) published by NIST in 2001, should be selected. ESP can also carry its own integrity check, and many deployments use ESP alone rather than AH together with ESP. Thus, IPSec provides a standard method for securely communicating across any IP network through authentication and encryption. It is important to note that IPSec does not provide access control for a user's internal networks, but it does provide assurance that communications across a public network are in fact done in a private manner. As shown in the below diagram, the two sites are connected to the Internet. To ensure privacy, data is secured using IPSec. The IPSec tunnel between the sites is first built using IKE, as IKE allows each endpoint of a tunnel to authenticate the endpoint on the other side. Before the tunnel is established between Site 1 and Site 2, Site 1 must verify that it is indeed speaking with Site 2, and the reverse is true as well. Once the tunnel is established, secure communications can begin. Data sent between the sites is encrypted using the ESP, and is thus unreadable to anyone other than the intended recipient. The keys used to encrypt and decrypt the data are managed by IKE. In addition, the AH is used to validate that data has not been altered between the two sites. When Site 2 receives a data packet from Site 1, it examines the AH of the packet, and if the check shows that the data was altered by a third party, the packet is thrown away. Access control at each site is achieved through the use of a firewall, a router, or a proprietary VPN device.
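As an added example (not from the original paper or any IPSec implementation), the exchange above can be shown in code: Site 1 wraps a packet in an AH whose integrity check value (ICV) is an HMAC-SHA1 tag truncated to 96 bits, as RFC 2404 specifies, and Site 2 recomputes the ICV, discards anything altered or replayed, and still accepts a packet whose TTL a router decremented in transit because AH excludes the mutable IP fields from the hash. The shared key, the SPI, the site addresses and the payroll payload are constructed for the example; in a real deployment IKE would negotiate the key, and the anti-replay window is a simplified model.

```python
import hmac
import hashlib
import struct

# Constructed example key: in real IPsec this is negotiated by IKE, never hard-coded.
SHARED_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e1516")

AH_PROTOCOL = 51           # IP protocol number of the Authentication Header
ICV_LEN = 12               # HMAC-SHA1-96: 20-byte HMAC-SHA1 tag truncated to 96 bits (RFC 2404)
AH_FIXED_LEN = 12          # next header, payload length, reserved, SPI, sequence number
IPV4_FMT = "!BBHHHBBH4s4s"

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal IPv4 header (no options; checksum left at zero for the example)."""
    return struct.pack(IPV4_FMT, 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0, src, dst)

def immutable_ipv4(hdr):
    """Zero the fields RFC 2402 treats as mutable in transit (TOS, flags/offset, TTL, checksum),
    so a router decrementing the TTL does not invalidate the ICV."""
    ver_ihl, _tos, tlen, ident, _flags, _ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, hdr)
    return struct.pack(IPV4_FMT, ver_ihl, 0, tlen, ident, 0, 0, proto, 0, src, dst)

def ah_icv(key, ip_hdr, ah_fixed, payload):
    """ICV = HMAC over immutable IP fields + AH header with the ICV zeroed + payload, truncated."""
    data = immutable_ipv4(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(key, src, dst, spi, seq, next_header, payload, ttl=64):
    """Sender side: IPv4 header + AH (with ICV) + payload."""
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2      # AH length in 32-bit words, minus 2
    ah_fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    total_len = 20 + AH_FIXED_LEN + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, AH_PROTOCOL, total_len, ttl)
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload

class AhReceiver:
    """Receiver side: verify the ICV and reject replayed or stale sequence numbers."""
    def __init__(self, key, spi, window=64):
        self.key, self.spi, self.window = key, spi, window
        self.highest_seq = 0
        self.seen = set()                                  # simplified anti-replay window

    def verify(self, packet):
        """Return the payload if the packet is authentic and fresh, else None (packet discarded)."""
        if len(packet) < 20 + AH_FIXED_LEN + ICV_LEN:
            return None
        ip_hdr = packet[:20]
        ah_fixed = packet[20:20 + AH_FIXED_LEN]
        icv = packet[32:32 + ICV_LEN]
        payload = packet[32 + ICV_LEN:]
        _next, payload_len, _res, spi, seq = struct.unpack("!BBHII", ah_fixed)
        if spi != self.spi or payload_len != (AH_FIXED_LEN + ICV_LEN) // 4 - 2:
            return None
        if seq in self.seen or seq <= self.highest_seq - self.window:
            return None                                    # replayed or too old
        expected = ah_icv(self.key, ip_hdr, ah_fixed, payload)
        if not hmac.compare_digest(expected, icv):
            return None                                    # altered in transit or forged
        self.seen.add(seq)
        self.highest_seq = max(self.highest_seq, seq)
        return payload

def demo():
    """Site 1 sends to Site 2 across the public network; returns the four outcomes."""
    site1, site2 = bytes([10, 1, 0, 1]), bytes([10, 2, 0, 1])   # constructed addresses
    rx = AhReceiver(SHARED_KEY, spi=0x1000)
    payload = b"constructed payroll record: employee 42, salary 55000"
    p1 = build_ah_packet(SHARED_KEY, site1, site2, 0x1000, 1, 6, payload)
    accepted = rx.verify(p1)                               # genuine packet
    replayed = rx.verify(p1)                               # same packet again: rejected
    p2 = build_ah_packet(SHARED_KEY, site1, site2, 0x1000, 2, 6, payload)
    tampered = rx.verify(p2[:-5] + b"99000")               # salary changed in transit: rejected
    p3 = build_ah_packet(SHARED_KEY, site1, site2, 0x1000, 3, 6, payload)
    p3 = p3[:8] + bytes([p3[8] - 1]) + p3[9:]               # router decremented TTL: still accepted
    ttl_changed = rx.verify(p3)
    return accepted, replayed, tampered, ttl_changed

if __name__ == "__main__":
    print(demo())
```

A third party on the public network can read the payload here, which is why the paper pairs AH with ESP; AH by itself only lets Site 2 detect alteration and replay, and an attacker without the key cannot produce a valid ICV.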
What the Future Holds
Certainly, the need for high-speed, reliable, secure data communications between a business's various locations is not going to go away anytime soon. As the global information economy reaches maturity in the decades to come, the importance of intra- and inter-networking will continue to grow. The future of the two technologies discussed here is more difficult to predict. If the past decade is any indication, Frame Relay may well be obsolete in another ten years. Should VPN deliver on its promise of providing low-cost, reliable, secure communications, the need for semi-dedicated solutions such as Frame Relay could evaporate. Two large variables will be the determining factors in this equation. If VPN standards solidify and vendor products interoperate fully with one another, and if the available bandwidth on the Internet is able to stay ahead of demand, the appeal of VPNs should increase. At present the bandwidth question is an even race: as providers run thousands of miles of fiber-optic cable, the residential Internet user discovers applications, such as video and audio services, that require increased bandwidth. There is some speculation at the present time that the insolvency of certain large telecommunications providers, should it befall such behemoths as Qwest and WorldCom, could cause the overnight shutdown of large portions of the public Internet. Should this happen, businesses presently relying on the Internet would run screaming into the arms of dedicated-circuit providers, and Frame Relay would probably enjoy an extended life span as a result.
Conclusion
Frame Relay enjoys the following advantages:
Flexibility - it can support any Layer 3 protocol.
Security - the number of points at which a company connects to the Internet can be limited. A typical Frame Relay scenario uses a hub-and-spoke topology in which all the remote (spoke) offices reach the Internet via the central (hub) site, so the company can protect its entire network from access via the Internet with one firewall located at the hub site. In contrast, a VPN connects every site to the Internet, so access control must be addressed at each location.
Throughput - the Frame Relay CIR guarantees that the company will always get at least a minimum level of throughput end to end through the Frame network.
VPNs, on the other hand, offer superiority in these areas:
Connectivity - by connecting all of a company's sites to the Internet, those sites can automatically communicate directly with one another, without the need to build a PVC between each pair of sites. To communicate securely, VPN tunnels must still be built between sites, but no PVCs must be purchased, as must be done with Frame Relay.
Remote users - VPN remote users can simply dial into their local ISP and establish a VPN tunnel to a device at one of the company's VPN sites.
Cost - this, unfortunately, is often the determining factor in business telecommunications decisions. Typically, VPN costs run one-third to one-half those of Frame Relay, and the cost per office decreases with each office added.
All in all, if an organization can live without guaranteed throughput and is willing to trust the IPSec standard, VPN is the clear winner as the method best suited for a business WAN application.
References
Cisco Systems (2002). Internetworking Technology Handbook. http://www.cisco.com/univercd/home/home.htm
Gray, S. and Worley, A. (2000, April 3). WANs, Intranets and VPNs. Michigan Law Poverty Program. http://www.mplp.org/technology/wans_vpns.htm
Bibliography
Briere, D. and Heckart, C. (2000, March 27). IP-VPNs may spell end for Frame Relay. Network World. www.nwfusion.com/columnists/2000/0327briere.html
Cisco Systems (2002). Internetworking Technology Handbook. http://www.cisco.com/univercd/home/home.htm
Data Comm for Business, Inc. (2001). Frame Relay, An Overview. http://www.dcbnet.com/notes/framerly.html
Goodwins, R. (1999). What makes a VPN reliable? IT Week. http://www.zdnet.co.uk/itweek/brief/1999/08/vpn/01.html
Goulde, A. (1999). The Internet Solution for Remote Access. Patricia Seybold Group whitepaper. http://www.firstvpn.com/papers/ipass/ipass.pdf
Sweeny, T. (2000, April 3). Businesses Lock In On VPN Outsourcing Options. InformationWeek. www.informationweek.com/780/vpn.htm
Thibideau, J. (1998). The Basic Guide To Frame Relay Networking. Frame Relay Forum. http://www.frforum.com/basics.pdf