
Frame Relay vs. Virtual Private Networks for Business WAN Applications

Wade J. Finner
Telecommunication Systems in Management IFSM 450 August 3, 2002


Executive Summary
Statement of Purpose
The decision regarding the technology used in a Wide Area Network (WAN) to facilitate data communications among geographically disparate locations should not be taken lightly. Issues such as cost, security, reliability and efficiency must be considered carefully before a course of action is decided upon. Two of the more prevalent technologies in use today for WAN applications, Frame Relay and Virtual Private Networks, and the benefits and shortcomings of each are discussed in detail in this paper. It is the author's hope that the reader will emerge with an understanding of the technology and issues involved sufficient to render a decision as to which solution better applies to their particular concern.

Definitions and Overview


Both of the technologies under consideration are packet-switched network solutions. Packet-switched technologies maintain virtual connections between two users. It appears to the end users that they are directly connected, when, in reality, the connection may go through intermediate points. This requires the purchase of equipment at each end to support the connection.

Frame Relay is a packet-switched networking protocol that works at the physical and data link layers of the network model. It enables business locations to dynamically share network resources, eliminating the need for point-to-point leased lines between locations. It does, however, require the purchase of network resources, usually in the form of a common circuit pool or network cloud. It should be noted that the Frame Relay protocol does not provide any error checking, so the connection equipment at each end must perform this.

A Virtual Private Network (VPN) is a network that uses the Internet as its Wide Area Network (WAN) backbone. In a VPN, local connections to an Internet service provider (ISP) are required, and the communication between the ISP endpoints occurs over the common Internet. Because of this, the cost is greatly reduced, but security and reliability become chief concerns when using a VPN. A VPN allows a business's intranet to be securely extended across the Internet, facilitating secure e-commerce and extranet connections.

Summary Conclusion
VPNs are a scalable, low-cost WAN strategy that offers significant benefits over Frame Relay technology in the areas of cost and deployment speed. However, VPNs are a still-developing technology, and issues such as control of performance across the Internet, remote user security and VPN protocols must be resolved for implementation in a business environment. Issues of VPN security and reliability can be resolved through proper planning and a willingness to invest in the proper support of the network. The greatest concern is performance drop-off across the Internet; performance is unlikely to be consistent across the various nodes of a WAN. Any VPN service contract, therefore, must include Quality of Service (QoS) guarantees and must be subject to site-to-site performance monitoring.


Topic Definition
As telecommunications technology continues to advance, more and more viable options for creating data networks are being made available. Not that long ago, leased lines were the only way in which two remote offices could be permanently connected together. With the advent of packet-switched technologies, such as Frame Relay and ATM, the idea of a more cost-effective Shared Network solution took hold. These solutions were more cost effective, and as the technology evolved, multiple different protocols, such as IP, SNA and IPX, could be passed over such a network. However, with the near-universal acceptance of IP as the Layer 3 protocol of choice, creating tunnels in the Internet through the use of Virtual Private Networks has become yet another option. This option is certainly cost effective, but due to the public nature of the Internet, it raises additional concerns in the areas of security and reliability.

Relationship to Information Systems


As our economy becomes increasingly information based, the importance of critical IT decisions cannot be undervalued. Selection of the correct network solutions to achieve a business's end goals is of equal or greater importance than any other single decision in the Information Technology area. In addition to the basic needs of moving information among various areas in the organization, and providing desktop connectivity for each employee, the need to move information among disparate geographical locations and to and from customer sites has evolved from a nicety to a necessity. Certainly the rise to prominence of the Internet has repositioned the importance of data communications and networking in today's business environment. A fertile mixture of high-risk ideas, stable research funding, visionary leadership, extraordinary grass-roots cooperation, and vigorous entrepreneurship led to a Global Information Infrastructure unlike anything that has ever existed.

Because of this, a decision such as which technology to use for a wide area network is of premier importance. The usual considerations of cost effectiveness must be balanced against the need for reliability, security and speed. As with any data communications decision, one must also ensure that the technology selected not only meets the organization's current needs, but that it can be easily expanded (or contracted) to meet future needs. As difficult as it is to predict the future trends in IT, it is also important that the stability and potential path to obsolescence of a given network solution be considered. The two technologies considered here are both established, and are likely to have a lifespan of at least a decade, meriting them consideration for current implementation.

Organizational Impacts/Issues
What is Frame Relay?
A Frame Relay network is a collection of Frame Relay switches that are interconnected using dedicated circuits. The Frame switches are used both to connect to endpoints, and to connect to the rest of the Frame backbone. A Frame Relay user connects to the Frame network via a Frame Relay Access Line. Once connected to the network, the Frame provider establishes Permanent Virtual Circuits (PVCs) that virtually connect the user's access port to the access port of other users. Thus, if a company has three locations, each site connects to the provider's closest Frame Relay switch, and PVCs are established across the Frame Relay backbone to connect the sites together. The advantage of Frame Relay over point-to-point connections is that the PVCs of multiple customers share the backbone links, the T1s and T3s connecting the Frame switches together. Because the network resources are shared, it is less expensive to buy a virtual connection across a Frame Relay network than it is to purchase a dedicated point-to-point connection between two offices.

Frame Relay Considerations
There are several items that should be pointed out with respect to a Frame Relay network. First, Frame Relay customers can run any protocol they desire over their PVCs. This could be IP, IPX, SNA, or any other Network layer protocol. In contrast, a basic requirement of an IP network, like the Internet, is that all parties communicate using IP.

(Diagram Copyright 2002 Cisco Systems, Inc)

As represented in the above diagram, two types of equipment are necessary to establish the connections to support Frame Relay: data terminal equipment (DTE) and data circuit-terminating equipment (DCE). DTEs are terminating equipment for a specific network and typically are located on the premises of the business end user. Examples of DTE devices are terminals, personal computers, routers, and bridges. DCEs provide switching services within the network cloud. The network provider would usually own the DCEs.

In order for two locations connected to a Frame network to actually communicate, they must have a Permanent Virtual Circuit established between them. This has two consequences. First, the necessity of PVCs makes the network relatively secure. There might be many companies connected to a large Frame network, but any two connection points can only see one another if a PVC has been established between the two of them. Second, in order to fully connect the offices of a company together, it is necessary to establish a PVC from each office to every other office. The disadvantages in this case are cost, scalability, and manageability. For a small number of offices this would not pose a large problem, but as the number of offices increases, the number of PVCs grows rapidly.

In order to differentiate between the different PVCs on a Frame network, each PVC is assigned a locally unique number called a Data Link Connection Identifier (DLCI). The DLCI is included in the header of each Frame Relay frame, and it is used by the Frame switch to determine where a particular frame should be sent. (In contrast, routers examining the destination IP address make forwarding decisions in an IP network such as the Internet.)

Measurement Terms
Two other key terms associated with Frame Relay are CIR and Be (pronounced Be E). CIR stands for the Committed Information Rate, and it refers to the amount of bandwidth that is guaranteed for a particular PVC. The term Be stands for the Excess Burst Rate, and it refers to additional bandwidth possibly available on a PVC, but not guaranteed.
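The DLCI-based forwarding described above can be sketched as follows. This is an added example, not code from the paper or from any vendor: it assumes the default 2-byte Frame Relay address field, shows frames without HDLC flags or FCS, and uses hypothetical port names and a constructed PVC table.

```python
from typing import NamedTuple, Optional, Tuple

class FrHeader(NamedTuple):
    dlci: int   # 10-bit Data Link Connection Identifier
    fecn: bool  # forward congestion notification
    becn: bool  # backward congestion notification
    de: bool    # discard eligible

def build_header(dlci: int) -> bytes:
    """Encode a 2-byte address field with all flag bits clear."""
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI must fit in 10 bits")
    return bytes([(dlci >> 4) << 2, ((dlci & 0x0F) << 4) | 0x01])

def parse_header(frame: bytes) -> FrHeader:
    """Decode the 2-byte address field at the start of a frame."""
    if len(frame) < 2:
        raise ValueError("frame shorter than the address field")
    b0, b1 = frame[0], frame[1]
    # The EA bit is 0 in the first address octet and 1 in the last one.
    if (b0 & 0x01) or not (b1 & 0x01):
        raise ValueError("not a 2-byte address field")
    dlci = ((b0 >> 2) << 4) | (b1 >> 4)
    return FrHeader(dlci, bool(b1 & 0x08), bool(b1 & 0x04), bool(b1 & 0x02))

class FrameSwitch:
    """Forwards on (ingress port, DLCI); no table entry means no PVC."""
    def __init__(self, pvc_table):
        self.pvc_table = pvc_table

    def forward(self, in_port: str, frame: bytes) -> Optional[Tuple[str, bytes]]:
        hdr = parse_header(frame)
        hop = self.pvc_table.get((in_port, hdr.dlci))
        if hop is None:
            return None  # unprovisioned DLCI: the frame is dropped
        out_port, out_dlci = hop
        # Rewrite only the DLCI bits; C/R, FECN, BECN, DE and EA are preserved.
        b0 = ((out_dlci >> 4) << 2) | (frame[0] & 0x03)
        b1 = ((out_dlci & 0x0F) << 4) | (frame[1] & 0x0F)
        return out_port, bytes([b0, b1]) + frame[2:]

# Constructed provisioning: two customers share the switch, and both use
# DLCI 100 on their own access port (DLCIs are only locally unique).
SWITCH = FrameSwitch({
    ("acme-site1", 100): ("acme-site2", 200),
    ("acme-site2", 200): ("acme-site1", 100),
    ("other-co-a", 100): ("other-co-b", 300),
})

if __name__ == "__main__":
    print(SWITCH.forward("acme-site1", build_header(100) + b"invoice"))
    print(SWITCH.forward("acme-site1", build_header(300) + b"stray"))
```

The same DLCI value on two different access ports leads to two different destinations, and a frame carrying a DLCI with no provisioned PVC on its ingress port goes nowhere, which is the isolation property the text relies on.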

What is a VPN?
A VPN is a method of using the Internet to connect a group of users together in a private manner. Privacy is typically achieved through a combination of three methods: authentication, encryption, and access control.

Authentication is a means of verifying identity. This can be achieved with user passwords, by using a shared key that only the proper participants in a session possess, or via a trusted third party using public keys and digital certificates. Authentication also involves validating that a third party somewhere along the way does not change the data being sent between two users.

Encryption is used to make any information sent across a public network unreadable by anyone other than the intended recipient. If a strong form of encryption is used, and only the intended sender and receiver of data have the encryption key, it is possible to communicate sensitive information across a public network without worrying about an unintended recipient reading the data.

Access control is the concept of blocking unwanted users from gaining access to an organization's or individual's internal network. Access control is typically achieved through the use of a firewall or through the use of access control lists on a router or other network device.

IPSec for VPN Security
In order to address security concerns on IP networks, the Internet Engineering Task Force (IETF) developed a standard known as IPSec. The IPSec protocol addresses authenticating and encrypting data traveling over an IP network. There are three pieces involved in IPSec. The first is a method for setting up an IPSec session and exchanging encryption keys, called Internet Key Exchange (IKE). IKE is also used to authenticate the identity of the participants in an IPSec session. The second piece is a method to ensure the integrity of data being received, called the Authentication Header (AH). The AH uses hashes and digital signatures that allow a receiving device to verify that data was not changed by a third party after it was transmitted from its source. The third and final part of IPSec is the Encapsulating Security Payload (ESP). The ESP is responsible for actually encrypting and decrypting data, and thus assures that the data being sent is undecipherable while out on the public network. The ESP makes use of encryption standards such as the Data Encryption Standard (DES) and 3DES (called Triple DES).

Thus, IPSec provides a standard method for securely communicating across any IP network through authentication and encryption. It is important to note that IPSec does not provide access control for a user's internal networks, but it does provide assurance that communications across a public network are in fact done in a private manner.

As shown in the diagram below, the two sites are connected to the Internet. To ensure privacy, data is secured using IPSec. The IPSec tunnel between the sites is first built using IKE, as IKE allows each endpoint of a tunnel to authenticate the tunnel endpoint on the other side. Before the tunnel is established between Site 1 and Site 2, Site 1 must verify that it is indeed speaking with Site 2, and the reverse is true as well. Once the tunnels are established, secure communications can begin. Data sent between the sites is encrypted using the ESP, and is thus unreadable to anyone other than the intended recipient. The keys used to encrypt and decrypt the data are managed by IKE. In addition, the AH is used to validate that data has not been altered between the two sites. When Site 2 receives a data packet from Site 1, it examines the AH of the packet, and if it appears that the data was altered by a third party, the packet is thrown away. Access control at each site is achieved through the use of a firewall, router, or through a proprietary VPN device.

(Diagram Copyright 2000 Michigan Poverty Law Program)
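The receive-side check described above, where Site 2 throws away a packet whose AH does not verify, can be sketched as follows. This is an added example, not code from the paper or from any IPSec implementation: it is a simplified AH-style layout (SPI, sequence number, truncated HMAC-SHA-256 value, payload) that leaves out the IP header fields a real AH also covers, it assumes the key was already agreed by IKE, and it goes slightly beyond the text by also rejecting replayed sequence numbers. The SPI value and key are constructed.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16   # integrity check value: HMAC-SHA-256 truncated to 128 bits
WINDOW = 64    # how far behind the newest sequence number is still accepted
MASK = (1 << WINDOW) - 1

def protect(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: prepend SPI and sequence number, then the keyed hash."""
    hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(key, hdr + payload, hashlib.sha256).digest()[:ICV_LEN]
    return hdr + icv + payload

class Receiver:
    def __init__(self, sa_keys):
        self.sa_keys = sa_keys  # {spi: key}; assumed to come from IKE
        self.top = {}           # newest accepted sequence number per SPI
        self.seen = {}          # bitmap, bit k set = (top - k) was accepted

    def accept(self, packet: bytes):
        """Return the payload, or None if the packet must be discarded."""
        if len(packet) < 8 + ICV_LEN:
            return None
        spi, seq = struct.unpack("!II", packet[:8])
        key = self.sa_keys.get(spi)
        if key is None or seq == 0:
            return None  # no security association for this SPI
        top, bitmap = self.top.get(spi, 0), self.seen.get(spi, 0)
        if seq <= top and (top - seq >= WINDOW or (bitmap >> (top - seq)) & 1):
            return None  # too old, or already accepted once (replay)
        icv, payload = packet[8:8 + ICV_LEN], packet[8 + ICV_LEN:]
        want = hmac.new(key, packet[:8] + payload, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, want):
            return None  # altered in transit, or sent without the key
        # The replay window moves only after the packet has authenticated.
        if seq > top:
            shift = seq - top
            bitmap = 1 if shift >= WINDOW else ((bitmap << shift) | 1) & MASK
            self.top[spi] = seq
        else:
            bitmap |= 1 << (top - seq)
        self.seen[spi] = bitmap
        return payload

if __name__ == "__main__":
    key = bytes(range(32))                 # constructed key, not a real one
    site2 = Receiver({0x1001: key})
    pkt = protect(key, 0x1001, 1, b"payroll batch")
    altered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    print(site2.accept(altered), site2.accept(pkt), site2.accept(pkt))
```

Because the window is updated only after the hash verifies, an altered copy of a packet cannot cause the genuine one to be rejected as a replay.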

What The Future Holds
Certainly, the need for high-speed, reliable, secure data communications between a business's various locations is not going to go away anytime soon. As the Global Information economy reaches maturity in the decades to come, the importance of intra- and inter-networking will continue to grow. The future of the two technologies discussed here is more difficult to predict. If the past decade is any indication, Frame Relay may well be obsolete in another ten years. Should VPN deliver on its promise of providing low-cost, reliable, secure communications, the need for semi-dedicated solutions such as Frame Relay could evaporate.

Two large variables will be determining factors in this equation. If VPN standards solidify and vendor products interoperate fully with one another, and if the available bandwidth on the Internet is able to stay ahead of the demand, the appeal of VPNs should increase. At present, the bandwidth question is an even race: as providers run thousands of miles of fiber-optic cable, residential Internet users discover applications, such as video and audio services, that require increased bandwidth. There is some speculation at the present time that the insolvency of certain large telecommunications providers, should it occur to such behemoths as Qwest and WorldCom, could cause the overnight shutdown of large portions of the public Internet. Should this happen, businesses presently relying on the Internet would run screaming into the arms of dedicated circuit providers, and Frame Relay would probably enjoy an extended life span as a result.

Conclusion

Frame Relay enjoys the following advantages:

Flexibility - it can support any Layer 3 protocol.

Security - it is possible to limit the number of points at which a company connects to the Internet. A typical Frame Relay scenario involves a hub-and-spoke topology where all the remote (spoke) offices access the Internet via the central (hub) site. With this scenario the company is able to protect its entire network from access via the Internet by using one firewall located at the hub site. In contrast, a VPN connects all sites to the Internet, meaning that access control needs to be addressed at each location.

Throughput - Frame Relay CIR allows a company to guarantee that it will always get at least a minimum level of throughput end to end through the Frame network.

VPNs, on the other hand, offer superiority in these areas:

Connectivity - By connecting all of a company's sites to the Internet, those sites automatically can all communicate directly with each other, without the need to build a PVC between each of the sites. To communicate securely, VPN tunnels must be built between each site, but no PVCs must be purchased, as must be done with Frame Relay.

Remote users - VPN remote users can simply dial into their local ISP and establish a VPN tunnel to a device at one of the company's VPN sites.

Cost - This, unfortunately, is often the determining factor in business telecommunications decisions. Typically, VPN costs run one-third to one-half that of Frame Relay, and the cost per office decreases with each office added.

All in all, if an organization can live without guaranteed throughput, and is willing to trust the IPSec standard, VPN is the clear winner in the decision as to which method is best suited for a business WAN application.

References

Cisco Systems Internetworking Technology Handbook, 2002, http://www.cisco.com/univercd/home/home.htm

WANs, Intranets and VPNs. Gray, S and Worley, A. Michigan Law Poverty Program, April 3, 2000. http://www.mplp.org/technology/wans_vpns.htm

Bibliography

Data Comm for Business, Inc. (2001), Frame Relay, An Overview, http://www.dcbnet.com/notes/framerly.html

Briere, D., Heckart, C. (2000), IP-VPNs may spell end for Frame Relay, Network World, 03/27/200, www.nwfusion.com/columnists/2000/0327briere.html

Cisco Systems Internetworking Technology Handbook, 2002, http://www.cisco.com/univercd/home/home.htm

Goodwins, R. (1999), What makes a VPN reliable?, IT Week, http://www.zdnet.co.uk/itweek/brief/1999/08/vpn/01.html

Goulde, A. (1999), The Internet Solution for Remote Access, Patricia Seybold Group Whitepaper, http://www.firstvpn.com/papers/ipass/ipass.pdf

Sweeny, T. (2000), Businesses Lock In On VPN Outsourcing Options, www.informationweek.com/780/vpn.htm, 04/03/2000

Thibideau, J. (1998), The Basic Guide To Frame Relay Networking, Frame Relay Forum, http://www.frforum.com/basics.pdf