<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Gilberts Telecom Blog</title>
	<atom:link href="http://davidgilberts.wordpress.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://davidgilberts.wordpress.com</link>
	<description>Telecom industry trend analysis from both a service provider and end-user perspective</description>
	<lastBuildDate>Mon, 22 Dec 2008 05:02:49 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='davidgilberts.wordpress.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://s2.wp.com/i/buttonw-com.png</url>
		<title>Gilberts Telecom Blog</title>
		<link>http://davidgilberts.wordpress.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://davidgilberts.wordpress.com/osd.xml" title="Gilberts Telecom Blog" />
	<atom:link rel='hub' href='http://davidgilberts.wordpress.com/?pushpress=hub'/>
		<item>
		<title>Why Use Managed Services in 2009?</title>
		<link>http://davidgilberts.wordpress.com/2008/12/22/why-use-managed-services-in-2009/</link>
		<comments>http://davidgilberts.wordpress.com/2008/12/22/why-use-managed-services-in-2009/#comments</comments>
		<pubDate>Mon, 22 Dec 2008 03:45:12 +0000</pubDate>
		<dc:creator>David Gilberts</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[managed services]]></category>
		<category><![CDATA[network integration]]></category>
		<category><![CDATA[outsourced IT services]]></category>

		<guid isPermaLink="false">http://davidgilberts.wordpress.com/2008/12/22/why-use-managed-services-in-2009/</guid>
		<description><![CDATA[As companies downsize their work force and operate under strict capital constraints in what will be an obviously down economy in 2009, managed services should be strongly considered as a solution. Managed Services are network services, applications, and equipment that are managed by an outsourced vendor for a business. As businesses grow, managed services make [...]]]></description>
			<content:encoded><![CDATA[<p>As companies downsize their work force and operate under strict capital constraints in what will be an obviously down economy in 2009, managed services should be strongly considered as a solution.</p>
<p>Managed Services are network services, applications, and equipment that are managed by an outsourced vendor for a business.  As businesses grow, managed services make it possible for companies to get the most out of their IT budget.</p>
<p>The current down economy is increasing the rate of adoption of managed services that provide the highest network performance possible at the lowest price possible.</p>
<p>Managed services replace investment in expensive hardware that depreciates quickly yet provide the same performance while also offering more nimbleness and freedom to try new solutions. Managed service solutions are fast, reliable and flexible network services at prices companies can afford.</p>
<p>Globalization has increased the need for managed services as organizations that need seamless network connectivity across the globe find that they cannot afford to invest in the hardware and IT staff required to manage and monitor their network in-house.  As companies find that they do not have the internal resources to deploy new technologies or to expand, manage and monitor them globally, the managed services option will become more attractive to companies that want to scale and flex with business volumes.  As an end result, companies will probably not go back to investing in their own hardware and IT staff to deploy and manage global networks.</p>
<p>In 2009, large carriers will continue to focus their resources on Fortune 100 &#8211; 500 companies, while mid-market companies will outsource their IT services on an increasing basis.  This will create a situation in which less support is provided by carriers right at the time more IT support is needed by mid-market companies.  This vast, underserved market requires the same IT solutions and customer support that our Fortune 100 customers receive, and managed services solutions for mid-market companies will be chosen by carriers&#8217; default.</p>
]]></content:encoded>
			<wfw:commentRss>http://davidgilberts.wordpress.com/2008/12/22/why-use-managed-services-in-2009/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/89da6755b6c483e8272c005239f18289?s=96&#38;d=identicon" medium="image">
			<media:title type="html">dgilberts</media:title>
		</media:content>
	</item>
		<item>
		<title>Business Wireless VoIP Showing Strong Growth</title>
		<link>http://davidgilberts.wordpress.com/2007/09/02/businesses-are-implementing-wireless-voip/</link>
		<comments>http://davidgilberts.wordpress.com/2007/09/02/businesses-are-implementing-wireless-voip/#comments</comments>
		<pubDate>Sun, 02 Sep 2007 17:31:42 +0000</pubDate>
		<dc:creator>David Gilberts</dc:creator>
				<category><![CDATA[Local Area Network (LAN)]]></category>
		<category><![CDATA[Voice over IP (VoIP)]]></category>
		<category><![CDATA[Voice over Wireless LAN (VoWLAN)]]></category>
		<category><![CDATA[Wide Area Network (WAN)]]></category>
		<category><![CDATA[Wireless Internet]]></category>
		<category><![CDATA[Wireless Local Area Network (wLAN)]]></category>
		<category><![CDATA[Wireless VoIP (wVoIP)]]></category>

		<guid isPermaLink="false">http://davidgilberts.wordpress.com/2007/09/02/businesses-are-implementing-wireless-voip/</guid>
		<description><![CDATA[Wireless VoIP (wVoIP) is the term used to describe Voice over IP (VoIP) services that operate over a wireless network. wVoIP applications are targeted at mobile professionals, employees, and students who are physically dispersed across a large physical area such as campus environments that are difficult to access and hardwire. Voice over Wireless LANs (VoWLANs) [...]]]></description>
			<content:encoded><![CDATA[<p>Wireless VoIP (wVoIP) is the term used to describe Voice over IP (VoIP) services that operate over a  wireless network.  wVoIP applications are targeted at mobile  professionals, employees, and students who are physically dispersed across a large physical area such as campus environments that are difficult to access and hardwire.<span class="a3"></span></p>
<p><span class="a3">Voice over Wireless LANs (VoWLANs) extend wired VoIP phone systems by providing mobility and converging voice with data  applications</span>.  For example, in a healthcare environment, over a VoWLAN, doctors and  nurses can be in immediate contact with each other in order to respond quickly  to patient needs.   In a retail store environment, VoWLANs make employees accessible from anywhere within the store.</p>
<p>Voice over wireless and WLAN sales to the enterprise are poised to grow  strongly in the next five years, jumping from $2 billion in 2007 to $15 billion  by 2012, according to a recent report from <a href="http://www.juniperresearch.com">Juniper Research</a> that marks a trend that has been gaining momentum for several years.</p>
<p>According to an <a href="http://www.in-stat.com">In-Stat</a> <span class="size10"></span>survey conducted in 2005, 23% of decision-maker respondents of more than 300 mid-size businesses and large-enterprises said that they had already deployed wireless VoIP and another 30% said that they were planning or evaluating the implementation of the technology within the next six to twelve months.</p>
<p>Wireless VoIP presents carriers with a lucrative new opportunity if they market the service smartly.  According to In-Stat analyst, Becky Kiercks, “It is important to remember that VoIP is a technology and not a product.  The product is telephone service, and customers don’t generally care what the underlying technology is, as long as it works.   Carriers should look at wireless VoIP as just one other manner in which to provide seamless access to customers.”</p>
]]></content:encoded>
			<wfw:commentRss>http://davidgilberts.wordpress.com/2007/09/02/businesses-are-implementing-wireless-voip/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/89da6755b6c483e8272c005239f18289?s=96&#38;d=identicon" medium="image">
			<media:title type="html">dgilberts</media:title>
		</media:content>
	</item>
		<item>
		<title>A Comparison of Basic Frame Relay and IP VPN End User Security</title>
		<link>http://davidgilberts.wordpress.com/2007/09/02/a-comparison-of-basic-frame-relay-and-ip-vpn-end-user-security/</link>
		<comments>http://davidgilberts.wordpress.com/2007/09/02/a-comparison-of-basic-frame-relay-and-ip-vpn-end-user-security/#comments</comments>
		<pubDate>Sun, 02 Sep 2007 16:59:14 +0000</pubDate>
		<dc:creator>David Gilberts</dc:creator>
				<category><![CDATA[Frame Relay]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Virtual Private Network (VPN)]]></category>

		<guid isPermaLink="false">http://davidgilberts.wordpress.com/2007/09/02/a-comparison-of-basic-frame-relay-and-ip-vpn-end-user-security/</guid>
		<description><![CDATA[As published in the Frame Relay Forum News, Autumn, 2001. By David Gilberts, Vice President, Industry Implementation Committee, Frame Relay Forum, Global Frame Relay Product Manager, Infonet. Note: This article addresses non-MPLS IP VPNs. MPLS VPNs have security features similar to Frame Relay and will be discussed in a follow-on article. Are frame relay networks [...]]]></description>
			<content:encoded><![CDATA[<blockquote><p><span style="font-size:10pt;font-family:Arial;">As published in the Frame Relay Forum News, Autumn, 2001.</span></p></blockquote>
<blockquote><p><span style="font-size:8pt;font-family:Arial;"></span><span style="font-size:8pt;font-family:Arial;">By David Gilberts, </span><span style="font-size:8pt;font-family:Arial;">Vice President, Industry Implementation Committee, Frame Relay Forum, </span><span style="font-size:8pt;font-family:Arial;">Global Frame Relay Product Manager, Infonet.</span></p></blockquote>
<blockquote><p><span style="font-size:8pt;font-family:Arial;">Note:<span>  </span>This article addresses non-MPLS IP VPNs.<span>  </span>MPLS VPNs have security features similar to Frame Relay and will be discussed in a follow-on article.</span></p></blockquote>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial;">Are frame relay networks more or less secure than Internet Protocol (IP) Virtual Private Networks (VPNs)? <span> </span>Specifically, which type of network is more secure when a user of one customer&#8217;s network attempts to gain unauthorized access to the data of another customer&#8217;s network through network access provided by the service provider?<br />
</span>
</p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial;"> Despite the &#8220;religious&#8221; reaction and confusion this question tends to generate among end users, the basic answer is: frame relay offers security to the user automatically, while the IP VPN user must take additional measures to add security.</span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial;">This article will expand that basic premise by comparing how frame relay and IP VPNs operate to protect network data. This is the first in a series of articles on frame relay security, and it is intended to provide a foundation for future discussion. Subsequent articles will consider frame relay physical security, remote access security, private IP security, MPLS security, security threats, performance, etc.</span></p>
<p class="MsoNormal"><strong><span style="font-size:10pt;font-family:Arial;">Frame Relay Security</span></strong></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial;">Frame relay is more secure than IP VPNs in creating closed user groups, which completely eliminate the threat of a user on one customer&#8217;s network using a Frame Relay Access Device (FRAD) to access another customer&#8217;s FRAD. Let&#8217;s examine the fundamentals.</span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial;">Frame relay is a data communications technology that sends information over a Wide Area Network (WAN) by dividing data into packets or frames. (See The Basic Guide to Frame Relay Networking, The Frame Relay Forum.) The frame relay protocol operates at layer 2 of the OSI model and switches packets across the network using frame addresses to determine frame destinations. FRADs send frames to other FRADs through frame relay switches, which switch each frame to the proper destination across a predefined logical path within the network. This logical path is called a Permanent Virtual Circuit (PVC). </span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial;">PVCs create fixed point-to-point &#8220;connections&#8221; between ports that are connected to FRADs. Users have access to only their own FRADs. Frame relay customers cannot establish or change PVCs by manipulating their FRADs. Only the service provider can implement PVCs. PVCs are created between Data Link Connection Identifiers (DLCIs) that act as network addresses. DLCIs are defined by the service provider and create the &#8220;permanent&#8221; part of the virtual circuit. Once established by the service provider, the customer cannot modify or cross-connect the PVC to another PVC. For example, site A can talk to sites B and C only if the DLCI of site A is mapped by the service provider to the DLCI of sites B and C.</span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial;">There is an extremely remote possibility that a bit error in a DLCI could create an incorrect circuit number. This does not pose a security risk, however, because the cyclic redundancy check (CRC) function in the frame relay protocol discards frames containing bit errors. Therefore, even if a bit error changed a DLCI so that customer data might be delivered to the wrong location, the frame relay protocol discards that information before it is delivered.</span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial;">If physical security is maintained, frame relay is arguably as secure as connecting network end points with dedicated private lines. For example, Customer A&#8217;s FRAD cannot connect to Customer B&#8217;s FRAD unless the service provider sets up a PVC between the two FRADs. Because there is no connectivity between different customers&#8217; FRADs (unless both customers want to be connected), frame relay automatically creates a closed user group that completely eliminates the threat of a user on one customer&#8217;s network using a FRAD to access another customer&#8217;s FRAD.</span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial;">Although physical security will be addressed in another article, it should be noted that physical security in frame relay and IP VPN service provider core node sites is similar. Service providers generally adhere to stringent physical security policies because they recognize that anyone with the right equipment and physical access to a switch or router can capture network data. At the network core, Frame Relay switches and IP VPN routers are usually housed in physically secure facilities accessible only to the service provider&#8217;s authorized technical staff.</span></p>
<p class="MsoNormal"><strong><span style="font-size:10pt;font-family:Arial;">IP VPN Security</span></strong></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial;">IP VPNs<sup>1</sup> are highly secure in protecting data across the network by using encryption. However, IP VPNs must take security measures not required at layer 2 to turn layer 3 &#8220;any-to-any&#8221; IP routing open user groups into closed IP VPN user groups. Let&#8217;s look at how IP VPNs work and the security measures that are necessary.</span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial;">IP VPNs may be &#8220;public&#8221; or &#8220;private.&#8221; A public IP VPN configuration uses the public Internet to establish secure connectivity. Private IP VPNs run completely on one service provider&#8217;s IP network. IP VPNs that run on private IP backbones are more secure than IP VPNs that run completely across the public Internet because private addressing schemes and access lists are used to control network access.</span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial;">IP VPNs do not have PVCs. This is a key distinction. Unlike layer 2 protocols such as frame relay that switch along predefined paths to destinations, IP VPNs must look at layer 3 packet headers to make forwarding decisions to route packets to destinations. IP VPNs operate at layer 3 of the OSI model and provide &#8220;connectionless&#8221; routing.</span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial;">&#8220;Any-to-any&#8221; describes the way in which any router can communicate with any other router across the TCP/IP protocol underlying the IP VPN that creates an open user group. The goal of an IP VPN is to carve out a &#8220;closed user group&#8221; from an IP-based open user group.</span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial;">VPNs are vulnerable to the risk of a user on one customer&#8217;s network using a router to access another customer&#8217;s router across the network because anyone who is connected to the IP VPN enjoys the connective characteristics of TCP/IP layer 3 routing. To solve this vulnerability, IP VPNs use private IP addressing, access control lists, encryption, and firewalls to maintain the privacy and integrity of data across IP VPN customer sites.</span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial;">Encryption offers a high degree of data security and privacy end-to-end across the IP VPN by:</span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial;">1. encrypting data prior to transmission,<br />
2. maintaining data encryption across the IP VPN, and<br />
3. decrypting data at its final destination.</span>
</p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial;">IP VPN packets are encrypted so that, without a decryption key, Customer B cannot decipher content encrypted by Customer A.</span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial;">IP VPNs use IPSec encryption with digital certificates to maintain the privacy and integrity of data transmitted across the IP VPN to and from Customer Premise Equipment (CPE) routers. IPSec is part of the IP protocol group. It provides two protocols called AH (Authentication Header) and ESP (Encapsulating Security Payload). The AH protects the source and destination addresses of the IP header. The ESP header allows for encryption of the data payload, protecting data privacy and integrity.</span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial;">An end-to-end IPSec &#8220;tunnel&#8221; between CPE routers encapsulates IP VPN traffic to establish a high level of security for the information transmitted and received. Digital certificates complete this security scheme using Public Key Infrastructure (PKI) and a &#8220;Certificate Authority&#8221; (CA) to automate the creation, validation and revocation of the encryption keys employed in the VPN.</span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial;">IP VPN router integrity can be strengthened by firewalls that minimize the risk of attack.<span>  </span>However, a firewall cannot completely close the entry points to a TCP/IP-based network because any router connected to that network has the potential to communicate with other routers on the network. Firewalls may be used to provide barriers to communication between routers, but the potential path between the routers exists and can be gained if a firewall fails or is defeated by a hacker.</span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial;">Regardless of the security and privacy afforded by IPSec, digital certificates, and firewalls for data across the network, every router on one customer&#8217;s IP VPN has the potential to access every other customer&#8217;s routers on the IP VPN via TCP/IP, which has many well-documented security flaws such as vulnerability to Denial of Service (DoS) attacks, firewall holes that may allow intruders to tunnel illegitimate traffic into or out of corporate networks, etc. Unlike frame relay networks, IP VPNs are inherently vulnerable to the risk of a user on one customer&#8217;s network using a router to access another customer&#8217;s router across the network. Vulnerability reports post new security threats to firewalls, routers, and other VPN equipment on a daily basis as VPNs are hacked. No similar problem exists for frame relay networks.</span></p>
<p class="MsoNormal"><strong><span style="font-size:10pt;font-family:Arial;">Bottom Line: More Security, Easier with FR</span></strong></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial;">Frame relay offers security to the user automatically, while the IP VPN user must take additional measures to add security. Inherent in its technology, frame relay creates closed user groups that completely eliminate the threat of a user on one customer&#8217;s network using a FRAD to access another customer&#8217;s FRAD. Frame relay&#8217;s predefined layer 2 PVC paths between the FRADs cannot be breached via frame relay customer access.</span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial;">IP VPNs protect data across the network by using encryption, digital certificates, and firewalls to turn layer 3 &#8220;any-to-any&#8221; IP routing open user groups into closed IP VPN user groups. These security measures not only add complexity and overhead, but they can be compromised. The bottom line is simply this: there is greater risk of an IP VPN user on one customer&#8217;s network using a router to access another customer&#8217;s router across the IP VPN network.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://davidgilberts.wordpress.com/2007/09/02/a-comparison-of-basic-frame-relay-and-ip-vpn-end-user-security/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/89da6755b6c483e8272c005239f18289?s=96&#38;d=identicon" medium="image">
			<media:title type="html">dgilberts</media:title>
		</media:content>
	</item>
	</channel>
</rss>
