Secure Private Cloud for Networking
Your business may be considering a move to the “cloud” for some applications and communications services. Interest in cloud computing is driven by increasing expectations for always-on, geographically dispersed businesses—accompanied by decreasing budgets and staff availability to manage an in-house network.
But what does the cloud really mean to your network design and how you deliver voice and data services to users? What factors should you consider when evaluating how to use cloud-based applications with public and private network services? How do you create the best deployment of a private or hybrid public/private network for secure cloud computing?
Before moving to a cloud, it is important to identify the activities and applications that the cloud network will need to support. For example, do you want to:
- Access external storage and computing resources or cloud-based applications?
- Perform transactions—such as working with financial databases or verifying identities?
- Support real-time monitoring, collaboration, and instant communication?
The Drawbacks of a Public (Internet-Only) Network
After identifying your cloud computing goals, consider the type of network you want. Although a public network that uses the Internet to transport all traffic may seem like an attractive choice, it involves significant trade-offs for performance and security.
Applications may not perform properly and/or bandwidth may not be available for mission-critical applications. Your network may suffer latency, jitter, and packet loss.
For performance, a public network provider using the Internet can only deliver a “best effort” priority level that applies to all traffic. This limitation exists because all Internet traffic is vulnerable to moment-by-moment congestion levels and routing path availability, which can render your applications unusable. Applications on a public network may create user frustration if the network delivers a slow response or when access is blocked because of Internet problems.
Security is another critical concern in using public networks. Private networks, MPLS in particular, are less susceptible to Denial of Service (DoS) and other attacks than networks that use the public Internet for site-to-site communications. Additionally, although anti-virus, intrusion detection, and intrusion prevention services may be available, these services are usually applied only at the customer premises, which may be too late to protect data and applications from unauthorized access, data theft, and disruption.
Together, the risk of network latency and security threats in a public network may outweigh the advantages of moving to a cloud environment in order to reduce computing costs and IT staff levels.
The Advantages of a Private MPLS-based Network for Cloud Computing
In contrast to the limitations of a public network, a private MPLS-based network offers many advantages for cloud computing. MPLS (Multi-Protocol Label Switching) has been the foundation technology for building private networks that connect two or more locations. By design, MPLS creates a fully meshed network topology with multiple paths between any two or more sites. It automatically forwards your traffic via the optimal path, ensuring that packets—which carry data, voice calls, or video streams—are delivered quickly without bottlenecks or single points of failure. This efficiency makes MPLS ideal for supporting performance-sensitive applications such as Voice over Internet Protocol (VoIP) and videoconferencing, as well as financial and enterprise resource planning (ERP) transactions. Many large enterprises, healthcare organizations, government agencies, and other companies choose MPLS because of the advantages it offers for the safety and security of their networks and data.
MPLS is both a secure and “self-healing” network that maintains multiple routes to cloud-based applications. If a private network becomes congested, the network can automatically reroute packets using another available path. In addition, Class of Service (CoS) definitions can prescribe the priority levels for certain types of packets (e.g., voice, video, and point-of-sale) throughout a private network to ensure your applications have the network resources available to function properly.
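As an added illustration (not part of the original text), the path selection and rerouting behaviour described above can be modelled with a shortest-path computation over a constructed full-mesh topology. The site names, the carrier PoP and the per-link latencies are assumptions for the example; a real MPLS network derives its label-switched paths from the carrier's routing protocols rather than from this small calculation, but the effect is the same: when the preferred link fails or becomes congested, traffic moves to the next-best path without any single link being a point of failure.

```python
import heapq
from typing import Dict, List, Optional, Tuple

# Constructed topology (hypothetical): three business sites plus one carrier
# point-of-presence (PoP) that hosts the cloud on-ramp, fully meshed.
# Edge weights are one-way latency in milliseconds, used as the routing metric.
Graph = Dict[str, Dict[str, float]]


def build_mesh() -> Graph:
    links = [
        ("HQ", "Branch1", 5.0),
        ("HQ", "Branch2", 8.0),
        ("HQ", "PoP", 4.0),
        ("Branch1", "Branch2", 6.0),
        ("Branch1", "PoP", 7.0),
        ("Branch2", "PoP", 3.0),
    ]
    graph: Graph = {}
    for a, b, cost in links:
        graph.setdefault(a, {})[b] = cost   # links are bidirectional
        graph.setdefault(b, {})[a] = cost
    return graph


def shortest_path(graph: Graph, src: str, dst: str) -> Optional[Tuple[float, List[str]]]:
    """Dijkstra over link costs. Returns (total_latency_ms, [hops]) or None if unreachable."""
    dist = {src: 0.0}
    prev: Dict[str, str] = {}
    heap = [(0.0, src)]
    visited = set()
    while heap:
        d, node = heapq.heappop(heap)
        if node in visited:
            continue
        visited.add(node)
        if node == dst:          # distance of a popped node is final
            break
        for nbr, cost in graph.get(node, {}).items():
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                prev[nbr] = node
                heapq.heappush(heap, (nd, nbr))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    path.reverse()
    return dist[dst], path


def _copy(graph: Graph) -> Graph:
    return {n: dict(nbrs) for n, nbrs in graph.items()}


def with_link_down(graph: Graph, a: str, b: str) -> Graph:
    """Copy of the graph with the a<->b link removed (simulated circuit failure)."""
    g = _copy(graph)
    g[a].pop(b, None)
    g[b].pop(a, None)
    return g


def with_congestion(graph: Graph, a: str, b: str, added_ms: float) -> Graph:
    """Copy of the graph with extra queueing delay on a<->b (simulated congestion)."""
    g = _copy(graph)
    g[a][b] += added_ms
    g[b][a] += added_ms
    return g


if __name__ == "__main__":
    mesh = build_mesh()
    print("normal:     ", shortest_path(mesh, "HQ", "PoP"))
    print("link down:  ", shortest_path(with_link_down(mesh, "HQ", "PoP"), "HQ", "PoP"))
    print("congested:  ", shortest_path(with_congestion(mesh, "HQ", "PoP", 10.0), "HQ", "PoP"))
```

With the direct HQ-to-PoP link healthy the traffic takes it (4 ms); once that link is removed, or its delay grows past the alternatives, the same computation selects the HQ-Branch2-PoP path (11 ms) instead. The `_copy` helpers leave the original graph untouched so the "before" and "after" views can be compared side by side.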
Additional security measures can protect your data if you include Internet access in your private network design. A gateway security service will check the data packets before they enter your private network, looking for intrusions, viruses, and related threats. A firewall can allow certain types of network traffic to access cloud-based applications, or it can deny external access.
A carrier’s network plays a role in your business’s cloud computing by connecting your business locations to each other and to the Internet. This means the capabilities of the carrier’s network can greatly impact the performance, reliability, and security of your cloud-based applications.
The carrier must have an all-optical MPLS core network that offers a strong foundation for a private network because the MPLS network is engineered to maximize application performance. Redundant OCx links and a fault-tolerant point-of-presence (POP) architecture maximize network uptime and reliability. In addition, the carrier must use state-of-the-art MPLS routing technology to deliver your data with exceptionally low latency and packet loss.
High Performance Traffic Shaping and Class of Service
A critical factor for the success of cloud computing is delivering high performance levels for each traffic type and application carried on the network. MPLS networks use Class of Service (CoS) tagging or labeling to shape voice, video, and data traffic, then maintain that priority across the network. This prioritization delivers the quality of service that is an important requirement for a provider’s network.
CoS rules ensure that voice calls and videos have optimal sound and playback quality. Additionally, IT managers can control bandwidth costs and network performance by using CoS to prioritize voice traffic ahead of data applications and real-time video conference streams ahead of stored video downloads. A provider extends service classes to your sites using CoS-capable equipment to mark, queue, and prioritize traffic as it travels from the site to the MPLS network. This traffic marking and prioritization ensures consistent circuit performance for important applications. The provider-edge routers also prioritize and queue these traffic flows across the MPLS network and in the return direction from the network to the site.
It is important to note that any traffic destined for the Internet cannot be prioritized once it leaves the carrier’s network, because the carrier has no control over the Internet routers. (A carrier may have its own Internet routers but cannot control the Internet routers owned or managed by other carriers.) However, critical applications that access the Internet can still benefit from priority handling within some networks while en route to the Internet.
Although most service providers support some form of CoS prioritization in their MPLS networks, not all of these offerings are alike. Some service providers support only a few CoS definitions for traffic prioritization, covering the broad categories of voice, video, and data. The most common definitions are:
- Real-time: Voice services and customer VoIP and video traffic
- Critical: Mission-critical data—such as financial transactions and credit card data transmission
- Business: Enterprise applications—such as SAP, Oracle, or video surveillance traffic
- Data: Low-priority traffic—such as Internet browsing, file transfers, and stored video downloads
The ability to create multiple CoS definitions helps you better manage traffic in a private cloud by:
- Prioritizing business-critical applications
- Controlling bandwidth allocations and avoiding the need to over-provision or dedicate circuits
- Promoting consistent, interruption-free network performance
- Preventing critical applications from failing or impacting the user experience due to network congestion
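The following is an added example, not code from the original text or from any provider: it models the site-edge marking and class-based queueing described in the two preceding sections, using the four class names above. The application-to-class table, the packet sizes and the per-tick link capacity are constructed for the example. The DSCP values are the code points such classes are commonly marked with (EF for real-time, AF31 and AF21 for critical and business, default for data), but the mapping is an assumption here; a provider's actual markings come from its CoS specification. The comparison with a plain best-effort FIFO shows why a voice packet that arrives behind a bulk transfer still leaves the circuit first when CoS is in place.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The four classes named in the text, mapped to assumed DSCP code points
# (EF=46, AF31=26, AF21=18, default=0). Higher value = served first here.
CLASS_DSCP = {"real-time": 46, "critical": 26, "business": 18, "data": 0}

# Hypothetical site-edge classification table: application -> class.
APP_CLASS = {
    "rtp": "real-time", "sip": "real-time",
    "card-auth": "critical",
    "sap": "business",
    "http-browse": "data", "ftp": "data",
}


@dataclass
class Packet:
    pid: str
    app: str
    size: int        # bytes
    dscp: int = 0    # written by the site-edge marker


def mark(pkt: Packet) -> Packet:
    """Site-edge CoS marking. Anything not explicitly classified falls into the
    lowest class, so unknown traffic can never claim priority bandwidth."""
    pkt.dscp = CLASS_DSCP[APP_CLASS.get(pkt.app, "data")]
    return pkt


def _check_sizes(packets: List[Packet], bytes_per_tick: int) -> None:
    if any(p.size > bytes_per_tick for p in packets):
        raise ValueError("packet larger than link capacity per tick")


def transmit_priority(packets: List[Packet], bytes_per_tick: int) -> Dict[str, int]:
    """Class-based queueing: one FIFO per class, served in strict DSCP order.
    Each tick the circuit can send bytes_per_tick bytes. Returns {pid: tick_sent}."""
    _check_sizes(packets, bytes_per_tick)
    queues: Dict[int, deque] = {d: deque() for d in sorted(set(CLASS_DSCP.values()), reverse=True)}
    for p in packets:
        queues[p.dscp].append(p)
    sent: Dict[str, int] = {}
    tick = 0
    while any(queues.values()):
        tick += 1
        budget = bytes_per_tick
        for dscp in queues:              # insertion order: highest DSCP first
            q = queues[dscp]
            while q and q[0].size <= budget:
                p = q.popleft()
                budget -= p.size
                sent[p.pid] = tick
            if q:                        # head of this class does not fit: link full for this tick
                break
    return sent


def transmit_fifo(packets: List[Packet], bytes_per_tick: int) -> Dict[str, int]:
    """Best-effort single queue for comparison: arrival order only, no classes."""
    _check_sizes(packets, bytes_per_tick)
    q = deque(packets)
    sent: Dict[str, int] = {}
    tick = 0
    while q:
        tick += 1
        budget = bytes_per_tick
        while q and q[0].size <= budget:
            p = q.popleft()
            budget -= p.size
            sent[p.pid] = tick
    return sent


def sample_burst() -> List[Packet]:
    """Constructed arrival sequence: a bulk transfer is already queued when a
    voice packet, a card authorization and an ERP request arrive behind it."""
    return [mark(Packet(*args)) for args in [
        ("ftp-1", "ftp", 1400), ("ftp-2", "ftp", 1400), ("ftp-3", "ftp", 1400),
        ("voice-1", "rtp", 200), ("card-1", "card-auth", 300),
        ("erp-1", "sap", 500), ("web-1", "http-browse", 1000),
    ]]


def compare(bytes_per_tick: int = 1500) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Run the same burst through the CoS scheduler and the best-effort FIFO."""
    burst = sample_burst()
    return transmit_priority(burst, bytes_per_tick), transmit_fifo(list(burst), bytes_per_tick)


if __name__ == "__main__":
    cos, fifo = compare()
    for pid in sorted(cos, key=cos.get):
        print(f"{pid:8s} CoS tick {cos[pid]}   best-effort tick {fifo[pid]}")
```

Under strict priority the voice, card-authorization and ERP packets all go out in the first tick and the bulk transfer absorbs the delay; under the best-effort FIFO the voice packet waits until tick 4 behind three full-size FTP frames, which is exactly the jitter and latency that CoS marking at the site edge is meant to prevent. A production design would add policing so that the real-time class cannot starve the others, which this strict-priority model deliberately omits.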
Protect Your Network with Managed Security Services
To protect your cloud-computing solution, carriers offer powerful, cost-effective, and fully managed security solutions that are compliant with key industry standards, such as PCI and HIPAA. These services deliver a multilayer security approach that provides holistic protection from individual and blended threats, as well as coordinated security alerting, logging, and reporting.
Carriers offer cloud-based network edge protection, as well as site-level solutions to protect your assets from external and internal threats. Security solution components—which are managed and maintained by the provider—typically include managed firewalls; intrusion prevention systems; antivirus, anti-spyware, and anti-spam software; and Web and content/URL filtering tools.
When delivered via a single platform, these components are classified as Unified Threat Management (UTM). When selecting a security solution, it is important to understand where the protection is being applied. In all scenarios, defense-in-depth is a best security practice.