Optical VPNs: Keeping data out of harm's way

Jan. 12, 2005
By NIRAJ AGRAWAL, Pandatel -- Virtual private networks based on intelligent optical switching technologies offer outstanding security against data spies and hackers. What's more, optical VPNs operate with any data rate, protocol, or network topology.
(Figure caption) OVPNs with day-and-night switching enable users to share resources and exploit spare capacity for overnight backup. The above example shows a set-up based on Pandatel's YUMIX 4000 platforms.

Network security experts predict that by 2007, as many as nine out of 10 enterprises will have suffered some form of attack from hackers and assorted white-collar criminals intent on accessing or disabling their computer systems and data centers. Network downtime and IT malfunctions caused by such incidents can have devastating consequences for trade and industry. According to data from Mummert Consulting of Germany, for example, German enterprise data centers were out of action for 1.2 million days in 2002 as a result of attacks on IT infrastructure, causing billions of euros worth of damage.

The problem is exacerbated by the fact that many companies still use low-cost public networks like the Internet to sell their products, exchange production data between different locations, and integrate suppliers and fieldworkers into their supply chains. Such public networks offer no safety precautions whatsoever and are susceptible to hackers looking to access confidential data. To combat this weak point in their security, more and more enterprises and service providers are turning to virtual private networks (VPNs). VPNs establish secure connections between two subnetworks to transmit confidential information across a shared infrastructure. What's more, they are just as secure as dedicated private networks and can be outsourced to a service provider for a reasonable price.

So how do VPNs enable secure connections? The answer lies in the creation of virtual data tunnels to link two or more private networks over a public transport network. This virtual tunnel doesn't need to be a permanent provisioned line. Instead, data are placed in a VPN container using encryption and authentication processes. Only designated recipients can view the VPN-protected information; it is invisible to all other users of the public network. Furthermore, users don't see any of these details--from their viewpoint, the VPN connection is a simple point-to-point link.

Currently, many enterprises base their VPN infrastructure on low-cost Internet connections. This technique--known as an IP-VPN--is gaining popularity, with U.S. consultancy The Yankee Group predicting a worldwide investment of $4.5 billion in this sector by 2006.

There are several different ways to implement an IP-VPN, including dial-up VPNs (which can be set up by a client system as well as by a network) and dedicated IP-VPNs. The latter include IP tunnels, virtual circuits, and other architectures based on, for example, MultiProtocol Label Switching--though all are implemented using switching at the network layer (Layer-3 switching). Other options for implementing VPNs include fixed connections, Frame Relay, ATM, and subscriber dialing.

VPNs established within optical networks must meet the same requirements as traditional wide-area networks, including security against unauthorized access; cost-effectiveness; scalability; high levels of availability and reliability; support for numerous protocols; reuse of network resources; and bandwidth management, including the ability to offer quality-of-service (QoS) and service-level agreements (SLAs). Any VPN with these properties can provide an infrastructure for transparent data transport, while offering the advantages associated with IP-VPNs.

One special variant is the optical VPN (OVPN), a system that is based on an intelligent optical network. This relatively new architecture uses the latest optical switching technologies and integrates them with WDM, TDM, and optical cross-connect functionalities. In conjunction with sophisticated network management, an intelligent optical network opens up a range of options for network design, implementation, operation, and management. OVPNs are more secure, more flexible, and less elaborate than comparable solutions and can be set up with minimal hardware and software costs.

Established by dynamically assigning a transmission channel (wavelength) to the user, the OVPN is physically separated from the main network and is therefore safe from unauthorized access. At the same time, all of the powerful features offered by an intelligent optical network are available to OVPN users. These include the following:

Sophisticated and scalable redundancy: The combination of cross-connects and WDM allows not only fiber switching, but also channel-based switching. If a line-break occurs, for example, data can be rerouted automatically and immediately.

Protocol transparency: The large number of protocols available today can cause problems for service providers and users. Transparent systems, however, adapt easily to all protocols and can cope with changes in requirements.

A high degree of flexibility: Intelligent optical networks work on the transport level and can transmit protocols with bit-rates of between 8 Mbits/sec and 2.7 Gbits/sec. At the same time, QoS can be guaranteed.

Support for any infrastructure: Intelligent optical systems support point-to-point, point-to-multipoint, ring, and mesh topologies. This means it is possible to implement additional locations and nodes without added costs.

The simple extension of existing infrastructures: Intelligent optical networks can be integrated into any existing network structures. This simplifies the process of installing OVPNs and reduces rollout costs.

Intelligent network management: Besides element management and network management, each individual application or wavelength that is transmitted within the network can be monitored and controlled automatically.

Dynamic services: Intelligent optical networks enable service providers to offer automated services, such as time-dependent OVPNs. In this scenario, a VPN could run standard operations during the day, releasing the capacity at night for backups and other tasks. Alternatively, two customers can time-share the resource (the duration of an OVPN can range from a minute up to several years).
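The security argument above rests on one invariant: an OVPN is isolated because its wavelength on a given fiber is never shared with another tenant at the same instant, even when channels are time-shared between a day-time OVPN and a night-time backup OVPN. The following Python model is an added example, not Pandatel's code or any product's API. It leases channels to named OVPNs over time windows, audits the exclusivity invariant, and totals per-tenant channel-hours of the kind optical-layer billing would time. Fiber names, channel counts, tenant names and integer-hour times are all constructed.

```python
"""Wavelength-lease model for optical VPNs (OVPNs).

Added example, not Pandatel's code. Each OVPN holds a channel
(wavelength) on a fiber exclusively for a half-open time window; a
channel may be reused by another tenant once the window closes. The
audit checks that no two tenants ever overlap on the same fiber and
channel. Times are constructed integer hours; names are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Lease:
    """One OVPN's exclusive use of a channel on a fiber over [start, end)."""
    ovpn: str          # tenant / subnetwork, e.g. "wards"
    fiber: str         # fiber identifier
    wavelength: int    # WDM channel index on that fiber
    start: int         # hours, inclusive (constructed time unit)
    end: int           # hours, exclusive

    def overlaps(self, start: int, end: int) -> bool:
        """Half-open interval overlap test."""
        return self.start < end and start < self.end

    @property
    def hours(self) -> int:
        return self.end - self.start


class WavelengthScheduler:
    """Assigns channels to OVPNs so that channel use is exclusive in time."""

    def __init__(self, channels_per_fiber: int) -> None:
        self.channels = channels_per_fiber
        self.leases: List[Lease] = []

    def _busy(self, fiber: str, wl: int, start: int, end: int) -> List[Lease]:
        """Leases that already occupy this fiber+channel during [start, end)."""
        return [l for l in self.leases
                if l.fiber == fiber and l.wavelength == wl and l.overlaps(start, end)]

    def allocate(self, ovpn: str, fiber: str, start: int, end: int) -> Optional[Lease]:
        """Lease the lowest free channel for [start, end); None if the fiber is full."""
        if end <= start:
            raise ValueError("lease must have positive duration")
        for wl in range(self.channels):
            if not self._busy(fiber, wl, start, end):
                lease = Lease(ovpn, fiber, wl, start, end)
                self.leases.append(lease)
                return lease
        return None  # every channel is taken for some part of the window

    def tenant_at(self, fiber: str, wl: int, t: int) -> Optional[str]:
        """Which OVPN holds the channel at instant t (None if idle)."""
        holders = self._busy(fiber, wl, t, t + 1)
        return holders[0].ovpn if holders else None

    def check_isolation(self) -> bool:
        """Audit: no two different tenants overlap on the same fiber+channel."""
        for i, a in enumerate(self.leases):
            for b in self.leases[i + 1:]:
                if (a.fiber == b.fiber and a.wavelength == b.wavelength
                        and a.ovpn != b.ovpn and a.overlaps(b.start, b.end)):
                    return False
        return True

    def usage_hours(self) -> Dict[str, int]:
        """Per-tenant channel-hours, the quantity optical-layer billing would time."""
        usage: Dict[str, int] = {}
        for l in self.leases:
            usage[l.ovpn] = usage.get(l.ovpn, 0) + l.hours
        return usage


def hospital_demo() -> dict:
    """Constructed scenario: two channels on one fiber, day/night time-sharing."""
    s = WavelengthScheduler(channels_per_fiber=2)
    wards = s.allocate("wards", "fiber-A", 8, 18)         # day shift, channel 0
    research = s.allocate("research", "fiber-A", 8, 18)   # day shift, channel 1
    backup = s.allocate("backup", "fiber-A", 18, 32)      # night: reuses channel 0
    supplier = s.allocate("supplier", "fiber-A", 10, 12)  # both channels busy -> None
    return {
        "wards_wl": wards.wavelength,
        "research_wl": research.wavelength,
        "backup_wl": backup.wavelength,
        "supplier": supplier,
        "holder_noon": s.tenant_at("fiber-A", 0, 12),
        "holder_midnight": s.tenant_at("fiber-A", 0, 24),
        "isolated": s.check_isolation(),
        "usage": s.usage_hours(),
    }


if __name__ == "__main__":
    for key, value in hospital_demo().items():
        print(f"{key}: {value}")
```

The audit in `check_isolation` is the piece a practitioner would keep: a network-management system that can dump its active leases can be checked against the same pairwise rule, independently of the allocator that produced them.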

OVPNs in action
In terms of performance, the above-mentioned features enable an OVPN to dynamically reuse wavelengths in the fiber without any restrictions on protocol, services provided, and transmission speed (each channel can transmit the full bit-rate of up to 2.7 Gbits/sec or more). The optimum resource planning is determined automatically by the system. But how do they work in practice?

To consider how OVPNs function, imagine a hospital operating an intranet over an intelligent optical network. This intranet could connect the hospital's wards with its laboratories and administration facilities, as well as linking via an extranet to geographically remote research institutes and external suppliers. The network also requires a direct connection to an external computer center, where all information required for handling emergencies is stored in real time.

Data-protection laws require confidentiality on patient-related files, which means that a network carrying administrative and research information must be secure. To address this issue the hospital can set up subnetworks in the form of VPNs, to separate sensitive areas from other parts of the intranet. Such a set-up would serve all of the relevant wards and external locations with a single network, while maintaining the required privacy wherever and whenever needed. To implement an OVPN, each area is assigned its own wavelength, which is physically separated from the rest of the network and thus inaccessible to the unauthorized user. Legitimate user-access points are operated with smart cards, or similar, to realize a highly secure networking infrastructure without sacrificing flexibility.

Once the VPNs are set up, there are further issues to consider. The connection to the data center, for example, needs to be protected by a redundant link to ensure fast network restoration and uninterrupted data access in the event of a fault. This is where an intelligent optical network comes into its own: If any network links are faulty, it automatically reroutes the signals using an optical cross-connect (sometimes called a matrix switch). Threshold values set via network-management software will initiate such self-healing measures or issue warnings to prevent the disruption of data traffic.

While hospitals or enterprises can set up their own OVPNs, another option is to outsource to a service provider that will operate, support, and if necessary, extend the network. The benefit of this contracted-out approach is that the technology and personnel costs remain manageable, calculable and transparent. With an intelligent optical network at its disposal, the service provider's task is relatively straightforward--it simply assigns reserved wavelengths to each area as required. The operator can also exploit the redundancy features as a commercial advantage (for example, by offering individual security levels in the form of SLAs to protect different connections with one or more redundant lines). Data encryption is another conceivable service offering.

The interest in OVPNs from service providers is growing and not just because it is one more service to offer the customer. They also regard the technology as an opportunity to generate higher turnover from existing networks. By exploiting the allocation of dynamic services, an operator can ensure optimum use of network resources. Invoicing, meanwhile, can be dealt with automatically using billing software that monitors and times all connections at the optical layer. OVPNs also enable individual carriers with complementary network coverage to enlarge the effective range of their networks by leasing surplus capacities to and from each other. In the past, network integration created enormous technical and administrative problems, but with modern intelligent optical systems offering enhanced interoperability and provisioning, the work involved for carriers has been reduced significantly.

One common real-world example is that of a provider delivering data services to local enterprises. If this service provider requires additional bandwidth to meet the capacity requirements of its customers, it can turn to a carrier with excess transmission capacity to meet any bandwidth shortfall. The carriers' carrier sets up an OVPN for the provider by subdividing its physical-layer network into a number of virtual subnetworks with assigned access rights and resources. These subnetworks appear in the provider's administrative systems as logical extensions of its own network, while the carrier's remaining network and higher-order information remain hidden.

As soon as the bandwidth trading partners have linked their networks to each other, the operating and deployment functions between the two are implemented in a secure, jointly defined and authorized manner. The service provider has full control over resources provided via the OVPN, while the carrier is still responsible for the physical availability and maintenance of the network operation.

This scenario has several positive implications for the service provider. It not only benefits from extra network resources but can offer its customers all of the dynamic services associated with an optical network. It can extend its geographical presence cost-effectively, at both a national and international level. The carrier also gains from this business model, because it can offer any excess network capacity to other users on attractive conditions, without increasing administrative overheads. Since the provisioning process is mostly automated, the carrier can quickly set up trading partners' access to the network, largely independent of the services that it plans to deploy.

In summary, a VPN based on an intelligent optical network can offer a powerful solution--for corporate customers and service providers alike. It enables maximum security against industrial espionage and hackers, without compromising performance, and with no restrictions on either transmission speed or protocol.


Niraj Agrawal is chief technology officer at German optical networking and access systems manufacturer Pandatel.

• This article originally appeared in FibreSystems Europe in association with LIGHTWAVE Europe, November 2004, p21.
