In the Context of Cloud, Security and Mobility, It’s Time Organizations Ditch Legacy MPLS

If organizations understand the benefits SASE offers over MPLS and traditional SD-WAN, they will realize that SASE is poised to replace aging MPLS in due time.

A building and an enterprise network are no different: both need a foundation to remain stable and secure. If the underlying connectivity is insecure or erratic, the network will never meet the desired availability, security and performance standards. Traditionally, organizations have relied on Multi-Protocol Label Switching (MPLS) for its reliability, security and high-speed connectivity. However, MPLS adoption is flattening after several years of decline.

What’s more, even though MPLS has always been considered highly secure because it runs over a provider’s private infrastructure, studies show MPLS is still exposed to DDoS attacks. Moreover, MPLS provides traffic separation, not confidentiality: labels keep one customer’s traffic apart from another’s, but the payload itself travels in the clear. Any individual with physical access to the circuit, or to provider equipment along its path, could potentially intercept communications unless the customer adds its own encryption (for example, IPsec tunnels over the MPLS links).

Challenges That Modern Organizations Face With MPLS

1. MPLS was designed for a different era

MPLS was introduced in the 1990s, when networks were much simpler and users worked from fixed locations. Corporate applications were hosted in-house, and branch office traffic was backhauled to a central data center for security inspection. Today the user’s location isn’t fixed, and most applications are hosted in the cloud. To secure users, applications and services under this model, all cloud and internet traffic has to be backhauled to a central or regional data center and then sent back out to the internet. This is inefficient: it consumes precious MPLS capacity and adds a round trip to every cloud request, degrading internet and cloud performance (a.k.a. the trombone effect).

2. Installing and Maintaining MPLS Is Not Cheap

MPLS carries a hefty price tag. Setting up a new MPLS connection for every new regional office isn’t always feasible from a budgetary standpoint. Depending on the complexity or location of the infrastructure, MPLS deployments can take a long time (from 30 days to six months), and they may require skilled staff, which can prove to be a major overhead. Additionally, only a limited number of carriers can provide MPLS services, and these providers have little incentive to negotiate or drive costs down. Switching MPLS carriers is usually the last resort, and it can be an expensive and daunting process.

3. Service Level Agreements Are Great On Paper But Not So Great In The Real World


Although SLAs provide some level of comfort and accountability, the reality is that enforcing penalties for missed SLA targets is always challenging. Sometimes exclusions are baked in (for example, the SLA applies only to specific geographical locations) to limit the scope of the penalty. Even when penalties are imposed, they won’t adequately compensate for the financial and reputational damage inflicted by a service disruption. In addition, deploying last-mile redundancy (active-active connections with automatic failover) isn’t always affordable or feasible for small branches.

The Internet Is A Potential Replacement But Has Its Own Limitations

Mobile users can access the corporate network and cloud applications over the internet using VPNs. However, this comes at the cost of latency. Another alternative is for organizations to use Direct Internet Access (DIA) from service providers. But remember, the internet isn’t as reliable or secure as MPLS and can fail to deliver a consistent user experience, especially for users who need high reliability for mission-critical or loss-sensitive applications. The internet is also flawed by design: its routing (BGP) selects paths by policy and path length, with no awareness of traffic flows, packet loss, jitter, latency or congestion. Moreover, service providers are known to manipulate internet routing in their own financial interest. A provider may carry packets over a longer route, or hand transit traffic off to a neighboring network at the nearest exit point rather than carrying it further on its own infrastructure (a.k.a. hot-potato routing), simply because it makes better financial sense to do so.

Converging SD-WAN And Security Makes The Perfect MPLS Replacement Recipe

Software Defined Wide Area Networking (SD-WAN) separates the overlay (the virtual network and its traffic-routing intelligence) from the underlay (the physical transports, whether MPLS or the internet). By continuously measuring each transport and steering every application class over the most suitable path, it delivers faster performance at reduced cost, regardless of location. In addition, SD-WAN allows organizations to implement active/active connections with automatic failover, as well as a host of diverse routing methods, to meet or even exceed the SLA commitments promised by MPLS providers.
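The path-selection logic the paragraph above describes, as an added example that is not code from the original column or from any SD-WAN vendor: an edge device probes each underlay (MPLS, broadband DIA, LTE), derives latency, jitter and loss for the last probe window, and steers each application class to the cheapest transport that meets its SLA, failing over when a path browns out and avoiding flapping once it recovers. The SLA classes, cost weights and all probe samples are constructed for illustration.

```python
"""Application-aware WAN path selection over several underlays (added example)."""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LinkStats:
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    cost: int            # relative transport cost; lower is preferred when the SLA is met
    up: bool = True


@dataclass(frozen=True)
class AppSla:
    name: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


# Hypothetical application classes; the thresholds are illustrative, not a standard.
VOICE = AppSla("voice", max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0)
BULK = AppSla("bulk", max_latency_ms=500, max_jitter_ms=100, max_loss_pct=5.0)


def stats_from_probes(name: str, rtts_ms: List[float], sent: int, cost: int) -> LinkStats:
    """Summarize one probe window: one RTT per probe that came back, `sent` probes in total.

    Jitter is the mean absolute difference between consecutive RTTs (RFC 3550 style).
    A window with no replies marks the link down.
    """
    received = len(rtts_ms)
    if received == 0:
        return LinkStats(name, float("inf"), float("inf"), 100.0, cost, up=False)
    loss = 100.0 * (sent - received) / sent
    diffs = [abs(b - a) for a, b in zip(rtts_ms, rtts_ms[1:])]
    jitter = mean(diffs) if diffs else 0.0
    return LinkStats(name, mean(rtts_ms), jitter, loss, cost)


def meets_sla(link: LinkStats, sla: AppSla) -> bool:
    return (link.up and link.latency_ms <= sla.max_latency_ms
            and link.jitter_ms <= sla.max_jitter_ms
            and link.loss_pct <= sla.max_loss_pct)


def select_path(links: List[LinkStats], sla: AppSla, current: Optional[str] = None) -> Optional[str]:
    compliant = [l for l in links if meets_sla(l, sla)]
    if compliant:
        # Hysteresis: stay on the current path while it still meets the SLA,
        # otherwise move to the cheapest compliant path (ties broken by latency).
        if current in {l.name for l in compliant}:
            return current
        return min(compliant, key=lambda l: (l.cost, l.latency_ms)).name
    # Nothing meets the SLA: best effort on whatever is up, least lossy first.
    up = [l for l in links if l.up]
    if not up:
        return None
    return min(up, key=lambda l: (l.loss_pct, l.latency_ms, l.jitter_ms)).name


def steer(links: List[LinkStats], current: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Path decision per application class for one probe window."""
    return {sla.name: select_path(links, sla, (current or {}).get(sla.name))
            for sla in (VOICE, BULK)}


# Constructed probe windows (RTT in ms for each probe that returned).
MPLS_OK = stats_from_probes("mpls", [20, 20, 21, 20, 20, 21, 20, 20], sent=8, cost=10)
DIA_OK = stats_from_probes("dia", [30, 31] * 4, sent=8, cost=2)
DIA_BROWNOUT = stats_from_probes("dia", [30, 31] * 9 + [45], sent=20, cost=2)   # 1 of 20 lost
LTE = stats_from_probes("lte", [90, 140, 95, 160, 100, 150, 92, 155], sent=10, cost=5)


def down(name: str, cost: int) -> LinkStats:
    return stats_from_probes(name, [], sent=8, cost=cost)


if __name__ == "__main__":
    healthy = steer([MPLS_OK, DIA_OK, LTE])
    print("healthy :", healthy)                                  # both classes on cheap DIA
    brownout = steer([MPLS_OK, DIA_BROWNOUT, LTE], current=healthy)
    print("brownout:", brownout)                                 # voice fails over to MPLS
    print("recovery:", steer([MPLS_OK, DIA_OK, LTE], current=brownout))  # voice stays put
    print("outage  :", steer([down("mpls", 10), down("dia", 2), LTE], current=brownout))
```

In the brownout window DIA loses 1 probe in 20 (5% loss), which breaches the voice SLA but not the bulk one, so only voice moves to MPLS; when DIA recovers, voice stays on MPLS because of the hysteresis check, and only a later MPLS fault or an explicit cost-based rebalance would move it back. With every transport failing its SLA, the edge degrades to best effort on the least lossy link that is still up rather than blackholing traffic.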

In short, SD-WAN can disrupt the legacy approach of using MPLS for last-mile connectivity. But SD-WAN on its own isn’t ideal. SD-WAN appliances serve sites, not mobile users, so many IT teams are forced to layer additional security infrastructure and control mechanisms just to give mobile users secure access to public cloud applications and WAN resources. And SD-WAN helps address the last mile, but consider the middle mile: how does an organization overcome the challenges of an unreliable middle-mile internet service provider?

Secure Access Service Edge (SASE) is a networking architecture that converges SD-WAN with multiple security controls (i.e., firewall, IPS, endpoint security, secure web gateway, zero trust network access) into a single cloud-delivered service. It leverages the SD-WAN fabric to actively monitor connectivity conditions, dynamically choosing the optimal path, minimizing packet loss and meeting SLA goals. Mobile and fixed users are protected by the same set of security policies without backhauling traffic or installing additional security hardware.

Some SASE providers also operate a global private backbone with layers of redundancy across Points of Presence (PoPs), nodes and servers. SD-WAN devices automatically connect to the nearest available PoP, ensuring uptime and eliminating the need for complex high-availability and redundancy measures at each site.

In 2018, Gartner predicted that SD-WAN technology would eventually eliminate MPLS. Gartner has since made a fresh prediction that by 2026, 60% of SD-WAN purchases will be part of a single-vendor SASE offering. If organizations dive deep to understand the benefits SASE offers over MPLS and traditional SD-WAN, they will no doubt realize that SASE is poised to replace aging MPLS in due time.


Written By

Etay Maor is Senior Director of Security Strategy for Cato Networks. Previously, he was Chief Security Officer for IntSights and held senior security positions at IBM and RSA Security's Cyber Threats Research Labs. An adjunct professor at Boston College, he holds a BA in computer science and a MA in counter-terrorism and cyber terrorism from Reichman University (IDC Herzliya), Tel Aviv.