MPLS

Answered Question
Apr 24th, 2009

Can anyone tell me some of the vulnerabilities of running MPLS between remote locations without using the site to site VPN?


Correct Answer
Jon Marshall Fri, 04/24/2009 - 13:32

Bart

It really comes down to how much you trust the provider of the MPLS network. Just as with frame-relay/ATM you are relying on the provider to

1) not make a mistake in the configuration so that your traffic becomes visible to other companies

2) not to look at your traffic. Any provider has the ability to do this but if they did they would soon find they weren't getting much business :-).

It also depends on the security level of the company you work for. A lot of enterprises will accept MPLS without encryption but then again if you work for the Ministry of Defence or the equivalent in your country you might well decide the data you are dealing with is sensitive enough to need encryption.

Always bear in mind that MPLS/ATM/frame-relay, even dedicated P2P links are vulnerable to a provider.

Jon

bsudol79p Fri, 04/24/2009 - 13:39

Thanks Jon for the fast response. Lately whenever I hear of MPLS, there is talk of encryption so I was wondering if there are any companies that are running MPLS without the encryption. Thanks

Joseph W. Doherty Fri, 04/24/2009 - 17:09

I work with a large client that uses at least two independent international MPLS WANs without using encryption. (I.e. so there's at least one company that does.)

BTW, with them, the question does arise from time to time about using VPN encryption across the MPLS cloud. I try to remind them there are more likely other security risks that might need to be addressed first. Further, security has costs which need to be compared to the probable risk of loss.

When you compare cost with risk of loss, general VPN encryption across MPLS often isn't justified. If there's just some data that's very sensitive, send it as an encrypted file (which also helps protect it across the LAN).

Today with wireless everywhere, your security risk might be higher with someone attaching their own AP to your LAN rather than a security breach within a provider's MPLS cloud.

Correct Answer
lamav Fri, 04/24/2009 - 13:34

Hi:

Well, what you are doing is basically outsourcing your L3 domain to a provider. It gives you less leverage over the routing environment - i.e., path selection, failover and redundancy.

Given today's robust service provider networks and the ubiquity of enterprise customers who rely on MPLS, I wouldn't be too concerned about these issues.

Security, however, is an issue that is [sort of] hotly discussed and debated in network security circles. Proponents of MPLS VPNs swear by its impenetrable and incorruptible routing architecture due to its ability to leverage IPv4 routing extensions which allow them to isolate routing instances across the MPLS backbone.

On the other hand, the skeptics cite the fact that MPLS VPNs are an extension of L3 domains and consist of IP addresses, which leave them vulnerable to typical DoS attacks and spoofing. Moreover, legacy site-to-site VPNs use IPSec encryption, which affords maximum security that MPLS alone can never match.

Some time back I read this pretty good article from Cisco.

Check it out.

Please rate all helpful posts.

http://www.cisco.com/en/US/tech/tk436/tk428/technologies_white_paper09186a00800a85c5.shtml#wp31759

HTH

Victor
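The two points the thread keeps coming back to, Victor's "isolate routing instances across the MPLS backbone" and Jon's "not make a mistake in the configuration so that your traffic becomes visible to other companies", are the same mechanism seen from two sides. The following is an added example, not code from this thread or from Cisco: a small Python model of how an L3VPN provider separates customers with route distinguishers and route targets, and an audit that shows what one mistyped route target on the provider side does. Customer names, ASN 65000 and every prefix are constructed sample data.

```python
# Added example (not from the thread): toy model of MPLS L3VPN route
# distribution. The provider keeps customer routing instances apart only by
# the route targets it configures, so one mistyped import route target leaks
# one customer's routes into another customer's VRF. Customer names, ASN
# 65000 and all prefixes are constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass
class Vrf:
    """One customer VRF on a PE router."""
    customer: str
    rd: str                                   # route distinguisher, e.g. "65000:100"
    export_rt: Set[str]                       # route targets stamped on advertised routes
    import_rt: Set[str]                       # route targets this VRF accepts routes from
    local_routes: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Vpnv4Route:
    """A route as carried between PEs: RD + prefix + route-target communities."""
    rd: str
    prefix: str
    rts: FrozenSet[str]
    origin_customer: str


def export_routes(vrfs: List[Vrf]) -> List[Vpnv4Route]:
    """Every VRF route becomes a VPNv4 route tagged with that VRF's export RTs."""
    return [Vpnv4Route(v.rd, p, frozenset(v.export_rt), v.customer)
            for v in vrfs for p in sorted(v.local_routes)]


def distinct_vpnv4_entries(vrfs: List[Vrf]) -> int:
    """The RD keeps (rd, prefix) unique even when two customers use the same
    private prefix; that is address separation, not access control."""
    return len({(r.rd, r.prefix) for r in export_routes(vrfs)})


def import_routes(vrf: Vrf, table: List[Vpnv4Route]) -> Dict[str, str]:
    """A VRF installs a route from another VRF when any route target on the
    route matches one of its import RTs. Returns prefix -> origin customer."""
    accepted: Dict[str, str] = {}
    for r in table:
        if r.rd == vrf.rd:                    # its own routes are already local
            continue
        if r.rts & vrf.import_rt:
            accepted[r.prefix] = r.origin_customer
    return accepted


def audit_leaks(vrfs: List[Vrf]) -> List[Tuple[str, str, str]]:
    """Defender-side check: every (vrf customer, prefix, origin customer)
    where a VRF has imported a route belonging to a different customer."""
    table = export_routes(vrfs)
    leaks = []
    for v in vrfs:
        for prefix, origin in import_routes(v, table).items():
            if origin != v.customer:
                leaks.append((v.customer, prefix, origin))
    return sorted(leaks)


def build_provider(typo: bool) -> List[Vrf]:
    """Two customers on one provider. With typo=True the operator has typed
    acme's route target into globex's import list (constructed scenario)."""
    acme = Vrf("acme", "65000:100", {"65000:100"}, {"65000:100"},
               {"10.1.0.0/16", "10.2.0.0/16"})
    globex_import = {"65000:100"} if typo else {"65000:200"}
    globex = Vrf("globex", "65000:200", {"65000:200"}, globex_import,
                 {"10.1.0.0/16", "172.16.0.0/12"})   # 10.1.0.0/16 overlaps acme on purpose
    return [acme, globex]


if __name__ == "__main__":
    print("VPNv4 entries:", distinct_vpnv4_entries(build_provider(False)))  # 4 for 3 prefixes
    print("correct config leaks:", audit_leaks(build_provider(typo=False)))  # []
    print("mistyped RT leaks:", audit_leaks(build_provider(typo=True)))
```

With the correct configuration the audit is empty; with the one-character slip, globex's VRF holds acme's 10.1.0.0/16 and 10.2.0.0/16 and will forward traffic for them into acme's VPN. Nothing on the customer side can see or prevent that, which is Jon's trust argument in concrete form, and it is why the thread's other answers treat IPsec over the MPLS cloud as the control that does not depend on the provider's configuration. On real equipment the equivalent check is comparing each VRF's configured import and export route targets against the customer inventory rather than running a model.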
