MPSL

Answered Question
Apr 24th, 2009

Can anyone tell me some of the vulnerabilities of running MPLS between remote locations without using the site to site VPN?

I have this problem too.
0 votes
Correct Answer by lamav about 7 years 9 months ago

Hi:

Well, what you are doing is basically outsourcing your L3 domain to a provider. It gives you less leverage over the routing environment - ie, path selection, failover and redundancy.

Given today's robust service provider networks and the ubiquity of enterprise customers who rely on MPLS, I wouldn't be too concerned about these issues.

Security, however, is an issue that is [sort of] hotly discussed and debated in network security circles. Proponents of MPLS VPNs swear by its impenetrable and incorruptible routing architecture due to its ability to leverage ipv4 routing extensions which allow them to isolate routing instances across the MPLS backbone.

On the other hand, the skeptics cite the fact that MPLS VPNs are an extension of L3 domains and consist of IP addresses, which leave them vulnerable to typical DoS attacks and spoofing. Moreover, legacy site-to-site VPNs use IPSec encryption, which affords maximum security that MPLS alone can never match.

Some time back I read this pretty good article from Cisco.

Check it out.

Please rate all helpful posts.

http://www.cisco.com/en/US/tech/tk436/tk428/technologies_white_paper09186a00800a85c5.shtml#wp31759

HTH

Victor

Correct Answer by Jon Marshall about 7 years 9 months ago

Bart

It really comes down to how much you trust the provider of the MPLS network. Just as with frame-relay/ATM you are relying on the provider to

1) not make a mistake in the configuration so that your traffic becomes visible to other companies

2) not to look at your traffic. Any provider has the ability to do this but if they did they would soon find they weren't getting much business :-).

It also depends on the security level of the company you work for. A lot of enterprises will accept MPLS without encryption but then again if you work for the Ministry of Defence or the equivalent in your country you might well decide the data you are dealing with is sensitive enough to need encryption.

Always bear in mind that MPLS/ATM/frame-relay, even dedicated P2P links are vulnerable to a provider.

Jon

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
Correct Answer
Jon Marshall Fri, 04/24/2009 - 13:32

Bart

It really comes down to how much you trust the provider of the MPLS network. Just as with frame-relay/ATM you are relying on the provider to

1) not make a mistake in the configuration so that your traffic becomes visible to other companies

2) not to look at your traffic. Any provider has the ability to do this but if they did they would soon find they weren't getting much business :-).

It also depends on the security level of the company you work for. A lot of enterprises will accept MPLS without encryption but then again if you work for the Ministry of Defence or the equivalent in your country you might well decide the data you are dealing with is sensitive enough to need encryption.

Always bear in mind that MPLS/ATM/frame-relay, even dedicated P2P links are vulnerable to a provider.

Jon

bsudol79p Fri, 04/24/2009 - 13:39

Thanks Jon for the fast response. Lately whenever I hear of MPLS, there is talk of encryption so I was wondering if there are any companies that are running MPLS without the encryption. Thanks

Joseph W. Doherty Fri, 04/24/2009 - 17:09

I work with a large client that uses at least two independent international MPLS WANs without using encryption. (I.e. so there's at least one company that does.)

BTW, with them, the question does arise from time-to-time about using VPN encryption across the MPLS cloud. I try to remind them there are more likely other security risks that might need to be addressed first. Further, security has costs which needs to be compared to probably risk of loss.

When you compare cost with risk of loss, general VPN encryption across MPLS often isn't justified. If there's just some data that's very sensitive, send it as an encrypted file (which also helps protect it across the LAN).

Today with wireless everywhere, your security risk might be higher with someone attaching their own AP to your LAN rather than a security breach within a provider's MPLS cloud.

Correct Answer
lamav Fri, 04/24/2009 - 13:34

Hi:

Well, what you are doing is basically outsourcing your L3 domain to a provider. It gives you less leverage over the routing environment - ie, path selection, failover and redundancy.

Given today's robust service provider networks and the ubiquity of enterprise customers who rely on MPLS, I wouldn't be too concerned about these issues.

Security, however, is an issue that is [sort of] hotly discussed and debated in network security circles. Proponents of MPLS VPNs swear by its impenetrable and incorruptible routing architecture due to its ability to leverage ipv4 routing extensions which allow them to isolate routing instances across the MPLS backbone.

On the other hand, the skeptics cite the fact that MPLS VPNs are an extension of L3 domains and consist of IP addresses, which leave them vulnerable to typical DoS attacks and spoofing. Moreover, legacy site-to-site VPNs use IPSec encryption, which affords maximum security that MPLS alone can never match.

Some time back I read this pretty good article from Cisco.

Check it out.

Please rate all helpful posts.

http://www.cisco.com/en/US/tech/tk436/tk428/technologies_white_paper09186a00800a85c5.shtml#wp31759

HTH

Victor

Actions

This Discussion