MPLS VPN /IPSec VPN

Jon Marshall Sun, 12/06/2009 - 10:55

Hi

Guys, do you agree with me that MPLS VPN becomes useless in the presence of IPSec VPN in order to connect branches together?

Thanks

Ali


No, not at all. IPSEC VPNs run over the internet, which is fine, but you have no real control over levels of service on the internet. So if a major event happens and everybody tries to access the internet for information, your IPSEC VPNs could become almost useless.

Also, if you are targeted by hackers from the Internet, this too could severely impact your connections.

MPLS VPNs on the other hand are "private" networks run by service providers where a guaranteed service level can be agreed with the provider. They are not accessible from the internet and therefore offer some level of security that IPSEC VPNs do not. That is not to say they are totally secure, but because they are closed networks they are not as susceptible to some of the things the internet is.

There are a lot more differences between IPSEC and MPLS VPNs, but hopefully the above has given you some idea why you might want to choose an MPLS VPN over IPSEC VPNs.

Jon

darren-carr Mon, 08/22/2011 - 05:22

Hi Jon,

I found this old article that you responded to.

I am looking to use a SP L3 MPLS VPN and am trying to convince the business that it is secure enough without running IPSec over the top of it.

Do you have any specific references to documents relating to this topic?

Thanks,

Darren

Jon Marshall Mon, 08/22/2011 - 06:00

Darren

It really depends on the security requirements of your company. Firstly, there is obviously a degree of trust in the SP themselves, but then that applies to just about any WAN connection unless you physically lay your own cables.

If you trust the SP then the next question is what is the possibility of your traffic being compromised while in the MPLS network. MPLS segregates traffic with labels primarily, and a misconfiguration could indeed lead to your data being leaked to another company. Having said that, if this was a common occurrence I suspect MPLS VPNs would not be so widely used.

I have come across companies that do indeed run IPSEC VPNs across their MPLS connections, but I think this is the exception rather than the norm.

Personally, for normal applications I have always felt comfortable using MPLS VPNs. But then the companies I worked for did not have any information that was that sensitive. Actually they did, but for that specific information we used dedicated links.

Attached is a Cisco doc outlining the pros and cons between using MPLS L3 VPNs and IPSEC VPNs. Bear in mind that if you have some specific information you still want to use MPLS for then you can always encrypt that information only, i.e. it is not a simple MPLS or IPSEC VPN choice.

Jon

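The selective encryption Jon mentions, as an added Cisco IOS configuration example that is not part of the thread or its attachment: only the finance subnets at the two sites are matched by the crypto ACL and carried in IPsec across the MPLS VPN, while everything else rides the provider's VPN unencrypted. The subnets, CE addresses, object names and the pre-shared key placeholder are assumed values for illustration.

```cisco
! Added example: CE router at site A, IKEv1 crypto map on the MPLS-facing interface.
! Assumed addressing: site A finance 10.1.10.0/24, site B finance 10.2.10.0/24,
! remote CE WAN address 192.0.2.6 (reachable through the SP's L3 MPLS VPN).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 192.0.2.6
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL: only finance-to-finance traffic is encrypted.
! Anything not permitted here is forwarded in the clear over the MPLS VPN.
ip access-list extended SENSITIVE-TO-SITE-B
 permit ip 10.1.10.0 0.0.0.255 10.2.10.0 0.0.0.255
!
crypto map MPLS-SELECTIVE 10 ipsec-isakmp
 set peer 192.0.2.6
 set transform-set ESP-AES-SHA
 match address SENSITIVE-TO-SITE-B
!
interface GigabitEthernet0/0
 description CE-PE link into the SP MPLS L3 VPN
 ip address 192.0.2.1 255.255.255.252
 crypto map MPLS-SELECTIVE
```

The mirror configuration is needed on the site B CE with the ACL reversed; `show crypto ipsec sa` on either CE confirms that only packets matching the ACL are being encapsulated.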
Joseph W. Doherty Mon, 08/22/2011 - 08:38

Disclaimer


The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

An excellent answer.

I might add for the original question, it's a similar question to how secure do you feel other private WAN clouds are? (E.g. frame-relay, ATM) Unless you really are concerned about the service provider, themselves, 3rd parties accessing your data, in-flight, is a bit difficult. In fact even on the Internet, other than ISPs, 3rd parties accessing your data in-flight isn't all that easy either (assuming transient devices are secure). (On the Internet, end-points [servers] are the primary targets, both easier to get to than in-flight data, and more data of interest stored there too.)

Joseph W. Doherty Mon, 08/22/2011 - 08:28


In principle, 100% agree with Jon. In practice, I've found the advantages of MPLS VPNs rarely best a well-crafted VPN setup across the Internet for hub-and-spoke topologies. The latter often costs much, much less and is easier to obtain, especially in 3rd world countries.
