MPLS VPN /IPSec VPN

alsayed · ‎12-06-2009

Hi

Guys do y agree with me that MPLS VPN becomes useless in the present of IPSec VPN in order connects branches together?

thanks

Jon Marshall · ‎12-06-2009

alsayed@litani.gov.lb

Hi

Guys do y agree with me that MPLS VPN becomes useless in the present of IPSec VPN in order connects branches together?

thanks

Ali

No not all. IPSEC VPNs run over the internet which is fine but you have no real control over levels of service on the internet. So if a major event happens and everybody tries to access the internet for information your IPSEC VPNs could become almost useless.

Also if you are target by hackers from the Internet this too could severly impact your connections.

MPLS VPNs on the other hand are "private" networks run by service providers where a guaranteed service level can be agreed with the provider. They are not accessible from the internet and therefore offer some level of security that IPSEC VPNs do not. That is not to say they are totally secure but because they are closed networks they are not as susceptible to some of the things the internet is.

There are a lot more differences between IPSEC and MPLS VPNs but hopefully the above has given you some idea why you might want to choose an MPLS VPN over IPSEC VPNs.

Jon

alsayed · ‎12-09-2009

Thanks jon

alsayed · ‎12-09-2009

Thanks jon

darren-carr · ‎08-22-2011

Hi Jon,

I found this old article that you responded to.

I am looking to use a SP L3 MPLS VPN and am trying to convince the business that it is secure enough without running IPSec over the top of it.

Do you have any specific references to documents relating to this topic?

Thanks,

Darren

Jon Marshall · ‎08-22-2011

Darren

It really depends on the security requirements of your company. Firstly there is obviously a degree of trust in the SP themselves but then that applies to just about any WAN connection unless you physically lay your own cables.

If you trust the SP then the next question is what is the possibility of your traffic being compromised while in the MPLS network. MPLS segregates traffic with labels primarily and a misconfiguration could indeed lead to your data being leaked to another company. Having said that, if this was a common occurence i suspect MPLS VPNs would not be so widely used.

I have come across companies that do indeed run IPSEC VPNs across their MPLS connections but i think this is the exception rather than the norm.

Personally for normal applications i have always felt comfortable using MPLS VPNs. But then the companies i worked for did not have any information that was that sensitive. Actually they did bur for that specific information we used dedicated links.

Attached is a Cisco doc outling the pros and cons between using MPLS L3 VPNs and IPSEC VPNs. Bear in mind that if you have some specific information you still want to use MPLS for then you can always encrypt that information only ie. it is not a simple MPLS or IPSEC VPN choice.

Jon

Joseph W. Doherty · ‎08-22-2011

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

An excellent answer.

I might add for the original question, it's a similar question to how secure do you feel other private WAN clouds are? (E.g. frame-relay, ATM) Unless you really are concerned about the service provider, themselves, 3rd parties accessing your data, in-flight, is a bit difficult. In fact even on the Internet, other than ISPs, 3rd parties accessing your data in-flight isn't all that easy either (assuming transient devices are secure). (On the Internet, end-points [servers] are the primary targets, both easier to get to than in-flight data, and more data of interest stored there too.)

vmiller · ‎08-22-2011

http://www.cisco.com/en/US/tech/tk436/tk428/technologies_white_paper09186a00800a85c5.shtml

My own bias is for l3 mpls vpn, i found life fairly easy once the orginal CE config details were hammered out.

We were able to convince internal audit that there was no more risk involved than running private frame relay.

Joseph W. Doherty · ‎08-22-2011

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

In principle, 100% agree with Jon. In practice, I've found the advantages of MPLS VPNs rarely bests a well crafted VPN setup across the Internet for hub-and-spoke topologies. The latter often costs much, much less and easier to obtain especially in 3rd world countries.