MPLS

bsudol79p
Level 1

Can anyone tell me some of the vulnerabilities of running MPLS between remote locations without using the site to site VPN?

4 Replies

Jon Marshall
Hall of Fame

Bart

It really comes down to how much you trust the provider of the MPLS network. Just as with frame-relay/ATM you are relying on the provider to

1) not make a mistake in the configuration so that your traffic becomes visible to other companies

2) not look at your traffic. Any provider has the ability to do this, but if they did they would soon find they weren't getting much business :-).

It also depends on the security level of the company you work for. A lot of enterprises will accept MPLS without encryption but then again if you work for the Ministry of Defence or the equivalent in your country you might well decide the data you are dealing with is sensitive enough to need encryption.

Always bear in mind that MPLS/ATM/frame-relay, even dedicated P2P links are vulnerable to a provider.

Jon

Thanks Jon for the fast response. Lately whenever I hear of MPLS, there is talk of encryption so I was wondering if there are any companies that are running MPLS without the encryption. Thanks

I work with a large client that uses at least two independent international MPLS WANs without using encryption. (I.e. so there's at least one company that does.)

BTW, with them, the question does arise from time to time about using VPN encryption across the MPLS cloud. I try to remind them that there are more likely other security risks that might need to be addressed first. Further, security has costs, which need to be compared to the probable risk of loss.

When you compare cost with risk of loss, general VPN encryption across MPLS often isn't justified. If there's just some data that's very sensitive, send it as an encrypted file (which also helps protect it across the LAN).

Today with wireless everywhere, your security risk might be higher with someone attaching their own AP to your LAN rather than a security breach within a provider's MPLS cloud.

lamav
Level 8

Hi:

Well, what you are doing is basically outsourcing your L3 domain to a provider. It gives you less leverage over the routing environment, i.e., path selection, failover and redundancy.

Given today's robust service provider networks and the ubiquity of enterprise customers who rely on MPLS, I wouldn't be too concerned about these issues.

Security, however, is an issue that is [sort of] hotly discussed and debated in network security circles. Proponents of MPLS VPNs swear by its impenetrable and incorruptible routing architecture due to its ability to leverage IPv4 routing extensions, which allow them to isolate routing instances across the MPLS backbone.

On the other hand, the skeptics cite the fact that MPLS VPNs are an extension of L3 domains and consist of IP addresses, which leaves them vulnerable to typical DoS attacks and spoofing. Moreover, legacy site-to-site VPNs use IPsec encryption, which affords maximum security that MPLS alone can never match.

Some time back I read this pretty good article from Cisco.

Check it out.

Please rate all helpful posts.

http://www.cisco.com/en/US/tech/tk436/tk428/technologies_white_paper09186a00800a85c5.shtml#wp31759

HTH

Victor
