Securing E1 back-to-back connections

cisco96050
Level 1

Good day everyone;

I need some help in securing a back-to-back connection using E1.

The connection is between two cities, using 2x Cisco 1841 routers + VWIC-1MFT-E1 interface at each city.

The E1 connections have been provided by our local telco, and they are completely private.

The customer is a bank, and they are asking me if this is a secure connection or not.

If possible, we need to guarantee that nobody can get access to the bank network even if they brought an E1 modem to one of the ends (telco PoP).

Your quick help would be really appreciated

Best Regards

Salem


Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

A possible solution would be to encrypt all traffic between the two routers.  Without researching, don't recall whether 1841 has on-board encryption hardware or supports add-on hardware, nor recall software requirements (i.e. might require a minimum feature set or additional activation license).

vmiller
Level 7

It's secure.

If you have ever been in a Telco CO, you would understand how difficult it would be to find the right circuit to try and tap into. That being said, it's not impossible.

Joseph's suggestion regarding encryption would mitigate that. If you are not comfortable or familiar with setting up encryption, then follow Paolo's suggestion.

Hi Salem,

You would not need any encryption with a MPLS VPN and you would have much more flexibility and control in place.

Check this as a solution with your ISP because MPLS is not that expensive anymore.

Alessio

I bet it's the auditors that are asking.

If he wants to pursue MPLS he should first dig up the document on how secure VRFs can be.

A lot would depend on just how many sites he needs to support.


Alessio Andreoli wrote:

You would not need any encryption with a MPLS VPN and you would have much more flexibility and control in place.

Often CE <> PE link isn't MPLS, even when SP cloud is.

Even with MPLS, although perhaps it's much less likely for another MPLS VPN customer to tap your data, or perhaps there's less chance for your data being inadvertently directed to a 3rd party, there still can be concern over access by the SP themselves.  If this is a concern, though, i.e. the security requirements are that stringent, then data should be encrypted end-to-end, not just across the SP's network.

Hi Joseph,

I partially agree with you in this sense. If it is true that the PE-to-CE routing protocol is very often something different from MPLS, you need to admit that this is not going to be an issue at all. You could extend a VRF from the CE to the PE, extending the private network that, de facto, MPLS is providing. For the second valid point that you were proposing, I could say the same for IPsec or whatever encryption you are going to implement. If you introduce the human mistake for the SP side, you also need to introduce the same potential danger for whoever is managing the encrypted tunnels. There is another valid point here which deserves attention. Assuming that a mistake is made, it is much better from a managerial/political/economical point of view that an external company does it. In this way the enterprise/institution which will be exposed can avoid legal issues because the VPN was not under their own responsibility and therefore no customer can complain (legally) about it.

Back to the technical reasons, I think I still would see an MPLS VPN as safer than an IPsec tunnel. Even if we ignore the fact that often not even human inputs are allowed on the PE routers, we must consider that to forward the traffic to a wrong destination much more than a mistake is required; import/export maps, VRF, BGP encoding and much more would all have to be modified to forward the data traffic to the wrong place!

By the way, I guess that both IPsec and MPLS VPN are quite solid solutions.

Take care

Alessio


Alessio, no, sorry, I don't agree that using MPLS, even CE <> PE, makes this a non-issue. I see possible differences between accidental access and illicit access, and legal shared responsibilities.

Assume I've arranged with an employee of a service provider to provide me a dump of your data transfers. Does MPLS really hinder my SP "partner"? However, if you transport your confidential data across the SP's network encrypted, (hopefully) this will make such access useless.

Could the same collusion happen with an internal employee (of the data source's company)? Sure, but with internal employees you're better able both to directly vet them and to control access and auditing policies.

You mention it's better if we just allow an external entity to take full responsibility. Perhaps in some cases, but legal responsibilities can be "funny". If a bank contracted a 3rd party to transport inter-bank cash transfers, using a company that put the cash bags in the back of an open pick-up (to save costs) vs. an armored car with armed guards, and someone helped themselves to the contents of the open pick-up, do you really think the bank would be excluded from any and all legal responsibility for such a loss?

Years ago, I worked in a bank's IT group, working on computer programs for their International banking section. When individual electronic transfers are over 100 million dollars (literally), there's a lot of concern about security even before considering regulations and laws.

Hi Joseph,

Thanks for your cool reply. I know what you are talking about because I did work for banks and military environments in the past as a Network Architect, and I can assure you that many banks moving even bigger amounts of money (electronically) than 100M $ would prefer a well-built and dedicated MPLS network to IPsec. As for internal audit and security policies, you probably know better than me that no perfect policy can be implemented, for billions of reasons. By the way, I am not saying that an IPsec tunnel would be a bad idea, just that a well-built MPLS VPN would be more appropriate, in my humble opinion.

Thanks for your reply anyway, I like to talk about these choices. They are always things to think about.

Take Care

Alessio

cisco96050
Level 1

Thanks a lot guys for your contribution here;

I don't know anything about MPLS, and neither does my SP.

I'm just wondering if there is any way to apply any possible encryption technique to the PPP connections via the serial interfaces.

Your advice would be appreciated

Thanks


Take a look at this:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009475c.shtml

It will be a good starting point for the answers you are looking for. However, you essentially must do these tasks:

1) establish PPP communication (implement PPP encapsulation on the serial interfaces) and verification (session up)

2) write your crypto map

3) apply the crypto map to the serial interface

Hope this helps

Alessio

PS: L2TP is another way to tunnel info and can run in combination with IPSec

Thanks a lot Alessio for your support;

I think we only need to think about encryption; here is my starting point, I guess:

An Introduction to IP Security (IPSec) Encryption

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml?referring_site=bodynav

I think this is what we can do for this customer now; please let me know if you don't agree.

Also, is there any way to verify this solution?

Many thanks in advance
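The three steps Alessio listed (PPP on the channelized serial, a crypto map, the crypto map applied to the serial interface), plus the verification Salem asks about, as one worked configuration. This is an added example written for this page, not a configuration from the thread or from Cisco's documentation. Everything concrete in it is an assumption: the controller slot (0/0/0), the point-to-point addresses (10.0.0.1/30 and 10.0.0.2/30), the LAN prefixes behind each router (192.168.1.0/24 and 192.168.2.0/24), the object names (E1-MAP, E1-TS, E1-CRYPTO-ACL, E1-INBOUND) and the placeholder pre-shared key. Only side A is shown; side B mirrors it with the addresses and the ACL source/destination swapped.

```ios
! ---- Side A (assumed addresses; side B is the mirror image) ----

! 1) Bring the E1 up as a single serial channel and run PPP on it.
controller E1 0/0/0
 clock source line
 channel-group 0 timeslots 1-31
!
interface Serial0/0/0:0
 ip address 10.0.0.1 255.255.255.252
 encapsulation ppp
 ! Only IKE and ESP from the peer, plus the decrypted LAN traffic, are
 ! accepted. Classic IOS evaluates the inbound ACL on the ESP packet and
 ! again on the decrypted packet, so the LAN-to-LAN permit is required.
 ! Anything else a device plugged into the circuit sends is dropped and logged.
 ip access-group E1-INBOUND in
 crypto map E1-MAP
!
ip access-list extended E1-INBOUND
 permit udp host 10.0.0.2 host 10.0.0.1 eq isakmp
 permit esp host 10.0.0.2 host 10.0.0.1
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip any any log
!
! 2) IKEv1 phase 1 and phase 2 policy, then the crypto map.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! DH group 14 needs a 12.4(4)T or later image (assumption: check with
! "crypto isakmp policy 10" / "group ?"); fall back to group 5 if absent.
crypto isakmp key REPLACE-WITH-A-LONG-RANDOM-KEY address 10.0.0.2
!
crypto ipsec transform-set E1-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Only LAN-to-LAN traffic is "interesting" and gets encrypted; the crypto
! map also drops inbound cleartext that matches this ACL.
ip access-list extended E1-CRYPTO-ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map E1-MAP 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set E1-TS
 set pfs group14
 set security-association lifetime seconds 3600
 match address E1-CRYPTO-ACL
!
! Route the remote LAN across the link (static route, assumed topology).
ip route 192.168.2.0 255.255.255.0 Serial0/0/0:0
!
! 3) Verification, run after sending LAN-to-LAN traffic (e.g. a ping
!    sourced from the LAN interface):
!  show controllers e1 0/0/0          -> no alarms, no errored seconds
!  show interfaces serial0/0/0:0      -> "line protocol is up", LCP Open
!  show crypto isakmp sa              -> peer 10.0.0.2 in state QM_IDLE
!  show crypto ipsec sa               -> #pkts encaps/decaps both increasing
!  show access-lists E1-INBOUND       -> only the permit lines match;
!                                        "deny ... log" counts any rogue sender
!  show crypto engine configuration   -> confirms hardware crypto is in use
```

Two caveats a reviewer of this design would raise. First, the pre-shared key is the whole of the authentication: if a device at the telco PoP learns it, it can build its own tunnel, so the key must be long and random, stored only in the two routers (`service password-encryption` only obscures it) and rotated on a schedule; certificates are the stronger option once a PKI exists. Second, with nothing but the crypto map applied, traffic that does not match E1-CRYPTO-ACL still crosses the link in the clear, which is why the inbound interface ACL is part of the design and why the LAN ranges in the two ACLs must agree exactly.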
