Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Securing E1 back-to-back connections

Good day everyone;

     I need some help in securing a back-toback connection using E1.

     The connection is between two cities, using 2x CISCO 1841 router + VWIC-1MFT-E1 interface at each city.

     The E1 connections has been provided by our local telco, and they are completely private.

     The customer is a bank, and they asking me if this is a secure connection or not.

     If possible, we need to guarantee that no body can get access to the bank network even if they brought E1 modem at one of the ends (telco PoP).

Your quick help would be really appreciated

Best Regards

Salem

Everyone's tags (3)
11 REPLIES
Super Bronze

Re: Securing E1 back-to-back connections

Disclaimer

The   Author of this posting offers the information contained within this   posting without consideration and with the reader's understanding that   there's no implied or expressed suitability or fitness for any purpose.   Information provided is for informational purposes only and should not   be construed as rendering professional advice of any kind. Usage of  this  posting's information is solely at reader's own risk.

Liability Disclaimer

In   no event shall Author be liable for any damages whatsoever (including,   without limitation, damages for loss of use, data or profit) arising  out  of the use or inability to use the posting's information even if  Author  has been advised of the possibility of such damage.

Posting

A possible solution would be to encrypt all traffic between the two routers.  Without researching, don't recall whether 1841 has on-board encryption hardware or supports add-on hardware, nor recall software requirements (i.e. might require a minimum feature set or additional activation license).

Gold

Securing E1 back-to-back connections

Its secure.

If you have ever been in a Telco CO, you would understand how difficult it would be to find the right circuit to try and tap into. That being said, its not impossible.

Josephs suggestion regarding encryption would mitigate that. If you are not comfortable or familiar with setting up encryption, the follow Paolos suggestion.

Re: Securing E1 back-to-back connections

Hi Salem,

You would not need any encryption with a MPLS VPN and you would have much more flexibility and control in place.

Check this as solution with your ISP because MPLS is not that expensive anymore

Alessio

Gold

Re: Securing E1 back-to-back connections

I bet its the auditors that are asking.

If he wants to persue MPLS he should first diig up the docuement on how secure VRFs can be. 

A lot would depend on just how many sites he needs to support.

Super Bronze

Re: Securing E1 back-to-back connections

Disclaimer


The Author of this  posting offers the information contained within this posting without  consideration and with the reader's understanding that there's no  implied or expressed suitability or fitness for any purpose. Information  provided is for informational purposes only and should not be construed  as rendering professional advice of any kind. Usage of this posting's  information is solely at reader's own risk.

Liability Disclaimer

In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.

Posting

Alessio Andreoli wrote:

You would not need any encryption with a MPLS VPN and you would have much more flexibility and control in place.

Often CE <> PE link isn't MPLS, even when SP cloud is.

Even with MPLS, although perhaps it's much less likely for another MPLS VPN customer to tap your data, or perhaps there's less chance for your data being inadvertently directed to a 3rd party, there still can be concern over access by the SP themselves.  If this is a concern, though, i.e. the security requirements are that stringent, then data should be encrypted end-to-end, not just across the SP's network.

Re: Securing E1 back-to-back connections

Hi Joseph,

I partially agree with you in this sense.. If it is true that the pe to ce routing protocol is very often something different from MPLS, you need to admit that this is not going to be an issue at all. You could extend a VRF from the ce to the pe extending the private network that, de facto, MPLS is providing. For the second valid point that you were proposing, I could say the same for IPSec or whatever encryption you are going to implement. If you introduce the human mistake for the SP side, you also need to introduce the same potential danger for who is managing the encrypted tunnels. There is here another valid point which deserves attention. Assuming that a mistake is done, it is much better from a managerial/political/economical point of view that an external company does it. In this way the enterprise/institution which will be exposed can avoid legal issues because the VPN was not under their own responsibility and therefore no customer can complain (legally) at it.

Back to the technical reasons, I think I still would see a MPLS VPN safer than IPSec tunnel. If we even ignore the fact that often not even human inputs are allowed on the PE routers, we must consider that to forward the traffic to a wrong destination much more than a mistake is required; import/export maps, VRF, BGP encoding and much more should all be modified to forward the data traffic to the wrong place!!!

By the way, I guess that both IPSec and MPLS VPN are quite solid solutions.

Take care

Alessio

Sent from Cisco Technical Support iPad App

Super Bronze

Re: Securing E1 back-to-back connections

Disclaimer


The  Author of this  posting offers the information contained within this  posting without  consideration and with the reader's understanding that  there's no  implied or expressed suitability or fitness for any purpose.  Information  provided is for informational purposes only and should not  be construed  as rendering professional advice of any kind. Usage of  this posting's  information is solely at reader's own risk.

Liability Disclaimer

In   no event shall Author be liable for any damages whatsoever (including,   without limitation, damages for loss of use, data or profit) arising  out  of the use or inability to use the posting's information even if  Author  has been advised of the possibility of such damage.

Posting

Alessio, no sorry, I don't agree using MPLS, even CE <> PE makes this a non-issue.  I see possible differences between accidental access and illicit access; and legal shared responsibilities.

Assume I've arranged with an employee of a service provider to provide me a dump of your data transfers.  Does MPLS really hinder my SP "partner"?  However, if you transport your confidential data across the SP's network encrypted (hopefully) this will make such access useless.

Could the same colusion happen with an internal employee (of the data source's company)?  Sure, but with internal employees you're better both able to directly vet them and control access and auditing policies.

You mention it's better if we just allow an external entity to take full responsibility.  Perhaps in some cases, but legal responsibilities can be "funny".  If a bank contracted a 3rd party to transport inter-bank cash transfers, using a company that put the cash bags in back of open pick-up (to save costs) vs. an armored car with armed guards, and someone helped themselves to the contents of the open pick-up, you really think the bank would be excluded from any and all legal responsibility for such loss?

Years ago, I worked in a bank's IT group, working on computer programs for their International banking section.  When individual electronic transfers are over 100 million dollars (literally), there's lot of concern about security even before considering regulations and laws.

Securing E1 back-to-back connections

Hi Joseph,

thanks for your cool reply. I know what you are talking about because i did work for banks and militar environment in the past as Network Architect and i can ensure you that many banks with even bigger amount of money (electronically moved)  than 100M $ would prefer a well built and dedicated MPLS network to IPSec. For what is the internal audit and security policies you probably know better than me that no perfect policy can be implemented for billions of factors. By the way, i am not telling that an IPSec tunnel would be a bad idea, just that a well built MPLS VPN would be more appropriate  in my humble opinion

Thanks for your reply anyway, i like to speak about this choices. They alwas are spots to think about

Take Care

Alessio

New Member

Re:Securing E1 back-to-back connections

Thanks alot guys for your contribution here;

I dunno anything about MPLS neither my SP do,

Im just wondering if there is any way to apply any possible encryption techniqe to the ppp connetions via serial interfaces.

Your advice would be appretiated

Thanks

Sent from Cisco Technical Support Android App

Re:Securing E1 back-to-back connections

Take a look at this:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009475c.shtml

It will be a good start point for the answers you are looking for. However, you essentially must do these tasks:

1) establish ppp communication (implement ppp encapsulation on the serial interfaces) and verification (session up)

2) write down your crypto map

3) apply the crypto map to the serial interface

Hope this helps

Alessio

PS: L2TP is another way to tunnel info and can run in combination with IPSec

New Member

Re:Securing E1 back-to-back connections

Thanks alot Alessio for your support;

     I think we need only to think about an encryption, here is my start I guess:

An Introduction to IP Security (IPSec) Encryption

     http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml?referring_site=bodynav

     I think this is what we can do for this customer now; please let me know if you dont agree.

     Also, is there any how to verify this solution??

Many thanks in advance

678
Views
9
Helpful
11
Replies
CreatePlease login to create content