MPLS - How secure is it?

louis0001
Level 3

We have a private MPLS enabled network with 100 sites. This is provided by our ISP.

The sites are connected purely via routers. The only external egress/ingress to the whole network is provided by gateways at two sites which are protected by ASAs.

We're wondering how secure this actually is by just using routers at the remote sites?
Or should we go the whole hog and implement ASAs at each remote site?

Accepted Solution

daniel.dib
Level 7

Hi Louis,

There are many aspects to network security. I'm assuming that you are buying an L3VPN service from the SP delivered over MPLS? As you may already know, MPLS provides no encryption to the traffic, which means that all traffic is sent in the clear unless the application itself uses a technology such as SSL or TLS. This may or may not be a concern for you but I thought it was worth mentioning.

If we look at MPLS L3VPN which uses VPN label (BGP) and transport label (LDP) to forward the traffic, it is a secure way of separating customer traffic. There is always the possibility of someone accidentally or intentionally leaking traffic between different VPNs (customers) but if someone has access to the devices, then that would hold true for other technologies as well.

You haven't mentioned yet how the topology is set up. Are you using a fully meshed network (logically) or do you have hub and spoke to these main sites that you mention?

In the end it's up to you and your security policy if you deem the network to be secure or not. Do you consider external threats as the biggest risk and how would you protect against internal threats?

If all traffic between sites passes your main sites, then all traffic would be inspected which would be more secure compared to if traffic can flow freely between sites. On the other hand, sending all traffic to a central site would increase latency and the bandwidth need at the main sites as well as putting more stress on the firewalls there. Design is always a tradeoff and you have to consider what is most important to you.

The central firewalls will not mitigate local issues though, where a virus may spread on a local subnet or a network worm may utilize all of your WAN bandwidth.

In the end it comes down to how much money you are willing to spend compared to how you grade the risk of something happening and how seriously an incident would impact your business.

One option could be to have a small firewall at each site and run IPSec. On the other hand that would mean that you have 100+ firewalls to manage all of a sudden. From a management standpoint therefore it makes more sense to either send traffic to central sites or if the SP offers a firewalled service.

Daniel Dib
CCIE #37149
CCDE #20160011

Please rate helpful posts.
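As an added illustration of Daniel's point that the L3VPN label stack separates customers but does not hide their payload (example code written for this page, not from the thread or from Cisco): it builds a constructed two-label MPLS frame, pops the LDP transport label and the BGP VPN label the way a core device or an on-path observer would, and reports whether the customer packet is protected by ESP. Labels 16/24, the addresses and the payloads are made-up sample values.

```python
import struct

def mpls_entry(label, tc=0, bottom=False, ttl=64):
    """Encode one 32-bit MPLS label stack entry (RFC 3032 layout)."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)

def ipv4_packet(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) plus payload."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, addr(src), addr(dst))
    return hdr + payload

def parse_label_stack(frame):
    """Pop entries until the bottom-of-stack bit; return (labels, inner packet)."""
    labels, off = [], 0
    while True:
        if off + 4 > len(frame):
            raise ValueError("truncated label stack")
        entry, = struct.unpack_from("!I", frame, off)
        labels.append(entry >> 12)
        off += 4
        if entry & 0x100:          # S bit set: last label, inner packet follows
            return labels, frame[off:]

def classify(frame):
    """What an on-path observer in the SP core sees for one frame.
    The outer label is the LDP transport label, the inner one the BGP VPN
    label; 'protected' is True only when the customer packet is ESP (proto 50)."""
    labels, inner = parse_label_stack(frame)
    proto, ihl = inner[9], (inner[0] & 0x0F) * 4
    return {
        "transport_label": labels[0],
        "vpn_label": labels[-1],
        "src": ".".join(map(str, inner[12:16])),
        "dst": ".".join(map(str, inner[16:20])),
        "protocol": proto,
        "protected": proto == 50,
        "visible_payload": b"" if proto == 50 else inner[ihl:],
    }

# Constructed samples (made-up labels and RFC 1918 addresses): the same
# L3VPN stack carrying a plaintext HTTP request and an IPsec ESP packet.
CLEAR = (mpls_entry(16) + mpls_entry(24, bottom=True)
         + ipv4_packet("10.1.1.10", "10.2.2.20", 6, b"GET /payroll HTTP/1.0\r\n"))
ESP = (mpls_entry(16) + mpls_entry(24, bottom=True)
       + ipv4_packet("10.1.1.1", "10.2.2.1", 50, bytes(range(32))))
```

Calling `classify(CLEAR)` returns the full HTTP request as visible payload, while `classify(ESP)` shows only the addresses and the VPN label, which is the difference the per-site IPsec option in the answer buys you.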


3 Replies


It's great to have Daniel reply here :) IMHO, for current data growing and security threatening, it's recommended to deploy a secure VPN meeting the requirement, such as GETVPN or DMVPN. I believe we need to look at the requirement needs; for example, GETVPN will need a key server, and it might be installed in different sites for redundancy purposes. We also need to consider the overhead.... Hope to have your correction, mates.

Thanks for the answer Daniel..... it is using BGP in a mesh. The only time remote sites need to go to the central sites is for the servers or access to the internet etc. Our ASAs lie at those central sites.

Very good answer though. Thanks
