08-29-2012 02:11 AM - edited 03-04-2019 05:24 PM
Good day everyone;
I need some help in securing a back-to-back connection using E1.
The connection is between two cities, using 2x Cisco 1841 routers + VWIC-1MFT-E1 interface at each city.
The E1 connections have been provided by our local telco, and they are completely private.
The customer is a bank, and they are asking me if this is a secure connection or not.
If possible, we need to guarantee that nobody can get access to the bank network even if they brought an E1 modem to one of the ends (telco PoP).
Your quick help would be really appreciated
Best Regards
Salem
08-29-2012 02:32 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
A possible solution would be to encrypt all traffic between the two routers. Without researching, I don't recall whether the 1841 has on-board encryption hardware or supports add-on hardware, nor do I recall the software requirements (i.e. it might require a minimum feature set or an additional activation license).
08-30-2012 11:48 AM
It's secure.
If you have ever been in a Telco CO, you would understand how difficult it would be to find the right circuit to try and tap into. That being said, it's not impossible.
Joseph's suggestion regarding encryption would mitigate that. If you are not comfortable or familiar with setting up encryption, then follow Paolo's suggestion.
08-30-2012 12:35 PM
Hi Salem,
You would not need any encryption with an MPLS VPN, and you would have much more flexibility and control in place.
Check this as a solution with your ISP, because MPLS is not that expensive anymore.
Alessio
08-30-2012 05:26 PM
Alessio Andreoli wrote:
You would not need any encryption with a MPLS VPN and you would have much more flexibility and control in place.
Often the CE <> PE link isn't MPLS, even when the SP cloud is.
Even with MPLS, although it's perhaps much less likely for another MPLS VPN customer to tap your data, or perhaps there's less chance of your data being inadvertently directed to a 3rd party, there can still be concern over access by the SP themselves. If this is a concern, though, i.e. the security requirements are that stringent, then data should be encrypted end-to-end, not just across the SP's network.
08-30-2012 06:03 PM
Hi Joseph,
I partially agree with you in this sense. If it is true that the PE to CE routing protocol is very often something different from MPLS, you need to admit that this is not going to be an issue at all. You could extend a VRF from the CE to the PE, extending the private network that, de facto, MPLS is providing. For the second valid point that you were proposing, I could say the same for IPSec or whatever encryption you are going to implement. If you introduce human mistakes on the SP side, you also need to introduce the same potential danger for whoever is managing the encrypted tunnels. There is another valid point here which deserves attention. Assuming that a mistake is made, it is much better from a managerial/political/economical point of view that an external company makes it. In this way the enterprise/institution which will be exposed can avoid legal issues, because the VPN was not under their own responsibility and therefore no customer can complain (legally) about it.
Back to the technical reasons, I think I would still see an MPLS VPN as safer than an IPSec tunnel. If we even ignore the fact that often not even human inputs are allowed on the PE routers, we must consider that to forward the traffic to a wrong destination much more than a mistake is required; import/export maps, VRF, BGP encoding and much more would all have to be modified to forward the data traffic to the wrong place!
By the way, I guess that both IPSec and MPLS VPN are quite solid solutions.
Take care
Alessio
08-30-2012 07:16 PM
Alessio, no, sorry, I don't agree that using MPLS, even CE <> PE, makes this a non-issue. I see possible differences between accidental access and illicit access, and in legal shared responsibilities.
Assume I've arranged with an employee of a service provider to provide me a dump of your data transfers. Does MPLS really hinder my SP "partner"? However, if you transport your confidential data across the SP's network encrypted, this (hopefully) makes such access useless.
Could the same collusion happen with an internal employee (of the data source's company)? Sure, but with internal employees you're better able both to directly vet them and to control access and auditing policies.
You mention it's better if we just allow an external entity to take full responsibility. Perhaps in some cases, but legal responsibilities can be "funny". If a bank contracted a 3rd party to transport inter-bank cash transfers, using a company that put the cash bags in the back of an open pick-up (to save costs) vs. an armored car with armed guards, and someone helped themselves to the contents of the open pick-up, do you really think the bank would be excluded from any and all legal responsibility for such a loss?
Years ago, I worked in a bank's IT group, working on computer programs for their International banking section. When individual electronic transfers are over 100 million dollars (literally), there's lot of concern about security even before considering regulations and laws.
08-31-2012 03:41 AM
Hi Joseph,
Thanks for your cool reply. I know what you are talking about because I worked for banks and military environments in the past as a Network Architect, and I can assure you that many banks moving even bigger amounts of money (electronically) than $100M would prefer a well-built, dedicated MPLS network to IPSec. As for internal audit and security policies, you probably know better than me that no perfect policy can be implemented, for billions of factors. By the way, I am not saying that an IPSec tunnel would be a bad idea, just that a well-built MPLS VPN would be more appropriate, in my humble opinion.
Thanks for your reply anyway; I like to talk about these choices. They are always spots to think about.
Take Care
Alessio
08-31-2012 05:04 AM
Thanks a lot guys for your contribution here;
I don't know anything about MPLS, and neither does my SP.
I'm just wondering if there is any way to apply any possible encryption technique to the PPP connections via serial interfaces.
Your advice would be appreciated
Thanks
08-31-2012 05:32 AM
Take a look at this:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009475c.shtml
It will be a good starting point for the answers you are looking for. However, you essentially must do these tasks:
1) establish PPP communication (implement PPP encapsulation on the serial interfaces) and verify it (session up)
2) write your crypto map
3) apply the crypto map to the serial interface
Hope this helps
Alessio
PS: L2TP is another way to tunnel info and can run in combination with IPSec
09-01-2012 01:45 PM
Thanks a lot Alessio for your support;
I think we only need to think about encryption; here is my start, I guess:
I think this is what we can do for this customer now; please let me know if you don't agree.
Also, is there any way to verify this solution?
Many thanks in advance
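The three tasks Alessio listed (PPP on the serial interface, a crypto map, crypto map applied to the interface) and the verification Salem asks about, worked through as an added example. This is a constructed illustration written for this page; it is not configuration from any poster and not the config Salem was about to attach. Everything below the thread does not give is an assumption: the controller/interface numbering 0/0/0, the /30 on the PPP link (10.0.0.0/30), the two bank LANs (192.168.1.0/24 at site A, 192.168.2.0/24 at site B), the hostnames, and the placeholder pre-shared key. IKEv1 with AES-256/SHA-1 is shown because that is what 12.4-era 1841 code offers; use IKEv2 and SHA-2 where the installed IOS supports them.

```cisco
! ===== Site A (constructed example; names, addresses and slot numbers are assumptions) =====
hostname SiteA
!
! E1 circuit from the VWIC-1MFT-E1: all 31 timeslots in one channel group -> Serial0/0/0:0
controller E1 0/0/0
 framing crc4
 linecode hdb3
 channel-group 0 timeslots 1-31
!
! --- Task 2: crypto map and its building blocks ---
! IKE phase 1: AES-256, SHA-1, pre-shared key, DH group 14
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 28800
! Placeholder PSK: replace with a long random string, identical on both routers
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 10.0.0.2
! Dead peer detection: a far end that is unplugged or swapped tears the SA down instead of black-holing
crypto isakmp keepalive 10 3 periodic
!
! IKE phase 2: ESP with AES-256 and SHA-1 HMAC, tunnel mode (outer header is the /30, LAN addresses are hidden)
crypto ipsec transform-set E1-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Traffic selector: LAN-to-LAN traffic is encrypted; site B carries the mirror image of this ACL
ip access-list extended E1-CRYPTO
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map E1-MAP 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set E1-TS
 set pfs group14
 match address E1-CRYPTO
!
! --- Task 1: PPP on the serial interface;  Task 3: crypto map applied to it ---
interface Serial0/0/0:0
 description E1 to SiteB via telco
 encapsulation ppp
 ip address 10.0.0.1 255.255.255.252
 crypto map E1-MAP
!
interface FastEthernet0/0
 description LAN A
 ip address 192.168.1.1 255.255.255.0
!
! Point-to-point link: a static route is enough, no routing protocol in the clear
ip route 192.168.2.0 255.255.255.0 Serial0/0/0:0
!
! ===== Site B: same policy, mirrored addresses =====
hostname SiteB
!
controller E1 0/0/0
 framing crc4
 linecode hdb3
 channel-group 0 timeslots 1-31
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 10.0.0.1
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set E1-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
ip access-list extended E1-CRYPTO
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto map E1-MAP 10 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set E1-TS
 set pfs group14
 match address E1-CRYPTO
!
interface Serial0/0/0:0
 description E1 to SiteA via telco
 encapsulation ppp
 ip address 10.0.0.2 255.255.255.252
 crypto map E1-MAP
!
interface FastEthernet0/0
 description LAN B
 ip address 192.168.2.1 255.255.255.0
!
ip route 192.168.1.0 255.255.255.0 Serial0/0/0:0
!
! ===== Verification (exec mode on SiteA) =====
! 1) Layer 1 and PPP: controller should be up with no alarms, LCP/IPCP open
show controllers e1 0/0/0
show interfaces Serial0/0/0:0
! 2) Send "interesting" traffic that matches E1-CRYPTO so the SA is negotiated
ping 192.168.2.1 source 192.168.1.1
! 3) Phase 1 SA should be QM_IDLE; phase 2 should show pkts encaps/decaps counters rising
show crypto isakmp sa
show crypto ipsec sa
! 4) Confirm which crypto engine (onboard hardware or software) is doing the work
show crypto engine configuration
```

What the example actually buys the bank: someone who patches an E1 test set in at the telco PoP sees PPP frames carrying only ESP between 10.0.0.1 and 10.0.0.2. The LAN addressing and the payload are inside the ESP envelope, replayed frames are dropped by the ESP anti-replay window, and forged frames fail the HMAC check, so the attacker can at most cut or degrade the link. Two checks before relying on it: `show version` must report a security (k9) feature set image, because the `crypto` commands above are not present otherwise, and the PSK must be a long random value, since an IKEv1 pre-shared key is the only thing authenticating the two peers. If `show crypto ipsec sa` shows encaps but no decaps, the usual cause is a non-mirrored ACL or a mismatched transform set at the far end.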