Security Basics mailing list archives
Re: Network Upgrade
From: James Lee Bell <nuclear-cowboy () cox net>
Date: Sat, 08 Mar 2008 11:57:43 -0700
Jon R. Kibler wrote:
Mohit Sharma wrote:
(snip)
Could you please help me seek more clarity over the security issues MPLS over IPsec could have? We're ISO 27001 certified and were working in completely isolated VSAT networks, this MPLS would change the entire risk assessment and all. Are there any things I need to keep in mind?

The smartest way to deploy MPLS is to have the ISP install their managed routers at each of your locations. Your router (which should be the same model) then simply has an ethernet connection to the ISP router. The ISP router then handles all the MPLS. All your router has to do is to supply the ISP router with IP packets that have the appropriate DSCP QoS value set so that packets are appropriately prioritized. With properly configured MPLS, you should have a semi-private VPN. The only risk with MPLS is that someone is able to sniff the MPLS traffic at some point in the network. That is where IPSec comes into play. What I usually do is to set up IPSec SAs between each company site router. Typically, the SA is applied to the router interface that connects to the ISP router. Then, assuming that you have properly configured ESP, all the traffic that goes to the MPLS network has IPSec encryption and authentication. Thus, the small risk of having MPLS traffic sniffed is essentially eliminated.
The other issues are the management overhead of the IPSEC tunnels if you have lots of sites to do this with, and the fact that you lose some of the benefits of MPLS clouds in the first place, e.g. any-site-to-any-site connectivity and associated QOS. You either end up with hub-n-spoke functionality using MPLS as the transport if you deploy single tunnels per site, or partial mesh if you deploy multiple tunnels per site. You can do full mesh and keep the any-to-any connectivity (if not the QOS precisely) if you have a small enough set of sites, but maintaining 200 sites and 199 tunnels at each site for full mesh becomes a bit much.
Cisco - and presumably others soon - have developed their GET or group-encryption-tunnel tech last year to fix this issue. Only the payload gets encrypted, and the IP headers stay untouched enabling any MPLS based QOS functionality based on Layer 3/4 you could want.
Has anyone actually deployed this latter? Successfully?
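The trade-off the two replies above describe, between encrypting everything on the ISP-facing interface and keeping enough of the header visible for the MPLS provider's QoS, can be made concrete with a small model. The following is an added example, not code from the thread or from any vendor: it is a constructed Python model of what a Layer 3/4 classifier on the ISP router can still read after ESP is applied in tunnel mode (with and without copying the inner DSCP to the outer header) versus a header-preserving scheme of the kind the GET remark refers to. No real cipher is involved; the `OPAQUE` marker simply stands for bytes the classifier can no longer read. The `classify` and `premark` policies, the DSCP choices and the addresses are all assumptions made for the demonstration. One point the model makes explicit that the thread leaves implicit: ESP encrypts the transport header in either mode, so a port-based QoS match only survives if the DSCP is set on the plaintext packet before encryption, which is exactly what the advice to hand the ISP router packets with the right DSCP already set achieves.

```python
# Added example (not from the thread): a constructed model of what a Layer 3/4
# QoS classifier on the ISP-facing interface can still read after ESP is applied.
# No real cipher is used; OPAQUE simply marks bytes that are no longer readable.
from dataclasses import dataclass, replace
from typing import Optional

EF = 46            # DSCP Expedited Forwarding, the usual voice marking
AF31 = 26          # DSCP Assured Forwarding class 3, used here for business data
OPAQUE = b"<esp-ciphertext>"   # stand-in for encrypted bytes


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dscp: int               # 6-bit DSCP field in the IP header
    proto: str              # "tcp", "udp" or "esp"
    dport: Optional[int]    # transport port; None once hidden inside ESP
    payload: bytes


def classify(pkt: Packet) -> str:
    """Constructed ISP-side policy: match DSCP first, then fall back to a
    Layer-4 port match (the 'Layer 3/4' matching the thread mentions)."""
    if pkt.dscp == EF:
        return "priority"
    if pkt.dscp == AF31 or pkt.dport == 443:
        return "business"
    return "best-effort"


def premark(pkt: Packet) -> Packet:
    """Set DSCP on the plaintext packet before encryption, i.e. supply the ISP
    router with packets that already carry the appropriate DSCP value."""
    if pkt.dport == 443 and pkt.dscp == 0:
        return replace(pkt, dscp=AF31)
    return pkt


def esp_tunnel_mode(pkt: Packet, gw_src: str, gw_dst: str, copy_dscp: bool) -> Packet:
    """Site-to-site tunnel: the whole inner packet becomes ESP payload behind a
    new outer header. Copying the inner DSCP to the outer header is a policy
    choice (RFC 4301 permits it); without it the ISP sees DSCP 0."""
    return Packet(src=gw_src, dst=gw_dst, dscp=pkt.dscp if copy_dscp else 0,
                  proto="esp", dport=None, payload=OPAQUE)


def esp_header_preserving(pkt: Packet) -> Packet:
    """Group/transport-style encryption: the original IP header (addresses,
    DSCP) stays in the clear; the transport header and data are encrypted."""
    return replace(pkt, proto="esp", dport=None, payload=OPAQUE)


def tunnels_per_site(sites: int, full_mesh: bool) -> int:
    """Tunnels each site must maintain: one to the hub, or one to every peer."""
    return sites - 1 if full_mesh else 1


def demo() -> dict:
    # Constructed sample traffic from site A to site B (RFC 1918 / RFC 5737 addresses)
    voice = Packet("10.1.0.5", "10.2.0.9", EF, "udp", 16384, b"rtp")
    web = Packet("10.1.0.5", "10.2.0.9", 0, "tcp", 443, b"tls")
    gw_a, gw_b = "203.0.113.1", "203.0.113.2"
    results = {}
    for name, pkt in (("voice", voice), ("web", web)):
        results[name] = {
            "clear": classify(pkt),
            "tunnel_no_copy": classify(esp_tunnel_mode(pkt, gw_a, gw_b, False)),
            "tunnel_copy": classify(esp_tunnel_mode(pkt, gw_a, gw_b, True)),
            "tunnel_copy_premarked": classify(
                esp_tunnel_mode(premark(pkt), gw_a, gw_b, True)),
            "header_preserving": classify(esp_header_preserving(pkt)),
            "header_preserving_premarked": classify(
                esp_header_preserving(premark(pkt))),
        }
    results["tunnels_per_site_200_mesh"] = tunnels_per_site(200, True)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the voice packet keeping its priority class everywhere except tunnel mode without DSCP copy, where the ISP sees DSCP 0 and drops it to best effort; the web packet loses its port-based class under every form of ESP and only keeps a business class when it was marked AF31 before encryption. The 199-tunnels-per-site figure for a 200-site full mesh falls out of `tunnels_per_site`.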