MPLS IP VPN security: How are MPLS IP VPNs resistant to attacks?
There is a growing concern as to how secure MPLS IP VPNs really are and how they can be protected from Internet attacks. Fortunately, the answer is pretty straightforward, and it doesn’t require a lot of technical analysis to see why.
In pure MPLS IP VPN environments without Internet access, where the network is used to connect different sites, the core network and network address space is concealed 100%. This means that no information is revealed to third parties or the Internet. With no information revealed, hackers are unable to obtain access to critical information such as router IP addresses in order to perform Denial of Service (DoS) attacks and bring down the network.
In addition, service providers prevent their routers from being reachable via the Internet by using well-known techniques such as packet filtering, applying access control lists (ACLs) to limit access only to the ports of the routing protocol (i.e., BGP) from specific areas within their network.
In an environment where Internet access is provided to the enterprise via the MPLS link, Internet service providers (ISPs) use similar mechanisms to lock down their Customer Edge (CE) routers that provide access to the Internet. The routing protocols used by the ISP have built-in mechanisms that are usually enabled and increase the security level even more. A few examples are the configuration of the MD5 authentication for routing protocols (such as BGP and OSPF,), configuration of maximum number of routes accepted per virtual routing and forwarding instance (VRF).
MPLS IP VPN encryption
While MPLS IP VPNs provide a scalable model in which enterprises can securely connect remote sites between each other, there have been quite a few discussions about the encryption services offered by service providers for these circuits.
The fact is that MPLS IP VPNs usually do not offer any encryption services. The MPLS VPN architecture makes it pretty impossible to hack into the MPLS circuits and expose the internal network(s) and routes, unless a major bug or configuration flaw exists somewhere in the provider’s network.
Encryption of the MPLS VPN is performed using IPsec, which essentially is a suite of protocols designed to provide a secure IP-based pathway between two or more endpoints. You can read more about Internet Protocol security on Firewall.cx’s dedicated IPsec page.
Below are two examples of IPsec encryption between two sites connected via an MPLS IP VPN:
Enlarge MPLS IP VPN encryption diagram.
CE-CE IPsec MPLS IP VPNs
In this example, the IPsec is used between the CEs on each end; therefore, the entire path between the CEs is protected. This setup offers the best possible protection against possible hacking attempts. Packets enter the CE router and are immediately encrypted. When packets are decrypted on the other end, they are located directly at the enterprise’s LAN network.
CE-CE IPsec offers true protection against the following threats:
- Replay of legitimate packets that have been recorded previously.
- Change of packets that are in transit between the sites.
- Eavesdropping anywhere between the CE's, provider edge's (PE) or provider's (P) routers.
PE-PE IPsec MPLS IP VPNs
This method is by far less secure than the previous one examined. IPsec encryption occurs from the PE routers onwards, leaving the rest of the network unencrypted and therefore not providing true VPN security.
PE-PE IPsec offers true protection against the following threats:
- Eavesdropping between the PE's or P's routers.
Generally, point-to-point VPN connections are easy to manage, but when the scenario gets more complex with multiple endpoints, IPsec tunnels do have a considerable administrative overhead that shouldn’t be taken lightly. For example, maintaining an IPsec topology between five sites requires the configuration of multiple crypto IPsec tunnels on each router located at every site. Any changes made to one router—like internal routes or LAN IP addressing—require the reconfiguration of all other routers so that the IPsec tunnels continue working correctly.
→ Continue reading this tutorial to learn why enterprises are turning towards DSL VPNs instead of MPLS VPNs. Or to read more on VPN encryption and IP security, you can also visit Firewall.cx's network protocol section.
This was first published in July 2011