Wednesday, November 02, 2016

Does MPLS (Multi-Protocol Label Switching) Meet The Data Security Needs Of Business Organizations?

MPLS as a Bandwidth Solution, by itself, merely offers a "label switching" architecture, and does not address security in any way. It enables the efficient routing of datagrams/packets over a path, in a manner not unlike driving a car on highways - when you're on the highway, all you care about is the exit, not the final destination. Similarly, when you're "labeled" routers hop you through the cloud till the end of your label switched path.

Security is achieved by the tunneled layer II or layer III protocol. In the case of most VPNs, that would be IPSec, which - through its components, AH and ESP, offer the security services required, including confidentiality, and protection from man in the middle forms. IPSec encryption and authentication is generally regarded as highly secure (it can work with the latest FIPS approved standards, e.g. AES (Rijndael)). The only minor caveat is in key establishment, but that, too, can be easily solved.

It is important to keep in mind that not all MPLS networks are created equal. Some telecommunications providers route Internet traffic across the same backbone that also caries MPLS traffic while some have built dedicated private network MPLS only backbones.

Some vendors allow customer controlled routers to inject MPLS labels into the network and therefore they could be subject to spoofing attacks while other vendors edge routers will have ingress and egress policies that will reject and shutdown any customer edge interface that has has MPLS packets on them.

Some vendors require check sums and authentication of peering routers with static addresses assigned and controlled others do not care. And some vendors allow full encryption of traffic prior to MPLS encapsulation but others will warn you that you will lose classes of service etc. if you do that.

Key to the question is "which organization"? The answer is also linked to the use case for the technology. Three combinations immediately spring to mind - and more will probably crop up if anyone cares to offer comments in reply.

* Use Case 1 - Shared Public Network - SP Perspective

If you are looking at the ISP/SP that is providing shared access across common equipment then MPLS-VPN is a solid technology that provides good segmentation of traffic. In that respect it is an excellent technical approach that provides benefits. As pointed out above implementation is the key!

* Use Case 2 - Shared Public Network - Consumer Perspective

From the perspective of the consumer of the service that is provided the MPLS VPN is transparent. The term VPN is potentially misleading in that there is no tunnel from end-point to end-point. It is more of a Virtual Circuit on the packet-based network. There is no security provided by the MPLS technology because access to the routers = access to the data and control of that is with a third party.

* Use Case 3 - Private Network over SP Infrastructure

The third use case is on the backbone of the network inside a large organisation where the MPLS infrastructure is managed across an infrastructure provided by a third-party SP/ISP cloud. In this scenario the MPLS services can provide separation of traffic, control and QoS in a "VLAN on Steroids" approach. Again implementation is key.

* Approach to Regulation and Encryption

If an organisation is regulated for privacy - healthcare, financial services etc., then it is going to want to layer a full VPN implementation over the MPLS to provide the tunnel security that is usually the interpretation of the legislation. In current implementations, that VPN could be SSL/TLS based or IPSEC, but will generally use strong encryption from end-to-end and incorporate good key-management processes.

I hope this summary prompts more discussion (sic comments in reply) - as there is a lot of confusion about the security implications of these technologies. But it's a good question to ask.

Labels: , , , , , , ,


Post a Comment

Links to this post:

Create a Link

<< Home