MPLS Connection / Security

fid500fid500 Member Posts: 71 ■■□□□□□□□□
We are in the process of connecting to other branches in europe and USA through MPLS. We were thinking about connecting through the ASA 5510 using a subinterface on DMZ. Our corporate office suggested connecting the CE router directly to the core 4506. Each branche have their own security policy. Is this a safe way to go?

Comments

  • networker050184networker050184 Mod Posts: 11,962 Mod
    I'd tie it directly into your core also personally. No need for the firewall and DMZ for branch to branch connectivity over MPLS IMO.
    An expert is a man who has made all the mistakes which can be made.
  • chrisonechrisone Member Posts: 2,278 ■■■■■■■■■□
    Im not a Guru on MPLS as I am no CCIP, but from experience isnt it already a secured medium? I guess to answer my own question LOL it is secured only to the outside, but i guess in between end points "Companies" you can tie the network to your router and have the routing interface on the router. Now to secure it, you can say any traffic destined for the internal network go to the ASA, then the ASA should have routes or static routes pointing to all the networks you want to communicate with. Then again all the routes can reside on your edge routers and you would point that traffic back from the ASA to the router and cause a loop ha ha ha, so i guess it all depends on your network design. But i hope these points help icon_smile.gif
    Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
    2023 Cert Goals: SC-100, eCPTX
  • ColbyGColbyG Member Posts: 1,264
    Malicious traffic shouldn't be coming from your MPLS WAN.
  • fid500fid500 Member Posts: 71 ■■□□□□□□□□
    Thanks all for your responses.
    What we mainly worried about is some user in a different branch getting a virus and propagating to our network. At least with ASA the traffic is inspected before allowed in.
  • networker050184networker050184 Mod Posts: 11,962 Mod
    fid500 wrote: »
    Thanks all for your responses.
    What we mainly worried about is some user in a different branch getting a virus and propagating to our network. At least with ASA the traffic is inspected before allowed in.

    Its a legit concern to have. I just don't think its enough of a concern to warrant pumping branch traffic through an ASA and into a DMZ. I'll admit I'm not the most security conscience guy around though icon_wink.gif
    An expert is a man who has made all the mistakes which can be made.
  • keenonkeenon Member Posts: 1,922 ■■■■□□□□□□
    There really shouldn't be a security concern to warrant a firewall as mpls is its own L3 vpn. But being on the paranoid side you could build another vpn tunnel between the sites. Which I think is overkill unless you don't trust the provider. If thats the case its no different than doing it over the internet
    Become the stainless steel sharp knife in a drawer full of rusty spoons
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    keenon wrote: »
    There really shouldn't be a security concern to warrant a firewall as mpls is its own L3 vpn. But being on the paranoid side you could build another vpn tunnel between the sites. Which I think is overkill unless you don't trust the provider. If thats the case its no different than doing it over the internet

    The client I'm working with now runs VPNs over all their point-to-point links. I asked if they just don't their provider, and he just said they'd rather be overly cautious. They also have a forensics checklist that goes down to specific registry keys to review in their security policy. Hardcore icon_cool.gif
  • fid500fid500 Member Posts: 71 ■■□□□□□□□□
    We are not very worried about another entity in MPLS cloud intercepting our traffic. What we are more worried about are users in the other branches spreading viruses. As for using VPN, there is a possiblity of processing overhead and traffic slowing down which we are trying to avoid.
  • mikej412mikej412 Member Posts: 10,086 ■■■■■■■■■■
    All I'll say is that we just assume that everyone is an axe murderer and we implement security accordingly.
    :mike: Cisco Certifications -- Collect the Entire Set!
  • shednikshednik Member Posts: 2,005
    mikej412 wrote: »
    All I'll say is that we just assume that everyone is an axe murderer and we implement security accordingly.

    I like this one the best :D
  • AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    Remember though that MPLS is a logical separation of traffic, it is not encrypted. If your business is governed by legal compliance on data integrity/confidentiality (or it's just very important IP (the intellectual kind)) then using an IPSec VPN aswell is the way to go.
    Regardless I'd go with putting the firewalls on each side of the links for exactly the reasons you stated (also it may help you spot data leaks and just badly configured net services that shouldn't be on there in the first place, though you could to this with Netflow aswell). Having an appliance with integrated IPS would be a plus also but of course that is pushing the cost.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
Sign In or Register to comment.