MPLS Connection / Security

We are in the process of connecting to other branches in europe and USA through MPLS. We were thinking about connecting through the ASA 5510 using a subinterface on DMZ. Our corporate office suggested connecting the CE router directly to the core 4506. Each branche have their own security policy. Is this a safe way to go?

Find more posts tagged with

Comments

networker050184

I'd tie it directly into your core also personally. No need for the firewall and DMZ for branch to branch connectivity over MPLS IMO.

chrisone

Im not a Guru on MPLS as I am no CCIP, but from experience isnt it already a secured medium? I guess to answer my own question LOL it is secured only to the outside, but i guess in between end points "Companies" you can tie the network to your router and have the routing interface on the router. Now to secure it, you can say any traffic destined for the internal network go to the ASA, then the ASA should have routes or static routes pointing to all the networks you want to communicate with. Then again all the routes can reside on your edge routers and you would point that traffic back from the ASA to the router and cause a loop ha ha ha, so i guess it all depends on your network design. But i hope these points help

ColbyG

Malicious traffic shouldn't be coming from your MPLS WAN.

fid500

Thanks all for your responses.
What we mainly worried about is some user in a different branch getting a virus and propagating to our network. At least with ASA the traffic is inspected before allowed in.

networker050184

fid500 wrote: »

Thanks all for your responses.
What we mainly worried about is some user in a different branch getting a virus and propagating to our network. At least with ASA the traffic is inspected before allowed in.

Its a legit concern to have. I just don't think its enough of a concern to warrant pumping branch traffic through an ASA and into a DMZ. I'll admit I'm not the most security conscience guy around though

keenon

There really shouldn't be a security concern to warrant a firewall as mpls is its own L3 vpn. But being on the paranoid side you could build another vpn tunnel between the sites. Which I think is overkill unless you don't trust the provider. If thats the case its no different than doing it over the internet

dynamik

keenon wrote: »

There really shouldn't be a security concern to warrant a firewall as mpls is its own L3 vpn. But being on the paranoid side you could build another vpn tunnel between the sites. Which I think is overkill unless you don't trust the provider. If thats the case its no different than doing it over the internet

The client I'm working with now runs VPNs over all their point-to-point links. I asked if they just don't their provider, and he just said they'd rather be overly cautious. They also have a forensics checklist that goes down to specific registry keys to review in their security policy. Hardcore

fid500

We are not very worried about another entity in MPLS cloud intercepting our traffic. What we are more worried about are users in the other branches spreading viruses. As for using VPN, there is a possiblity of processing overhead and traffic slowing down which we are trying to avoid.

mikej412

All I'll say is that we just assume that everyone is an axe murderer and we implement security accordingly.

shednik

mikej412 wrote: »

All I'll say is that we just assume that everyone is an axe murderer and we implement security accordingly.

I like this one the best

Ahriakin

Remember though that MPLS is a logical separation of traffic, it is not encrypted. If your business is governed by legal compliance on data integrity/confidentiality (or it's just very important IP (the intellectual kind)) then using an IPSec VPN aswell is the way to go.
Regardless I'd go with putting the firewalls on each side of the links for exactly the reasons you stated (also it may help you spot data leaks and just badly configured net services that shouldn't be on there in the first place, though you could to this with Netflow aswell). Having an appliance with integrated IPS would be a plus also but of course that is pushing the cost.