So, we're looking at moving from a traditional hub/spoke environment to an MPLS environment. We have hundreds of sites around the world. Some are on an S2S VPN connection back to the closest data center; most are on dedicated circuits. Unfortunately, the customer wants to rely solely on the service provider to provide encryption and take the firewalls out of the loop at local sites. Granted, we don't have firewalls at every site now, but we do have hub sites that do have firewalls, where we have increased visibility and the flexibility to use Suspicious Activity Monitor to block offending systems.
I'm not a decision maker or influencer on this project, so that's pretty much how it's going to be. I'd much rather see every site with its own UTM running SMDF and VPN. I don't want to rely on a service provider to take care of encryption; I'd rather do it myself. We would also have the ability to take care of offending systems (malware spreading, etc.) with Suspicious Activity Monitor (surgical) instead of unplugging the whole site at the mercy of the local LEC (chainsaw), who may take hours to fulfill our request. A happy medium would be to route all of the MPLS traffic through regional firewalls prior to passing the traffic on to the data centers. We could at least have visibility by region as opposed to only at the data centers...
One thing I might add is that some LECs in foreign countries are state-run or have open access to state representatives (or even the mafia; think Russian Business Network). If we rely on the LEC to provide encryption, who's to say that the foreign government (or mob) doesn't just drop a sniffer in before the encryption takes place and start looking at all of our goodies?
Call me paranoid, but I really don't think this is a good idea. Luckily, we've communicated this to all the right people and it is very well documented in multiple emails, so at least our asses are covered with an "I told you so."
What are your thoughts on this? What would you recommend?