CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Thread: MPLS

  1. #1
    Join Date
    2008-11-23
    Location
    Atlanta, GA

    Default MPLS

    So, we're looking at moving from a traditional hub/spoke environment to an MPLS environment. We have hundreds of sites around the world. Some are on a s2s VPN connection back to the closest data center, most are on dedicated circuits. Unfortunately, the customer wants to rely solely on the service provider to provide encryption and take the firewalls out of the loop at local sites. Granted, we don't have firewalls at every site now, but we do have hub sites that do have firewalls where we have increased visibility and flexibility to use Suspicious Activity Monitor to block offending systems.

    I'm not a decision maker or influencer on this project, so that's pretty much how it's going to be. I'd much rather see every site with its own UTM running SMDF and VPN. I don't want to rely on a service provider to take care of encryption - I'd rather do it myself. We would also have the ability to take care of offending systems (malware spreading, etc.) with Suspicious Activity Monitor (surgical) instead of unplugging the whole site at the mercy of the local LEC (chainsaw), who may take hours to fulfill our request. A happy medium would be to route all of the MPLS traffic through regional firewalls prior to passing the traffic on to the data centers. We could at least have visibility by region as opposed to only at the data centers...

    One thing I might add is that some LECs are state-run or have open access to state representatives (or even mafia, think Russian Business Network) in foreign countries. If we rely on the LEC to provide encryption, who's to say that the foreign government (or mob) doesn't just drop a sniffer in before the encryption takes place and starts looking at all of our goodies?

    Call me paranoid, but I really don't think this is a good idea. Luckily, we've communicated this to all the right people and it is very well documented in multiple emails - so at least our asses are covered with an "I told you so."

    What are your thoughts on this? What would you recommend?
    - boldin
    CISSP
    CCSE/R65

  2. #2
    Join Date
    2006-06-27
    Location
    New Zealand (this week)

    Default Re: MPLS

    Hi there.

    Never rely upon the network provider to get it right with MPLS. I rolled out the Security Infrastructure for a number of multinationals using various providers including BT and C&W, both of which are respectable companies, but both of which had problems.

    BT in particular managed to expose our entire network to another company with the same IP address range. Fortunately I knew the guys there well enough through a previous engagement and we managed to quickly resolve the situation internally.

    my $0.02c

  3. #3
    Join Date
    2008-11-23
    Location
    Atlanta, GA

    Default Re: MPLS

    That's the kind of stuff I'm looking for to provide to our higher-ups. Anyone else have some advice or want to provide their two cents as well?

    Thanks.
    - boldin
    CISSP
    CCSE/R65

  4. #4
    Join Date
    2006-02-09
    Location
    Charleston, SC

    Default Re: MPLS

    The thought of a deployment like this scares the hell out of me. At the risk of losing my job, I would type something up saying I strongly disagree with this method of deployment for data security reasons and refuse to be held accountable for any data that is mishandled or exposed and have someone sign it.

    .02
    There's no place like 127.0.0.1

  5. #5
    Join Date
    2006-12-16

    Default Re: MPLS

    Quote Originally Posted by lammbo
    The thought of a deployment like this scares the hell out of me. At the risk of losing my job, I would type something up saying I strongly disagree with this method of deployment for data security reasons and refuse to be held accountable for any data that is mishandled or exposed and have someone sign it.

    .02

    Yeah, that is why IPsec over GRE is great: you encrypt the traffic router to router as it rides on the provider's MPLS network. I trust no one, and anyone in business not willing to think about security is crazy. You may be able to do this for no money if your current routers support this.
    CCSA,CCSE,CCSE+,CCMSE+P1,CCMSE+VSX,CCMA #23
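    As an added example (not from the thread or from any poster), here is a minimal Cisco IOS configuration for the router-to-router design described in the last reply: a GRE tunnel between two customer routers, protected by IPsec, so the provider's MPLS network only ever carries ESP. Addresses, interface names and the pre-shared key are placeholders, and the command set assumes an IOS release that supports SHA-256 and DH group 14.

    ```cisco
    ! Hub-side router (constructed example; the branch router mirrors this
    ! with its own tunnel/peer addresses swapped).
    !
    ! IKE phase 1: authenticate the peer router and protect the key exchange.
    crypto isakmp policy 10
     encryption aes 256
     hash sha256
     authentication pre-share
     group 14
    ! PLACEHOLDER: use a long random PSK (or certificates) per peer.
    crypto isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.2
    !
    ! IKE phase 2: ESP with AES-256 and SHA-256 integrity.
    ! Transport mode is enough because GRE already adds the outer IP header.
    crypto ipsec transform-set MPLS-TS esp-aes 256 esp-sha256-hmac
     mode transport
    !
    crypto ipsec profile MPLS-PROF
     set transform-set MPLS-TS
    !
    ! GRE tunnel riding the provider circuit; "tunnel protection" binds
    ! the IPsec profile so every GRE packet leaves the box encrypted.
    interface Tunnel0
     description GRE to branch, encrypted with IPsec across provider MPLS
     ip address 10.255.0.1 255.255.255.252
     tunnel source GigabitEthernet0/0
     tunnel destination 203.0.113.2
     tunnel mode gre ip
     tunnel protection ipsec profile MPLS-PROF
    !
    ! Provider-facing interface: the only thing the carrier should see on
    ! this link is ESP between 203.0.113.1 and 203.0.113.2.
    interface GigabitEthernet0/0
     description Provider MPLS handoff (PLACEHOLDER addressing)
     ip address 203.0.113.1 255.255.255.252
    !
    ! Internal routes point at the tunnel, never at the raw provider link.
    ip route 10.20.0.0 255.255.0.0 Tunnel0
    ```

    To confirm the traffic is actually being encrypted rather than falling back to clear GRE, check that the #pkts encaps/decaps counters in `show crypto ipsec sa` grow in step with the tunnel interface counters, and that a capture on the provider-facing interface shows only ESP (IP protocol 50) to the peer.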
