Summary


This chapter assessed the security implications of an enterprise using provider-provisioned IP VPNs based on MPLS, compared to traditional Frame Relay and ATM Layer 2 VPNs. The conclusion is that, in terms of technology, IP VPNs based on MPLS are as secure as Layer 2 VPNs. Security of the MPLS paradigm was further examined by looking at how MPLS can relieve core routers of supporting Internet routes in a provider environment. The objective is to analyze issues from an enterprise perspective so that reasoned choices can be made about the service selected from provider offerings.

The issue of shared or private PEs was also tackled, with the clear guidance that segregated PEs between VPN and Internet service are most secure from the enterprise perspective. Options for PE-to-CE connectivity were discussed, and the cost and security trade-offs were identified.

Security issues that used to be relevant only to provider networks are now relevant to larger enterprise networks as the number of third-party networks that enterprises connect to expands. Techniques such as filtering, tracing spoofed packets, remote trigger black-hole filtering, loose and strict uRPF, sinkholes, and backscatter traceback were all detailed. Insight was provided into hacker tools such as bots, botnets, and worms and how to mitigate them. The common theme is preparation, baselining via NetFlow and a NetFlow Collector. Additional security measures such as TCP Intercept, Cisco Guard, Cisco Security Agent, and more can be considered as part of the overall security plan. Regardless of what technical elements are deployed, defined team roles and practice with the available tools are essential to maintain an operational network in today's environment.




Selecting MPLS VPN Services
ISBN: 1587051915
EAN: 2147483647
Year: 2004
Pages: 136
