Authentication and Transmission Protection

1. MPLS VPN

One possible secure WAN solution is to use connectivity within a service provider’s Multiprotocol Label Switching VPN (MPLS VPN) network. Providers use MPLS VPNs to isolate customers from each other and from external networks, similarly to older technologies such as Frame Relay or ATM.

Customer VPNs are as secure as the service provider’s infrastructure. If the same infrastructure is also used to provide Internet connectivity, the service provider’s network may be vulnerable to various types of attacks from the Internet.

MPLS VPNs provide any-to-any connectivity between customer sites, similar to using the Internet, but they allow the use of private addresses and interior routing protocols, similar to a classic WAN. Customer sites are protected from denial of service (DoS) attacks originating on the Internet, because the WAN devices and links are not reachable from it.

On the other hand, MPLS VPNs do not provide cryptographic traffic protection (data confidentiality, authenticity, and integrity), so many organizations do not consider them secure on their own. These services can be added by running IPsec inside the MPLS VPN.

2. IPsec VPN

The second secure WAN solution is to use IPsec VPN technology to provide confidentiality, peer and data authenticity, and data integrity assurance to traffic over a WAN.

An IPsec VPN solution consists of two cryptographic protocol components. The first is the IPsec traffic encapsulation method itself, usually Encapsulating Security Payload (ESP). The second is the Internet Key Exchange (IKE) protocol, which authenticates the peers, negotiates the protection policies, and exchanges the session (IPsec) keys.

IPsec Protection:


Peer authentication architecture:

  • Pre-Shared Keys
  • Wildcard Pre-Shared Keys
  • Public Key Authentication
WAN solution: Frame Relay or ATM
Comment: Use IPsec to provide confidentiality if required:

  • Typically hub-and-spoke
  • Long and random pre-shared keys are sufficient
  • IPsec topology can follow the physical topology
  • Use tools to generate long and random keys

WAN solution: MPLS VPN
Comment: Use IPsec to provide confidentiality if required:

  • Any-to-any connectivity provided
  • Use PKI if a meshed IPsec solution is used
  • IPsec topology can follow the logical topology of the MPLS VPN (e.g. use GET VPN for a virtual full mesh)

WAN solution: MPLS VPN
Comment: Use IPsec to provide confidentiality:

  • Any-to-any connectivity provided
  • Use PKI if a meshed IPsec solution is used
  • Strong peer authentication is required to mitigate break-in attempts
  • IKE is vulnerable to DoS attacks; consider using MPLS VPN

Guidelines for deploying IPsec over a classic WAN or MPLS VPN include:

  • For encryption, use 3DES or AES-256.
  • For packet authentication and integrity assurance, use SHA-1.
  • For key negotiation, use DH group 5 or 2 (investigate performance impact).
  • For peer authentication, use long and random pre-shared keys or RSA with 1024-bit modulus or more.
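The guidelines above can be checked mechanically against a router configuration. The following Python script is an added example, not part of the original article: it parses Cisco IOS-style "crypto isakmp policy" blocks from a constructed sample configuration, fills in the IOS defaults for omitted lines, and reports any encryption, hash or DH-group setting outside the list above, plus pre-shared keys shorter than an assumed 20-character threshold (the RSA modulus size lives elsewhere in the configuration and is not checked here).

```python
import re
# Constructed sample: two IOS ISAKMP policies and two pre-shared keys.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
crypto isakmp policy 20
 encr 3des
 hash md5
 group 1
crypto isakmp key cisco123 address 203.0.113.10
crypto isakmp key Yx7#pV2m!qL9@dRw4$nKe8&bTz0^uHs3 address 203.0.113.20
"""

ALLOWED = {"encr": {"3des", "aes 256"}, "hash": {"sha"}, "group": {"2", "5"}}  # per guidelines
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
MIN_PSK_LEN = 20  # assumed threshold for a "long" pre-shared key

def parse_policies(config):
    # Returns {policy_id: {attribute: value}}; IOS defaults fill in omitted lines.
    policies, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)\s*$", raw)
        if m:
            current = policies.setdefault(m.group(1), dict(IOS_DEFAULTS))
        elif current is not None and raw.startswith(" "):
            key, _, value = raw.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any other top-level line ends the policy block
    return policies

def check_policies(policies):
    """List guideline violations per policy (RSA modulus size is not visible here)."""
    findings = []
    for pid, p in sorted(policies.items(), key=lambda kv: int(kv[0])):
        for attr, allowed in ALLOWED.items():
            if p[attr] not in allowed:
                findings.append(f"policy {pid}: {attr} '{p[attr]}' not in {sorted(allowed)}")
    return findings

def check_psks(config):
    """Flag pre-shared keys shorter than MIN_PSK_LEN (a leading '0' marks a cleartext key)."""
    findings = []
    for m in re.finditer(r"crypto isakmp key (?:0 )?(\S+) address (\S+)", config):
        if len(m.group(1)) < MIN_PSK_LEN:
            findings.append(f"peer {m.group(2)}: {len(m.group(1))}-char pre-shared key is too short")
    return findings
```

Running check_policies(parse_policies(SAMPLE_CONFIG)) and check_psks(SAMPLE_CONFIG) on the sample flags policy 20 (MD5 hash, DH group 1) and the short key for peer 203.0.113.10, while policy 10 and the 32-character key pass.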