1. MPLS VPN
One possible secure WAN solution is to use connectivity within a service provider’s Multiprotocol Label Switching VPN (MPLS VPN) network. Providers use MPLS VPNs to isolate customers from each other and from external networks, similarly to older technologies such as Frame Relay or ATM.
Customer VPNs are as secure as the service provider’s infrastructure. If the same infrastructure is also used to provide Internet connectivity, the service provider’s network may be vulnerable to various types of attacks from the Internet.
MPLS VPNs provide any-to-any connectivity to customer sites, similar to using the Internet, but they allow the usage of private addresses and interior routing protocols, similar to classic WAN. Customer sites are protected from denial of service (DoS) attacks as the WAN devices, and links are not reachable from the Internet.
On the other hand, MPLS VPNs do not provide cryptographic traffic protection, which would provide data confidentiality, authenticity, and integrity; they are therefore not considered secure by many organizations. These services can be implemented by using IPsec technology inside an MPLS VPN.
2.IPSec VPN
The second secure WAN solution is to use IPsec VPN technology to provide confidentiality, peer and data authenticity, and data integrity assurance to traffic over a WAN.
An IPsec VPN solution consists of two cryptographic protocol components. The first is the IPsec traffic encapsulation method itself, which is usually in the form of the Encapsulated Security Payload (ESP) encapsulation. The second is the Internet Key Exchange (IKE) protocol for authentication of peers, negotiation of protection policies, and exchange of session—or IPsec—keys.
IPSec Protection :
[table “5” not found /]
Peer authentication architecture :
- Pre-Shared Keys
- Wildcard Pre-Shared Keys
- Public Key Authentication
WAN | Solution | Comment |
---|---|---|
Frame Relay or ATM | Use IPsec to provide confidentiality if required:
|
|
MPLS VPN | Use IPsec to provide confidentiality if required:
|
|
MPLS VPN | Use IPsec to provide confidentiality:
|
|
Guidelines for deploying IPsec over a classic WAN or MPLS VPN include:
- For encryption, use 3DES or AES-256.
- For packet authentication and integrity assurance, use SHA-1.
- For key negotiation, use DH group 5 or 2 (investigate performance impact).
- For peer authentication, use long and random pre-shared keys or RSA with 1024-bit modulus or more.