MPLS VPN security threats
MPLS L3 VPN services is widely used nowadays by many enterprises and organizations. They provide a lot of flexibility in connecting different sites compared to L2VPN services and offloads a lot of the responsibilities from the enterprise to the provider.
I have gained all my networking experience in service provider environments, and have seen very little number of customers taking VPN security seriously. While for most of them security is a very critical issue to consider. Banks, Travel agencies and stock brokerages have very critical applications that require a high level of security planning.
In This post I am going to describe some possible threats against a VPN from the customer point of view and in later posts I will cover best practices and design concepts.
Generally speaking threats against a VPN can be inform of Intrusions or Denial of Service.
Intrusions happen when an outsider takes control over part of your network; this can be a computer or other networking device.
Intrusions may come from any outside location that have connectivity to you network. This attacks can come from other VPNs, internet or the service provider core itself. The protection against these types of attacks come from the ability to filter unwanted traffic from unwanted sources on network's ingress points.
This can be difficult in some MPLS VPN design models which lacks centralization in which all sites can connect each other without traffic control.
DOS attacks is another type of threats against a VPN. DOS attack can come from another VPN, internet or the service provider core just as intrusions. However, the main difference between the two types of attacks is that the attacker does not need to get access or have control over one of you equipment in case of DOS attacks.
DOS attacks against the service provider devices can also cause a denail of service to some parts of your VPN. Although it might be hard to sometimes protect your network against DOS attacks, the main protection against them lies in the good network design of the MPLS VPN.