attacks on MPLS?

Christopher Morrow morrowc.lists at gmail.com
Thu Apr 9 18:18:42 UTC 2009


On Thu, Apr 9, 2009 at 1:31 PM, Wayne E. Bouchard <web at typo.org> wrote:
> Meh...
>
> Sure, it rehashes what we pretty well already know, "If a bad guy can
> get access to your network or your management tools, you're boned."

actually... what it says is that "hey, your 'VPN' isn't really
'private' like an IPSEC tunnel was". Save some really high-end
crypto-cracking-gear if you ipsec your transport it doesn't matter
where in the world it goes, it's "secure" from end to end. (secure
from snooping, which seems to be the majority of their point in the
article).

Folks I saw at former-employer were moving from 'frame' or 'atm'
private networks to 'mpls vpn' because it was:

1) less complex for the customer
2) cheaper for the customer
3) the 'new shiny thing!!'

There was little understanding initially that this might be:
1) run over the same IP core as the 'internetz'
2) not very 'private' if you count 'can not sniff' in your 'is
private' bailiwick
3) less/more/equally as 'secure' as what they had previously.

Noting to customers that MPLS-vpn was essentially as 'secure' as
Frame/ATM was sort of an eye-opener. Some of the customers even said:
"Why would I do this over internet-based IPSEC vpn?" or "Oh, so I'll
still have the IPSEC management pain?"

The thrust of the article (aside from the scare-mongering and press
for the 'researchers' of course) is that: "Hey, just because it says:
'VPN' in the name doesn't mean it's really 'private'", and that ip or
application level security is still important for anything that leaves
your physical perimeter AND has some level of importance to you or
your business.

-Chris
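An added illustration of the point Chris makes (not code from the thread or from any of the participants): an MPLS L3VPN packet on the provider core is just an RFC 3032 label stack in front of the customer's plain IPv4 packet, so anyone with a capture from a core link can read the customer addresses and payload without any key. The label values, addresses and payload below are constructed sample data; the IPv4 header is minimal, with its checksum left at zero.

```python
import struct

# RFC 3032 label stack entry: 20-bit label, 3-bit TC (Exp), 1-bit bottom-of-stack, 8-bit TTL.
def mpls_entry(label, tc=0, bos=0, ttl=64):
    return struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)

def ipv4_header(src, dst, payload_len, proto=17):
    # Minimal 20-byte IPv4 header; checksum left at 0 (constructed sample, not for transmission).
    total_len = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def build_l3vpn_packet(transport_label, vpn_label, src, dst, payload):
    # Outer (transport) label gets the packet to the egress PE; inner (VPN) label
    # selects the customer VRF there. Neither label encrypts anything.
    return (mpls_entry(transport_label) + mpls_entry(vpn_label, bos=1)
            + ipv4_header(src, dst, len(payload)) + payload)

def parse_label_stack(frame):
    """Walk label entries until the bottom-of-stack bit; return ([(label, tc, ttl)], inner_packet)."""
    labels, offset = [], 0
    while True:
        (entry,) = struct.unpack_from("!I", frame, offset)
        offset += 4
        labels.append((entry >> 12, (entry >> 9) & 0x7, entry & 0xFF))
        if (entry >> 8) & 1:          # S bit set: this was the last label
            break
    return labels, frame[offset:]

def inspect_core_packet(frame):
    """What a passive observer on a core link learns from one labelled packet: everything."""
    labels, inner = parse_label_stack(frame)
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    return {"labels": [lbl for lbl, _, _ in labels], "src": src, "dst": dst,
            "payload": inner[20:]}

if __name__ == "__main__":
    # Constructed sample: transport label 16001, VPN label 24, a customer HTTP request.
    frame = build_l3vpn_packet(16001, 24, "10.1.1.10", "10.2.2.20", b"GET /payroll HTTP/1.1")
    print(inspect_core_packet(frame))
```

With IPsec ESP applied by the customer before the traffic enters the MPLS cloud, the same capture would expose only the ESP SPI and sequence number, which is the difference the article is pointing at.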