Threats Against an Extranet Site

There are various definitions for the term extranet. Generally speaking, an extranet allows different VPNs to interconnect and potentially share common resources. In MPLS VPNs, there are two main ways to implement extranets:

  • Integrated intranet and extranet: Sites of different VPNs interconnect directly by controlling the route targets on the PE routers. In this case, the extranet consists of existing sites of the various VPNs, and from a security point of view, this type of extranet is just another way to interconnect VPN sites.

  • Central services: In this model, there is a dedicated extranet site (for example, to host a server farm), which is to be accessed from all involved VPNs. The route targets in the PE routers define how the sites, including the extranet site, are connected.

From a security point of view, both extranet models are similar: As seen from the core, there are a number of VPN sites, and the route targets configured on the PE routers define how these sites are interconnected. If two sites are interconnected, they can exchange traffic freely. Whether the two interconnected sites belong to the same VPN, or whether one is a VPN site and the other an extranet site, is a question of interpretation; technically the configuration is the same.

This means that if some security control is required between a VPN and an extranet site, that control has to be implemented using standard security technology such as firewalls. Such implementations are, however, independent of the fact that the infrastructure is based on MPLS.

Therefore, threats against an extranet site, from an MPLS point of view, are equivalent to threats against VPN sites, and the considerations discussed in the previous section also apply here.
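The route-target logic described above can be checked mechanically. The following is an added example, not part of the original text: it derives site-to-site connectivity purely from import/export route targets and lists connected pairs that cross a VPN label without a recorded firewall. All site names, VPN labels, route-target values and the firewall inventory are constructed assumptions.

```python
from itertools import combinations

# Constructed sample: site names, VPN labels and route-target values are
# assumptions. "vpn" is the operator's label only; it never affects routing.
VRFS = {
    "vpnA-site1": {"vpn": "A", "export": {"65000:100"},
                   "import": {"65000:100", "65000:900"}},
    "vpnA-site2": {"vpn": "A", "export": {"65000:100"},
                   "import": {"65000:100"}},
    "vpnB-site1": {"vpn": "B", "export": {"65000:200"},
                   "import": {"65000:200", "65000:900"}},
    "extranet":   {"vpn": "shared", "export": {"65000:900"},
                   "import": {"65000:100", "65000:200"}},
}

def learns_routes_from(vrfs, receiver, sender):
    """True if receiver imports at least one route target that sender exports."""
    return bool(vrfs[receiver]["import"] & vrfs[sender]["export"])

def connectivity(vrfs):
    """Map each site pair that shares routes to 'two-way' or 'one-way'.

    Only direct import/export matches are considered (assumption: imported
    routes are not re-exported). Pairs with no match are omitted.
    """
    result = {}
    for a, b in combinations(sorted(vrfs), 2):
        directions = learns_routes_from(vrfs, a, b) + learns_routes_from(vrfs, b, a)
        if directions:
            result[(a, b)] = "two-way" if directions == 2 else "one-way"
    return result

def unfiltered_cross_vpn(vrfs, firewalled):
    """Connected pairs with different VPN labels and no firewall on record."""
    return {pair: state for pair, state in connectivity(vrfs).items()
            if vrfs[pair[0]]["vpn"] != vrfs[pair[1]]["vpn"]
            and pair not in firewalled}

if __name__ == "__main__":
    for pair, state in connectivity(VRFS).items():
        print(pair, state)
    # Constructed inventory: only the vpnB link is recorded as firewalled.
    print(unfiltered_cross_vpn(VRFS, {("extranet", "vpnB-site1")}))
```

The connectivity function never reads the "vpn" label, which mirrors the point that an extranet site and an ordinary VPN site are configured identically. A "one-way" result means only one side learns the other's routes, so, absent other routes, return traffic has no path.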

Up to this point, all the threats discussed are of direct interest to a VPN customer because they directly threaten the integrity of the customer's VPN. In the remainder of this chapter, threats to the other zones of trust are discussed. Those threats might indirectly also be threats to the VPN, but where this is the case, it has already been mentioned in the sections above.