Threats from Within a Zone of Trust

The 2004 CSI/FBI Computer Crime and Security Survey shows that roughly as many security incidents originate inside an enterprise as outside it. In more general terms, the "inside" here is a zone of trust. Without any doubt, in many networks, insiders represent at least the same threat to a network as outsiders do.

This principle applies in the same way to MPLS VPN deployments, for each zone of trust separately:

  • Zone of a given VPN: This is essentially the enterprise intranet, and the CSI/FBI report refers directly to this zone of trust.

  • Core network: In the core, an insider (for example, a provider operator with configuration access) can easily modify configurations, endangering the security of the core or of connected VPNs. Where this affects VPNs, it is strictly speaking not a threat from within the VPN's own zone but an attack on it from the core; this case is discussed earlier in this chapter.

  • Extranet: For extranets and other external networks, threats such as the accidental interconnection of VPNs can originate in these zones.

A number of potential security issues originate within a single zone of trust and are therefore unrelated to the fact that the underlying infrastructure is an MPLS network. Examples of such issues are

  • An unsecured wireless access point in an enterprise that has an MPLS VPN service.

  • A DoS attack from the Internet against a web server in a VPN, where Internet access for that VPN is provided over the same MPLS core: if an MPLS core provides Internet connectivity to a given VPN, that same connectivity can be used to attack the VPN from the outside. The same would be true in other VPN deployments, such as Frame Relay or ATM.

  • An intrusion from one MPLS VPN into another VPN, where the packet flow went through interconnection points specifically designed for this purpose, for example an extranet. Such deployments should normally be secured by a firewall, and their security depends on the correct configuration of that firewall.

  • Worm infections spreading from a VPN site to an extranet site, where such connectivity was deployed consciously. Here too, firewalls are typically deployed where VPNs connect to extranets, and security depends on the correct operation of the firewall, plus standard security measures on the end systems themselves.

In summary, security issues within a single zone of trust, or arising from connectivity between zones of trust that has been specifically designed, are outside the scope of this book. In these cases, traditional security solutions such as firewalls must be used to separate the zones as required, and the security of the deployment rests on those controls being configured and operated correctly.