In Chapter 4, we discussed implementation details regarding security best practices for Internet access. We highlight some of the key points from Chapter 4 in this section as they pertain to overall core security.
In network environments where both private network and Internet access are provided by one infrastructure, the security considerations applicable to the MPLS VPN take on added significance because of the Internet component's impact, or potential impact, on the SP backbone and the CE connections. Not only are two entities (the service provider and the customer) involved in provisioning the network service, but the Internet, with its millions of connections and users, is now closely coupled with the corporate data networks.
This necessitates stringent adherence to the SP security best practices to ensure the security and reliability of the backbone. In addition, it is essential to address network design issues to guarantee that corporate (once private) network data is not adversely impacted by the vagaries of the Internet data flows. Of course, it is also conceivable that high volumes of corporate data (say large image transfers or data backups) could also impact the infrastructure to an extent that Internet traffic may suffer.
However, typically, Internet traffic is viewed as "best effort" traffic with little or no expected service levels and, as such, as long as user performance is not unduly hindered, this should not be a major issue. As the usage profiles of the Internet change to support traffic that has more stringent latency or jitter restrictions, more attention may be required with respect to general traffic performance.
Of greater importance are intrusion-oriented security concerns and DoS attacks, which are more likely to be sourced from the Internet than the corporate space and must be addressed to mitigate impact to the VPN traffic flows. At an overview level, there are three basic approaches to providing Internet and MPLS VPN services to a given set of customers:
Totally distinct networks
Shared core network with separate PE and CE components and connections
Shared resources end to end
Clearly, the provisioning of totally separate networks ensures that the only Internet-driven security vulnerabilities will be through the customer's own interconnect points within the customer network. However, this is a very costly approach for the service provider, which will be reflected in the costs passed on to the consumer of such services.
In general, it is recommended that the VPN service network interconnects and the Internet access be run over separate links and to separate routers (not the VPN-supporting routers), rather than attempting to homogenize them over a single facility.
That is, the SP should provision separate PEs for VPN versus Internet access even if the backbone P routers are shared. Also, the interconnections between the VPN (intranet) and Internet PEs should be distinct and preferably terminated on separate CE routers. This allows for the greatest degree of configuration flexibility (and thereby policy control) and reduces the concern that Internet-launched DoS attacks will have an immediate impact on VPN performance. Internet traffic can also be directed through DMZ facilities at centralized customer sites where firewall-based control and intrusion detection systems can be readily deployed. Internet access can then be provided to other sites by propagating a default route through the corporate VPN.
The use of default routing to direct traffic through the DMZ ensures that corporate security policies are applied to traffic that traverses the Internet, and additionally provides a single connection point where problems can be identified and controlled. Also, this approach minimizes the memory usage on the PE and CE routers that would be considerable if the entire Internet table were propagated.
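The following Cisco IOS fragments are an added illustration of the design described above; they are not configuration from the book or from any vendor document. They show the VPN PE carrying the customer in a VRF and the customer's hub CE at the DMZ site originating only a default route into the VPN, so that spoke sites reach the Internet through the hub's firewall while neither PE nor CE has to carry the Internet table. The Internet-facing PE and the separate Internet CE are not shown. The VRF name (CUSTA), AS numbers (65000, 65001), route targets, interface names and all addresses (192.0.2.0/30, 10.10.0.0/16, 203.0.113.1) are assumed for the example.

```cisco
! --- VPN PE (a separate router from the Internet PE; P routers may be shared) ---
! The customer lives in its own VRF. This PE's global table never carries
! Internet routes, so Internet-sourced floods have no direct path into the
! VPN forwarding state. (All names and addresses below are assumptions.)
ip vrf CUSTA
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
!
interface GigabitEthernet0/1
 description Hub CE at DMZ site - VPN side only
 ip vrf forwarding CUSTA
 ip address 192.0.2.1 255.255.255.252
!
router bgp 65000
 address-family ipv4 vrf CUSTA
  neighbor 192.0.2.2 remote-as 65001
  neighbor 192.0.2.2 activate
  ! Cap what the hub CE may inject: a CE that mistakenly leaks its full
  ! Internet table is held down rather than exhausting PE memory.
  neighbor 192.0.2.2 maximum-prefix 500 restart 5
 exit-address-family
!
! --- Hub CE at the DMZ site (VPN-facing router) ---
! The CE's own default points at the firewall's inside interface, which sits
! between this router and the separate Internet CE.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Only the site aggregate is allowed out toward the VPN; the default route is
! generated by default-originate rather than learned, so the Internet table
! never appears on this session even if the firewall side were to leak it.
ip prefix-list TO-VPN seq 5 permit 10.10.0.0/16
!
router bgp 65001
 network 10.10.0.0 mask 255.255.0.0
 neighbor 192.0.2.1 remote-as 65000
 neighbor 192.0.2.1 default-originate
 neighbor 192.0.2.1 prefix-list TO-VPN out
```

Spoke sites in VRF CUSTA then learn 0.0.0.0/0 with the hub CE as next hop and nothing else from the Internet, so the firewall and IDS at the DMZ see every Internet-bound flow and the routing-table footprint on every PE and CE stays bounded. The `maximum-prefix` threshold on the PE is the check a practitioner would want in place before trusting the CE-side filter alone.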