An Update On The MPLS Privacy Debate

Monday, April 25, 2011

PCI Guru

Fc152e73692bc3c934d248f639d9e963

The MPLS private network discussion continues...

A lot of network administrators and carriers argue that MPLS networks are private because the PCI SSC says they are private.  As more and more organizations migrate from ATM and Frame Relay, this topic keeps coming up again and again lately. 

Because of the push back from carriers and network administrators, I went back and re-read FAQ number 8705:

In general, MPLS networks are considered “private” networks and do not require encryption. This, however, is dependent upon the specific provider and/or configuration. If the IP addresses are public and the MPLS network provides exposure to the Internet either through the LSR or other device (if the edge router has an Internet port) then it should be reviewed carefully as it is likely considered “untrusted”.

The QSA should review the implementation and determine whether the IP addresses are public such that the MPLS network provides exposure to the Internet, before concluding that the MPLS network is considered private. If the QSA cannot gain that assurance, then the whole network should be in scope. The PCI SSC is not compiling a list of approved MPLS solutions nor do they have any plans to do so.

This requirement for encrypted transmissions is intended to apply to transmissions outside of an internal network to an external third party, going over an open, public network; this requirement does not apply to transmissions over an internal network protected by external facing firewalls, since that is not considered a public network.

Apparently, carriers and network administrators only read the first sentence of the FAQ and conveniently forget the next three sentences.  But it is those three sentences that document the criteria to determine whether or not an MPLS network is private. 

The criteria a QSA is to use to evaluate an MPLS network’s privacy are:

  • How is the MPLS network configured?
  • Does the LSR come into direct contact with the Internet?

While these appear to be fairly simple questions to be answered, these questions are anything but simple or even easily answered.

The first question, how is the MPLS network configured is a problem for a lot of QSAs and network administrators as well as carriers.  MPLS is just a specialized IP network, so how the network is engineered drives just how private is private. 

The problem with relying on IP addressing as the only criteria of whether or not an MPLS network is private is not proof positive.  I would argue that, even if the IP addressing on the MPLS network is RFC 1918 compliant, if the subnet is not the same as the network connecting to the network, then a QSA should look into the network to confirm that it is private. 

This is particularly true if the addressing on the MPLS network is an ARIN registered address block belonging to the carrier.  Yes, such a network would be private for the carrier, but could be anything but private for the carrier’s customers’ traffic.

The second question is also not as straight forward to answer.  Just because private addressing is used on the MPLS network does not mean that it does not come into contact with the Internet or Internet traffic. 

Unless you have visibility through the entire network and the rules used for that network, it is anyone’s guess as to whether or not it comes into contact with the Internet.

Of course all of this implies that the carrier is willing to show you their MPLS network configuration and share other information about their MPLS network.  But getting such a candid talk about a carrier’s network is sometimes anything but easy. 

I have personally encountered carriers that refused to explain anything about their network and also refused to allow anyone to look at their LSR configurations.  As a result, we had no way to confirm or deny that the network was private. 

To add insult to injury, I have been told by carriers that I was wrong in requesting to look into the configuration of their network and that this was not what the PCI SSC intended.  That said, I have also jumped through hoops to work out a way to confirm as best I could that the MPLS network was private.

MPLS is just an IP-based wide area network and because it uses IP, it can have a number of vulnerabilities just like IP networks.  Carriers use human beings to manage these networks and they are fallible just like our own employees. 

Therefore, it is highly likely that mistakes will sometimes occur that will affect the privacy of the network.  I am guessing that once we have a breach in the MPLS cloud, MPLS will no longer be automatically considered private and encryption will be required.

And it is not just MPLS networks.  Most ATM and Frame Relay networks are routed over MPLS backbones by the carriers.  So just because you do not use MPLS does not mean that you are immune to the risks of MPLS.

In the end, we will have to rely on the statements and representations of the carrier as to whether or not the network is private.  Is this a good way to secure your organization?  It is as long as your carrier never causes a problem.

Cross-posted from PCI Guru

Possibly Related Articles:
10639
Privacy Compliance QSA Network Security PCI SSC MPLS
Post Rating I Like this!
C643eec6350152c6c3fbd1288578d98a
Terry Perkins This is interesting. Thanks for posting it.
1303833512
314f19f082e69886c20e31c70fe6dceb
Rod MacPherson I think it should be a no-brainer that any WAN link where you don't have physical ownership of the entire span should be treated as an untrusted network. If it is a private piece of fibre trenched under your parking lot between adjacent buildings you have little risk of it being tapped into by some 3rd party, but can you trust that the phone company that leases you lines between your offices doesn't have any disgruntled employees looking to make a little extra $ selling your secrets?
Even if the carrier promises that none of their other customers will come in contact with your data, their own employees would have access. The technology used by the carrier doesn't matter if you are passing your info to the carrier without encrypting it yourself.
1303859322
Fc152e73692bc3c934d248f639d9e963
PCI Guru A lot of people think MPLS is just like ATM and Frame Relay which had physical properties that made them private. However, MPLS has no such properties and relies on the logical engineering of the circuits to ensure privacy. However, just like large corporate networks, there are certain limitations to that engineering and some traffic may have to hit core switches/routers and co-mingle with other traffic. While not a problem in and of itself, it is the potential of human error in this mix that makes me cringe.
1303903872
C643eec6350152c6c3fbd1288578d98a
Terry Perkins That's exactly why we are pushing for P2PE. Then, I don't have to worry about this. :)
1303910694
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.