The MPLS private network discussion continues...
A lot of network administrators and carriers argue that MPLS networks are private because the PCI SSC says they are private. As more and more organizations migrate from ATM and Frame Relay, this topic keeps coming up.
Because of the push back from carriers and network administrators, I went back and re-read FAQ number 8705:
In general, MPLS networks are considered “private” networks and do not require encryption. This, however, is dependent upon the specific provider and/or configuration. If the IP addresses are public and the MPLS network provides exposure to the Internet either through the LSR or other device (if the edge router has an Internet port) then it should be reviewed carefully as it is likely considered “untrusted”.
The QSA should review the implementation and determine whether the IP addresses are public such that the MPLS network provides exposure to the Internet, before concluding that the MPLS network is considered private. If the QSA cannot gain that assurance, then the whole network should be in scope. The PCI SSC is not compiling a list of approved MPLS solutions nor do they have any plans to do so.
This requirement for encrypted transmissions is intended to apply to transmissions outside of an internal network to an external third party, going over an open, public network; this requirement does not apply to transmissions over an internal network protected by external facing firewalls, since that is not considered a public network.
Apparently, carriers and network administrators only read the first sentence of the FAQ and conveniently forget the next three sentences. But it is those three sentences that document the criteria to determine whether or not an MPLS network is private.
The criteria a QSA is to use to evaluate an MPLS network’s privacy are:
- How is the MPLS network configured?
- Does the LSR come into direct contact with the Internet?
While these appear to be fairly simple questions, they are anything but simple to answer.
The first question, how the MPLS network is configured, is a problem for a lot of QSAs and network administrators, as well as for carriers. MPLS is just a specialized IP network, so how the network is engineered determines just how private "private" really is.
The problem with relying on IP addressing as the only criterion is that private addressing is not proof positive that an MPLS network is private. I would argue that, even if the IP addressing on the MPLS network is RFC 1918 compliant, if that subnet is not the same as the customer network connecting to it, then a QSA should look into the network to confirm that it is private.
This is particularly true if the addressing on the MPLS network is an ARIN registered address block belonging to the carrier. Yes, such a network would be private for the carrier, but could be anything but private for the carrier’s customers’ traffic.
The second question is also not as straightforward to answer. Just because private addressing is used on the MPLS network does not mean that it does not come into contact with the Internet or Internet traffic.
Unless you have visibility through the entire network and the rules used for that network, it is anyone’s guess as to whether or not it comes into contact with the Internet.
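The two FAQ criteria, and the subnet caveat above, can be turned into a repeatable scoping check run over whatever the carrier does disclose. This is an added example, not code from the post or from any carrier tool; the disclosure shape, field names and all addresses are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed shape of what a carrier discloses: the customer's own prefixes, the prefixes
# used inside the VPN, edge router/LSR interface addresses, and the edge router's routes.
MplsDisclosure = namedtuple("MplsDisclosure", "customer_lans vpn_prefixes edge_interfaces edge_routes")

def is_rfc1918(prefix):
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(r) for r in RFC1918)

def inside_customer_space(d):
    # VPN addressing should come from the customer's networks, not a carrier block.
    lans = [ipaddress.ip_network(p, strict=False) for p in d.customer_lans]
    return all(any(ipaddress.ip_network(v, strict=False).subnet_of(l) for l in lans)
               for v in d.vpn_prefixes)

def edge_touches_internet(d):
    # A non-RFC 1918 interface address or a default route is Internet exposure.
    public = any(not any(ipaddress.ip_address(a) in r for r in RFC1918)
                 for a in d.edge_interfaces.values())
    return public or any(ipaddress.ip_network(r, strict=False).prefixlen == 0
                         for r in d.edge_routes)

def assess(d):
    """Apply the FAQ's two criteria; return (verdict, findings)."""
    findings = []
    public = not all(is_rfc1918(p) for p in d.vpn_prefixes)
    exposed = edge_touches_internet(d)
    if public:
        findings.append("public addressing inside the MPLS VPN")
    if not inside_customer_space(d):
        findings.append("VPN addressing lies outside the customer's address space")
    if exposed:
        findings.append("edge router has Internet exposure")
    if public or exposed:
        return "untrusted: encrypt or bring the MPLS network into scope", findings
    if findings:
        return "review: confirm privacy with the carrier before accepting", findings
    return "private on the evidence supplied", findings

# Constructed cases: a clean VPN, one on a carrier-owned block, one Internet-exposed.
PRIVATE = MplsDisclosure(["10.20.0.0/16"], ["10.20.255.0/30"],
                         {"Gi0/0": "10.20.255.1"}, ["10.20.0.0/16"])
CARRIER_BLOCK = MplsDisclosure(["10.20.0.0/16"], ["192.168.77.0/30"],
                               {"Gi0/0": "192.168.77.1"}, ["10.20.0.0/16"])
EXPOSED = MplsDisclosure(["10.20.0.0/16"], ["10.20.255.0/30"], {"Gi0/2": "203.0.113.5"},
                         ["10.20.0.0/16", "0.0.0.0/0"])
```

The "review" verdict is the case the post warns about: RFC 1918 addressing that does not belong to the customer, which on its own proves nothing about privacy.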
Of course, all of this assumes that the carrier is willing to show you their MPLS network configuration and share other information about their MPLS network. But getting that kind of candor about a carrier's network is sometimes anything but easy.
I have personally encountered carriers that refused to explain anything about their network and also refused to allow anyone to look at their LSR configurations. As a result, we had no way to confirm or deny that the network was private.
To add insult to injury, I have been told by carriers that I was wrong in requesting to look into the configuration of their network and that this was not what the PCI SSC intended. That said, I have also jumped through hoops to work out a way to confirm as best I could that the MPLS network was private.
MPLS is just an IP-based wide area network, and because it uses IP it is subject to the same kinds of vulnerabilities as any other IP network. Carriers use human beings to manage these networks, and they are fallible just like our own employees.
Therefore, it is highly likely that mistakes will sometimes occur that will affect the privacy of the network. I am guessing that once we have a breach in the MPLS cloud, MPLS will no longer be automatically considered private and encryption will be required.
And it is not just MPLS networks. Most ATM and Frame Relay networks are routed over MPLS backbones by the carriers. So just because you do not use MPLS does not mean that you are immune to the risks of MPLS.
In the end, we will have to rely on the statements and representations of the carrier as to whether or not the network is private. Is this a good way to secure your organization? It is as long as your carrier never causes a problem.
Cross-posted from PCI Guru