Is your Private MPLS network really private ?

Stock Photo

This is a question that security professionals must ask themselves.

The notion that the private networks we rely on to be secured against public access can be compromised.

What if I told you that your MPLS network is not 100% private you may ask how an attacker can gain access to a secured private network unless its via an Internet-based attack now I am not talking compromised as in a virus or APT but the network itself.

Think to yourself other than yourself who has control of your “Private” network?

who has the ability to add an MPLS site into your network ?.

Of course, it’s your ISP  now the attitude of most network admins is that the network is not public as in not Internet so the use of protocols such as FTP is fine… But … what if a worker at the ISP  decides to build an MPLS leg into your network and start sniffing ?.

How about if there is an accidental misconfiguration and an improper route distinguisher points your traffic to another customer’s network or if a VLAN has been


The point is that you have to trust someone with some part of your network but you should not operate that network with the belief its 100% secure.

That means telnet..out ftp..out pop..out any of these clear text protocols either via Internet or MPLS should be ripped out and secure alternatives put in.

Also from an ISP perspective more can be done to prevent such situations such as an email notification for when a change has been made to a particular routing instance or vrf any config changes? email the customer. Was this activity authorized? no, begin the investigation.

Some security  tips to help you with this type situation

Use encrypted protocols

-Audit network changes
-Work with  your ISP on security protocols  for changes made to your network
-Create firewall rules to only include subnets which are in use





Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.