Explains how all VPN networks (MPLS or otherwise) are built over Telephone Service Providers (TSPs) IP Core networks, and why they are security vulnerable.
Vpn1
1. NIB – II TOPOLOGY
Fig. 1 (figure labels only): Core IP backbone nodes Delhi, Mumbai, Chennai, Bangalore and Kolkata, each with a core router, international gateways (IGW) and BRAS, connected by STM16 links. Edge nodes on STM1 rings: Guwahati, Lucknow, Chhattisgarh, Bhopal, Jaipur, Gandhinagar / Ahmedabad, Chandigarh, Shimla, Srinagar, Noida, Patna, Pune, Hyderabad, Pondicherry, Thiruvananthapuram, Ernakulam, Goa and Bhubaneshwar, each with an edge router. Back office facilities at the nodes: web hosting, customer servers, messaging, caching, billing, etc.
2. NIB – II ARCHITECTURE
Fig. 2 (figure labels only): At each node the core router sits on the Tier I switch, with a link to the other core routers. Tier II switches below it feed the edge routers for each service: the MPLS VPN edge router (leased lines from VPN subscriber premises), broadband edge routers with BRAS and DSLAMs, the dial-up service edge router with a RAS to the PSTN network, and an edge router to the National Internet Exchange (NIEX), which connects all ISPs and provides a common international gateway.
3. Explanatory Notes on VPN Vulnerability
Slide 1 shows the topology of a typical ISP's IP network over which
both Internet and VPN services are laid out. This is the topology of
BSNL's NIB – II. Five cities are connected in a full mesh to form the
core IP backbone across India. Other cities are connected through
tri-node rings from the nodes of the core network, via the Tier 1
switch at each of these nodes.
Slide 2 shows the architecture of each of these nodes. The core router
at the node sits on the Tier 1 switch. From this switch are taken the
router connections for all the services: VPN, Internet through
broadband, and PSTN dial-up. You will therefore note that there is
continuous physical connectivity between all the routers in this IP
network through the Tier 1 switch at each IP node (POP), and hence
continuous public-domain access to the VPN routers.
1. In any IP network, public or private, the WAN ports of all routers in
the network are continuously reachable from each other. Thus while a
router port is engaged in communication with another in the network,
a third port can communicate with it at the same time. If the IP
network is in the public domain (Internet) or has access from the
public domain (VPN), this third port could be that of an attacker.
2. Thus while security protocols such as IPsec can transport data from
one computer to another securely, the LAN and the databases residing
on it are exposed to the public domain through a VPN that has
public-domain access, for the reasons explained in 1 above.
3. For WAN computing it is necessary to have a real private network
(at least for data communications). Once this is in place,
inter-location voice / fax can be run over the same network at a
marginal increase in operating cost, using the patented PVDTN
system.
4. You should not expose your company databases to the public domain
through the Internet, ISDN back-up, or a VPN (which has public-domain
access), for the reasons explained in 1 above.
5. The MPLS networks currently in vogue are another form of VPN
network and are subject to the comments in 1 to 4 above.
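The exposure described in points 1 and 2 is that the WAN port of the VPN gateway is reachable from any other port on the shared IP network, so anything routed to it, or through it to the LAN, arrives. The minimum check a practitioner would want before accepting such a link is that the gateway's public-side port accepts nothing except the tunnel itself from its known peer. The following is an added example, not code from the slides or from BSNL; the addresses, the LAN range, the interface name wan0 and the policy are constructed, and the evaluator is a simplified model of a stateless inbound filter rather than a real firewall:

```python
"""Model of an inbound filter on a VPN gateway's WAN port.

Added example (not part of the original slides). Addresses, LAN range,
interface name and policy are constructed for illustration; the
evaluator is a simplified model of a stateless inbound filter.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# IP protocol numbers as they appear in the IP header.
PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50


@dataclass(frozen=True)
class Packet:
    src: str         # source IP address
    dst: str         # destination IP address
    proto: int       # IP protocol number
    dport: int = 0   # destination port (0 for protocols without ports)


@dataclass(frozen=True)
class Policy:
    wan_addr: str    # the gateway's public-side address
    peer_addr: str   # the only remote VPN gateway tunnels are accepted from
    lan: str         # the LAN behind the gateway (CIDR)


def reachable_without_filter(pol: Policy, pkt: Packet) -> str:
    """The situation the slides describe: no filter on the WAN port.

    Anything the shared IP network routes to the gateway's address or to
    the LAN behind it is accepted, whoever sent it.
    """
    dst = ip_address(pkt.dst)
    if dst == ip_address(pol.wan_addr) or dst in ip_network(pol.lan):
        return "accept"
    return "drop"


def inbound_decision(pol: Policy, pkt: Packet) -> str:
    """Return 'accept' or 'drop' for a packet arriving on the WAN port.

    Rules, in order:
      1. IKE (UDP/500, UDP/4500) and ESP from the configured peer to the
         WAN address are accepted: that is the tunnel itself.
      2. Everything else arriving on the WAN port is dropped, including
         plaintext traffic addressed to the LAN and IKE from any other
         source, so a "third port" on the provider's network gets nothing.
    """
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src == ip_address(pol.peer_addr) and dst == ip_address(pol.wan_addr):
        if pkt.proto == PROTO_ESP:
            return "accept"
        if pkt.proto == PROTO_UDP and pkt.dport in (500, 4500):
            return "accept"
    return "drop"


def render_nftables(pol: Policy) -> str:
    """Emit an equivalent nftables input chain for the WAN interface.

    Interface name 'wan0' is an assumption. This covers traffic addressed
    to the gateway itself; a forward chain with the same shape is needed
    for traffic into the LAN. Decrypted IPsec packets re-enter the hook,
    hence the 'meta ipsec exists' rule.
    """
    return "\n".join([
        "table inet vpn_wan {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        '    iifname != "wan0" accept',
        "    ct state established,related accept",
        "    meta ipsec exists accept",
        f"    ip saddr {pol.peer_addr} ip daddr {pol.wan_addr} "
        "udp dport { 500, 4500 } accept",
        f"    ip saddr {pol.peer_addr} ip daddr {pol.wan_addr} "
        "ip protocol esp accept",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    # Constructed sample: documentation address ranges only.
    pol = Policy(wan_addr="203.0.113.10", peer_addr="198.51.100.5",
                 lan="10.20.0.0/16")
    samples = [
        ("peer IKE", Packet("198.51.100.5", "203.0.113.10", PROTO_UDP, 500)),
        ("peer ESP", Packet("198.51.100.5", "203.0.113.10", PROTO_ESP)),
        ("stranger IKE", Packet("192.0.2.77", "203.0.113.10", PROTO_UDP, 500)),
        ("stranger to LAN db", Packet("192.0.2.77", "10.20.1.5", PROTO_TCP, 3306)),
    ]
    for label, pkt in samples:
        print(f"{label:20s} unfiltered={reachable_without_filter(pol, pkt):6s} "
              f"filtered={inbound_decision(pol, pkt)}")
    print(render_nftables(pol))
```

The contrast between reachable_without_filter and inbound_decision is the whole point: on the unfiltered port a packet from an unrelated address to a database on the LAN is accepted, while the filtered port only admits the tunnel from its peer. This narrows the exposure described in points 1 and 2; it does not remove the shared physical path the slides object to.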
We hope the above notes explain the security vulnerability of your
databases when they are on LANs connected to a VPN (MPLS or otherwise)
of any service provider.
If you wish to secure your databases 100%, then use point-to-point
leased lines for inter-location computer connectivity.