Security over Metro Ethernet

By zRo.ToLeRaNcE
I'm looking to get some feedback on WAN security, specifically referring to Metro Ethernet.

The situation is that my company is now receiving Metro Ethernet services from our Service Provider. Now, we are a Gov't organization managing IT services and infrastructure for Tax Services and Revenue Collection Agencies across the island. So that lays the base that our data is sensitive... almost as sensitive as bank information.

With leased lines, we didn't use encryption as leased lines were deemed (private). This was obviously a wrong view and we are in the process of correcting this.

With the move to Metro Ethernet, we've decided that some encryption has to take place. We have Cisco routing infrastructure at all sites (2800 and 3800 series routers). We have approximately 52 sites.

The issue is two-fold:
1. Without considering the sensitivity of the data, is Metro Ethernet as "secure" as leased lines? Is it really necessary to use encryption? Do many people use encryption on their Metro connection, or do they trust the Service Provider?

2. Will routers alone be able to handle the encryption? What are the minimum router specs necessary to facilitate IPSec encryption among the Metro-E sites?

For the app being used across the WAN, the application architecture has it that most communication takes place in a hub-and-spoke manner, i.e. Head Office has the database, while other sites access the DB.

Currently, we have 1Mbps Metro links which have an average max utilization of 13%.

Hopefully, with all the info provided... some informed answers can be provided.


Not sure

by Fregeus In reply to Security over Metro Ether ...

I'm not sure what you mean by Metro Ethernet. I've never heard the term before. If it's anything like our LAN Extensions, then yes, it is as secure as leased lines. LAN Extensions are, like it says, an extension of your LAN. Your infrastructure has no knowledge of the provider's equipment.

As far as the power needed for IPSec encryption, we would need the exact model, memory and load to give you an answer. But a shot in the dark would be: probably yes. The 2800s and 3800s are newer models with good-size RAM and decent CPUs. For a load of approximately 130Kbps (13% of 1Mbps), I would venture you would be fine. All except your main central router. That would require calculations.



Not really LAN Extension

by zRo.ToLeRaNcE In reply to Not sure

It can be used for LAN Extension but not defined as such. You may know the term MPLS...check site below

Is there some sort of formula that can be used for IPSec calculations?


Metro ethernet - tagged traffic across provider network

by SYNner In reply to Security over Metro Ether ...

There are many ways to deliver what you might refer to as metro ethernet. Some ways are not as secure as others. If your ethernet circuit is delivered over SONET and it doesn't pass through any provider IP infrastructure, then it's as secure as your network is secure. If your circuit is delivered over layer 2 VLANs over some device like Cisco's 3750 over some fiber infrastructure, it's not secure, as any compromise of the device delivering the layer 2 VLAN is a compromise of your network. If your ethernet circuit is delivered over MPLS utilizing VRFs, then it's somewhat secure, as the CE device configured with the tag will be able to pull that traffic off the MPLS cloud. However, the realm of hijacking presents infinite possibilities.

I would definitely do some firewalls and site-to-site VPNs, especially if you are a government entity.


Therein lies the problem... firewall

by zRo.ToLeRaNcE In reply to Metro ethernet - tagged t ...

Thanks for your reply SYNner, but in your answer lies a problem I'm trying to design a solution around.

We have acquired Checkpoint VPN-1 Edges (approx. 12) and UTM-450/1050 (approx. 4) which we are currently rolling out to branch sites depending on the # of persons at the location. There is a Checkpoint RG-65 Cluster at the main office.

We currently use ManageEngine NetFlow Analyzer 6 to monitor bandwidth utilization and such from our Cisco routers. However, as we roll out firewalls and implement VPN/Encryption using the firewalls, we find that NetFlow Analyzer has little or no use, as most traffic is now showing as "ESP_data" coming from one (1) IP address (i.e. the firewall), which is the encrypted packet. We then turn to the CheckPoint SmartView Monitor to see what's happening at the site, and that application is really horrible. No customization for timeline, and you cannot set up a Dashboard-like area for monitoring several sites/firewalls at the same time. So our monitoring capabilities are limited with the firewalls.

So the question is: do we NEED NEED NEED firewalls to perform the encryption required?
The reason I'm looking to do encryption using the routers is that I assume (could be an incorrect assumption) that since it's Cisco doing the encryption, NetFlow should still provide all the information required.

Also, only 3 of the sites that we are rolling out firewalls to actually have their own Internet connection. Therefore, the firewall is only performing encryption/tunneling and nothing else. So why can't the router do it? That's my issue.


By "Metro" are you referring to "MAN"?

by dawgit In reply to Security over Metro Ether ...

A "MAN" or Metropolitan Area Network (IEEE 802.6) and "WAN" Wide Area Network (IEEE 802.7) use slightly different topologies (network level), but for your end the standard TCP/IP protocols are used. Now here comes the kicker: this goes for IPv4 just fine, but as we move toward IPv6, which will (should) be ready on the WANs (WWW.Internet), it might not get down to all the smaller levels, hence the (re-)establishment of MANs (your Metro Link) to keep doing the job as done now. For your area it makes sense, as well as saving money. For normal users, they shouldn't notice a difference. As for security, it will be all on your end, as it should be. While you might theoretically be a little more secure, as there will be another step between your end and the big bad (WWW.) Internet, in practice it won't help you much. If all your sites are located on island, the security issue will be the same as it is now. For those off-shore connections, you might think about setting up a 'Hub' at the main site to route traffic through. I hope I haven't confused you more. -d


Haven't confused me

by zRo.ToLeRaNcE In reply to By "Metro" are you referri ...

You haven't confused me, but you sound like you're confused about what I was asking about though :)

Metro Ethernet is not MAN, as MAN is a topology while Metro Ethernet is a link type used within a MAN/WAN. I posted some links to more information in an earlier post.

I've decided to go with encryption on the routers and am currently doing an audit of our infrastructure to gather our router specs and move forward. However, the one question I would love to get answered is about the calculations.

SYNner had suggested that for my current link utilization, I would be able to use my current 2800s and 3800s quite fine. I'm trying to figure out what these calculations/formulas are that I can use to determine whether encryption can work on X router with Y memory and Z processor.


I've been looking for them

by Fregeus In reply to Haven't confused me

and was not successful. I did find some figures on the 2800s and the 3800s that confirm that you're very probably fine with the routers you've got (they went up to 50 Mbps encrypted, which is a lot more than what you have right now).

Unfortunately, I wasn't able to find an actual formula to use. My suggestion would be to contact your Cisco engineer and ask him for the formula. I'm sure it's something they have with them. And if you get it, post it so I can have it too.

Good luck
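An added sizing sketch, not from any poster in this thread, that applies the thread's own numbers: it computes per-packet ESP tunnel-mode overhead for AES-CBC with HMAC-SHA1-96 (RFC 4303 framing), then the encrypted load per spoke and the aggregate the hub router must process. The 51-spoke count (52 sites minus head office), the 512-byte average packet size and the use of the quoted 50 Mbps figure as the hub's crypto budget are assumptions, not vendor specs.

```python
from dataclasses import dataclass

# Fixed ESP tunnel-mode framing sizes in bytes (RFC 4303); ICV length
# assumes HMAC-SHA1-96, IV and block sizes below assume AES-CBC.
OUTER_IPV4_HDR = 20   # new outer IP header added in tunnel mode
ESP_HDR = 8           # SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad length (1) + next header (1)
ICV_SHA1_96 = 12      # truncated HMAC authenticator

def esp_tunnel_packet_size(inner_len, block_size=16, iv_len=16, icv_len=ICV_SHA1_96):
    """On-wire size of one inner IPv4 packet after ESP tunnel-mode encapsulation.

    Padding brings (inner packet + trailer) up to a multiple of the cipher
    block size, which is what inflates small packets the most.
    """
    padding = (-(inner_len + ESP_TRAILER)) % block_size
    return (OUTER_IPV4_HDR + ESP_HDR + iv_len + inner_len
            + padding + ESP_TRAILER + icv_len)

def esp_overhead_ratio(inner_len):
    """Encrypted bytes on the wire per cleartext byte for a given packet size."""
    return esp_tunnel_packet_size(inner_len) / inner_len

@dataclass
class HubSpokeEstimate:
    spoke_kbps: float           # encrypted rate one spoke sends toward the hub
    hub_kbps: float             # aggregate encrypted rate the hub must handle
    hub_budget_fraction: float  # hub load as a fraction of its crypto budget

def hub_and_spoke_estimate(link_kbps=1000, utilization=0.13, spokes=51,
                           avg_inner_len=512, hub_crypto_budget_kbps=50_000):
    """Scale the thread's per-link load up to the hub router.

    Defaults: 1 Mbps links at 13% utilization (from the thread); 51 spokes,
    a constructed 512-byte average packet, and the 50 Mbps encrypted figure
    quoted by a poster as the hub budget are all assumptions.
    """
    cleartext_kbps = link_kbps * utilization
    spoke_kbps = cleartext_kbps * esp_overhead_ratio(avg_inner_len)
    hub_kbps = spoke_kbps * spokes
    return HubSpokeEstimate(spoke_kbps, hub_kbps, hub_kbps / hub_crypto_budget_kbps)

if __name__ == "__main__":
    for size in (40, 512, 1500):
        print(f"inner {size:4d} B -> {esp_tunnel_packet_size(size)} B on the wire")
    e = hub_and_spoke_estimate()
    print(f"hub load {e.hub_kbps:.0f} kbps = {e.hub_budget_fraction:.0%} of budget")
```

The per-packet figures matter more than the link rate: a 40-byte ACK more than doubles on the wire, so a chatty database protocol with many small packets raises the hub's packets-per-second far more than its bit rate suggests.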
