IP Convergence: Beyond VoIP, Beyond Cost Savings

This presentation from the blackhat conference in Europe last year speaks directly to the point about the security issues between IP-VPN and Ethernet that I took issue with in my last blog. 

A couple of the key points that I took from this presentation were:

• In the case of both Ethernet VPNs and IP-VPNs, in order to hack into a customers network from outside the network, the attacker must have access to the provider's core routers. (pg. 26)
  
• If an attacker has penetrated the customer's network through a backdoor or through weak physical security, he has some interesting options with an Ethernet VPN that do not exist on an IP-VPN network, especially in a VPLS environment. (pg. 34 and others)
  
• A reminder about how much I dislike spanning tree (pg. 38)

ps. he refers to as the Juniper M7i as a "big-iron" router, when in fact it is the smallest of Juniper's carrier-line of routers and doubles as a high-end Enterprise router.  An M7i may be used by a carrier in a very small site, but such a site is not likely to have thousands of customers as cited in his example.  A site with thousands of customers is much more likely to be riding an M40e at minimum, or more likely an M320.

Hat Tip to Jim Lippard

Technorati Tags: Ethernet, VPLS, IP-VPN, Security