How to secure an MPLS/VPN network

Like other VPN technologies, MPLS virtual private networks (VPNs) can and should be secured. However, not all service providers are clear on how to achieve this security from an operational standpoint. This is particularly true when the core network also carries Internet traffic. This presentation explains how MPLS VPN networks (RFC2547bis) have to be planned, implemented and operated such that the VPNs provided are secure. One of the main issues discussed will be shared Internet/VPN backbones. Other considerations to be raised in this discussion include whether provider edge routers (PEs) should be separated for Internet and VPN service, how to secure PE routers from the customers and the Internet, and how to secure the entire backbone against attacks from the Internet. Options for firewalling between VPNs, and between a VPN and the Internet, will also be discussed. Attendees of this session will learn best practices when building a secure MPLS/VPN network.


Speaker Biography:

Michael Behringer is a senior consulting engineer at Cisco Systems, Inc. In this position, Michael focuses on service provider security issues, such as MPLS security and Denial-of-Service attack prevention. Prior to Cisco, Michael worked at the European Internet Service Provider DANTE, based in Cambridge, UK, where he last held the position of senior network engineer, responsible for the design and implementation of DANTE's pan-European networks. Michael is an active member of the IETF and earned his diploma in computer science at the Technical University of Munich.