MPLS: The Inconvenient Truth!

Would you buy a WAN service from a vendor today that was unencrypted and shared with other customers? Unlikely. Would your security team sign off on it? One would hope not.


Despite this, the WAN service favoured by most enterprises is MPLS, a shared transport that encrypts nothing.


Let’s take a quick look.

Assumption 1: MPLS is private.

Nope. MPLS is a shared service from a carrier. Your traffic is carried across the same core as every other customer's. Your packets are given labels that tell the carrier's routers which customer VPN (VRF) they belong to and which path to forward them on, and they then traverse the carrier's common infrastructure alongside everyone else's.

Customer Edge (CE) routers are dedicated to individual customers, but the very next hop, the Provider Edge (PE) router, is shared with multiple customers. Separation between customers on that device is a matter of configuration (per-customer routing tables), not physical isolation. So MPLS is shared, not private.

Assumption 2: MPLS is Secure

Nope again. The data traversing the carrier's common infrastructure is in the clear; there is no encryption of your data. Your security is fully dependent on the security of your carrier. Do you really, really trust your carrier? Do you trust them to ensure no OS bug or misconfiguration on a shared PE leaks traffic into another customer's VPN? Do you trust them to be secure against all known WAN attack vectors? Do you trust them to notice if someone is sniffing or replicating data, and to tell you about it? Forget about the last question: a passive tap in the carrier's network is invisible to you, so there is no way for you to detect it. The IETF's own analysis of MPLS VPN security (RFC 4381) makes the same point: the VPN separates customers' addressing and routing, it does not encrypt their data. To actually get encryption in transit you have to add it yourself on top of the carrier's transport, whether at the application layer (TLS) or the network layer (IPsec or an encrypted overlay). I will save GDPR interpretation for another time.


Assumption 3: It’s tried and trusted

Well, maybe. MPLS was first deployed in 1999 (the base standard, RFC 3031, followed in 2001), so it's certainly tried. That was pre-Y2K bug; Boris Yeltsin was president of Russia and 'SpongeBob SquarePants' made his debut. Frame Relay and ATM were already in service by then, and MPLS was in part an attempt to bring their traffic-engineering abilities to IP networks. As for trusted, not quite so much. Would you connect a PC running Windows 95/98 to the Internet now and run your enterprise's critical applications on it? Probably not. There have been a number of improvements to the standard over the years, but it is fundamentally the same as it was when first introduced, and in particular it still carries your data in the clear.


Assumption 4: Enterprises don’t have much choice.

Big nope. Over the last two decades we've seen huge innovation in enterprise ICT: hardware and desktop virtualisation, the rise and rise of cloud services and a paradigm shift in capacity and performance. In the last 2-3 years we've seen a similar focus on the WAN. While there are a number of new technologies available, most of the current focus is on the explosion of SD-WAN as a replacement for WAN connectivity. IDC predict 30% of enterprises will be using SD-WAN by 2018 and that the market will continue to grow at 70% compound. We will look at the how and the why of SD-WAN in other blogs, so let's just focus on security.


Is SD-WAN more secure than MPLS?

Yes, provided the overlay actually encrypts and authenticates every path it uses; that is where the implementation matters. Take a look at Citrix ACD/NetScaler SD-WAN, the SD-WAN solution we believe offers the best performance, security and reliability of the SD-WAN solutions available today.


Citrix NetScaler SD-WAN can use any type of connection available between branch and data centre. Using multiple less-expensive circuits, NetScaler SD-WAN creates a software defined secure virtual overlay network that intelligently routes traffic based on network performance by monitoring network conditions in real-time. This ensures more bandwidth, better availability, a great user experience and significant cost savings.


To get technical, every virtual path is encrypted by default with AES-128, which can be raised to AES-256. Keys are rotated on every virtual path every 10-15 minutes using an Elliptic Curve Diffie-Hellman exchange, which limits how much traffic any single key ever protects. Two further options matter more than they sound. The Extended Packet Encryption Header adds per-packet randomness to the encryption so that two identical packets produce different ciphertext; without it, an observer on the shared core can at least see which packets repeat. The Extended Packet Authentication Trailer appends an authentication code to the end of every encrypted packet so the receiver can verify it was not modified in transit. Encryption alone does not give you that: in a counter or stream mode, flipping a bit of ciphertext flips the matching bit of plaintext and nothing complains. The defaults buy confidentiality; turn the options on to get integrity as well.
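Those two options are easiest to understand by watching what goes wrong without them. The block below is an added example written for this post, not Citrix or Edge7 code. It uses only the Python standard library: an HMAC-SHA256 keystream in counter mode stands in for AES (AES in CTR mode has exactly the properties shown), the 8-byte random header, 16-byte tag and the sample packet are the example's own assumptions, and the ECDH key rotation is not modelled.

```python
"""Added example for this post, not code from Citrix or Edge7. It shows why an
encrypted overlay also needs per-packet randomness (the page's Extended Packet
Encryption Header) and an authentication trailer. Standard library only: an
HMAC-SHA256 counter-mode keystream stands in for AES; AES-CTR behaves the same
way for the properties demonstrated here. Key rotation via ECDH is not modelled."""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 8    # per-packet random header; size assumed for this example
TAG_LEN = 16     # truncated HMAC used as the authentication trailer


def subkeys(key: bytes):
    """Derive separate encryption and MAC keys so the keystream and the tag
    never feed the same key the same input (domain separation)."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: block i = HMAC(enc_key, nonce || i), concatenated and cut."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        block = nonce + struct.pack(">Q", ctr)
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes, random_header: bool = True,
            auth_trailer: bool = True) -> bytes:
    """Build nonce || ciphertext [|| tag].
    random_header=False models a tunnel with no per-packet randomness (fixed nonce);
    auth_trailer=False models encryption with no integrity check."""
    enc_key, mac_key = subkeys(key)
    nonce = os.urandom(NONCE_LEN) if random_header else bytes(NONCE_LEN)
    body = nonce + xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    if auth_trailer:
        body += hmac.new(mac_key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body


def decrypt(key: bytes, packet: bytes, auth_trailer: bool = True):
    """Return the plaintext, or None when the trailer fails to verify."""
    enc_key, mac_key = subkeys(key)
    if auth_trailer:
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(mac_key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None          # modified in transit: drop it
    else:
        body = packet
    nonce, ct = body[:NONCE_LEN], body[NONCE_LEN:]
    return xor(ct, keystream(enc_key, nonce, len(ct)))


def repeats_visible(key: bytes, pkt: bytes, random_header: bool) -> bool:
    """True if sending the same packet twice puts identical bytes on the wire,
    i.e. an observer in the shared carrier core can tell the packets repeat."""
    first = encrypt(key, pkt, random_header=random_header, auth_trailer=False)
    second = encrypt(key, pkt, random_header=random_header, auth_trailer=False)
    return first == second


def bitflip_in_transit(key: bytes, plaintext: bytes, auth_trailer: bool):
    """Flip one ciphertext bit between sender and receiver and return what the
    receiver accepts: a silently altered plaintext without a trailer, None
    (packet rejected) with one."""
    packet = bytearray(encrypt(key, plaintext, auth_trailer=auth_trailer))
    packet[NONCE_LEN] ^= 0x01      # first ciphertext byte, just after the header
    return decrypt(key, bytes(packet), auth_trailer=auth_trailer)


if __name__ == "__main__":
    # Constructed sample: a 32-byte key and one branch-to-data-centre request.
    key = bytes(range(32))
    pkt = b"GET /payroll/export HTTP/1.1"
    print("repeat visible, fixed header: ", repeats_visible(key, pkt, False))   # True
    print("repeat visible, random header:", repeats_visible(key, pkt, True))    # False
    print("bit flip, no trailer:  ", bitflip_in_transit(key, pkt, False))      # b'FET /payroll/export HTTP/1.1'
    print("bit flip, with trailer:", bitflip_in_transit(key, pkt, True))       # None
```

The first pair of calls shows the encryption-header point: with a fixed header the two copies of the request are byte-identical on the wire, with a random header they are not. The second pair shows the trailer point: without it, one flipped bit in the carrier core turns `GET` into `FET` and the receiver has no idea; with it, the same packet is rejected. Real AES-CTR behaves identically, which is why the two options belong on together.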

That’s a whole lot more secure.


There is a false sense of security in assuming that an enterprise service from a large carrier makes your WAN traffic secure. Ironically, you get a much more secure configuration by using less expensive circuits with an SD-WAN overlay that encrypts and authenticates them. Improve security, reduce costs. MPLS is on borrowed time!


So, if you are using MPLS and need to better secure your WAN, or want to move to more secure and less expensive solutions, get in touch with Edge7 Networks and we will help you on the journey. You will also enjoy the cost savings and the improvement in user experience that adopters of SD-WAN enjoy.