To protect your data and your network, there is no way around securing your VPN. As an added bonus, you will also be compliant with key regulations. If you have an Ethernet-VPN you will need an Ethernet encryptor that encrypts the network at layer 2. An MPLS-VPN operates at an intermediate layer, right between layer 2 and layer 3. You can encrypt an MPLS-VPN at layer 2 with an Ethernet encryptor that is MPLS-aware, or you can encrypt at layer 3, with all the performance penalties and additional overhead that layer 3 encryption is known for.
Unprotected Virtual Private Networks
Virtual Private Networks are only secure if encrypted. The word “private” isn’t a synonym for “encrypted”; it only means that a given user’s virtual network is not shared with others. In reality a Virtual Private Network still runs on a shared infrastructure and is not secured. Carriers claim that a virtual private network is as safe as a leased line, but forget to mention that leased lines are unsecured as well. Furthermore, virtual private networks run on a transport network that provides the shared infrastructure and that can be attacked. Encryption combined with replay and integrity protection secures your Virtual Private Network.
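The last sentence names the two protections that have to accompany encryption: integrity protection, so that a modified frame is rejected, and replay protection, so that a captured frame cannot be fed back into the network later. The following Python code is an added example and not from the original article; it shows both mechanisms on constructed frames, using a sliding sequence-number window in the style of IPsec ESP and MACsec. The keys, the HMAC-based keystream and the frame layout (sequence number, ciphertext, tag) are constructed for the demonstration; a real encryptor would use an AEAD cipher such as AES-GCM instead.

```python
"""Integrity and anti-replay protection for VPN frames (added demo code)."""
import hashlib
import hmac
import struct

SEQ_LEN = 8            # 64-bit sequence number carried in the clear
TAG_LEN = 16           # truncated HMAC-SHA256 tag
WINDOW = 64            # anti-replay window size in sequence numbers
KEY_ENC = b"constructed-demo-key-for-confidentiality"   # constructed key
KEY_MAC = b"constructed-demo-key-for-integrity"         # constructed key


def keystream(seq: int, length: int) -> bytes:
    """Demo keystream: HMAC-SHA256 blocks keyed on the sequence number.
    Never reused, because every sequence number is sent only once."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(KEY_ENC, struct.pack(">QI", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def protect(seq: int, payload: bytes) -> bytes:
    """Sender side: encrypt, then tag seq || ciphertext (encrypt-then-MAC)."""
    ct = bytes(p ^ k for p, k in zip(payload, keystream(seq, len(payload))))
    header = struct.pack(">Q", seq)
    tag = hmac.new(KEY_MAC, header + ct, hashlib.sha256).digest()[:TAG_LEN]
    return header + ct + tag


class Receiver:
    """Verifies the tag first, then applies the sliding replay window.
    Window state only changes for frames whose tag verified, so a forged
    sequence number cannot move the window."""

    def __init__(self, window: int = WINDOW):
        self.window = window
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set: seq (highest - i) already seen
        self.stats = {"accepted": 0, "bad_tag": 0, "replay": 0, "too_old": 0}

    def _window_check(self, seq: int) -> str:
        if seq > self.highest:
            # Slide the window forward and mark the new highest as seen.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
            return "accepted"
        behind = self.highest - seq
        if behind >= self.window:
            return "too_old"      # older than the window: cannot tell, reject
        if (self.bitmap >> behind) & 1:
            return "replay"       # already seen inside the window
        self.bitmap |= 1 << behind
        return "accepted"         # late but genuine, seen for the first time

    def receive(self, frame: bytes):
        """Returns the plaintext of an accepted frame, None otherwise."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            self.stats["bad_tag"] += 1
            return None
        header, ct, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(KEY_MAC, header + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            self.stats["bad_tag"] += 1
            return None
        seq = struct.unpack(">Q", header)[0]
        verdict = self._window_check(seq)
        self.stats[verdict] += 1
        if verdict != "accepted":
            return None
        return bytes(c ^ k for c, k in zip(ct, keystream(seq, len(ct))))


def demo() -> dict:
    """Constructed traffic: in-order, reordered, replayed, tampered, stale."""
    frames = {i: protect(i, b"msg%d" % i) for i in range(1, 6)}
    rx = Receiver()
    rx.receive(frames[1])                   # accepted
    rx.receive(frames[3])                   # accepted, window top is now 3
    rx.receive(frames[2])                   # late but new: accepted
    rx.receive(frames[2])                   # same frame again: replay
    tampered = bytearray(frames[4])
    tampered[SEQ_LEN] ^= 0x01               # flip one ciphertext bit
    rx.receive(bytes(tampered))             # bad_tag
    rx.receive(frames[4])                   # untouched original: accepted
    rx.receive(protect(200, b"later"))      # moves the window far ahead
    rx.receive(frames[5])                   # now 195 behind: too_old
    return dict(rx.stats)


if __name__ == "__main__":
    print(demo())
```

The order of the checks is the important design point: the tag is verified before the window is touched, so only authentic frames can advance it, and a frame that falls behind the window is rejected even though it was never seen, because the receiver has no way to distinguish it from a replay.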
Only SSL- and SSH-VPNs come with required built-in encryption. The security provided is only as good as its implementation, and recent events have shown that a proper implementation is not a given. For IP-VPNs the use of IPsec is not mandatory, despite the omnipresence of IPsec functionality. In practice it is rare to see an IP-VPN that is not encrypted. The standard key system for IPsec is limited to point-to-point connections. MPLS is situated on layer 2.5 and doesn’t come with any encryption; it can be encrypted either at layer 2 or at layer 3. There is also no official standard for encrypting Ethernet-VPNs at layer 2 or OTN at layer 1. Despite the lack of official standards, there are suitable solutions available on the market.
Unprotected optical fiber links
Optical fiber links are often considered to be “private” links because the link’s use, down to the physical layer, is exclusive to a single customer. But “private” just means exclusive use and should not be confused with “secure”. Neither fiber nor wavelengths come with built-in security. It is actually pretty easy to tap optical fiber, and once tapped, the entire traffic running over it is exposed. Proper measures can protect the network and the data.
Optical links are best secured at the physical or the data link layer. Encrypting at layer 1 allows multiple different layer 2 protocols, such as Ethernet, Fibre Channel and InfiniBand, to be encrypted, whereas encryption at layer 2 secures a single layer 2 protocol. In both cases the widely available upper bandwidth limit is 10G, so encryption of a 10G Ethernet point-to-point connection can be as efficient at layer 2 as it is at layer 1. For both layers there are already installations with higher bandwidths (40 Gb/s and 100 Gb/s), and encryption solutions for those bandwidths are already available. The typical use case is a data center interconnect (DCI).
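The first paragraph of the article attributes performance penalties and additional overhead to layer 3 encryption, and this section compares layer 1 with layer 2. The Python code below is an added example, not from the original article, that makes the per-frame byte overhead concrete for one IPv4 packet at each layer: layer 1 encrypts the bit stream in place and adds nothing, layer 2 adds the MACsec SecTAG and ICV, and layer 3 wraps the packet in an outer IP header plus ESP fields. The header sizes are the standard ones for the protocol options assumed here (802.1AE MACsec with an 8-byte SecTAG and GCM-AES-128; IPsec ESP in tunnel mode over IPv4 with AES-GCM-128); other cipher suites or options change the counts.

```python
"""Per-frame byte overhead of encrypting at layer 1, 2 or 3 (added example)."""

ETH_HEADER = 14         # destination MAC + source MAC + EtherType
ETH_FCS = 4             # frame check sequence
ETH_MIN_FRAME = 64      # minimum frame size, header through FCS
ETH_PREAMBLE_IFG = 20   # 8-byte preamble/SFD + 12-byte inter-frame gap
IP_HEADER = 20          # IPv4 header without options

MACSEC_SECTAG = 8       # SecTAG without the optional 8-byte SCI (assumed option)
MACSEC_ICV = 16         # GCM-AES-128 integrity check value

ESP_SPI_SEQ = 8         # security parameters index + sequence number
ESP_IV = 8              # explicit AES-GCM IV (RFC 4106)
ESP_TRAILER = 2         # pad length + next header
ESP_ICV = 16            # AES-GCM-128 integrity check value
ESP_PAD_ALIGN = 4       # ESP payload plus trailer is aligned to 4 bytes


def esp_padding(inner_len: int) -> int:
    """Padding bytes so that inner packet + trailer is 4-byte aligned."""
    return (-(inner_len + ESP_TRAILER)) % ESP_PAD_ALIGN


def outer_ip_bytes(ip_payload: int, layer: int) -> int:
    """Length of the IP packet that reaches the link for ip_payload bytes of
    transport payload. layer: 0 = clear, 1 = optical, 2 = MACsec, 3 = ESP."""
    ip_packet = IP_HEADER + ip_payload
    if layer in (0, 1, 2):
        return ip_packet          # layers 1 and 2 do not touch the IP packet
    if layer == 3:
        # ESP tunnel mode: new outer IP header, ESP header, IV, whole inner
        # packet, padding, trailer and ICV.
        return (IP_HEADER + ESP_SPI_SEQ + ESP_IV + ip_packet
                + esp_padding(ip_packet) + ESP_TRAILER + ESP_ICV)
    raise ValueError("layer must be 0, 1, 2 or 3")


def frame_bytes(ip_payload: int, layer: int) -> int:
    """Ethernet frame length, header through FCS, for one packet."""
    extra = MACSEC_SECTAG + MACSEC_ICV if layer == 2 else 0
    frame = ETH_HEADER + extra + outer_ip_bytes(ip_payload, layer) + ETH_FCS
    return max(frame, ETH_MIN_FRAME)


def wire_bytes(ip_payload: int, layer: int) -> int:
    """Link capacity consumed, including preamble and inter-frame gap."""
    return frame_bytes(ip_payload, layer) + ETH_PREAMBLE_IFG


def goodput_fraction(ip_payload: int, layer: int) -> float:
    """Share of link capacity that carries the transport payload."""
    return ip_payload / wire_bytes(ip_payload, layer)


def fits_mtu(ip_payload: int, layer: int, mtu: int = 1500) -> bool:
    """Whether the IP packet on the link still fits the MTU. Only layer 3
    grows the IP packet, so only layer 3 can force fragmentation."""
    return outer_ip_bytes(ip_payload, layer) <= mtu


def overhead_table(sizes=(64, 512, 1460)) -> list:
    """Goodput fraction per layer for a few constructed payload sizes."""
    return [{"payload": s,
             "layer1": round(goodput_fraction(s, 1), 4),
             "layer2": round(goodput_fraction(s, 2), 4),
             "layer3": round(goodput_fraction(s, 3), 4),
             "layer3_fits_mtu": fits_mtu(s, 3)} for s in sizes]


if __name__ == "__main__":
    for row in overhead_table():
        print(row)
```

Besides the lost goodput, the last column shows the second penalty the article alludes to: a full-size 1460-byte payload that fits a 1500-byte MTU unencrypted and under MACsec no longer fits once ESP has wrapped it, so a layer 3 encryptor either fragments or the MSS has to be clamped, neither of which arises at layer 1 or layer 2.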
In the metro area the availability of optical fiber links is increasing at a fast pace, but regional and wide area networks run mostly over a shared infrastructure. This is mainly due to two factors: (1) the distance-based cost structure of optical fiber links, which makes it prohibitively expensive to operate them over long distances, and (2) the diminishing latency benefit, since latency increases with distance and limits the economically justifiable scenarios. Network access and short-distance data center interconnect (DCI) for mirroring are therefore the two main use cases. A Virtual Private Network (VPN) is a lower-cost alternative that can be operated over different transport networks. Neither VPNs nor direct optical fiber links are secure without additional provisions.