1. Fig. 1: NIB – II TOPOLOGY
[Figure: nationwide IP topology diagram. Nodes shown: Srinagar, Shimla, Chandigarh, Delhi, Noida, Jaipur, Guwahati, Lucknow, Patna, Gandhinagar / Ahmedabad, Bhopal, Mumbai, Kolkata, Chattisgarh, H-bad, Pune, Bhubaneshwar, Goa, Bangalore, Chennai, Pondicherry, Ernakulam and Thiruvanthapuram. Legend: IGW, CORE Router, EDGE Router, BRAS, STM16 and STM1 links. Back Office facilities – Web hosting, Customer servers, Messaging, Caching, Billing, etc.]
2. Fig. 2: NIB – II ARCHITECTURE
[Figure: architecture of one node. Elements shown: CORE ROUTER with CONNECTIONS TO OTHER CORE ROUTERS; TIER I switch; EDGE ROUTERS (DIAL – UP EDGE ROUTERS with RAS for DIAL – UP connections from the PSTN NETWORK, SERVICE EDGE ROUTERS, MPLS VPN EDGE ROUTERS); NIEX (NATIONAL INTERNET EXCHANGE, TO CONNECT ALL ISPs AND PROVIDE COMMON INTERNATIONAL GATEWAY); TIER II switches; BRAS; DSLAMs; Leased Lines from VPN Subscriber Premises.]
3. Explanatory Notes on VPN Vulnerability
Slide 1 shows the topology of a typical ISP's IP network over which
both Internet and VPN services are laid out; this is the topology of
BSNL's NIB – II. Five cities are connected in a full mesh to form the
core IP backbone across India. Other cities are connected through
tri-node rings from the nodes of the core network, via the Tier-1
switch at these nodes.
Slide 2 shows the architecture of each of these nodes. The core router
at the node sits on the Tier 1 switch, and from that switch are taken
the router connections for all the services: VPN, Internet through
Broadband, and PSTN. Thus you will note that there is continuous
physical connectivity between all the routers in this IP network
through the Tier 1 switch at each IP node (POP), and consequently
there is continuous public-domain access to the VPN routers.
1. In any IP network, public or private, the WAN ports of all routers in
the network have continuous physical access to each other. Thus
while a router port is engaged in communication with another port
in the network, a third port can communicate with it at the same
time. If the IP network is in the public domain (Internet) or has
access from the public domain (VPN), this third port could be that
of a hacker.
2. Thus while security protocols such as IPsec can transport data
securely from one computer to another, the LAN and the databases
residing on it are exposed to the public domain through a VPN that
has public-domain access, for the reasons explained in 1 above.
3. For WAN computing it is necessary to have a real private network
(at least for data communications). Once this is in place,
inter-locational voice / fax can be run over this network at a
marginal increase in operating cost, using the patented PVDTN
system.
4. You should not expose your company databases to the public
domain through the Internet, ISDN back-up, or a VPN (which has
public-domain access), for the reasons explained in 1 above.
5. The MPLS networks currently in vogue are another form of VPN
and are subject to the comments in 1 to 4 above.
We hope the above notes explain the security vulnerability of your
databases when these are on LANs connected to the VPN (MPLS or
otherwise) of any service provider.
If you wish to secure your databases 100%, use point-to-point
leased lines for inter-locational computer connectivity.