1. Field of the Invention
The field of the invention relates to telecommunications, and in particular, to traffic security over virtual links provided between enterprise sites by service providers.
2. Description of the Prior Art
Telecommunication service providers often provide communication links over a core telecommunication network between multiple enterprise locations. For example, a bank customer could obtain a virtual private network (VPN) from a service provider in order to link the data operations of disparate bank locations or branches. Internet protocol (IP), frame relay, multiprotocol label switching (MPLS), and other protocols are used to access VPNs and carry traffic over the service provider networks.
Security is an important concern to VPN customers. Typically, firewalls are placed between enterprise networks and access or service carriers to protect the enterprise networks from unauthorized access. In one example, firewalls filter incoming and outgoing traffic based on network addresses, media access control (MAC) addresses, and data types.
One problem with virtual private networks is that traffic from multiple customers is carried over a common network. In addition, VPNs can be mis-provisioned. For example, access equipment at one customer site could be mis-provisioned to send traffic on the VPN of another customer, rather than on the VPN assigned to that customer. As a result, traffic is frequently routed to the wrong customer.
Presently, most security measures do not account for a situation wherein a VPN is mis-provisioned. For instance, once traffic originating from one customer network is allowed by the network firewall and transmitted over a VPN belonging to another customer, the access equipment on the terminating end of the VPN will typically allow the traffic based on the assumption that traffic received over a secure VPN is itself secure. As a result, customer traffic belonging to one customer will be routed to the network of another customer.
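The gap described above is that the terminating-end equipment trusts anything arriving on the VPN. The following is an added illustration, not part of the patent text, of the kind of ingress check that closes it: each packet's source address is compared against the prefixes provisioned for the VPN it arrived on, and traffic from another customer's address space is rejected and logged. The VPN identifiers, prefixes, and packets are constructed sample values; treating a VPN with no provisioning record as deny-by-default is an assumption of this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed provisioning table (hypothetical values): VPN identifier ->
# prefixes the customer assigned to that VPN is expected to source traffic from.
PROVISIONED_PREFIXES = {
    "vpn-bank-a": ["10.10.0.0/16", "192.168.100.0/24"],
    "vpn-retail-b": ["10.20.0.0/16"],
}

@dataclass(frozen=True)
class Packet:
    vpn_id: str   # VPN the packet arrived on at the terminating site
    src: str      # source IP address from the packet header
    dst: str      # destination IP address from the packet header

def _networks(vpn_id):
    # Unknown VPN id -> empty list -> every packet on it is rejected (deny by default).
    return [ipaddress.ip_network(p) for p in PROVISIONED_PREFIXES.get(vpn_id, [])]

def is_expected_source(pkt):
    """True if the source address lies in a prefix provisioned for this VPN."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in _networks(pkt.vpn_id))

def filter_ingress(packets):
    """Split packets into (accepted, rejected).

    A rejected packet arrived on a VPN whose provisioned customer does not own
    its source address, which is exactly what a mis-provisioned VPN produces.
    """
    accepted, rejected = [], []
    for pkt in packets:
        (accepted if is_expected_source(pkt) else rejected).append(pkt)
    return accepted, rejected

# Constructed sample traffic as seen at the bank's and retailer's terminating sites.
SAMPLE_PACKETS = [
    Packet("vpn-bank-a", "10.10.5.7", "10.10.9.1"),    # legitimate bank traffic
    Packet("vpn-bank-a", "10.20.3.3", "10.10.9.1"),    # retail customer's traffic leaked onto the bank VPN
    Packet("vpn-retail-b", "10.20.1.1", "10.20.8.8"),  # legitimate retail traffic
    Packet("vpn-unknown", "10.30.0.1", "10.10.9.1"),   # VPN with no provisioning record
]

if __name__ == "__main__":
    ok, bad = filter_ingress(SAMPLE_PACKETS)
    for p in bad:
        print(f"REJECT vpn={p.vpn_id} src={p.src} dst={p.dst}: source not provisioned for this VPN")
    print(f"{len(ok)} accepted, {len(bad)} rejected")
```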