
MPLS/VPN Security Threats and Defensive Techniques (provider provision)



  1. MPLS/VPN Security Threats and Defensive Techniques (provider provision)
  Speaker: JET, 3,1’2004

  2. Introduction • From BTexact Technologies

  3. What are the Threats?
  • Observation, modification, or deletion of PPVPN user data
  • Replay of MPLS/VPN user data
  • Injection of non-authentic data into an MPLS/VPN
  • Traffic pattern analysis on MPLS/VPN traffic
  • Disruption of MPLS/VPN connectivity
  • Degradation of MPLS/VPN service quality

  4. Threat sources
  • The MPLS/VPN service provider or persons working for it
  • Other persons who obtain physical access to a service provider site
  • Persons within the organization which is the MPLS/VPN user with respect to a particular MPLS/VPN
  • Persons within an organization that is a separate MPLS/VPN user of the same service provider
  • Others, i.e. attackers from the Internet at large

  5. Security Threats - Data Plane (diagram labels: MPLS/VPN; Traffic Pattern Analysis; Spoofing and Replay; DoS; Unauthorized Observation/Modification/Deletion; Impersonation)

  6. Insertion of Non-Authentic Data Traffic: Spoofing and Replay
  • Spoofing: insertion into the VPN of packets that do not belong there
  • Replay: copies of once-legitimate packets that have been recorded and replayed

  7. Denial of Service Attacks on the MPLS/VPN
  • Monopolize network resources and thus prevent other PPVPNs from accessing those resources
  • Inserting an overwhelming quantity of non-authentic data
  • Overwhelming the service provider's general (MPLS/VPN-independent) infrastructure with traffic
  • Interfering with its operation

  8. Unauthorized Observation/Modification/Deletion of Data Traffic
  • “Sniffing” VPN packets
  • Examining their contents
  • Modifying the contents of packets in flight
  • Causing packets in flight to be discarded
  • Would typically occur
    • on links
    • in a compromised node

  9. Traffic Pattern Analysis
  • “Sniffing” VPN packets and examining aspects or meta-aspects of them
  • Even if the packets are encrypted, an attacker can gain useful information from
    • the amount and timing of traffic
    • packet sizes
    • source and destination addresses
    • etc.

  10. Impersonation
  • The attacker disguises itself to appear as a legitimate entity

  11. Security Threats - Control Plane (diagram labels: MPLS/VPN; Routing Protocols; Address Space Separation; DoS; SP’s Equipment; Cross-connection of Traffic Between MPLS-VPNs; Route Separation)

  12. Denial of Service Attacks on the Network Infrastructure
  • Against the mechanisms the service provider uses to provide MPLS/VPNs
    • MPLS, LDP/BGP, IPsec, etc.
  • Against the general infrastructure of the service provider
    • Core routers
  • Deny the otherwise-legitimate activities of another MPLS/VPN user

  13. Attacks on the Service Provider Equipment Via Management Interfaces
  • Reconfigure the equipment
  • Extract information (statistics, topology, etc.)
  • Malicious entry into the systems
  • Inadvertently, as a consequence of inadequate inter-VPN isolation in an MPLS/VPN user self-management interface

  14. Cross-connection of Traffic Between MPLS/VPNs
  • This refers to the event where the expected isolation between separate PPVPNs is breached
  • This includes cases such as
    • A site being connected into the "wrong" VPN
    • Two or more VPNs being improperly merged together
    • A point-to-point VPN connecting the wrong two points
    • Any packet or frame being improperly delivered outside the VPN it is sent in
  • Likely to be the result of service provider or equipment vendor error

  15. Attacks Against MPLS/VPN Routing Protocols
  • Routing protocols that are run by the service provider - LDP / BGP
  • In layer 3 VPNs with dynamic routing this would typically relate to the distribution of per-VPN routes as well as backbone routes
  • In layer 2 VPNs this would typically relate only to the distribution of backbone routes

  16. Attacks on Route Separation
  • Route separation means keeping the per-VPN topology and reachability information for each PPVPN separate from, and unavailable to, any other PPVPN
  • Attacks on it may
    • Reveal topology
    • Reveal addressing information about an MPLS/VPN
    • Cause black hole routing or unintended cross-connection between MPLS/VPNs

  17. Attacks on Address Space Separation
  • In Layer 3 VPNs, the IP address spaces of different VPNs need to be kept separate
  • In Layer 2 VPNs, the MAC address and VLAN spaces of different VPNs need to be kept separate
  • Failure of separation results in cross-connection between VPNs
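Route and address space separation (slides 14, 16 and 17) rest, in BGP/MPLS layer 3 VPNs, on prepending a route distinguisher to each customer prefix and controlling which VRF imports which routes via route targets. The Python model below is an added example, not part of the presentation or of any vendor implementation; the RD and RT values and the overlapping 10.1.0.0/16 prefixes are constructed, and the leak check assumes plain per-customer VPNs with no intentional extranet sharing.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class VpnRoute:
    """VPN-IPv4 route: the RD prepended to the prefix keeps identical customer prefixes distinct."""
    rd: str                          # constructed "ASN:number" text form
    prefix: ipaddress.IPv4Network
    route_targets: frozenset         # export RTs carried as BGP extended communities

@dataclass
class Vrf:
    name: str
    rd: str
    import_rts: frozenset
    table: dict = field(default_factory=dict)   # prefix -> set of originating RDs

    def maybe_import(self, route: VpnRoute) -> bool:
        """Import a VPN-IPv4 route only when one of its RTs matches an import RT."""
        if not (route.route_targets & self.import_rts):
            return False
        self.table.setdefault(route.prefix, set()).add(route.rd)
        return True

    def lookup(self, dst: str):
        """Longest-prefix match confined to this VRF's own table."""
        addr = ipaddress.ip_address(dst)
        return max((p for p in self.table if addr in p),
                   key=lambda p: p.prefixlen, default=None)

def find_cross_connections(vrfs):
    """Routes a VRF holds that originated under another VPN's RD (no extranet assumed)."""
    return [(v.name, str(prefix), rd)
            for v in vrfs for prefix, rds in v.table.items()
            for rd in rds if rd != v.rd]

def demo(extra_import_for_vpn2=frozenset()):
    # Two customers both use 10.1.0.0/16 (constructed); extra_import_for_vpn2 = misconfigured import.
    vpn1 = Vrf("vpn1", "65000:1", frozenset({"65000:100"}))
    vpn2 = Vrf("vpn2", "65000:2", frozenset({"65000:200"}) | extra_import_for_vpn2)
    shared = ipaddress.ip_network("10.1.0.0/16")
    routes = [VpnRoute("65000:1", shared, frozenset({"65000:100"})),
              VpnRoute("65000:2", shared, frozenset({"65000:200"}))]
    for vrf in (vpn1, vpn2):
        for route in routes:
            vrf.maybe_import(route)
    return {"vpn1_match": str(vpn1.lookup("10.1.2.3")),
            "vpn1_origins": sorted(vpn1.table[shared]),
            "vpn2_origins": sorted(vpn2.table[shared]),
            "leaks": find_cross_connections([vpn1, vpn2])}
```

With the correct import policy each VRF resolves 10.1.2.3 against its own customer's route only; adding the other customer's RT to vpn2's import list reproduces the cross-connection case of slide 14 and is reported by the leak check.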

  18. Defensive Techniques
  • Cryptographic techniques
  • Authentication
  • Access Control techniques
  • Use of Isolated Infrastructure
  • Use of Aggregated Infrastructure
  • Service Provider Quality Control Processes
  • Deployment of Testable MPLS/VPN Service

  19. Defense Philosophy
  • Security threats can be addressed
  • Provider's specific service offerings
  • The MPLS/VPN user should assess the value which these techniques add to the user's VPN requirements
  • Nothing is ever 100% secure; address the threats most likely to occur and/or those with the most dire consequences
  • Goal: make the cost of a successful attack greater than what the adversary is willing to expend

  20. Cryptographic techniques
  • Privacy
    • traffic separation
    • encryption
  • Authentication
  • Integrity
  • Drawbacks
    • Computational burden
    • Complexity of the device configuration
    • Incremental labor cost
    • Packet lengths are typically increased
      • traffic load
      • fragmentation
    • Other devices

  21. IPsec in MPLS/VPNs
  • PE to PE (can’t be employed)
  • PE to CE - weaker links (passing over the Internet)
  • CE-to-CE (only use tunnel mode)
  • Service Level Agreement (SLA) rather than analyzing the specific encryption techniques

  22. Encryption for device configuration and management
  • Secure Shell (SSH) offers protection for TELNET [STD-8] or terminal-like connections to allow device configuration
  • SNMP v3 [STD-62] also provides encrypted and authenticated protection for SNMP-managed devices
  • Transport Layer Security (TLS) (also known as Secure Sockets Layer or SSL) [RFC-2246]

  23. Authentication
  • Prevents
    • Denial-of-Service attacks
    • Malicious misconfiguration
  • Cryptographic techniques
    • shared secret keys
    • one-time keys generated by accessory devices or software
    • user-ID and password pairs
    • public-private key systems
  • Does not protect against some types of denial-of-service attacks
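Slides 6, 20 and 23 describe spoofing and replay and the per-packet authentication and integrity protection that counter them. The Python model below is an added example (not the presentation's code and not any IPsec implementation) of a receiving CE on an authenticated CE-to-CE tunnel: it verifies an HMAC tag computed with a shared secret key and keeps an IPsec-style sliding anti-replay window; the packet layout, key and window size are constructed for the demonstration.

```python
import hashlib, hmac, struct

TAG_LEN = 32   # HMAC-SHA256 tag appended to every tunnel packet

def make_packet(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: 4-byte big-endian sequence number || payload || HMAC tag."""
    body = struct.pack("!I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class AuthenticatedReceiver:
    """Receiving CE: checks the tag, then a sliding anti-replay window over accepted numbers."""
    def __init__(self, key: bytes, window: int = 64):
        self.key, self.window = key, window
        self.highest = 0                 # highest sequence number accepted so far
        self.seen = set()                # accepted numbers still inside the window
        self.counters = {"accepted": 0, "bad_auth": 0, "replayed": 0}

    def receive(self, pkt: bytes):
        if len(pkt) < 4 + TAG_LEN:
            self.counters["bad_auth"] += 1
            return None
        body, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Without the shared key, a spoofed or modified packet cannot carry a valid tag.
        if not hmac.compare_digest(expected, tag):
            self.counters["bad_auth"] += 1
            return None
        seq = struct.unpack("!I", body[:4])[0]
        # Replay: a number already accepted, or one that has fallen behind the window.
        if seq in self.seen or seq <= self.highest - self.window:
            self.counters["replayed"] += 1
            return None
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.window}
        self.counters["accepted"] += 1
        return body[4:]

def demo():
    key = b"constructed-demo-shared-secret"       # constructed sample key
    rx = AuthenticatedReceiver(key)
    p1 = make_packet(key, 1, b"vpn data 1")
    p2 = make_packet(key, 2, b"vpn data 2")
    results = [rx.receive(p1), rx.receive(p2)]
    results.append(rx.receive(p1))               # recorded copy replayed: dropped
    tampered = bytearray(p2)
    tampered[4] ^= 0xFF                          # payload altered in flight: tag fails
    results.append(rx.receive(bytes(tampered)))
    return results, rx.counters
```

The counters are what a PE or CE operator would export for detection: a rising bad_auth count indicates injection or in-flight modification, a rising replayed count indicates recorded traffic being re-sent.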

  24. Authentication issues
  • VPN Member Authentication
  • Management System Authentication
  • Auto-discovery
  • Peer-to-peer Authentication

  25. Access Control techniques
  • Packet-by-packet
  • Packet-flow-by-packet-flow
  • Filtering
  • Firewalls

  26. Filtering
  • Common for routers
  • Filter Characteristics
    • Stateless (in most cases)
    • Stateful (commonly done in firewalls)
  • Actions based on Filter Results
    • Discard
    • Set CoS
    • Count packets and/or bytes
    • Rate Limit - MPLS EXP field
    • Forward and Copy
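The filter actions listed above act on fields of the MPLS label stack entry, so the Python below (an added example, not from the presentation or from any router vendor) decodes RFC 3032 label stack entries and applies a constructed stateless policy: count packets per top label, discard frames with an expired TTL or a malformed stack, and rate-limit by the EXP value; the label numbers, EXP budget and sample frames are constructed.

```python
import struct
from collections import Counter

def parse_label_stack(frame: bytes):
    """Decode RFC 3032 label stack entries: 20-bit label, 3-bit EXP, S bit, 8-bit TTL."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(frame):
            raise ValueError("truncated label stack")
        word = struct.unpack("!I", frame[offset:offset + 4])[0]
        entry = {"label": word >> 12, "exp": (word >> 9) & 0x7,
                 "bos": (word >> 8) & 0x1, "ttl": word & 0xFF}
        entries.append(entry)
        offset += 4
        if entry["bos"]:               # bottom of stack: the rest is the payload
            return entries, frame[offset:]

def build_entry(label: int, exp: int, bos: int, ttl: int) -> bytes:
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)

class PeIngressFilter:
    """Stateless filter: count, discard, rate-limit by EXP (constructed policy)."""
    def __init__(self, exp_budget: dict):
        self.exp_budget = dict(exp_budget)  # EXP -> packets still allowed in this interval
        self.counts = Counter()             # packets per top label, plus malformed frames

    def apply(self, frame: bytes) -> str:
        try:
            stack, _payload = parse_label_stack(frame)
        except ValueError:
            self.counts["malformed"] += 1
            return "discard"
        top = stack[0]
        self.counts[top["label"]] += 1
        if top["ttl"] == 0:
            return "discard"
        budget = self.exp_budget.get(top["exp"])
        if budget is not None:
            if budget <= 0:
                return "rate-limited"
            self.exp_budget[top["exp"]] = budget - 1
        return "forward"

def demo():
    f = PeIngressFilter(exp_budget={0: 2})
    two_label = build_entry(1001, 0, 0, 64) + build_entry(2002, 0, 1, 64) + b"ip"
    outcomes = [f.apply(two_label) for _ in range(3)]               # third exceeds the EXP-0 budget
    outcomes.append(f.apply(build_entry(1001, 0, 1, 0) + b"ip"))   # expired TTL
    outcomes.append(f.apply(b"\x00\x01"))                          # truncated stack
    return outcomes, dict(f.counts)
```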

  27. Firewalls
  • Passing between different trusted zones
    • SP to SP, PE to CE
  • Passing between a trusted zone and an untrusted zone
  • Services
    • threshold-driven denial-of-service attack protection
    • virus scanning
    • acting as a TCP connection proxy
  • Advantage
    • understanding of the topologies
    • understanding of the threat model

  28. Firewalls (cont.)
  • Within the MPLS/VPN framework, traffic typically is not allowed to pass between the various user VPNs
  • Extranets - provide the services required for secure extranet implementation
  • Protect the user VPNs and core network from the public Internet

  29. My LAB Environment (diagram labels: ixp1200 ×4; CE router: Linux; PE router: Linux MPLS Daemon; P router: Linux MPLS Daemon; isp A; isp B; vpn 1; vpn 2; HOST Linux for API; WinXP for Microcode from EE)

  30. Next Presentation (3,8’2004)
  • IXP1200 Linux How To
  • MPLS for Linux Development
