MPLS Security for TWAREN - PowerPoint PPT Presentation

1
MPLS Security for TWAREN
  • ???
  • bcheng@ccu.edu.tw, Tel: 05-2720411 ext. 33512
  • ???
  • khc91@comm.ccu.edu.tw, Tel: 05-2720411 ext. 23535

Information Networking Security and Assurance LAB
Department of Communication Engineering
National Chung Cheng University, Chia-Yi, Taiwan 62107, ROC
http://insa.comm.ccu.edu.tw
2
Outline
  • Introduction
  • Security of the MPLS Architecture
  • MPLS Security Threats
    • Control Plane
    • Data Plane
  • Defending Techniques
    • Securing the MPLS core
    • MPLS/VPN Internet Access Architecture
    • When IPsec meets MPLS
  • Security Incident Response
  • Conclusion

3
Security Is Not Optional!
[Chart of carrier requirements for core IP routers: System Access Security, Denial of Service Mitigation, MPLS Traffic Engineering, MPLS for VPN Support. Source: BTexact Technologies]
4
Security of the MPLS Architecture
  • General VPN Security Requirements
  • Address Space and Routing Separation
  • Hiding of the MPLS Core Structure
  • Resistance to Attacks
  • Impossibility of Label Spoofing
  • Is MPLS/VPN Secure?

5
Address Space Separation
Each interface is assigned to a VRF (Virtual Routing and Forwarding Instance)
  • Any VPN must be able to use the same address space as any other VPN
  • Any VPN must be able to use the same address space as the MPLS core

6
Routing Separation
  • Routing between any two VPNs must be independent
  • Routing between any VPN and the core must be independent
  • Each VRF has an RD (route distinguisher)
  • Routing instance within one RD
    -> within one VRF
    -> Routing Separation
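The two slides above describe separation by construction: every CE-facing interface is bound to one VRF, each VRF carries its own RD, and inside the core a customer prefix travels as RD:prefix. The Python below is an added model of that mechanism (it is not code from the slides or from any router vendor) showing two VPNs that both use 10.1.0.0/16 yet never see each other's routes; interface names, RDs and prefixes are constructed for the example.

```python
"""Address-space and routing separation by VRF and route distinguisher (RD).
Added example, not code from the slides or from any vendor. It models what the two slides
state: each CE-facing interface belongs to one VRF, every VRF has its own RD, and a prefix
advertised across the core is RD:prefix, so two VPNs that both use 10.1.0.0/16 produce two
distinct routes. Interface names, RDs and prefixes are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Vrf:
    name: str
    rd: str                                                        # route distinguisher, e.g. "65000:100"
    routes: Dict[IPv4Network, str] = field(default_factory=dict)   # prefix -> next hop (CE)

    def add_route(self, prefix: str, via: str) -> None:
        self.routes[ip_network(prefix)] = via

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match confined to this VRF's own table."""
        addr = ip_address(dst)
        best: Optional[Tuple[IPv4Network, str]] = None
        for net, via in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return best[1] if best else None


class PeRouter:
    def __init__(self) -> None:
        self.vrfs: Dict[str, Vrf] = {}
        self.iface_to_vrf: Dict[str, str] = {}
        self.vpnv4: Dict[Tuple[str, IPv4Network], str] = {}   # (RD, prefix) -> originating VRF

    def add_vrf(self, vrf: Vrf) -> None:
        self.vrfs[vrf.name] = vrf

    def bind_interface(self, iface: str, vrf_name: str) -> None:
        self.iface_to_vrf[iface] = vrf_name

    def advertise(self) -> None:
        """Build the VPNv4 table handed to the core: the RD keeps overlapping prefixes apart."""
        for vrf in self.vrfs.values():
            for prefix in vrf.routes:
                self.vpnv4[(vrf.rd, prefix)] = vrf.name

    def vpnv4_routes(self) -> List[str]:
        return sorted(f"{rd}:{prefix}" for rd, prefix in self.vpnv4)

    def forward(self, ingress_iface: str, dst: str) -> Optional[str]:
        """A packet from a CE interface is looked up only in that interface's VRF, never in another VPN's."""
        vrf_name = self.iface_to_vrf.get(ingress_iface)
        if vrf_name is None:
            return None   # not a VRF interface; the global (core) table is not modelled here
        return self.vrfs[vrf_name].lookup(dst)


def build_demo_pe() -> PeRouter:
    """Two customers, RED and BLUE, both numbered from 10.1.0.0/16 (constructed sample)."""
    pe = PeRouter()
    red, blue = Vrf("RED", "65000:100"), Vrf("BLUE", "65000:200")
    red.add_route("10.1.0.0/16", "CE1-red")
    blue.add_route("10.1.0.0/16", "CE2-blue")     # same prefix as RED, different customer
    blue.add_route("10.1.5.0/24", "CE3-blue")     # more specific route that exists inside BLUE only
    for vrf in (red, blue):
        pe.add_vrf(vrf)
    pe.bind_interface("Gi0/1", "RED")
    pe.bind_interface("Gi0/2", "BLUE")
    pe.advertise()
    return pe
```

The same destination address resolves differently depending on the ingress interface, and the advertised table holds three VPNv4 routes even though only two distinct IP prefixes exist; that is the whole point of the RD.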

7
Hiding of the MPLS Core Structure
  • Only the PE interface is exposed!
  • Comparable to Layer 2 (such as Frame Relay or
    ATM) infrastructure
  • Attacks become more difficult

8
Resistance to Attacks
  • Impossible to intrude into MPLS/VPN directly
  • Weak point: the PE
  • Attacking methods
    • DoS
    • MPLS signaling mechanisms (e.g., routing protocol poisoning)
    • Management interface

9
Impossibility of Label Spoofing
  • Only possible on an IP network, not in MPLS/VPN
  • Packets arriving with a label on a CE interface will be dropped
  • There is strict addressing separation within the PE router, and each VPN has its own VRF
  • The VPN that the spoofed packet originated from

10
Comparison with ATM / FR
MPLS is at least as secure as Frame Relay and ATM networks!
11
MPLS Security Threats: Data Plane
  • Spoofing and Replay
  • DoS
  • Unauthorized Manipulation
  • Traffic Pattern Analysis
  • Impersonation

12
MPLS Security Threats: Control Plane
  • DoS
    • SP's equipment via the management interface
    • Routing protocols
  • Route separation
  • Address space separation
  • Mis-configuration
    • Cross-connection of traffic between MPLS-VPNs

13
Securing the MPLS core
  • Defense in depth
    • Multiple layers of protection to prevent and mitigate security incidents (events that involve a security violation)
  • Protection
    • Control plane
    • Data plane
  • Security perimeter
    • Firewall
    • IDS
    • IPsec
    • AAA

14
Control Plane
  • Strong login authentication
    • One-time password
    • Encrypted
    • Authorization and accounting
  • Protect the router from direct attack or break-in
  • Protect the routing protocol from direct attack or route insertion
  • If attacks are found
    • Trace back attacks and stop/rate-limit them at the edge of the network
    • Collect data on the attack for law enforcement actions

15
The Weakest Link: CE-PE!
  • CE-PE interface: secure with ACLs
  • Separation of CE-PE links where possible (Internet/VPN)
  • PE-CE routing security
    • Dynamic, with the appropriate authentication mechanisms
      • RFC 2082 - RIP-2 MD5 Authentication
      • RFC 2154 - OSPF with Digital Signatures
      • RFC 2385 - Protection of BGP Sessions via the TCP MD5 Signature Option
    • Routing protocols must be further secured
      • For example, in BGP it is possible to configure dampening parameters
    • Static routing
      • Just pointing to an interface rather than to a peer IP address
      • Protected with ACLs
  • The security is very high and fully comparable to similar Layer 2 services
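The slide names RFC 2385 as the way to protect the PE-CE BGP session. As an added example (not from the slides, and not the code of Cisco IOS or any BGP implementation), the Python below computes and verifies the TCP MD5 signature the way the RFC defines it: MD5 over the TCP pseudo-header, the fixed TCP header with checksum zeroed and options excluded, the segment data, and the shared key. Addresses, ports, the key and the BGP KEEPALIVE payload are constructed; the verifier side shows why a segment from a party without the key, or a segment whose header was altered, is discarded.

```python
"""RFC 2385 TCP MD5 signature for a PE-CE BGP session (added example, not from the slides).
The digest covers MD5(pseudo-header || fixed TCP header with checksum = 0 and no options ||
segment data || shared key). Both ends hold the key; a segment whose digest does not match
is silently discarded, which is what keeps a third party that does not know the key from
injecting segments into the session. All addresses, ports and the key are constructed.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

TCP_PROTO = 6


@dataclass
class TcpSegment:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int               # 9 flag bits, e.g. 0x18 = PSH|ACK, 0x14 = RST|ACK
    window: int
    urg: int
    options_len: int         # bytes of options carried on the wire, MD5 option included
    payload: bytes

    @property
    def data_offset(self) -> int:
        """Header length in 32-bit words, options included (options are padded to a word)."""
        return (20 + self.options_len) // 4


def tcp_md5_digest(seg: TcpSegment, key: bytes) -> bytes:
    """Compute the RFC 2385 digest over the four parts in the order the RFC lists them."""
    seg_len = seg.data_offset * 4 + len(seg.payload)
    pseudo = (IPv4Address(seg.src_ip).packed
              + IPv4Address(seg.dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    offset_flags = (seg.data_offset << 12) | (seg.flags & 0x1FF)
    # Fixed 20-byte TCP header with the checksum forced to zero; options are excluded by design.
    header = struct.pack("!HHIIHHHH", seg.src_port, seg.dst_port, seg.seq, seg.ack,
                         offset_flags, seg.window, 0, seg.urg)
    h = hashlib.md5()
    for part in (pseudo, header, seg.payload, key):
        h.update(part)
    return h.digest()


def verify_segment(seg: TcpSegment, key: bytes, received: bytes) -> bool:
    """Receiver-side check; constant-time compare so timing reveals nothing about the key."""
    return hmac.compare_digest(tcp_md5_digest(seg, key), received)


# Constructed sample: a BGP KEEPALIVE (16 marker bytes of 0xFF, length 19, type 4) from CE to PE.
CE_IP, PE_IP = "192.0.2.2", "192.0.2.1"          # documentation addresses, constructed
SHARED_KEY = b"pe-ce-bgp-secret"                  # placeholder key, constructed
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def demo() -> dict:
    seg = TcpSegment(CE_IP, PE_IP, 49152, 179, seq=1000, ack=2000, flags=0x18,
                     window=65535, urg=0, options_len=20, payload=KEEPALIVE)
    digest = tcp_md5_digest(seg, SHARED_KEY)
    # A party without the key cannot produce a matching digest ...
    without_key = tcp_md5_digest(seg, b"wrong-key")
    # ... and any change to a covered field (here the flags, turning it into a reset) invalidates it.
    altered = TcpSegment(CE_IP, PE_IP, 49152, 179, seq=1000, ack=2000, flags=0x14,
                         window=65535, urg=0, options_len=20, payload=b"")
    return {
        "digest_len": len(digest),
        "genuine_ok": verify_segment(seg, SHARED_KEY, digest),
        "wrong_key_ok": verify_segment(seg, SHARED_KEY, without_key),
        "altered_ok": verify_segment(altered, SHARED_KEY, digest),
    }
```

On a Cisco PE this is what the per-neighbor BGP password turns on; the example makes visible which bytes the key actually protects (addresses, ports, sequence numbers, flags and data) and which it does not (the TCP options themselves).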

16
Banners
  • Login banner
    • This is a legal requirement in some jurisdictions; check with your legal group
  • Exec banner
    • Used to remind staff of specific conditions

17
Internal Risk
  • To avoid the risk of misconfigurations
    • It is important that the equipment is easy to configure
    • SP staff have the appropriate training and experience
  • To avoid the risk of "internal" attacks
    • Network-element security
    • Management security
    • Physical security of the SP infrastructure
    • Access control to SP installations
    • Other standard SP security mechanisms

18
Data Plane
  • RFC 2827 Network Ingress Filtering
    • Your customers should not be sending any IP packets out to the Internet with a source address other than the address you have allocated to them!
  • Anti label spoofing
  • Filter as close to the edge as possible
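This slide and slide 9 (Impossibility of Label Spoofing) together describe the two checks a PE applies on a CE-facing interface: a frame that already carries an MPLS label is dropped, and an IP packet whose source is outside the customer's allocated prefixes is dropped (RFC 2827). The Python below is an added model of that ingress policy, not code from the slides or from any router; interface names, prefixes and packets are constructed, and the per-verdict counters are the kind of thing a defender would export for monitoring.

```python
"""PE ingress policy on a CE-facing interface (added example, not from the slides).
Two checks the slides ask for at the edge: (1) a frame arriving on a CE-facing interface
that already carries an MPLS label is dropped, so a customer cannot inject labels into the
core (anti label spoofing); (2) an IP packet whose source address is outside the prefixes
allocated to that customer is dropped (RFC 2827 ingress filtering). Interfaces, prefixes
and packets below are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass
class Packet:
    ingress_iface: str
    src: str
    dst: str
    labeled: bool = False    # True when the frame carried an MPLS label stack (EtherType 0x8847)


class CeFacingPolicy:
    """Rule set for one CE-facing interface."""

    def __init__(self, allocated_prefixes: List[str]) -> None:
        self.allocated = [ip_network(p) for p in allocated_prefixes]

    def verdict(self, pkt: Packet) -> str:
        if pkt.labeled:
            return "drop:labeled-on-ce-interface"      # labels are never accepted from a CE
        if not any(ip_address(pkt.src) in net for net in self.allocated):
            return "drop:rfc2827-source"               # source not allocated to this customer
        return "permit"


def apply_policies(packets: List[Packet],
                   policies: Dict[str, CeFacingPolicy]) -> Tuple[List[Tuple[Packet, str]], Counter]:
    """Classify each packet with its interface's policy; interfaces without a policy are not CE-facing and are skipped."""
    results: List[Tuple[Packet, str]] = []
    counts: Counter = Counter()
    for pkt in packets:
        policy = policies.get(pkt.ingress_iface)
        if policy is None:
            continue
        verdict = policy.verdict(pkt)
        results.append((pkt, verdict))
        counts[verdict] += 1
    return results, counts


# Constructed sample: the customer on Gi0/1 holds 192.0.2.0/24, the one on Gi0/2 holds 198.51.100.0/24.
POLICIES = {
    "Gi0/1": CeFacingPolicy(["192.0.2.0/24"]),
    "Gi0/2": CeFacingPolicy(["198.51.100.0/24"]),
}
SAMPLE = [
    Packet("Gi0/1", "192.0.2.10", "203.0.113.5"),                  # legitimate
    Packet("Gi0/1", "198.51.100.7", "203.0.113.5"),                # source belongs to the other customer
    Packet("Gi0/1", "192.0.2.10", "203.0.113.5", labeled=True),    # label stack from a CE: never accepted
    Packet("Gi0/2", "198.51.100.9", "192.0.2.10"),                 # legitimate
]


def demo() -> Counter:
    _, counts = apply_policies(SAMPLE, POLICIES)
    return counts
```

Note the order of the checks: the label test runs first, so a labeled frame is dropped even when its inner source address would have passed the RFC 2827 test.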

19
MPLS/VPN Internet Access Architecture
  • Core supports VPNs and Internet
  • VPNs remain separated
  • Internet as an option for a VPN
  • Essential
    • Firewall (on CE / on PE)
    • IDS (Intrusion Detection System)
    • AAA

20
Firewalls to the Internet (Firewalls on CEs)
  • Option 1: Separate Access Lines
    • Option 1a: Separate Access Lines - 2 PEs
    • Option 1b: Separate Access Lines - one PE
  • Option 2: Shared Access Line
    • Option 2a: Shared Access Line - Frame Relay Logical Links
    • Option 2b: Shared Access Line - CE with VRF-Lite

21
Option 1a: Separate VPN and Internet Access
[Diagram: CE1 connects to PE1 (VRF Internet) for Internet access through a Firewall/NAT; CE2 connects to PE2 (VRF VPN) for VPN access; both PEs sit on the MPLS core with P routers.]
  • Separation
  • DoS resistance
  • Cost (two lines and two PEs: expensive!)
22
Option 1b: Separate Access Lines, CEs, One PE
[Diagram: CE1 and CE2 connect over separate lines to PE1, which holds both VRF Internet (Internet access through a Firewall/NAT) and VRF VPN; PE1 sits on the MPLS core with P routers.]
  • Separation
  • DoS resistance (DoS might impact the VPN on the PE)
  • Cost (two lines but only one PE)
23
Option 2a: Shared Access Line - Frame Relay Logical Links
[Diagram: an Internet CE and a VPN CE share one access line to PE1 over separate FR logical links, mapped to VRF Internet (Internet access through a Firewall/NAT) and VRF VPN; PE1 sits on the MPLS core with P routers.]
  • Separation
  • DoS resistance (DoS might affect the VPN on the PE, line, CE)
  • Cost

24
Option 2b: Shared Access Line - CE with VRF-Lite
[Diagram: one VPN CE running VRF-Lite carries both VRF Internet and VRF VPN over a single access line to PE1, which maps them to its own VRF Internet (Internet access through a Firewall/NAT) and VRF VPN; PE1 sits on the MPLS core with P routers.]
  • Separation
  • DoS resistance (DoS might affect the VPN on the PE, line, CE)
  • Cost

25
Hub-and-Spoke VPN with Internet Access
[Diagram: hub-and-spoke topology over the MPLS core (P routers); the hub site has an Internet CE behind a Firewall/NAT on PE1 (VRF Internet) and a VPN CE on PE2 (VRF VPN); spoke VPN sites attach through their own CEs and PEs.]
26
Firewalls to the Internet (Firewalls on PEs)
  • Option 1: Stacking Firewalls
  • Option 2: One Central Firewall
    • Option 2a: NAT on PE, one Central Firewall
    • Option 2b: NAT on CE, one Central Firewall
  • Option 3: Firewalls on CE Sites (in SP Domain)
    • Option 3a: IOS Firewall on CE
    • Option 3b: On-Site Firewall

27
Option 1: Stacking Firewalls
  • Central Management
  • Strong Firewalls
  • Different policies per customer possible
  • CEs not touched
  • +/- One firewall per customer

[Diagram: SP domain with the TWAREN MPLS core, PEs and CEs for several VPNs; one firewall per customer stacked between the core and the Internet.]
28
Option 2a: NAT on PE, one Central Firewall
  • Central Management
  • One Strong Firewall
  • Easy to Deploy
  • CEs not touched
  • - Customer cannot pick his firewall

[Diagram: SP domain with the TWAREN MPLS core, PEs and CEs for several VPNs; one central firewall between the core and the Internet, NAT performed on the PEs.]
29
Option 2b: NAT on CE, one Central Firewall
  • Central Management
  • One Strong Firewall
  • Easy to Deploy
  • - Customer cannot pick his firewall
  • - CEs need config

[Diagram: SP domain with the TWAREN MPLS core, PEs and CEs for several VPNs; one central firewall between the core and the Internet, NAT performed on the CEs.]
30
Option 3a: IOS Firewall on CE
  • Economic
  • One Firewall per customer
  • No Central Devices
  • - Management more difficult
  • - CEs need config

[Diagram: SP domain with the TWAREN MPLS core, PEs and CEs for several VPNs; the IOS Firewall runs on each CE, with no central device toward the Internet.]
31
Option 3b: On-Site Firewall
  • One Firewall per customer and at every site
  • No Central Devices
  • CEs not touched
  • Different policies per customer possible
  • - Management more difficult
  • - Higher Cost

[Diagram: SP domain with the TWAREN MPLS core, PEs and CEs for several VPNs; a separate firewall at every customer site, with no central device toward the Internet.]
32
Our suggestion: 2a + 3a
  • Strong Firewall
  • Different policies per customer
  • Whole MPLS core security policy enforcement
  • Cost effective
  • One Firewall per customer
  • Defense in depth

[Diagram: TWAREN domain with the TWAREN MPLS core, PEs and CEs for several VPNs; one central firewall toward the Internet combined with the IOS Firewall on the CEs.]
33
Types of IDS (Information Source)
http://www.networkintrusion.co.uk/ids.htm
34
NIDS Deployments
[Diagram: four candidate sensor locations, numbered 1 to 4]
  • Location 1
    • See all outside attacks to help forensic analysis
  • Location 2 (DMZ)
    • Identify DMZ-related attacks
    • Spot outside attacks that penetrate the network's perimeter
    • Avoid outside attacks on the IDS itself
    • Highlight external firewall problems with the policy/performance
    • Pinpoint compromised servers via outgoing traffic
  • Location 3
    • Increase the possibility of recognizing attacks
    • Detect attacks from insiders or authorized users within the security perimeter
  • Location 4
    • Observe attacks on critical systems and resources
    • Provide cost-effective solutions
  • Mode
    • Tap
    • SPAN (Mirror)
    • Port Clustering
    • In-Line
35
IDS Balancer
  • Top Layer IDS Balancer
  • Radware FireProof
  • Taps: Gigabit SX tap, fiber tap
  • Availability
  • Scalability
  • ROI
  • Cost-effective (reduce sensors while increasing intrusion coverage)

36
Our Suggestion: NIDS Location
[Diagram: three sensor positions (1, 2, 3) around the TWAREN domain, its MPLS core, PEs and CEs, and the Internet]
  • Sensor 1 (Internet side)
    • See all outside attacks to help forensic analysis
  • Sensor 2 (at the CEs)
    • Detect attacks to/from the customer site
  • Sensor 3 (inside the TWAREN domain)
    • Avoid outside attacks on the IDS itself
    • Highlight external firewall problems with the policy/performance
    • Pinpoint compromised servers via outgoing traffic

37
When Do I Use the IPsec Technology
  • Data confidentiality
  • Data integrity
  • Data origin authentication
  • Anti-replay
  • Direct authentication of CEs

"I don't trust my ISP and its traffic separation!"
38
Combining IPsec and MPLS
  • The SP must be trusted to some extent
  • IPsec offers additional security over an MPLS
    network
  • IPsec can be run on the CE routers, or on devices
    further away from the core
  • MPLS and IPsec together provide a very high level
    of security for VPNs.

39
IPsec Topologies
  • Full mesh (static crypto map)
  • Hub and spoke (dynamic crypto map)
  • Full mesh with TED

IPsec is independent of MPLS; IPsec and MPLS work together.
40
Full Mesh
[Diagram: full mesh of IPsec tunnels between sites across the MPLS core]
Each peer needs to have static crypto maps to every other peer in the network.
Efficiency: as the number of sites grows, provisioning and management effort grows as O(n²).
41
Hub and Spoke
[Diagram: hub-and-spoke IPsec tunnels; the legend distinguishes IPsec tunnels from network traffic]
Scalable; introduces some routing inefficiencies; additional performance consideration.
42
Tunnel Endpoint Discovery
Releases 12.0(5)T and 12.0(5)
The peer is discovered dynamically. Thus, static crypto maps do not need to be configured for each peer.
[Diagram: host Alice (A) behind IPsec endpoint X, host Bob (B) behind IPsec endpoint Y; IP traffic from A to B causes X to send a TED probe, Y returns a TED reply, and the IPsec session is then established between X and Y.]
  • X: traffic A to B must be protected; no SA -> send probe
  • Y: traffic to B must be protected; no SA, probe received -> answer probe
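The exchange on this slide, modelled as an added example (it is not slide content and not Cisco code): two IPsec endpoints, X in front of Alice and Y in front of Bob, each hold a crypto policy that names the remote networks whose traffic must be protected but no static crypto map naming the other endpoint. The first protected packet with no SA triggers a probe toward the destination host; the endpoint in front of that host answers with its own address if its policy protects the return traffic, and the SA is then built between the two discovered endpoints. All addresses, network names and the SA identifiers are constructed.

```python
"""Tunnel Endpoint Discovery probe/reply exchange, modelled as the slide describes it.
Added example; it is neither slide content nor Cisco code. X fronts Alice's network and Y
fronts Bob's; each has a crypto policy naming the remote networks whose traffic must be
protected, but no static crypto map naming the other endpoint. The first protected packet
with no SA triggers a TED probe toward the destination host; the endpoint in front of that
host answers, if its own policy protects the return traffic, with its address, and the SA
is then negotiated between the two discovered endpoints. All addresses are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Gateway:
    name: str
    addr: str                                   # public address of this IPsec endpoint
    local_net: str                              # network it fronts
    protected: List[str]                        # remote networks whose traffic must be protected
    peers: Dict[str, str] = field(default_factory=dict)   # protected network -> discovered peer addr
    sas: Dict[str, str] = field(default_factory=dict)     # peer addr -> SA id
    events: List[str] = field(default_factory=list)

    def policy_match(self, ip: str) -> Optional[str]:
        """Return the protected network covering ip, or None if the traffic may go in the clear."""
        for net in self.protected:
            if ip_address(ip) in ip_network(net):
                return net
        return None

    def receive_probe(self, probe_src: str, probe_dst: str, origin_gw: str) -> Optional[str]:
        """Responder side: answer only if our own policy says traffic back to the prober is protected."""
        net = self.policy_match(probe_src)
        if net is None:
            self.events.append(f"{self.name}: probe from {origin_gw} ignored, no matching policy")
            return None
        self.peers[net] = origin_gw             # learn the initiator's endpoint from the probe
        self.events.append(f"{self.name}: probe for {probe_dst} answered with {self.addr}")
        return self.addr

    def send(self, src: str, dst: str, fabric: "Fabric") -> str:
        """Initiator side: clear text, existing SA, or probe-then-SA, depending on policy and state."""
        net = self.policy_match(dst)
        if net is None:
            return "clear"
        peer = self.peers.get(net)
        if peer is None:
            self.events.append(f"{self.name}: {src}->{dst} must be protected, no SA, sending TED probe")
            responder = fabric.gateway_for(dst)
            peer = responder.receive_probe(src, dst, self.addr) if responder else None
            if peer is None:
                return "dropped:no-ted-reply"
            self.peers[net] = peer
        if peer not in self.sas:
            sa_id = fabric.build_sa(self, peer)
            self.events.append(f"{self.name}: SA {sa_id} established with {peer}")
            return "ipsec:new-sa"
        return "ipsec:existing-sa"


class Fabric:
    """The network between the endpoints: delivers probes and records SAs on both ends."""

    def __init__(self, gateways: List[Gateway]) -> None:
        self.by_addr = {g.addr: g for g in gateways}
        self.sa_count = 0

    def gateway_for(self, host_ip: str) -> Optional[Gateway]:
        for g in self.by_addr.values():
            if ip_address(host_ip) in ip_network(g.local_net):
                return g
        return None

    def build_sa(self, initiator: Gateway, peer_addr: str) -> str:
        self.sa_count += 1
        sa_id = f"sa{self.sa_count}"
        initiator.sas[peer_addr] = sa_id
        self.by_addr[peer_addr].sas[initiator.addr] = sa_id
        return sa_id


def demo() -> dict:
    x = Gateway("X", "203.0.113.1", "10.1.0.0/16", ["10.2.0.0/16"])   # in front of Alice
    y = Gateway("Y", "203.0.113.2", "10.2.0.0/16", ["10.1.0.0/16"])   # in front of Bob
    fabric = Fabric([x, y])
    first = x.send("10.1.0.10", "10.2.0.20", fabric)     # Alice -> Bob: probe, reply, new SA
    second = x.send("10.1.0.10", "10.2.0.20", fabric)    # SA present: no probe
    back = y.send("10.2.0.20", "10.1.0.10", fabric)      # Bob -> Alice: Y learned X from the probe
    clear = x.send("10.1.0.10", "198.51.100.5", fabric)  # not covered by policy: sent in the clear
    probes = sum("sending TED probe" in e for e in x.events + y.events)
    return {"first": first, "second": second, "back": back, "clear": clear,
            "sas": fabric.sa_count, "probes": probes}
```

The point the model makes visible is that only one probe is ever sent for a pair of endpoints, and that the responder's own policy, not the probe, decides whether it answers; a probe for traffic the responder does not consider protected is ignored.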
43
Remote Access To MPLS/VPN
  • Over dialup, using IPsec, or both
  • Internally to a company network
  • As part of the shared infrastructure of the MPLS core
  • Mapping of the user into a VPN
    • It is crucial for the security
    • user@domain
    • certificate
  • Location of the AAA server (shared or per VPN)
    • The AAA (RFC 2903) server interface holds all the user-related information
    • TACACS
    • Remote Authentication Dial-In User Service (RADIUS) protocols
  • Security of the connection of a remote-access server to the MPLS cloud
    • The PE and access server must either be colocated in a physically secured SP environment,
    • or the link between the two must be further secured with IPsec

44
Security Incident Response
  • Six phases of how an ISP responds to a security incident

[Diagram: the six phases arranged as a cycle]
  • Preparation
  • Identification
  • Classification
  • Traceback
  • Reaction
  • Post mortem
45
Conclusion (I)
  • Security becomes an important issue for service providers
  • MPLS is at least as secure as Frame Relay and ATM networks
  • Internet service
    • Firewall and IDS should be placed between the VPNs and the Internet
  • Running IPsec over the MPLS cloud
    • If the security of the SP MPLS network is considered insufficient

46
Conclusion (II)
  • CE router in the SP management domain
    • The core network can now be completely hidden from the customer networks
    • Enable IOS Firewall features to protect the MPLS network
    • The CE can now also be configured with strict ACLs that also control access to the PE router
    • The routing protocol between the CE and the PE is now under the control of the SP
    • If IPsec is required, running IPsec from the CE routers means in this scenario giving control of encryption to the SP

47
References
  • "Security of the MPLS Architecture", http://www.cisco.com/en/US/tech/tk436/tk428/technologies_white_paper09186a00800a85c5.shtml
  • BTexact Technologies, "Carrier requirements of core IP routers 2002", http://www.juniper.net/products/features/core/BTexact-Carrier-requirements-of-core-ip-routers.pdf
  • Miercom, "Cisco MPLS based VPNs: Equivalent to the security of Frame Relay and ATM", http://www.cisco.com/global/CN/networking/vpn/pdf/mpls_vpn_security_miers.pdf
  • IETF Draft, "Security Framework for Provider Provisioned Virtual Private Networks", http://www.ietf.org/internet-drafts/draft-fang-ppvpn-security-framework-01.txt