MPLS/VPN Security Threats and Defensive Techniques (provider provision)

1
MPLS/VPN Security Threats and Defensive
Techniques (provider provision)

• SpeakerJET
• 3,12004

2
Introduction

• From BTexact Technologies

3
What is Threats ?

• Observation, modification, or deletion of PPVPN
  user data
• Replay of MPLS/VPN user data
• Injection of non-authentic data into a MPLS/VPN
• Traffic pattern analysis on MPLS/VPN traffic
• Disruption of MPLS/VPN connectivity
• Degradation of MPLS/VPN service quality

4
Threats sources

• The MPLSVPN service provider or persons working
  for it
• Other persons who obtain physical access to a
  service provider site
• Persons within the organization which is the
  MPLS/VPN user with respect to a particular
  MPLS/VPN
• Persons within an organization that is a separate
  MPLS/VPN user of the same service provider
• Others i.e. attackers from the Internet at large.

5
Security Threats - Data Plane
Traffic Pattern Analysis
Spoofing and Replay
MPLS/VPN
DoS
Unauthorized Observation/Modification/Deletion
Impersonation
6
Insertion of Non-Authentic Data Traffic Spoofing
and Replay

• Spoofing insertion into the VPN of packets that
  do not belong there
• Replay copies of once-legitimate packets that
  have been recorded and replayed

7
Denial of Service Attacks on the MPLS/VPN

• Monopolize network resources and thus prevent
  other PPVPNs from accessing those resources
• Inserting an overwhelming quantity of
  non-authentic data
• Overwhelming the service provider's general
  (MPLS/VPN-independent) infrastructure with
  traffic
• Interfering with its operation

8
Unauthorized Observation/Modification/Deletion of
Data Traffic

• Sniffing" VPN packets
• Examining their contents
• Modifying the contents of packets in flight
• Causing packets in flight to be discarded
• Would typically occur
• on links
• in a compromised node

9
Traffic Pattern Analysis

• Sniffing" VPN packets and examining aspects or
  meta-aspects of them
• Even are encrypted
• gain useful information
• the amount and timing of traffic
• packet sizes
• source and destination addresses
• etc.

10
Impersonation

• Disguises itself to appear as a legitimate entity

11
Security Threats - Control Plane
Routing Protocols
Address Space Separation
DoS
SPs Equipment
MPLS/VPN
Cross-connection of Traffic Between MPLS-VPNs
Route Separation
12
Denial of Service Attacks on the Network
Infrastructure

• Against the mechanisms the service provider uses
  to provide MPLS/VPNs
• MPLS , LDP/BGP , IPsec , etc.,
• Against the general infrastructure of the service
  provider
• Core routers
• Deny the otherwise-legitimate activities of
  another MPLS/VPN user

13
Attacks on the Service Provider Equipment Via
Management Interfaces

• Reconfigure the equipment
• extract information (statistics, topology, etc.)
• Malicious entering of the systems
• Inadvertently as a consequence of inadequate
  inter-VPN isolation in a MPLS/VPN user
  self-management interface

14
Cross-connection of Traffic Between MPLS/VPNs

• This refers to the event where expected isolation
  between separate PPVPNs is breached
• This includes cases such as
• A site being connected into the "wrong" VPN
• Two or more VPNs being improperly merged together
• A point-to-point VPN connecting the wrong two
  points
• Any packet or frame being improperly delivered
  outside the VPN it is sent in
• Likelihood of being the result of service
  provider or equipment vendor error

15
Attacks Against MPLS/VPN Routing Protocols

• Routing protocols that are run by the service
  provider - LDP / BGP
• In layer 3 VPNs with dynamic routing this would
  typically relate to the distribution of per-VPN
  routes as well as backbone routes
• In layer 2 VPNs this would typically relate only
  to the distribution of backbone routes

16
Attacks on Route Separation

• keeping the per-VPN topology and reachability
  information for each PPVPN separate from, and
  unavailable to, any other PPVPN
• Reveal topology
• Addressing information about a MPLS/VPN
• Cause black hole routing or unintended
  cross-connection between MPLS/VPNs

17
Attacks on Address Space Separation

• In Layer 3 VPNs, the IP address spaces of
  different VPNs need to be kept separate
• In Layer 2 VPNs, the MAC address and VLAN spaces
  of different VPNs need to be kept separate
• Result in cross-connection between VPNs.

18
Defensive Techniques

• Cryptographic techniques
• Authentication
• Access Control techniques
• Use of Isolated Infrastructure
• Use of Aggregated Infrastructure
• Service Provider Quality Control Processes
• Deployment of Testable MPLS/VPN Service

19
Defense Philosophy

• Security threats can be addressed
• Provider's specific service offerings
• MPLS/VPN user should assess the value which these
  techniques add to the user's VPN requirements
• Nothing is ever 100 secure - most likely to
  occur and/or that have the most dire consequences
• To make the cost of a successful attack greater
  than what the adversary will be willing to expend

20
Cryptographic techniques

• Privacy
• traffic separation
• encryption
• Authentication
• Integrality
• Drawback
• Computational burden
• Complexity of the device configuration
• Incremental labor cost
• Packet lengths are typically increased
• traffic load
• fragmentation
• Other Devices

21
IPsec in MPLS/VPNs

• PE to PE (cant be employed )
• PE to CE - weaker links (pass the Internet)
• CE-to-CE (only use tunnel mode)
• Service Level Agreement (SLA) rather than
  analyzing the specific encryption techniques \

22
Encryption for device configuration and
management

• Secure Shell (SSH) offers protection for TELNET
  STD-8 or terminal-like connections to allow
  device configuration
• SNMP v3 STD62 also provides encrypted and
  authenticated protection for SNMP-managed devices
• Transport Layer Security (TLS) (also known as
  Secure Sockets Layer or SSL) RFC-2246

23
Authentication

• Prevent
• Denial -of-Service attacks
• Malicious misconfiguration
• Cryptographic techniques
• Cryptographic techniques
• shared secret keys
• one-time keys generated by accessory devices or
  software
• user-ID and password pairs
• public-private key systems
• do not protect against some types of denial of
  service attacks

24
Authentication issues

• VPN Member Authentication
• Management System Authentication
• auto- discovery
• Peer-to-peer Authentication

25
Access Control techniques

• packet-by-packet
• packet-flow-by-packet-flow
• Filtering
• Firewalls

26
Filtering

• Common for routers
• Filter Characteristics
• Stateless (In most cases )
• Stateful (commonly done in firewalls )
• Actions based on Filter Results
• Discard
• Set CoS
• Count packets and/or bytes
• Rate Limit - MPLS EXP field
• Forward and Copy

27
Firewalls

• passing between different trusted zones
• SP to SP , PE to CE
• passing between trusted zone and an untrusted
  zone
• Services
• threshold-driven denial-of-service attack
  protection
• virus scanning
• acting as a TCP connection proxy
• Advantage
• understanding of the topologies
• understanding of the threat model

28
Firewalls (conf)

• Within the MPLS/VPN framework, traffic typically
  is not allowed to pass between the various user
  VPNs
• Extranets - provide the services required for
  secure extranet implementation
• Protect the user VPNs and core network from the
  public Internet

29
My LAB Environment
CE router Linux
PE router Linux MPLS Daemon
isp A
vpn 1
vpn 2
P router Linux MPLS Daemon
HOST Linux For API
WinXP For Microcode
Frmo EE
isp B
30
Next Presentation (3,82004)

• IXP1200 Linux How To
• MPLS for Linux Development