MPLS/VPN Security Threats and Defensive Techniques (provider provision)

About This Presentation
Slides: 31
Provided by: jet19

Transcript and Presenter's Notes



1
MPLS/VPN Security Threats and Defensive
Techniques (provider provision)
  • Speaker: JET
  • 3/1/2004

2
Introduction
  • From BTexact Technologies

3
What are the threats?
  • Observation, modification, or deletion of PPVPN
    (provider-provisioned VPN) user data
  • Replay of MPLS/VPN user data
  • Injection of non-authentic data into a MPLS/VPN
  • Traffic pattern analysis on MPLS/VPN traffic
  • Disruption of MPLS/VPN connectivity
  • Degradation of MPLS/VPN service quality

4
Threat sources
  • The MPLS/VPN service provider or persons working
    for it
  • Other persons who obtain physical access to a
    service provider site
  • Persons within the organization which is the
    MPLS/VPN user with respect to a particular
    MPLS/VPN
  • Persons within an organization that is a separate
    MPLS/VPN user of the same service provider
  • Others, i.e. attackers from the Internet at large

5
Security Threats - Data Plane
  • Traffic pattern analysis
  • Insertion of non-authentic data (spoofing and replay)
  • Denial of service (DoS)
  • Unauthorized observation/modification/deletion
  • Impersonation
6
Insertion of Non-Authentic Data Traffic: Spoofing
and Replay
  • Spoofing: insertion into the VPN of packets that
    do not belong there
  • Replay: copies of once-legitimate packets that
    have been recorded and replayed

7
Denial of Service Attacks on the MPLS/VPN
  • Monopolize network resources and thus prevent
    other PPVPNs from accessing those resources
  • e.g. by inserting an overwhelming quantity of
    non-authentic data
  • Overwhelm the service provider's general
    (MPLS/VPN-independent) infrastructure with
    traffic
  • or otherwise interfere with its operation

8
Unauthorized Observation/Modification/Deletion of
Data Traffic
  • "Sniffing" VPN packets
  • Examining their contents
  • Modifying the contents of packets in flight
  • Causing packets in flight to be discarded
  • Would typically occur
  • on links
  • in a compromised node

9
Traffic Pattern Analysis
  • "Sniffing" VPN packets and examining aspects or
    meta-aspects of them
  • Even when the packets are encrypted, an attacker
    can gain useful information from
  • the amount and timing of traffic
  • packet sizes
  • source and destination addresses
  • etc.

10
Impersonation
  • An attacker disguises itself to appear as a
    legitimate entity

11
Security Threats - Control Plane
  • DoS against the network infrastructure
  • Attacks on the SP's equipment (management interfaces)
  • Cross-connection of traffic between MPLS/VPNs
  • Attacks on routing protocols
  • Attacks on route separation
  • Attacks on address space separation
12
Denial of Service Attacks on the Network
Infrastructure
  • Against the mechanisms the service provider uses
    to provide MPLS/VPNs
  • MPLS, LDP/BGP, IPsec, etc.
  • Against the general infrastructure of the service
    provider
  • core routers
  • Either way, denies the otherwise-legitimate
    activities of another MPLS/VPN user

13
Attacks on the Service Provider Equipment Via
Management Interfaces
  • Reconfigure the equipment
  • Extract information (statistics, topology, etc.)
  • Malicious entry into the systems
  • Inadvertent, as a consequence of inadequate
    inter-VPN isolation in an MPLS/VPN user
    self-management interface

14
Cross-connection of Traffic Between MPLS/VPNs
  • This refers to the event where the expected
    isolation between separate PPVPNs is breached
  • This includes cases such as
  • A site being connected into the "wrong" VPN
  • Two or more VPNs being improperly merged together
  • A point-to-point VPN connecting the wrong two
    points
  • Any packet or frame being improperly delivered
    outside the VPN it is sent in
  • Most likely to be the result of service
    provider or equipment vendor error

15
Attacks Against MPLS/VPN Routing Protocols
  • Routing protocols that are run by the service
    provider: LDP / BGP
  • In Layer 3 VPNs with dynamic routing this would
    typically relate to the distribution of per-VPN
    routes as well as backbone routes
  • In Layer 2 VPNs this would typically relate only
    to the distribution of backbone routes

16
Attacks on Route Separation
  • Route separation: keeping the per-VPN topology and
    reachability information for each PPVPN separate
    from, and unavailable to, any other PPVPN
  • A breach can reveal topology and addressing
    information about an MPLS/VPN
  • or cause black-hole routing or unintended
    cross-connection between MPLS/VPNs

17
Attacks on Address Space Separation
  • In Layer 3 VPNs, the IP address spaces of
    different VPNs need to be kept separate
  • In Layer 2 VPNs, the MAC address and VLAN spaces
    of different VPNs need to be kept separate
  • A breach results in cross-connection between VPNs
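The route and address-space separation that slides 14, 16 and 17 describe can be made concrete with a small model of a PE's per-VPN routing tables. The Python below is an added example written for this page, not code from the presentation or from any router vendor: the customer names, route distinguishers, route targets, the PE loopback 192.0.2.2 and the VPN labels 17, 18 and 23 are all constructed. It shows two customers whose sites both use 10.1.0.0/24 staying isolated by route distinguisher (RD) and by strict route-target (RT) import, then shows the cross-connection that a single wrong import route target produces, together with an audit check (leaked_routes) that flags any installed route carrying another VRF's RD.

```python
"""Route and address-space separation in a BGP/MPLS Layer 3 VPN, modelled in
Python. Constructed example, not provider code: two customers both number a
site 10.1.0.0/24; the PE keeps them apart only through a per-VRF table, an
RD on every VPN route and strict import by route target."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class VpnRoute:
    rd: str                     # route distinguisher of the originating VRF
    prefix: IPv4Network
    next_hop_pe: str            # loopback of the egress PE (constructed)
    label: int                  # VPN label allocated by the egress PE (constructed)
    export_rts: FrozenSet[str]  # route targets attached on export


@dataclass
class Vrf:
    name: str
    rd: str
    import_rts: Set[str]
    table: Dict[IPv4Network, VpnRoute] = field(default_factory=dict)

    def learn(self, route: VpnRoute) -> bool:
        """Install a received VPN route only if it carries one of our import RTs.
        A later route for the same prefix replaces an earlier one (a real PE
        would run BGP best-path selection here instead)."""
        if not (route.export_rts & self.import_rts):
            return False
        self.table[route.prefix] = route
        return True

    def lookup(self, dst: str) -> Optional[VpnRoute]:
        """Longest-prefix match confined to this VRF's own table."""
        addr = IPv4Address(dst)
        matches = [p for p in self.table if addr in p]
        return self.table[max(matches, key=lambda p: p.prefixlen)] if matches else None


def leaked_routes(vrf: Vrf) -> List[IPv4Network]:
    """Audit check for an intranet VRF: any installed route whose RD is not the
    VRF's own RD came from another customer's VPN (a route-separation breach)."""
    return sorted((p for p, r in vrf.table.items() if r.rd != vrf.rd), key=str)


def build_pe(wrong_import: bool = False) -> Tuple[Vrf, Vrf]:
    """PE1 after importing the routes PE2 advertised over MP-BGP.
    wrong_import=True models the operator error behind the cross-connection
    slide: CustomerB's VRF is also configured to import CustomerA's RT."""
    vrf_a = Vrf("CustomerA", rd="65000:1", import_rts={"65000:1"})
    vrf_b = Vrf("CustomerB", rd="65000:2", import_rts={"65000:2"})
    if wrong_import:
        vrf_b.import_rts.add("65000:1")   # the misconfiguration under test

    # Constructed advertisements from PE2 (loopback 192.0.2.2, labels arbitrary).
    advertised = [
        VpnRoute("65000:1", IPv4Network("10.1.0.0/24"), "192.0.2.2", 17, frozenset({"65000:1"})),
        VpnRoute("65000:1", IPv4Network("172.16.0.0/24"), "192.0.2.2", 18, frozenset({"65000:1"})),
        VpnRoute("65000:2", IPv4Network("10.1.0.0/24"), "192.0.2.2", 23, frozenset({"65000:2"})),
    ]
    for route in advertised:
        vrf_a.learn(route)
        vrf_b.learn(route)
    return vrf_a, vrf_b


if __name__ == "__main__":
    a, b = build_pe()
    print("correct config: A->10.1.0.7 label", a.lookup("10.1.0.7").label,
          "B->10.1.0.7 label", b.lookup("10.1.0.7").label,
          "leaked into B:", leaked_routes(b))
    a, b = build_pe(wrong_import=True)
    print("wrong RT import: leaked into B:", leaked_routes(b),
          "B->172.16.0.5 now reaches RD", b.lookup("172.16.0.5").rd)
```

With the correct configuration the same destination 10.1.0.7 resolves to label 17 in CustomerA's VRF and label 23 in CustomerB's, and CustomerB has no path to 172.16.0.5 at all. With the extra import RT, CustomerA's 172.16.0.0/24 appears in CustomerB's table and a CustomerB host can reach CustomerA's site; the two colliding 10.1.0.0/24 routes would additionally be subject to best-path selection on a real PE, which is how black-holing or misrouting arises. Comparing each route's RD against the VRF's own RD is a cheap audit that catches the unambiguous leak.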

18
Defensive Techniques
  • Cryptographic techniques
  • Authentication
  • Access Control techniques
  • Use of Isolated Infrastructure
  • Use of Aggregated Infrastructure
  • Service Provider Quality Control Processes
  • Deployment of Testable MPLS/VPN Service

19
Defense Philosophy
  • Security threats can be addressed by the
    provider's specific service offerings
  • The MPLS/VPN user should assess the value which
    these techniques add to the user's VPN requirements
  • Nothing is ever 100% secure: concentrate on the
    threats most likely to occur and/or that have the
    most dire consequences
  • Goal: make the cost of a successful attack greater
    than what the adversary will be willing to expend

20
Cryptographic techniques
  • Privacy: traffic separation and encryption
  • Authentication
  • Integrity
  • Drawbacks
  • Computational burden
  • Complexity of the device configuration
  • Incremental labor cost
  • Packet lengths are typically increased (higher
    traffic load, fragmentation)
  • Other devices

21
IPsec in MPLS/VPNs
  • PE to PE: cannot be employed in this model
  • PE to CE: protects the weaker access links (e.g.
    those that pass over the Internet)
  • CE to CE: use tunnel mode only
  • Users should rely on the Service Level Agreement
    (SLA) rather than analyzing the specific
    encryption techniques
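Slide 6 lists replay as a data-plane threat and slide 21 points to CE-to-CE IPsec in tunnel mode as the defense. The part of ESP that actually defeats a replayed packet is the anti-replay sliding window over the sequence number (RFC 4303, section 3.4.3). The Python below is an added example written for this page, not code from the presentation or from any IPsec implementation; the sequence-number trace it feeds through the window is constructed. It accepts in-order and slightly reordered packets, rejects a recorded packet that is replayed, and drops packets that have fallen behind the window.

```python
"""IPsec ESP anti-replay check (RFC 4303 section 3.4.3), as an added example of
how a CE-to-CE tunnel rejects replayed packets. Constructed traffic, not code
from the presentation or from any IPsec stack."""
from typing import List


class AntiReplayWindow:
    """Sliding window over 32-bit ESP sequence numbers.
    The window covers sequence numbers (top - size, top]; bit i of `received`
    is set when sequence number (top - i) has already been accepted."""

    def __init__(self, size: int = 64):
        assert size >= 32          # RFC 4303: minimum 32, default 64
        self.size = size
        self.top = 0               # highest sequence number accepted so far
        self.received = 0          # bitmap of accepted numbers inside the window

    def check_and_update(self, seq: int) -> bool:
        """Return True (and record the packet) if it is new and inside or ahead
        of the window; False for replays and for packets too old to judge.
        A real receiver must run the ESP integrity check before calling this,
        otherwise a forged sequence number could slide the window forward and
        black-hole legitimate traffic."""
        if seq == 0:
            return False           # sequence number 0 is never valid (RFC 4303)
        if seq > self.top:
            # Packet is ahead of the window: advance it, forgetting anything
            # that falls off the left edge.
            shift = seq - self.top
            self.received = ((self.received << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False           # left of the window: too old, drop
        mask = 1 << offset
        if self.received & mask:
            return False           # already accepted once: replay
        self.received |= mask      # late but legitimate (reordered) packet
        return True


def run_capture(seqs: List[int]) -> List[bool]:
    """Feed a constructed list of ESP sequence numbers through one window and
    return the accept/reject verdict for each packet."""
    window = AntiReplayWindow(64)
    return [window.check_and_update(s) for s in seqs]


# Constructed trace: in order, a reordering (5 before 4), a replay of 3, a
# jump to 100, a late-but-valid 37, a too-old 36, a replay of 100, and seq 0.
SAMPLE_TRACE = [1, 2, 3, 5, 4, 3, 100, 37, 36, 100, 0]

if __name__ == "__main__":
    for seq, ok in zip(SAMPLE_TRACE, run_capture(SAMPLE_TRACE)):
        print(f"seq {seq:>3}: {'accept' if ok else 'drop'}")
```

Sequence number 4 arriving after 5 is accepted because it is inside the window and its bit is clear; the second copy of 3 is dropped because its bit is already set; 36 is dropped because after the jump to 100 it lies 64 behind the top of a 64-entry window, so the receiver can no longer tell whether it was seen. Reordering that exceeds the window size therefore costs legitimate packets, which is why the window size is a tuning decision and not just a security one.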

22
Encryption for device configuration and
management
  • Secure Shell (SSH) offers protection for Telnet
    (STD 8) or other terminal-like connections used
    for device configuration
  • SNMPv3 (STD 62) also provides encrypted and
    authenticated protection for SNMP-managed devices
  • Transport Layer Security (TLS), formerly known as
    Secure Sockets Layer (SSL), RFC 2246

23
Authentication
  • Helps prevent
  • denial-of-service attacks
  • malicious misconfiguration
  • Cryptographic techniques
  • shared secret keys
  • one-time keys generated by accessory devices or
    software
  • user-ID and password pairs
  • public-private key systems
  • Does not protect against some types of denial of
    service attacks

24
Authentication issues
  • VPN member authentication
  • Management system authentication
  • Auto-discovery
  • Peer-to-peer authentication
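Slide 15 names the provider's LDP and BGP sessions as a target, and slides 23 and 24 list shared-secret peer-to-peer authentication as the defense. The standard shared-secret mechanism for those TCP sessions is the TCP MD5 signature option (RFC 2385). The Python below is an added example for this page, not code from the presentation or from any router: the PE addresses 192.0.2.1 and 192.0.2.2, the ports, sequence numbers, key and the BGP OPEN fragment are constructed. It computes the digest as the RFC specifies (pseudo-header, TCP header with the checksum zeroed and options excluded, segment data, key), verifies it in constant time, and shows that a peer holding the wrong key, a segment modified in flight, and an unsigned segment are all rejected.

```python
"""TCP MD5 signature option (RFC 2385) as used to authenticate BGP and LDP
sessions between a provider's routers. Added example built from the RFC's
digest definition; addresses, ports, key and payload are constructed."""
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
TCP_OPT_MD5 = 19          # option kind; option length is 18 (2 + 16-byte digest)
FLAG_PSH_ACK = 0x18


def tcp_md5_digest(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                   seq: int, ack: int, data_offset: int, flags: int,
                   window: int, payload: bytes, key: bytes) -> bytes:
    """MD5 over (1) the TCP pseudo-header, (2) the 20-byte TCP header with the
    checksum zeroed and options excluded, (3) the segment data, (4) the key.
    data_offset is the header length in 32-bit words including options, as it
    appears on the wire, so the signed header still commits to the real length."""
    tcp_len = data_offset * 4 + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                         data_offset << 4, flags, window, 0, 0)
    return hashlib.md5(pseudo + header + payload + key).digest()


def segment_digest(seg: dict, key: bytes) -> bytes:
    return tcp_md5_digest(seg["src_ip"], seg["dst_ip"], seg["src_port"],
                          seg["dst_port"], seg["seq"], seg["ack"],
                          seg["data_offset"], seg["flags"], seg["window"],
                          seg["payload"], key)


def sign_segment(seg: dict, key: bytes) -> dict:
    """Sender side: return a copy carrying the option (kind 19, length 18)
    padded with two NOPs, giving a 40-byte header (data offset 10)."""
    signed = dict(seg, data_offset=10)
    digest = segment_digest(signed, key)
    signed["options"] = bytes([TCP_OPT_MD5, 18]) + digest + b"\x01\x01"
    return signed


def verify_segment(seg: dict, key: bytes) -> bool:
    """Receiver side: walk the option list, find kind 19 and compare digests in
    constant time. A segment without the option is rejected outright, as
    RFC 2385 requires once a connection is configured with a key."""
    opts = seg.get("options", b"")
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # End of option list
            break
        if kind == 1:                       # NOP
            i += 1
            continue
        if i + 1 >= len(opts):
            return False                    # truncated option
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return False                    # malformed option
        if kind == TCP_OPT_MD5 and length == 18:
            received = opts[i + 2:i + 18]
            return hmac.compare_digest(received, segment_digest(seg, key))
        i += length
    return False


# Constructed BGP session PE1 -> PE2; the key and every field are made up.
KEY = b"pe1-pe2-bgp-secret"
BGP_OPEN_FRAGMENT = b"\xff" * 16 + b"\x00\x1d\x01"   # marker, length 29, type OPEN
PE1_TO_PE2 = dict(src_ip="192.0.2.1", dst_ip="192.0.2.2", src_port=50123,
                  dst_port=179, seq=1000, ack=2000, data_offset=5,
                  flags=FLAG_PSH_ACK, window=65535, payload=BGP_OPEN_FRAGMENT)


def scenario(receiver_key: bytes, tamper: bool = False) -> bool:
    """PE1 signs with KEY; the receiver verifies with receiver_key.
    tamper=True models an on-path attacker rewriting the BGP message type
    byte after the segment was signed (the modification threat)."""
    seg = sign_segment(PE1_TO_PE2, KEY)
    if tamper:
        seg = dict(seg, payload=seg["payload"][:-1] + b"\x02")
    return verify_segment(seg, receiver_key)


if __name__ == "__main__":
    print("same key:", scenario(KEY))
    print("wrong key:", scenario(b"guessed-key"))
    print("tampered payload:", scenario(KEY, tamper=True))
    print("unsigned segment:", verify_segment(PE1_TO_PE2, KEY))
```

The option protects the whole segment, including the sequence numbers, so an attacker who can spoof the PE's address still cannot inject a BGP UPDATE or a LDP message into the session, nor reset it with a forged RST, without the key. It does not hide the session contents, and MD5 is used here only as a keyed digest over the specific field layout above; the key itself is the secret that the slides' "shared secret keys" bullet refers to and must be provisioned on both PEs.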

25
Access Control techniques
  • Applied packet-by-packet
  • or packet-flow-by-packet-flow
  • Implemented by filtering
  • and by firewalls

26
Filtering
  • Common for routers
  • Filter characteristics
  • Stateless (in most cases)
  • Stateful (commonly done in firewalls)
  • Actions based on filter results
  • Discard
  • Set CoS
  • Count packets and/or bytes
  • Rate limit (e.g. by MPLS EXP field)
  • Forward and copy
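Slides 25 and 26 list the filter actions without showing how they combine on a real interface. The Python below is an added example for this page, not code from the presentation or from any router vendor; the customer prefix 10.1.0.0/24, the provider infrastructure range 192.0.2.0/24, the rule names and the traffic are constructed. It applies a stateless rule list to packets arriving on a PE's CE-facing interface: labeled packets from the CE and packets aimed at core routers are discarded (slides 7 and 12), spoofed sources are discarded (slide 6), ICMP is rate-limited with a token bucket, SIP traffic gets a CoS value, and SNMP traffic is forwarded and copied to a monitor port.

```python
"""Stateless ingress filter on a PE's CE-facing interface, as an added worked
example of the filter actions on the slide (discard, set CoS, count, rate
limit, forward-and-copy). Prefixes, rule names and traffic are constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, Dict, List, Optional

CUSTOMER_SITE = IPv4Network("10.1.0.0/24")   # constructed: addresses this CE may source
CORE_INFRA = IPv4Network("192.0.2.0/24")     # constructed: PE/P loopbacks and links


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    labeled: bool = False      # arrived with an MPLS label stack
    cos: int = 0


@dataclass
class TokenBucket:
    rate: float                # tokens (packets) per second
    burst: int
    tokens: float = field(init=False)
    last: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst)

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]
    action: str                # discard | rate_limit | set_cos | forward_copy | count
    arg: Optional[object] = None


class InterfaceFilter:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.counters: Dict[str, int] = {r.name: 0 for r in rules}
        self.mirrored: List[Packet] = []

    def apply(self, pkt: Packet, now: float = 0.0) -> str:
        """Evaluate rules in order. discard and forward_copy terminate; count,
        set_cos and an in-profile rate_limit fall through to the next rule.
        Returns the verdict string (and mutates pkt.cos for set_cos)."""
        for r in self.rules:
            if not r.match(pkt):
                continue
            self.counters[r.name] += 1
            if r.action == "discard":
                return f"discard:{r.name}"
            if r.action == "rate_limit" and not r.arg.allow(now):
                return f"discard:{r.name}"
            if r.action == "set_cos":
                pkt.cos = r.arg
            elif r.action == "forward_copy":
                self.mirrored.append(pkt)        # copy to r.arg (monitor port)
                return f"forward+copy:{r.name}"
        return "forward"


def build_filter() -> InterfaceFilter:
    return InterfaceFilter([
        Rule("count-all", lambda p: True, "count"),
        Rule("no-labels-from-ce", lambda p: p.labeled, "discard"),      # CE must not inject labels
        Rule("protect-core", lambda p: IPv4Address(p.dst) in CORE_INFRA, "discard"),
        Rule("anti-spoof", lambda p: IPv4Address(p.src) not in CUSTOMER_SITE, "discard"),
        Rule("icmp-limit", lambda p: p.proto == "icmp", "rate_limit", TokenBucket(rate=2.0, burst=3)),
        Rule("voice-cos", lambda p: p.proto == "udp" and p.dport == 5060, "set_cos", 5),
        Rule("mirror-snmp", lambda p: p.proto == "udp" and p.dport == 161, "forward_copy", "monitor"),
    ])


def run_traffic() -> List[str]:
    """Constructed traffic from the CE: one packet per case, then a 5-packet
    ICMP burst 10 ms apart that exceeds the bucket's burst of 3."""
    f = build_filter()
    packets = [
        (0.0, Packet("10.1.0.5", "10.1.1.9", "tcp", 443)),                 # normal VPN traffic
        (0.0, Packet("10.1.0.5", "10.1.1.9", "tcp", 443, labeled=True)),   # label injection
        (0.0, Packet("10.1.0.5", "192.0.2.1", "udp", 161)),                # SNMP at a PE loopback
        (0.0, Packet("172.16.9.9", "10.1.1.9", "tcp", 443)),               # spoofed source
        (0.1, Packet("10.1.0.5", "10.1.1.9", "udp", 5060)),                # SIP signalling
        (0.2, Packet("10.1.0.5", "10.1.1.161", "udp", 161)),               # customer SNMP, mirrored
    ] + [(0.3 + i * 0.01, Packet("10.1.0.5", "10.1.1.9", "icmp")) for i in range(5)]
    return [f.apply(p, now) for now, p in packets]


if __name__ == "__main__":
    for verdict in run_traffic():
        print(verdict)
```

Rule order is the security decision: the infrastructure and anti-spoofing discards sit before any action that could forward, so a customer packet aimed at a PE loopback is dropped even though SNMP would otherwise be mirrored, and the accounting rule sits first so that discarded packets are still counted. The token bucket shows why "rate limit" is a DoS control rather than a correctness one: the first three ICMP packets pass and the rest of the burst is dropped until the bucket refills.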

27
Firewalls
  • Placed on traffic passing between different trusted
    zones (SP to SP, PE to CE)
  • or passing between a trusted zone and an untrusted
    zone
  • Services
  • threshold-driven denial-of-service attack
    protection
  • virus scanning
  • acting as a TCP connection proxy
  • Advantage
  • built on an understanding of the topologies
  • and of the threat model

28
Firewalls (cont.)
  • Within the MPLS/VPN framework, traffic typically
    is not allowed to pass between the various user
    VPNs
  • Extranets - provide the services required for
    secure extranet implementation
  • Protect the user VPNs and core network from the
    public Internet

29
My Lab Environment
  • CE router: Linux
  • PE router: Linux with MPLS daemon
  • P router: Linux with MPLS daemon
  • Two providers (ISP A, ISP B) and two customer VPNs
    (VPN 1, VPN 2)
  • Host: Linux for the API, WinXP for the microcode
  • From EE
30
Next Presentation (3/8/2004)
  • IXP1200 Linux How To
  • MPLS for Linux Development