Title: MPLS/VPN Security Threats and Defensive Techniques (provider-provisioned)
MPLS/VPN Security Threats and Defensive Techniques (provider-provisioned)
Introduction
- From BTexact Technologies
What are the threats?
- Observation, modification, or deletion of PPVPN user data
- Replay of MPLS/VPN user data
- Injection of non-authentic data into an MPLS/VPN
- Traffic pattern analysis on MPLS/VPN traffic
- Disruption of MPLS/VPN connectivity
- Degradation of MPLS/VPN service quality
Threat sources
- The MPLS/VPN service provider, or persons working for it
- Other persons who obtain physical access to a service provider site
- Persons within the organization that is the MPLS/VPN user with respect to a particular MPLS/VPN
- Persons within an organization that is a separate MPLS/VPN user of the same service provider
- Others, i.e. attackers from the Internet at large
Security Threats - Data Plane
- Threats surrounding the MPLS/VPN data plane (diagram):
  - Traffic pattern analysis
  - Spoofing and replay
  - DoS
  - Unauthorized observation/modification/deletion
  - Impersonation
Insertion of Non-Authentic Data Traffic: Spoofing and Replay
- Spoofing: insertion into the VPN of packets that do not belong there
- Replay: copies of once-legitimate packets that have been recorded and replayed
Denial of Service Attacks on the MPLS/VPN
- Monopolize network resources and thus prevent other PPVPNs from accessing those resources
- Inserting an overwhelming quantity of non-authentic data
- Overwhelming the service provider's general (MPLS/VPN-independent) infrastructure with traffic
- Interfering with its operation
Unauthorized Observation/Modification/Deletion of Data Traffic
- "Sniffing" VPN packets
- Examining their contents
- Modifying the contents of packets in flight
- Causing packets in flight to be discarded
- Would typically occur
  - on links
  - in a compromised node
Traffic Pattern Analysis
- "Sniffing" VPN packets and examining aspects or meta-aspects of them
- Even if the packets are encrypted, an observer can gain useful information from
  - the amount and timing of traffic
  - packet sizes
  - source and destination addresses
  - etc.
Impersonation
- An attacker disguises itself to appear as a legitimate entity
Security Threats - Control Plane
- Threats surrounding the MPLS/VPN control plane and the SP's equipment (diagram):
  - Routing protocols
  - Address space separation
  - DoS
  - SP's equipment
  - Cross-connection of traffic between MPLS/VPNs
  - Route separation
Denial of Service Attacks on the Network Infrastructure
- Against the mechanisms the service provider uses to provide MPLS/VPNs: MPLS, LDP/BGP, IPsec, etc.
- Against the general infrastructure of the service provider: core routers
- Deny the otherwise-legitimate activities of another MPLS/VPN user
Attacks on the Service Provider Equipment via Management Interfaces
- Reconfigure the equipment
- Extract information (statistics, topology, etc.)
- Malicious entry into the systems
- Inadvertently, as a consequence of inadequate inter-VPN isolation in an MPLS/VPN user self-management interface
Cross-connection of Traffic Between MPLS/VPNs
- This refers to the event where the expected isolation between separate PPVPNs is breached
- This includes cases such as
  - A site being connected into the "wrong" VPN
  - Two or more VPNs being improperly merged together
  - A point-to-point VPN connecting the wrong two points
  - Any packet or frame being improperly delivered outside the VPN it is sent in
- Most likely to be the result of service provider or equipment vendor error
Attacks Against MPLS/VPN Routing Protocols
- Routing protocols that are run by the service provider: LDP / BGP
- In layer 3 VPNs with dynamic routing this would typically relate to the distribution of per-VPN routes as well as backbone routes
- In layer 2 VPNs this would typically relate only to the distribution of backbone routes
Attacks on Route Separation
- Route separation: keeping the per-VPN topology and reachability information for each PPVPN separate from, and unavailable to, any other PPVPN
- A breach can reveal topology and addressing information about an MPLS/VPN
- It can also cause black-hole routing or unintended cross-connection between MPLS/VPNs
Attacks on Address Space Separation
- In Layer 3 VPNs, the IP address spaces of different VPNs need to be kept separate
- In Layer 2 VPNs, the MAC address and VLAN spaces of different VPNs need to be kept separate
- A breach results in cross-connection between VPNs
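The two previous slides (route separation and address space separation) are easiest to see in a small model of how a layer 3 PE keeps per-VPN routing tables apart. The following is an added example, not code from the deck or from the Linux MPLS daemon used in the lab: it models VRFs on one PE with route distinguishers (so two customers can both use 10.1.0.0/16) and route targets (which decide which VRF imports a route), then shows the "site connected into the wrong VPN" failure from the cross-connection slide and an audit that flags it. All VRF names, RD/RT values, prefixes and next-hop labels are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# A VPN-IPv4 route as MP-BGP carries it between PEs (assumed model, not the lab's
# MPLS daemon): the route distinguisher (RD) makes overlapping customer prefixes
# globally unique, and the route targets (RTs) decide which VRFs may import it.
VpnRoute = namedtuple("VpnRoute", "rd prefix next_hop route_targets")


class PeRouter:
    """Per-VPN routing tables (VRFs) on one PE; names and values are illustrative."""

    def __init__(self):
        self.vrfs = {}

    def add_vrf(self, name, rd, import_rts, export_rts):
        self.vrfs[name] = {"rd": rd, "import": frozenset(import_rts),
                           "export": frozenset(export_rts), "table": {}}

    def advertise(self, vrf_name, prefix, next_hop):
        """Export a locally attached customer prefix as a VPN-IPv4 route."""
        vrf = self.vrfs[vrf_name]
        net = ipaddress.ip_network(prefix)
        vrf["table"][net] = (vrf["rd"], next_hop)
        return VpnRoute(vrf["rd"], net, next_hop, vrf["export"])

    def receive(self, route):
        """Install a received route into every VRF whose import RTs intersect its RTs;
        returns the VRF names it landed in."""
        installed = []
        for name, vrf in self.vrfs.items():
            if vrf["import"] & route.route_targets:
                vrf["table"][route.prefix] = (route.rd, route.next_hop)
                installed.append(name)
        return installed

    def lookup(self, vrf_name, address):
        """Longest-prefix match confined to one VRF: other VRFs' routes are invisible."""
        addr = ipaddress.ip_address(address)
        best = None
        for net, (_rd, next_hop) in self.vrfs[vrf_name]["table"].items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return None if best is None else best[1]


def audit_separation(pe, vpn_membership):
    """Cross-connection check: report any route installed in a VRF whose RD belongs
    to a site that is not a member of that VPN. vpn_membership maps VRF name to the
    set of RDs (sites) that legitimately belong to it."""
    findings = []
    for name, vrf in pe.vrfs.items():
        for net, (rd, _next_hop) in vrf["table"].items():
            if rd not in vpn_membership[name]:
                findings.append((name, str(net), rd))
    return findings


def demo():
    pe = PeRouter()
    pe.add_vrf("vpn1", rd="65000:1", import_rts={"65000:100"}, export_rts={"65000:100"})
    pe.add_vrf("vpn2", rd="65000:2", import_rts={"65000:200"}, export_rts={"65000:200"})
    # Constructed routes from a remote PE: both customers use 10.1.0.0/16 internally.
    for route in [
        VpnRoute("65000:11", ipaddress.ip_network("10.1.0.0/16"), "pe2-vpn1", frozenset({"65000:100"})),
        VpnRoute("65000:22", ipaddress.ip_network("10.1.0.0/16"), "pe2-vpn2", frozenset({"65000:200"})),
    ]:
        pe.receive(route)
    # The same destination address resolves differently per VRF: address spaces stay separate.
    separated = (pe.lookup("vpn1", "10.1.5.5"), pe.lookup("vpn2", "10.1.5.5"))
    # Provider error: vpn2's import policy is widened to include vpn1's route target.
    pe.vrfs["vpn2"]["import"] = frozenset({"65000:200", "65000:100"})
    leaked = VpnRoute("65000:11", ipaddress.ip_network("10.9.0.0/16"), "pe2-vpn1", frozenset({"65000:100"}))
    installed = pe.receive(leaked)
    membership = {"vpn1": {"65000:1", "65000:11"}, "vpn2": {"65000:2", "65000:22"}}
    findings = audit_separation(pe, membership)
    return separated, installed, findings


if __name__ == "__main__":
    print(demo())
```

The audit compares what is actually installed against an independent statement of which sites belong to which VPN, which is the kind of check a provider quality-control process (listed later under defensive techniques) can run after every configuration change. A deliberate extranet would appear in the findings too, so the membership list must include the partner sites that are meant to be reachable.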
Defensive Techniques
- Cryptographic techniques
- Authentication
- Access Control techniques
- Use of Isolated Infrastructure
- Use of Aggregated Infrastructure
- Service Provider Quality Control Processes
- Deployment of Testable MPLS/VPN Service
Defense Philosophy
- Security threats can be addressed by the provider's specific service offerings
- The MPLS/VPN user should assess the value which these techniques add to the user's VPN requirements
- Nothing is ever 100% secure: focus on the threats most likely to occur and/or that have the most dire consequences
- The goal is to make the cost of a successful attack greater than what the adversary is willing to expend
Cryptographic techniques
- Privacy
  - traffic separation
  - encryption
- Authentication
- Integrity
- Drawbacks
  - Computational burden
  - Complexity of the device configuration
  - Incremental labor cost
  - Packet lengths are typically increased
    - traffic load
    - fragmentation
  - Other devices
IPsec in MPLS/VPNs
- PE to PE: cannot be employed
- PE to CE: protects the weaker access links (e.g. where they pass over the Internet)
- CE to CE: tunnel mode only
- The user is better served by encryption guarantees in the Service Level Agreement (SLA) than by analyzing the specific encryption techniques
Encryption for device configuration and management
- Secure Shell (SSH) offers protection for TELNET (STD 8) or terminal-like connections used for device configuration
- SNMPv3 (STD 62) also provides encrypted and authenticated protection for SNMP-managed devices
- Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), RFC 2246
Authentication
- Helps prevent
  - Denial-of-Service attacks
  - Malicious misconfiguration
- Cryptographic techniques
  - shared secret keys
  - one-time keys generated by accessory devices or software
  - user-ID and password pairs
  - public-private key systems
- Does not protect against some types of denial-of-service attacks
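The spoofing and replay threats from the data-plane slides and the shared-secret authentication described here come together in one mechanism: a keyed tag over each message plus a sequence number. The example below is added here and is not code from the deck; it uses HMAC-SHA256 with a constructed pre-shared key (SESSION_KEY, an assumption) to protect constructed route-update messages between two PEs, and walks through a legitimate message, a replay of it, a modified copy, and a forgery under a guessed key. Real BGP and LDP sessions use the TCP MD5 signature option (RFC 2385) rather than this toy format; the point is the two checks, not the framing.

```python
import hashlib
import hmac
import struct

# Hypothetical pre-shared key for one PE-PE control session (assumption, not a deployment value).
SESSION_KEY = b"example-pe1-pe2-session-key"
TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: 4-byte big-endian sequence number || payload || HMAC-SHA256 tag.
    The tag covers the sequence number too, so neither field can be altered unnoticed."""
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class AuthenticatedReceiver:
    """Receiver side: verifies the tag (rejects spoofed or modified data) and requires a
    strictly increasing sequence number (rejects replayed copies of valid messages)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, msg: bytes):
        if len(msg) < 4 + TAG_LEN:
            return (False, "truncated")
        header, payload, tag = msg[:4], msg[4:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison: a plain == would leak tag bytes through timing.
        if not hmac.compare_digest(tag, expected):
            return (False, "bad tag: spoofed or modified")
        seq = struct.unpack("!I", header)[0]
        if seq <= self.last_seq:
            return (False, "replay: seq %d already seen" % seq)
        self.last_seq = seq
        return (True, payload)


def demo():
    """Returns the accept/reject verdict for five constructed messages in order."""
    pe1 = AuthenticatedReceiver(SESSION_KEY)
    results = []
    # 1. Legitimate update from the real peer: accepted.
    m1 = seal(SESSION_KEY, 1, b"UPDATE vpn1 10.1.0.0/16 via pe2")
    results.append(pe1.accept(m1)[0])
    # 2. Attacker replays the recorded m1: tag still valid, sequence stale, rejected.
    results.append(pe1.accept(m1)[0])
    # 3. Attacker rewrites the next hop in the recorded copy: tag no longer matches.
    tampered = m1[:4] + m1[4:-TAG_LEN].replace(b"pe2", b"evl") + m1[-TAG_LEN:]
    results.append(pe1.accept(tampered)[0])
    # 4. Attacker injects a fresh withdraw under a guessed key: tag mismatch.
    forged = seal(b"wrong-key", 2, b"WITHDRAW vpn1 10.1.0.0/16")
    results.append(pe1.accept(forged)[0])
    # 5. The real peer's next message (seq 2) is accepted.
    results.append(pe1.accept(seal(SESSION_KEY, 2, b"KEEPALIVE"))[0])
    return results


if __name__ == "__main__":
    print(demo())
```

Note what this does and does not buy, in line with the last bullet of the slide: every forged or replayed message is still received and costs an HMAC computation before it is dropped, so a flood of such messages remains a denial-of-service problem that filtering and rate limiting (next slides) have to handle. The sequence state is per session and must be reset on rekey; with a 32-bit counter the sender must rekey before it wraps.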
Authentication issues
- VPN member authentication
- Management system authentication
- Auto-discovery
- Peer-to-peer authentication
Access Control techniques
- Applied packet-by-packet or packet-flow-by-packet-flow
- Filtering
- Firewalls
Filtering
- Common on routers
- Filter characteristics
  - Stateless (in most cases)
  - Stateful (commonly done in firewalls)
- Actions based on filter results
  - Discard
  - Set CoS
  - Count packets and/or bytes
  - Rate limit (MPLS EXP field)
  - Forward and copy
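To make the filter actions on this slide concrete, here is an added example (not code from the deck, and not the lab's MPLS daemon) of a stateless ingress filter as a PE might apply it on the interface facing a customer's CE. It implements all five actions (discard, set CoS, count, rate limit via a byte token bucket, forward-and-copy to a mirror port) and runs them over constructed packets: an anti-spoofing rule discards packets whose source lies outside the VPN's assigned prefix (the "insertion of non-authentic data" threat), an ICMP rate limit caps a small flood, and voice traffic is marked. The prefix 10.1.0.0/16, the gateway address 10.1.0.1, the port name span0 and all packets are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Any, Callable, List


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    size: int      # bytes
    cos: int = 0   # class-of-service marking (what a PE would copy into the MPLS EXP field)


@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]
    action: str          # "discard" | "rate_limit" | "set_cos" | "forward_copy" | "count"
    arg: Any = None      # (rate, burst) for rate_limit, CoS value for set_cos, mirror port name


class TokenBucket:
    """Byte-based token bucket: refilled by `rate` bytes per tick, capped at `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens = rate, burst, burst

    def tick(self):
        self.tokens = min(self.burst, self.tokens + self.rate)

    def take(self, nbytes):
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False


class IngressFilter:
    """Stateless per-packet filter for a PE's CE-facing interface. Rules are evaluated
    in order; every matching rule is counted, 'discard' (or an exhausted rate limit)
    terminates processing, the other actions annotate the packet and continue."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.counters = {r.name: 0 for r in rules}
        self.buckets = {r.name: TokenBucket(*r.arg) for r in rules if r.action == "rate_limit"}
        self.mirrored = []   # (port, packet) copies handed to the monitoring port

    def process(self, pkt: Packet) -> str:
        for rule in self.rules:
            if not rule.match(pkt):
                continue
            self.counters[rule.name] += 1
            if rule.action == "discard":
                return "discard"
            if rule.action == "rate_limit" and not self.buckets[rule.name].take(pkt.size):
                return "discard"
            if rule.action == "set_cos":
                pkt.cos = rule.arg
            elif rule.action == "forward_copy":
                self.mirrored.append((rule.arg, pkt))
        return "forward"


def demo():
    """Returns (verdicts, per-rule counters, CoS of the first three packets, mirrored count)."""
    # VPN 1's CE may only source addresses from its assigned 10.1.0.0/16 (assumed allocation).
    vpn1_prefix = ipaddress.ip_network("10.1.0.0/16")
    rules = [
        Rule("anti-spoof", lambda p: ipaddress.ip_address(p.src) not in vpn1_prefix, "discard"),
        Rule("icmp-limit", lambda p: p.proto == "icmp", "rate_limit", (500, 1000)),
        Rule("voice-cos", lambda p: p.proto == "rtp", "set_cos", 5),
        Rule("mirror-to-gw", lambda p: p.dst == "10.1.0.1", "forward_copy", "span0"),
        Rule("count-all", lambda p: True, "count"),
    ]
    pe_ingress = IngressFilter(rules)
    # Constructed sample traffic arriving from the CE.
    packets = [
        Packet("10.1.2.3", "10.1.9.9", "tcp", 1200),   # ordinary VPN traffic
        Packet("192.0.2.7", "10.1.9.9", "tcp", 60),    # source outside VPN 1: non-authentic
        Packet("10.1.2.3", "10.1.0.1", "rtp", 200),    # voice to the VPN gateway
    ] + [Packet("10.1.2.4", "10.1.9.9", "icmp", 400) for _ in range(4)]  # ICMP burst
    verdicts = [pe_ingress.process(p) for p in packets]
    return verdicts, pe_ingress.counters, [p.cos for p in packets[:3]], len(pe_ingress.mirrored)


if __name__ == "__main__":
    print(demo())
```

With a burst of 1000 bytes and no refill tick between packets, the first two 400-byte ICMP packets pass and the third and fourth are discarded; the counters still show four matches on the rate-limit rule, which is the "count" action doing its job as evidence of the attempted flood. Because the filter is stateless, it cannot tell a TCP reply from an unsolicited packet; that is the stateful capability the next slide attributes to firewalls.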
Firewalls
- Placed where traffic passes between different trusted zones: SP to SP, PE to CE
- Placed where traffic passes between a trusted zone and an untrusted zone
- Services
  - threshold-driven denial-of-service attack protection
  - virus scanning
  - acting as a TCP connection proxy
- Advantage
  - understanding of the topologies
  - understanding of the threat model
Firewalls (cont.)
- Within the MPLS/VPN framework, traffic typically is not allowed to pass between the various user VPNs
- Extranets: firewalls provide the services required for secure extranet implementation
- Protect the user VPNs and core network from the public Internet
My Lab Environment
- ISP A and ISP B, carrying VPN 1 and VPN 2 (diagram)
- CE router: Linux
- PE router: Linux with MPLS daemon
- P router: Linux with MPLS daemon
- Host: Linux, for the API
- WinXP, for microcode (from EE)
Next Presentation (3/8/2004)
- IXP1200 Linux How-To
- MPLS for Linux development