Embed Size (px)
Citation preview
MPLS/VPN Security Threats and Defensive Techniques (provider provision)
Speaker: JET
3,1’2004
Introduction
From BTexact Technologies
What is Threats ?
Observation, modification, or deletion of PPVPN user data
Replay of MPLS/VPN user data Injection of non-authentic data into a
MPLS/VPN Traffic pattern analysis on MPLS/VPN traffic Disruption of MPLS/VPN connectivity Degradation of MPLS/VPN service quality
Threats sources
The MPLSVPN service provider or persons working for it
Other persons who obtain physical access to a service provider site
Persons within the organization which is the MPLS/VPN user with respect to a particular MPLS/VPN
Persons within an organization that is a separate MPLS/VPN user of the same service provider
Others i.e. attackers from the Internet at large.
Security Threats - Data Plane
MPLS/VPN
Spoofing and Replay
Unauthorized Observation/Modification/Deletion
DoS
Traffic Pattern Analysis
Impersonation
Insertion of Non-Authentic Data Traffic: Spoofing and Replay Spoofing : insertion into the VPN of packets
that do not belong there Replay : copies of once-legitimate packets
that have been recorded and replayed
Denial of Service Attacks on the MPLS/VPN Monopolize network resources and thus prev
ent other PPVPNs from accessing those resources
Inserting an overwhelming quantity of non-authentic data
Overwhelming the service provider's general (MPLS/VPN-independent) infrastructure with traffic
Interfering with its operation
Unauthorized Observation/Modification/Deletion of Data Traffic
“Sniffing" VPN packets Examining their contents Modifying the contents of packets in flight Causing packets in flight to be discarded Would typically occur
on links in a compromised node
Traffic Pattern Analysis
“Sniffing" VPN packets and examining aspects or meta-aspects of them Even are encrypted
gain useful information the amount and timing of traffic packet sizes source and destination addresses etc.
Impersonation
Disguises itself to appear as a legitimate entity
Security Threats - Control Plane
SP’s Equipment
Cross-connection of Traffic
Between MPLS-VPNs
DoSRouting Protocols
Route Separation
MPLS/VPN
Address Space
Separation
Denial of Service Attacks on the Network Infrastructure Against the mechanisms the service provider
uses to provide MPLS/VPNs MPLS , LDP/BGP , IPsec , etc.,
Against the general infrastructure of the service provider Core routers
Deny the otherwise-legitimate activities of another MPLS/VPN user
Attacks on the Service Provider Equipment Via Management Interfaces
Reconfigure the equipment extract information (statistics, topology, etc.)
Malicious entering of the systems Inadvertently as a consequence of
inadequate inter-VPN isolation in a MPLS/VPN user self-management interface
Cross-connection of Traffic Between MPLS/VPNs This refers to the event where expected isolation bet
ween separate PPVPNs is breached This includes cases such as
A site being connected into the "wrong" VPN Two or more VPNs being improperly merged together A point-to-point VPN connecting the wrong two points Any packet or frame being improperly delivered outside
the VPN it is sent in Likelihood of being the result of service provider or eq
uipment vendor error
Attacks Against MPLS/VPN Routing Protocols Routing protocols that are run by the service
provider - LDP / BGP In layer 3 VPNs with dynamic routing this wou
ld typically relate to the distribution of per-VPN routes as well as backbone routes
In layer 2 VPNs this would typically relate only to the distribution of backbone routes
Attacks on Route Separation
keeping the per-VPN topology and reachability information for each PPVPN separate from, and unavailable to, any other PPVPN
Reveal topology Addressing information about a MPLS/VPN Cause black hole routing or unintended cros
s-connection between MPLS/VPNs
Attacks on Address Space Separation
In Layer 3 VPNs, the IP address spaces of different VPNs need to be kept separate
In Layer 2 VPNs, the MAC address and VLAN spaces of different VPNs need to be kept separate
Result in cross-connection between VPNs.
Defensive Techniques
Cryptographic techniques Authentication Access Control techniques Use of Isolated Infrastructure Use of Aggregated Infrastructure Service Provider Quality Control Processes Deployment of Testable MPLS/VPN Service
Defense Philosophy
Security threats can be addressed Provider's specific service offerings MPLS/VPN user should assess the value which these
techniques add to the user's VPN requirements Nothing is ever 100% secure - most likely to occur
and/or that have the most dire consequences To make the cost of a successful attack greater than
what the adversary will be willing to expend
Cryptographic techniques
Privacy traffic separation encryption
Authentication Integrality Drawback
Computational burden Complexity of the device configuration Incremental labor cost Packet lengths are typically increased
traffic load fragmentation
Other Devices
IPsec in MPLS/VPNs
PE to PE (can’t be employed ) PE to CE - weaker links (pass the Internet) CE-to-CE (only use tunnel mode)
Service Level Agreement (SLA) rather than analyzing the specific encryption techniques \
Encryption for device configuration and management Secure Shell (SSH) offers protection for
TELNET [STD-8] or terminal-like connections to allow device configuration
SNMP v3 [STD62] also provides encrypted and authenticated protection for SNMP-managed devices
Transport Layer Security (TLS) (also known as Secure Sockets Layer or SSL) [RFC-2246]
Authentication
Prevent Denial -of-Service attacks Malicious misconfiguration
Cryptographic techniques – Cryptographic techniques
shared secret keys one-time keys generated by accessory devices or soft
ware user-ID and password pairs public-private key systems do not protect against some types of denial of service a
ttacks
Authentication issues
VPN Member Authentication Management System Authentication
auto- discovery Peer-to-peer Authentication
Access Control techniques
packet-by-packet packet-flow-by-packet-flow Filtering Firewalls
Filtering
Common for routers Filter Characteristics
Stateless (In most cases ) Stateful (commonly done in firewalls )
Actions based on Filter Results Discard Set CoS Count packets and/or bytes Rate Limit - MPLS EXP field Forward and Copy
Firewalls
passing between different trusted zones SP to SP , PE to CE
passing between trusted zone and an untrusted zone Services
threshold-driven denial-of-service attack protection virus scanning acting as a TCP connection proxy
Advantage understanding of the topologies understanding of the threat model
Firewalls (conf)
Within the MPLS/VPN framework, traffic typically is not allowed to pass between the various user VPNs
Extranets - provide the services required for secure extranet implementation
Protect the user VPNs and core network from the public Internet
vpn 2
My LAB Environment
isp A
isp B
P routerLinux
MPLS Daemon
vpn 1
HOSTLinux
For API
WinXPFor Microcode
CE routerLinux
PE routerLinux
MPLS Daemon
ixp1200
Frmo EE
ixp1200
ixp1200
ixp1200
Next Presentation (3,8’2004)
IXP1200 Linux How To MPLS for Linux Development
