Presentation is loading. Please wait.

Presentation is loading. Please wait.

MPLS/VPN Security Threats and Defensive Techniques (provider provision) Speaker : JET 3,1’2004.

Published byUlises Parmeter Modified over 9 years ago

Similar presentations

Presentation on theme: "MPLS/VPN Security Threats and Defensive Techniques (provider provision) Speaker : JET 3,1’2004."— Presentation transcript:

1 MPLS/VPN Security Threats and Defensive Techniques (provider provision) Speaker : JET 3,1’2004

2 Introduction From BTexact Technologies

3 What is Threats ? Observation, modification, or deletion of PPVPN user data Replay of MPLS/VPN user data Injection of non-authentic data into a MPLS/VPN Traffic pattern analysis on MPLS/VPN traffic Disruption of MPLS/VPN connectivity Degradation of MPLS/VPN service quality

4 Threats sources The MPLSVPN service provider or persons working for it Other persons who obtain physical access to a service provider site Persons within the organization which is the MPLS/VPN user with respect to a particular MPLS/VPN Persons within an organization that is a separate MPLS/VPN user of the same service provider Others i.e. attackers from the Internet at large.

5 Security Threats - Data Plane MPLS/VPN Spoofing and Replay Unauthorized Observation/Modification/Deletion DoS Traffic Pattern Analysis Impersonation

6 Insertion of Non-Authentic Data Traffic: Spoofing and Replay Spoofing : insertion into the VPN of packets that do not belong there Replay : copies of once-legitimate packets that have been recorded and replayed

7 Denial of Service Attacks on the MPLS/VPN Monopolize network resources and thus prevent other PPVPNs from accessing those resources Inserting an overwhelming quantity of non- authentic data Overwhelming the service provider's general (MPLS/VPN-independent) infrastructure with traffic Interfering with its operation

8 Unauthorized Observation/Modification/Deletion of Data Traffic “Sniffing" VPN packets Examining their contents Modifying the contents of packets in flight Causing packets in flight to be discarded Would typically occur on links in a compromised node

9 Traffic Pattern Analysis “Sniffing" VPN packets and examining aspects or meta-aspects of them Even are encrypted gain useful information the amount and timing of traffic packet sizes source and destination addresses etc.

10 Impersonation Disguises itself to appear as a legitimate entity

11 Security Threats - Control Plane SP’s Equipment Cross-connection of Traffic Between MPLS-VPNs DoS Routing Protocols Route Separation MPLS/VPN Address Space Separation

12 Denial of Service Attacks on the Network Infrastructure Against the mechanisms the service provider uses to provide MPLS/VPNs MPLS, LDP/BGP, IPsec, etc., Against the general infrastructure of the service provider Core routers Deny the otherwise-legitimate activities of another MPLS/VPN user

13 Attacks on the Service Provider Equipment Via Management Interfaces Reconfigure the equipment extract information (statistics, topology, etc.) Malicious entering of the systems Inadvertently as a consequence of inadequate inter-VPN isolation in a MPLS/VPN user self-management interface

14 Cross-connection of Traffic Between MPLS/VPNs This refers to the event where expected isolation between separate PPVPNs is breached This includes cases such as A site being connected into the "wrong" VPN Two or more VPNs being improperly merged together A point-to-point VPN connecting the wrong two points Any packet or frame being improperly delivered outside the VPN it is sent in Likelihood of being the result of service provider or equipment vendor error

15 Attacks Against MPLS/VPN Routing Protocols Routing protocols that are run by the service provider - LDP / BGP In layer 3 VPNs with dynamic routing this would typically relate to the distribution of per- VPN routes as well as backbone routes In layer 2 VPNs this would typically relate only to the distribution of backbone routes

16 Attacks on Route Separation keeping the per-VPN topology and reachability information for each PPVPN separate from, and unavailable to, any other PPVPN Reveal topology Addressing information about a MPLS/VPN Cause black hole routing or unintended cross-connection between MPLS/VPNs

17 Attacks on Address Space Separation In Layer 3 VPNs, the IP address spaces of different VPNs need to be kept separate In Layer 2 VPNs, the MAC address and VLAN spaces of different VPNs need to be kept separate Result in cross-connection between VPNs.

18 Defensive Techniques Cryptographic techniques Authentication Access Control techniques Use of Isolated Infrastructure Use of Aggregated Infrastructure Service Provider Quality Control Processes Deployment of Testable MPLS/VPN Service

19 Defense Philosophy Security threats can be addressed Provider's specific service offerings MPLS/VPN user should assess the value which these techniques add to the user's VPN requirements Nothing is ever 100% secure - most likely to occur and/or that have the most dire consequences To make the cost of a successful attack greater than what the adversary will be willing to expend

20 Cryptographic techniques Privacy traffic separation encryption Authentication Integrality Drawback Computational burden Complexity of the device configuration Incremental labor cost Packet lengths are typically increased traffic load fragmentation Other Devices

21 IPsec in MPLS/VPNs PE to PE (can’t be employed ) PE to CE - weaker links (pass the Internet) CE-to-CE (only use tunnel mode) Service Level Agreement (SLA) rather than analyzing the specific encryption techniques \

22 Encryption for device configuration and management Secure Shell (SSH) offers protection for TELNET [STD-8] or terminal-like connections to allow device configuration SNMP v3 [STD62] also provides encrypted and authenticated protection for SNMP- managed devices Transport Layer Security (TLS) (also known as Secure Sockets Layer or SSL) [RFC-2246]

23 Authentication Prevent Denial -of-Service attacks Malicious misconfiguration Cryptographic techniques – Cryptographic techniques shared secret keys one-time keys generated by accessory devices or software user-ID and password pairs public-private key systems do not protect against some types of denial of service attacks

24 Authentication issues VPN Member Authentication Management System Authentication auto- discovery Peer-to-peer Authentication

25 Access Control techniques packet-by-packet packet-flow-by-packet-flow Filtering Firewalls

26 Filtering Common for routers Filter Characteristics Stateless (In most cases ) Stateful (commonly done in firewalls ) Actions based on Filter Results Discard Set CoS Count packets and/or bytes Rate Limit - MPLS EXP field Forward and Copy

27 Firewalls passing between different trusted zones SP to SP, PE to CE passing between trusted zone and an untrusted zone Services threshold-driven denial-of-service attack protection virus scanning acting as a TCP connection proxy Advantage understanding of the topologies understanding of the threat model

28 Firewalls (conf) Within the MPLS/VPN framework, traffic typically is not allowed to pass between the various user VPNs Extranets - provide the services required for secure extranet implementation Protect the user VPNs and core network from the public Internet

29 vpn 2 My LAB Environment isp A isp B P router Linux MPLS Daemon vpn 1 HOST Linux For API WinXP For Microcode CE router Linux PE router Linux MPLS Daemon ixp1200 Frmo EE ixp1200

30 Next Presentation (3,8 ’ 2004) IXP1200 Linux How To MPLS for Linux Development

Download ppt "MPLS/VPN Security Threats and Defensive Techniques (provider provision) Speaker : JET 3,1’2004."

Similar presentations

Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.

Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University

Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.

Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
McGraw-Hill © ©The McGraw-Hill Companies, Inc., 2004 Chapter 31 Security Protocols in the Internet.

McGraw-Hill © ©The McGraw-Hill Companies, Inc., 2004 Chapter 31 Security Protocols in the Internet.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Internet Protocol Security An Overview of IPSec. Outline:  What Security Problem?  Understanding TCP/IP.  Security at What Level?  IP Security. 

Internet Protocol Security An Overview of IPSec. Outline:  What Security Problem?  Understanding TCP/IP.  Security at What Level?  IP Security. 
Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.

Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.

Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Similar presentations

Ads by Google