
MPLS cisco QOS VPN full mpls security




DOCUMENT INFORMATION

Basic information

Format
Pages: 41
Size: 620 KB


Contents


Page 1

MPLS VPN Security

Equivalent to the Security of Frame Relay and ATM

Page 3

MPLS VPN (diagram: Customer A and Customer B CE routers attached to PE routers on either side of the MPLS core)

Page 4

Miercom MPLS-VPN Security Test

Miercom performed testing that characteristics of a comparable layer two based VPN such as Frame-Relay or ATM.

Page 5

Miercom MPLS-VPN Test

Why did Cisco have Miercom do the test?

Wanted an independent third party to perform the test.

Test was driven by customer requests to show MPLS-VPNs are secure.

http://www.mier.com/reports/cisco/MPLS-VPNs.pdf

Page 7

Requirements of a Secure Network

Address and routing separation must exist.

The service provider core network should be hidden to the outside world.

The network must be resistant to attacks.

Page 8

Address and Routing Separation

Between two non-intersecting VPNs the address spaces are entirely independent.

Each end site in a VPN has a unique address for that VPN, and the routing spaces are entirely independent.

Page 9

Hiding the Core Network

Hide the internal structure of the backbone:

There should be little or no visibility into the core from outside networks.

The only information the customer should know is the minimum to allow service (DLCI, VPI/VCI).

Page 10

Resistance to Attacks

Resistance to Attacks implies:

Resistance to Denial of Service (DoS)

Resistance to intrusions and inability to gain unauthorized access

Page 12

Address and Routing Separation

ATM and Frame Relay

Traffic is switched based on VPI/VCI.

Page 13

Hiding the Service Provider Core

ATM and Frame Relay

Only information that is shared between the provider and customer is info about the customer’s VCs (DLCI or VPI/VCI).

Customer has no other knowledge of service provider network.

Page 14

What do Customers see?

Provider Provisioning and Network Management

Page 15

Resistance to Attacks

ATM and Frame Relay

With no layer 3 information and barely any layer 2 information about the provider network, what’s left to attack?

DoS attack – network switches ALL packets to the other side of the VC

Intrusion attack – no layer 3 availability

Page 16

Attack in an ATM or Frame-Relay switched across cloud (diagram)

Page 17

ATM and Frame-Relay secure?

Address and routing separation?

Service Provider core hidden?

Resistant to attacks?

Page 19

MPLS VPN Security

Questions need to be answered:

How does routing stay separate?

How can addressing be separate?

How can the core network be hidden?

How vulnerable to DoS and Intrusion attacks is the network?

Page 20

Address and Routing Separation

MPLS VPN

Address Separation

64-bit route distinguisher (RD) added to each IPv4 route, ensuring uniqueness in the MPLS core.

MP-BGP used to exchange these new VPN-IPv4 addresses across the core (96-bit VPN-IPv4 address).

Page 21

Address and Routing Separation

MPLS VPN

Routing Separation

These BGP routes are not redistributed into the core.

PEs have independent routing tables for each VRF.

Page 22

How Miercom tested Address and Routing Separation

A test bed was built involving three different VPNs, two of which use the same addressing space.

Every routing table was examined to verify no route leaking and route table independence.

Verified traffic that initiated from inside the VPN stayed inside that VPN.

Result: MPLS VPNs provide Address and Routing Separation.

Page 23

(diagram labels: Traffic Being Sent; No Traffic Being Received)

Page 24

Hiding the Service Provider Core

MPLS VPN

Interface to VPNs is BGP, no need to reveal any info about the core.

Info is only required when a routing protocol is run between the CE and PE. If not desired, static route to an interface.

Turn off MPLS traceroute:

no tag-switching ip propagate-ttl

Page 25

Diagram of what can be seen in MPLS core (diagram: Customer A and Customer B CE routers, PE routers, MPLS core)

Addressing of WAN links between the CEs and PEs can be seen, only those in same VRF.

Page 26

How Miercom Tested Hiding the Service Provider Core

Miercom tried to access the service provider core via telnet.

Route tables were examined to verify no routes from the core existed on the CE routers.

Also no routes from the VPNs existed in the Core.

Result: MPLS VPNs do not reveal the Service Provider core.

Page 27

Resistance to Attacks

MPLS VPNs

There is now an address to attack the provider network:

The IP address of the WAN link

IP address of dynamic routing protocol peer

Main goal is to ensure that an attack from one VPN has no effect on other VPNs, off of the same PE or across the network.

Page 28

Resistance to Attacks

MPLS VPN

Two potential ways to attack MPLS-VPNs

Traffic Isolation prevents an attack across VPN boundaries.

Page 29

DoS Attacks

MPLS VPN

Have to secure the PE against DoS attacks:

Intrusion attacks on the PE

Flood of routing updates

Same attacks as an ISP Internet router is vulnerable to. The same prevention techniques should be used.

Page 30

How MPLS-VPNs Handle DoS Attacks

Intrusion attacks on the PE:

Access-lists denying telnet and other access from the CE to the PE

Flood of routing updates:

Routing protocol authentication

Access-lists to block routing protocols not used

VRF route limits

BGP route-dampening and prefix limits
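The mechanisms listed on this slide written out as a Cisco IOS configuration fragment for the CE-facing side of a PE router. This is an added example, not configuration from the presentation or the Miercom test; the VRF name CUSTA, the AS numbers, addresses and keys are made up, and both an OSPF and an eBGP CE peering are shown only so that every item in the list appears (a real link would run one of them).

```cisco
! VRF route limit: caps what a route-flooding CE can inject into this VRF
ip vrf CUSTA
 rd 65000:1
 route-target both 65000:1
 maximum routes 1000 80
!
! Hide the core from traceroute: do not copy the IP TTL into the MPLS label
! (current syntax for the "no tag-switching ip propagate-ttl" shown on page 24)
no mpls ip propagate-ttl
!
! Access-list for the CE-facing interface: deny telnet/ssh to the PE's own
! address and block routing protocols not used on this link (RIP, EIGRP);
! everything else, including OSPF and BGP to the PE, is permitted
ip access-list extended CE-TO-PE
 deny   tcp any host 10.1.1.1 eq telnet
 deny   tcp any host 10.1.1.1 eq 22
 deny   udp any any eq rip
 deny   eigrp any any
 permit ip any any
!
! CE-facing interface: placed in the customer VRF, ACL applied inbound, OSPF
! MD5 authentication; MPLS stays disabled so labeled packets from the CE drop
interface Serial0/0
 description Customer A CE link (made-up addressing)
 ip vrf forwarding CUSTA
 ip address 10.1.1.1 255.255.255.252
 ip access-group CE-TO-PE in
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 EXAMPLEKEY1
 no mpls ip
!
! OSPF instance for the VRF (CE peers by OSPF on this link)
router ospf 100 vrf CUSTA
 network 10.1.1.0 0.0.0.3 area 0
!
! BGP: dampening and a prefix limit for a CE that peers by eBGP instead;
! the MD5 password authenticates the session
router bgp 65000
 address-family ipv4 vrf CUSTA
  bgp dampening
  neighbor 10.1.1.2 remote-as 65001
  neighbor 10.1.1.2 password EXAMPLEBGPKEY
  neighbor 10.1.1.2 maximum-prefix 500 80 restart 5
  neighbor 10.1.1.2 activate
 exit-address-family
```

With this in place a flood of routes from the CE hits the VRF route limit or the BGP prefix limit on this PE only, which is the isolation the Miercom DoS routing test on page 33 checks for.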

Page 31

CE does have PE address (diagram)

Page 32

How Miercom Tested DoS attacks on the PE

Verified that access-lists denied intrusion attacks.

Flood of RIP and OSPF updates into a PE:

Applied VRF route filtering

Applied BGP prefix limits

Result: MPLS VPNs are resistant to DoS attacks.

Page 33

Miercom DoS Routing Test (diagram: a PE router under attack with routing updates, VRF filters applied; a second PE router and the P router unaffected by the attack, BGP filters applied; the Red VPN unaffected by the attack)

Page 34

Attack on MPLS Signaling

MPLS VPN

the core

like IP spoofing

outside (from a CE router)?

Page 35

MPLS Label Spoofing

interface w/o labels)

a label from a CE

on an interface where tag-switching is disabled

Page 36

Miercom Testing MPLS Label Spoofing

Verified the following

disabled are dropped

Result: MPLS VPNs are resistant to attacks on the signaling method.

(diagram: labeled packets sent from the CE to the PE; tag-switching disabled on the PE interface)

Page 38

Miercom performed a test that proved that MPLS based VPNs are equivalent to the security of Frame-Relay and ATM.

Address space and routing separation:

Unique addressing utilizing VPN-IPv4 addresses

Routing separation by the use of VRFs

Page 39

Mechanisms in place to limit the impact of DoS attacks


Posted: 18/10/2019, 15:37