A practical guide to hardening MPLS networks
- Define "zones of trust" for your MPLS VPN environment
- Understand fundamental security principles and how MPLS VPNs work
- Build an MPLS VPN threat model that defines attack points, such as VPN separation, VPN spoofing, DoS against the network’s backbone, misconfigurations, sniffing, and inside attack forms
- Identify VPN security requirements, including robustness against attacks, hiding of the core infrastructure, protection against spoofing, and ATM/Frame Relay security comparisons
- Interpret complex architectures such as extranet access with recommendations of Inter-AS, carrier-supporting carriers, Layer 2 security considerations, and multiple provider trust model issues
- Operate and maintain a secure MPLS core with industry best practices
- Integrate IPsec into your MPLS VPN for extra security in encryption and data origin verification
- Build VPNs by interconnecting Layer 2 networks with new available architectures such as virtual private wire service (VPWS) and virtual private LAN service (VPLS)
- Protect your core network from attack by considering Operations, Administration, and Management (OAM) and MPLS backbone security incidents
Multiprotocol Label Switching (MPLS) is becoming a widely deployed technology, specifically for providing virtual private network (VPN) services. Security is a major concern for companies migrating to MPLS VPNs from existing VPN technologies such as ATM. Organizations deploying MPLS VPNs need security best practices for protecting their networks, specifically for the more complex deployment models such as inter-provider networks and Internet provisioning on the network.
MPLS VPN Security is the first book to address the security features of MPLS VPN networks and to show you how to harden and securely operate an MPLS network. Divided into four parts, the book begins with an overview of security and VPN technology. A chapter on threats and attack points provides a foundation for the discussion in later chapters. Part II addresses overall security from various perspectives, including architectural, design, and operation components. Part III provides practical guidelines for implementing MPLS VPN security. Part IV presents real-world case studies that encompass details from all the previous chapters to provide examples of overall secure solutions.
Drawing upon the authors’ considerable experience in attack mitigation and infrastructure security, MPLS VPN Security is your practical guide to understanding how to effectively secure communications in an MPLS environment.
"The authors of this book, Michael Behringer and Monique Morrow, have a deep and rich understanding of security issues, such as denial-of-service attack prevention and infrastructure protection from network vulnerabilities. They offer a very practical perspective on the deployment scenarios, thereby demystifying a complex topic. I hope you enjoy their insights into the design of self-defending networks."
—Jayshree V. Ullal, Senior VP/GM Security Technology Group, Cisco Systems®
Table of Contents:
Foreword
Introduction
Part I MPLS VPN and Security Fundamentals
Chapter 1MPLS VPN Security: An Overview
Key Security Concepts
Security Differs from Other Technologies
What Is “Secure”?
No System Is 100 Percent Secure
Three Components of System Security
Principle of the Weakest Link
Principle of the Least Privilege
Other Important Security Concepts
Overview of VPN Technologies
Fundamentals of MPLS VPNs
Nomenclature of MPLS VPNs
Three Planes of an MPLS VPN Network
Security Implications of Connectionless VPNs
A Security Reference Model for MPLS VPNs
Summary
Chapter 2A Threat Model for MPLS VPNs
Threats Against a VPN
Intrusions into a VPN
Denial of Service Against a VPN
Threats Against an Extranet Site
Threats Against the Core
Monolithic Core
Inter-AS: A Multi-AS Core
Carrier’s Carrier: A Hierarchical Core
Threats Against a Network Operations Center
Threats Against the Internet
Threats from Within a Zone of Trust
Reconnaissance Attacks
Summary
Part II Advanced MPLS VPN Security Issues
Chapter 3MPLS Security Analysis
VPN Separation
Address Space Separation
Traffic Separation
Robustness Against Attacks
Where an MPLS Core Can Be Attacked
How an MPLS Core Can Be Attacked
How the Core Can Be Protected
Hiding the Core Infrastructure
Protection Against Spoofing
Specific Inter-AS Considerations
Model A: VRF-to-VRF Connections at the AS Border Routers
Model B: EBGP Redistribution of Labeled VPN-IPv4 Routes from AS to Neighboring AS
Model C: Multihop eBGP Redistribution of Labeled VPN-IPv4
Routes Between Source and Destination ASs, with eBGP
Redistribution of Labeled IPv4 Routes from AS to Neighboring AS
Comparison of Inter-AS Security Considerations
Specific Carrier’s Carrier Considerations
How CsC Works
Security of CsC
Security Issues Not Addressed by the MPLS Architecture
Comparison to ATM/FR Security
VPN Separation
Robustness Against Attacks
Hiding the Core Infrastructure
Impossibility of VPN Spoofing
CE-CE Visibility
Comparison of VPN Security Technologies
Summary
Chapter 4Secure MPLS VPN Designs
Internet Access
MPLS Core Without Internet Connectivity
Generic Internet Design Recommendations
Internet in a VRF
Internet in the Global Routing Table
Overview of Internet Provisioning
Extranet Access
MPLS VPNs and Firewalling
Designing DoS-Resistant Networks
Overview of DoS
Designing a DoS-Resistant Provider Edge
Tradeoffs Between DoS Resistance and Network Cost
DoS Resistant Routers
Inter-AS Recommendations and Traversing Multiple Provider
Trust Model Issues
Case A: VRF-to-VRF Connection on ASBRs
Case B: eBGP Redistribution of Labeled VPN-IPv4 Routes
Case C: Multi-Hop eBGP Distribution of Labeled VPN-IPv4 Routes
with eBGP Redistribution of IP4 Routes
Carriers’ Carrier
Layer 2 Security Considerations
Multicast VPN Security
Summary
Chapter 5Security Recommendations
General Router Security
Secure Access to Routers
Disabling Unnecessary Services for Security
IP Source Address Verification
12000 Protection and Receive ACLs (rACLs)
Control Plane Policing
AutoSecure
CE-Specific Router Security and Topology Design Considerations
Managed CE Security Considerations
Unmanaged CE Security Considerations
CE Data Plane Security
PE-Specific Router Security
PE Data Plane Security
PE-CE Connectivity Security Issues
P-Specific Router Security
Securing the Core
Infrastructure Access Lists (iACLs)
Routing Security
Neighbor Router Authentication
MD5 for Label Distribution Protocol
CE-PE Routing Security Best Practices
PE-CE Addressing
Static Routing
Dynamic Routing
eBGP PE-CE Routing
EIGRP PE-CE Routing
OSPF PE-CE Routing
RIPv2 PE-CE Routing
PE-CE Routing Summary
Prevention of Routes from Being Accepted by Nonrecognized Neighbors
BGP Maximum-Prefix Mechanism
Internet Access
Resource Sharing: Internet and Intranet
Sharing End-to-End Resources
Additional Security
Addressing Considerations
LAN Security Issues
LAN Factors for Peering Constructs
IPsec: CE to CE
IPsec PE-PE
MPLS over IP Operational Considerations: L2TPv3
MPLS over L2TPv3
Securing Core and Routing Check List
Summary
Part III Practical Guidelines to MPLS VPN Security
Chapter 6How IPsec Complements MPLS
IPsec Overview
Location of the IPsec Termination Points
CE-CE IPsec
PE-PE IPsec
Remote Access IPsec into an MPLS VPN
Deploying IPsec on MPLS
Using Other Encryption Techniques
Summary
Chapter 7Security of MPLS Layer 2 VPNs
Generic Layer 2 Security Considerations
C2 Ethernet Topologies
C3 VPLS Overview
C4 VPWS Overview
C5 VPLS and VPWS Service Summary and Metro Ethernet Architecture Overview
C6 VPLS and VPWS Security Overview
Physical Interconnection Option Details
D1 SP Interconnect Models
D3 Metro Ethernet Model
Customer Edge
CE Interconnection Service Is a Layer 3 Device
Customer Edge Interconnection Service Is a Layer 2 Device
Hijack Management Security
Disable Password Recovery
U-PE STP Priority
Apply Broadcast Limiters
Disable/Block Layer 2 Control Traffic
VTP Transparent Operation
MAC Address Limits and Port Security
Controlling Reserved VLANs
Removing Unused VLANs
Hard-Code Physical Port Attributes
Establish Network Reporting
Enable 802.1x
Summary
Chapter 8Secure Operation and Maintenance of an MPLS Core
Management Network Security
Securely Managing CE Devices
Management VRF Overview
Management VRF Details
Securely Managing the Core Network
Summary
Part IV Case Studies and Appendixes
Chapter 9Case Studies
Internet Access
NAT Via Common Gateways
PE to Multiple Internet Gateways
NAT via a Single Common Gateway
Registered NAT by CE
Internet Access via Customer-Controlled NAT
Internet Access Using Global Routing Table
BGP Internet Routing Table from the Service Provider of an ISP
Tier 3 ISP Connecting to an Upstream Tier via a Service Provider
Hybrid Model
Multi-Lite VRF Mechanisms
Configuration Example for Internet and VPN Service Using the Same CE
Layer 2 LAN Access
Summary
Appendix ADetailed Configuration Example for a PE
Appendix BReference List
Index
About the Author :
Michael H. Behringer is a distinguished engineer at Cisco®, where his expertise focuses on MPLS VPN security, service provider security, and denial-of-service (DoS) attack prevention. Prior to joining Cisco Systems, he was responsible for the design and implementation of pan-European networks for a major European Internet service provider.
Monique J. Morrow is a CTO consulting engineer at Cisco Systems, to which she brings more than 20 years’ experience in IP internetworking, design, and service development for service providers. Monique led the engineering project team for one of the first European MPLS VPN deployments for a European Internet service provider.
