MPLS VPN Security
By Michael H. Behringer, Monique J. Morrow
Publisher: Cisco Press
Pub Date: June 08, 2005
ISBN: 1-58705-183-4
Pages: 312

A practical guide to hardening MPLS networks

Define "zones of trust" for your MPLS VPN environment
Understand fundamental security principles and how MPLS VPNs work
Build an MPLS VPN threat model that defines attack points, such as VPN separation, VPN spoofing, DoS against the network's backbone, misconfigurations, sniffing, and inside attack forms
Identify VPN security requirements, including robustness against attacks, hiding of the core infrastructure, protection against spoofing, and ATM/Frame Relay security comparisons
Interpret complex architectures such as extranet access, with recommendations for Inter-AS, carrier-supporting carriers, Layer 2 security considerations, and multiple provider trust model issues
Operate and maintain a secure MPLS core with industry best practices
Integrate IPsec into your MPLS VPN for extra security in encryption and data origin verification
Build VPNs by interconnecting Layer 2 networks with newly available architectures such as virtual private wire service (VPWS) and virtual private LAN service (VPLS)
Protect your core network from attack by considering Operations, Administration, and Management (OAM) and MPLS backbone security incidents

Multiprotocol Label Switching (MPLS) is becoming a widely deployed technology, specifically for providing virtual private network (VPN) services. Security is a major concern for companies migrating to MPLS VPNs from existing VPN technologies such as ATM. Organizations deploying MPLS VPNs need security best practices for protecting their networks, specifically for the more complex deployment models such as inter-provider networks and Internet provisioning on the network.

MPLS VPN Security is the first book to address the security features of MPLS VPN networks and to show you how to harden and securely operate an MPLS network. Divided into four parts, the book begins with an overview of security and VPN technology. A chapter on threats and attack points provides a foundation for the discussion in later chapters. Part II addresses overall security from various perspectives, including architectural, design, and operation components. Part III provides practical guidelines for implementing MPLS VPN security. Part IV presents real-world case studies that encompass details from all the previous chapters to provide examples of overall secure solutions.

Drawing upon the authors' considerable experience in attack mitigation and infrastructure security, MPLS VPN Security is your practical guide to understanding how to effectively secure communications in an MPLS environment.

"The authors of this book, Michael Behringer and Monique Morrow, have a deep and rich understanding of security issues, such as denial-of-service attack prevention and infrastructure protection from network vulnerabilities. They offer a very practical perspective on the deployment scenarios, thereby demystifying a complex topic. I hope you enjoy their insights into the design of self-defending networks."
Jayshree V. Ullal, Senior VP/GM Security Technology Group, Cisco Systems®

Table of Contents

Copyright
About the Authors
About the Technical Reviewers
Acknowledgments
Foreword
Icons Used in This Book
Command Syntax Conventions
Introduction
  Who Should Read This Book
  How This Book Is Organized
Part I MPLS VPN and Security Fundamentals
  Chapter 1 MPLS VPN Security: An Overview
    Key Security Concepts
    Other Important Security Concepts
    Overview of VPN Technologies
    Fundamentals of MPLS VPNs
    A Security Reference Model for MPLS VPNs
    Summary
  Chapter 2 A Threat Model for MPLS VPNs
    Threats Against a VPN
    Threats Against an Extranet Site
    Threats Against the Core
    Threats Against the Internet
    Threats from Within a Zone of Trust
    Reconnaissance Attacks
    Summary
Part II Advanced MPLS VPN Security Issues
  Chapter 3 MPLS Security Analysis
    VPN Separation
    Robustness Against Attacks
    Hiding the Core Infrastructure
    Protection Against Spoofing
    Specific Inter-AS Considerations
    Specific Carrier's Carrier Considerations
    Security Issues Not Addressed by the MPLS Architecture
    Comparison to ATM/FR Security
    Summary
    Footnotes
  Chapter 4 Secure MPLS VPN Designs
    Internet Access
    Extranet Access
    MPLS VPNs and Firewalling
    Designing DoS-Resistant Networks
    Inter-AS Recommendations and Traversing Multiple Provider Trust Model Issues
    Carriers' Carrier
    Layer 2 Security Considerations
    Multicast VPN Security
    Summary
    Footnotes
  Chapter 5 Security Recommendations
    General Router Security
    CE-Specific Router Security and Topology Design Considerations
    PE-Specific Router Security
    PE Data Plane Security
    PE-CE Connectivity Security Issues
    P-Specific Router Security
    Securing the Core
    Routing Security
    CE-PE Routing Security Best Practices
    Internet Access
    Sharing End-to-End Resources
    LAN Security Issues
    IPsec: CE to CE
    MPLS over IP Operational Considerations: L2TPv3
    Securing Core and Routing Check List
    Summary
Part III Practical Guidelines to MPLS VPN Security
  Chapter 6 How IPsec Complements MPLS
    IPsec Overview
    Location of the IPsec Termination Points
    Deploying IPsec on MPLS
    Using Other Encryption Techniques
    Summary
  Chapter 7 Security of MPLS Layer 2 VPNs
    Generic Layer 2 Security Considerations
    C2 Ethernet Topologies
    C3 VPLS Overview
    C4 VPWS Overview
    C5 VPLS and VPWS Service Summary and Metro Ethernet Architecture Overview
    C6 VPLS and VPWS Security Overview
    Customer Edge
    Summary
  Chapter 8 Secure Operation and Maintenance of an MPLS Core
    Management Network Security
    Securely Managing CE Devices
    Securely Managing the Core Network
    Summary
Part IV Case Studies and Appendixes
  Chapter 9 Case Studies
    Internet Access
    Multi-Lite VRF Mechanisms
    Layer 2 LAN Access
    Summary
  Appendix A Detailed Configuration Example for a PE
  Appendix B Reference List
    Cisco Press Books
    IETF
    ITU-T
Index

Copyright

Copyright © 2005 Cisco Systems, Inc.
Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
First Printing June 2005
Library of Congress Cataloging-in-Publication Number: 2003116565

Warning and Disclaimer
This book is designed to provide information about MPLS VPN security. Every effort has been made to make this book as complete and accurate as possible, but no warranty or fitness is implied. The information is provided on an "as is" basis. The author, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Corporate and Government Sales
Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact: U.S. Corporate and Government Sales, 1-800-382-3419 (corpsales@pearsontechgroup.com). For sales outside the U.S., please contact: International Sales, international@pearsoned.com.

Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book or otherwise alter it to better suit your needs, you can contact us by e-mail at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance.

Credits
Publisher: John Wait
Editor-in-Chief: John Kane
Executive Editor: Brett Bartow
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Jeff Brady
Production Manager: Patrick Kanouse
Development Editor: Sheri Cain
Project Editor: Sheila Schroeder
Copy Editor: Emily Rader
Technical Editors: Saul Adler, Raymond Zhang, Marc Binderberger, Reina Wang
Editorial Assistant: Tammi Barnett
Cover Designer: Louisa Adair
Composition: Interactive Composition Corporation
Indexer: Christine Karpeles
Proofreader: Melissa Pluta

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 526-4100

European Headquarters
Cisco Systems International BV
Haarlerbergpark
Haarlerbergweg 13-19
1101 CH Amsterdam
The Netherlands
www-europe.cisco.com
Tel: 31 0 20 357 1000
Fax: 31 0 20 357 1100

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
www.cisco.com
Tel: 408 526-7660
Fax: 408 527-0883

Asia Pacific Headquarters
Cisco Systems, Inc.
Capital Tower
168 Robinson Road
#22-01 to #29-01
Singapore 068912
www.cisco.com
Tel: +65 6317 7777
Fax: +65 6317 7799

Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco.com Web site at www.cisco.com/go/offices.

Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe

Copyright © 2003 Cisco Systems, Inc. All rights reserved. CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, Strata View Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0303R)

Printed in the USA

Dedications

To my parents: you made me who I am.
Michael Behringer

I dedicate this book to family and dear friends who have been passionate in supporting this effort; my parents, Sam and Odette Morrow; and a super friend in life, Veronique Thevenaz.
Monique Morrow

To all of our customers and colleagues who continue to ask hard questions.

Index

M
MAC address limits and port security
management network security
  overview
management plane
management VRF
  IN-Management route-map
  OUT-Management route-map
  overview
MD5 (Message-Digest 5 authentication)
Metro Ethernet Architecture
Metro Ethernet Model
misconfiguration or operational mistakes, protection against
monolithic core
  DoS attacks
  internal threats
  intrusions
MPLS architecture
  customer network security
  data confidentiality, integrity, and origin authentication
  misconfiguration or operational mistakes, protection against
  MPLS backbone, attacks from Internet through
  security issues not addressed by
MPLS backbone, attacks from Internet through
MPLS over IP operational considerations
MPLS over L2TPv3
MPLS VPNs
  nomenclature of
  overview
  planes of
    control plane
    data plane
    management plane
    overview
  security implications of connectionless VPNs
  security reference model
multi-hop eBGP distribution of labeled VPN-IPv4 routes with eBGP redistribution of IPv4 routes
  Inter-AS recommendations and traversing multiple provider trust model issues
Multi-Lite VRF mechanisms
  case studies
  configuration example for Internet and VPN service using same CE
Multi-Protocol Border Gateway Protocol (MP-BGP)
multicast VPN security
multihop BGP peering sessions, configuring TTL security check for

N
NAT
  customer-controlled NAT, Internet access via
  registered NAT by CE
  NAT via common gateways
  NAT via single common gateway
neighbor router authentication
network operations center (NOC)
  threats against
network reporting, establishing
Network Time Protocol (NTP)
no service finger
no service pad
nomenclature
nonrecognized neighbors, prevention of routes being accepted by

O
OSPF PE-CE routing
OUT-Management route-map

P
P-specific router security
password recovery, disabling
PE data plane security
  overview
PE routers
  DoS attacks
PE to multiple Internet gateways
PE-CE addressing
PE-CE connectivity security issues
PE-PE IPsec
PE-specific router security
  overview
peer authentication with MD5
point of presence (PoP)
policy-based routing (PBR)
prefix filtering
prefix flooding
pseudowire

R
rACLs (receive ACLs)
  basic template and ACL examples
  deployment guidelines
  fragmented packets and
  receive traffic
reconnaissance attacks
remote access IPsec
resource sharing
RIPv2 PE-CE routing
route distinguisher (RD)
route flap damping
route targets (RTs)
route-target export
route-target filtering
route-target import
routing security
  configuring TTL security check for BGP peering sessions
  configuring TTL security check for multihop BGP peering sessions
  MD5 for Label Distribution Protocol
  neighbor router authentication
  overview
  TTL security check, benefits of BGP support for
  TTL security check, configuring
  TTL security mechanism for BGP
routing/forwarding instance (VRF)

S
secure failure
Secure Sockets Layer (SSL)
security
  100 percent security, impossibility of
  components of
  confidentiality, integrity, and availability
  connectionless VPNs, security implications of
  defined
  layers of defense
  least privilege principle
  other technologies, security differing from
  overview
  secure failure
  security policy
  threat model
  weakest link principle
  zones of trust
security policy
security recommendations
  CE-CE IPsec
    PE-PE IPsec compared
  CE-PE routing security best practices
    BGP maximum-prefix mechanism
    BGP PE-CE routing
    dynamic routing
    EIGRP PE-CE routing
    key chaining
    nonrecognized neighbors, prevention of routes being accepted by
    OSPF PE-CE routing
    overview
    PE-CE addressing
    RIPv2 PE-CE routing
    static routing
  CE-specific router security
    data plane security
    managed CE security considerations
    overview
    unmanaged CE security considerations
  checklist
  core
    iACLs
    overview
  end-to-end resource sharing
    additional security
    addressing considerations
    overview
  general router security
    AutoSecure
    control plane policing
    disabling unnecessary services
    IP source address verification
    overview
    rACLs
    secure access to routers
  Internet access
    overview
    resource sharing
  LAN security
    LAN factors for peering constructs
    overview
  MPLS over IP operational considerations
  MPLS over L2TPv3
  overview
  P-specific router security
  PE data plane security
    overview
  PE-CE connectivity security issues
  PE-specific router security
    overview
  routing security
    configuring TTL security check for BGP peering sessions
    configuring TTL security check for multihop BGP peering sessions
    MD5 for Label Distribution Protocol
    neighbor router authentication
    overview
    TTL security check, benefits of BGP support for
    TTL security check, configuring
    TTL security mechanism for BGP
security reference model
shared access line
small TCP and UDP servers
spoofing
  IP address spoofing
  label spoofing
  overview
standard router security
static IPsec
static routing

T
tag distribution protocol (TDP)
threat model
  overview
threats
  against extranet sites
  against Internet
  against NOC
  overview
  against zone of trust
  reconnaissance attacks
threats against core network
  hierarchical core
  Inter-AS core
  monolithic core
  overview
threats against VPNs
  DoS (denial of service)
  intrusions
  overview
tier 3 ISP connecting to an upstream tier via a service provider
traffic separation
TTL security check, benefits of BGP support for
TTL security check, configuring
TTL security mechanism for BGP

U
U-PE STP priority

V
VLAN trunking protocol (VTP) transparent operation
VLANs
  controlling reserved
  removing unused
VPLS
  security considerations
    Metro Ethernet Model
    physical interconnection option
    SP interconnect models
VPLS (Virtual Private LAN Service)
VPN separation
  address space separation
  ATM/FR security comparisons
  non-VRF interface
  overview
  traffic separation
  VRF interface
VPN spoofing
  ATM/FR security comparisons
VPN technologies
  connection-oriented
  encrypted
  Internet based
  overview
VPWS
  security considerations
    Metro Ethernet Model
    physical interconnection option
    SP interconnect models
VRF designs and Internet access
VRF Lite
VRF-to-VRF connection on ASBRs
  Inter-AS recommendations and traversing multiple provider trust model issues
VRF-to-VRF connections at AS border routers

W
weakest link principle

Z
zone of trust
  threats against
zones of trust