MPLS VPN Security
Equivalent to the Security of Frame Relay and ATM
Course Number
Presentation_ID © 2000, Cisco Systems, Inc

Agenda
• Introduction
• VPN Security today
• MPLS VPN Security
• Summary

MPLS VPN
[Diagram: CE routers for Customer A and Customer B attach to a PE router on each side of the MPLS core]

Miercom MPLS-VPN Security Test
• Miercom performed testing that proved that MPLS-VPNs have met or exceeded all of the security characteristics of a comparable layer two based VPN such as Frame-Relay or ATM

Miercom MPLS-VPN Test
• Why did Cisco have Miercom run the test?
• Wanted an independent third party to perform the test
• Test was driven by customer requests to show MPLS-VPNs are secure
http://www.mier.com/reports/cisco/MPLS-VPNs.pdf

Agenda
• VPN Overview
• VPN Security today
• MPLS VPN Security
• Summary

Requirements of a Secure Network
• Address and routing separation must exist
• The service provider core network should be hidden from the outside world
• The network must be resistant to attacks

Address and Routing Separation
• Address and routing separation
  • Between two non-intersecting VPNs the address spaces are entirely independent
  • Each end site in a VPN has a unique address within that VPN, and the routing spaces are entirely independent

Hiding the Core Network
• Hide the internal structure of the backbone:
  • There should be little or no visibility into the core from outside networks
  • The only information the customer should know is the minimum needed to allow service (DLCI, VPI/VCI)

Resistance to Attacks
• Resistance to attacks implies
  • Resistance to Denial of Service (DoS)
  • Resistance to intrusions and inability to gain unauthorized access

Resistance to Attacks (MPLS VPNs)
• There is now an address to attack the provider network
  • The IP address of the WAN link
  • The IP address of the dynamic routing protocol peer
• Main goal is to ensure that an attack from one VPN has no effect on other VPNs
  • Off of the same PE, or across the network

Resistance to Attacks (MPLS VPN)
• Two potential ways to attack MPLS-VPNs
  • Attack the PE router
  • Attack the signaling mechanisms of MPLS
• Traffic isolation prevents an attack across VPN boundaries

DoS Attacks (MPLS VPN)
• Have to secure the PE against DoS attacks
  • Intrusion attacks on the PE
  • Flood of routing updates
• Same attacks an ISP Internet router is vulnerable to
  • The same prevention techniques should be used

How MPLS-VPNs Handle DoS Attacks
• Intrusion attacks on the PE
  • Access-lists denying telnet and other access from the CE to the PE
• Flood of routing updates
  • Routing protocol authentication
  • Access-lists to block routing protocols not used
  • VRF route limits, BGP route-dampening and prefix limits

DoS Diagram
[Diagram: Customer A and Customer B CE routers attach to a PE; a CE does have the PE address, but can't attack the P routers and can't attack other VPNs]

How Miercom Tested DoS Attacks on the PE
• Verified that access-lists denied intrusion attacks
• Flood of RIP and OSPF updates into a PE
  • Applied VRF route filtering
  • Applied BGP prefix limits
• Result: MPLS VPNs are resistant to DoS attacks

Miercom DoS Routing Test
[Diagram: the Blue VPN is the source of the attack (a flood of RIP/OSPF routing updates); the PE router under attack has VRF filters and BGP filters applied; the P router, the other PE router, the Red VPN and the rest of the Blue VPN are unaffected by the attack]
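The controls listed on the "How MPLS-VPNs Handle DoS Attacks" slide, assembled into one PE router configuration as an added example in Cisco IOS syntax. This is not configuration from the slides or from the Miercom report; the VRF name, AS numbers, interface names, addresses, keys and limits are assumed sample values, and the customer CE is assumed to peer with the PE over eBGP.

```cisco
! Added example (not from the slides or the Miercom report).
! All names, addresses, AS numbers, keys and limits are assumed sample values.
!
! --- VRF route limit -------------------------------------------------------
! The Blue VRF warns at 80% of 500 routes and refuses routes beyond 500, so
! a flood of customer prefixes cannot exhaust PE memory or spill into the
! other VRFs on the same PE.
ip vrf Blue
 rd 65000:10
 route-target export 65000:10
 route-target import 65000:10
 maximum routes 500 80
!
! --- Access-list on the CE-facing link -------------------------------------
! Denies telnet, ssh and snmp to the PE's own interface address, denies the
! routing protocols this VRF does not use (OSPF, RIP), allows BGP only from
! the known CE address, and lets ordinary customer traffic through.
ip access-list extended CE-TO-PE
 remark deny management access from the CE to the PE
 deny   tcp any host 192.0.2.1 eq telnet
 deny   tcp any host 192.0.2.1 eq 22
 deny   udp any host 192.0.2.1 eq snmp
 remark block routing protocols not used on this link
 deny   ospf any any
 deny   udp any any eq rip
 remark BGP only from the expected CE peer
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
 deny   tcp any any eq bgp
 remark customer data traffic
 permit ip any any
!
interface GigabitEthernet0/1
 description Customer Blue CE
 ip vrf forwarding Blue
 ip address 192.0.2.1 255.255.255.252
 ip access-group CE-TO-PE in
!
! --- Routing protocol authentication, dampening and prefix limits ----------
! The PE-PE MP-BGP session and the PE-CE eBGP session both use MD5.
! maximum-prefix stops accepting CE routes above 100 (warning at 80%) and
! restarts the session after 5 minutes; dampening suppresses flapping
! prefixes so a flood of updates from one VPN does not churn the core.
router bgp 65000
 neighbor 10.255.0.2 remote-as 65000
 neighbor 10.255.0.2 update-source Loopback0
 neighbor 10.255.0.2 password EXAMPLE-CORE-KEY
 address-family vpnv4
  neighbor 10.255.0.2 activate
  neighbor 10.255.0.2 send-community extended
 exit-address-family
 address-family ipv4 vrf Blue
  bgp dampening
  neighbor 192.0.2.2 remote-as 65010
  neighbor 192.0.2.2 password EXAMPLE-CE-KEY
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 maximum-prefix 100 80 restart 5
 exit-address-family
```

To confirm the limits are doing their job during a test like Miercom's, `show ip bgp vpnv4 vrf Blue summary` reports the prefix count received from the CE against the configured maximum, `show ip route vrf Blue summary` shows how close the VRF is to its route ceiling, and `show ip access-lists CE-TO-PE` shows hit counts on the deny entries. The Red VRF on the same PE is configured the same way with its own RD, route-targets and limits, which is what keeps one customer's flood from affecting the other.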
Attack on MPLS Signaling (MPLS VPN)
• Packets are forwarded based on labels in the core
• LDP/TDP used to exchange labels
• Theoretically possible to spoof the label, like IP spoofing
• Can we insert packets with labels from the outside (from a CE router)?

MPLS Label Spoofing
• Line between CE and PE is an IP interface (an interface without labels)
• A PE router should never accept a packet with a label from a CE
• A PE router will drop labeled packets received on an interface where tag-switching is disabled
• LDP offers MD5 authentication

Miercom Testing MPLS Label Spoofing
• Verified the following
  • Labeled packets received on an interface where tag-switching is disabled are dropped
[Diagram: the CE sends labeled packets to the PE over a link on which tag-switching is disabled]
• Result: MPLS VPNs are resistant to attacks on the signaling method

Agenda
• Introduction
• VPN Security today
• MPLS VPN Security
• Summary

Summary
• Miercom performed a test that proved that MPLS based VPNs are equivalent to the security of Frame-Relay and ATM
• Address space and routing separation
  • Unique addressing utilizing VPN-IPv4 addresses
  • Routing separation by the use of VRFs

Summary
• The service provider's core structure is not revealed
  • The only information shared is already part of the VRF
• The network is resistant to attacks
  • Mechanisms in place to limit the impact of DoS attacks
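The two interface roles described on the "MPLS Label Spoofing" slides, shown as an added example in Cisco IOS syntax. This is not configuration from the slides or from the Miercom report; interface names, addresses and the LDP key are assumed sample values.

```cisco
! Added example (not from the slides or the Miercom report).
! Interface names, addresses and the key are assumed sample values.
!
! CE-facing interface: a plain IP interface with label switching left off.
! Because MPLS is not enabled here, a labeled packet arriving from the CE
! is dropped rather than switched on its label, so the customer can only
! inject IP into its own VRF, never a label into the core.
interface GigabitEthernet0/1
 description Customer Blue CE (IP only, labels not accepted)
 ip vrf forwarding Blue
 ip address 192.0.2.1 255.255.255.252
 no mpls ip
!
! Core-facing interface: label switching enabled, LDP runs to the P router.
interface GigabitEthernet0/0
 description Uplink to P router
 ip address 10.1.1.1 255.255.255.252
 mpls ip
!
! LDP is the label distribution protocol; its TCP session to the P router
! is protected with MD5 so a third party cannot inject or alter label
! bindings. 10.255.0.2 is the assumed LDP router-id of the P router.
mpls label protocol ldp
mpls ldp router-id Loopback0 force
mpls ldp neighbor 10.255.0.2 password EXAMPLE-LDP-KEY
```

`show mpls interfaces` lists only the interfaces on which labels are accepted, so the CE-facing GigabitEthernet0/1 must not appear in it; `show mpls ldp neighbor` confirms the session to the P router is up and, with the password configured, that the peer authenticated with the same key.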