1. Trang chủ
  2. » Công Nghệ Thông Tin

MPLS cisco QOS VPN full mpls security

41 40 0

Đang tải... (xem toàn văn)

Tài liệu hạn chế xem trước, để xem đầy đủ mời bạn chọn Tải xuống

THÔNG TIN TÀI LIỆU

Thông tin cơ bản

Định dạng
Số trang 41
Dung lượng 620 KB

Nội dung

MPLS VPN Security Equivalent to the Security of Frame Relay and ATM Course Number Presentation_ID © 2000, Cisco Systems, Inc Agenda • Introduction • VPN Security today • MPLS VPN Security Summary Presentation_ID â 2001 Cisco Systems, Inc MPLS VPN CE Router Customer A CE Router Customer B PE Router PE Router MPLS-Core CE Router Customer B CE Router Customer A Presentation_ID © 2001 Cisco Systems, Inc Meircom MPLS-VPN Security Test • Meircom performed testing that proved that MPLS-VPNs have met or exceeded all of the security characteristics of a comparable layer two based VPN such as Frame-Relay or ATM Presentation_ID © 2001 Cisco Systems, Inc Meircom MPLS-VPN Test • Why did Cisco have Meircom the test? • Wanted an independent third party to perform the test • Test was driven by customer requests to show MPLS-VPNs are secure http://www.mier.com/reports/cisco/MPLS-VPNs.pdf Presentation_ID â 2001 Cisco Systems, Inc Agenda • VPN Overview • VPN Security today MPLS VPN Security Summary Presentation_ID â 2001 Cisco Systems, Inc Requirements of a Secure Network • Address and routing separation must exist • The service provider core network should be hidden to the outside world • The network must be resistant to attacks Presentation_ID © 2001 Cisco Systems, Inc Address and Routing Separation • Address and routing separation • Between two non-intersecting VPNs the address spaces are entirely independent • Each end site in a VPN has a unique address for that VPN, and the routing spaces are entirely independent Presentation_ID © 2001 Cisco Systems, Inc Hiding the Core Network • Hide the internal structure of the backbone: •There should be little or no visibility into the core from outside networks •The only information the customer should know is the minimum to allow service (DLCI, VPI/VCI) Presentation_ID © 2001 Cisco Systems, Inc Resistance to Attacks • Resistance to Attacks implies •Resistance to Denial of Service (DoS) •Resistance to intrusions and inability to gain unauthorized access Presentation_ID © 2001 Cisco Systems, Inc 10 Resistance to Attacks MPLS VPNs • There is now an address to attack the provider network •The IP address of the WAN link •IP address of dynamic routing protocol peer • Main goal is to ensure that an attack from one VPN has no effect on other VPNs •Off of the same PE Or across the network Presentation_ID â 2001 Cisco Systems, Inc 27 Resistance to Attacks MPLS VPN • Two potential ways to attack MPLS-VPNs •Attack the PE router •Attack the signaling mechanisms of MPLS • Traffic Isolation prevents an attack across VPN boundaries Presentation_ID © 2001 Cisco Systems, Inc 28 DoS Attacks MPLS VPN • Have to secure the PE against DoS attacks • Intrusion attacks on the PE • Flood of routing updates • Same attacks as an ISP Internet router is vulnerable to The same prevention techniques should be used Presentation_ID © 2001 Cisco Systems, Inc 29 How MPLS-VPNs Handle DoS Attacks • Intrusion attacks on the PE •Access-lists denying telnet and other access from the CE to the PE • Flood of routing updates •Routing protocol authentication •Access-lists to block routing protocols not used •VRF route limits BGP route-dampening and prefix limits Presentation_ID â 2001 Cisco Systems, Inc 30 DoS Diagram Customer B CE Customer A CE CE Can’t attack P CE Does have PE Address PE Customer A CE Presentation_ID © 2001 Cisco Systems, Inc CE Can’t attack Other VPNs P PE Customer B CE 31 How Meircom Tested DoS attacks on the PE • Verified that Access-lists denied intrusion attacks • Flood of RIP and OSPF updates into a PE •Applied VRF route filtering •Applied BGP Prefix limits • Result: MPLS VPNs are resistant to DoS attacks Presentation_ID © 2001 Cisco Systems, Inc 32 Meircom DoS Routing Test Red VPN Unaffected by attack Red VPN Unaffected by attack PE router Under attack W/VRF filters PE router Unaffected by attack BGP Filters applied P router Unaffected by attack Blue VPN Source of the attack Presentation_ID © 2001 Cisco Systems, Inc Attack with Routing updates RIP/OSPF Blue VPN Unaffected by attack 33 Attack on MPLS Signaling MPLS VPN • Packets are forwarded based on labels in the core • LDP/TDP used to exchange labels • Theoretically possible to spoof the label, like IP spoofing • Can we insert packets with labels from the outside (from a CE router)? Presentation_ID © 2001 Cisco Systems, Inc 34 MPLS Label Spoofing • Line between CE and PE is an IP interface (an interface w/o labels) • A PE router should never accept a packet with a label from a CE • A PE router will drop labeled packets received on a interface where tag-switching is disabled • LDP offers md-5 authentication Presentation_ID © 2001 Cisco Systems, Inc 35 Meircom Testing MPLS Label Spoofing • Verified the following •Labeled packets received on an interface where tag-switching is disabled are dropped Tag-switching disabled CE PE Labeled Packets • Result: MPLS VPNs are resistant to attacks on the signaling method Presentation_ID © 2001 Cisco Systems, Inc 36 Agenda • Introduction • VPN Security today MPLS VPN Security Summary Presentation_ID â 2001 Cisco Systems, Inc 37 Summary • Miercom performed a test that proved that MPLS based VPNs are equivalent to the security of Frame-Relay and ATM • Address space and routing separation •Unique addressing utilizing VPN-IPv4 addresses •Routing separation by the use of VRFs Presentation_ID © 2001 Cisco Systems, Inc 38 Summary • Service Providers core structure is not revealing •Only information shared is already part of the VRF • The network is resistant to attacks •Mechanisms in place to limit the impact of DoS attacks Presentation_ID © 2001 Cisco Systems, Inc 39 Meircom MPLS-VPN Security Test • Meircom performed testing that proved that MPLS-VPNs have met or exceeded all of the security characteristics of a comparable layer two based VPN such as Frame-Relay or ATM Presentation_ID © 2001 Cisco Systems, Inc 40 Presentation_ID © 2000, Cisco Systems, Inc 41 ... requests to show MPLS- VPNs are secure http://www.mier.com/reports /cisco /MPLS- VPNs.pdf Presentation_ID â 2001 Cisco Systems, Inc Agenda • VPN Overview • VPN Security today • MPLS VPN Security • Summary... Presentation_ID â 2001 Cisco Systems, Inc 17 Agenda Introduction • VPN Security today • MPLS VPN Security • Summary Presentation_ID © 2001 Cisco Systems, Inc 18 MPLS VPN Security • Questions need... Introduction • VPN Security today • MPLS VPN Security Summary Presentation_ID â 2001 Cisco Systems, Inc MPLS VPN CE Router Customer A CE Router Customer B PE Router PE Router MPLS- Core CE Router

Ngày đăng: 23/10/2019, 15:06

TÀI LIỆU CÙNG NGƯỜI DÙNG

  • Đang cập nhật ...

TÀI LIỆU LIÊN QUAN