Understanding MPLS/VPN Security Issues
SEC-370
Agenda
• Analysis of MPLS/VPN Security
• Security Recommendations
• MPLS Security Architectures
    Internet Access
    Firewalling Options
• Attacking an MPLS Network
• IPsec and MPLS
• Summary
SEC-370 © 2003, Cisco Systems, Inc. All rights reserved. 4
The Principle: A “Virtual Router”
A VRF (Virtual Routing and Forwarding instance) is a “virtual router” on the PE. The route distinguisher makes the VPN routes unique, the route-target communities control what is exported from and imported into the VRF, and customer interfaces are assigned to the VRF:

!
ip vrf Customer_A
 ! Route Distinguisher: makes VPN routes unique
 rd 100:110
 ! Export this VRF with community 100:1000
 route-target export 100:1000
 ! Import routes from other VRFs with community 100:1000
 route-target import 100:1000
!
interface Serial0/1
 ! Assign interface to the “virtual router”
 ip vrf forwarding Customer_A
!
General VPN Security Requirements
[Figure residue: 64 bits + 32 bits (the route distinguisher plus the IPv4 address of a VPN-IPv4 route); CE2 attached to PE interface fa1, address IP(PE; fa1), in VRF CE2]

Requirement                               ATM/FR    MPLS
Address space separation                  yes       yes
Routing separation                        yes       yes
Resistance to attacks                     yes       yes
Resistance to label spoofing              yes       yes
Direct CE-CE authentication (layer 3)     yes       with IPsec
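The two mechanisms behind the first two rows of the table, address space separation and routing separation, are the route distinguisher and the route-target communities from the Customer_A configuration above. The following Python model is an added example, not code from this presentation or from Cisco: it builds the provider's VPN-IPv4 table from two constructed VRFs that both use 10.1.0.0/16, imports routes per VRF by route-target, and then shows what a single misconfigured `route-target import` line under Customer_A does. All VRF names, RDs, route-targets and prefixes are constructed.

```python
"""Added example (not from the presentation): a toy model of how the VRF
configuration above keeps customers apart. The route distinguisher (RD)
makes overlapping prefixes unique in the provider's VPN-IPv4 table, and
the route-target (RT) communities decide which VRF imports which routes.
VRF names, RDs, RTs and prefixes are constructed; nothing touches a router."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Vrf:
    """One 'ip vrf' stanza: a virtual router on the PE."""
    name: str
    rd: str                    # rd 100:110
    rt_export: Set[str]        # route-target export ...
    rt_import: Set[str]        # route-target import ...
    local_prefixes: Set[str]   # prefixes learned from this VRF's CE


@dataclass(frozen=True)
class VpnRoute:
    """A VPN-IPv4 route as carried by MP-BGP between PEs."""
    rd: str
    prefix: str
    origin_vrf: str
    route_targets: frozenset


def build_vpnv4_table(vrfs: List[Vrf]) -> Dict[Tuple[str, str], VpnRoute]:
    """Each VRF exports its prefixes prepended with its own RD and tagged with
    its export RTs. The (RD, prefix) pair is the key, so two customers can
    both announce 10.1.0.0/16 without colliding in the provider's table."""
    table: Dict[Tuple[str, str], VpnRoute] = {}
    for vrf in vrfs:
        for prefix in sorted(vrf.local_prefixes):
            table[(vrf.rd, prefix)] = VpnRoute(vrf.rd, prefix, vrf.name,
                                               frozenset(vrf.rt_export))
    return table


def import_into_vrf(vrf: Vrf, vpnv4: Dict[Tuple[str, str], VpnRoute]) -> Dict[str, List[str]]:
    """The VRF's own routing table: prefix -> origin VRFs. A route is imported
    when it carries at least one RT that this VRF imports; the RD plays no role
    in the decision, it only kept the routes distinct on the way here."""
    imported: Dict[str, List[str]] = {}
    for route in vpnv4.values():
        if route.route_targets & vrf.rt_import:
            imported.setdefault(route.prefix, []).append(route.origin_vrf)
    return imported


def foreign_origins(vrf: Vrf, vpnv4) -> Set[str]:
    """Other VRFs whose routes landed in this one: an intended extranet, or a leak."""
    found: Set[str] = set()
    for origins in import_into_vrf(vrf, vpnv4).values():
        found.update(o for o in origins if o != vrf.name)
    return found


def address_conflicts(vrf: Vrf, vpnv4) -> Dict[str, List[str]]:
    """Prefixes now present from more than one VRF: overlapping address space
    that the RD kept apart in BGP collides once both are imported."""
    return {p: o for p, o in import_into_vrf(vrf, vpnv4).items() if len(o) > 1}


def baseline() -> List[Vrf]:
    """Two customers, both using 10.1.0.0/16, each importing only its own RT."""
    return [
        Vrf("Customer_A", "100:110", {"100:1000"}, {"100:1000"},
            {"10.1.0.0/16", "192.168.1.0/24"}),
        Vrf("Customer_B", "100:120", {"100:2000"}, {"100:2000"},
            {"10.1.0.0/16", "172.16.0.0/12"}),
    ]


def misconfigured() -> List[Vrf]:
    """Constructed core misconfiguration: an operator adds
    'route-target import 100:2000' under Customer_A."""
    vrfs = baseline()
    vrfs[0].rt_import.add("100:2000")
    return vrfs


if __name__ == "__main__":
    for label, vrfs in (("baseline", baseline()), ("misconfigured", misconfigured())):
        table = build_vpnv4_table(vrfs)
        print(f"== {label}: {len(table)} VPN-IPv4 routes in MP-BGP")
        for vrf in vrfs:
            print(f"  {vrf.name}: routes={import_into_vrf(vrf, table)}"
                  f" foreign={sorted(foreign_origins(vrf, table))}"
                  f" conflicts={address_conflicts(vrf, table)}")
```

Two things the model makes visible that the configuration alone does not: the leak caused by the extra import line is one-directional (Customer_B still imports only its own RT, so it sees nothing of Customer_A), and because both customers use 10.1.0.0/16, Customer_A's VRF now holds two candidates for the same prefix. Both follow from the RT being the only thing that gates import; the RD never protects against a wrong import statement, which is exactly the kind of core misconfiguration MPLS itself gives no protection against.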
Security Recommendations for ISPs
[Figure: VPN sites with CEs attached to PEs across the MPLS core]
• CE-PE BGP peering with MD5 authentication
• ACLs and secure routing on the PE towards the CEs
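"BGP peering with MD5 authentication" on the CE-PE link means TCP MD5 signatures (RFC 2385): every segment of the BGP session carries a TCP option with an MD5 digest over the pseudo-header, the fixed TCP header, the payload and a shared secret, so a segment from a spoofed source or with a modified payload is discarded before BGP ever sees it. The following is an added example, not code from this presentation or a real TCP stack: it signs a BGP KEEPALIVE segment and verifies it as the receiver would. The addresses, ports, sequence numbers and the key are constructed, and the TCP checksum is left at zero because the signature is defined over a zeroed checksum anyway.

```python
"""Added example (not from the presentation): RFC 2385 TCP MD5 signature,
the mechanism behind 'BGP peering with MD5 authentication' on the CE-PE link.
All addresses, ports, sequence numbers, payloads and the key are constructed."""
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
MD5_OPTION_KIND = 19   # TCP option kind for the MD5 signature (RFC 2385)
MD5_OPTION_LEN = 18    # kind + length + 16-byte digest

# A real BGP KEEPALIVE: 16-byte marker of 0xff, length 19, type 4.
BGP_KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"


def _fixed_header(sport, dport, seq, ack, data_offset_words, flags, window, checksum=0):
    """The 20-byte TCP header without options."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset_words << 4, flags, window, checksum, 0)


def rfc2385_digest(src_ip, dst_ip, fixed_header, options_len, payload, key):
    """MD5 over: pseudo-header, fixed TCP header with checksum zeroed,
    segment data, then the shared key (the order RFC 2385 prescribes)."""
    seg_len = len(fixed_header) + options_len + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    header_zero_csum = fixed_header[:16] + b"\x00\x00" + fixed_header[18:]
    return hashlib.md5(pseudo + header_zero_csum + payload + key).digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload, key):
    """Sender: fixed header, MD5 option padded with two NOPs to a 4-byte
    boundary, then the payload. The TCP checksum stays 0 in this model; a
    real stack fills it in after signing, and the signature ignores it."""
    options_len = MD5_OPTION_LEN + 2              # 18 + 2 NOP bytes = 20
    data_offset = (20 + options_len) // 4         # header length in 32-bit words
    fixed = _fixed_header(sport, dport, seq, ack, data_offset, flags, window)
    digest = rfc2385_digest(src_ip, dst_ip, fixed, options_len, payload, key)
    options = bytes([MD5_OPTION_KIND, MD5_OPTION_LEN]) + digest + b"\x01\x01"
    return fixed + options + payload


def _find_md5_option(options):
    """Walk the TCP option list and return the 16-byte digest, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                 # End of option list
            break
        if kind == 1:                 # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            return None               # truncated option
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None               # malformed length
        if kind == MD5_OPTION_KIND and length == MD5_OPTION_LEN:
            return options[i + 2:i + length]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver: recompute the digest and compare in constant time. A segment
    without the option on a session that requires it is dropped as well."""
    if len(segment) < 20:
        return False
    fixed = segment[:20]
    data_offset = (fixed[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        return False
    options, payload = segment[20:data_offset], segment[data_offset:]
    received = _find_md5_option(options)
    if received is None:
        return False
    expected = rfc2385_digest(src_ip, dst_ip, fixed, len(options), payload, key)
    return hmac.compare_digest(received, expected)


def demo():
    """Constructed CE-PE session: PE 192.0.2.1:179 sends a KEEPALIVE to CE 192.0.2.2."""
    key = b"constructed-shared-secret"
    seg = build_segment("192.0.2.1", "192.0.2.2", 179, 40001,
                        seq=1000, ack=2000, flags=0x18, window=16384,
                        payload=BGP_KEEPALIVE, key=key)
    tampered = seg[:-1] + bytes([seg[-1] ^ 0x01])     # flip one payload bit
    return {
        "genuine": verify_segment("192.0.2.1", "192.0.2.2", seg, key),
        "wrong_key": verify_segment("192.0.2.1", "192.0.2.2", seg, b"guess"),
        "tampered": verify_segment("192.0.2.1", "192.0.2.2", tampered, key),
        # same bytes replayed from another source address: pseudo-header differs
        "spoofed_source": verify_segment("192.0.2.9", "192.0.2.2", seg, key),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:15s} accepted={accepted}")
```

The digest covers the source and destination addresses through the pseudo-header, which is why the last case fails: an attacker on the shared access line who can inject segments towards the PE still needs the secret, not just the CE's address. The MD5 option also leaves no room for a fallback; a receiver configured for a key must drop unsigned segments, which the verifier does when the option is absent.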
MPLS Internet Architectures: Principles
Separate access lines, separate CEs and separate PEs
[Figure: customer LAN behind a firewall/NAT and IDS; CE1 attached to PE1 (VRF Internet, towards the Internet), CE2 attached to PE2 (VRF VPN, towards the VPN); P router in the MPLS core]
• Separation: +++
• DoS resistance: +++
• Cost: $$$ (two lines and two PEs: expensive!)
Separate Access Lines + CEs, One PE
[Figure: customer LAN behind a firewall/NAT; CE1 (towards the Internet) and the VPN CE both attached to the same PE1; P router in the MPLS core]
• Separation: +++
• DoS resistance: ++ (DoS might impact the VPN on the PE)
• Cost: $$ (two lines, but only one PE)
Using a Single Access Line
[Figure: customer LAN behind a firewall/NAT; Internet CE attached to PE1 over a single access line split into Frame Relay logical links; P router in the MPLS core]
• Separation: +++
• DoS resistance: + (DoS might affect the VPN on the PE, the line and the CE)
• Cost: $
Shared Access Line, Policy Routing
[Figure: customer LAN behind a firewall/NAT; a single CE attached to PE1 over a shared access line with Frame Relay logical links, policy routing on the CE steering Internet and VPN traffic onto the respective link; P router in the MPLS core]
• Separation: +++
• DoS resistance: + (DoS might affect the VPN on the PE, the line and the CE)
• Cost: $
Shared Access Line, CE with VRFs
[Figure: customer LAN behind a firewall/NAT; a single CE running VRFs attached to PE1 over a shared access line with Frame Relay logical links; P router in the MPLS core]
• Separation: +++
• DoS resistance: + (DoS might affect the VPN on the PE, the line and the CE)
• Cost: $
Hub-and-Spoke VPN with Internet Access
[Figure: hub site with firewall, NAT and IDS; an Internet CE attached to PE1 (VRF Internet) and a VPN CE attached to PE2 (VRF VPN); the spoke CEs reach the Internet through the hub site]

Firewalling Options
Option 1: NAT and firewalling at the customer's central site
  + Central management
  + Strong firewalls
  + Customer can choose the firewall
  + Different policies per customer possible
Option 2: one central firewall in the SP domain, NAT on each CE
  + Central management
  + One strong firewall (e.g. PIX 535)
  + Easy to deploy
  - Customer cannot pick his firewall
  - CEs need configuration
Option 3: NAT and firewall on each CE
  + Economic
  + One firewall per customer
  + No central devices
  - Management more difficult
  - CEs need configuration
Ways to Attack
[Figure: attack points: the PE's CE-facing interface address IP(PE; fa1) and VRF CE2, reachable from CE2, and the VRF Internet]
• Attack points are the PE's address space and VRFs facing the CEs and the Internet: these have to be secured
Use IPsec if you need:
• Encryption of traffic
• Direct authentication of CEs
• Integrity of traffic
• Replay detection
Deployment models over MPLS/VPN:
• CE to CE (static crypto map)
• Hub and spoke (dynamic crypto map)
• Full mesh with TED (Tunnel Endpoint Discovery): MPLS/VPN and TED are an ideal combination!
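Two of the four properties in the list above, integrity and replay detection, are what an inbound ESP security association enforces on every packet, and the order of the checks matters. The following Python model is an added example, not code from this presentation or from any IPsec implementation: an ESP-like packet (SPI, sequence number, payload, ICV) is checked against an RFC 4303 style sliding anti-replay window, with the window advanced only after the integrity check passes. The SPI, key, payloads and window size are constructed, and a truncated HMAC-SHA256 stands in for the real ESP integrity algorithm.

```python
"""Added example (not from the presentation): what 'integrity' and 'replay
detection' buy you on an IPsec-protected CE-CE path. An ESP-like packet
(SPI | sequence number | payload | ICV) is checked with an RFC 4303 style
sliding window. Keys, SPIs and payloads are constructed; the ICV is a
truncated HMAC-SHA256 standing in for the real ESP integrity algorithm."""
import hashlib
import hmac
import struct

ICV_LEN = 16          # truncated HMAC length, a constructed choice
WINDOW_SIZE = 64      # RFC 4303 minimum anti-replay window is 32; 64 is common


def build_packet(spi, seq, payload, auth_key):
    """Sender: ESP-like packet whose ICV covers SPI, sequence number and payload."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


class AntiReplayWindow:
    """Sliding window: `top` is the highest sequence number accepted, bit d of
    `bitmap` records whether sequence number top - d was already received."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def precheck(self, seq):
        """Verdict before the ICV is checked: 'ok', 'replay' or 'too-old'."""
        if seq == 0:
            return "replay"            # ESP sequence numbers start at 1
        if seq > self.top:
            return "ok"                # ahead of the window: new packet
        diff = self.top - seq
        if diff >= self.size:
            return "too-old"           # left the window: cannot tell if replayed
        if self.bitmap & (1 << diff):
            return "replay"            # already seen
        return "ok"

    def mark(self, seq):
        """Record `seq`; call only after the ICV verified, so a forged packet
        with a huge sequence number cannot push the window forward."""
        if seq > self.top:
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


class InboundSa:
    """Receiver side of one security association."""

    def __init__(self, spi, auth_key, window_size=WINDOW_SIZE):
        self.spi = spi
        self.auth_key = auth_key
        self.window = AntiReplayWindow(window_size)

    def receive(self, packet):
        if len(packet) < 8 + ICV_LEN:
            return "malformed"
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return "wrong-spi"
        verdict = self.window.precheck(seq)   # 1. cheap replay check first
        if verdict != "ok":
            return verdict
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return "bad-icv"                  # 2. integrity failure: drop, window untouched
        self.window.mark(seq)                 # 3. only now advance the window
        return "ok"


def demo():
    """Constructed traffic on SPI 0x1001: reordering, a replay, and a forgery."""
    key = b"constructed-integrity-key"
    sa = InboundSa(spi=0x1001, auth_key=key)
    pkt = {s: build_packet(0x1001, s, b"ce-data-%d" % s, key) for s in range(1, 6)}
    return [
        ("seq 1", sa.receive(pkt[1])),
        ("seq 3 (2 still in flight)", sa.receive(pkt[3])),
        ("seq 2 arrives late", sa.receive(pkt[2])),
        ("seq 3 replayed by attacker", sa.receive(pkt[3])),
        ("forged seq 5000, wrong key", sa.receive(build_packet(0x1001, 5000, b"x", b"attacker"))),
        ("seq 4 after the forgery", sa.receive(pkt[4])),
    ]


if __name__ == "__main__":
    for what, verdict in demo():
        print(f"{what:30s} -> {verdict}")
```

The last two events are the point: a forged packet with sequence number 5000 fails the ICV and must not move the window, otherwise anyone on the shared core who can inject packets (the "attacks from within the core" MPLS does not protect against) could make the receiver discard all genuine traffic as too old. Because the window only advances after a successful integrity check, the genuine packet 4 is still accepted afterwards.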
MPLS doesn’t provide:
• Protection against misconfigurations in the core
• Protection against attacks from within the core
• Confidentiality, authentication, integrity, anti-replay: use IPsec if required
• Customer network security