
MPLS/VPN Security Threats and Defensive Techniques (provider provision)

Jan 18, 2016

PowerPoint presentation, 30 slides. Speaker: JET, 3,1’2004.
Transcript
Page 1: MPLS/VPN Security Threats and Defensive Techniques (provider provision)

MPLS/VPN Security Threats and Defensive Techniques (provider provision)

Speaker: JET

3,1’2004

Page 2

Introduction

Source material: BTexact Technologies

Page 3

What are the threats?

Observation, modification, or deletion of PPVPN (provider-provisioned VPN) user data
Replay of MPLS/VPN user data
Injection of non-authentic data into an MPLS/VPN
Traffic pattern analysis on MPLS/VPN traffic
Disruption of MPLS/VPN connectivity
Degradation of MPLS/VPN service quality

Page 4

Threat sources

The MPLS/VPN service provider, or persons working for it
Other persons who obtain physical access to a service provider site
Persons within the organization that is the MPLS/VPN user, with respect to a particular MPLS/VPN
Persons within an organization that is a separate MPLS/VPN user of the same service provider
Others, i.e. attackers from the Internet at large

Page 5

Security Threats - Data Plane

Threats to MPLS/VPN user traffic:
Spoofing and replay
Unauthorized observation/modification/deletion
DoS
Traffic pattern analysis
Impersonation

Page 6

Insertion of Non-Authentic Data Traffic: Spoofing and Replay

Spoofing: insertion into the VPN of packets that do not belong there
Replay: copies of once-legitimate packets that have been recorded and replayed

Page 7

Denial of Service Attacks on the MPLS/VPN

Monopolize network resources and thus prevent other PPVPNs from accessing those resources
Insert an overwhelming quantity of non-authentic data
Overwhelm the service provider's general (MPLS/VPN-independent) infrastructure with traffic
Interfere with its operation

Page 8

Unauthorized Observation/Modification/Deletion of Data Traffic

"Sniffing" VPN packets and examining their contents
Modifying the contents of packets in flight
Causing packets in flight to be discarded
Would typically occur on links or in a compromised node

Page 9

Traffic Pattern Analysis

"Sniffing" VPN packets and examining aspects or meta-aspects of them
Even when the packets are encrypted, an attacker can gain useful information from the amount and timing of traffic, packet sizes, source and destination addresses, etc.
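The following is an added example, not code from the presentation, that makes the slide's point concrete: an observer on a backbone link who cannot read encrypted payloads still sees sizes and timing, and those alone separate a voice-like flow from a bulk transfer and an interactive session. It also shows one countermeasure, padding every packet to a fixed size and sending at a constant rate with dummy packets in idle slots. The three flows, the thresholds in classify() and the shaping parameters are constructed for illustration.

```python
"""Added example: what traffic pattern analysis sees on an encrypted VPN flow, and one defence."""
from statistics import mean, pstdev

# Constructed flows as (timestamp_ms, size_bytes), i.e. what a passive observer records.
VOICE = [(20 * i, 214) for i in range(50)]                               # 20 ms codec frames, constant size
BULK = [(60 * burst + k, 1400) for burst in range(12) for k in range(4)]  # MTU-sized bursts every 60 ms
INTERACTIVE = [(0, 80), (310, 128), (322, 96), (905, 144), (1702, 88), (1740, 112), (2600, 160)]


def features(packets):
    """Metadata available to an observer even when every payload is encrypted."""
    sizes = [s for _, s in packets]
    gaps = [b - a for (a, _), (b, _) in zip(packets, packets[1:])]
    return {
        "packets": len(sizes),
        "mean_size": mean(sizes),
        "size_sd": pstdev(sizes),
        "mean_gap_ms": mean(gaps),
        "gap_sd_ms": pstdev(gaps),
    }


def classify(f):
    """Illustrative rule set (constructed thresholds): constant small packets at a steady
    cadence look like voice; large packets look like a bulk transfer; the rest interactive."""
    if f["size_sd"] < 1 and f["gap_sd_ms"] < 1 and f["mean_size"] < 300:
        return "voice-like"
    if f["mean_size"] >= 1000:
        return "bulk-transfer"
    return "interactive"


def pad_and_shape(packets, size=1400, interval_ms=10):
    """Defence: emit one fixed-size packet every interval_ms.  A real packet waits for the
    next slot; a slot with nothing queued carries a dummy packet.  Returns the wire view."""
    queue = sorted(packets)
    out, t, i = [], queue[0][0], 0
    while i < len(queue):
        if queue[i][0] <= t:
            i += 1                     # a real packet occupies this slot
        out.append((t, size))          # real or dummy, the observer sees the same thing
        t += interval_ms
    return out


def compare():
    """Classification before and after shaping, for all three constructed flows."""
    before = {name: classify(features(flow)) for name, flow in
              (("voice", VOICE), ("bulk", BULK), ("interactive", INTERACTIVE))}
    after = {name: classify(features(pad_and_shape(flow))) for name, flow in
             (("voice", VOICE), ("bulk", BULK), ("interactive", INTERACTIVE))}
    return before, after
```

After shaping, all three flows present identical size and timing statistics, so the classifier returns the same label for each; the cost is the bandwidth spent on padding and dummy packets, which is the trade-off the later slide on cryptographic drawbacks lists as increased traffic load.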

Page 10

Impersonation

The attacker disguises itself to appear as a legitimate entity

Page 11

Security Threats - Control Plane

Attacks on the SP's equipment
Cross-connection of traffic between MPLS/VPNs
DoS
Attacks on routing protocols
Attacks on route separation
Attacks on address space separation

Page 12

Denial of Service Attacks on the Network Infrastructure

Against the mechanisms the service provider uses to provide MPLS/VPNs: MPLS, LDP/BGP, IPsec, etc.
Against the general infrastructure of the service provider: core routers
Effect: deny the otherwise-legitimate activities of another MPLS/VPN user

Page 13

Attacks on the Service Provider Equipment via Management Interfaces

Reconfigure the equipment; extract information (statistics, topology, etc.)
By malicious entry into the systems
Or inadvertently, as a consequence of inadequate inter-VPN isolation in an MPLS/VPN user self-management interface

Page 14

Cross-connection of Traffic Between MPLS/VPNs

The event where the expected isolation between separate PPVPNs is breached. This includes cases such as:
A site being connected into the "wrong" VPN
Two or more VPNs being improperly merged together
A point-to-point VPN connecting the wrong two points
Any packet or frame being improperly delivered outside the VPN it is sent in
Most likely to be the result of service provider or equipment vendor error

Page 15

Attacks Against MPLS/VPN Routing Protocols

Routing protocols that are run by the service provider: LDP / BGP
In layer 3 VPNs with dynamic routing this would typically relate to the distribution of per-VPN routes as well as backbone routes
In layer 2 VPNs this would typically relate only to the distribution of backbone routes

Page 16

Attacks on Route Separation

Route separation: keeping the per-VPN topology and reachability information for each PPVPN separate from, and unavailable to, any other PPVPN
A breach may reveal topology or addressing information about an MPLS/VPN, cause black-hole routing, or cause unintended cross-connection between MPLS/VPNs

Page 17

Attacks on Address Space Separation

In layer 3 VPNs, the IP address spaces of different VPNs need to be kept separate (customers commonly use overlapping private address ranges)
In layer 2 VPNs, the MAC address and VLAN spaces of different VPNs need to be kept separate
A breach results in cross-connection between VPNs
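To show what route separation and address-space separation rest on in a BGP/MPLS layer 3 VPN, and how the cross-connection described three slides earlier actually happens, here is an added example (not code from the presentation or from any router vendor). It models the two mechanisms a PE relies on: the route distinguisher (RD) that keeps two customers' overlapping 10.1.0.0/16 distinct in the VPNv4 table, and the import/export route targets (RTs) that decide which VRF learns which route. A single mistyped import RT on one VRF is enough to merge two VPNs and to leave that VRF with two candidate routes for the same prefix. Customer names, the ASN 65000, all RDs, RTs and prefixes are constructed.

```python
"""Added example: route and address-space separation in a BGP/MPLS layer 3 VPN."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VPNv4Route:
    rd: str                 # "ASN:n"; prefixed to the route so 10.1.0.0/16 can exist twice
    prefix: str
    next_hop: str           # loopback of the PE that originated the route
    export_rts: frozenset   # extended communities attached on export
    customer: str           # bookkeeping for the demo only; not carried in BGP


@dataclass(frozen=True)
class VRF:
    name: str
    customer: str
    pe: str
    rd: str
    import_rts: frozenset
    export_rts: frozenset
    local_prefixes: tuple   # prefixes learned from this VRF's CE


def build_vpnv4_table(vrfs):
    """What a route reflector carries: every VRF's exports, unique by (RD, prefix)."""
    return [VPNv4Route(v.rd, p, v.pe, v.export_rts, v.customer)
            for v in vrfs for p in v.local_prefixes]


def import_routes(vrf, table):
    """RT-based import: a route is accepted only if it carries one of the VRF's import RTs.
    Returns prefix -> list of candidate routes; more than one means an address collision."""
    accepted = {}
    for r in table:
        if r.rd == vrf.rd:            # the VRF's own exports
            continue
        if r.export_rts & vrf.import_rts:
            accepted.setdefault(r.prefix, []).append(r)
    return accepted


def simulate(vrfs):
    table = build_vpnv4_table(vrfs)
    return {v.name: import_routes(v, table) for v in vrfs}


def find_leaks(vrfs):
    """Cross-connection check: any route in a VRF that a different customer originated."""
    table = build_vpnv4_table(vrfs)
    return [(v.name, prefix, r.customer)
            for v in vrfs
            for prefix, routes in import_routes(v, table).items()
            for r in routes if r.customer != v.customer]


RT_A, RT_B = frozenset({"65000:1"}), frozenset({"65000:2"})
# Constructed: both customers number their first site 10.1.0.0/16.
A1 = VRF("A-site1", "A", "PE1", "65000:11", RT_A, RT_A, ("10.1.0.0/16",))
A2 = VRF("A-site2", "A", "PE2", "65000:12", RT_A, RT_A, ("10.2.0.0/16",))
B1 = VRF("B-site1", "B", "PE1", "65000:21", RT_B, RT_B, ("10.1.0.0/16",))
B2 = VRF("B-site2", "B", "PE2", "65000:22", RT_B, RT_B, ("192.168.0.0/24",))
CORRECT = (A1, A2, B1, B2)

# Operator typo on PE2: customer B's VRF imports A's route target as well as its own.
B2_BAD = VRF("B-site2", "B", "PE2", "65000:22", RT_A | RT_B, RT_B, ("192.168.0.0/24",))
MISCONFIGURED = (A1, A2, B1, B2_BAD)
```

With the correct configuration the VPNv4 table holds four distinct (RD, prefix) entries even though 10.1.0.0/16 appears twice, and find_leaks() returns nothing. With B2_BAD, B-site2 learns both of customer A's prefixes and ends up with two candidates for 10.1.0.0/16, which is exactly the "two VPNs improperly merged" and address-space collision the slides describe; a check like find_leaks(), run against the provider's intended customer-to-RT mapping, is the kind of quality-control step that catches this before traffic flows.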

Page 18

Defensive Techniques

Cryptographic techniques
Authentication
Access control techniques
Use of isolated infrastructure
Use of aggregated infrastructure
Service provider quality control processes
Deployment of testable MPLS/VPN service

Page 19

Defense Philosophy

Security threats can be addressed through the provider's specific service offerings
The MPLS/VPN user should assess the value these techniques add against the user's own VPN requirements
Nothing is ever 100% secure: concentrate on the threats most likely to occur and/or with the most dire consequences
Goal: make the cost of a successful attack greater than what the adversary will be willing to expend

Page 20

Cryptographic techniques

Privacy: traffic separation, encryption
Authentication
Integrity
Drawbacks:
Computational burden
Complexity of the device configuration
Incremental labor cost
Packet lengths are typically increased (more traffic load, fragmentation)
Other devices may be required

Page 21

IPsec in MPLS/VPNs

PE to PE: cannot be employed
PE to CE: protects the weaker links (e.g. access that passes over the Internet)
CE to CE: tunnel mode only
The user relies on the Service Level Agreement (SLA) rather than analyzing the specific encryption techniques

Page 22

Encryption for device configuration and management

Secure Shell (SSH) offers protection for TELNET [STD-8] or terminal-like connections used for device configuration
SNMPv3 [STD62] also provides encrypted and authenticated protection for SNMP-managed devices
Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL) [RFC-2246]

Page 23

Authentication

Helps prevent denial-of-service attacks and malicious misconfiguration
Cryptographic techniques: shared secret keys; one-time keys generated by accessory devices or software; user-ID and password pairs; public-private key systems
Does not protect against some types of denial-of-service attacks
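The spoofing and replay threats from the data-plane slides and the shared-secret authentication listed here are two sides of one mechanism, so a single added example (not code from the presentation; written for this page) covers both. It models what an IPsec-style scheme between two VPN endpoints provides: every message carries a sequence number and an HMAC over header and payload, and the receiver verifies the tag before enforcing a sliding anti-replay window, as IPsec ESP does. The shared key, the 32-packet window, the 16-byte truncated HMAC-SHA256 tag and the messages are constructed; real deployments take the key from key management and the window size from the implementation.

```python
"""Added example: authenticated, replay-protected messages between two VPN endpoints."""
import hashlib
import hmac
import struct

TAG_LEN = 16      # truncated HMAC-SHA256 tag (constructed choice, ESP-style truncation)
SEQ_LEN = 4


class AuthSender:
    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0                      # strictly increasing; never reused under one key

    def protect(self, payload: bytes) -> bytes:
        self.seq += 1
        header = struct.pack(">I", self.seq)
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        return header + payload + tag


class AuthReceiver:
    WINDOW = 32                           # packets older than this relative to the newest are dropped

    def __init__(self, key: bytes):
        self.key = key
        self.highest = 0                  # highest sequence number accepted so far
        self.bitmap = 0                   # bit k set means (highest - k) was already accepted

    def check(self, msg: bytes):
        """Return (payload, verdict); payload is None unless verdict is 'ok'."""
        if len(msg) < SEQ_LEN + TAG_LEN:
            return None, "malformed"
        header, payload, tag = msg[:SEQ_LEN], msg[SEQ_LEN:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        # Authenticate first: a spoofed or modified packet must not touch the window state.
        if not hmac.compare_digest(tag, expected):
            return None, "bad-tag"
        seq = struct.unpack(">I", header)[0]
        if seq > self.highest:            # new high-water mark: slide the window forward
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) & ((1 << self.WINDOW) - 1) if shift < self.WINDOW else 0
            self.bitmap |= 1
            self.highest = seq
            return payload, "ok"
        offset = self.highest - seq
        if offset >= self.WINDOW:
            return None, "too-old"
        if self.bitmap & (1 << offset):
            return None, "replay"         # a recorded copy of a once-legitimate packet
        self.bitmap |= 1 << offset        # out of order but not yet seen: accept once
        return payload, "ok"


def demo() -> dict:
    """Drive the scheme through the cases the threat list names; returns verdict per case."""
    key = b"constructed-shared-secret"    # constructed; real keys come from key management
    ce1, ce2 = AuthSender(key), AuthReceiver(key)
    verdicts = {}
    m1 = ce1.protect(b"route-update-1")
    verdicts["fresh"] = ce2.check(m1)[1]
    verdicts["replay"] = ce2.check(m1)[1]                  # attacker replays m1 verbatim
    m2, m3 = ce1.protect(b"update-2"), ce1.protect(b"update-3")
    verdicts["reordered-newer"] = ce2.check(m3)[1]         # m3 overtakes m2 in the network
    verdicts["reordered-older"] = ce2.check(m2)[1]         # m2 arrives late but was never seen
    verdicts["replay-late"] = ce2.check(m2)[1]
    forged = AuthSender(b"attacker-guess").protect(b"update-4")
    verdicts["spoofed"] = ce2.check(forged)[1]             # wrong key: tag fails
    m4 = bytearray(ce1.protect(b"update-4"))
    m4[SEQ_LEN] ^= 0x01                                    # one payload byte modified in flight
    verdicts["modified"] = ce2.check(bytes(m4))[1]
    stale = ce1.protect(b"update-5")                       # held back by the attacker ...
    for i in range(AuthReceiver.WINDOW + 8):
        ce2.check(ce1.protect(b"update-%d" % (6 + i)))
    verdicts["too-old"] = ce2.check(stale)[1]              # ... and delivered after the window moved on
    return verdicts
```

Two details matter for the DoS caveat on this slide: the tag is checked before any window state changes, so an attacker without the key cannot advance the window or poison the bitmap, but every forged packet still costs the receiver one HMAC computation, which is the residual denial-of-service exposure authentication alone does not remove.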

Page 24

Authentication issues

VPN member authentication
Management system authentication
Auto-discovery
Peer-to-peer authentication

Page 25

Access Control techniques

Applied packet-by-packet or packet-flow-by-packet-flow
Filtering
Firewalls

Page 26

Filtering

Common on routers
Filter characteristics: stateless (in most cases); stateful (commonly done in firewalls)
Actions based on filter results: discard; set CoS; count packets and/or bytes; rate limit (e.g. keyed on the MPLS EXP field); forward and copy
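As an added example of what a stateless filter on a PE's customer-facing interface does with the actions just listed (this is illustration written for this page, not code from the presentation or from any router): it discards MPLS-labelled packets arriving from the CE, since labels are assigned by the provider and a customer-supplied label stack is the most direct way to inject traffic into another VPN; discards spoofed sources outside the VPN's own address space; rate-limits and mirrors traffic addressed to the PE itself; clamps CoS marks above what the SLA sells; and counts everything. The VPN prefix 10.1.0.0/16, PE loopback 192.0.2.1, the 2 packets/s limit and the packets are constructed.

```python
"""Added example: a stateless ingress filter on a PE's customer-facing (PE-CE) interface."""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    ts: float = 0.0        # arrival time in seconds
    cos: int = 0           # class-of-service mark set by the sender
    labeled: bool = False  # True if an MPLS label stack arrived from the CE


class TokenBucket:
    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PeCeIngressFilter:
    def __init__(self, vpn_prefixes, pe_addresses, max_cos, cp_rate, cp_burst):
        self.vpn_prefixes = [ipaddress.ip_network(p) for p in vpn_prefixes]
        self.pe_addresses = {ipaddress.ip_address(a) for a in pe_addresses}
        self.max_cos = max_cos
        self.cp_bucket = TokenBucket(cp_rate, cp_burst)  # packets/s allowed toward the PE itself
        self.counters = Counter()                        # the "count packets" action
        self.mirror = []                                 # destination of "forward and copy"

    def _in_vpn(self, addr: str) -> bool:
        a = ipaddress.ip_address(addr)
        return any(a in net for net in self.vpn_prefixes)

    def process(self, pkt: Packet) -> str:
        # 1. Labels are assigned by the provider; never accept a label stack from a CE.
        if pkt.labeled:
            self.counters["discard:labeled-from-ce"] += 1
            return "discard"
        # 2. Anti-spoofing: the source must belong to this VPN's address space.
        if not self._in_vpn(pkt.src):
            self.counters["discard:spoofed-source"] += 1
            return "discard"
        # 3. Packets for the PE itself (routing, management) are rate-limited and mirrored.
        if ipaddress.ip_address(pkt.dst) in self.pe_addresses:
            if not self.cp_bucket.allow(pkt.ts):
                self.counters["discard:pe-rate-limit"] += 1
                return "discard"
            self.mirror.append(pkt)
            self.counters["forward+copy:to-pe"] += 1
            return "forward+copy"
        # 4. Set CoS: clamp marks above what the SLA sells so one VPN cannot starve others.
        if pkt.cos > self.max_cos:
            pkt.cos = self.max_cos
            self.counters["set-cos"] += 1
        self.counters["forward"] += 1
        return "forward"


def run_demo():
    """Constructed VPN: customer owns 10.1.0.0/16, PE loopback 192.0.2.1, 2 pkt/s to the PE."""
    f = PeCeIngressFilter(["10.1.0.0/16"], ["192.0.2.1"], max_cos=3, cp_rate=2.0, cp_burst=2)
    packets = [
        Packet("10.1.2.3", "10.2.0.5", "udp", ts=0.0),                 # normal intra-VPN traffic
        Packet("10.1.2.3", "10.2.0.5", "udp", ts=0.0, cos=7),          # customer claims premium class
        Packet("203.0.113.9", "10.2.0.5", "tcp", ts=0.0),              # spoofed source
        Packet("10.1.2.3", "10.2.0.5", "udp", ts=0.0, labeled=True),   # label injected from the CE
    ] + [Packet("10.1.2.3", "192.0.2.1", "tcp", ts=0.0) for _ in range(5)]  # burst at the PE
    packets.append(Packet("10.1.2.3", "192.0.2.1", "tcp", ts=1.0))     # a second later, legitimate
    verdicts = [f.process(p) for p in packets]
    return verdicts, dict(f.counters), packets
```

Of the five-packet burst aimed at the PE, only the first two pass (the bucket's burst allowance) and the rest are counted and dropped, while the packet arriving a second later is admitted again; the counters are what an operator would graph to spot a customer attempting a control-plane DoS or label injection.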

Page 27

Firewalls

Placed where traffic passes between different trusted zones (SP to SP, PE to CE)
Placed where traffic passes between a trusted zone and an untrusted zone
Services: threshold-driven denial-of-service attack protection; virus scanning; acting as a TCP connection proxy
Advantage: built on an understanding of the topologies and of the threat model

Page 28

Firewalls (cont.)

Within the MPLS/VPN framework, traffic typically is not allowed to pass between the various user VPNs
Extranets: firewalls provide the services required for a secure extranet implementation
Protect the user VPNs and the core network from the public Internet

Page 29

My LAB Environment (diagram)

ISP A and ISP B
VPN 1 and VPN 2
P router: Linux, MPLS daemon
PE router: Linux, MPLS daemon
CE router: Linux
Host: Linux, for the API
Host: WinXP, for microcode
IXP1200 boards (four, from EE)

Page 30

Next Presentation (3,8’2004)

IXP1200 Linux How-To
MPLS for Linux Development