SEC-370 © 2001, Cisco Systems, Inc. All rights reserved.
SEC-370 © 2003, Cisco Systems, Inc. All rights reserved.
Understanding MPLS/VPN Security Issues
SEC-370
Michael Behringer
Agenda

Analysis of MPLS/VPN Security
Security Recommendations
MPLS Security Architectures
Internet Access
Firewalling Options
Attacking an MPLS Network
IPsec and MPLS
Summary
The Principle: A Virtual Router

!
ip vrf Customer_A
 rd 100:110
 route-target export 100:1000
 route-target import 100:1000
!
interface Serial0/1
 ip vrf forwarding Customer_A
!

Virtual Routing and Forwarding instance (VRF)
Route Distinguisher (rd): makes VPN routes unique
route-target export: export this VRF with community 100:1000
route-target import: import routes from other VRFs with community 100:1000
ip vrf forwarding: assign the interface to the virtual router
General VPN Security Requirements
Address Space and Routing Separation
Hiding of the MPLS Core Structure
Resistance to Attacks
Impossibility of VPN Spoofing
Working assumption: The core (PE+P) is secure
Address Space Separation

VPN-IPv4 address = Route Distinguisher (64 bits) + IPv4 address (32 bits)
Within the MPLS core all addresses are unique due to the Route Distinguisher.
Routing Separation

Each (sub-)interface is assigned to a VRF
Each VRF has an RD (route distinguisher)
Routing instance: within one RD -> within one VRF
-> Routing separation
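As an added example (not part of the slides), the following Python encodes the RD and VPN-IPv4 address described above and shows how a PE table keyed by RD keeps two customers' identical 10.1.1.0/24 prefixes apart and confines each lookup to one VRF. The RD wire formats are those of RFC 4364; the second customer's RD 100:120 and the next-hop names are constructed.

```python
import ipaddress
import struct

# Added example, not from the slides. The RD wire formats (types 0, 1 and 2) are
# those of RFC 4364; the slides only state that the RD is 64 bits wide.


def encode_rd(rd: str) -> bytes:
    """Encode an IOS-style RD such as '100:110', '192.0.2.1:7' or '65536:3' as 8 bytes."""
    admin, assigned = rd.rsplit(":", 1)
    assigned = int(assigned)
    if "." in admin:            # Type 1: IPv4 administrator, 16-bit assigned number
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, assigned)
    admin_n = int(admin)
    if admin_n <= 0xFFFF:       # Type 0: 2-byte ASN, 32-bit assigned number
        return struct.pack("!HHI", 0, admin_n, assigned)
    return struct.pack("!HIH", 2, admin_n, assigned)   # Type 2: 4-byte ASN, 16-bit number


def vpnv4_address(rd: str, address: str) -> bytes:
    """VPN-IPv4 address as seen in the core: 64-bit RD followed by the 32-bit IPv4 address."""
    return encode_rd(rd) + ipaddress.IPv4Address(address).packed


class CoreVpnTable:
    """Toy PE routing table keyed by (RD, prefix): identical customer prefixes in
    different VRFs cannot collide, and a lookup never leaves the caller's VRF."""

    def __init__(self):
        self._routes = {}       # (rd bytes, IPv4Network) -> next hop

    def add(self, rd: str, prefix: str, next_hop: str) -> None:
        self._routes[(encode_rd(rd), ipaddress.IPv4Network(prefix))] = next_hop

    def lookup(self, rd: str, dst: str):
        """Longest-prefix match restricted to routes carrying the caller's RD."""
        rd_b, ip = encode_rd(rd), ipaddress.IPv4Address(dst)
        hits = [(net, nh) for (r, net), nh in self._routes.items() if r == rd_b and ip in net]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def __len__(self) -> int:
        return len(self._routes)


def demo_table() -> CoreVpnTable:
    """Two customers both announce 10.1.1.0/24 (constructed); the RD keeps them apart."""
    t = CoreVpnTable()
    t.add("100:110", "10.1.1.0/24", "PE2")   # VRF Customer_A, RD from the slide
    t.add("100:120", "10.1.1.0/24", "PE3")   # VRF Customer_B, constructed RD
    t.add("100:110", "0.0.0.0/0", "PE4")     # default route present only in Customer_A
    return t
```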
Hiding of the MPLS Core Structure: Visible Address Space

VRF contains MPLS IPv4 addresses: only the peering interface (on the PE) is exposed (-> CE)!
-> Protect it with an ACL, or use an unnumbered interface.

[Diagram: CE1 and CE2 each connect to their own PE sub-interface (fa0 in VRF CE1, fa1 in VRF CE2); the PE loopback (l0) and the P routers of the MPLS core are not visible to the CEs.]
Resistance to Attacks: Where and How?

Where can you attack? Address and routing separation, thus:
Only attack point: the peering PE

How?
- Intrusions (telnet, SNMP, ..., routing protocol)
- DoS
Secure with ACLs; secure routing protocols with MD5 authentication. See ISP Essentials.
Label Spoofing
PE router expects IP packet from CE
Labelled packets will be dropped
Thus no spoofing possible
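The rule above, as an added example that is not from the slides: a Python model of the PE ingress decision that forwards plain IP from a CE but drops any MPLS-labelled frame arriving on a CE-facing interface, while decoding the label stack on core-facing interfaces. The frame layouts are standard Ethernet II and MPLS shim headers; the sample frames and the 'ce'/'core' role names are constructed.

```python
import struct

# Added example, not from the slides: a PE ingress check implementing the rule
# "the PE expects IP packets from the CE; labelled packets are dropped".
# Ethernet II and MPLS shim layouts are standard; the frames built here are constructed.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_MPLS = 0x8847   # MPLS unicast


def parse_label_stack(payload: bytes):
    """Decode MPLS shim headers (20-bit label, 3-bit EXP, S bit, 8-bit TTL) to the bottom of stack.
    Returns (labels, remaining payload); raises ValueError on a truncated stack."""
    labels = []
    while True:
        if len(payload) < 4:
            raise ValueError("truncated label stack")
        (word,) = struct.unpack("!I", payload[:4])
        labels.append(word >> 12)
        payload = payload[4:]
        if word & 0x100:                 # S bit set: this was the last label
            return labels, payload


def pe_ingress(interface_role: str, frame: bytes) -> str:
    """Decide 'forward' or 'drop' for a frame arriving on a PE interface.
    interface_role: 'ce' for a customer-facing interface in a VRF, 'core' for a P-facing one."""
    if len(frame) < 14:
        return "drop"
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_IPV4:
        return "forward"                 # plain IP is the only thing a CE may send
    if ethertype == ETHERTYPE_MPLS and interface_role == "core":
        try:
            parse_label_stack(frame[14:])
        except ValueError:
            return "drop"
        return "forward"                 # labels are only accepted between core routers
    return "drop"                        # labelled or unknown traffic from a CE is discarded


def build_frame(ethertype: int, payload: bytes) -> bytes:
    """Constructed Ethernet II frame with zeroed MAC addresses."""
    return bytes(12) + struct.pack("!H", ethertype) + payload


def mpls_shim(label: int, bottom: bool, ttl: int = 64, exp: int = 0) -> bytes:
    """Encode one 32-bit MPLS shim header."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)
```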
Comparison with ATM / FR

                                       ATM/FR   MPLS
Address space separation               yes      yes
Routing separation                     yes      yes
Resistance to attacks                  yes      yes
Resistance to label spoofing           yes      yes
Direct CE-CE authentication (layer 3)  yes      with IPsec
Security Recommendations for ISPs

Secure devices (PE, P): they are trusted!
CE-PE interface: secure with ACLs
Static PE-CE routing where possible
If routing: use authentication (MD5)
Separation of CE-PE links where possible (Internet / VPN)
LDP authentication (MD5)
VRF: define maximum number of routes
Note: Overall security depends on the weakest link!
PE-CE Routing Security

In order of security preference:
1. Static: if no dynamic routing is required (no security implications)
2. BGP: for redundancy and dynamic updates (many security features)
3. RIPv2: if BGP is not supported (limited security features)
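As an added example (not from the slides), this Python script audits an IOS-style PE configuration for the recommendations above: an inbound ACL on every CE-facing VRF interface, an MD5 password on every BGP neighbor and on LDP, and a 'maximum routes' limit in every VRF. The configuration text is constructed; the IOS commands it looks for are standard, the addresses and secrets are placeholders.

```python
import re
# Added example, not from the slides: audit an IOS-style PE config for the recommendations
# above (inbound ACL on CE-facing VRF interfaces, MD5 on BGP and LDP, 'maximum routes'
# per VRF). SAMPLE_CONFIG is constructed: Customer_A complies, Customer_B does not.

def _sections(config: str):
    sections = []   # list of (header, [stripped child lines]) per top-level IOS section
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections

def audit_pe(config: str) -> list:
    findings, ldp_protected = [], False   # empty findings list means every check passed
    for header, body in _sections(config):
        if header.startswith("ip vrf "):
            if not any(c.startswith("maximum routes ") for c in body):
                findings.append(f"{header}: no 'maximum routes' limit")
        elif header.startswith("interface ") and any(c.startswith("ip vrf forwarding ") for c in body):
            if not any(re.fullmatch(r"ip access-group \S+ in", c) for c in body):
                findings.append(f"{header}: CE-facing interface without inbound ACL")
        elif header.startswith("router bgp "):
            peers = {c.split()[1] for c in body if re.match(r"neighbor \S+ remote-as ", c)}
            authed = {c.split()[1] for c in body if re.match(r"neighbor \S+ password ", c)}
            findings += [f"bgp neighbor {p}: no MD5 password" for p in sorted(peers - authed)]
        elif header.startswith("mpls ldp ") and "password" in header:
            ldp_protected = True   # 'mpls ldp neighbor ... password' or 'mpls ldp password required'
    if not ldp_protected:
        findings.append("LDP: no neighbor password configured")
    return findings

SAMPLE_CONFIG = """\
ip vrf Customer_A
 maximum routes 1000 80
ip vrf Customer_B
interface Serial0/1
 ip vrf forwarding Customer_A
 ip access-group 101 in
interface Serial0/2
 ip vrf forwarding Customer_B
router bgp 100
 neighbor 10.0.0.9 remote-as 100
 neighbor 10.0.0.9 password EXAMPLE-SECRET
 neighbor 10.0.0.10 remote-as 100
"""
```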
Securing the MPLS Core

[Diagram: VPN and Internet CEs attach to PEs around the MPLS core (P routers and a BGP route reflector).]
CE-PE: ACL and secure routing
PE-PE and PE-route reflector: BGP peering with MD5 authentication
Core: LDP with MD5
MPLS Internet Architectures: Principles

Core supports VPNs and Internet
VPNs remain separated
Internet as an option for a VPN
Essential: Firewalling
Separate VPN and Internet Access

[Diagram: Customer LAN -> CE1 -> PE1 (VRF Internet) to the Internet, with firewall/NAT and IDS in front of the LAN; Customer LAN -> CE2 -> PE2 (VRF VPN) to the VPN; both PEs on the MPLS core.]
Separation: +++
DoS resistance: +++
Cost: $$$ (two lines and two PEs: expensive!)
Separate Access Lines + CEs, one PE

[Diagram: as before, but CE1 (to Internet, VRF Internet) and CE2 (to VPN, VRF VPN) both terminate on the same PE1; firewall/NAT and IDS in front of the customer LAN.]
Separation: +++
DoS resistance: ++ (DoS might impact the VPN on the PE)
Cost: $$ (two lines, but only one PE)
Using a Single Access Line
Requirements to share a line:
PE requires separate sub-interfaces
CE requires separate sub-interfaces
CE side requires separate routing
Shared Access Line, Frame Relay

[Diagram: a VPN CE and an Internet CE at the customer site share one access line to PE1 over separate FR logical links, which terminate in VRF VPN and VRF Internet on the PE; firewall/NAT and IDS sit between the Internet CE and the customer LAN.]
Separation: +++
DoS resistance: + (DoS might affect the VPN on PE, line and CE)
Cost: $
Shared Access Line, Policy Routing

[Diagram: same site layout with a VPN CE and an Internet CE sharing FR logical links to PE1 (VRF VPN, VRF Internet); policy routing (PR) separates VPN and Internet traffic on the shared link; firewall/NAT and IDS in front of the customer LAN.]
Separation: +++
DoS resistance: + (DoS might affect the VPN on PE, line and CE)
Cost: $
Shared Access Line, CE with VRFs

[Diagram: a single CE runs two VRFs itself (VRF Internet and VRF VPN) and reaches PE1's VRF Internet and VRF VPN over FR logical links on one access line; firewall/NAT and IDS in front of the customer LAN.]
Separation: +++
DoS resistance: + (DoS might affect the VPN on PE, line and CE)
Cost: $
Hub-and-Spoke VPN with Internet Access

[Diagram: spoke sites 1, 2 and 3 reach VRF VPN on the MPLS core through their CEs and PEs; the hub site has a VPN CE and an Internet CE behind PE1/PE2, with firewall/NAT and IDS between the VPN and the Internet (VRF Internet), so Internet access for the whole VPN is provided at the hub.]
Alternative Topologies

Full VPN mesh, one Internet access
Internet access at several sites -> several firewalls needed -> more complex
Internet access from all sites -> complex, one firewall per site
Central Firewalling, Option 1: Stacking Firewalls

+ Central management
+ Strong firewalls
+ Customer can choose firewall
+ Different policies per customer possible
+ CEs not touched
- One firewall per customer

[Diagram: Customer1, Customer2 and Customer3 CEs attach to PEs on the MPLS core; inside the SP domain each customer VPN passes through its own NAT and firewall device before reaching the Internet.]
Central Firewalling, Option 2: NAT on CE, one central FW

+ Central management
+ One strong firewall
+ Easy to deploy
- Customer cannot pick his firewall
- CEs need config

[Diagram: each customer CE performs NAT; the customer VPNs then share one central firewall (e.g. PIX 535) in the SP domain in front of the Internet.]
Central Firewalling, Option 3: IOS Firewall on CE

+ Economic
+ One firewall per customer
+ No central devices
- Management more difficult
- CEs need config

[Diagram: each customer CE runs NAT and the IOS firewall itself; the VPNs reach the Internet through the SP domain without a central firewall device.]
A Word on Carriers' Carrier

Same principles as in normal MPLS: the customer trusts the carrier, who trusts the carriers' carrier.

[Diagram: customer CEs attach to the carrier's PEs, which attach to the carriers' carrier's PEs; the customer's IP packet travels with one label inside the carrier and with a second, outer label inside the carriers' carrier core, and is delivered as plain IP at the far end.]
Ways to Attack

Intrusion: get unauthorised access
  Theory: not possible (as shown before)
  Practice: depends on:
  - Vendor implementation
  - Correct config and management
Denial-of-Service: deny access of others. Much more interesting.
No trust? Use IPsec between CEs!
DoS against MPLS

DoS is about resource starvation, one of:
- Bandwidth
- CPU
- Memory (buffers, routing tables, ...)
In MPLS, we have to examine the CE-PE edge (CE, line, PE); the rest is the same as in other networks.
Attacking a CE from MPLS (other VPN)

Is the CE reachable from the MPLS side? -> Only if this is an Internet CE, otherwise not! (CE-PE addressing is part of the VPN!)
For Internet CEs: the same security rules apply as for any other access router.
MPLS hides VPN CEs: secure! Internet CEs: same as in other networks.
Attacking a CE-PE Line

Also depends on the reachability of the CE or the VPN behind it
Only an issue for lines to Internet CEs: same considerations as in normal networks
If the CE-PE line is shared (VPN and Internet): DoS on the Internet may influence the VPN! Use CAR (Committed Access Rate)!
MPLS hides VPN CEs: secure! Internet CEs: same as in other networks.
Attacking a PE Router

Only visible: your own interface, and the interfaces of Internet CEs.

[Diagram: CE1 and CE2 attach to PE sub-interfaces fa0 (VRF CE1) and fa1 (VRF CE2); the attack points are the PE interfaces reachable from a CE, i.e. the customer's own peering interface and any interface in the VRF Internet, while the PE loopback (l0) and the P routers stay hidden.]
DoS attacks to a PE can come from:
- Other VPNs connected to the same PE
- The Internet, if the PE carries an Internet VRF
Possible attacks: resource starvation on the PE (too many routing updates, too many SNMP requests, small servers, ...)
Has to be secured.
Use IPsec if you need:
Encryption of traffic
Direct authentication of CEs
Integrity of traffic
Replay detection
Or: if you don't want to trust your ISP for traffic separation!
IPsec Topologies

CE to CE (static crypto map)
Hub and spoke (dynamic crypto map)
Full mesh with TED (Tunnel Endpoint Discovery): ideal! MPLS/VPN and TED are an ideal combination!
IPsec is independent of MPLS; IPsec and MPLS work together.
MPLS doesn't provide:
Protection against mis-configurations in the core
Protection against attacks from within the core
Confidentiality, authentication, integrity, anti-replay -> Use IPsec if required
Customer network security
Conclusions
MPLS VPNs can be secured as well as ATM/FR VPNs
Depends on correct configuration and function of the core
Use IPsec if you don't trust the core
There are many ways to map VPNs with Internet access securely onto MPLS