mpls vpns and security - cisco
TRANSCRIPT
1SEC-370 © 2001, Cisco Systems, Inc. All rights reserved.
3SEC-370SEC-370 © 2003, Cisco Systems, Inc. All rights reserved.
Understanding MPLS/VPN Security Issues
SEC-370
Michael Behringer <[email protected]>
SEC-370 44© 2003, Cisco Systems, Inc. All rights reserved. 4
Agenda
• Analysis of MPLS/VPN Security
• Security Recommendations• MPLS Security Architectures
Internet AccessFirewalling Options
• Attacking an MPLS Network• IPsec and MPLS• Summary
SEC-370 55© 2003, Cisco Systems, Inc. All rights reserved. 5
The Principle: A “Virtual Router”
!ip vrf Customer_Ard 100:110route-target export 100:1000route-target import 100:1000
!interface Serial0/1ip vrf forwarding Customer_A
!
Virtual Routing and Forwarding Instance Route Distinguisher:
Makes VPN routes unique
Export this VRF with community 100:1000
Import routes from other VRFs with
community 100:1000
Assign Interface to “Virtual Router”
SEC-370 66© 2003, Cisco Systems, Inc. All rights reserved. 6
General VPN Security Requirements
• Address Space and Routing Separation
• Hiding of the MPLS Core Structure
• Resistance to Attacks
• Impossibility of VPN Spoofing
Working assumption: The core (PE+P) is secure
SEC-370 77© 2003, Cisco Systems, Inc. All rights reserved. 7
Address Space Separation
Route Distinguisher IPv4 Address
VPN IPv4 Address
64 bits 32 bits
Within the MPLS core all addresses are unique due to the Route Distinguisher
SEC-370 88© 2003, Cisco Systems, Inc. All rights reserved. 8
Routing Separation
• Each (sub-) interface is assigned to a VRF
• Each VRF has a RD (route distinguisher)
• Routing instance: within one RD -> within one VRF
-> Routing Separation
SEC-370 99© 2003, Cisco Systems, Inc. All rights reserved. 9
Visible Address Space
Hiding of the MPLS Core Structure
• VRF contains MPLS IPv4 addresses• Only peering Interface (on PE) exposed (-> CE)!
-> ACL or unnumbered
PEMPLS core
IP(PE; l0) P
CE2IP(CE2) IP(PE; fa1) VRF CE2
CE1IP(CE1) IP(PE; fa0) VRF CE1
P
P P
SEC-370 1010© 2003, Cisco Systems, Inc. All rights reserved. 10
Resistance to Attacks:Where and How?
• Where can you attack?Address and Routing Separation, thus:
Only Attack point: peering PE
• How?- Intrusions
(telnet, SNMP, …, routing protocol)
- DoSSecure
with ACLsSecure
with MD5
See ISP Essentials
SEC-370 1111© 2003, Cisco Systems, Inc. All rights reserved. 11
Label Spoofing
• PE router expects IP packet from CE
• Labelled packets will be dropped
• Thus no spoofing possible
SEC-370 1212© 2003, Cisco Systems, Inc. All rights reserved. 12
Comparison with ATM / FR
ATM/FR MPLSAddress space separation yes yes Routing separation yes yes Resistance to attacks yes yes Resistance to Label Spoofing
yes yes
Direct CE-CE Authentication (layer 3)
yes with IPsec
SEC-370 1313© 2003, Cisco Systems, Inc. All rights reserved. 13
Agenda
• Analysis of MPLS/VPN Security
• Security Recommendations• MPLS Security Architectures
Internet AccessFirewalling Options
• Attacking an MPLS Network• IPsec and MPLS• Summary
SEC-370 1414© 2003, Cisco Systems, Inc. All rights reserved. 14
Security Recommendations for ISPs
• Secure devices (PE, P): They are trusted!• CE-PE interface: Secure with ACLs• Static PE-CE routing where possible• If routing: Use authentication (MD5)• Separation of CE-PE links where possible
(Internet / VPN)• LDP authentication (MD5)• VRF: Define maximum number of routesNote: Overall security depends on weakest link!
SEC-370 1515© 2003, Cisco Systems, Inc. All rights reserved. 15
In order of security preference: 1. Static: If no dynamic routing required
(no security implications)2. BGP: For redundancy and dynamic
updates(many security features)
3. RIPv2: If BGP not supported(limited security features)
PE-CE Routing Security
SEC-370 1616© 2003, Cisco Systems, Inc. All rights reserved. 16
ACL and secure routing
Securing the MPLS CoreMPLS core
Internet
VPNVPN PE
CE
CE
CE
CE
CE CE
PE
PEPE
PE
P
P
P
VPN
VPN
VPN
BGP Route Reflector
BGP peering with MD5 authentic.
LDP with MD5
SEC-370 1717© 2003, Cisco Systems, Inc. All rights reserved. 17
Agenda
• Analysis of MPLS/VPN Security
• Security Recommendations• MPLS Security Architectures
Internet AccessFirewalling Options
• Attacking an MPLS Network• IPsec and MPLS• Summary
SEC-370 1818© 2003, Cisco Systems, Inc. All rights reserved. 18
MPLS Internet Architectures: Principles
• Core supports VPNs and Internet
• VPNs remain separated
• Internet as an option for a VPN
• Essential: Firewalling
SEC-370 1919© 2003, Cisco Systems, Inc. All rights reserved. 19
Separate VPN and Internet Access
• Separation: +++• DoS resistance: +++ • Cost: $$$ (Two lines and two PEs: Expensive!)
PE1
MPLS core
P
CE2
CE1
PE2
Customer LAN
Firewall / NAT
To Internet
To VPN
VRF Internet
VRF VPN
IDS
SEC-370 2020© 2003, Cisco Systems, Inc. All rights reserved. 20
Separate Access Lines + CEs, one PE
PE1
MPLS core
P
CE2
CE1
Customer LAN
Firewall / NAT
To Internet
To VPN
VRF Internet
VRF VPN
• Separation: +++• DoS resistance: ++ (DoS might impact VPN on PE)
• Cost: $$ (Two lines, but only one PE)
IDS
SEC-370 2121© 2003, Cisco Systems, Inc. All rights reserved. 21
Using a Single Access Line
Requirements to share a line:
• PE requires separate sub-interfaces
• CE requires separate sub-interfaces
• CE side requires separate routing
SEC-370 2222© 2003, Cisco Systems, Inc. All rights reserved. 22
Shared Access Line, Frame Relay
PE1
MPLS core
P
VPN CE
Internet CE
Customer LAN
Firewall / NAT
FR logical links
VRF Internet
VRF VPN
• Separation: +++• DoS resistance: + (DoS might affect VPN on PE, line, CE)
• Cost: $
IDS
SEC-370 2323© 2003, Cisco Systems, Inc. All rights reserved. 23
Shared Access Line, Policy Routing
PE1
MPLS core
P
VPN CE
Internet CE
Customer LAN
Firewall / NAT
FR logical links
PRVRF Internet
VRF VPN
• Separation: +++• DoS resistance: + (DoS might affect VPN on PE, line, CE)
• Cost: $
IDS
SEC-370 2424© 2003, Cisco Systems, Inc. All rights reserved. 24
Shared Access Line, CE with VRFs
PE1
MPLS core
P
Internet CE
Customer LAN
Firewall / NAT
FR logical links
VRF Internet
VRF VPNVRF Internet
• Separation: +++• DoS resistance: + (DoS might affect VPN on PE, line, CE)
• Cost: $
IDS
SEC-370 2525© 2003, Cisco Systems, Inc. All rights reserved. 25
mbehring
PE1
MPLS core
VPN CE
InternetCE
PE2
Hub Site
FirewallNAT
VRF Internet
Hub-and-Spoke VPN with Internet Access
Internet
Spoke 1 Spoke 2 Spoke 3
VPN VPN
To VPN
VPN
VRF VPN
PEs
CEs
To Internet -->
IDS
SEC-370 2626© 2003, Cisco Systems, Inc. All rights reserved. 26
Alternative Topologies
• Full VPN mesh, one Internet Access• Internet access at several sites
-> Several firewalls needed-> More complex
• Internet Access from all sites-> Complex, one firewall per site
SEC-370 2727© 2003, Cisco Systems, Inc. All rights reserved. 27
Central Firewalling:Option 1: Stacking Firewalls
+ Central Management
+ Strong firewalls
+ Customer can choose firewall
+ Different policies per customer possible
+ CEs not touched
- One firewall per customer
MPLS core
VPN VPNVPNPEs
CEs
Customer1
Customer2
Customer3
VPN
Internet
SP D
omai
n
NAT and Firewalling
SEC-370 2828© 2003, Cisco Systems, Inc. All rights reserved. 28
Central Firewalling:Option 2: NAT on CE, one central FW
+ Central Management
+ One strong firewall
+ Easy to deploy
- Customer cannot pick his firewall
- CEs need config
MPLS core
VPN VPNVPNPEs
Customer1
Customer2
Customer3
VPN
Internet
SP D
omai
n
Firewalling
NAT NAT NAT
e.g PIX 535
CEs
SEC-370 2929© 2003, Cisco Systems, Inc. All rights reserved. 29
Central Firewalling:Option 3: IOS Firewall on CE
+ Economic
+ One firewall per customer
+ No central devices
- Management more difficult
- CEs need config
MPLS core
VPN VPNVPNPEs
CEs
Customer1
Customer2
Customer3
VPN
Internet
SP D
omai
n
NAT andfirewall
NAT andfirewall
NAT andfirewall
SEC-370 3030© 2003, Cisco Systems, Inc. All rights reserved. 30
A Word on Carrier’s Carrier
• Same principles as in normal MPLS• Customer trusts carrier who trusts carrier
Carrier’sCarrierCust. Cust.Carrier Carrier
CE CEPE
PE
PE
PEPE PE
IP
label
label
data
IP data
label IP data
label IP data
IP data
SEC-370 3131© 2003, Cisco Systems, Inc. All rights reserved. 31
Agenda
• Analysis of MPLS/VPN Security
• Security Recommendations• MPLS Security Architectures
Internet AccessFirewalling Options
• Attacking an MPLS Network• IPsec and MPLS• Summary
SEC-370 3232© 2003, Cisco Systems, Inc. All rights reserved. 32
Ways to Attack
• “Intrusion”: Get un-authorised accessTheory: Not possible (as shown before)
Practice: Depends on:
- Vendor implementation
- Correct config and management
• “Denial-of-Service”: Deny access of othersMuch more interesting…
No Trust?
Use IPsecbetween CEs!
SEC-370 3333© 2003, Cisco Systems, Inc. All rights reserved. 33
DoS against MPLS
• DoS is about Resource Starvation, one of:- Bandwidth
- CPU
- Memory (buffers, routing tables, …)
- In MPLS, we have to examine:
- Rest is the same as in other networks
CE PE
SEC-370 3434© 2003, Cisco Systems, Inc. All rights reserved. 34
Attacking a CE from MPLS (other VPN)
• Is the CE reachable from the MPLS side?-> only if this is an Internet CE, otherwise not!
(CE-PE addressing is part of VPN!)
• For Internet CEs: Same security rules apply as for any other access router.
MPLS hides VPN-CEs: Secure! Internet CEs: Same as in other networks
SEC-370 3535© 2003, Cisco Systems, Inc. All rights reserved. 35
Attacking a CE-PE Line
• Also depends on reachability of CE or the VPN behind it
• Only an issue for Lines to Internet-CEsSame considerations as in normal networks
• If CE-PE line shared (VPN and Internet):DoS on Internet may influence VPN! Use CAR!
MPLS hides VPN-CEs: Secure! Internet CEs: Same as in other networks
SEC-370 3636© 2003, Cisco Systems, Inc. All rights reserved. 36
Attacking a PE Router
Only visible: “your” interfaceand interfaces of Internet CEs
PEIP(PE; l0) IP(P)
CE2IP(CE2) IP(PE; fa1) VRF CE2
CE1IP(CE1) IP(PE; fa0)
VRF CE1
VRF InternetAttack points
SEC-370 3737© 2003, Cisco Systems, Inc. All rights reserved. 37
DoS Attacks to PE can come from:
• Other VPN, connected to same PE
• Internet, if PE carries Internet VRF
Possible Attacks:
• Resource starvation on PEToo many routing updates, too many SNMP requests, small servers, …
Has to be secured
SEC-370 3838© 2003, Cisco Systems, Inc. All rights reserved. 38
Agenda
• Analysis of MPLS/VPN Security
• Security Recommendations• MPLS Security Architectures
Internet AccessFirewalling Options
• Attacking an MPLS Network• IPsec and MPLS• Summary
SEC-370 3939© 2003, Cisco Systems, Inc. All rights reserved. 39
Use IPsec if you need:
• Encryption of traffic
• Direct authentication of CEs
• Integrity of traffic
• Replay detection
• Or: If you don’t want to trust your ISP for traffic separation!
SEC-370 4040© 2003, Cisco Systems, Inc. All rights reserved. 40
IPsec Topologies
• CE to CE (static cryptomap)
• Hub and Spoke (dynamic cryptomap)
• Full Mesh with TED: Ideal!!!MPLS/VPN and TED are an ideal combination!!
IPsec is independent of MPLSIPsec and MPLS work together
SEC-370 4141© 2003, Cisco Systems, Inc. All rights reserved. 41
Agenda
• Analysis of MPLS/VPN Security
• Security Recommendations• MPLS Security Architectures
Internet AccessFirewalling Options
• Attacking an MPLS Network• IPsec and MPLS• Summary
SEC-370 4242© 2003, Cisco Systems, Inc. All rights reserved. 42
MPLS doesn’t provide:
• Protection against mis-configurations in the core
• Protection against attacks from within the core
• Confidentiality, authentication, integrity, anti-replay -> Use IPsec if required
• Customer network security
SEC-370 4343© 2003, Cisco Systems, Inc. All rights reserved. 43
Conclusions
• MPLS VPNs can be secured as well as ATM/FR VPNs
• Depends on correct configuration and function of the core
• Use IPsec if you don’t trust core
• There are many ways to map VPNs with Internet access securely onto MPLS
44SEC-370SEC-370 © 2003, Cisco Systems, Inc. All rights reserved.
Understanding MPLS/VPN Security Issues
Session SEC-370
45SEC-370SEC-370 © 2003, Cisco Systems, Inc. All rights reserved.
Please Complete Your Evaluation Form
Session SEC-370
46Presentation_ID © 2001, Cisco Systems, Inc. All rights reserved.