The truth about MPLS security


1. "MPLS is private."
Truth: MPLS is a shared service!

"We use a private network" is often stated as the reason for not protecting data as it travels over 3rd party networks. But is MPLS really private? MPLS is technically a VPN, or Virtual Private Network, meaning it's not actually private; it only mimics privacy by logically separating data with labels. More importantly, even if MPLS were private, is privacy the equivalent of security? The answer is no.

"It is important to understand that a service provider has the technical possibility to sniff VPN data, and VPN users can either choose to trust the service providers not to use their data inappropriately, or they can encrypt the traffic over the MPLS core."
Analyzing MPLS Security, Michael H. Behringer and Monique Morrow

MPLS is a shared network service - there is nothing private about it.
The labels generated by MPLS logically segment user traffic, but they are used only for forwarding purposes. Traffic from thousands of different customers and users (including traffic from other carriers and the Internet) traverses a common set of backbone routers in rapid succession. Each router in an MPLS network performs label swapping, and the new label is used by the next router for forwarding purposes. At any given moment, traffic from competitors and other provider networks flows across a common infrastructure.

Data is shared almost immediately.
Customer Edge (CE) routers are assigned to individual customers, but Provider Edge (PE) and Provider backbone (P) routers are shared. In other words, only the router in your office is private; the very next router your traffic hits (and all the routers after it) is shared by multiple users.

"...carriers talk about frame relay or MPLS VPNs all the time, and if you think they're secure, you're mistaken."
WAN Encryption: Just Do It, Mike Fratto, Network Computing

2. "MPLS is secure."
Truth: MPLS has no inherent security!

There is a common misconception that MPLS provides some level of security. The truth is that MPLS offers:
- No protection against misconfigurations. Human and machine errors as well as OS bugs can result in MPLS traffic being misrouted.
- No protection from attacks within the core. MPLS is vulnerable to all the traditional WAN attack vectors.
- No protection or detection of sniffing/snooping. It is impossible to detect if someone is siphoning or replicating data; there is no alarm that goes off if data is being stolen.
- No data security. The data is left in the clear and can be accessed, replicated, or used by anyone who gains access to it.

[Figure: MPLS header layout]
  Label Value (20 bits) | TC (3 bits) | S (1 bit) | TTL (8 bits)
  Frame layout: L2 Header | MPLS header | IP Packet

The illustration above shows the components of an MPLS header. Note the absence of any security measures within the header itself. The Label Value provides forwarding information used by the routers. Traffic Class (TC) bits are used to provide services such as traffic prioritization. The Stacking bit (S) allows multiple labels to be used. TTL is a time-to-live marker that allows packets to expire. None of these mechanisms provide security. Also note that the original IP packet is unchanged, which means that with MPLS your data traverses a shared network in the clear.

"...an organization's network traffic is in the clear on an MPLS network, meaning that the carrier and anyone else that has access to the organization's network can read packets on the MPLS network."
PCI Guru
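The header layout above, written out as a parser (an added example, not code from the brochure or from Certes Networks): it walks the label stack using the S bit and then reads the IPv4 header that follows, which MPLS carries unchanged, so every field is readable at any hop without a key. The labels, addresses and payload below are constructed for this example.

```python
import struct

MPLS_ENTRY = struct.Struct("!I")  # one 32-bit label stack entry


def build_entry(label, tc, s, ttl):
    """Pack one stack entry: Label (20 bits) | TC (3) | S (1) | TTL (8)."""
    return MPLS_ENTRY.pack((label << 12) | (tc << 9) | (s << 8) | ttl)


def parse_label_stack(data):
    """Walk the label stack until the bottom-of-stack (S) bit is set.
    Returns the list of entries and the offset where the payload starts."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated MPLS label stack")
        word = MPLS_ENTRY.unpack_from(data, offset)[0]
        entries.append({"label": word >> 12, "tc": (word >> 9) & 0x7,
                        "s": (word >> 8) & 0x1, "ttl": word & 0xFF})
        offset += 4
        if entries[-1]["s"]:
            return entries, offset


def inner_ipv4(payload):
    """Read the IPv4 header that follows the stack; MPLS leaves it as-is."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        raise ValueError("payload is not an IPv4 packet")
    ihl = (payload[0] & 0xF) * 4
    return {"proto": payload[9],
            "src": ".".join(map(str, payload[12:16])),
            "dst": ".".join(map(str, payload[16:20])),
            "data": payload[ihl:]}


def constructed_packet():
    """Constructed sample: a transport label plus a VPN label (typical of an
    MPLS VPN), then a minimal IPv4/TCP packet with made-up addresses."""
    ip = bytes([0x45, 0, 0, 29, 0, 0, 0, 0, 64, 6, 0, 0,
                10, 1, 1, 1, 10, 2, 2, 2]) + b"GET / HTT"
    return build_entry(16001, 5, 0, 64) + build_entry(24010, 5, 1, 64) + ip


def inspect(frame):
    """Everything a hop with access to the frame can read, with no key."""
    stack, offset = parse_label_stack(frame)
    return stack, inner_ipv4(frame[offset:])
```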

3. "Providers position MPLS accurately."
Truth: Providers continue to market MPLS as a secure service!

In a podcast dated April 2009, a Product Director from a major service provider said security was built in to MPLS based on the following:
- Traffic streams are kept separate.
- There are controls around provisioning and management.
- There are gateways between the Public Internet and the MPLS.
- Netflow and J-Flow are used to identify malicious activity.

Nearly every MPLS service provider makes similar claims. Service providers can make these claims because they bear no responsibility for the integrity of your data: SLAs are built around reliable delivery, not data integrity or security.

Hackers and data thieves know better!
There are papers and video tutorials readily available on the Internet that provide a cook-book approach to sniffing and redirecting MPLS traffic. Here's what Black Hat had to say about MPLS security claims:

Providers say: Traffic streams are kept separate.
Hackers know: The mechanism used to separate traffic can also be used to identify targets of interest!

Providers say: There are controls around provisioning and management.
Hackers know: Provisioning and management are to data security what traffic lights are to bank robbers; they do not prevent data theft!

Providers say: There are gateways between the Internet and the MPLS network.
Hackers know: Traffic is not accidentally leaking out to the Internet; it is being stolen right off the MPLS backbone!

Providers say: They use Netflow/J-Flow to identify malicious activity.
Hackers know: Post-event notification is not a substitute for prevention!

Other industries don't get away with pushing debunked benefits! Why do service providers continue to make these claims?

4. "Encryption breaks MPLS."
Truth: Group Encryption is transparent to MPLS!

IPsec VPNs are typically used to protect data on MPLS networks. While they do provide excellent security, they also mask many of the features service providers offer, including:
- Class of Service
- Netflow/J-Flow
- Network Address Translation (NAT)
- Policy based routing

Group Encryption allows security administrators to create encryption policies that match the existing network topology and application flows, without creating tunnels. By maintaining the original headers, Group Encryption allows you to retain all of the benefits (including Layer 4 services) of MPLS, while providing the highest level of data protection.

Other traditional issues with IPsec tunnels include:
- Forces any-to-any networks to become point-to-point connections
- Requires complex configurations, which are expensive to operate and manage
- Is not VoIP or video compatible (due to increased latency)
- Slows/breaks multicast
- Breaks load balancing
- Often requires router/OS upgrades
- Hides application information required for troubleshooting

With Group Encryption you can decouple security from the infrastructure and maintain application performance, while protecting data and complying with privacy regulations.

"With [Group Encryption], we can protect our data while maintaining traffic shaping and other network services that require access to the Layer 4 header. This eliminates what used to be a tradeoff between security and performance."
Ron Pass, Senior Network Engineer, First Franklin Financial

5. "Encryption kills performance."
Truth: You can encrypt MPLS without impacting quality or performance!

Latency has traditionally been one of the major drawbacks of encryption. Even with an accelerator card in place there can be as much as an 80% drop in performance on a WAN link while encrypting. No amount of cryptographic acceleration can help, because encryption is not the only cause of latency. Other contributors are massive policy maps and the associated look-ups that get created when an any-to-any network is relegated into point-to-point relationships. Latency can also be caused by the repeated passing of packets through the router backplane.

Group Encryption does not impact network performance.
Because Group Encryption does not impact the underlying infrastructure or impose point-to-point connections, any topology can be secured without modifications:
- Full mesh networks can be encrypted while preserving Layer 4 services
- VoIP can be encrypted without impacting call quality
- Dual carrier networks can be secured without impacting SLAs
- Load balanced networks can be secured without impacting high availability

Encrypt latency-sensitive applications such as voice and video.
Because the complexity of tunnels and the latency-inducing policy look-ups are avoided, voice and video can be secured without hampering quality.

"The CipherEngine solution enables companies to protect their data without impeding the performance or operation of the network."
Charles Kolodgy, Vice President, Security Products, IDC

6. "Encryption is expensive."
Truth: Encryption is not expensive - encryption with traditional IPsec tunnels is expensive!

It can take as many as 15 minutes to set up a VPN tunnel. That may not sound like much, but consider this: a 50 node network would take 36,750 minutes to configure all the IPsec tunnels. That's 600 hours of work just to set it up. All of those tunnels create policy maps that can significantly choke router throughput. A typical 1Gbps link can cost $3k a month, and you could get as little as 240Mbps throughput, even with a standard accelerator card. You could be wasting thousands of dollars per month per site. If you have to add or drop a site, it's another 300 hours of work every time! All of this complexity also creates additional vulnerabilities in the network.

Group Encryption has a low Total Cost of Ownership (TCO)!
With tunnel-less Group Encryption, policies are created using drag-and-drop functionality. You can secure a large full mesh network with a single policy that takes only minutes to set up and manage, even for very large networks. Policy and encryption key refreshes can be set up to take place at regular intervals or with the click of a button. Performance is maintained because the massive policy look-ups that choke router performance are avoided. In some cases, WAN acceleration can be avoided because there is nothing impeding performance.

"The de-coupling of the encryption service from the network infrastructure means our customers no longer have to choose between performance and security. Also, the simple installation and ease of management of the solution helps keep costs under control, which is an important consideration for our customers."
Orhan Düz, Operations Group Manager, KoçSistem

7. Additional facts:
- Certes Networks released the industry's first Group Encryption solution in 2006
- Certes Networks has partnered with premier service providers to provide MPLS compatible encryption as a managed service
- Certes Networks offers the industry's only Layer 4 compatible encryption solution
- Certes Networks offers tunnel-less Group Encryption at Layer 2, Layer 3, and Layer 4

For more information visit us at www.certesnetworks.com

2010 Certes Networks, Inc. All rights