Tuesday, September 20, 2011

MPLS VPN Security






By Michael H. Behringer, Monique J. Morrow
Publisher: Cisco Press
Pub Date: June 08, 2005
ISBN: 1-58705-183-4
Pages: 312





A practical guide to hardening MPLS networks

Define "zones of trust" for your MPLS VPN environment
Understand fundamental security principles and how MPLS VPNs work
Build an MPLS VPN threat model that defines attack points, such as VPN separation, VPN spoofing, DoS against the network's backbone, misconfigurations, sniffing, and inside attack forms
Identify VPN security requirements, including robustness against attacks, hiding of the core infrastructure, protection against spoofing, and ATM/Frame Relay security comparisons
Interpret complex architectures such as extranet access with recommendations of Inter-AS, carrier-supporting carriers, Layer 2 security considerations, and multiple provider trust model issues
Operate and maintain a secure MPLS core with industry best practices
Integrate IPsec into your MPLS VPN for extra security in encryption and data origin verification
Build VPNs by interconnecting Layer 2 networks with new available architectures such as virtual private wire service (VPWS) and virtual private LAN service (VPLS)
Protect your core network from attack by considering Operations, Administration, and Management (OAM) and MPLS backbone security incidents

Multiprotocol Label Switching (MPLS) is becoming a widely deployed technology, specifically for providing virtual private network (VPN) services. Security is a major concern for companies migrating to MPLS VPNs from existing VPN technologies such as ATM. Organizations deploying MPLS VPNs need security best practices for protecting their networks, specifically for the more complex deployment models such as inter-provider networks and Internet provisioning on the network.

MPLS VPN Security is the first book to address the security features of MPLS VPN networks and to show you how to harden and securely operate an MPLS network. Divided into four parts, the book begins with an overview of security and VPN technology. A chapter on threats and attack points provides a foundation for the discussion in later chapters. Part II addresses overall security from various perspectives, including architectural, design, and operation components. Part III provides practical guidelines for implementing MPLS VPN security. Part IV presents real-world case studies that encompass details from all the previous chapters to provide examples of overall secure solutions.

Drawing upon the authors' considerable experience in attack mitigation and infrastructure security, MPLS VPN Security is your practical guide to understanding how to effectively secure communications in an MPLS environment.

"The authors of this book, Michael Behringer and Monique Morrow, have a deep and rich understanding of security issues, such as denial-of-service attack prevention and infrastructure protection from network vulnerabilities. They offer a very practical perspective on the deployment scenarios, thereby demystifying a complex topic. I hope you enjoy their insights into the design of self-defending networks." —Jayshree V. Ullal, Senior VP/GM Security Technology Group, Cisco Systems®

Copyright
About the Authors
About the Technical Reviewers
Acknowledgments
Foreword
Icons Used in This Book
Command Syntax Conventions
Introduction
Who Should Read This Book
How This Book Is Organized
Part I. MPLS VPN and Security Fundamentals
Chapter 1. MPLS VPN Security: An Overview
Key Security Concepts
Other Important Security Concepts
Overview of VPN Technologies
Fundamentals of MPLS VPNs
A Security Reference Model for MPLS VPNs
Summary
Chapter 2. A Threat Model for MPLS VPNs
Threats Against a VPN
Threats Against an Extranet Site
Threats Against the Core
Threats Against the Internet
Threats from Within a Zone of Trust
Reconnaissance Attacks
Summary
Part II. Advanced MPLS VPN Security Issues
Chapter 3. MPLS Security Analysis
VPN Separation
Robustness Against Attacks
Hiding the Core Infrastructure
Protection Against Spoofing
Specific Inter-AS Considerations
Specific Carrier's Carrier Considerations
Security Issues Not Addressed by the MPLS Architecture
Comparison to ATM/FR Security
Summary
Footnotes
Chapter 4. Secure MPLS VPN Designs
Internet Access
Extranet Access
MPLS VPNs and Firewalling
Designing DoS-Resistant Networks
Inter-AS Recommendations and Traversing Multiple Provider Trust Model Issues
Carriers' Carrier
Layer 2 Security Considerations
Multicast VPN Security
Summary
Footnotes
Chapter 5. Security Recommendations
General Router Security
CE-Specific Router Security and Topology Design Considerations
PE-Specific Router Security
PE Data Plane Security
PE-CE Connectivity Security Issues
P-Specific Router Security
Securing the Core
Routing Security
CE-PE Routing Security Best Practices
Internet Access
Sharing End-to-End Resources
LAN Security Issues
IPsec: CE to CE
MPLS over IP Operational Considerations: L2TPv3
Securing Core and Routing Check List
Summary
Part III. Practical Guidelines to MPLS VPN Security
Chapter 6. How IPsec Complements MPLS
IPsec Overview
Location of the IPsec Termination Points
Deploying IPsec on MPLS
Using Other Encryption Techniques
Summary
Chapter 7. Security of MPLS Layer 2 VPNs
Generic Layer 2 Security Considerations
C2 Ethernet Topologies
C3 VPLS Overview
C4 VPWS Overview
C5 VPLS and VPWS Service Summary and Metro Ethernet Architecture Overview
C6 VPLS and VPWS Security Overview
Customer Edge
Summary
Chapter 8. Secure Operation and Maintenance of an MPLS Core
Management Network Security
Securely Managing CE Devices
Securely Managing the Core Network
Summary
Part IV. Case Studies and Appendixes
Chapter 9. Case Studies
Internet Access
Multi-Lite VRF Mechanisms
Layer 2 LAN Access
Summary
Appendix A. Detailed Configuration Example for a PE
Appendix B. Reference List
Cisco Press Books
IETF
ITU-T
Index

