Security Requirements


In any network, security considerations devolve into essentially two types of issue. Compromises are either accidental, occurring through misconfiguration, growth, or unanticipated changes in the network, or deliberate attacks by some entity bent on causing havoc. The risk vectors are either external (driven by events outside the network in question) or internal (sourced from within the network itself). Additionally, most security-related problems fall into the categories of denial of service (DoS) or intrusion. DoS events may be intentional or accidental, whereas intrusion issues by definition are intentional. It is essential to harden the network components and the system as a whole to minimize the likelihood of any of the preceding scenarios. However, as with all resource-consuming features, a balance must be struck between maximizing security and offering the performance and usability that the service is intended to provide. Clearly, a wholly disconnected host or router has total security; however, its ability to forward data or provide services is substantially compromised.

The state of the network from an availability and security viewpoint may also differ with respect to the perspective of the interested party. That is, the concerns of the service provider and the customer are an intersecting, but not completely overlapping, set of needs. Indeed, the two parties might have different perspectives on the network's current status.

Topological and Network Design Considerations

Clearly, the type of physical network selected to interconnect the CE and PE offers differing levels of resilience to intrusion and redirection. A serial point-to-point facility is very difficult to subvert, and intrusions usually are quite noticeable. When a serial connection of this nature is interrupted, alarms are raised very quickly, and the two endpoints are difficult to masquerade.

PVC-based networks, such as Frame Relay and ATM, are somewhat less resistant because they generally are controlled by software-based virtual circuit switching and can be readily mis-switched or duplicated. However, even these facilities typically use a serial point-to-point connection between the CE and the telco central office, making intrusion difficult outside the telco realm.

Ethernet-based facilities are most readily compromised in that it is relatively easy to insert a promiscuous monitoring device somewhere in the path.

Note

The physical links from the CE to the central office remain directly cabled. Consequently, intrusion still generally requires telco access.


Of course, it is possible to insert equipment into these physical plants, but the level of expertise required to identify the correct facility, access the physical structures, and unobtrusively insert illicit systems is very high and is not readily performed by any but a determined and well-funded attacker.

The more significant issue with shared physical interface access (PVC-based or VLAN-based) is managing the offered traffic loads so that one VPN cannot affect the operational characteristics of other VPNs terminated on the same port. To guarantee the performance of the VPNs per their SLAs, it is necessary either to provision much greater bandwidth on the access port than the expected load or to manage the available bandwidth using policing and shaping mechanisms.

Typically, this is done by offering a limited set of performance options (say, four or five classes) to customers when they request the service. Policing controls are then applied to the interfaces based on these predefined classes of service to meet the customer's expectations. In an unmanaged VPN, where different entities control the CE and PE and consequently neither can be guaranteed to stay within the expected operational characteristics, these controls need to be applied to both routers to ensure that offered loads do not affect the applicable networks.
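The following is an added illustration, not configuration from the book, of how a provider could express such a small set of predefined classes on a shared PE access port using the Cisco IOS Modular QoS CLI. The class names, VRF name, VLAN, addresses and rates are assumed values chosen for the example; a real deployment would derive them from the classes actually sold.

```cisco
! Constructed example: classify customer traffic into four predefined
! classes by DSCP, then police each class on the PE access subinterface.
! Names, rates, VLAN and addresses are assumptions, not values from the text.
class-map match-any VPNA-REALTIME
 match ip dscp ef
class-map match-any VPNA-CRITICAL
 match ip dscp af41 af31
class-map match-any VPNA-BUSINESS
 match ip dscp af21 af11
!
policy-map PE-INGRESS-VPNA
 class VPNA-REALTIME
  ! 2 Mbps committed rate; excess is dropped so real-time traffic from
  ! this VPN cannot crowd out the other VPNs sharing the port
  police cir 2000000 bc 62500 conform-action transmit exceed-action drop
 class VPNA-CRITICAL
  police cir 4000000 conform-action transmit exceed-action drop
 class VPNA-BUSINESS
  ! Out-of-contract traffic is remarked to best effort rather than dropped
  police cir 8000000 conform-action transmit exceed-action set-dscp-transmit default
 class class-default
  police cir 2000000 conform-action transmit exceed-action drop
!
! VPN A is one VLAN on a shared Gigabit Ethernet port; each VPN gets its
! own subinterface, VRF and service policy, so one customer's offered
! load is confined to that customer's share of the port.
interface GigabitEthernet0/1.101
 encapsulation dot1Q 101
 ip vrf forwarding VPNA
 ip address 192.0.2.1 255.255.255.252
 service-policy input PE-INGRESS-VPNA
```

Applied inbound on the PE, this policy protects the other VPNs on the port regardless of what the CE sends. In the unmanaged case described above, the same class structure would also be applied outbound on the customer's CE (typically as shaping rather than policing) so that the customer stays within contract and is not surprised by drops at the PE.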

In general, MPLS VPN implementations may be grouped into five categories, which present differing requirements with respect to the CE-PE arrangements.

SP-Managed VPNs

In the SP-managed VPN, the service provider's control extends all the way out to the point of presence within the customer's Interior Gateway Protocol (IGP).

As such, the service provider has full control of the CE configuration, including the following:

  • Access to the router itself

  • Interaction with the rest of the customers' IGP

  • Interaction with the service provider's PE routing mechanism

  • Openness to customer statistics gathering

  • Management requirements specific to the service provider's operation

This model gives the service provider the greatest degree of control over the potential impact of the customer's operations on the service provider's own network. It also offers greater control over issues that may affect the VPNs of the service provider's other customers.

Conversely, this arrangement implies some degree of trust on the part of the customer:

  • The customer allows another company (the service provider) to have access to its IGP.

  • The customer trusts the service provider to map its network communications solely to endpoints approved by the customer.

  • The customer assumes that the service provider will provide the majority of fault analysis and resolution activity (because its own access is somewhat limited).

The challenge presented in migrating from the existing network infrastructure to an MPLS VPN is to capture, within the Layer 3 VPN model, all the requirements that were previously satisfied by the Layer 2 network infrastructure.

Unmanaged VPNs

Unmanaged VPNs are distinguished by the notion that the CE router is owned and controlled by the customer. Although the term "unmanaged VPN" is, strictly speaking, a misnomer (and perhaps indicative of a more service provider-centric perspective), it is widely accepted to mean a network in which the customer rather than the service provider manages the CE router. In this scenario, the demarcation point between the service provider and the customer is usually the data set at the customer premises. (It is quite possible, however, that the communication facility provider is not in fact the Layer 3 MPLS VPN provider.) The customer has full control over the configuration of the CE router and interacts with the service provider's network under some mutually agreed-on arrangement between the service provider and the customer.

In this situation, the service provider's network operation might be exposed to the customer's configurations of the CE router. As such, the service provider needs to take additional steps to ensure that its network operations are not disturbed by changes in the customers' network environment or CE router setups.

However, this operating mode may be more palatable to customers who want to maintain the following:

  • Complete control over their IGP

  • Additional fault analysis/troubleshooting information access

  • Minimized exposure of their network to the service provider

  • The ability to manage their Layer 2 and Layer 3 exposures to the service provider

From the service provider's perspective, the unmanaged VPN environment changes the span of control significantly. This approach affects the service provider in a number of ways:

  • Need to protect the Layer 3 interconnect between the CE and PE

  • Possible need to protect the Layer 2 interconnect (if shared)

  • Requirement for clear definition of SLA-affecting responsibilities due to changes in span of control and the need to closely interact with the customer in the event of problems

  • Additional level of security awareness at the PE router because the CE is no longer under its explicit control
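As an added example, not taken from the book, the following Cisco IOS sketch shows the kind of PE-side measures the first, second and fourth points above call for when the CE is no longer under the provider's control: restricting what may reach the PE's own address on the link, discarding spoofed sources, and constraining the routing exchange with the CE. The VRF name, addresses, AS numbers, prefix ranges, limits and the password placeholder are all assumed values for illustration.

```cisco
! Constructed example of PE-side protection for an unmanaged CE in VRF
! VPNA. Addresses, AS numbers, names and limits are assumptions.
!
! Only the agreed CE address may speak BGP (or ping) to the PE's own
! address on this link; anything else aimed at the PE itself is refused,
! while customer transit traffic is still forwarded.
ip access-list extended CE-VPNA-EDGE-IN
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
 permit icmp host 192.0.2.2 host 192.0.2.1 echo
 permit icmp host 192.0.2.2 host 192.0.2.1 echo-reply
 deny   ip any host 192.0.2.1
 permit ip any any
!
! The CE may announce only the address blocks agreed for this VPN.
ip prefix-list VPNA-FROM-CE seq 10 permit 10.10.0.0/16 le 24
ip prefix-list VPNA-FROM-CE seq 20 deny 0.0.0.0/0 le 32
!
interface GigabitEthernet0/1.101
 encapsulation dot1Q 101
 ip vrf forwarding VPNA
 ip address 192.0.2.1 255.255.255.252
 ip access-group CE-VPNA-EDGE-IN in
 ! Strict unicast RPF: drop packets whose source is not routable back
 ! over this interface, which removes spoofed sources from the CE side
 ip verify unicast source reachable-via rx
!
router bgp 65000
 address-family ipv4 vrf VPNA
  neighbor 192.0.2.2 remote-as 65001
  ! Shared secret authenticates the session; placeholder value only
  neighbor 192.0.2.2 password PLACEHOLDER-SHARED-SECRET
  ! Accept the session only from a directly attached neighbor
  neighbor 192.0.2.2 ttl-security hops 1
  neighbor 192.0.2.2 prefix-list VPNA-FROM-CE in
  ! Cap what the CE can inject into the VRF; tear down and retry if exceeded
  neighbor 192.0.2.2 maximum-prefix 200 restart 5
  neighbor 192.0.2.2 activate
```

The access list and unicast RPF check address the Layer 3 interconnect directly; the prefix list and maximum-prefix limit bound how far a misconfigured or compromised CE can influence the VRF and, through it, other sites of the same customer. Where the Layer 2 access is shared (an Ethernet VLAN per VPN, as here), the per-VLAN subinterface and VRF binding are what keep one customer's CE from reaching another customer's attachment, so the provider should also verify on the access switch that the VLAN cannot be changed from the customer side.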




Selecting MPLS VPN Services
ISBN: 1587051915
Year: 2004
Pages: 136