This chapter examines the security issues to consider from the enterprise perspective when migrating from a WAN that's based on Layer 2 technologies such as Frame Relay and ATM to a Layer 3 IP virtual private network (VPN). The focus in this chapter is on infrastructure security rather than security of packet payload, which is covered in Chapter 9, "Off-Net Access to the VPN."

When an enterprise subscribes to an IP VPN service, IP routes are exchanged between the enterprise and service provider network. This process is new compared to the previous Layer 2 WAN: it gives an entity outside the enterprise knowledge of the enterprise network topology. This additional knowledge of the enterprise infrastructure by an outside source causes some enterprise network managers to be concerned. It can be debated whether this concern is warranted, but the fact remains that when connecting at Layer 3, rather than at Layer 2, more information about the enterprise network is exchanged between enterprise and provider, and the first thing an attacker of networks needs is information.

In addition to this new Layer 3 exchange of information, one of the typical advantages of migrating to a Layer 3 service is that networks become more richly connected. This is driven by applications such as voice over IP (VoIP). However, along with the benefits of richer connection (in terms of more possible paths across the WAN) comes the challenge of tracking the sources of attacks in this environment. Whereas a Layer 2 WAN provides a discrete number of connections to potential attack sources, with a Layer 3 service the enterprise is faced with an anywhere-to-anywhere connection model in which tracking attacks back to their source takes more effort.

Many of the techniques described in later sections, such as black-hole filtering, used to be considered applicable only to service provider networks, not enterprise networks.
The reason for this was that enterprise networks were considered to have a low number of external peers and only a handful of points in the network where attacks could enter. For larger enterprise networks, this is no longer the case. The larger enterprises have multiple providers connected to their networks and multiple extranet connections to business partners, and their networks now resemble provider networks. This chapter considers the issues related to securing the network infrastructure from attacks by miscreants.

Note: Detailed configuration recommendations for firewall and Intrusion Detection Systems (IDS) are outside the scope of this book. They are covered in several other Cisco Press books.

Note: The "References" section, which appears at the end of this chapter, contains extensive publicly available resources that detail the best recommendations for securing networks.