Chapter 7. Enterprise Security in an MPLS VPN Environment


This chapter covers the following topics:

  • Comparing an enterprise's security implications using provider-provisioned IP VPNs based on MPLS to traditional Frame Relay and ATM Layer 2 VPNs.

  • Understanding the security issues raised in the provider network by using shared or private PEs.

  • Understanding the cost and security trade-offs for different types of connectivity for connecting PEs to CEs.

  • Understanding how to apply security techniques such as filtering, tracing spoofed packets, remotely triggered black-hole filtering, loose and strict uRPF, sinkholes, and backscatter traceback to your network.

  • Understanding hacker tools such as bots, botnets, and worms and how to mitigate them.

  • Learning how to prepare network operations to mitigate attacks: baselining traffic with NetFlow and a NetFlow Collector, using Cisco Guard, and defining team roles and procedures around the available tools, all of which are essential to keeping a network operational in today's environment.

  • Understanding the options implemented by our case study network group.

This chapter examines the security issues to consider from the enterprise perspective when migrating from a WAN that's based on Layer 2 technologies such as Frame Relay and ATM to a Layer 3 IP virtual private network (VPN). The focus in this chapter is on infrastructure security rather than security of packet payload, which is covered in Chapter 9, "Off-Net Access to the VPN."

When an enterprise subscribes to an IP VPN service, IP routes are exchanged between the enterprise and the service provider network. This exchange is new compared to the previous Layer 2 WAN: it gives an entity outside the enterprise knowledge of the enterprise network topology. This additional visibility into the enterprise infrastructure causes some enterprise network managers to be concerned. Whether the concern is warranted can be debated, but the fact remains that when connecting at Layer 3 rather than at Layer 2, more information about the enterprise network is exchanged between enterprise and provider, and the first thing a network attacker needs is information.

In addition to this new Layer 3 exchange of information, one of the typical advantages of migrating to a Layer 3 service is that networks become more richly connected. This is driven by applications such as voice over IP (VoIP). However, along with the benefits of richer connection (in terms of more possible paths across the WAN) comes the challenge of tracking sources of attack in this environment.

Whereas a Layer 2 WAN presents a discrete number of connections through which an attack can arrive, a Layer 3 VPN presents the enterprise with an anywhere-to-anywhere connectivity model, through which attacks require more effort to track.

Many of the techniques described in later sections, such as black-hole filtering, used to be considered applicable only to service provider networks, not enterprise networks. The reason for this was that enterprise networks were considered to have a low number of external peers and only a handful of points in the network where attacks could enter. For larger enterprise networks, this is no longer the case. The larger enterprises have multiple providers connected to their networks and have multiple extranet connections to business partners, and their networks now resemble provider networks. This chapter considers the issues related to securing the network infrastructure from attacks by miscreants.

Note

Detailed configuration recommendations for firewall and Intrusion Detection Systems (IDS) are outside the scope of this book. They are covered in several other Cisco Press books.


Note

The "References" section, which appears at the end of this chapter, contains extensive publicly available resources that detail the best recommendations for securing networks.





Selecting MPLS VPN Services
ISBN: 1587051915
Year: 2004
Pages: 136