Uploaded by networksguy on 13-Jul-2015

TRANSCRIPT

Page 1: Carrier Ethernet security

Security Best Practices for Carrier Ethernet Networks and Services

Ralph Santitoro, MEF Director and Security Working Group Co-chair

[email protected]

Page 2: Carrier Ethernet security

Acknowledgement

• Special thanks to Peter Hayman and Steve Holmgren for their significant contributions to the MEF’s Carrier Ethernet security white paper and review comments on this presentation

Page 3: Carrier Ethernet security

Agenda

• MEF Ethernet Service Classification

• Security Vulnerability versus Service Flexibility

• Service Provider and Enterprise Network Security Environments

• Ethernet Threats and Vulnerabilities

– Which types of services are affected?

– Best practice mitigation techniques

• Carrier Ethernet Security Pillars

• Summary

Page 4: Carrier Ethernet security

MEF Ethernet Service Definition Classification

• MEF Services are classified into two categories:

– Port-based

• Single Service Instance per UNI (dedicated network resource)

– VLAN-based

• Multiple Service Instances per UNI (shared network resource)

Service Type                         | Port-Based (All-to-One Bundling) | VLAN-Based (Service Multiplexed)
E-Line (Point-to-Point EVC)          | Ethernet Private Line (EPL)      | Ethernet Virtual Private Line (EVPL)
E-LAN (multipoint-to-multipoint EVC) | Ethernet Private LAN (EP-LAN)    | Ethernet Virtual Private LAN (EVP-LAN)
E-Tree (rooted multipoint EVC)       | Ethernet Private Tree (EP-Tree)  | Ethernet Virtual Private Tree (EVP-Tree)

Page 5: Carrier Ethernet security

Security Vulnerabilities versus Service Flexibility - Based on traffic separation techniques

[Figure: services plotted against the axes Security Vulnerabilities and Service Flexibility: EPL, EVPL, EVP-LAN, EVP-Tree, EP-Tree, EP-LAN]

Service Flexibility Ranking

• Protocol (most flexible)

• Time or Wavelength

• Physical Connection (least flexible)

Security Ranking

• Physical Connection (most secure)

• Time or Wavelength

• Protocol (least secure)

Some Ethernet Services are inherently more secure than others. Traffic Isolation/Separation techniques play a key role.

Page 6: Carrier Ethernet security

Service Provider and Enterprise Comparison

Physical Access and Security

– Enterprise Environment: Mix of low security common areas and restricted access data centers and wiring closets

– Service Provider Environment: Restricted access buildings with electronic access cards with video surveillance

Mobility

– Enterprise Environment: Users can easily move PCs and laptops around, even use wireless technology to roam.

– Service Provider Environment: Equipment and connections permanently installed & inventoried in database to track any changes

Network Access Ports

– Enterprise Environment: Pervasive in the environment, typically enabled in most places

– Service Provider Environment: Limited to physical network equipment only. Generally disabled except when provisioned

Network Reachability

– Enterprise Environment: May be partitioned into subnets or VLANs. Internet access through firewall generally accessible from anywhere.

– Service Provider Environment: Circuits provisioned by port as part of customer network. No default network or Internet access.

Wireless Access

– Enterprise Environment: Available in most places, sometimes with greater security than hard-wired ports.

– Service Provider Environment: Typically not available due to interference and security concerns

Page 7: Carrier Ethernet security

Agenda

• MEF Ethernet Service Classification

• Security Vulnerability versus Service Flexibility

• Service Provider and Enterprise Network Security Environments

• Ethernet Threats and Vulnerabilities

– Which types of services are affected?

– Best practice mitigation techniques

• Carrier Ethernet Security Pillars

• Summary

Page 8: Carrier Ethernet security

Port or VLAN Mirroring and Monitoring - Threat Scenario and Affected Services

• Threat Scenario

– Eavesdropper gains control of switch and enables mirroring so subscriber’s traffic can be monitored and copied

• Ethernet Services affected

– EVPL, EVP-LAN and EVP-Tree

• EPL unaffected since transported through dedicated transport, e.g., SDH

[Figure: Customer Site A1 and Customer Site A2 connected through the provider switch; an eavesdropper with port mirroring enabled]

Page 9: Carrier Ethernet security

Port or VLAN Mirroring and Monitoring - Best Practices Threat Mitigation

• Best Practices Threat Mitigation

– Deactivate all unused Ethernet ports

– Physical access control and secured network management access

• Threat Assessment: Manageable

[Figure: same diagram as Page 8 (Customer Sites A1 and A2, eavesdropper with port mirroring enabled)]

Page 10: Carrier Ethernet security

MAC Address DoS / Eavesdropping Attack - Attack Scenario and Affected Services

• Attack Scenario

– Attacker floods network with many different MAC addresses

– Result: Service disrupted and flooded traffic monitored

• Ethernet Services affected

– EVP-LAN, EP-LAN, EVP-Tree and EP-Tree

[Figure: Customer Sites A1, A2 and A3 attached to the provider switch and a MAC attacker; MAC address table overflows and forwarding table reset, resulting in MAC addresses flooded to all ports]

Page 11: Carrier Ethernet security

MAC Address DoS / Eavesdropping Attack - Best Practices Threat Mitigation

• Best Practices Threat Mitigation

– Limit number of subscriber MAC addresses on a port

– Use tunneling technology (PBB) to tunnel MAC addresses

– Use router (single MAC address) at customer premises

• Threat Assessment: Manageable

[Figure: same diagram as Page 10 (MAC address table overflows and forwarding table reset, MAC addresses flooded to all ports)]
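As an added simulation (not from the deck or the MEF) of why limiting subscriber MAC addresses per port defeats the table-overflow attack on the previous slide: the three-port switch, its 64-entry table, the "reset on overflow" behaviour and the MAC addresses are constructed assumptions.

```python
import random
from collections import defaultdict

class LearningSwitch:
    """Toy learning bridge with a bounded MAC table and an optional per-port
    MAC limit (the 'limit subscriber MAC addresses on a port' mitigation)."""

    def __init__(self, table_size, per_port_limit=None):
        self.table_size = table_size
        self.per_port_limit = per_port_limit
        self.table = {}                       # MAC -> port
        self.macs_on_port = defaultdict(set)

    def _learn(self, src, port):
        if src in self.table:
            return True
        if (self.per_port_limit is not None
                and len(self.macs_on_port[port]) >= self.per_port_limit):
            return False                      # limit hit: drop frame, learn nothing
        if len(self.table) >= self.table_size:
            # Overflow: model the deck's "forwarding table reset" (assumption)
            self.table.clear()
            self.macs_on_port.clear()
        self.table[src] = port
        self.macs_on_port[port].add(src)
        return True

    def forward(self, src, dst, in_port, ports):
        """Egress port set for one frame; an empty set means it was dropped."""
        if not self._learn(src, in_port):
            return set()
        if dst in self.table:
            return {self.table[dst]}
        return set(ports) - {in_port}         # unknown destination: flood

def unicast_leaks_to_attacker(per_port_limit=None, attack_frames=500, seed=1):
    """Sites A1 (port 1) and A3 (port 3) exchange frames, then the attacker on
    port 2 floods random source MACs. True if A1 -> A3 traffic now hits port 2."""
    rng = random.Random(seed)
    ports = [1, 2, 3]
    sw = LearningSwitch(table_size=64, per_port_limit=per_port_limit)
    a1, a3 = "00:00:00:00:00:a1", "00:00:00:00:00:a3"     # constructed MACs
    sw.forward(a1, a3, 1, ports)
    sw.forward(a3, a1, 3, ports)
    for _ in range(attack_frames):
        sw.forward("%012x" % rng.getrandbits(48), "ff:ff:ff:ff:ff:ff", 2, ports)
    return 2 in sw.forward(a1, a3, 1, ports)
```

Without a limit the attacker evicts A3's entry and the switch floods A1's unicast to the attacker's port; with a limit of two MACs per port the extra source addresses are never learned and A1 to A3 stays unicast.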

Page 12: Carrier Ethernet security

Spanning Tree Protocol DoS Attacks - Attack Scenario and Affected Services

• Attack Scenario

– High volume of BPDUs overloads switch disrupting service

• Ethernet Services affected

– EVP-LAN and EP-LAN

[Figure: Customer Sites A1, A2 and A3 attached to the provider switch; STP attack from Customer Site A2 sends high volumes of BPDUs to switch causing processor overload that disrupts service]

Page 13: Carrier Ethernet security

Spanning Tree Protocol DoS Attacks - Best Practices Threat Mitigation

• Best Practices Threat Mitigation

– Control plane policing to rate limit BPDU traffic to prevent DoS

– Discard BPDUs arriving from subscribers’ ports

– Use L2CP tunneling technology, e.g., PBB, to tunnel subscribers’ BPDUs

• BPDUs should only be exchanged between provider’s switches

• Threat Assessment: Manageable

[Figure: same diagram as Page 12 (STP attack from Customer Site A2 overloading the switch processor)]

Page 14: Carrier Ethernet security

Agenda

• MEF Ethernet Service Classification

• Security Vulnerability versus Service Flexibility

• Service Provider and Enterprise Network Security Environments

• Ethernet Threats and Vulnerabilities

– Which types of services are affected?

– Best practice mitigation techniques

• Carrier Ethernet Security Pillars

• Summary

Page 15: Carrier Ethernet security

Carrier Ethernet Security Pillars

• Traffic Separation and Isolation

• Authentication of interconnected equipment

• Encryption of data in transit

• Inspection of data for threats

• OAM Security

The Pillars Address Different Security Aspects of Carrier Ethernet Networks and Services

Page 16: Carrier Ethernet security

Carrier Ethernet Security Pillars - Traffic Separation and Isolation

• All customer traffic eventually traverses a shared transport network infrastructure

– Subscriber traffic separation and isolation is required

• Traffic separation and isolation techniques inherited from transport network

– Ethernet over SDH/SONET: TDM channels (temporal separation)

– Ethernet over λ: Colors (wavelength separation)

– Provider Bridges (IEEE 802.1ad): S-VLAN Tag (protocol-based separation)

– Provider Backbone Bridges (IEEE 802.1ah): Provider MAC Address and VLAN Tag (protocol-based separation)

– MPLS Pseudowires: MPLS Label (protocol-based separation)
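As an added example (not from the deck or the MEF specifications) of the Provider Bridges S-tag separation listed above: the two TPIDs are the IEEE 802.1Q/802.1ad values, while the MAC addresses, VLAN IDs and the (S-VID, destination MAC) forwarding key are constructed assumptions about how a provider core forwards.

```python
import struct

TPID_C = 0x8100   # IEEE 802.1Q customer tag (C-tag)
TPID_S = 0x88A8   # IEEE 802.1ad service tag (S-tag)

def _mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_ctagged_frame(dst, src, cvid, ethertype, payload, pcp=0):
    """Customer frame as it arrives at the UNI: DA, SA, C-tag, EtherType, payload."""
    tci = (pcp << 13) | (cvid & 0xFFF)
    return _mac(dst) + _mac(src) + struct.pack("!HHH", TPID_C, tci, ethertype) + payload

def push_stag(frame, svid, pcp=0):
    """PE ingress: insert the provider's S-tag directly after the MAC addresses."""
    tci = (pcp << 13) | (svid & 0xFFF)
    return frame[:12] + struct.pack("!HH", TPID_S, tci) + frame[12:]

def pop_stag(frame):
    """PE egress: strip the S-tag; returns (svid, customer frame as received)."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_S:
        raise ValueError("outermost tag is not an S-tag")
    return tci & 0xFFF, frame[:12] + frame[16:]

def tag_stack(frame):
    """(tpid, vid) pairs outermost first, for any 802.1Q / 802.1ad frame."""
    tags, off = [], 12
    while off + 4 <= len(frame):
        tpid, tci = struct.unpack("!HH", frame[off:off + 4])
        if tpid not in (TPID_S, TPID_C):
            break
        tags.append((tpid, tci & 0xFFF))
        off += 4
    return tags

def provider_forwarding_key(frame):
    """Assumed core forwarding key: (S-VID, destination MAC). The subscriber's
    C-VID is not part of it, so two subscribers may reuse the same C-VID."""
    return tag_stack(frame)[0][1], frame[0:6]

def demo():
    # Constructed addresses; subscribers X and Y both happen to use C-VLAN 100.
    fx = build_ctagged_frame("00:00:00:00:00:01", "00:00:00:00:00:02", 100, 0x0800, b"x")
    fy = build_ctagged_frame("00:00:00:00:00:01", "00:00:00:00:00:03", 100, 0x0800, b"y")
    px, py = push_stag(fx, 2001), push_stag(fy, 2002)     # one S-VLAN per subscriber
    return provider_forwarding_key(px), provider_forwarding_key(py), pop_stag(px)[1] == fx
```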

Page 17: Carrier Ethernet security

Carrier Ethernet Security Pillars - Authentication

• Do I trust the device attached to the network?

• Do I trust the data ingressing the network?

• Connection Authentication

– IEEE 802.1X to authenticate CE-1 and establish trust relationship between PE-1 and CE-1

• Controls what devices are permitted to access the network

– MACSec (IEEE 802.1AE) to authenticate packets exchanged between CE-1 and PE-1

• Controls what data is permitted to enter the network

Page 18: Carrier Ethernet security

Carrier Ethernet Security Pillars - Encryption

• Provides secrecy of sensitive data in transit

• Encryption accomplished at different levels

– Most commonly provided at IP Layer 3

• Ethernet and IP Encryption Standards

– MACSec for Ethernet

– IPSec/SSL for IP

Page 19: Carrier Ethernet security

Carrier Ethernet Security Pillars - Inspection

• Enterprise subscribers need stored and in transit data to be monitored to detect and thwart theft of information

– Sensitive data such as credit card, bank account, social security and tax identification numbers, and patient health care information

– Copyrighted data such as music and movie files

• Inspection technologies scan for unwanted traffic (malicious or otherwise)

– Optionally allows for blocking or rate limiting the unwanted traffic

• Service providers can alert subscribers to threats (part of a managed security service)

– and contain (block) the threats before they can become widespread

Content inspection typically performed at the application layer

Page 20: Carrier Ethernet security

Carrier Ethernet Security Pillars - OAM Security

• OAM security at Data, Control and Management planes

– Ensure subscriber and service provider management frames do not “leak” into or trigger unwanted OAM functions in each other’s network

• Provider’s management frames must be separated from subscribers’ data using, e.g., VLANs, SDH DCN, etc.

– Limited set of subscribers’ BPDUs appropriate for Ethernet service type acted upon by service provider’s network elements

• Certain service types, e.g., E-LAN, exchange L2CPs (L2 Control Protocols) between provider & subscriber NEs

– Limited set of L2CPs need to be acted upon

• Any L2CPs outside this limited set tunneled or discarded per SLA

– Suspicious behavior of L2CPs requires rate-limiting and alarming
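As an added example (not the deck's own material) covering both the BPDU mitigations on Page 13 and the per-service L2CP handling on this slide: the reserved destination MACs are IEEE 802.1 values; the per-service action tables, the 10 BPDU/s policer and the BPDU storm are constructed assumptions.

```python
# Well-known L2CP destination MACs (IEEE 802.1 reserved addresses)
BPDU_DST = "01:80:c2:00:00:00"   # STP/RSTP/MSTP bridge group address
LACP_DST = "01:80:c2:00:00:02"   # slow protocols (LACP)
LLDP_DST = "01:80:c2:00:00:0e"   # LLDP

class TokenBucket:
    # Control-plane policer: `rate` frames/s sustained, up to `burst` frames at once
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, t):
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

class UniL2cpPolicy:
    """Per-UNI L2CP handling (assumed model). `actions` maps a dst MAC to 'discard',
    'tunnel' (carried transparently, e.g. over PBB) or 'peer' (acted upon by the PE);
    peered L2CPs are policed and every policed frame bumps an alarm counter."""
    def __init__(self, actions, rate, burst):
        self.actions = actions
        self.policer = TokenBucket(rate, burst)
        self.alarms = 0

    def handle(self, t, dst):
        action = self.actions.get(dst, "discard")   # outside the limited set: discard
        if action == "peer" and not self.policer.allow(t):
            self.alarms += 1
            return "policed"
        return action

def apply_policy(policy, frames):
    counts = {}
    for t, dst in frames:                      # frames are (arrival time s, dst MAC)
        outcome = policy.handle(t, dst)
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts

# Constructed BPDU storm: 1000 BPDUs within one second from a subscriber port
STORM = [(i / 1000.0, BPDU_DST) for i in range(1000)]

# Constructed policies (assumptions, not MEF-specified): an EVPL UNI drops subscriber
# BPDUs outright; an EP-LAN UNI peers them but polices to 10 BPDU/s, burst 20.
EVPL_ACTIONS = {BPDU_DST: "discard", LACP_DST: "peer", LLDP_DST: "tunnel"}
EPLAN_ACTIONS = {BPDU_DST: "peer", LACP_DST: "peer", LLDP_DST: "tunnel"}
```

Running the storm through `UniL2cpPolicy(EPLAN_ACTIONS, 10, 20)` with `apply_policy` lets only the burst plus the sustained rate reach the control plane and raises an alarm for every policed BPDU, while the EVPL policy discards all of them without ever touching the policer.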

Page 21: Carrier Ethernet security

Summary

• All networking technologies have security threats and vulnerabilities

– Through due diligence and Security Best Practices, network operators can effectively manage them

• Carrier Ethernet Networks and Services

– Are as secure as other networking technologies

– Introduce new service flexibilities not possible or practical to deliver with other networking technologies

Page 22: Carrier Ethernet security

Questions?

Page 23: Carrier Ethernet security

For more information regarding joining the MEF, visit: www.metroethernetforum.org

Email us at: [email protected]

Call us at: +1.310.258.8032 (California, USA)

For in-depth presentations of Carrier Ethernet for business, Ethernet services, technical overview, certification program etc., visit: www.metroethernetforum.org/presentations