Carrier Ethernet Security Threats and Mitigation Best Practices
Ralph Santitoro, Director of Carrier Ethernet Market Development
© Copyright 2011 Fujitsu Network Communications, Inc.
Current Best Practices: MAC Address Denial of Service (DoS) Attacks

Attack scenario:
- Attacker floods the network with many different MAC addresses
- The network element's MAC address table overflows and resets, causing the MAC address learning process to occur again

Attacker objective: service disruption

Services affected: any service using Ethernet bridging

Popular best practices for threat mitigation:
- Limit the number of subscriber MAC addresses
- Use a router (single MAC address) at the customer premises
- Use a tunneling technology (e.g., PBB) to tunnel MAC addresses
- Use 802.1X to authenticate CPE connecting to the SP's network

There is a simpler, alternative approach to solving this problem.

Santa Clara, CA USA | February
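The overflow-and-reset behaviour and the "limit the number of subscriber MAC addresses" mitigation can both be seen on a small model of a learning bridge. The following is an added illustration, not Fujitsu code or anything from the slides: the bridge model, its 64-entry table, the constructed frame stream (a subscriber on port 1 with three MACs, an attacker on port 2 with 200 distinct source MACs), the per-port limit of 8 and the detection threshold of 16 are all assumptions chosen to make the effect visible.

```python
"""Learning-bridge MAC table under a source-MAC flood, with and without a
per-port learned-address limit, plus a simple detection rule over frames.
This is an added illustration, not Fujitsu code; the bridge model, the
capacity, the frame stream and the thresholds are all constructed."""
from collections import OrderedDict


TABLE_CAPACITY = 64  # constructed: a tiny table so the overflow is visible


class LearningBridge:
    """Minimal bridge: learns (source MAC -> ingress port) from every frame.

    When the table is full it flushes and starts learning again, which is the
    overflow-and-reset behaviour described for the MAC DoS attack. With
    per_port_limit set, a port may contribute at most that many entries, which
    is the "limit number of subscriber MAC addresses" mitigation."""

    def __init__(self, capacity=TABLE_CAPACITY, per_port_limit=None):
        self.capacity = capacity
        self.per_port_limit = per_port_limit
        self.table = OrderedDict()  # mac -> port
        self.resets = 0             # table overflow / flush events
        self.dropped = 0            # frames refused by the per-port limit

    def entries_on_port(self, port):
        return sum(1 for p in self.table.values() if p == port)

    def learn(self, src_mac, port):
        """Learn src_mac on port. Returns False if the per-port limit blocked it."""
        if src_mac in self.table:
            return True
        if self.per_port_limit is not None and self.entries_on_port(port) >= self.per_port_limit:
            self.dropped += 1
            return False
        if len(self.table) >= self.capacity:
            self.table.clear()  # overflow: every legitimately learned MAC is lost
            self.resets += 1
        self.table[src_mac] = port
        return True


def make_frames():
    """Constructed stream of (ingress port, source MAC): a subscriber on port 1
    cycling through 3 real MACs, then an attacker on port 2 sending 200 frames
    with 200 distinct source MACs."""
    subscriber = ["00:11:22:33:44:%02x" % i for i in range(3)]
    frames = [(1, subscriber[i % 3]) for i in range(50)]
    frames += [(2, "02:00:00:00:%02x:%02x" % (i // 256, i % 256)) for i in range(200)]
    return frames


def run(per_port_limit=None):
    """Feed the constructed stream through a bridge and return it for inspection."""
    bridge = LearningBridge(per_port_limit=per_port_limit)
    for port, mac in make_frames():
        bridge.learn(mac, port)
    return bridge


def flooding_ports(frames, max_new_macs):
    """Detection rule: ports whose number of distinct source MACs in one batch
    of frames exceeds max_new_macs. A customer port should not show hundreds."""
    seen = {}
    for port, mac in frames:
        seen.setdefault(port, set()).add(mac)
    return sorted(port for port, macs in seen.items() if len(macs) > max_new_macs)


if __name__ == "__main__":
    unprotected = run()
    print("no limit: resets=%d entries=%d subscriber MAC kept=%s"
          % (unprotected.resets, len(unprotected.table),
             "00:11:22:33:44:00" in unprotected.table))
    limited = run(per_port_limit=8)
    print("limit 8/port: resets=%d dropped=%d subscriber MAC kept=%s"
          % (limited.resets, limited.dropped, "00:11:22:33:44:00" in limited.table))
    print("ports flagged by detection:", flooding_ports(make_frames(), 16))
```

Without a limit, the 200 attacker MACs flush the table three times and the subscriber's own entries are gone afterwards, so its traffic is flooded until relearned; with a per-port limit the table never overflows and the subscriber's entries survive. The detection rule is the operational complement: a port presenting far more distinct source MACs per interval than a customer site plausibly has is worth an alarm regardless of which mitigation is deployed.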
What is Connection-Oriented Ethernet?
- High-performance implementation of Carrier Ethernet
- Used for P2P and P2MP metro and wide area networking
- Disables Ethernet bridging behavior:
  - No Spanning Tree Protocol
  - No MAC address learning/flooding
- Ethernet paths (EVCs) are provisioned by the management system
- Implementations use "label-based" frame forwarding:
  - Ethernet / VLAN tag switching: C-VIDs + S-VIDs
  - PBB-TE: BMAC address + B-VID
  - MPLS-TP: pseudowire / LSP labels
Connection-Oriented Ethernet Security
- No MAC address learning / flooding vulnerabilities:
  - Immune to MAC address spoofing of network elements (NEs)
  - Immune to MAC address table overflow DoS attacks in NEs
- No Spanning Tree Protocol (STP) vulnerabilities:
  - Immune to STP Denial of Service (DoS) attacks
- Doesn't use IP protocols:
  - Immune to IP protocol vulnerabilities and attacks
- Uses few Layer 2 protocols:
  - Fewer protocols = fewer network security vulnerabilities

COE provides security comparable to SONET or OTN networks.
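The two preceding slides (label-based forwarding on provisioned EVCs, and the resulting immunity to MAC table overflow) are illustrated below with a model of the VLAN-tag-switching variant. This is an added example, not Fujitsu code or any vendor implementation: the switch class, the single constructed EVC (port 1 / VID 100 to port 7 / VID 2001), the frame layout and the flood of 1000 distinct source MACs are all assumptions. The point it demonstrates is that the forwarding state is written only by the provisioning step, so no pattern of source or destination MACs in the data path can change it, and a frame arriving on a (port, VID) with no EVC is dropped rather than flooded.

```python
"""Connection-oriented Ethernet (VLAN tag switching) forwarding model: every
path is a provisioned EVC keyed on (ingress port, S-VID); the switch never
learns source MACs and never floods unknown destinations. This is an added
illustration, not Fujitsu code; the switch model, EVC table, ports and VIDs
are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ingress_port: int
    s_vid: int
    src_mac: str
    dst_mac: str


class COESwitch:
    """Forwards purely on management-provisioned (port, S-VID) labels."""

    def __init__(self):
        self.evc_table = {}  # (ingress port, S-VID) -> (egress port, S-VID)
        self.dropped = 0     # frames with no provisioned EVC (no flooding)

    def provision_evc(self, port_a, vid_a, port_b, vid_b):
        """Management-system action: install both directions of a P2P EVC."""
        self.evc_table[(port_a, vid_a)] = (port_b, vid_b)
        self.evc_table[(port_b, vid_b)] = (port_a, vid_a)

    def forward(self, frame):
        """Return (egress port, egress S-VID) or None. MAC addresses play no
        part in the lookup, so nothing in the frame can alter switch state."""
        key = (frame.ingress_port, frame.s_vid)
        if key not in self.evc_table:
            self.dropped += 1
            return None
        return self.evc_table[key]

    def snapshot(self):
        return dict(self.evc_table)


def build_demo_switch():
    """Constructed EVC: customer-facing port 1 / VID 100 <-> network port 7 / VID 2001."""
    sw = COESwitch()
    sw.provision_evc(1, 100, 7, 2001)
    return sw


def mac_flood_effect(switch, port, vid, count=1000):
    """Push `count` frames with distinct source MACs and a broadcast destination
    through the switch. Returns (state unchanged?, set of forwarding results)."""
    before = switch.snapshot()
    results = set()
    for i in range(count):
        src = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        results.add(switch.forward(Frame(port, vid, src, "ff:ff:ff:ff:ff:ff")))
    return before == switch.snapshot(), results


if __name__ == "__main__":
    sw = build_demo_switch()
    print("flood on provisioned EVC:", mac_flood_effect(sw, 1, 100))
    print("flood on unprovisioned VID:", mac_flood_effect(sw, 1, 200), "dropped:", sw.dropped)
```

Contrast this with a learning bridge: here the flood on the provisioned EVC yields exactly one forwarding result, the EVC table is byte-for-byte identical afterwards, and broadcast destinations on an unprovisioned VID are silently counted as drops. That is the concrete meaning of the "immune to MAC address table overflow" and "no flooding" claims on the slide; it says nothing about the remaining control-plane protocols the network element still runs, which the slide's "fewer protocols" point addresses separately.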
Security Vulnerabilities vs. Service Flexibility: COE vs. Connectionless (bridged) Ethernet (CLE)

[Chart: security vulnerabilities plotted against service flexibility for the services EPL, EVPL, EVP-LAN, EVP-Tree, EP-Tree and EP-LAN, delivered over COE, CLE and EoS.]

Service flexibility ranking: Physical Port (least flexible) to Protocol (most flexible)

Security vulnerability ranking: Physical Port (most secure) to Protocol (least secure)

COE provides security comparable to Layer 1 networks while supporting the most popular Ethernet services.