© Copyright 2011 Fujitsu Network Communications, Inc. Carrier Ethernet Security Threats and Mitigation Best Practices Ralph Santitoro Director of Carrier.


Carrier Ethernet Security Threats and Mitigation Best Practices
Ralph Santitoro, Director of Carrier Ethernet Market Development

Current Best Practices: MAC Address Denial of Service (DoS) Attacks
• Attack Scenario
  - Attacker floods network with many different MAC addresses
  - Network Element MAC address table overflows and resets, causing the MAC address learning process to occur again
• Attacker Objective: Service Disruption
• Services affected
  - Any service using Ethernet bridging
• Popular Best Practices Threat Mitigation
  - Limit number of subscriber MAC addresses
  - Use router (single MAC address) at customer premises
  - Use tunneling technology (e.g., PBB) to tunnel MAC addresses
  - Use 802.1X to authenticate CPE connecting to SP’s network
There is a simpler, alternative approach to solving this problem
Santa Clara, CA USA | February
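The table-overflow scenario and the first mitigation on this slide (limiting subscriber MAC addresses) can be compared in a small simulation. This is an added example, not part of the original presentation; the bridge model, the table capacity of 64, the per-port limit of 4 and all MAC addresses are constructed assumptions.

```python
from collections import defaultdict

class LearningBridge:
    """Toy MAC-learning bridge; a model for illustration, not vendor code."""

    def __init__(self, capacity, per_port_limit=None):
        self.capacity = capacity              # total MAC table entries
        self.per_port_limit = per_port_limit  # None = no subscriber MAC limit
        self.table = {}                       # MAC -> port
        self.learned = defaultdict(set)       # port -> MACs learned on that port
        self.resets = 0
        self.dropped = 0

    def receive(self, port, src, dst):
        """Handle one frame; return 'drop', 'flood' or the egress port."""
        if src not in self.table:
            limit = self.per_port_limit
            if limit is not None and len(self.learned[port]) >= limit:
                self.dropped += 1             # port is over its MAC limit
                return "drop"
            if len(self.table) >= self.capacity:
                self.table.clear()            # overflow: table resets
                self.learned.clear()
                self.resets += 1
            self.table[src] = port
            self.learned[port].add(src)
        return self.table.get(dst, "flood")   # unknown destination is flooded

def simulate(bridge, frames=1000):
    """Hosts A and B (ports 1, 2) talk while port 3 sends constructed
    frames, each with a new source MAC. Counts A->B frames that flood."""
    a, b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    bridge.receive(1, a, b)                   # initial learning of A and B
    bridge.receive(2, b, a)
    flooded = 0
    for i in range(frames):
        bogus = "02:ff:00:00:%02x:%02x" % (i >> 8, i & 0xFF)
        bridge.receive(3, bogus, a)
        if bridge.receive(1, a, b) == "flood":
            flooded += 1
        bridge.receive(2, b, a)
    return {"resets": bridge.resets, "flooded": flooded,
            "dropped": bridge.dropped}

if __name__ == "__main__":
    print("no limit:    ", simulate(LearningBridge(capacity=64)))
    print("limit 4/port:", simulate(LearningBridge(capacity=64, per_port_limit=4)))
```

Without a limit the table resets repeatedly and traffic between the two legitimate hosts is flooded after each reset; with the per-port limit the excess source addresses are dropped at the subscriber port and the table never overflows.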

What is Connection-Oriented Ethernet?
• High performance implementation of Carrier Ethernet
  - Used for P2P and P2MP metro and wide area networking
• Disables Ethernet bridging behavior
  - No Spanning Tree Protocol
  - No MAC address learning/flooding
• Ethernet paths (EVCs) provisioned by Mgmt. System
• Implementations use “label-based” frame forwarding
  - Ethernet / VLAN Tag Switching: C-VIDs + S-VIDs
  - PBB-TE: BMAC Address + B-VID
  - MPLS-TP: Pseudowire / LSP labels

Connection-Oriented Ethernet Security
• No MAC Address Learning / Flooding Vulnerabilities
  - Immune to MAC Address spoofing of Network Elements (NE)
  - Immune to MAC address table overflow DoS attacks in NEs
• No Spanning Tree Protocol (STP) Vulnerabilities
  - Immune to STP Denial of Service (DoS) attacks
• Doesn’t use IP protocols
  - Immune to IP protocol vulnerabilities and attacks
• Uses few Layer 2 protocols
  - Fewer protocols = Fewer network security vulnerabilities
COE provides security comparable to SONET or OTN networks

Security Vulnerabilities vs. Service Flexibility
COE vs. Connectionless (bridged) Ethernet (CLE)
[Figure: Security Vulnerabilities plotted against Service Flexibility for COE, CLE and EoS. Service Flexibility Ranking runs from Physical Port (least flexible) to Protocol (most flexible); Security Vulnerability Ranking runs from Physical Port (most secure) to Protocol (least secure). Services shown: EPL, EVPL, EVP-LAN, EVP-Tree, EP-Tree, EP-LAN.]
COE provides security comparable to Layer 1 networks while supporting the most popular Ethernet services