1
Security Best Practices for Carrier Ethernet Networks and Services
Ralph Santitoro MEF Director and Security Working Group Co-chair
2
Acknowledgement Special thanks to Peter Hayman and Steve Holmgren for their significant contributions to the MEF’s Carrier Ethernet security white paper and review comments on this presentation
3
Agenda
MEF Ethernet Service Classification
Security Vulnerability versus Service Flexibility
Service Provider and Enterprise Network Security Environments
Ethernet Threats and Vulnerabilities
  Which types of services are affected?
  Best practice mitigation techniques
Carrier Ethernet Security Pillars
Summary
4
MEF Ethernet Service Definition Classification

Service Type                          Port-Based (All-to-One Bundling)   VLAN-Based (Service Multiplexed)
E-Line (point-to-point EVC)           Ethernet Private Line (EPL)        Ethernet Virtual Private Line (EVPL)
E-LAN (multipoint-to-multipoint EVC)  Ethernet Private LAN (EP-LAN)      Ethernet Virtual Private LAN (EVP-LAN)
E-Tree (rooted-multipoint EVC)        Ethernet Private Tree (EP-Tree)    Ethernet Virtual Private Tree (EVP-Tree)

MEF services are classified into two categories:
  Port-based: single service instance per UNI (dedicated network resource)
  VLAN-based: multiple service instances per UNI (shared network resource)
5
Security Vulnerabilities versus Service Flexibility - Based on traffic separation techniques
Some Ethernet services are inherently more secure than others; traffic isolation/separation techniques play a key role.
Service flexibility ranking: Protocol (most flexible), Time or Wavelength, Physical Connection (least flexible)
Security ranking: Physical Connection (most secure), Time or Wavelength, Protocol (least secure)
(Figure: the services arranged along this axis from most flexible to most secure: EVP-LAN, EVP-Tree, EVPL, EP-LAN, EP-Tree, EPL)
6
Service Provider and Enterprise Comparison

Physical Access and Security
  Enterprise environment: mix of low-security common areas and restricted-access data centers and wiring closets
  Service provider environment: restricted-access buildings with electronic access cards and video surveillance
Mobility
  Enterprise environment: users can easily move PCs and laptops around, and even use wireless technology to roam
  Service provider environment: equipment and connections permanently installed and inventoried in a database to track any changes
Network Access Ports
  Enterprise environment: pervasive in the environment, typically enabled in most places
  Service provider environment: limited to physical network equipment only; generally disabled except when provisioned
Network Reachability
  Enterprise environment: may be partitioned into subnets or VLANs; Internet access through a firewall is generally accessible from anywhere
  Service provider environment: circuits provisioned by port as part of the customer network; no default network or Internet access
Wireless Access
  Enterprise environment: available in most places, sometimes with greater security than hard-wired ports
  Service provider environment: typically not available due to interference and security concerns
8
Port or VLAN Mirroring and Monitoring - Threat Scenario and Affected Services
(Figure: Customer Site A1 and Customer Site A2 connected through a provider switch with port mirroring enabled, copying traffic to an eavesdropper)
Threat Scenario: the eavesdropper gains control of a switch and enables mirroring so the subscriber's traffic can be monitored and copied
Ethernet Services affected: EVPL, EVP-LAN and EVP-Tree
  EPL unaffected since it is transported through dedicated transport, e.g., SDH
9
Port or VLAN Mirroring and Monitoring - Best Practices Threat Mitigation
(Figure: same scenario as the previous slide)
Best Practices Threat Mitigation:
  Deactivate all unused Ethernet ports
  Physical access control and secured network management access
Threat Assessment: Manageable
  Confined to the provider's network since it requires access to a physical port
  Tight physical access and network management access controls make hostile control of network equipment very difficult
10
MAC Address DoS / Eavesdropping Attack - Attack Scenario and Affected Services
(Figure: Customer Sites A1, A2 and A3 attached to a provider switch; the attacker's flood makes the MAC address table overflow and the forwarding table reset, so MAC addresses are flooded to all ports)
Attack Scenario: the attacker floods the network with many different MAC addresses
  MAC address tables overflow, resulting in MAC address flooding to all ports while the MAC forwarding table is reconstructed
  Result: service disrupted and flooded traffic monitored
Ethernet Services affected: EVP-LAN, EP-LAN, EVP-Tree and EP-Tree
11
MAC Address DoS / Eavesdropping Attack - Best Practices Threat Mitigation
(Figure: same scenario as the previous slide)
Best Practices Threat Mitigation:
  Limit the number of subscriber MAC addresses on a port
  Use tunneling technology (PBB) to tunnel MAC addresses
  Use a router (single MAC address) at the customer premises
Threat Assessment: Manageable
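The table overflow on the previous slide and the per-port MAC limit above, as an added Python simulation that is not part of the MEF presentation: a learning bridge with a bounded MAC table; without a limit the attacker's source MACs evict the legitimate entries and unicast between sites A1 and A3 is flooded to the attacker's port A2, while a per-port limit keeps the excess MACs out of the table. Port names, MAC values and table size are constructed.

```python
class LearningBridge:
    """Simplified learning bridge with a bounded MAC table and an optional
    per-port limit on learned MACs (the 'limit subscriber MAC addresses on a
    port' mitigation). Constructed for illustration; not a real switch model."""

    def __init__(self, ports, capacity, per_port_limit=None):
        self.ports = set(ports)
        self.capacity = capacity
        self.per_port_limit = per_port_limit
        self.table = {}          # mac -> port
        self.violations = {}     # port -> MACs refused by the per-port limit

    def _learn(self, mac, port):
        if mac in self.table:
            self.table[mac] = port
            return
        if self.per_port_limit is not None:
            on_port = sum(1 for p in self.table.values() if p == port)
            if on_port >= self.per_port_limit:
                self.violations[port] = self.violations.get(port, 0) + 1
                return           # excess MACs never reach the table
        if len(self.table) >= self.capacity:
            self.table.clear()   # overflow: table reset, every destination unknown again
        self.table[mac] = port

    def forward(self, src_mac, dst_mac, in_port):
        """Return the set of egress ports for one frame."""
        self._learn(src_mac, in_port)
        out = self.table.get(dst_mac)
        if out is None:
            return self.ports - {in_port}   # unknown unicast: flooded to every other port
        return set() if out == in_port else {out}


def flooding_scenario(per_port_limit=None, attacker_macs=1000):
    """Sites A1 and A3 talk while site A2 sends frames from many source MACs.
    Returns (A1->A3 frames that were also copied to A2, MACs refused on A2)."""
    br = LearningBridge(["A1", "A2", "A3"], capacity=100, per_port_limit=per_port_limit)
    a1, a3 = "00:00:00:00:00:01", "00:00:00:00:00:03"
    br.forward(a1, a3, "A1")
    br.forward(a3, a1, "A3")   # both legitimate MACs learned
    leaked = 0
    for i in range(attacker_macs):
        fake_src = "02:00:00:00:%02x:%02x" % (i // 256, i % 256)   # constructed attacker MAC
        br.forward(fake_src, "ff:ff:ff:ff:ff:ff", "A2")
        if "A2" in br.forward(a1, a3, "A1"):
            leaked += 1
    return leaked, br.violations.get("A2", 0)
```

With no limit the first reset happens once the 100-entry table fills, after which every A1-to-A3 frame is flooded to A2; with a limit of one MAC per port (the "router at the customer premises" case) nothing leaks.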
12
Spanning Tree Protocol DoS Attacks - Attack Scenario and Affected Services
(Figure: Customer Sites A1, A2 and A3; the STP attack from Customer Site A2 sends high volumes of BPDUs to the switch, causing processor overload that disrupts service)
Attack Scenario: a high volume of BPDUs overloads the switch, disrupting service
Ethernet Services affected: EVP-LAN and EP-LAN
13
Spanning Tree Protocol DoS Attacks - Best Practices Threat Mitigation
(Figure: same scenario as the previous slide)
Best Practices Threat Mitigation:
  Control plane policing to rate limit BPDU traffic to prevent DoS
  Discard BPDUs arriving from subscribers' ports
  Use L2CP tunneling technology, e.g., PBB, to tunnel subscribers' BPDUs
  BPDUs should only be exchanged between the provider's switches
Threat Assessment: Manageable
15
Carrier Ethernet Security Pillars
  Traffic Separation and Isolation
  Authentication of interconnected equipment
  Encryption of data in transit
  Inspection of data for threats
  OAM Security
The pillars address different security aspects of Carrier Ethernet networks and services.
16
Carrier Ethernet Security Pillars - Traffic Separation and Isolation
All customer traffic eventually traverses a shared transport network infrastructure, so subscriber traffic separation and isolation is required.
Traffic separation and isolation techniques are inherited from the transport network:
  Ethernet over SDH/SONET: TDM channels (temporal separation)
  Ethernet over λ: colors (wavelength separation)
  Provider Bridges (IEEE 802.1ad): S-VLAN Tag (protocol-based separation)
  Provider Backbone Bridges (IEEE 802.1ah): Provider MAC Address and VLAN Tag (protocol-based separation)
  MPLS Pseudowires: MPLS Label (protocol-based separation)
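Protocol-based separation with Provider Bridges (IEEE 802.1ad), as an added Python example that is not part of the MEF presentation: the UNI pushes an S-tag (TPID 0x88A8) in front of whatever C-tag the subscriber used, the provider bridge forwards on the S-VID alone, and the far UNI pops the S-tag again, so two subscribers using the same C-VLAN stay isolated. The service-to-port map and the MAC and VID values are constructed.

```python
import struct

TPID_S = 0x88A8   # IEEE 802.1ad service tag (S-tag)
TPID_C = 0x8100   # IEEE 802.1Q customer tag (C-tag)

def build_subscriber_frame(dst, src, c_vid, ethertype=0x0800, payload=b"data"):
    """Subscriber frame: MACs, a C-tag carrying c_vid, then ethertype and payload."""
    to_bytes = lambda mac: bytes(int(x, 16) for x in mac.split(":"))
    return (to_bytes(dst) + to_bytes(src) + struct.pack("!HH", TPID_C, c_vid)
            + struct.pack("!H", ethertype) + payload)

def push_s_tag(frame, s_vid, pcp=0):
    """UNI ingress: insert the S-tag right after the MAC addresses; the C-tag is untouched."""
    if not 1 <= s_vid <= 4094:
        raise ValueError("S-VID out of range")
    return frame[:12] + struct.pack("!HH", TPID_S, (pcp << 13) | s_vid) + frame[12:]

def pop_s_tag(frame):
    """UNI egress: strip the S-tag and hand the subscriber its original frame."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_S:
        raise ValueError("frame carries no S-tag")
    return frame[:12] + frame[16:]

def s_vid(frame):
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_S else None

def c_vid(frame):
    """C-VID as the subscriber sees it, whether or not an S-tag is present."""
    off = 16 if s_vid(frame) is not None else 12
    tpid, tci = struct.unpack("!HH", frame[off:off + 4])
    return tci & 0x0FFF if tpid == TPID_C else None

def provider_forward(frame, in_port, svid_ports):
    """Provider bridge: deliver only to the ports of the frame's S-VLAN (service instance).
    Simplified to flooding within the S-VLAN; real bridges also learn MACs per S-VLAN."""
    vid = s_vid(frame)
    if vid is None or vid not in svid_ports:
        return set()                      # untagged or unknown service instance: dropped
    return set(svid_ports[vid]) - {in_port}

# Constructed service map: S-VID 10 is subscriber X, S-VID 20 is subscriber Y.
SVID_PORTS = {10: {"uni-x1", "uni-x2"}, 20: {"uni-y1", "uni-y2"}}
```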
17
Carrier Ethernet Security Pillars - Authentication
Do I trust the device attached to the network? Do I trust the data ingressing the network?
Connection Authentication:
  IEEE 802.1X to authenticate the CE and establish a trust relationship between PE-1 and CE-1; controls what devices are permitted to access the network
  MACSec (IEEE 802.1AE) to authenticate packets exchanged between CE-1 and PE-1; controls what data is permitted to enter the network
18
Carrier Ethernet Security Pillars - Encryption
Provides secrecy of sensitive data in transit
Encryption is accomplished at different levels; most commonly it is provided at IP Layer 3
Ethernet and IP encryption standards:
  MACSec for Ethernet
  IPSec/SSL for IP
IPSec and MACSec provide for the identification of unauthorized connections and form a security infrastructure providing data confidentiality, data integrity and data origin authentication
19
Carrier Ethernet Security Pillars - Inspection
Enterprise subscribers need stored and in-transit data to be monitored to detect and thwart theft of information:
  Sensitive data such as credit card, bank account, social security and tax identification numbers, and patient health care information
  Copyrighted data such as music and movie files
Inspection technologies scan for unwanted traffic (malicious or otherwise)
  Optionally allows for blocking or rate limiting the unwanted traffic
Service providers can alert subscribers to threats (part of a managed security service) and contain (block) the threats before they can become widespread
Content inspection is typically performed at the application layer

When enterprises extend their switched networks across multiple locations, they increase the risk to their broader network because an infection at one site can traverse the WAN and infect other sites. To control malicious and unauthorized traffic moving between sites, service providers can insert inspection and intrusion detection as a value-added service to detect and prevent malicious and unwanted traffic from traversing from one site to another. Service attributes offered by service providers could include managed firewalls, intrusion prevention or even anti-virus. Service providers can often offer these as managed services to their subscribers less expensively than enterprises can do it themselves, because the infrastructure and personnel are shared across multiple subscribers.
20
Carrier Ethernet Security Pillars - OAM Security
OAM security at Data, Control and Management planes
  Ensure subscriber and service provider management frames do not "leak" into or trigger any unwanted OAM function in each other's network
  Provider's management frames must be separated from subscribers' data using, e.g., VLANs, SDH DCN, etc.
  Ensure only authenticated and authorized operations staff have access to the management plane of devices in the network
Ethernet OAM functions monitored, separated and confined
  Only desired OAM frames trigger appropriate OAM functions in NEs
  For example, all OAM packets are first authenticated as to their correct source and destination using IEEE 802.1X or MACSec
  Non-conforming frames are dropped to eliminate a potential DoS attack
Certain Ethernet service types, e.g., E-LAN, exchange L2CPs (L2 Control Protocols) between provider and subscriber NEs
  Only a limited set of subscribers' L2CPs (BPDUs) appropriate for the Ethernet service type is acted upon by the service provider's network elements
  Any L2CPs outside this limited set are tunneled or discarded per SLA
  Suspicious behavior of L2CPs requires action, e.g., rate-limiting and alarming
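The L2CP handling just described and the BPDU mitigations on the Spanning Tree slide (discard on subscriber ports, tunnel via PBB, control-plane policing with alarming), as an added Python model that is not part of the MEF presentation: a per-port policy decides whether an L2CP frame is peered, tunneled or discarded, and a token-bucket policer drops and alarms when the surviving L2CP rate looks suspicious. The per-service policy table is constructed for illustration and is not MEF's normative L2CP table; the three destination addresses are the standard IEEE 802.1 reserved ones.

```python
from collections import defaultdict

RESERVED_PREFIX = "01:80:c2:00:00:"   # IEEE 802.1 reserved multicast block for L2CPs
L2CP_BY_DST = {
    "01:80:c2:00:00:00": "STP",    # BPDUs (STP/RSTP/MSTP)
    "01:80:c2:00:00:02": "LACP",   # slow protocols
    "01:80:c2:00:00:0e": "LLDP",
}

# Constructed per-service handling of L2CPs arriving on a subscriber UNI
# ("tunnel" = carry across the provider network, e.g. via PBB; "discard" = drop).
# An illustration only, not MEF's normative L2CP requirements.
UNI_POLICY = {
    "EPL":     {"STP": "tunnel",  "LACP": "tunnel",  "LLDP": "tunnel"},
    "EP-LAN":  {"STP": "tunnel",  "LACP": "discard", "LLDP": "tunnel"},
    "EVPL":    {"STP": "discard", "LACP": "discard", "LLDP": "discard"},
    "EVP-LAN": {"STP": "discard", "LACP": "discard", "LLDP": "discard"},
}

class L2cpGuard:
    """Role/service based L2CP actions plus a per-port token-bucket policer
    for the L2CP frames that are allowed through (control-plane policing)."""

    def __init__(self, rate_pps, burst):
        self.rate, self.burst = rate_pps, burst
        self.buckets = {}                # port -> (tokens, last_seen)
        self.alarms = defaultdict(int)   # port -> times the policer tripped

    def _take_token(self, port, now):
        tokens, last = self.buckets.get(port, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1
        self.buckets[port] = (tokens - 1 if ok else tokens, now)
        return ok

    def ingress(self, port, role, service, dst_mac, now):
        dst_mac = dst_mac.lower()
        if not dst_mac.startswith(RESERVED_PREFIX):
            return "forward"             # ordinary subscriber data, not an L2CP
        proto = L2CP_BY_DST.get(dst_mac)
        if proto is None:
            return "discard"             # L2CP outside the recognised set: dropped
        if role == "NNI":                # provider-facing port: BPDUs are peered, but policed
            action = "peer"
        else:                            # subscriber UNI: never peered; tunnel or discard per SLA
            action = UNI_POLICY.get(service, {}).get(proto, "discard")
        if action == "discard":
            return "discard"
        if not self._take_token(port, now):
            self.alarms[port] += 1       # suspicious L2CP rate: drop the frame and alarm
            return "drop-ratelimited"
        return action
```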
21
Summary
All networking technologies have security threats and vulnerabilities
Through due diligence and security best practices, network operators can effectively manage them
Carrier Ethernet networks and services:
  Are as secure as other networking technologies
  Introduce new service flexibilities not possible or practical to deliver with other networking technologies
22
Questions?
23
For more information regarding joining the MEF:
For in-depth presentations of Carrier Ethernet for business, Ethernet services, technical overview, certification program etc., visit:
Visit us at:
Call us at: (California, USA)