© Copyright 2011 Fujitsu Network Communications, Inc. Carrier Ethernet Security Threats and Mitigation Best Practices Ralph Santitoro Director of Carrier.


1 Carrier Ethernet Security Threats and Mitigation Best Practices

Ralph Santitoro
Director of Carrier Ethernet Market Development
Ralph.Santitoro@us.Fujitsu.com

© Copyright 2011 Fujitsu Network Communications, Inc.

2 Current Best Practices: MAC Address Denial of Service (DoS) Attacks

Attack Scenario
- Attacker floods network with many different MAC addresses
- Network Element MAC address table overflows and resets
  - causing the MAC address learning process to occur again

Attacker Objective: Service Disruption

Services affected
- Any service using Ethernet bridging

Popular Best Practices Threat Mitigation
- Limit number of subscriber MAC addresses
- Use router (single MAC address) at customer premises
- Use tunneling technology (e.g., PBB) to tunnel MAC addresses
- Use 802.1X to authenticate CPE connecting to SP's network

There is a simpler, alternative approach to solving this problem

Santa Clara, CA USA | February 2011
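
The table-overflow scenario on this slide and its first mitigation (limit the number of subscriber MAC addresses), as an added simulation that is not part of the original presentation. The LearningBridge class, table size, port numbers and MAC addresses are constructed for illustration, and overflow is modeled as a full table reset, as the slide describes.

```python
class LearningBridge:
    """Toy model of a bridge's MAC learning table (hypothetical, for illustration)."""

    def __init__(self, table_size, per_port_limit=None):
        self.table_size = table_size          # total entries the table can hold
        self.per_port_limit = per_port_limit  # max learned MACs per port, None = unlimited
        self.table = {}                       # source MAC -> ingress port
        self.resets = 0                       # overflow-triggered table resets
        self.dropped = 0                      # frames rejected by the per-port limit

    def _learned_on(self, port):
        return sum(1 for p in self.table.values() if p == port)

    def learn(self, port, src_mac):
        """Process the source MAC of one ingress frame; return False if rejected."""
        if self.table.get(src_mac) == port:
            return True                       # already learned on this port
        if (self.per_port_limit is not None
                and self._learned_on(port) >= self.per_port_limit):
            self.dropped += 1                 # mitigation: refuse to learn more here
            return False
        if src_mac not in self.table and len(self.table) >= self.table_size:
            self.table.clear()                # overflow: table resets, relearning starts
            self.resets += 1
        self.table[src_mac] = port
        return True


def simulate(per_port_limit):
    """Six subscriber MACs on ports 1-3, then 5000 distinct source MACs on port 9."""
    bridge = LearningBridge(table_size=1024, per_port_limit=per_port_limit)
    # Constructed sample addresses, two hosts per subscriber port.
    subscribers = [(port, f"00:11:22:00:{port:02x}:{host:02x}")
                   for port in (1, 2, 3) for host in (1, 2)]
    for port, mac in subscribers:
        bridge.learn(port, mac)
    for i in range(5000):                     # constructed flood of unique addresses
        bridge.learn(9, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")
    still_learned = sum(1 for port, mac in subscribers
                        if bridge.table.get(mac) == port)
    return {"resets": bridge.resets, "dropped": bridge.dropped,
            "subscribers_still_learned": still_learned,
            "table_entries": len(bridge.table)}


if __name__ == "__main__":
    print("no limit      :", simulate(None))
    print("limit 4 / port:", simulate(4))
```

Without the limit the table resets repeatedly and every subscriber entry is lost; with the limit the flood is confined to its own port's quota and the subscriber entries are untouched.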

3 What is Connection-Oriented Ethernet?

- High performance implementation of Carrier Ethernet
  - Used for P2P and P2MP metro and wide area networking
- Disables Ethernet bridging behavior
  - No Spanning Tree Protocol
  - No MAC address learning/flooding
- Ethernet paths (EVCs) provisioned by Mgmt. System
- Implementations use "label-based" frame forwarding
  - Ethernet / VLAN Tag Switching: C-VIDs + S-VIDs
  - PBB-TE: BMAC Address + B-VID
  - MPLS-TP: Pseudowire / LSP labels

4 Connection-Oriented Ethernet Security

- No MAC Address Learning / Flooding Vulnerabilities
  - Immune to MAC Address spoofing of Network Elements (NE)
  - Immune to MAC address table overflow DoS attacks in NEs
- No Spanning Tree Protocol (STP) Vulnerabilities
  - Immune to STP Denial of Service (DoS) attacks
- Doesn't use IP protocols
  - Immune to IP protocol vulnerabilities and attacks
- Uses few Layer 2 protocols
  - Fewer protocols = Fewer network security vulnerabilities

COE provides security comparable to SONET or OTN networks

5 Security Vulnerabilities vs. Service Flexibility: COE vs. Connectionless (bridged) Ethernet (CLE)

[Figure labels: Security Vulnerabilities; Service Flexibility; COE; CLE; EoS; services EPL, EVPL, EVP-LAN, EVP-Tree, EP-Tree, EP-LAN. Service Flexibility Ranking: Protocol (most flexible), Physical Port (least flexible). Security Vulnerability Ranking: Physical Port (most secure), Protocol (least secure).]

COE provides security comparable to Layer 1 networks while supporting the most popular Ethernet services

