MPLS VPN Security

Book description

A practical guide to hardening MPLS networks 

  • Define "zones of trust" for your MPLS VPN environment

  • Understand fundamental security principles and how MPLS VPNs work

  • Build an MPLS VPN threat model that defines attack points, such as VPN separation, VPN spoofing, DoS against the network’s backbone, misconfigurations, sniffing, and inside attack forms

  • Identify VPN security requirements, including robustness against attacks, hiding of the core infrastructure, protection against spoofing, and ATM/Frame Relay security comparisons

  • Interpret complex architectures such as extranet access with recommendations of Inter-AS, carrier-supporting carriers, Layer 2 security considerations, and multiple provider trust model issues

  • Operate and maintain a secure MPLS core with industry best practices

  • Integrate IPsec into your MPLS VPN for extra security in encryption and data origin verification

  • Build VPNs by interconnecting Layer 2 networks with new available architectures such as virtual private wire service (VPWS) and virtual private LAN service (VPLS)

  • Protect your core network from attack by considering Operations, Administration, and Management (OAM) and MPLS backbone security incidents 

    Multiprotocol Label Switching (MPLS) is becoming a widely deployed technology, specifically for providing virtual private network (VPN) services. Security is a major concern for companies migrating to MPLS VPNs from existing VPN technologies such as ATM. Organizations deploying MPLS VPNs need security best practices for protecting their networks, specifically for the more complex deployment models such as inter-provider networks and Internet provisioning on the network.

    MPLS VPN Security is the first book to address the security features of MPLS VPN networks and to show you how to harden and securely operate an MPLS network. Divided into four parts, the book begins with an overview of security and VPN technology. A chapter on threats and attack points provides a foundation for the discussion in later chapters. Part II addresses overall security from various perspectives, including architectural, design, and operation components. Part III provides practical guidelines for implementing MPLS VPN security. Part IV presents real-world case studies that encompass details from all the previous chapters to provide examples of overall secure solutions.

    Drawing upon the authors’ considerable experience in attack mitigation and infrastructure security, MPLS VPN Security is your practical guide to understanding how to effectively secure communications in an MPLS environment.

    "The authors of this book, Michael Behringer and Monique Morrow, have a deep and rich understanding of security issues, such as denial-of-service attack prevention and infrastructure protection from network vulnerabilities. They offer a very practical perspective on the deployment scenarios, thereby demystifying a complex topic. I hope you enjoy their insights into the design of self-defending networks."

    —Jayshree V. Ullal, Senior VP/GM Security Technology Group, Cisco Systems®

    Table of contents

    1. Table of Contents (1/2)
    2. Table of Contents (2/2)
    3. Foreword
    4. Introduction
    5. Part I: MPLS VPN and Security Fundamentals
      1. Chapter 1 MPLS VPN Security: An Overview
        1. Key Security Concepts
        2. Other Important Security Concepts
        3. Overview of VPN Technologies
        4. Fundamentals of MPLS VPNs (1/2)
        5. Fundamentals of MPLS VPNs (2/2)
        6. A Security Reference Model for MPLS VPNs
        7. Summary
      2. Chapter 2 A Threat Model for MPLS VPNs
        1. Threats Against a VPN
        2. Threats Against an Extranet Site
        3. Threats Against the Core (1/2)
        4. Threats Against the Core (2/2)
        5. Threats Against the Internet
        6. Threats from Within a Zone of Trust
        7. Reconnaissance Attacks
        8. Summary
    6. Part II: Advanced MPLS VPN Security Issues
      1. Chapter 3 MPLS Security Analysis
        1. VPN Separation
        2. Robustness Against Attacks
        3. Hiding the Core Infrastructure
        4. Protection Against Spoofing
        5. Specific Inter-AS Considerations (1/2)
        6. Specific Inter-AS Considerations (2/2)
        7. Specific Carrier’s Carrier Considerations
        8. Security Issues Not Addressed by the MPLS Architecture
        9. Comparison to ATM/FR Security
        10. Summary
      2. Chapter 4 Secure MPLS VPN Designs
        1. Internet Access
        2. Extranet Access
        3. MPLS VPNs and Firewalling
        4. Designing DoS-Resistant Networks (1/2)
        5. Designing DoS-Resistant Networks (2/2)
        6. Inter-AS Recommendations and Traversing Multiple Provider Trust Model Issues (1/3)
        7. Inter-AS Recommendations and Traversing Multiple Provider Trust Model Issues (2/3)
        8. Inter-AS Recommendations and Traversing Multiple Provider Trust Model Issues (3/3)
        9. Carriers’ Carrier
        10. Layer 2 Security Considerations
        11. Multicast VPN Security
        12. Summary
      3. Chapter 5 Security Recommendations
        1. General Router Security (1/5)
        2. General Router Security (2/5)
        3. General Router Security (3/5)
        4. General Router Security (4/5)
        5. General Router Security (5/5)
        6. CE-Specific Router Security and Topology Design Considerations
        7. PE-Specific Router Security
        8. PE Data Plane Security
        9. PE-CE Connectivity Security Issues
        10. P-Specific Router Security
        11. Securing the Core
        12. Routing Security (1/2)
        13. Routing Security (2/2)
        14. CE-PE Routing Security Best Practices (1/2)
        15. CE-PE Routing Security Best Practices (2/2)
        16. Internet Access
        17. Sharing End-to-End Resources
        18. LAN Security Issues
        19. IPsec: CE to CE
        20. MPLS over IP Operational Considerations: L2TPv3
        21. Securing Core and Routing Check List
        22. Summary
    7. Part III: Practical Guidelines to MPLS VPN Security
      1. Chapter 6 How IPsec Complements MPLS
        1. IPsec Overview
        2. Location of the IPsec Termination Points (1/2)
        3. Location of the IPsec Termination Points (2/2)
        4. Deploying IPsec on MPLS
        5. Using Other Encryption Techniques
        6. Summary
      2. Chapter 7 Security of MPLS Layer 2 VPNs
        1. Generic Layer 2 Security Considerations
        2. C2 Ethernet Topologies
        3. C3 VPLS Overview
        4. C4 VPWS Overview
        5. C5 VPLS and VPWS Service Summary and Metro Ethernet Architecture Overview
        6. C6 VPLS and VPWS Security Overview
        7. Customer Edge (1/2)
        8. Customer Edge (2/2)
        9. Summary
      3. Chapter 8 Secure Operation and Maintenance of an MPLS Core
        1. Management Network Security
        2. Securely Managing CE Devices
        3. Securely Managing the Core Network
        4. Summary
    8. Part IV: Case Studies and Appendixes
      1. Chapter 9 Case Studies
        1. Internet Access
        2. Multi-Lite VRF Mechanisms
        3. Layer 2 LAN Access
        4. Summary
    9. Appendix A: Detailed Configuration Example for a PE (1/2)
    10. Appendix A: Detailed Configuration Example for a PE (2/2)
    11. Appendix B: Reference List
    12. Index
      1. A
      2. B
      3. C
      4. D
      5. E
      6. F
      7. G
      8. H
      9. I
      10. K–L
      11. M
      12. N
      13. O–P
      14. R
      15. S
      16. T
      17. U–V
      18. W–Z

    Product information

    • Title: MPLS VPN Security
    • Author(s): Michael H. Behringer, Monique J. Morrow
    • Release date: June 2005
    • Publisher(s): Cisco Press
    • ISBN: 1587051834