Carrier Ethernet Security Threats and Mitigation Best Practices

homuskrat - Networks and Communications

20 Nov 2013

© Copyright 2011 Fujitsu Network Communications, Inc.

Carrier Ethernet Security Threats
and Mitigation Best Practices

Ralph Santitoro

Director of Carrier Ethernet Market Development

Ralph.Santitoro@us.Fujitsu.com


Current Best Practices

MAC Address Denial of Service (DoS) Attacks

- Attack Scenario
  - Attacker floods the network with many different MAC addresses
  - The Network Element's MAC address table overflows and resets, causing the MAC address learning process to occur again
  - Attacker objective: service disruption
- Services affected
  - Any service using Ethernet bridging
- Popular Best Practices Threat Mitigation
  - Limit the number of subscriber MAC addresses
  - Use a router (single MAC address) at the customer premises
  - Use a tunneling technology (e.g., PBB) to tunnel MAC addresses
  - Use 802.1X to authenticate CPE connecting to the SP's network
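To make the attack scenario and the first mitigation concrete, here is an added Python model (not code from the Fujitsu deck) of a bridge's MAC learning table. Table capacity, port numbers, MAC addresses and the "overflow then flush" behaviour are constructed to keep the effect visible; real switches have much larger tables and vendor-specific overflow handling. The model runs the same constructed traffic twice, once without and once with a per-port MAC limit, and includes a simple detection check that flags a port on which too many distinct source MACs have appeared.

```python
"""Model of a bridge's MAC learning table: overflow vs. a per-port MAC limit.

Added example, not from the Fujitsu deck. Capacity, ports, MACs and the
overflow behaviour are constructed; real network elements differ.
"""

PORTS = (1, 2, 3)        # constructed: ports 1 and 2 carry legitimate hosts, port 3 the flood
TABLE_CAPACITY = 8       # constructed: tiny table so overflow happens within a few frames


class BridgeTable:
    def __init__(self, capacity=TABLE_CAPACITY, per_port_limit=None):
        self.capacity = capacity
        self.per_port_limit = per_port_limit   # None = no mitigation configured
        self.table = {}        # learned source MAC -> ingress port
        self.resets = 0        # times the table overflowed and was flushed
        self.violations = {}   # port -> MACs refused by the per-port limit

    def port_count(self, port):
        return sum(1 for p in self.table.values() if p == port)

    def learn(self, src_mac, port):
        """Learn src_mac on port; returns False if the per-port limit refused it."""
        if src_mac in self.table:
            self.table[src_mac] = port          # refresh an existing entry
            return True
        if self.per_port_limit is not None and self.port_count(port) >= self.per_port_limit:
            self.violations[port] = self.violations.get(port, 0) + 1
            return False
        if len(self.table) >= self.capacity:
            # Overflow behaviour the deck describes: the table resets and learning starts over
            self.table.clear()
            self.resets += 1
        self.table[src_mac] = port
        return True

    def forward(self, dst_mac, in_port):
        """Egress ports for a frame: a single port if dst is known, otherwise flood."""
        out = self.table.get(dst_mac)
        if out is not None and out != in_port:
            return [out]
        return [p for p in PORTS if p != in_port]


def build_sample_frames():
    """Constructed (src_mac, ingress_port) sequence: two hosts, then 20 distinct MACs on port 3."""
    frames = [("00:00:00:00:00:01", 1), ("00:00:00:00:00:02", 2)]
    frames += [(f"02:aa:aa:aa:aa:{i:02x}", 3) for i in range(20)]
    frames.append(("00:00:00:00:00:01", 1))   # host 1 talks again after the burst
    return frames


def run(frames, per_port_limit=None):
    bt = BridgeTable(per_port_limit=per_port_limit)
    for src_mac, port in frames:
        bt.learn(src_mac, port)
    return bt


def flag_flooding_ports(frames, max_macs=5):
    """Detection check: ports on which more than max_macs distinct source MACs appeared."""
    seen = {}
    for src_mac, port in frames:
        seen.setdefault(port, set()).add(src_mac)
    return sorted(p for p, macs in seen.items() if len(macs) > max_macs)


if __name__ == "__main__":
    for limit in (None, 2):
        bt = run(build_sample_frames(), per_port_limit=limit)
        print(f"per-port limit={limit}: resets={bt.resets}, entries={len(bt.table)}, "
              f"refused={bt.violations}, frames for host 2 egress on {bt.forward('00:00:00:00:00:02', 1)}")
    print("ports exceeding distinct-MAC threshold:", flag_flooding_ports(build_sample_frames()))
```

Without the limit the table is flushed twice during the burst, host 2's entry is lost, and frames addressed to it are flooded out of every other port until it is relearned. With a limit of two MACs on the subscriber port, the flood is refused at port 3, the table never resets, and the legitimate entries survive; the refusal counter on that port is also the natural thing to alarm on.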


Santa Clara, CA USA | February 2011


There is a simpler, alternative approach to solving this problem


What is Connection-Oriented Ethernet?

- High-performance implementation of Carrier Ethernet
- Used for P2P and P2MP metro and wide area networking
- Disables Ethernet bridging behavior
  - No Spanning Tree Protocol
  - No MAC address learning/flooding
  - Ethernet paths (EVCs) provisioned by the management system
- Implementations use "label-based" frame forwarding
  - Ethernet / VLAN Tag Switching: C-VIDs + S-VIDs
  - PBB-TE: B-MAC address + B-VID
  - MPLS-TP: Pseudowire / LSP labels
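The following added Python model (not Fujitsu's code) shows what "label-based forwarding with no learning" means for the VLAN tag switching variant above: the forwarding table is keyed on (ingress port, S-VID, C-VID), it is populated only by a provisioning call standing in for the management system, and a frame whose tags match no provisioned EVC is dropped rather than flooded. Port numbers, VIDs and MAC addresses are constructed. PBB-TE and MPLS-TP use different label fields (B-MAC + B-VID, pseudowire/LSP labels) but the same provisioned-lookup pattern; this example models only the VLAN tag case.

```python
"""Model of connection-oriented Ethernet forwarding (VLAN tag switching on C-VID + S-VID).

Added example, not from the Fujitsu deck. EVCs are provisioned, never learned,
so unexpected frames cannot change forwarding state. Ports, VIDs and MACs are constructed.
"""


class CoeForwarder:
    def __init__(self):
        # (ingress port, S-VID, C-VID) -> (egress port, S-VID, C-VID); installed by provisioning only
        self.evcs = {}
        self.forwarded = 0
        self.dropped = 0

    def provision_evc(self, a_port, a_svid, a_cvid, z_port, z_svid, z_cvid):
        """Management-system action: install a bidirectional point-to-point EVC."""
        self.evcs[(a_port, a_svid, a_cvid)] = (z_port, z_svid, z_cvid)
        self.evcs[(z_port, z_svid, z_cvid)] = (a_port, a_svid, a_cvid)

    def forward(self, in_port, s_vid, c_vid, src_mac, dst_mac):
        """Label lookup on (port, S-VID, C-VID); the MAC addresses are carried but never examined."""
        path = self.evcs.get((in_port, s_vid, c_vid))
        if path is None:
            self.dropped += 1          # no EVC provisioned here: drop, do not flood, do not learn
            return None
        self.forwarded += 1
        out_port, out_svid, out_cvid = path
        return (out_port, out_svid, out_cvid)   # tags rewritten to the egress label


def demo():
    fwd = CoeForwarder()
    fwd.provision_evc(1, 100, 10, 2, 200, 10)     # constructed EVC: port 1 <-> port 2
    entries_before = len(fwd.evcs)

    # Legitimate frame on the provisioned EVC
    legit = fwd.forward(1, 100, 10, "00:00:00:00:00:01", "00:00:00:00:00:02")

    # 20 frames with distinct source MACs on port 3, where no EVC exists: all dropped
    for i in range(20):
        fwd.forward(3, 100, 10, f"02:aa:aa:aa:aa:{i:02x}", "ff:ff:ff:ff:ff:ff")

    # The same burst on port 1 with matching tags rides the EVC; forwarding state is unchanged
    for i in range(20):
        fwd.forward(1, 100, 10, f"02:bb:bb:bb:bb:{i:02x}", "ff:ff:ff:ff:ff:ff")

    return {
        "legit_path": legit,
        "dropped": fwd.dropped,
        "forwarded": fwd.forwarded,
        "state_changed": len(fwd.evcs) != entries_before,
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the run is the last field: after forty frames carrying forty different source MACs the EVC table still holds exactly the two entries provisioning installed. A burst that would flush a bridge's learning table leaves a connection-oriented forwarder's state untouched; it can at most consume bandwidth on the one EVC it is allowed to use.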




Connection-Oriented Ethernet Security

- No MAC address learning / flooding vulnerabilities
  - Immune to MAC address spoofing of Network Elements (NEs)
  - Immune to MAC address table overflow DoS attacks in NEs
- No Spanning Tree Protocol (STP) vulnerabilities
  - Immune to STP Denial of Service (DoS) attacks
- Doesn't use IP protocols
  - Immune to IP protocol vulnerabilities and attacks
- Uses few Layer 2 protocols
  - Fewer protocols = fewer network security vulnerabilities



COE provides security comparable to SONET or OTN networks


Security Vulnerabilities vs. Service Flexibility

COE vs. Connectionless (bridged) Ethernet (CLE)

[Figure: Ethernet service types plotted on two axes, Security Vulnerabilities against Service Flexibility. Service Flexibility Ranking: Protocol (most flexible) down to Physical Port (least flexible). Security Vulnerability Ranking: Physical Port (most secure) down to Protocol (least secure). Services shown: EPL, EVPL, EVP-LAN, EVP-Tree, EP-Tree, EP-LAN, placed in COE, CLE and EoS regions.]

COE provides security comparable to Layer 1 networks while supporting the most popular Ethernet services