To effectively launch certain types of attacks, a hacker usually needs some knowledge about the network topology or hardware used. The technique that gathers this type of information is called reconnaissance. Reconnaissance on its own is, in many environments, not a threat, but the intelligence found by employing it is often used later to attack a system or network. So, the threat of reconnaissance attacks is mostly an indirect one: after the network has been scanned, this information is used subsequently for attacks.
Reconnaissance attacks often go undetected for a considerable time because they usually have no impact on the network. At best, this type of activity may show up in some log files, but often it is not noticed.
It is good current practice to make networks and devices as "stealth" as possible, to make gathering information harder for potential attackers.
In the MPLS context, the core is already, to a large extent, hidden from the outside, as shown in Chapter 3. So by default, only the PE-peering addresses are visible from the outside. These interfaces should be protected with ACLs so that the PE router neither accepts packets targeted at the core nor sends any response. This hides the core and makes reconnaissance from outside the network very difficult.
VPN-specific infrastructure ACLs, which prevent the PEs from being targeted from the VPN, can be complicated depending on the addressing scheme used for all the CE-PE links in a VPN. Each PE, on the interface to each CE of a VPN, needs a deny statement for all PE addresses reachable from that VPN. See Chapter 5, "Security Recommendations."
There are two exceptions to this overall rule:
Although reconnaissance is not a direct threat, it enables further attacks and should therefore be taken seriously. Also, depending on the way the reconnaissance is carried out, it might consume resources on the core routers, and in the worst case lead to a DoS attack against a core device. For all those reasons, an MPLS core should be operated as a "black box," that is, without giving any information about itself to outsiders. The most effective way of doing this is by using infrastructure ACLs, described in detail in Chapter 5, "Security Recommendations," which block all access from the outside into the core.
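As an added illustration of the VPN-specific infrastructure ACL described above (this is example configuration written for this section, not taken from the book or from any vendor document), the following Cisco IOS fragment shows one PE's inbound ACL on a single CE-facing interface. All addresses are constructed from the RFC 5737 documentation ranges; it assumes an eBGP session between CE and PE on the link 192.0.2.0/30 (PE 192.0.2.1, CE 192.0.2.2), a second PE serving the same VRF whose CE-facing link address 192.0.2.5 is reachable from this VPN, and a VRF named CustA.

```ios
! Example only: constructed addresses, assumed VRF name "CustA" and assumed CE-PE eBGP.
! Applied inbound on the PE interface that faces one CE of the VPN. The goal from the
! text: the PE must not accept packets targeted at PE addresses reachable from this VPN
! and must not answer them, while legitimate customer traffic still flows.
ip access-list extended VPN-CUSTA-INFRA
 ! The CE-PE routing session is the one thing that must still reach the PE's own link
 ! address, so it is permitted before the deny lines (both session directions).
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
 ! One deny per PE address reachable from this VRF: this PE's link address and the
 ! link address of every other PE that serves the VPN. If any PE loopback has been
 ! leaked into the VRF (for example for management), it needs a deny line here too.
 deny   ip any host 192.0.2.1
 deny   ip any host 192.0.2.5
 ! Everything else is customer traffic destined for other VPN sites; let it through.
 permit ip any any
!
interface GigabitEthernet0/1
 description CE link, VRF CustA
 ip vrf forwarding CustA
 ip address 192.0.2.1 255.255.255.252
 ip access-group VPN-CUSTA-INFRA in
```

Adding the `log` keyword to the deny lines gives a detection signal for scans aimed at PE addresses, but ACL logging costs router CPU, so it should only be enabled together with the platform's ACL logging rate limits. The deny list must be revisited whenever a PE is added to or removed from the VPN, which is why the text calls this approach complicated.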