1. Home
  2. Networking
  3. Mpls VPN security

Chapter 5. Security Recommendations

In this chapter, you learn about the following:

  • Security recommendations for network elements

  • General router security measures

  • Security recommendations for the core network

  • IGP routing security recommendations

  • Operational considerations for MPLS over IP

In this chapter, we recommend security measures for every router and progress to customer edge, core infrastructure, and provider edge security mechanisms. The reader will find a full provider edge configuration example in Appendix A with a clarification of key security explanations.

In any network, security considerations devolve into essentially two areas of focus, this first area being compromises that can be either accidental or deliberate. Accidental compromises can occur as a result of misconfigurations or by anticipated changes in the network. Alternatively, compromises can be deliberate, such as attacks by some miscreant entity determined to cause havoc. In either case, the risk vectors are either external, such as issues driven by events external to the network in question, or internal, such as problems that are sourced from within the network itself.

The methods used to accomplish the compromises are the second area of focus. Most security-related problems fall into the categories of Denial of Service (DoS) or intrusion in any network. Security considerations devolve into essentially two sets of two types of issues. Compromises are either of the following:

  • Accidental? Problems that occur due to misconfigurations or anticipated changes in the network

  • Deliberate? Attacks by some entity bent on causing havoc

The risk factors of these compromises are either external (issues driven by events external to the network in question) or internal (problems sourced from within the network itself). Additionally, most security-related problems fall into two categories:

  • Denial of Service (DoS)? These events may be intentional or accidental.

  • Reconnaisance? These issues by definition are intentional.

It is essential to harden the network components and the entire system to minimize the likelihood of any of these scenarios. However, as with all resource-consuming features, you must strike a balance between maximizing security and offering the performance and usability the service is intended to provide. Clearly, a completely disconnected host or router has total security; however, its ability to forward data or provide services is substantially compromised.

The state of the network from an availability and security viewpoint may also differ with respect to the perspective of the interested party. That is, the concerns of the service provider and the customer intersect, but they do not completely overlap. Indeed, the perspective of the current status of the network may not be identical for the two parties.



    		Part I: MPLS VPN and Security Fundamentals
    		Part II: Advanced MPLS VPN Security Issues
    		Chapter 3. MPLS Security Analysis
    		Chapter 4. Secure MPLS VPN Designs
    		Chapter 5. Security Recommendations
    		General Router Security
    		CE-Specific Router Security and Topology Design Considerations
    		PE-Specific Router Security
    		PE Data Plane Security
    		PE-CE Connectivity Security Issues
    		P-Specific Router Security
    		Securing the Core
    		Routing Security
    		CE-PE Routing Security Best Practices
    		Internet Access
    		Sharing End-to-End Resources
    		LAN Security Issues
    		IPsec: CE to CE
    		MPLS over IP Operational Considerations: L2TPv3
    		Securing Core and Routing Check List
    		Summary
    		Part III: Practical Guidelines to MPLS VPN Security
    		Part IV: Case Studies and Appendixes