Security of the management network is critical because breaching the NOC network fundamentally exposes all customer VPNs that are reachable by the NOC. When securing the NOC, recall the principles highlighted in the previous chapters:
Do not permit packets into your core.
Secure the routing protocol.
Design for transit traffic.
From a NOC perspective, several attack vectors undermine service provider security and control: bandwidth hijacking; attacks against the infrastructure; distributed denial of service (DDoS) attacks against customers; worms, viruses, and botnets; and reflection attacks.
A NOC team can establish a service provider security framework that serves as the foundation for its lines of defense, together with a variety of tools that can be applied within that framework.
Figure 8-1 depicts an example of a service provider security framework that highlights roles, services, planes, and threat vectors. (Examples of roles are endpoints, customer premises equipment, access, aggregation, core, and so on.) These roles are further correlated to services such as voice, video, data, security, hosting, and metro, to name a few. Examples of planes include data, control, management, and services; in Figure 8-1, these are color-coded and aligned with threat areas such as reconnaissance and DDoS.
Figure 8-2 provides an overview of a security service architecture and maps the architecture with the Cisco-specific toolkit applications that the NOC can use.
With the example of a service provider security framework, we can proceed to explore the operations factors for MPLS security. In OAM, we are fundamentally concerned with the Fault, Configuration, Accounting, Performance, and Security (FCAPS) model. The remainder of this chapter focuses on security.