In this chapter, you learn about the following:
How a threat model is constructed
Which threats exist against a VPN, the core, an extranet, and the Internet
Specific threats in an Inter-AS and CsC environments
How threats within one zone and reconnaissance attacks are classified
To be able to evaluate MPLS security, it is necessary to define a threat model for the various zones of trust. This chapter uses the zones of trust that were defined in Chapter 1 and outlines the threats against those zones. Later in this book, MPLS VPN security is analyzed based on this threat model, and mechanisms are discussed to defend against the threats.
A complete threat model (for example, one designed for use as a security policy) must identify threats from outside and inside a trusted zone. This is because, in practice, many threats come from the inside. For example, a thief might come from the outside of an office building, but more frequently in many enterprises, thefts occur by internal trusted staff members. Therefore, a complete threat model must consider both internal and external threats.
For the analysis of MPLS VPNs, however, only threats from the outside of a trusted zone are relevant, because internal threats are, in most cases, independent of the VPN architecture. A virus, for example, can propagate independently within a bank's VPN (within the trusted zone), whether the bank is using ATM or MPLS VPNs. It must, however, be examined whether such a virus could also intrude from another VPN or from the Internet.
In the example of the office building, this means that when analyzing the security of the building itself, internal thefts can be ignored. Translated to the networking world, this means that someone executing attacks on a LAN (for example, with tools such as ARP spoofing) can do so independently of whether the site attacked is connected via MPLS to the other VPN sites or via Frame Relay.
In the following sections, threats are viewed from each of the trusted zones and are explained.