Analysis of Sources of Information Security Threats to MPLS-Based VPRNs

The leading Internet-service providers build the majority of virtual private networks as virtual private routed networks (VPRNs), i.e., based on multipleprotocol label switching (MPLS) networks. This decision is preferred over IPSec-based VPNs because of advantages of VPRNs in flexibility of quality-of-service, scalability, effectiveness of bandwidth usage, etc. The experience in VPRN designing and putting into operation has shown that analysis of information security threats should be conducted in all three security planes: network management, connection (signaling) control, end user activities (data). Certain schemes of interaction of virtual private networks in the environment with devices of the other network areas (VPRN technologies) are characteristic of different corporative VPRNs. The results of studying the information-security vulnerability to penetration threats and denial-of-service attacks of a trespasser are presented for six most characteristic corporative VPRN topologies. Sources of the information security violation are given. It is shown that some probable threats take place in the operated VPRNs. A mechanism implemented in the certain corporative VPRNs for protection against these threats is offered.

References

[1] Oliveyn V. Struktura i realizatsiya sovremennoy tekhnologii [The structure and implementation of modern technologies MPLS]. Moscow, Vil’yams Publ., 2004. 480 p.

[2] Gol’dshteyn F.B., Gol’dshteyn B.S. Tekhnologiya i protokoly MPLS [Technology and MPLS protocols]. St. Petersburg, BKhV-Peterburg Publ., 2005. 304 p.

[3] ITU-T Recommendation X.805. Security architecture for system providing end-to-end communication, 2003.

[4] Rosen E., Rekhter Y. RFC 4364, BGP/MPLS IP virtual private networks (VPNs), 2006.

[5] Fang L. Interprovider IP-MPLS services: requirements, implementations, and challenges. IEEE Commun. Mag., 2005, no. 5, pp. 119-128.

[6] Bel’fer R.A. Seti i sistemy svyazi (tekhnologii, bezopasnost’): elektronnoe uchebnoe izdanie [Networks and communication systems (technologies, security): electronic textbook]. Moscow, MGTU im. N.E. Baumana Publ., 2012. 738 p.

[7] Olifer V.G., Olifer N.A. Komp’yuternye seti [Computer networks]. St. Petersburg, Piter Publ., 2006. 997 p.

[8] Michael H.B., Monique J.M. MPLS VPN security. Cisco Press, 2005. 312 p.

[9] Rong Ren, Deng-Guo Feng, Ke Ma. A detailed implement and analysis of MPLS VPN based on IPSec. Proc. 3d Int. Conf. Mach. Learn. Cybern. Shanghai, 2004, pp. 2779-2783.

[10] Mu Zhang, ZhongPing Tao. Application research of MPLS VPN all-in-one campus card network based on IPSec, 4th Int. Conf. Comput. Inf. Sci., 2012, pp. 872-875.

[11] Pezeshki J. Performance implications of instantiating IPSec over BGP enabled RFC 4364 VPNS, IEEE Proc., 2007, pp. 1-7.

[12] Stallings W. Network security essentials: applications and standards. Prentice Hall Press, 2001. 432 p. (Russ. ed.: Stollings V. Osnovy zashchity setey. Prilozheniya i standarty. Moscow, Vil’yams Publ., 2002. 324 p.).

[13] Bel’fer R.A. VPN MPLS security threats in the area between neighboring routers and IPSec protection. Elektrosvyaz’ [Telecommunications], 2013, no. 4, pp. 25-27 (in Russ).

[14] Bonica R., Rekhter Y., Raszuk R., Rosen E., Tappa D. CE-to-CE member verification for layer 3 VPNs. Available at: http://tools.ietf.org/id/draft-ietf-l3vpn-auth-00.txt (accessed: 28 February 2003).

[15] Behringer M., Guichard J., Marques P. Layer 3 VPN import/export verification. Available at: http://tools.ietf.org/id/draft-ietf-l3vpn-vpn-verification-00.txt (accessed: 22 March 2005).