At present, edge routers are widely used, and there are also many problems with them. So I studied the security of MPLS-based VPN technology in edge routers, and I would like to share the results here in the hope that they are useful to you. If an enterprise deploys a Multi-Protocol Label Switching (MPLS)-based managed Virtual Private Network (VPN) service, it not only gets a high-quality service and greatly reduces cost, it also enjoys security equivalent to Frame Relay and ATM technologies. As Cisco suggests, and as Cisco Powered Network service providers have implemented, a well-designed and well-deployed provider MPLS network can prevent or mitigate DoS, spoofing and other common attacks.
There are several misunderstandings about the security of MPLS technology. The biggest is that MPLS is insecure because it is IP-based. In fact, MPLS provides many functions that enhance security over a plain IP network, including route isolation, data isolation, packet filtering, and hiding of the network.
Another misunderstanding is that a service provider's customers can intrude into each other's VPNs. In fact, this is simply impossible, because an MPLS VPN completely isolates different customers from each other. The third misunderstanding is that an MPLS VPN is vulnerable to external DoS attacks. This is also wrong. A pure MPLS VPN network is extremely secure, and if the provider edge router provides only VPN access while Internet access is provided elsewhere in the MPLS core, DoS attacks can be effectively prevented. Another common concern is that even a provider edge router dedicated to the VPN service is vulnerable to DoS attacks. Although this is theoretically correct, the problem has not been encountered in practice, because such attackers are easy to detect and disconnect.
No need to renumber addresses
A managed VPN service does not require major changes to the enterprise's intranet, desktops, or servers. Most enterprises use a private IP address plan, and for cost and security reasons they want to keep the original plan when moving to the shared network environment of a managed IP VPN service. MPLS allows different VPNs to use the same address space (RFC 1918). Because each IPv4 route is prefixed with a 64-bit route distinguisher, even an address shared by two customers is unique in the MPLS core. Each VPN customer and the MPLS core itself can use the entire IPv4 address space completely independently.
Routing and data separation
MPLS implements route separation in two ways. The first is to assign each VPN its own VPN routing and forwarding (VRF) instance. Each VRF on the provider edge router holds only the routes of one VPN; these routes can be configured statically or learned from a routing protocol running between the provider edge router and the customer edge router. The second is that Multiprotocol BGP (MP-BGP) carries a unique VPN identifier, the route distinguisher, with each route. MP-BGP exchanges VPN routes between the relevant provider edge routers and stores the routing information in the VPN-specific VRF. For each VPN, the routes on the MPLS network are therefore separated from those of every other VPN.
An MPLS VPN achieves layer-3 data separation through separate per-VPN forwarding tables. Forwarding within the service provider's core is based on labels: MPLS sets up a label switched path (LSP) between the ingress and egress provider edge routers. A packet can only enter a VPN through the provider edge router interface associated with that VPN, and the ingress interface determines which forwarding table the router uses. This separation of address plans, routes, and data is what lets an MPLS VPN achieve security equivalent to a Frame Relay or ATM VPN.
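The route separation described above depends on the 64-bit route distinguisher (RD) that MP-BGP prepends to each IPv4 prefix. The following added example (not code from the original article) encodes RDs in the RFC 4364 wire format and shows that two customers announcing the same RFC 1918 prefix produce distinct VPN-IPv4 entries. The RD values and next-hop names are constructed for illustration.

```python
import ipaddress
import struct

# Route distinguisher (RFC 4364): 2-byte type field + 6-byte value.
#   type 0: 2-byte ASN : 4-byte assigned number   (e.g. "65000:1")
#   type 1: 4-byte IPv4 address : 2-byte number    (e.g. "192.0.2.1:10")

def encode_rd(rd: str) -> bytes:
    """Encode an 'administrator:number' RD string into its 8-byte wire form."""
    admin, number = rd.rsplit(":", 1)
    if "." in admin:                                   # type 1: IPv4 administrator
        return struct.pack("!HIH", 1, int(ipaddress.IPv4Address(admin)), int(number))
    return struct.pack("!HHI", 0, int(admin), int(number))   # type 0: ASN administrator

def vpnv4_key(rd: str, prefix: str) -> bytes:
    """RD + IPv4 network = the 96-bit VPN-IPv4 address; the prefix length is
    appended so different-length prefixes under one RD stay distinct."""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + net.network_address.packed + bytes([net.prefixlen])

def build_vpnv4_table(adverts):
    """Simulated PE MP-BGP table: one entry per (RD, prefix) pair."""
    return {vpnv4_key(rd, prefix): next_hop for rd, prefix, next_hop in adverts}

def build_plain_ipv4_table(adverts):
    """What a plain IPv4 table would hold: overlapping prefixes collide."""
    return {prefix: next_hop for _, prefix, next_hop in adverts}

def lookup_vpnv4(table, rd: str, prefix: str):
    return table.get(vpnv4_key(rd, prefix))

# Constructed advertisements: two customers reuse 10.1.0.0/16 behind different PEs.
ADVERTS = [
    ("65000:1", "10.1.0.0/16", "PE2"),   # customer A, RD 65000:1
    ("65000:2", "10.1.0.0/16", "PE3"),   # customer B, RD 65000:2, same prefix
    ("65000:1", "10.2.0.0/16", "PE1"),   # customer A, second site
]

if __name__ == "__main__":
    vpnv4 = build_vpnv4_table(ADVERTS)
    plain = build_plain_ipv4_table(ADVERTS)
    print("VPN-IPv4 entries:", len(vpnv4), "plain IPv4 entries:", len(plain))
    for rd in ("65000:1", "65000:2"):
        print(rd, "10.1.0.0/16 ->", lookup_vpnv4(vpnv4, rd, "10.1.0.0/16"))
```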
Hiding the core
Hiding the MPLS core network makes attacks harder. The main methods are packet filtering and exposing no network information beyond the edge. Packet filtering prevents exposure of a VPN customer's internal network information and of the MPLS core. Because only the provider edge router holds VPN-specific information, the internal network topology never needs to be disclosed. The service provider need only expose the IP address of the provider edge router, and only where a dynamic routing protocol runs between the provider edge and the customer edge.
With dynamic routing, a customer VPN must disclose its routes to the MPLS network, but this does not reduce security, because the core learns only network routes, not host-specific routes. Because the provider network exposes no address information to third parties or the Internet, the MPLS VPN environment can completely block attacks launched from outside. In a VPN service that also provides Internet access, the service provider can use Network Address Translation (NAT) for the routes it announces. Even then, the amount of information exposed to the Internet is no greater than with a typical Internet access service.
Blocking attacks
To prevent the router itself from being attacked, the service provider filters packets and hides addresses. The access control list (ACL) permits only the customer edge router to reach the routing-protocol port. The usual approach of an external attacker is first to traverse the MPLS core, then attack the provider edge router directly or attack the MPLS signaling mechanism, and finally break into the layer-3 VPN. Configuring the router appropriately prevents both attacks. Although device addresses are not disclosed publicly, an attacker inside a VPN could guess them. However, because of MPLS address separation, a packet entering from inside a VPN is treated as belonging to that customer's VPN address space, and the core is not logically reachable from there, so an attacker cannot reach a core router's IP address even by guessing it.
Through its routing configuration, the service provider can prevent attackers from directly attacking the known peering interfaces on the provider edge router. Static routing is the safest method: in this case the provider edge router rejects dynamic routing requests altogether. The static route on the customer edge router points either to the IP address of the provider edge router or to the customer edge router's own interface. When the route points to an interface, the customer edge router does not need to know any IP address in the core network, not even the IP address of the provider edge router.
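The following added example (not code from the original article) models the provider edge behaviour described above: the ingress interface selects the VRF, transit traffic is looked up only in that VRF (so core addresses are unreachable from inside a VPN), and traffic addressed to the PE itself passes a control-plane ACL that admits only the routing protocol from the configured CE peer, or nothing at all when static routing is used. The interface names, addresses and VRF names are a constructed, hypothetical configuration.

```python
import ipaddress
from dataclasses import dataclass

BGP_PORT = 179

@dataclass
class Packet:
    ingress_if: str
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0

# Constructed PE configuration. Each CE-facing interface belongs to one VRF;
# core (P/PE) addresses such as 192.0.2.0/24 live only in the global table,
# which VRF lookups never consult.
PE_CONFIG = {
    "interfaces": {
        "Gi0/1": {"vrf": "ACME",   "address": "172.16.1.1", "ce_peer": "172.16.1.2", "routing": "bgp"},
        "Gi0/2": {"vrf": "GLOBEX", "address": "172.16.2.1", "ce_peer": "172.16.2.2", "routing": "static"},
    },
    "vrf_routes": {
        "ACME":   {"10.1.0.0/16": "PE2", "10.2.0.0/16": "CE-ACME"},
        "GLOBEX": {"10.1.0.0/16": "PE3"},          # same prefix, different customer
    },
}

def pe_ingress_decision(pkt: Packet, cfg=PE_CONFIG) -> str:
    ifc = cfg["interfaces"][pkt.ingress_if]
    # 1. Packets aimed at the PE's own interface address hit the control-plane ACL.
    if pkt.dst == ifc["address"]:
        if ifc["routing"] == "static":
            return "drop: static routing, no control-plane access from CE"
        if pkt.src == ifc["ce_peer"] and pkt.proto == "tcp" and pkt.dport == BGP_PORT:
            return "accept: BGP from configured CE peer"
        return "drop: ACL permits only routing protocol from CE peer"
    # 2. Transit packets are looked up only in the VRF bound to the ingress interface.
    dst = ipaddress.IPv4Address(pkt.dst)
    routes = cfg["vrf_routes"][ifc["vrf"]]
    best = max((ipaddress.IPv4Network(p) for p in routes if dst in ipaddress.IPv4Network(p)),
               key=lambda n: n.prefixlen, default=None)
    if best is None:
        return "drop: no route in VRF %s" % ifc["vrf"]
    return "forward via %s (VRF %s)" % (routes[str(best)], ifc["vrf"])

if __name__ == "__main__":
    for p in (Packet("Gi0/1", "172.16.1.2", "172.16.1.1", "tcp", BGP_PORT),
              Packet("Gi0/1", "10.2.0.7", "192.0.2.1", "tcp", 22),     # guessed core address
              Packet("Gi0/2", "10.5.0.1", "10.1.3.4")):
        print(p.ingress_if, p.src, "->", p.dst, ":", pe_ingress_decision(p))
```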