
VPN Security: A Soft Spot?

Light Reading
News Analysis
10/30/2002

WASHINGTON, D.C. -- Controversy sprang up in an otherwise tame session at the MPLS 2002 conference yesterday. While fisticuffs didn't break out, the topic simmered during the lunch that followed the presentation.

The issue under debate was whether some of the new technologies used to address virtual private networks (VPNs) are secure enough. Specifically, questions were raised about an approach that uses Layer 3 Multiprotocol Label Switching (MPLS) based on the Internet Engineering Task Force (IETF) draft 2547.

Security in general has become a hot topic. Distributed denial-of-service attacks, like the one that occurred last week involving high-level DNS routers, have helped draw attention to the problem. Those attacks were targeted at Layer 3 routing technology.

“It is becoming a significant issue with respect to router selection,” says Mark Bieberich, senior analyst with Yankee Group. “Denial-of-service attacks are on the rise. But also with Layer 3 VPNs you have virtual routing going on, and anytime you have enterprises sharing the same physical platform, there are security concerns.”

Isocore, the independent test house that sponsored the MPLS 2002 event, believes that more attention should be given to the matter. In fact, it invited Howard A. Schmidt, a White House official serving as vice chair to the President’s critical infrastructure protection board, to give the opening keynote address earlier in the week. While Schmidt had little to say about technical strategies for solving security issues, he emphasized the importance for engineers and network architects to build more secure products and networks.

“There hasn’t been enough awareness about security out there,” he said in an interview following his talk. “My job is to spread the word and get these people thinking about how to build security into the networks from the ground up.”

The controversy at the conference began when Magued Barsoum, system architect from Quarry Technologies Inc., a company that has built a multiservice edge device based on ATM technology, presented his slideshow on MPLS VPNs. In his presentation, he argued that Layer 3 MPLS VPNs based on RFC 2547 that use the routing protocol BGP (Border Gateway Protocol) are not as secure as Layer 2 technology such as Asynchronous Transfer Mode (ATM) and Frame Relay.

In his slide presentation, he made several assumptions about the treatment of BGP in RFC 2547; based upon these assumptions, he gave several reasons why he thought the technology was not secure.

He argued that the approach used by MPLS to "tag" specific streams of traffic could easily be spoofed by hackers. He also said that BGP/MPLS offered no authentication, integrity, or data confidentiality. And he criticized the technology for being immature in comparison to ATM and Frame Relay.

He suggested using another technology -- IPSec -- to encrypt traffic within the service provider network. Unlike most other implementations of IPSec, he suggested initiating encryption from within the service provider's network, instead of directly between customer sites.

Several audience members took exception to his presentation, contending that Barsoum’s assumptions about how BGP works in RFC 2547 are not accurate. One network architect from AT&T Corp. (NYSE: T), who didn’t want to be named, said that BGP used in 2547 is not the same BGP used in the Internet, and therefore separate sessions of the protocol can occur at the same time. This means that Internet traffic and VPN traffic are logically separated. He said that in AT&T’s implementation of RFC 2547 there is no problem with the traffic types bleeding into one another.

Ferit Yegenoglu, a director at Isocore, said the security risk comes when an enterprise hands its security over to a service provider. The customer must trust that the service provider will configure the network properly and not tamper with its traffic.

He agrees that IPSec is most likely the best method for guaranteeing security, but he disagrees with Barsoum on where it should be implemented.

“If you don’t trust your service provider to configure BGP properly, why would you trust it to implement IPSec?” he asked. “If they encrypt traffic within the carrier network, they have the keys -- not the customer.”

He says the best method is to use a hybrid approach that includes both RFC 2547 and IPSec.

But Yegenoglu admits that this is not an easy solution to craft. There are still problems that need to be worked out when it comes to combining Layer 3 MPLS VPNs using BGP and IPSec VPNs. For example, there are issues regarding dynamic routing. “Route updates are not easily incorporated into security associations of IPSec,” he noted.

Members of the IETF are already working on drafts that could help solve these problems. But a complete solution is still far off.

“This is a topic that needs to be addressed properly,” says Bijan Jabbari, president of Isocore. “I really hope that the IETF brings up these drafts for discussion at its next two meetings. It’s important to the whole industry.”

— Marguerite Reardon, Senior Editor, Light Reading
www.lightreading.com

IP Everywhere
12/4/2012 | 9:26:31 PM
re: VPN Security: A Soft Spot?
Wow. What the heck is that quote from Yankee group?

Wow #2, I assume that was a typo on Marguerite's part about BGP being built into Layer 2?

Guys... proof read!
hyperunner
12/4/2012 | 9:26:29 PM
re: VPN Security: A Soft Spot?
I have to admit that I'm one of the folks who are confused by this issue.

Legal interception is simply a duplication of what's already done in telephone networks today. In other words there's no reason a crooked employee of a telephone company couldn't do the same thing Holy Grail has highlighted in upcoming MPLS networks. It's all a matter of perception.

The problem as I see it is that a lot of folks seem to think that technologies such as leased lines (i.e., SONET), Frame Relay and ATM are "secure".

And in contrast the same folks believe that IP networks are "insecure".

The reality is that ALL networks are insecure to some degree.

I suppose you can argue that exposing the guts of the network to a population of trans-pubescent, socially stunted schoolboys who seem to have a lot of time on their hands makes the Internet a dangerous place. But remember that Cisco and the other IP-heads have been pretty successful in recent years getting carriers to use IP, rather than ISO addressing on the DCN of their SONET networks. To me that shouts "DDOS attack". SONET boxes are not blessed with a heck of a lot of CPU power, so flooding them with spurious management packets should be a lot easier than for a router. It's normal practice to physically separate the DCN from any other IP networks, but the simple fact that they're talking the same protocol now exposes a risk that wasn't there before.

I'd agree that I'd like to see a full LightReading report on VPN security.

hR.

Holy Grail
12/4/2012 | 9:26:29 PM
re: VPN Security: A Soft Spot?

Dear LR,

Knowing how fond Mr. Heywood is of encouraging vigorous debate on controversial topics (for example, "Is MPLS BS?"), might I suggest that you have more articles exploring this security topic, especially articles that focus on the issues surrounding Enterprise data security in the context of network-based IP and Internet-based VPNs?

It seems to me that there is at best inaccurate, and at worst deliberately misleading information being peddled out there in both the vendor and operator worlds.

Take, for example, this issue of legal interception: essentially, operators are going to be required by law to give the authorities access to Enterprise private data. If they can do it for the authorities, why can't a crooked employee do it for personal gain?

Apart from the hacking threat inherent in being connected to a public network, what is the real risk involved in passing encrypted private data site to site via the Internet versus sending plain-text traffic site to site via a network-based VPN? I wonder what the real customer experiences are: how many customers out there have ever experienced or suspected any breach of network security using either of these two approaches?

How about an LR customer survey into the types of VPN that Enterprise customers currently use and plan to use, and their satisfaction/perception that it is 100% secure? You could offer a free, all-expenses-paid trip to Robben Island or Alcatraz to Enterprise customers who complete the survey!

Just a thought.
billyjoebob
12/4/2012 | 9:26:27 PM
re: VPN Security: A Soft Spot?
For the purpose of this discussion it would be useful to clarify the use of the acronym "VPN". A VPN in the PPP, PPTP and L2TP world is a Layer 2 connection with authentication and possibly encryption. With IPSec a VPN is a L3 connection with a suite of authentication and encryption options available. This level of security is inherently complex, which is reflected in the limited use of IPSec by Enterprise Networks. I believe GM attempted a very large IPSec network for their supply chain and had to eventually abandon the effort due to the very low level of interoperability and implementation experience.

MPLS BGP VPNs offer no authentication or encryption - but rather offer a selected path possibly pre-chosen or dynamically established - that ALL the traffic for that connection will follow.

In point of fact, an MPLS VPN is only marginally more secure than any other TCP session, and that is not by design but by the nature of connection vs. connectionless forwarding. ATM and FR have always had that level of “security.”

I would hazard a guess that most "users" of MPLS VPNs are not listing security as one of their top 3 criteria - but view MPLS VPNs as a lower cost alternative to ATM or FR. MPLS VPNs offer some of the reliability of transport that ATM and FR provide. But MPLS VPNs support a one to many capability that L2 VPNs find difficult - eliminating the need to fully mesh multiple sites.

MPLS VPNs are not a Virtual Private Network - they are a dedicated L3 path service. The VPN tag must have been assigned by a marketing type who was trying to hype the benefits of MPLS other than transport. At the time (1999/2000) VPNs were all the rage in the trade rags (sorry LR) so . . .
cc_junk
12/4/2012 | 9:26:23 PM
re: VPN Security: A Soft Spot?
billyjoebob said:
"MPLS VPNs are not a Virtual Private Network - they are a dedicated L3 path service. The VPN tag must have been assigned by a marketing type who was trying to hype the benefits of MPLS other than transport."

What is your definition of a VPN? The ITU definition is creating a private network out of a shared public infrastructure. VPNs have been around in the voice world long before the Internet became available to enterprise business. The L3 MPLS VPN services are being built on a common IP MPLS infrastructure where the edge and backbone routers are being shared among many customers. The technology allows each VPN to carry its own independent routing/addressing information and the traffic in one VPN is isolated from another VPN.

What more could a VPN be?

In fact, with that definition, public layer 2 services also create VPNs. Any access circuit can get a layer 2 connection to any other access circuit. It is a network based VPN because the provider under the customer's direction creates the connections among these access links. Now it has been defined how to do this with an IP control plane and IP backbone at the IETF and called L2 VPN. But from a customer view it is exactly the same old FR, ATM and TLS service that has been around for a decade before the IETF got into the act.


billyjoebob
12/4/2012 | 9:26:20 PM
re: VPN Security: A Soft Spot?
"The technology allows each VPN to carry its own independent routing/addressing information and the traffic in one VPN is isolated from another VPN."

This does not distinguish MPLS VPNs from any other L3 traffic except for a dedicated route rather than hop by hop forwarding of each packet. (Which poses an interesting question I don't know the answer to - how often do packets that compose a single PDU transit different paths vs. following a common path?) In point of fact, between two routers LSPs are shared - label stacking - so the distinction is somewhat vague.


"It is a network based VPN because the provider under the customer's direction creates the connections among these access links. Now it has been defined how to do this with an IP control plane and IP backbone at the IETF and called L2 VPN. But from a customer view it is exactly same old FR, ATM and TLS service that has been around for a decade before the IETF got into the act."

Exactly my point - All they did was find a way to emulate L2 capabilities with L3 functionality (a very useful thing.) In order to sell it to service providers who already had L2 (and for that matter L1 - provisioned TDM circuits) services they needed to create a "new" service. At the time - all the buzz was about VPNs - so somebody - Cisco, Juniper . . . somebody began calling MPLS LSPs VPNs, when in fact what they are selling is tunnels - defined as 1/2 of a VPN - the virtual part.

IP Everywhere
12/4/2012 | 9:26:15 PM
re: VPN Security: A Soft Spot?
"The technology allows each VPN to carry its own independent routing/addressing information and the traffic in one VPN is isolated from another VPN."

>This does not distinguish MPLS VPNs from any other L3 traffic except for a dedicated route rather than hop by hop forwarding of each packet.

Sure it does... you have completely separate and potentially overlapping address spaces (RFC 1918 or otherwise) in each service instance. While the outer label is shared, the inner label is not, and in fact it is the demux mechanism.
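The inner-label demultiplexing this reply describes (and the logical separation the AT&T architect points to in the article) can be modelled in a few lines. This is an added illustrative example, not code from the article, Light Reading or any vendor; the Vrf and PeRouter classes, the VPN labels 100/200, the transport label 17 and the customer prefixes are all constructed assumptions.

```python
# Constructed model of an egress PE router in an RFC 2547 (BGP/MPLS) VPN; classes,
# labels and prefixes are illustrative assumptions, not taken from the article.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

@dataclass
class Vrf:
    """One customer's virtual routing table: prefix -> customer-edge next hop."""
    name: str
    routes: Dict[str, str] = field(default_factory=dict)

    def lookup(self, dst: str) -> Optional[str]:
        # Longest-prefix match over this VRF's routes only.
        addr, best = ip_address(dst), None
        for prefix, nexthop in self.routes.items():
            net = ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nexthop)
        return best[1] if best else None

class PeRouter:
    def __init__(self) -> None:
        self.vrf_by_label: Dict[int, Vrf] = {}  # inner (VPN) label -> VRF

    def add_vrf(self, vpn_label: int, vrf: Vrf) -> None:
        self.vrf_by_label[vpn_label] = vrf

    def forward(self, label_stack: List[int], dst: str) -> Optional[str]:
        """Next hop for a labelled packet, or None when the PE drops it."""
        if not label_stack:
            return None  # an unlabelled packet is never admitted into any VRF
        # The outer (transport) label only carried the packet across the backbone;
        # the egress PE discards it and demultiplexes on the bottom (VPN) label.
        vrf = self.vrf_by_label.get(label_stack[-1])
        if vrf is None:
            return None  # unknown VPN label: drop, never fall back to another VRF
        return vrf.lookup(dst)  # other customers' tables are never consulted

def build_demo_pe() -> PeRouter:
    # Two customers deliberately using the same RFC 1918 space (constructed data).
    pe = PeRouter()
    pe.add_vrf(100, Vrf("acme", {"10.1.0.0/16": "CE-acme"}))
    pe.add_vrf(200, Vrf("globex", {"10.1.0.0/16": "CE-globex",
                                   "192.168.5.0/24": "CE-globex-hq"}))
    return pe

if __name__ == "__main__":
    pe = build_demo_pe()
    print(pe.forward([17, 100], "10.1.2.3"), pe.forward([17, 200], "10.1.2.3"))
```

The same destination address reaches a different customer edge depending only on the VPN label, and a destination that exists in one VRF but not the other is dropped rather than leaked across.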