VPN Security: A Soft Spot?
The issue under debate was whether some of the new technologies used to address virtual private networks (VPNs) are secure enough. Specifically, questions were raised about an approach that uses Layer 3 Multiprotocol Label Switching (MPLS) based on the Internet Engineering Task Force (IETF) draft 2547.
Security in general has become a hot topic. Distributed denial-of-service attacks, like the one that occurred last week involving high-level DNS routers, have helped draw attention to the problem. Those attacks were targeted at Layer 3 routing technology.
“It is becoming a significant issue with respect to router selection,” says Mark Bieberich, senior analyst with Yankee Group. “Denial-of-service attacks are on the rise. But also with Layer 3 VPNs you have virtual routing going on, and anytime you have enterprises sharing the same physical platform, there are security concerns.”
Isocore, the independent test house that sponsored the MPLS 2002 event, believes that more attention should be given to the matter. In fact, it invited Howard A. Schmidt, a White House official serving as vice chair to the President’s critical infrastructure protection board, to give the opening keynote address earlier in the week. While Schmidt had little to say about technical strategies for solving security issues, he emphasized the importance for engineers and network architects to build more secure products and networks.
“There hasn’t been enough awareness about security out there,” he said in an interview following his talk. “My job is to spread the word and get these people thinking about how to build security into the networks from the ground up.”
The controversy at the conference began when Magued Barsoum, system architect from Quarry Technologies Inc., a company which has built a multiservice edge device based on ATM technology, presented his slideshow on MPLS VPNs. In his presentation, he argued that Layer 3 MPLS VPNs based on RFC 2547 that use the routing protocol BGP (Border Gateway Protocol) are not as secure as Layer 2 technology such as Asynchronous Transfer Mode (ATM) and Frame Relay.
In his slide presentation, he made several assumptions about the treatment of BGP in RFC 2547; based upon these assumptions, he gave several reasons why he thought the technology was not secure.
He argued that the approach used by MPLS to "tag" specific streams of traffic could easily be spoofed by hackers. He also said that BGP/MPLS offered no authentication, integrity, or data confidentiality. And he criticized the technology for being immature in comparison to ATM and Frame Relay.
He suggested using another technology -- IPSec -- to encrypt traffic within the service provider network. Unlike most other implementations of IPSec, he suggested initiating encryption from within the service provider's network, instead of directly between customer sites.
Several audience members took exception to his presentation, contending that Barsoum’s assumptions about how BGP works in RFC 2547 are not accurate. One network architect from AT&T Corp. (NYSE: T), who didn’t want to be named, said that BGP used in 2547 is not the same BGP used in the Internet, and therefore separate sessions of the protocol can occur at the same time. This means that Internet traffic and VPN traffic are logically separated. He said that in AT&T’s implementation of RFC 2547 there is no problem with the traffic types bleeding into one another.
Ferit Yegenoglu, a director at Isocore, said the security risk comes when an enterprise hands its security over to a service provider. The customer must trust that the service provider will configure the network properly and not tamper with its traffic.
He agrees that IPSec is most likely the best method for guaranteeing security, but he disagrees with Barsoum on where it should be implemented.
“If you don’t trust your service provider to configure BGP properly, why would you trust it to implement IPSec?” he asked. “If they encrypt traffic within the carrier network, they have the keys -- not the customer.”
He says the best method is to use a hybrid approach that includes both RFC 2547 and IPSec.
But Yegenoglu admits that this is not an easy solution to craft. There are still problems that need to be worked out when it comes to combining Layer 3 MPLS VPNs using BGP and IPSec VPNs. For example, there are issues regarding dynamic routing. “Route updates are not easily incorporated into security associations of IPSec,” he noted.
Members of the IETF are already working on drafts that could help solve these problems. But a complete solution is still far off.
“This is a topic that needs to be addressed properly,” says Bijan Jabbari, president of Isocore. “I really hope that the IETF brings up these drafts for discussion at its next two meetings. It’s important to the whole industry.”
— Marguerite Reardon, Senior Editor, Light Reading