Mpls Vpn Security

by Michael H. Behringer and Monique J. Morrow
  • ISBN-13: 9781587051838
  • ISBN-10: 1587051834
  • Edition: 1st
  • Format: Paperback
  • Copyright: 2005-06-08
  • Publisher: Cisco Press
Summary

The definitive guide to understanding MPLS security and implementing and operating secure MPLS networks.

Author Biography

Michael H. Behringer is a distinguished engineer at Cisco®, where his expertise focuses on MPLS VPN security, service provider security, and denial-of-service (DoS) attack prevention. Prior to joining Cisco Systems, he was responsible for the design and implementation of pan-European networks for a major European Internet service provider. 

Monique J. Morrow is a CTO consulting engineer at Cisco Systems, to which she brings more than 20 years’ experience in IP internetworking, design, and service development for service providers. Monique led the engineering project team for one of the first European MPLS VPN deployments for a European Internet service provider.

Table of Contents

Foreword
Introduction

Part I: MPLS VPN and Security Fundamentals

  MPLS VPN Security: An Overview
    Key Security Concepts
      Security Differs from Other Technologies
      What Is "Secure"?
      No System Is 100 Percent Secure
      Three Components of System Security
      Principle of the Weakest Link
      Principle of the Least Privilege
      Other Important Security Concepts
    Overview of VPN Technologies
    Fundamentals of MPLS VPNs
      Nomenclature of MPLS VPNs
      Three Planes of an MPLS VPN Network
      How the Control Plane Works
      How the Data Plane Works
      How the Management Plane Works
    Security Implications of Connectionless VPNs
    A Security Reference Model for MPLS VPNs
    Summary

  A Threat Model for MPLS VPNs
    Threats Against a VPN
      Intrusions into a VPN
      Denial of Service Against a VPN
    Threats Against an Extranet Site
    Threats Against the Core
      Monolithic Core
        Intrusions
        DoS Attacks
        Internal Threats
      Inter-AS: A Multi-AS Core
      Carrier's Carrier: A Hierarchical Core
    Threats Against a Network Operations Center
    Threats Against the Internet
    Threats from Within a Zone of Trust
    Reconnaissance Attacks
    Summary

Part II: Advanced MPLS VPN Security Issues

  MPLS Security Analysis
    VPN Separation
      Address Space Separation
      Traffic Separation
    Robustness Against Attacks
      Where an MPLS Core Can Be Attacked
      How an MPLS Core Can Be Attacked
      How the Core Can Be Protected
    Hiding the Core Infrastructure
    Protection Against Spoofing
    Specific Inter-AS Considerations
      Model A: VRF-to-VRF Connections at the AS Border Routers
      Model B: EBGP Redistribution of Labeled VPN-IPv4 Routes from AS to Neighboring AS
        How Model B Works
        Security of Model B
      Model C: Multihop eBGP Redistribution of Labeled VPN-IPv4 Routes Between Source and Destination ASs, with eBGP Redistribution of Labeled IPv4 Routes from AS to Neighboring AS
        How Model C Works
        Security of Model C
      Comparison of Inter-AS Security Considerations
    Specific Carrier's Carrier Considerations
      How CsC Works
      Security of CsC
    Security Issues Not Addressed by the MPLS Architecture
    Comparison to ATM/FR Security
      VPN Separation
      Robustness Against Attacks
      Hiding the Core Infrastructure
      Impossibility of VPN Spoofing
      CE-CE Visibility
      Comparison of VPN Security Technologies
    Summary

  Secure MPLS VPN Designs
    Internet Access
      MPLS Core Without Internet Connectivity
      Generic Internet Design Recommendations
      Internet in a VRF
      Internet in the Global Routing Table
      Hop-by-Hop Internet Routing in the Core
      Internet-Free MPLS Core
      Overview of Internet Provisioning
    Extranet Access
    MPLS VPNs and Firewalling
    Designing DoS-Resistant Networks
      Overview of DoS
      Designing a DoS-Resistant Provider Edge
      Tradeoffs Between DoS Resistance and Network Cost
        Single PE, Two Access Lines, and Two CEs
        Using a Single Access Line with Frame Relay Switching
        Using a Single Access Line with VRF Lite
        Why Policy-Based Routing Is Not Preferred
        Comparing the Options
      DoS-Resistant Routers
    Inter-AS Recommendations and Traversing Multiple Provider Trust Model Issues
      Case A: VRF-to-VRF Connection on ASBRs
      Case B: eBGP Redistribution of Labeled VPN-IPv4 Routes
        Control Plane
        Data Plane
      Case C: Multi-Hop eBGP Distribution of Labeled VPN-IPv4 Routes with eBGP Redistribution of IPv4 Routes
      Carriers' Carrier
    Layer 2 Security Considerations
    Multicast VPN Security
    Summary

  Security Recommendations
    General Router Security
      Secure Access to Routers
      Disabling Unnecessary Services for Security
      IP Source Address Verification
      12000 Protection and Receive ACLs (rACLs)
        Syntax
        Basic Template and ACL Examples
        rACLs and Fragmented Packets
        Deployment Guidelines
      Control Plane Policing
        Command Syntax
        Developing a CoPP Policy
        CoPP Deployment Guidelines
        Risk Assessment
        CoPP Summary
      AutoSecure
    CE-Specific Router Security and Topology Design Considerations
      Managed CE Security Considerations
      Unmanaged CE Security Considerations
      CE Data Plane Security
    PE-Specific Router Security
      PE Data Plane Security
      PE-CE Connectivity Security Issues
    P-Specific Router Security
    Securing the Core
      Infrastructure Access Lists (iACLs)
        Techniques
        ACL Examples
        Developing a Protection ACL
        iACL Risk Assessment
        Deployment Examples
    Routing Security
      Neighbor Router Authentication
      MD5 for Label Distribution Protocol
      TTL Security Mechanism for BGP
        Configuring the TTL Security Check for BGP Peering Sessions
        Configuring the TTL Security Check for Multihop BGP Peering Sessions
        Benefits of the BGP Support for TTL Security Check Feature
        How to Secure BGP Sessions with the BGP Support for TTL Security Check Feature
        Configuring the TTL-Security Check
        Restrictions
    CE-PE Routing Security Best Practices
      PE-CE Addressing
      Static Routing
      Dynamic Routing
        Key Chaining
        eBGP PE-CE Routing
        EIGRP PE-CE Routing
        OSPF PE-CE Routing
        RIPv2 PE-CE Routing
      PE-CE Routing Summary
      Prevention of Routes from Being Accepted by Nonrecognized Neighbors
      BGP Maximum-Prefix Mechanism
    Internet Access
      Resource Sharing: Internet and Intranet
      Sharing End-to-End Resources
      Additional Security
      Addressing Considerations
    LAN Security Issues
      LAN Factors for Peering Constructs
    IPsec: CE to CE
    IPsec PE-PE
    MPLS over IP Operational Considerations: L2TPv3
      MPLS over L2TPv3
    Securing Core and Routing Check List
    Summary

Part III: Practical Guidelines to MPLS VPN Security

  How IPsec Complements MPLS
    IPsec Overview
    Location of the IPsec Termination Points
      CE-CE IPsec
      PE-PE IPsec
      Remote Access IPsec into an MPLS VPN
    Deploying IPsec on MPLS
    Using Other Encryption Techniques
    Summary

  Security of MPLS Layer 2 VPNs
    Generic Layer 2 Security Considerations
      Ethernet Topologies
      VPLS Overview
      VPWS Overview
      VPLS and VPWS Service Summary and Metro Ethernet Architecture Overview
      VPLS and VPWS Security Overview
    Physical Interconnection Option Details
      SP Interconnect Models
      Metro Ethernet Model
    Customer Edge
      CE Interconnection Service Is a Layer 3 Device
      Customer Edge Interconnection Service Is a Layer 2 Device
      Hijack Management Security
      Disable Password Recovery
      U-PE STP Priority
      Apply Broadcast Limiters
      Disable/Block Layer 2 Control Traffic
      VTP Transparent Operation
      MAC Address Limits and Port Security
      Controlling Reserved VLANs
      Removing Unused VLANs
      Hard-Code Physical Port Attributes
      Establish Network Reporting
      Enable 802.1x
    Summary

  Secure Operation and Maintenance of an MPLS Core
    Management Network Security
    Securely Managing CE Devices
      Management VRF Overview
      Management VRF Details
    Securely Managing the Core Network
    Summary

Part IV: Case Studies and Appendixes

  Case Studies
    Internet Access
      NAT via Common Gateways
      PE to Multiple Internet Gateways
      NAT via a Single Common Gateway
      Registered NAT by CE
      Internet Access via Customer-Controlled NAT
      Internet Access Using Global Routing Table
      BGP Internet Routing Table from the Service Provider of an ISP
      Tier 3 ISP Connecting to an Upstream Tier via a Service Provider
      Hybrid Model
    Multi-Lite VRF Mechanisms
      Configuration Example for Internet and VPN Service Using the Same CE
    Layer 2 LAN Access
    Summary

  Appendix A: Detailed Configuration Example for a PE
  Appendix B: Reference List
  Index
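The Security Recommendations chapter above lists the concrete PE hardening mechanisms the book covers: locking down router access and unneeded services, IP source address verification, receive ACLs and Control Plane Policing, neighbor authentication for the IGP, LDP and BGP, the BGP TTL security check, and the BGP maximum-prefix limit. The Cisco IOS fragment below is an added illustration of how those items fit together on one PE; it is not taken from the book or from the publisher's sample configurations. Every address, VRF name, ACL number, AS number, interface and key string in it is an assumption made for the example.

```cisco
! Added example (not from the book): an IOS PE fragment combining the
! hardening items listed in the Security Recommendations chapter.
! All addresses, VRF/ACL names, AS numbers and key strings are assumed.
!
! --- Secure Access to Routers / Disabling Unnecessary Services ---
service password-encryption
no ip http server
no ip source-route
no cdp run
no ip finger
no service tcp-small-servers
no service udp-small-servers
access-list 10 permit 192.0.2.0 0.0.0.255      ! assumed NOC subnet
line vty 0 4
 transport input ssh
 access-class 10 in
 exec-timeout 5 0
!
! --- IP Source Address Verification (strict uRPF) on the PE-CE link ---
interface GigabitEthernet0/1
 description PE-CE link, customer VRF CUST_A (assumed)
 ip vrf forwarding CUST_A
 ip address 198.51.100.1 255.255.255.252
 ip verify unicast source reachable-via rx
 ip ospf message-digest-key 1 md5 OSPF-KEY-ASSUMED
!
! --- Receive ACL (rACL, 12000 series): who may talk to the RP itself ---
access-list 110 permit tcp 10.0.0.0 0.255.255.255 any eq bgp
access-list 110 permit tcp 10.0.0.0 0.255.255.255 eq bgp any
access-list 110 permit tcp 10.0.0.0 0.255.255.255 any eq 646
access-list 110 permit udp 10.0.0.0 0.255.255.255 any eq 646
access-list 110 permit tcp 192.0.2.0 0.0.0.255 any eq 22
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 110 deny ip any any
ip receive access-list 110
!
! --- Control Plane Policing: rate-limit what the rACL lets through ---
access-list 120 permit tcp any any eq bgp
access-list 120 permit tcp any eq bgp any
access-list 120 permit tcp any any eq 646
access-list 120 permit udp any any eq 646
class-map match-all COPP-ROUTING
 match access-group 120
policy-map COPP
 class COPP-ROUTING
  police 512000 8000 conform-action transmit exceed-action transmit
 class class-default
  police 64000 8000 conform-action transmit exceed-action drop
control-plane
 service-policy input COPP
!
! --- Routing Security: authenticated LDP, iBGP and PE-CE sessions,
!     TTL security on the directly connected eBGP CE, prefix limit ---
mpls ldp neighbor 10.0.0.2 password LDP-KEY-ASSUMED
!
router ospf 100 vrf CUST_A
 area 0 authentication message-digest
!
router bgp 65000
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 update-source Loopback0
 neighbor 10.0.0.2 password IBGP-KEY-ASSUMED
 !
 address-family vpnv4
  neighbor 10.0.0.2 activate
 !
 address-family ipv4 vrf CUST_A
  neighbor 198.51.100.2 remote-as 65100
  neighbor 198.51.100.2 password CUSTA-KEY-ASSUMED
  neighbor 198.51.100.2 ttl-security hops 1
  neighbor 198.51.100.2 maximum-prefix 100 80 restart 5
  neighbor 198.51.100.2 activate
```

Two caveats a practitioner would check before copying any of this: strict uRPF (`reachable-via rx`) only works where the CE link is symmetrically routed, otherwise use the `any` (loose) form; and the rACL's final `deny ip any any` also drops non-initial fragments addressed to the router, which is the case the book's "rACLs and Fragmented Packets" section exists to discuss, so test the receive ACL against fragmented BGP and LDP traffic before enforcing it. The `ttl-security hops 1` line is only valid for a directly connected eBGP peer; it cannot be combined with `ebgp-multihop`.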
