How To Make A Network Secure

Transcription

1 1

2 2

3 3

4 4

5 -Lower yellow line is graduate student enrollment -Red line is undergradate enrollment -Green line is total enrollment numbers are projected to be near 20,000 (on-campus) not including distance education numbers. 5

6 6

7 7

8 8

9 9

10 10

11 11

12 -High security isolated networks are being demanded for things like: -Health/medical data under HIPAA regulatory requirements -Administrative natured applications that require higher security -Isolation of credit card point of sale processing devices (subject to PCI DSS) -Some academic researchers asking for increased security. -Our customers were demanding us to service increasing diversity with increased availability. 12

13 University networks are a diverseplace. We are like a large enterprise only without the ability to exert much in the way of standards or control over our environments. This lack of ability to control the environment is especially true for the diversity of communication endpoints attaching to the network. 13

14 14

15 -Similarto VLAN s only more powerful, MPLS allows for the separation of traffic on the same physical media -Unlike VLAN s, MPLS does this at the network layer (layer 3) -This enables us to scale up network virtualization considerably. -Since about the year 2000, MPLS has been widely popular with ISP s due to the ability to serve many more customers from a single physical infrastructure. -Label switching separates the control plane from the data forwarding plane thus enabling ISP s to not have to carry a full Internet routing table through the core of their networks. -For us, MPLS is more interesting for its ability to create closed application groups within the network. 15

16 -The LSP is the path from the source to the destination for a data packet entering the MPLS network. -The LSP is the culmination of all of the outgoing interface label information within the entire network. Outgoing label information in locally significant on a per router / per interface basis. -Label distribution protocol is used between routers to propagate hop by hop forwarding information upstream. -Within an MPLSVPN infrastructure, the FEC becomes the unique layer 3 network or VPN identifier. 16

17 17

18 -Data always follows the label switched patch downstream whereas label distribution information is propagated upstream to the source router. -An MPLS label value unique identifies an IP destination prefix. -If the bottom of stack indicator is zero, then multiple labels are in use within the MPLS packet. -TTL functions exactlythe same way as TTL in an IP only network. That is to say, it is used for network loop prevention. -MPLS header TTL is decremented within each LSR. -When an IP packet enters an MPLS network, the TTL is typically copied from the IP header. -When the packet exists the MPLS, the TTL is copied back to the IP header. -process is called TTL propagation -TTL propagation can be disabled which will hide the MPLS network from the traceroute command. 18

19 -TheMPLS label stack is inserted between the Layer 2 header and the Layer 3 IP header as a SHIM header. 19

20 -Routing protocoldestination reachabilityinformation, and used to populate the RIB which in turn populates the FIB. -FIB maps destination prefixes to next-hop adjacencies. -LIB is populated only by the Label Distribution Protocol -LIB: ipdestination prefixes mapped to next-hop labels received from downstream neighbors. 20

21 -peer to peer modelmeans that routing information is exchanged between customer routers and provider routers -customer isolation is achieved on provider edge (PE) routers by using virtual routing and forwarding tables (VRFs) -similar to maintaining multiple dedicated routers for customers -individual route contexts can be used on PE routers and mapped to a VRF if desired. -example: route prefix /24 is received from CE1A -routes learned are redistributed into MP-BGP on PE1 -prefix is prepended with RD value 65000:100 and appended with RT of 65000:100 -VPN label is assigned for each prefix learned by PE1 s MP-BGP process -MP-BGP route update is received by PE2 and the route prefix is stored in the VRF CustAtable based on the VPN label. -received routes are redistributed into CE2A s route table. -PE router must run an IGP that provides NLRI for ibgp. (OSPF or ISIS) -From the data packet forwarding perspective, if CEA1 originates a packet for a route prefix belonging to CE2A, -PE1 receives the packet and appends a VPN label and outgoing LDP label. -packet is forwarded through the core network P1 and P2 with LDP label swapping as it goes. -P2 receives the packet, pops the top label and forwards to PE2 still retaining VPN label. -PE2 pops the VPN label and forwards the packet to CE2A. *The VPN label is never touched until it reaches the egress PE router towards the FEC. 21

22 -The RD is unique per virtual routing table/ VRF on a PE router. -The use of RD enables two different customer networks to have overlapping address space. -Route Targets(RT) identify the VPN membership of the router learned from that specific site. -RT s are implemented using extended BGP communities in which the higher order 16-bits of the community are encoded with the VPN identifier. -When implementing complex VPN topologies, such as an extranet VPN, route targets play a critical role. 22

23 23

24 This packetdisplay from the Wiresharksniffer is captured on the outgoing interface of the originating router. It shows the imposition of the outgoing interface label as well as the VPN label. Notice that the IP header TTL value of 126 has been copied onto the MPLS header and then appropriately decremented by 1 showing LSR traversal. 24

25 This packet display from the Wiresharksniffer shows a packet that has been received on an interface of the destination router. -for efficiency, there exists only the VPN label which allows the router to simply perform an IPV4 prefix lookup in the FIB of the VRF this packet belongs to. -this is a process known as penultimate hop popping (PHP) done by the upstream router. -before final forwarding to the destination address, the TTL from the MPLS header will be copied back onto the IP header. -the source IP TTL is actually preserved but will be overwritten shortly. 25

26 TheMPLS network that UNCG is building treats the University buildings as individual layer 2 switched networks with multiple unique VLAN s per building. -Each VLAN is representative of a campus wide closed application group that has specific operational and security parameters. -The VLAN s that fall into one specific set of requirements map into a single VRF within the distribution layer PE routers. -Therefore, each VLANtypically represents a route prefix that is directly connected to a PE router. -Virtual Router Redundancy Protocol (VRRP) is used for multi-homing buildings in order to provide redundancy. -Additionally,for those VRF s that are forwarding route prefixes with only RFC-1918 addressing, a redundant firewall is provided in the Internet border PE routers in order to provide security and address translation. -At this time, none of our University building tech staff are interested in directly managing network routers, therefore we don t have a defined customer edge device and probably will not see that in the foreseeable future. --The switched networks in buildings are being upgraded to Cisco 3750 series equipment with gigabit copper access being offered. At the same time, we have increased the access network level of security by using features like MAC address limitations, ARP inspection, and DHCP snooping. 26

27 The process of migration was madeeasier by the ability to purchase a portion of the new network in the form of routers, and configure them ahead of time. Base router configuration involved setting up: -Point to point physical and IP /30 links between all routers. - Configuration of MPLS encapsulation on all links - Configuration of Label Distribution Protocol on all links. - Configuration of MP-BGP and core route reflectors -on each of the PE routers, connected routes must be redistributed in order for the SVI s to appear in the VRF route table. -Configuration of our first VRF to carry/encapsulate the legacy network traffic (VRF public) -Configuration of Multicast VPN as our existing network was multicast enabled. - -Connection of the legacy network to the new network - redistribution of OSPF into the new network s BGP process -redistribution of BGP routes back to the OSPF legacy network. Then, one by one we took Switched Virtual interfaces that faced buildings on the legacy network, and configured them into the public VRF on the new network. The interfaces could remain in an administratively down state until the physical building link itself was migrated. 27

28 28

29 29

30 30

31 31

32 32

33 33

34 -each of the clouds represented in this diagram mapsto a specific VRF within the MPLS network -the extranet in the center is used as a route distribution point to transmit routes to multiple client side VRFs. 34

35 35

36 -Forlayer 2 segments, we ended up using physical interfaces looped back to trunk interfaces. -we designated one PE router as the multi-point layer 2 source, then created point to point MPLS layer 2 tunnels from that device to all other PE devices. -to do so required a physical loopback. -when sniffing an MPLS encapsulated link, there is no guarantee you are going to see both directions of traffic. 36

37 37

38 38