Carrier Ethernet Security Threats and Mitigation Best Practices
Ralph Santitoro, Director of Carrier Ethernet Market Development, Ralph.Santitoro@us.Fujitsu.com
© Copyright 2011 Fujitsu Network Communications, Inc.
Santa Clara, CA USA | February 2011

Current Best Practices: MAC Address Denial of Service (DoS) Attacks

Attack scenario
• Attacker floods the network with frames carrying many different source MAC addresses
• The network element's MAC address table overflows and resets, so every MAC address (legitimate subscribers' included) has to be learned again; until it is, traffic for those addresses is flooded

Attacker objective: service disruption

Services affected
• Any service that uses Ethernet bridging

Popular best-practice threat mitigations
• Limit the number of subscriber MAC addresses the network will learn per UNI port
• Use a router (a single MAC address) at the customer premises
• Use a tunneling technology (e.g., PBB) so that customer MAC addresses are tunneled and the core never learns them
• Use 802.1X to authenticate CPE connecting to the SP's network

There is a simpler, alternative approach to solving this problem.

What is Connection-Oriented Ethernet (COE)?

High-performance implementation of Carrier Ethernet
• Used for P2P and P2MP metro and wide area networking

Disables Ethernet bridging behavior
• No Spanning Tree Protocol
• No MAC address learning/flooding

Ethernet paths (EVCs) are provisioned by the management system

Implementations use "label-based" frame forwarding
• Ethernet / VLAN tag switching: C-VIDs + S-VIDs
• PBB-TE: B-MAC address + B-VID
• MPLS-TP: pseudowire / LSP labels
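The following simulation is an added example; it is not code from the Fujitsu deck or from any Fujitsu product. It models the attack and two of the responses described above on the same constructed traffic: a learning bridge whose MAC table resets when it overflows (the behaviour the slide describes), the "limit the number of subscriber MAC addresses" mitigation implemented as a per-port learning limit, and a connection-oriented forwarder in the VLAN-tag-switching style, where the management system provisions each EVC as an (ingress port, S-VID) to egress port entry and source MACs are never examined. Port numbers, VLAN ID 100, the 256-entry table, the 8-per-port limit, the 2000-frame flood and the 00:00:5e:00:53:xx subscriber addresses are all assumptions chosen for the example.

```python
"""Simulation of the MAC address table overflow DoS and two countermeasures.

Added example, not from the Fujitsu deck. It models a learning bridge that
flushes its table on overflow (the attack), a per-port learning limit (the
"limit subscriber MAC addresses" mitigation) and a connection-oriented
forwarder keyed on (ingress port, S-VID) that never learns MACs.
All ports, VLAN IDs, MAC addresses and sizes are constructed test data.
"""
from collections import defaultdict
from dataclasses import dataclass
import random

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    vid: int       # S-VID carried by the frame
    in_port: int   # ingress port on the network element


class LearningBridge:
    """Connectionless (bridged) Ethernet NE: learns source MACs, floods unknown
    destinations, and flushes its whole table when it overflows."""

    def __init__(self, ports, table_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.table_size = table_size
        self.max_macs_per_port = max_macs_per_port   # None = unlimited (vulnerable)
        self.mac_table = {}                          # src MAC -> port
        self.per_port = defaultdict(int)             # learned MACs per port
        self.overflows = 0    # table resets caused by the flood
        self.floods = 0       # frames flooded to all other ports
        self.rejected = 0     # frames dropped by the per-port limit

    def _learn(self, frame):
        """Learn the source MAC; return False if the per-port limit drops the frame."""
        if frame.src_mac in self.mac_table:
            return True
        if (self.max_macs_per_port is not None
                and self.per_port[frame.in_port] >= self.max_macs_per_port):
            self.rejected += 1
            return False
        if len(self.mac_table) >= self.table_size:
            # Overflow: the NE resets the table and must relearn every MAC,
            # including the legitimate subscribers' addresses.
            self.overflows += 1
            self.mac_table.clear()
            self.per_port.clear()
        self.mac_table[frame.src_mac] = frame.in_port
        self.per_port[frame.in_port] += 1
        return True

    def forward(self, frame):
        """Return the list of egress ports for the frame."""
        if not self._learn(frame):
            return []
        out = self.mac_table.get(frame.dst_mac)
        if out is None or frame.dst_mac == BROADCAST:
            self.floods += 1
            return [p for p in self.ports if p != frame.in_port]
        return [out]


class COEForwarder:
    """Connection-oriented Ethernet NE: EVCs are provisioned by the management
    system as (ingress port, S-VID) -> egress port. No learning, no flooding;
    source MACs are never looked at, so there is no table for a flood to fill."""

    def __init__(self, evcs):
        self.evcs = dict(evcs)
        self.dropped = 0      # frames that matched no provisioned EVC

    def forward(self, frame):
        out = self.evcs.get((frame.in_port, frame.vid))
        if out is None:
            self.dropped += 1   # unprovisioned traffic is discarded, not flooded
            return []
        return [out]


SUBSCRIBER_A = "00:00:5e:00:53:01"   # constructed addresses (documentation range)
SUBSCRIBER_B = "00:00:5e:00:53:02"


def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def mac_flood(device, attacker_port, n_frames, seed=1):
    """Attacker on attacker_port sends n_frames, each with a fresh random source MAC."""
    rng = random.Random(seed)
    for _ in range(n_frames):
        device.forward(Frame(random_mac(rng), random_mac(rng), 100, attacker_port))


def bridge_under_flood(max_macs_per_port=None):
    """Subscriber A (port 2) is learned, the attacker (port 1) floods, then
    subscriber B (port 3) sends to A. Reports what happened to B's frame."""
    br = LearningBridge(ports=[1, 2, 3], table_size=256,
                        max_macs_per_port=max_macs_per_port)
    br.forward(Frame(SUBSCRIBER_A, SUBSCRIBER_B, 100, 2))
    mac_flood(br, attacker_port=1, n_frames=2000)
    egress = br.forward(Frame(SUBSCRIBER_B, SUBSCRIBER_A, 100, 3))
    return {"overflows": br.overflows,
            "rejected": br.rejected,
            "subscriber_a_known": SUBSCRIBER_A in br.mac_table,
            "egress_for_a": egress}


def coe_under_flood():
    """Same traffic against a COE NE with one EVC provisioned between ports 2 and 3."""
    coe = COEForwarder({(2, 100): 3, (3, 100): 2})
    mac_flood(coe, attacker_port=1, n_frames=2000)
    egress = coe.forward(Frame(SUBSCRIBER_B, SUBSCRIBER_A, 100, 3))
    return {"dropped": coe.dropped, "egress_for_a": egress}


if __name__ == "__main__":
    print("bridge, no limit :", bridge_under_flood())
    print("bridge, 8/port   :", bridge_under_flood(max_macs_per_port=8))
    print("COE              :", coe_under_flood())
```

Run as a script, the unlimited bridge resets its table repeatedly during the flood and forgets subscriber A, so B's frame to A is flooded out every other port (the service disruption, and a leak of A's traffic to the attacker's port). With the per-port limit the attacker is capped at eight entries and the rest of the flood is dropped, so A stays learned and B's frame goes only to port 2. The COE forwarder drops the unprovisioned flood outright and, because it keeps no per-MAC state at all, would behave the same even if the attacker were on a provisioned port. The flush-on-overflow model follows the slide; real NEs differ in what they do when the table is full, and the per-port limit is only as good as the value chosen for it.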
Connection-Oriented Ethernet Security

No MAC address learning / flooding vulnerabilities
• Immune to MAC address spoofing against network elements (NEs): customer MACs are never used for forwarding decisions
• Immune to MAC address table overflow DoS attacks in NEs: there is no learned table to fill

No Spanning Tree Protocol (STP) vulnerabilities
• Immune to STP Denial of Service (DoS) attacks

Doesn't use IP protocols in the data plane
• Immune to IP protocol vulnerabilities and attacks on the forwarding path (management-plane access to the NEs still has to be secured separately)

Uses few Layer 2 protocols
• Fewer protocols = fewer network security vulnerabilities (a smaller attack surface)

COE provides security comparable to SONET or OTN networks.

Security Vulnerabilities vs. Service Flexibility: COE vs. Connectionless (bridged) Ethernet (CLE)

[Figure: service types plotted by service flexibility (horizontal axis, increasing from EoS through COE to CLE) against security vulnerabilities (vertical axis). Points shown: EoS; the COE services EPL, EVPL, EP-LAN and EP-Tree; the CLE services EVP-LAN and EVP-Tree.]

Service flexibility ranking
• Protocol (most flexible)
• Physical port (least flexible)

Security vulnerability ranking
• Physical port (most secure)
• Protocol (least secure)

COE provides security comparable to Layer 1 networks while supporting the most popular Ethernet services.