Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

Carrier Ethernet Security Threats and Mitigation Best Practices

advertisement 
Carrier Ethernet Security Threats
and Mitigation Best Practices
Ralph Santitoro
Director of Carrier Ethernet Market Development
Ralph.Santitoro@us.Fujitsu.com
© Copyright 2011 Fujitsu Network Communications, Inc.
Current Best Practices
MAC Address Denial of Service (DoS) Attacks
 Attack Scenario
• Attacker floods network with many different MAC addresses
• Network Element MAC address table overflows and resets
– causing MAC addresses learning process to occur again
 Attacker Objective: Service Disruption
 Services affected
• Any service using Ethernet bridging
 Popular Best Practices Threat Mitigation
•
•
•
•
Limit number of subscriber MAC addresses
Use router (single MAC address) at customer premises
Use tunneling technology (e.g., PBB) to tunnel MAC addresses
Use 802.1X to authenticate CPE connecting to SP’s network
There is a simpler, alternative© Copyright
approach
to solving this problem
2
2011 Fujitsu Network Communications, Inc.
Santa Clara, CA USA | February 2011
What is Connection-Oriented Ethernet ?
 High performance implementation of Carrier Ethernet
• Used for P2P and P2MP metro and wide area networking
 Disables Ethernet bridging behavior
• No Spanning Tree Protocol
• No MAC address learning/flooding
 Ethernet paths (EVCs) provisioned by Mgmt. System
 Implementations use “label-based” frame forwarding
• Ethernet / VLAN Tag Switching: C-VIDs + S-VIDs
• PBB-TE: BMAC Address + B-VID
• MPLS-TP: Pseudowire / LSP labels
Santa Clara, CA USA | February 2011
© Copyright 2011 Fujitsu Network Communications, Inc.
3
Connection-Oriented Ethernet Security
 No MAC Address Learning / Flooding Vulnerabilities
• Immune to MAC Address spoofing of Network Elements (NE)
• Immune to MAC address table overflow DoS attacks in NEs
 No Spanning Tree Protocol (STP) Vulnerabilities
• Immune to STP Denial of Service (DoS) attacks
 Doesn’t use IP protocols
• Immune to IP protocol vulnerabilities and attacks
 Uses few Layer 2 protocols
• Fewer protocols = Fewer network security vulnerabilities
COE provides security comparable to SONET or OTN networks
Santa Clara, CA USA | February 2011
© Copyright 2011 Fujitsu Network Communications, Inc.
4
Security Vulnerabilities vs. Service Flexibility
COE vs. Connectionless (bridged) Ethernet (CLE)
EVP-LAN
CLE
EVP-Tree
Security
Vulnerabilities
COE EoS
EP-LAN
EP-Tree
EVPL
EPL
Service Flexibility
EoS
COE
CLE
Service Flexibility Ranking
Security Vulnerability Ranking
• Protocol (most flexible)
• Physical Port (least flexible)
• Physical Port (most secure)
• Protocol (least secure)
COE provides security comparable to Layer 1 networks
while supporting the most
popular
services
© Copyright
2011 FujitsuEthernet
Network Communications,
Inc.
5
Related documents
Chp 3 Reading Organizer Student Version
Chp 3 Reading Organizer Student Version
Cisco Chapter 6 Revision Guide
Cisco Chapter 6 Revision Guide
Jaringan Komputer Lanjut
Jaringan Komputer Lanjut
Ethernet LANs - University of Calgary
Ethernet LANs - University of Calgary
Data Link Layer
Data Link Layer
Chapter 4
Chapter 4
Ch. 9 - Ethernet - Information Systems Technology
Ch. 9 - Ethernet - Information Systems Technology
Name
Name
Ch 13. Wired LANs: Ethernet
Ch 13. Wired LANs: Ethernet
Data Link Layer
Data Link Layer
CS408 Lab1 Packet Analysis With Ethereal Instructor PhD Albert
CS408 Lab1 Packet Analysis With Ethereal Instructor PhD Albert
HOW TO SCREEN CAPTURE
HOW TO SCREEN CAPTURE
Download
advertisement