The AT&T Seven Pillars of MPLS Security
Helping Protect Your Network
As networking evolves to meet sophisticated communications needs,
enhanced application performance becomes a strategic priority for
most enterprises. To support the complexity associated with changing
application requirements, many businesses are responding by converging
multiple networks onto a single IP/MPLS network. By providing voice,
data and video on the same network, IP maximizes network
infrastructure investments, simplifies control and administration and
facilitates the management of multiple applications. Security needs
to evolve with the demands of this new environment.
According to Tom Siracusa, Director of VPN Strategy at AT&T Labs, “In
a converged environment, the complexity of the network tends to grow
exponentially. Complexity means added security must be put in place
to manage that environment effectively. Security in the network is
critical and should be the first line of defense from security breaches.”
Staying Ahead of the Hackers
Viruses have moved from an occasional nuisance to a critical daily
concern for companies everywhere. Hackers create more than 200 new
viruses and worms every month, and these are becoming more sophisticated
and more resistant to anti-virus software. Privileged data in the network is
more exposed than ever to outside intruders, particularly as alternative
access methods like wireless continue to grow.
Keeping a corporate network secure is more than just installing firewall
technologies. Security in a converged environment is multi-faceted. It
should address all infrastructure layers, including physical transport,
the network and applications. To be effective, security measures must
be end-to-end, extending from the network to the customer application.
Some providers suggest that simply isolating corporate networks from
the Internet can guarantee security. However, avoiding the Internet
to prevent security issues can undermine the basic effectiveness and
productivity of business operations. Systems can be protected using a
combination of a secure, MPLS-enabled network, and a comprehensive
security plan that crosses all networking layers.
The Network is a Frontline Security Device
AT&T’s security starts within its Global Network, and extends to
customers and their applications. According to Ed Amoroso, AT&T’s
Chief Information Security Officer, “AT&T’s network is a major component
in the security model that customers are building for their businesses.”
To protect customer networks and services, AT&T uses a “defense
in depth” security architecture, with security built into every network
layer and every supporting process. The theory of “defense
in depth” is that if security fails at the first layer, an intruder still has
the second layer to contend with. The network is therefore difficult to
penetrate because many layers of security are built into every
system, process and piece of the network architecture.
No single layer of security can guard against information theft,
corruption, disclosure and denial of service. Unique security services
at each layer are needed to provide enhanced protection – preventing
unauthorized access and attempting to detect, respond and mitigate
the damage if access is achieved.
The Best Defense? Using Real-Time Data to Prevent Attacks
“The best defense companies have is to formulate proactive plans,
advanced networking and security solutions. This strategy can assess
risk and eradicate attacks that are brewing, long before they penetrate
the network,” states Amoroso. AT&T takes a preventative approach to
security, identifying, detecting and managing intrusions before they inflict
damage. AT&T collects, analyzes, interprets and communicates data to
customers in real time, enabling incident response. Traffic anomalies are
detected and cyber attacks are predicted in their early stages. This
advance notice enables customers to take quick remedial action to
contain and minimize the damage inflicted by an attack.
AT&T’s security architecture includes:
• Secure connectivity
• Perimeter security
• Intrusion management
• Identity management
• Policy management
• Monitoring and management
• Incident management
Security is viewed at both the macro level, addressing routers, firewalls
and gateways, and at the micro level, looking deep inside packets
traveling on the network.
Secure Customer Applications on the AT&T Global Network
AT&T has evolved to a single, global, Multi-Protocol Label Switching
(MPLS) enabled backbone over an intelligent optical core network.
MPLS, an industry standard, is the key technological component
underpinning this network evolution. Enabled by the new IP
Multimedia Subsystem (IMS) standard, AT&T’s traditional voice
network will convert to a packet-based architecture for transport over
our global MPLS backbone. The result? AT&T can support businesses’
migration to a converged environment with a range of networking
solutions to meet their needs.
Applications such as Voice over IP and Enterprise Resource Planning
(ERP) are designed to solve specific networking problems faced by
customers. These applications demand networking flexibility, quality of
service, and often require capabilities beyond those found on a private
network. How do businesses satisfy the networking requirements of
these applications while minimizing security risks?
MPLS adds significant reliability and performance capabilities, enabling
applications to perform and scale as business needs change. AT&T
is regarded as one of the MPLS industry leaders based on our early
and continuing work with the technology, and continues to pioneer
its use by offering a suite of MPLS-enabled virtual private networks (VPNs).
MPLS Facts
• MPLS separates the traffic of one business’s VPN from
another’s, avoiding potential security breaches from
unauthorized viewing and access
• MPLS enables Class of Service (CoS) to prioritize
network applications, eliminating the need to overprovision
for expected network utilization
• MPLS enables network scalability to accommodate new
applications and technology standards
• MPLS in the “core” network infrastructure enables
enhanced restoration, providing better performance
for applications
The combined force of MPLS in conjunction with AT&T’s multilayered
security protection ensures that businesses can utilize a secure
network that is flexible and scalable for future applications.
Does Your Provider Follow the Seven Pillars?
As IP networks are embedded in the critical processing of applications,
it is essential to ensure superior levels of carrier-grade security. With
the integration of MPLS, AT&T has developed a set of seven basic
security protection methods, or “pillars.” These pillars maintain a
constant security focus in all design, deployment, and operational
processes around our MPLS core network infrastructure. Does your
provider follow the principles of the Seven Pillars?
AT&T’s seven pillars of MPLS security include:
1. Separation
Customer traffic is separated using MPLS Virtual Private Networks,
assuring that data packets cannot leak from or to another customer’s VPN
or to other data traffic on the backbone.
• Containment: Traffic between customer-edge (CE) routers stays
inside that customer’s VPN. No spill-over can occur
• Isolation: No customer’s VPN can in any way materially impact or
influence the content or privacy of another customer’s VPN
• Availability: Denial of service activity injected from a CE router will
only impact that customer’s VPN services
• Simplicity: Through development and innovation, AT&T automated
provisioning, which improves security by reducing configuration
mistakes. MPLS also provides scalable provider architectures that
enable growth while reducing the router configuration changes that
could otherwise disrupt customers
To provide the highest level of security, most VPN customers are
connected to provider-edge devices that are physically separate from
those serving Internet customers. This architecture provides:
• VPN route uniqueness and segregation through the use of route
distinguishers, virtual routing and forwarding tables, and route targets
• VPN traffic segregation
• VPN membership controlled by automated provisioning systems
The network core is shared across the services, with reliability
achieved using:
• A Label Switched Core: Internet and VPN traffic is label switched
across the backbone
• Control Plane Protection: Backbone routers are neither visible to
nor reachable from external endpoints
• Data Plane Protection: VPN and Internet traffic are kept in separate
label switched paths so traffic can be differentiated in the core,
keeping VPN capacity protected if an Internet incident occurs
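The separation mechanisms named above (route distinguishers, VRF tables and route targets) can be modelled in a few lines. The following is an added example, not AT&T's code: it shows why two customers can both use 10.1.0.0/16 without their routes colliding, and includes a separation check of the kind an exception report would run. All ASN, RD and prefix values are constructed.

```python
# Added example (not AT&T's code): a toy model of the separation mechanisms
# named above. ASNs, RDs and prefixes are constructed for illustration.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Vpnv4Route:
    rd: str          # route distinguisher prepended to the IPv4 prefix
    prefix: str      # IPv4 prefix learned from the customer's CE router
    rts: frozenset   # route targets attached when the PE exports the route

@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: frozenset
    import_rts: frozenset
    local_prefixes: set = field(default_factory=set)

def export_vrf(vrf):
    """Ingress PE: each local prefix becomes a unique VPNv4 route (RD + prefix)."""
    return [Vpnv4Route(vrf.rd, p, vrf.export_rts) for p in vrf.local_prefixes]

def import_vrf(vrf, vpnv4_table):
    """Egress PE: a VRF installs only routes carrying one of its import RTs."""
    return {(r.rd, r.prefix) for r in vpnv4_table if r.rts & vrf.import_rts}

def check_separation(vrfs, vpnv4_table):
    """Exception report: VRFs that would install a route with another VRF's RD.
    Anything listed here is a cross-customer import that must be intentional."""
    return [(v.name, rd, p) for v in vrfs
            for rd, p in sorted(import_vrf(v, vpnv4_table)) if rd != v.rd]

def demo():
    # Customers A and B both use 10.1.0.0/16; the RD keeps their routes distinct.
    a = Vrf("cust-a", "65000:100", frozenset({"65000:100"}),
            frozenset({"65000:100"}), {"10.1.0.0/16"})
    b = Vrf("cust-b", "65000:200", frozenset({"65000:200"}),
            frozenset({"65000:200"}), {"10.1.0.0/16"})
    # VRF C mistakenly imports A's route target; the report catches it.
    c = Vrf("cust-c", "65000:300", frozenset({"65000:300"}),
            frozenset({"65000:300", "65000:100"}))
    table = export_vrf(a) + export_vrf(b) + export_vrf(c)
    return len(table), import_vrf(a, table), import_vrf(b, table), \
        check_separation([a, b, c], table)
```

Real PE routers carry the RD and RTs as VPNv4 BGP attributes; the model keeps only the fields that decide which VRF a route lands in.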
2. Automation
Automated perimeter security tools protect AT&T’s MPLS core, ensuring
that customer-edge (CE) to provider-edge (PE) routes are properly
managed and represented.
• Filtering: AT&T uses automated provisioning and management of its
access control lists (ACLs) on all AT&T provider-edge (PE) routers
• Least Privilege: Infrastructure routers and PE interfaces are
hardened by turning off, or severely restricting, unnecessary
protocols and ports
• TACACS+ Authentication for authorized AT&T technicians: TACACS+
(Terminal Access Controller Access Control System), a mechanism for
enforcing access control and authentication on any device, is used to
time out, limit and lock out users after multiple failed access attempts.
All access to AT&T network elements is controlled by a TACACS+
authentication system, with a strict hierarchy enforced over which
technicians are allowed access to which commands. All changes are
logged on secure, high-capacity log servers to help ensure security
and accountability.
3. Monitoring
Net-flow monitoring of IP traffic provides early warning of Internet viruses
and worms. A critical component of managing large-scale network
traffic is the capture, monitoring and analysis of traffic flow data to detect
trends and anomalies such as worms and viruses. This monitoring
provides unique protection benefits for the MPLS network in two ways:
(1) it allows security teams to take steps toward appropriate filtering,
and (2) it reduces risk in the core by using the monitoring system to
detect any probes aimed at MPLS core address space.
• External Access: AT&T also monitors any external access to its core
address space from the Internet on a 24x7 basis
• Analysis: The world-class statisticians at AT&T continue to make
great strides in algorithms for security anomaly detection
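As an added example (not AT&T's code or monitoring system), the logic below runs the second benefit described above over a handful of constructed NetFlow-like records: any external source that reaches the provider's core address space is reported, and a source touching several core ports is classified as a probe. The core range, the sample flows and the port threshold are all constructed.

```python
# Added example (not AT&T's code): flow-record analysis of the kind described
# above, flagging external sources that reach the provider's core address
# space. The core range, the flow records and the threshold are constructed.
import ipaddress
from collections import defaultdict

CORE_SPACE = [ipaddress.ip_network("192.0.2.0/24")]  # constructed core range
SCAN_PORT_THRESHOLD = 3  # distinct core ports from one source before "scan"

# Constructed NetFlow-like records: src,dst,proto,dport,packets
SAMPLE_FLOWS = """\
198.51.100.7,192.0.2.10,tcp,22,3
198.51.100.7,192.0.2.10,tcp,23,3
198.51.100.7,192.0.2.11,tcp,179,2
198.51.100.7,192.0.2.12,tcp,161,1
203.0.113.9,192.0.2.10,tcp,179,40
203.0.113.9,198.51.100.20,tcp,443,120
"""

def in_core(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CORE_SPACE)

def parse_flows(text):
    recs = []
    for line in text.strip().splitlines():
        src, dst, proto, dport, pkts = line.split(",")
        recs.append({"src": src, "dst": dst, "proto": proto,
                     "dport": int(dport), "packets": int(pkts)})
    return recs

def core_touches(records):
    """Map each external source to the (core host, port) pairs it reached."""
    touches = defaultdict(set)
    for r in records:
        if in_core(r["dst"]) and not in_core(r["src"]):
            touches[r["src"]].add((r["dst"], r["dport"]))
    return dict(touches)

def alerts(records):
    """One alert per external source: 'scan' when it probed several ports
    on core space, 'touch' for any other external access to the core."""
    out = []
    for src, pairs in sorted(core_touches(records).items()):
        ports = {port for _, port in pairs}
        kind = "scan" if len(ports) >= SCAN_PORT_THRESHOLD else "touch"
        out.append((src, kind, len(pairs)))
    return out
```

Flows between customer addresses (the 443 record above) never enter the report, which is what keeps this check focused on the core rather than on customer traffic.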
4. Control
AT&T enforces strict operational security controls in its MPLS core.
• Processes: AT&T’s operations follow mature Methods and
Procedures (M&Ps) that are derived from decades of best practices
in operating customer networks
• Certification: AT&T’s operations are certified to the best industry
standards, wherever appropriate, and are compliant with the National
Reliability Industry Consortium (NRIC) certification requirements
• Root Cause Analysis: All incidents are subject to comprehensive
Root Cause Analysis steps to ensure process improvements following
any operational policy violations
5. Testing
AT&T ensures security compliance with testing, audits and reviews.
• Testing: Experts constantly perform intrusion detection,
audits and penetration testing against the server complexes for
network management, customer care and service support
– Because customer MPLS VPNs are configured by
an automated provisioning system, changes or
discrepancies in router configuration are detected
by regular exception reports
• Auditing: Ongoing independent audits confirm
compliance with the AT&T Security Policy Requirements
• Reviews: All processes have embedded controls that require
expert security reviews
6. Response
AT&T’s security specialists’ rapid response mitigates risk.
• Tiered Response: Incidents are dealt with via a mature tiered
response infrastructure that includes senior security and
operations experts
• Proactive Indicators: The AT&T Computer Security Incident
Response Team acts routinely in a proactive manner on indicators
that typically precede any customer-visible problems
• Innovative Customer Notification Service: AT&T has extended this
capability to customers through a novel notification service that
brings its 24x7 knowledge to customer-specific environments
– AT&T offers a service called AT&T Internet Protect (SM), in which
real-time indicators of anomalous behavior or detected
security events are provided to clients on a 24/7 basis
©2006 AT&T Knowledge Ventures. All rights reserved. 09/11/06 AB-0276-01
7. Innovation
AT&T funds extensive MPLS security research and is heavily involved in
industry standards bodies where MPLS innovations are taking place.
• Security is a key focus area of AT&T’s research laboratory, which
finds new techniques for protecting customer traffic and systems
• AT&T remains committed to networking, security and MPLS research
Trust Your Security to AT&T
“AT&T has a long legacy of security,” states Amoroso. “We have the
necessity to protect our own core IP backbone for customers, and
have taken that capability and developed it into core products. Products
that really answer the need to address a defense in depth architecture,
all the way from the information level to the network level.”
AT&T offers a complete range of security, availability and recovery
services that provide businesses with integrated business continuity
solutions to support complex networking requirements.
Glossary
Route Distinguisher – Qualifies a VPN’s IPv4 routes
Virtual Routing and Forwarding Tables – Tables in which a VPN’s routes
are stored
Route Targets – Used to control iBGP distribution of a VPN’s routes
to its virtual routing and forwarding tables
For more information visit AT&T’s Networking Exchange, at
www.att.com/networkingexchange.