Wednesday, March 20, 2013

Is MPLS Network Really Secure? MPLS truth revealed against security.

Is MPLS Network Really Secure? MPLS truth revealed against security.

There is a common misconception that MPLS provides some level of security.

The truth is that MPLS offers-

• No protection against misconfiguration -
Human and machine errors as well as OS bugs can result in MPLS traffic being misrouted.

• No protection from attacks within the core - MPLS is vulnerable to all the traditional WAN attack vectors.

• No protection or detection of sniffing/snooping - It is impossible to detect if someone is siphoning or replicating data - there is no “alarm” that goes off if data is being stolen.

• No Data Security - The data is left in the clear and can be accessed, replicated, or used by anyone who gains access to it.


The illustration above shows the components of an MPLS header. Note the absence of any security measures within the header itself.

• The Label Value provides forwarding information used by the routers.
• Traffic Class (TC) bits are used to provide services such traffic prioritization.
• The Stacking bit (S) allows multiple labels to be used.
• TTL is a “time to live” marker to allow packets to expire.

None of these mechanisms provide security.


Also note that the original IP packet is unchanged, which means with MPLS- your data traverses a shared network in the clear.

Hackers and Data Thieves know better!

There are papers and video tutorials readily available on the Internet that provide a “cook book” approach to sniffing and redirecting MPLS traffic. Here’s what Black Hat had to say about MPLS security claims:

Providers say: Traffic streams are kept separate.
Hackers know: The mechanism used to separate traffic can also be used to identify targets of interest!

Providers say: There are controls around provisioning and management.
Hackers know: Provisioning and management are to data security what traffic lights are to bank robbers - they do not prevent data theft!

Providers say: There are gateways between the Internet and the MPLS network.
Hackers know: Traffic is not accidentally leaking out to the Internet, it is being stolen right off the MPLS backbone!

Providers say: They use Netflow/J-Flow to identify ”malicious activity”.
Hackers know: Post-event notification is not a substitute for prevention!

No comments:

Post a Comment