Analysis of Information Security Threats for Virtual Private Networks VPLS Based on Network MPLS
Authors: Bel’fer R.A., Petrukhin I.S., Tepikin A.P. | Published: 08.02.2015
Published in issue: #1(100)/2015
DOI: 10.18698/0236-3933-2015-1-47-57
Category: Informatics, Computer Engineering and Control | Chapter: Methods and Systems of Information Protection, Information Security
Keywords: virtual private network (VPN), information security, virtual private LAN service (VPLS), virtual local area network (VLAN), multiprotocol label switching (MPLS), customer edge router (CE), provider edge router (PE), pseudowire (PW), provider router (P)
The authors analyze information security threats to a virtual private network (VPN) of the virtual private LAN service (VPLS) type. Two groups of VPLS threats are considered: 1) threats on the subscriber access segment between the customer edge (CE) router of the user LAN and the provider edge (PE) router of the MPLS network; 2) threats analogous to those in a virtual local area network (VLAN). For the user’s access segment into the MPLS transit network, the paper proposes an encryption scheme based on the algorithm adopted for the ISDN network and recommended by the International Telecommunication Union (ITU-T). For a number of threats of the second group (those analogous to VLAN threats), protection mechanisms implemented when configuring the VPLS network are proposed. These threats include denial-of-service (DoS) attacks on the spanning tree protocol (STP), insertion of a forged tag into the IEEE 802.1Q frame structure, DHCP server spoofing, overflow of the content-addressable memory (CAM) table of MAC addresses, and others. According to the available domestic and foreign publications and manuals (including documents of some foreign firms that were used to design VPLS networks on the communication networks of Russia), protection against these threats is not provided. The authors propose a protection mechanism against such threats that has been implemented on several corporate VPLS networks.
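As an added example (not code from the article or its authors), the following Python models the kind of per-port checks a VPLS access configuration enforces against the VLAN-type threats listed above: BPDUs arriving from a customer port (STP attacks), stacked 802.1Q tags (VLAN hopping via forged tags), a per-port MAC learning limit (CAM table overflow) and DHCP snooping that accepts server replies only from the PE uplink (rogue DHCP server). The port names, the MAC limit of 3, the set of uplink ports and every frame are constructed for the example.

```python
"""Simulated guard for a customer-facing VPLS/VLAN access port.

Added example, not code from the article. It models four checks that a
VPLS edge would enforce against the VLAN-type threats in the abstract:
BPDUs from a customer port (STP attacks), stacked 802.1Q tags (VLAN
hopping), a per-port MAC learning limit (CAM table overflow) and DHCP
snooping (rogue DHCP server). Port names, limits and frames are
constructed for this example.
"""
import struct
from collections import defaultdict

TPID_8021Q = 0x8100
ETH_IPV4 = 0x0800
IP_PROTO_UDP = 17
BPDU_DST = bytes.fromhex("0180c2000000")      # STP multicast destination address
MAC_LIMIT_PER_PORT = 3                        # assumed port-security limit
UPLINK_PORTS = {"pe-uplink"}                  # assumed: the only port facing the PE


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, payload, vlans=(), ethertype=ETH_IPV4):
    """Ethernet II frame with zero or more stacked 802.1Q tags (constructed)."""
    hdr = mac(dst) + mac(src)
    for vid in vlans:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def build_dhcp_udp(sport, dport):
    """Minimal IPv4+UDP payload; only the UDP ports matter for the snooping check."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IP_PROTO_UDP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + udp


def parse_frame(frame):
    """Return (dst, src, [vlan ids], ethertype, payload); tags are walked in order."""
    dst, src, off, vlans = frame[0:6], frame[6:12], 12, []
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vlans.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return dst, src, vlans, ethertype, frame[off + 2:]


class AccessPortGuard:
    def __init__(self):
        self.cam = defaultdict(set)   # port -> learned source MACs (the CAM view)

    def check(self, port, frame):
        """Return the list of policy violations for one frame received on `port`."""
        dst, src, vlans, ethertype, payload = parse_frame(frame)
        violations = []
        # 1) BPDU guard: a customer port must never inject STP frames
        if dst == BPDU_DST and port not in UPLINK_PORTS:
            violations.append("bpdu-on-access-port")
        # 2) VLAN hopping: more than one 802.1Q tag on an access frame
        if len(vlans) > 1:
            violations.append("double-tag")
        # 3) port security: refuse to learn beyond MAC_LIMIT_PER_PORT addresses
        learned = self.cam[port]
        if src not in learned:
            if len(learned) >= MAC_LIMIT_PER_PORT:
                violations.append("mac-limit")
            else:
                learned.add(src)
        # 4) DHCP snooping: server->client replies (UDP source port 67) only from uplinks
        if ethertype == ETH_IPV4 and len(payload) >= 28 and payload[9] == IP_PROTO_UDP:
            ihl = (payload[0] & 0x0F) * 4
            sport = struct.unpack_from("!H", payload, ihl)[0]
            if sport == 67 and port not in UPLINK_PORTS:
                violations.append("rogue-dhcp-server")
        return violations


def demo():
    """Run constructed frames through the guard and collect the verdicts."""
    guard = AccessPortGuard()
    bcast, dhcp, pad = "ff:ff:ff:ff:ff:ff", build_dhcp_udp(67, 68), b"\x00" * 28
    return {
        "legit": guard.check("cust-1", build_frame(bcast, "00:11:22:33:44:01", pad, vlans=(10,))),
        "double_tag": guard.check("cust-1", build_frame(bcast, "00:11:22:33:44:02", pad, vlans=(1, 20))),
        "rogue_dhcp": guard.check("cust-1", build_frame(bcast, "00:11:22:33:44:03", dhcp, vlans=(10,))),
        "trusted_dhcp": guard.check("pe-uplink", build_frame(bcast, "00:11:22:33:44:ff", dhcp, vlans=(10,))),
        "bpdu": guard.check("cust-3", build_frame("01:80:c2:00:00:00", "00:11:22:33:44:04", pad, ethertype=0x0026)),
        # MAC flooding: five fresh source addresses on one port, limit is 3
        "flood": [guard.check("cust-2", build_frame(bcast, f"02:00:00:00:00:{i:02x}", pad))
                  for i in range(5)],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} {verdict}")
```

The flood case shows why the per-port limit matters on a shared VPLS instance: once an attacker exhausts the CAM table, frames for unknown destinations are flooded to every site of the VPN, so the learning cap is applied per customer port rather than per switch.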
References
[1] Gol
[2] Alwayn V. Advanced MPLS design and implementation (CCIE professional development). Cisco Press, 2001. 496 p. (Russ. ed.: Oliveyn V. Struktura i realizatsiya sovremennoy tekhnologii MPLS [Design and implementation of modern technology MPLS]. Moscow, Vil’yams Publ., 2004. 480 p.).
[3] Bel’fer R.A., Petrukhin I.S. Analysis of sources of information security threats to MPLS-based VPRNs. Vestn. Mosk. Gos. Tekh. Univ. im. N.E. Baumana, Priborostr. [Herald of the Bauman Moscow State Tech. Univ., Instrum. Eng.], 2013, no. 4, pp. 79-89 (in Russ.).
[4] Bel’fer R.A. VPN MPLS security threats in the area between neighboring routers and IPSec protection. Elektrosvyaz
[5] Tanenbaum A., Wetherall D. Computer Networks. Prentice Hall, 5 Ed., 2010. 960 p. (Russ. ed.: Tanenbaum E., Uezeroll D. Komp’yuternye seti. SPb., Piter Publ., 2012. 954 p.).
[6] IEEE 802.1D. Media Access Control (MAC) Bridges. IEEE, 2011.
[7] IEEE 802.1Q. Media Access Control (MAC) Bridges and Virtual Bridged Local Area Networks. IEEE, 2013.
[8] Samoylenko N. DHCP snooping. WIKI-site on UNIX / LINUX-systems and systems with open source software (in Russ.). Available at: http://xgu.ru/wiki/DHCP_snooping (accessed 01.11.2014).
[9] Behringer M.H., Morrow M.J. MPLS VPN Security. Cisco Press, 2005. 312 p.
[10] ITU-T Recommendation X.509. Information technology - Open Systems Interconnection. The Directory: Authentication framework. ITU, 1993 ed., ver. 2. ITU, 1997 ed., ver. 3.
[11] ETSI ETS 300 841. Telecommunications Security; Integrated Services Digital Network (ISDN); Encryption Key Management System for Audiovisual Services. ETSI, 1998. 30 p. Available at: http://www.etsi.org/deliver/etsi_i_ets/300800_300899/300841/01_30_9742/ets_300841e01v.pdf (accessed 01.11.2014).
[12] Bel’fer R.A. Seti i sistemy svyazi (tekhnologii, bezopasnost’). Elektronnoe uchebnoe izdanie na CD-ROM [Communication networks and systems (technology, security). Electronic educational edition on CD-ROM]. Moscow, MGTU im. N.E. Baumana Publ., 2012. 738 p.