MPLS infrastructure ACL

Jan 14th, 2009

We have 6 remote branches that connect to the main site via MPLS.


The Main site has a connection to the Internet.


All of these branches use the Main site for their Internet access.


We recently had a security audit and they mentioned putting access-lists on the serial interfaces of all of the MPLS links.


If the remote branches are using the main site internet connection, the inbound traffic at the remote branch could be potentially from ANY ip address.


Is there any practical way to do what the audit suggests?

Jon Marshall Wed, 01/14/2009 - 04:47

Richard


Did they suggest which direction the acl should be applied in, and for what purpose these acls would be used?


If the remote sites have direct internet access via the main site, i.e. they do not use a proxy at the main site, then you are right in what you say, i.e.


from the branch to the main site the destination IP could be any

from the main site back to the branch the source IP could be any


Perhaps if you provided a bit more detail as to what the acls are meant to accomplish?


Jon

wilson_1234_2 Wed, 01/14/2009 - 07:43

My understanding is that it is to protect from any unwanted traffic from the WAN MPLS cloud from getting in and not so much from the Internet.


We have the Internet firewalled and an IPS in the ASA as well.




Giuseppe Larosa Wed, 01/14/2009 - 08:57

Hello Richard,

If you have bought a L3 MPLS VPN service you shouldn't receive unwanted traffic on the WAN MPLS unless the service provider makes a mistake and adds some other company's site to your VPN, or there is some worm/virus that has taken control of some PCs at remote sites.


These ACLs look like anti-spoofing ACLs: on the serial links you should accept only the expected source addresses:

the ip addresses of the subnets of your remote site(s).

This blocks infected PCs that are using spoofed addresses outside your address block from reaching the internet or your intranet, and it is seen as good practice.


Hope to help

Giuseppe


marikakis Thu, 01/15/2009 - 01:01

Hello,


I am not sure of the requirements for this scenario. Hoping to help, I will write down my thoughts on this so far. As far as I know:

1) The term "infrastructure" ACLs is typically used to refer to ACLs intended to protect your networking infrastructure in particular (e.g. make sure that someone from the internet cannot connect to your CE device or some other of your network devices). "Infrastructure" typically does not include end user PCs. Also, have in mind that a direct connection to your network device does not have to happen for someone to perform a DoS attack towards it (all that is needed is the capability to somehow use a destination IP address to send packets directly to the device from the internet, so the device IPs should be protected in advance. Post-measures are typically too late, while putting those ACLs in place is not too difficult).

2) L3 MPLS VPNs as a specification do not have an inherent security vulnerability. However, overall "security" depends more on the implementation of the specification and the configuration rather than the specification itself. Since you opened your VPN to the internet, it is good practice to cover your back with additional measures, such as infrastructure ACLs (if one part of the security chain breaks, there still exist other mechanisms to prevent total breaking in).

3) The same point mentioned in 2) holds for the firewall argument as well. Infrastructure ACLs are a good thing to have in place.

4) I think protecting the branches from the cloud might include protecting those from the internet (since branches connect to main and main connects to the internet). I think the protection from the internet is the most important issue (but it can include both directions of traffic to eliminate any possibilities).


Kind Regards,

M.


p.s. For more on infrastructure ACLs, you can have a look at the following document:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
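To make concrete what the two preceding replies describe (Giuseppe's anti-spoofing ACL that accepts only the branch's own source addresses, and the infrastructure ACL that shields the CE router's own addresses), here is an added example of a branch CE configuration. It is not from the thread or from any poster, and all addresses are assumed: branch LAN 10.1.1.0/24, CE loopback 10.255.0.1, CE-PE serial link 192.0.2.0/30 (PE 192.0.2.1, CE 192.0.2.2), main-site space 10.0.0.0/16, and a NOC management subnet 10.0.10.0/24. It also assumes the CE runs eBGP with the PE, which is why that session is permitted explicitly.

```cisco
! Constructed example, not from the original thread. Addresses are assumed.
!
! Inbound from the MPLS cloud. Because branch users reach the internet via the
! main site, return traffic can carry ANY source address, so the inbound list
! cannot whitelist sources; instead it denies what can never be legitimate.
ip access-list extended MPLS-IN
 remark --- anti-spoofing: nothing from the cloud may claim a branch-LAN source
 deny   ip 10.1.1.0 0.0.0.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 remark --- CE-PE control plane: assumed eBGP session with the PE
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
 remark --- infrastructure protection: only the NOC may manage this router
 permit tcp 10.0.10.0 0.0.0.255 host 10.255.0.1 eq 22
 permit icmp 10.0.0.0 0.0.255.255 host 10.255.0.1
 permit icmp 10.0.0.0 0.0.255.255 host 192.0.2.2
 deny   ip any host 10.255.0.1 log
 deny   ip any host 192.0.2.2 log
 remark --- user traffic (internet replies, main-site traffic) to the branch LAN
 permit ip any 10.1.1.0 0.0.0.255
 deny   ip any any log
!
! Outbound toward the cloud: only addresses that belong to this branch may leave.
! An infected PC forging a source outside the branch block is dropped here.
ip access-list extended MPLS-OUT
 permit ip 10.1.1.0 0.0.0.255 any
 permit ip host 10.255.0.1 any
 permit ip host 192.0.2.2 any
 deny   ip any any log
!
interface Serial0/0
 description MPLS link to provider PE (assumed interface name)
 ip address 192.0.2.2 255.255.255.252
 ip access-group MPLS-IN in
 ip access-group MPLS-OUT out
```

The `log` keyword on the deny entries is what makes these lists useful for detection as well as filtering: a hit on the anti-spoofing deny in MPLS-OUT points at a compromised host inside the branch, while a hit on the infrastructure deny in MPLS-IN shows someone in the cloud probing the CE itself. Check the counters with `show ip access-lists MPLS-IN` after deployment, and verify that the BGP session and NOC access still work before trusting the list on every branch.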
