SECURITY CONTROLS FOR AN ENERGY SCIENCE DMZ Robert Marcoux 01/13/2013.


2 Copyright © 2012 Juniper Networks, Inc.

SCIENCE DMZ REQUIREMENTS

The Science DMZ Model addresses several key issues in data-intensive science, including:
- Reducing or eliminating the packet loss that causes poor TCP performance
- Implementing appropriate security architectures and controls so that high-performance applications are not hampered by unnecessary constraints
- Providing an on-ramp for local science resources to access wide-area science services, including virtual circuits, software-defined networking environments, and 100 Gigabit infrastructures
- Incorporating network testing, network measurement, and performance analysis through the deployment of perfSONAR

3 SECURITY CONTROLS

4 SECURITY CONTROLS – AGGRESSIVE FILTERING

Firewall Filters
- Firewall Filters are a tool for controlling and restricting access to network resources.
- A Firewall Filter examines the Layer 3 and Layer 4 headers on a packet-by-packet basis. Based on the configured rules (terms), a Firewall Filter decides whether the router forwards or drops the packet.
- Firewall Filters are stateless: they differ from a stateful firewall, which also examines the packet's payload and tracks the state of TCP sessions. Firewall Filters use the data obtained by the Internet Processor ASIC on the Packet Forwarding Engine, so the filtering happens in the forwarding plane rather than on the Routing Engine.

Filter-Based Forwarding (Policy-Based Routing)
- Filter-based forwarding allows you to control next-hop selection for traffic by defining input packet filters that examine the fields in a packet's header. If a packet satisfies the match conditions of the filter, the packet is forwarded using the routing instance specified in the filter's action statement.

5 SECURITY CONTROLS – REMOTELY TRIGGERED BLACK HOLE (RTBH)

Destination-based RTBH
- Requires pre-configuration of a discard route on all edge routers
- Monitoring via a separate mechanism identifies the destination (target) of the attack
- The monitoring/trigger router injects a route for the target prefix whose next hop is the discard route
- A BGP community is used to distribute the discard route to the edge routers
- Edge routers drop all traffic to the target, taking it completely offline
- The attack "completes" (the target is unreachable), but collateral damage to other customers and links is limited

Source-based RTBH (S-RTBH)
- Match behavior and filtering action defined in RFC 5635
- Requires pre-configuration of a discard route on all edge routers
- Monitoring identifies the source(s) of the attack and injects a route for the source prefix pointing at the discard next hop
- A BGP community is used to distribute the discard route
- Edge routers drop traffic from the attacking source(s) via uRPF; unlike destination-based RTBH, the target stays reachable
- Each participating router takes one of two actions, depending on its capabilities:
  - Strict uRPF: for each packet, look up the source address in the FIB; forward only if the best route to the source points back out the interface the packet arrived on, otherwise discard
  - Loose uRPF: for each packet, look up the source address in the FIB; forward if any route to the source exists and is not a discard route, otherwise discard
- S-RTBH relies on loose uRPF treating a discard next hop as a failed check. Strict mode gives false positives wherever routing is asymmetric (multi-homed peers, multiple upstreams), so loose mode is the usual choice at a peering edge.

Junos Implementation
- 12.1: T-series uRPF loose mode recognizes the discard next-hop behavior
- 12.2: MX uRPF loose mode recognizes the discard next-hop behavior
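The two RTBH variants and the strict/loose uRPF distinction above, as an added example in Python. This is not Juniper code and not from the slides: it is a toy FIB with longest-prefix match in which a blackhole trigger is modelled as a host route whose next hop is the discard route. The prefixes, interface names and next-hop labels are constructed for the example.

```python
"""Added example, not from the slides or from Juniper: a toy FIB with
longest-prefix match showing destination-based RTBH (route the victim
prefix to a discard next hop) and source-based RTBH (route the attacker
prefix to discard and let loose uRPF drop it), per RFC 5635.  The
prefixes, interface names and next-hop labels are constructed; 'discard'
stands for the pre-configured discard route."""
import ipaddress

DISCARD = "discard"

# Constructed FIB of an edge router: (prefix, next hop, outgoing interface).
# ge-0/0/0 faces the upstream, ge-0/0/1 and ge-0/0/2 face two customers.
BASE_FIB = [
    ("0.0.0.0/0",       "upstream", "ge-0/0/0"),
    ("198.51.100.0/24", "cust-a",   "ge-0/0/1"),
    ("203.0.113.0/24",  "cust-b",   "ge-0/0/2"),
]


def lookup(fib, addr):
    """Longest-prefix match: returns (network, next_hop, iface) or None."""
    a = ipaddress.ip_address(addr)
    best = None
    for prefix, nh, iface in fib:
        net = ipaddress.ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return best


def trigger_blackhole(fib, prefix):
    """What the trigger router's BGP announcement achieves on every edge:
    a route for `prefix` whose next hop is the discard route.  In
    production the route carries the blackhole community and policy maps
    that community to next-hop discard; here it goes straight into the FIB."""
    fib.append((prefix, DISCARD, None))


def urpf_pass(fib, src, in_iface, mode):
    """Loose mode: some FIB route covers the source and it is not a discard
    route.  Strict mode: the best route to the source must also point back
    out the interface the packet arrived on.  This toy counts the default
    route as a valid route, so with a default route present loose mode only
    fails for sources covered by a discard route (the S-RTBH case); real
    routers have knobs for how the default route is treated."""
    entry = lookup(fib, src)
    if entry is None or entry[1] == DISCARD:
        return False
    if mode == "strict":
        return entry[2] == in_iface
    return True


def forward(fib, src, dst, in_iface, urpf_mode=None):
    """Forwarding decision for one packet: 'forward' or 'drop:<reason>'."""
    if urpf_mode and not urpf_pass(fib, src, in_iface, urpf_mode):
        return "drop:urpf"
    entry = lookup(fib, dst)
    if entry is None:
        return "drop:noroute"
    if entry[1] == DISCARD:
        return "drop:rtbh"
    return "forward"


def demo():
    """Walk through D-RTBH, S-RTBH and the strict-mode caveat."""
    results = {}
    fib = list(BASE_FIB)
    results["normal"] = forward(fib, "198.51.100.10", "203.0.113.5", "ge-0/0/1")
    trigger_blackhole(fib, "203.0.113.5/32")            # D-RTBH: victim goes offline
    results["d_rtbh_victim"] = forward(fib, "198.51.100.10", "203.0.113.5", "ge-0/0/1")
    results["d_rtbh_neighbor"] = forward(fib, "198.51.100.10", "203.0.113.6", "ge-0/0/1")

    fib = list(BASE_FIB)
    trigger_blackhole(fib, "192.0.2.77/32")             # S-RTBH: attacker source
    results["s_rtbh_attacker"] = forward(fib, "192.0.2.77", "203.0.113.5", "ge-0/0/0", "loose")
    results["s_rtbh_other"] = forward(fib, "192.0.2.78", "203.0.113.5", "ge-0/0/0", "loose")
    # Spoofed customer-B source arriving from upstream: strict drops it,
    # loose lets it through because a route to the source exists.
    results["strict_spoof"] = forward(fib, "203.0.113.9", "198.51.100.10", "ge-0/0/0", "strict")
    results["loose_spoof"] = forward(fib, "203.0.113.9", "198.51.100.10", "ge-0/0/0", "loose")
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

The "loose_spoof" case is the point of the strict/loose caveat: loose uRPF alone does not stop spoofing, it only enforces the discard routes you inject, which is exactly what S-RTBH needs and no more.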

6 JFLOW MONITORING: VERSIONS AND AVAILABILITY

RE-based monitoring
- Sampled packets are sent to the RE
- The RE generates the flow records
- Flow v5 and v8 are supported
- Performance is ~7 Kpps

Service PIC-based monitoring
- Sampled packets are sent to a PIC
- The PIC generates the flow records
- Flow v5, v8 and v9 are supported (v9 for IPv4, IPv6, MPLS)
- Performance starts from 1 Mpps (IPv4)

Forwarding plane/Trio-based monitoring
- All processing is done inside Trio (including flow record generation)
- IPFIX (the version after v9), IPv4 only
- Performance is line rate (no sampling needed)

7 SECURITY CONTROLS – BGP FLOWSPEC (RFC 5575)

BGP Flowspec
- A Border Gateway Protocol Network Layer Reachability Information (BGP NLRI) encoding format that can be used to distribute traffic flow specifications. This allows the routing system to propagate information regarding more specific components of the traffic aggregate defined by an IP destination prefix.
- The information is carried via BGP, thereby reusing protocol algorithms, operational experience, and administrative processes such as inter-provider peering agreements.
- Flowspec addresses the limitations of existing solutions (such as destination-only RTBH) by letting the "flow"-based NLRI carry a complete traffic filtering rule, with the action to take on matching traffic (discard, rate-limit, redirect, mark) carried in BGP extended communities.
- Since a new address family is defined, filtering information is separated from the routing information (and in fact is kept in a separate RIB: instance-name.inetflow.0).
- Provides a tool for network operators to react quickly to DDoS attacks, saving valuable time between identification of the attack and implementation of the various remediation schemes.
- Caveat: RFC 5575 (section 6) says a flowspec route should only be accepted when its originator also originates the best unicast route for the destination prefix it covers. Keep that validation on for routes learned from peers and relax it only for your own trusted controller; otherwise a peer can filter traffic it does not own.

8 WHAT IS IN THE BGP FLOW SPEC NLRI?

A Flow Specification NLRI is defined which may include several components in order to identify particular flows.
- The NLRI field of the MP_REACH_NLRI and MP_UNREACH_NLRI attributes is encoded as a 1- or 2-octet NLRI length field followed by a variable-length NLRI value.
- The NLRI length is expressed in octets: a single octet if the length is below 240 (0xf0), otherwise two octets whose most significant nibble is all ones.

| length (0xnn or 0xfn nn) | NLRI value (variable) |

Component types:
- Type 1 – Destination Prefix
- Type 2 – Source Prefix
- Type 3 – IP Protocol
- Type 4 – Port (source or destination)
- Type 5 – Destination Port
- Type 6 – Source Port
- Type 7 – ICMP Type
- Type 8 – ICMP Code
- Type 9 – TCP Flags
- Type 10 – Packet Length
- Type 11 – DSCP
- Type 12 – Fragment Encoding

Components must appear in strictly increasing type order, and each type at most once.
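The NLRI layout above, as an added example in Python: an encoder and decoder for the flow specification NLRI. This is not Juniper code and not from the slides; the type numbers, length encoding and numeric-operator bit layout are taken from RFC 5575, while the sample rule is constructed for the example.

```python
"""Added example, not from the slides or from Juniper: encoder and decoder
for the BGP Flowspec NLRI of RFC 5575 section 4.  Component type numbers,
the length encoding and the numeric-operator bit layout are from the RFC;
the sample rule is constructed.  IPv4 only; the bitmask operator used by
types 9 and 12 is not modelled."""
import ipaddress
import struct

DEST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
PREFIX_TYPES = {DEST_PREFIX, SRC_PREFIX}
# Numeric operator octet: bit7 end-of-list, bit6 AND-with-previous,
# bits5-4 value length (1/2/4/8 octets), bit2 lt, bit1 gt, bit0 eq.
OP_BITS = {"==": 1, ">": 2, ">=": 3, "<": 4, "<=": 5, "!=": 6}
OP_SYMS = {v: k for k, v in OP_BITS.items()}


def _encode_prefix(ctype, prefix):
    """Type octet, prefix length in bits, then only the significant octets."""
    net = ipaddress.ip_network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def _encode_numeric(ctype, ops):
    """ops: [(op, value), ...].  A leading '&' ANDs a term with the previous
    one; otherwise consecutive terms are ORed."""
    out = bytearray([ctype])
    for i, (op, value) in enumerate(ops):
        and_bit = 0x40 if op.startswith("&") else 0
        lenbits, fmt = (0, ">B") if value < 0x100 else (1, ">H") if value < 0x10000 else (2, ">I")
        end_bit = 0x80 if i == len(ops) - 1 else 0
        out.append(end_bit | and_bit | (lenbits << 4) | OP_BITS[op.lstrip("&")])
        out += struct.pack(fmt, value)
    return bytes(out)


def encode_nlri(components):
    """components: {type: prefix string | [(op, value), ...]}.  Types are
    emitted in ascending order as the RFC requires.  The length is one
    octet below 240 and two octets with the top nibble set otherwise."""
    body = b"".join(_encode_prefix(t, v) if t in PREFIX_TYPES else _encode_numeric(t, v)
                    for t, v in sorted(components.items()))
    if len(body) < 0xF0:
        return bytes([len(body)]) + body
    return struct.pack(">H", 0xF000 | len(body)) + body


def decode_nlri(data):
    """Inverse of encode_nlri.  Returns (components, octets consumed) and
    rejects out-of-order or repeated component types, which the RFC forbids;
    a receiver that skipped that check could be fed a rule it misparses."""
    if data[0] >= 0xF0:
        length, pos = struct.unpack(">H", data[:2])[0] & 0x0FFF, 2
    else:
        length, pos = data[0], 1
    end, comps, last_type = pos + length, {}, 0
    while pos < end:
        ctype, pos = data[pos], pos + 1
        if ctype <= last_type:
            raise ValueError("component types must be strictly increasing")
        last_type = ctype
        if ctype in PREFIX_TYPES:
            plen, pos = data[pos], pos + 1
            if plen > 32:
                raise ValueError("IPv4 prefix length out of range")
            nbytes = (plen + 7) // 8
            raw = bytes(data[pos:pos + nbytes]) + bytes(4 - nbytes)
            comps[ctype], pos = str(ipaddress.IPv4Network((raw, plen))), pos + nbytes
        else:
            ops = []
            while True:
                op, pos = data[pos], pos + 1
                vlen = 1 << ((op >> 4) & 0x3)
                value, pos = int.from_bytes(data[pos:pos + vlen], "big"), pos + vlen
                ops.append((("&" if op & 0x40 else "") + OP_SYMS.get(op & 0x7, "?"), value))
                if op & 0x80:
                    break
            comps[ctype] = ops
    if pos != end:
        raise ValueError("component ran past the NLRI length")
    return comps, end


# Constructed rule: all DNS (UDP/53) from one source host, as on slide 13.
DNS_FROM_ATTACKER = {SRC_PREFIX: "192.0.2.77/32", IP_PROTO: [("==", 17)], DST_PORT: [("==", 53)]}

if __name__ == "__main__":
    wire = encode_nlri(DNS_FROM_ATTACKER)
    print(wire.hex())                 # 0c0220c000024d038111058135
    print(decode_nlri(wire))
```

A port range such as 1024-65535 becomes two terms, ">=" 1024 followed by "&<=" 65535, which is how the AND bit chains terms into one condition.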

9 FLOW ROUTE ORIGINATION

There are a couple of options:
- Configure static flow routes from a central control point (RR or IRCP) or from distributed control points (PE or peering edge)
- Have an external detection/mitigation system inject them; supported today by Arbor Networks

Flow routes are automatically advertised by BGP once the flow NLRI control plane is established.

10 BGP ADDRESS FAMILY: FLOW-SPEC

A flow-spec "route" includes information about the action that should be taken for matching traffic (carried in BGP extended communities):
- Drop the packet (traffic-rate community with a rate of 0)
- Sample the packet for CFLOW export (traffic-action community)
- Rate-limit traffic to a rate included in the BGP update (traffic-rate community)
- Mark traffic with a DSCP value included in the BGP update (traffic-marking community)
- Redirect traffic into a VRF routing instance specified by the BGP update (redirect community, carrying a route target)
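The action side of a flow-spec route, as an added example in Python. This is not Juniper code and not from the slides: it builds and decodes the RFC 5575 extended communities listed above, evaluates a rule's match components against a packet, and returns the action a router would apply. The AS number, route target, rules and packets are constructed; rules are tried in list order rather than with the RFC's section 5.1 ordering, and only IPv4 is handled.

```python
"""Added example, not from the slides or from Juniper: the action side of a
flow-spec route.  Builds and decodes the RFC 5575 extended communities
(traffic-rate for drop / rate-limit, traffic-action for sampling, redirect
to a VRF, traffic-marking for DSCP), evaluates a rule's match components
against a packet, and returns the action a router would apply.  The AS
number, route target, rules and packets are constructed; IPv4 only; rules
are tried in list order, not with the RFC section 5.1 ordering."""
import ipaddress
import struct

# Sub-types of the flow-spec extended communities (type octet 0x80).
TRAFFIC_RATE, TRAFFIC_ACTION, REDIRECT, TRAFFIC_MARKING = 0x06, 0x07, 0x08, 0x09
DEST_PREFIX, SRC_PREFIX, IP_PROTO, DST_PORT, SRC_PORT = 1, 2, 3, 5, 6
FIELD = {DEST_PREFIX: "dst", SRC_PREFIX: "src", IP_PROTO: "proto",
         DST_PORT: "dport", SRC_PORT: "sport"}


def traffic_rate(asn, bytes_per_second):
    """Sub-type 0x06: 2-octet AS, then the rate as a float; 0 means drop."""
    return struct.pack(">BBHf", 0x80, TRAFFIC_RATE, asn, bytes_per_second)


def traffic_action(sample=False, terminal=False):
    """Sub-type 0x07: 6-octet bitmask, bit 46 = sample, bit 47 = terminal."""
    return struct.pack(">BB5xB", 0x80, TRAFFIC_ACTION, (int(sample) << 1) | int(terminal))


def redirect(asn, assigned):
    """Sub-type 0x08: a route target (AS:number) naming the VRF to redirect into."""
    return struct.pack(">BBHI", 0x80, REDIRECT, asn, assigned)


def traffic_marking(dscp):
    """Sub-type 0x09: DSCP in the low six bits of the last octet."""
    return struct.pack(">BB5xB", 0x80, TRAFFIC_MARKING, dscp & 0x3F)


def decode_action(communities):
    """Fold the extended communities of one route into a single action dict."""
    action = {"action": "accept"}
    for ec in communities:
        if len(ec) != 8 or ec[0] != 0x80:
            continue                     # not a flow-spec community
        sub = ec[1]
        if sub == TRAFFIC_RATE:
            rate = struct.unpack(">f", ec[4:8])[0]
            action["action"] = "discard" if rate == 0 else "rate-limit"
            action["rate_bytes_per_second"] = rate
        elif sub == TRAFFIC_ACTION:
            action["sample"] = bool(ec[7] & 0x02)
        elif sub == REDIRECT:
            action["action"] = "redirect"
            action["target"] = "%d:%d" % struct.unpack(">HI", ec[2:8])
        elif sub == TRAFFIC_MARKING:
            action["dscp"] = ec[7] & 0x3F
    return action


def matches(components, pkt):
    """True if the packet satisfies every component.  Numeric terms form
    OR-ed groups of AND-ed terms; a '&' prefix on the operator ANDs the term
    with the previous one."""
    for ctype, spec in components.items():
        val = pkt[FIELD[ctype]]
        if isinstance(spec, str):        # prefix component
            if ipaddress.ip_address(val) not in ipaddress.ip_network(spec):
                return False
            continue
        groups = []
        for op, v in spec:
            term = {"==": val == v, ">": val > v, ">=": val >= v, "<": val < v,
                    "<=": val <= v, "!=": val != v}[op.lstrip("&")]
            if op.startswith("&") and groups:
                groups[-1] = groups[-1] and term
            else:
                groups.append(term)
        if not any(groups):
            return False
    return True


def lookup_action(flow_rib, pkt):
    """First matching flow route wins; no match means normal forwarding."""
    for components, communities in flow_rib:
        if matches(components, pkt):
            return decode_action(communities)
    return {"action": "accept"}


# Constructed flow RIB: the slide 13 rule (DNS from host A redirected to the
# scrubber VRF, sampled) and a rate limit on web traffic to one customer.
FLOW_RIB = [
    ({SRC_PREFIX: "192.0.2.77/32", IP_PROTO: [("==", 17)], DST_PORT: [("==", 53)]},
     [redirect(64512, 100), traffic_action(sample=True)]),
    ({DEST_PREFIX: "203.0.113.0/24", IP_PROTO: [("==", 6)], DST_PORT: [("==", 80), ("==", 443)]},
     [traffic_rate(64512, 1_250_000.0)]),
]
```

Note that the rate is a single-precision float in bytes per second, so a limit expressed in bits per second has to be divided by eight before it goes on the wire.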

11 FLOW-SPEC EXAMPLE

A flow-spec route is advertised into the network: all web traffic from host A to host B should be dropped.
Matching traffic is automatically dropped by the first router that sees the data.
Flow-spec route: Host A to Host B, TCP, HTTP: Drop
(diagram: hosts A and B)

12 SECURE CLEAN ROUTING USING BGP (SCRUB)

- Traffic matching flow-spec routes can be redirected, not just dropped
- Create tunnels (such as MPLS LSPs) from every router to a special scrubber router
- Traffic matching the flow-spec routes is redirected into the tunnels
- The scrubber router directs the traffic through security devices that inspect it
- Clean traffic is released back into the network

13 SECURE CLEAN ROUTING USING BGP (SCRUB)

A flow-spec route is currently advertised that selects all traffic from host A matching UDP port 53 (DNS).
Matching traffic is tunneled to the SCRUBnet router and fully inspected.
Legitimate traffic is released back into the network and routed normally to host B.
Flow-spec route: Source: Host A, UDP, DNS: Redirect
(diagram: hosts A and B)

14 SECURE CLEAN ROUTING USING BGP (SCRUB)

Traffic that doesn't match any active flow-spec route is routed normally.
No impact to non-suspect traffic.
Flow-spec route: Source: Host A, UDP, DNS: Redirect
(diagram: hosts A and B)

15 ADDITIONAL SECURITY CONTROLS – SERVICES DPC/MPC

Services DPC/MPC: security controls that can be scaled across multiple services blades instead of being processed in the RE (better performance, scalable):
- Stateful firewall
- NetFlow (offloaded)
- Full IPS
- IPsec tunnels

16 SECURITY CONTROLS DEVELOPMENT – JUNOS SDK

JUNOS Software Development Kit (SDK)
- Applications run on either a Routing Engine or a services module, and so can be thought of as being either Routing Engine applications or service applications, respectively.
- Routing Engine applications run on the control plane. Typically, these applications perform network management and protocol signaling. They also initiate servers. Positioned on the control plane, Routing Engine applications can coordinate other subsystems and services. A Routing Engine is always present in any device, so these applications are always deployable without the addition of any extra hardware or software.
- Service applications run on the services plane. The services plane is specialized to enable high-performance, customized, and stateful packet processing on the transit or monitored traffic selected for servicing. Service applications may also perform operations similar to Routing Engine applications, but such activities typically supplement packet processing.
- On some of the smaller Juniper Networks devices, physical modules do not necessarily plug in to a chassis; rather, a single box contains the necessary hardware. Nonetheless, applications are still supported in the control and services planes, and the Routing Engine and services module terminology still applies.

17 PROTECTING THE ROUTING ENGINE

18 PROTECTING THE ROUTING ENGINE

- Firewall filter, applied to the loopback (lo0) interface, which is the path all host-bound traffic takes to the Routing Engine
- Using prefix-lists to group hosts or networks
- Using apply-path to build dynamic prefix-lists (for example from the configured BGP neighbors)
- Using policers to rate-limit traffic
- Firewall filters must be told in which direction to inspect traffic; there are two directions in which to apply a filter:
  - Input: packets are matched against the firewall filter as they enter the interface from the network.
  - Output: packets are matched against the firewall filter as they leave the interface, before reaching the network.
- Caveat: a firewall filter ends with an implicit discard, so the lo0 filter must explicitly accept everything the Routing Engine legitimately needs (routing protocol sessions, management access, ICMP, and the DNS/NTP/RADIUS replies to the router's own queries) before its final term. Test the filter with a counting or logging last term before switching it to discard.

19 DDOS PROTECTION

To protect against DDoS attacks, you can configure policers for host-bound exception traffic. The policers specify rate limits for individual types of protocol control packets or for all control packet types of a protocol. You can monitor policer actions for packet types and protocol groups at the level of the router, the Routing Engine, and the line cards. You can also control logging of policer events.

The policers at the Trio MPC are the first line of protection. Control traffic is dropped when it exceeds any configured policer value or, for unconfigured policers, the default policer value. Each violation generates a notification to alert operators to a possible attack. The violation is counted, the time the violation starts is noted, and the time of the last observed violation is noted. When the traffic rate drops below the bandwidth violation threshold, a recovery timer determines when the traffic flow is considered to have returned to normal. If no further violation occurs before the timer expires, the violation state is cleared and a notification is generated.

DDoS policers are present at three levels: one at the Trio chipset, two at the line card, and two at the Routing Engine. The default rates are deliberately generous; tune the per-protocol limits to what the box actually needs and watch the violation notifications, since a limit set too low drops legitimate routing-protocol traffic just as effectively as an attack would.
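The policer behaviour described above, as an added example in Python. This is not Juniper code and not from the slides: it simulates per-protocol-group token-bucket policers arranged in the chipset, line card and Routing Engine chain, with the violation bookkeeping and the recovery timer that clears the violation state. Rates, burst sizes and the packet timeline are constructed for the example and are not Junos defaults.

```python
"""Added example, not from the slides or from Juniper: a simulation of
host-bound (exception) traffic policing with per-protocol-group token
buckets in the chipset -> line card -> Routing Engine chain, violation /
last-violation bookkeeping and a recovery timer that clears the violation
state.  Rates, bursts and the packet timeline are constructed and are not
Junos defaults."""


class DdosPolicer:
    """Token-bucket policer for one protocol group at one level.  `rate` is
    packets per second, `burst` is packets; `recover_time` is how long the
    group must stay clean before the violation is cleared and a 'cleared'
    notification is raised."""

    def __init__(self, level, group, rate, burst, recover_time=300.0):
        self.level, self.group = level, group
        self.rate, self.burst, self.recover_time = rate, burst, recover_time
        self.tokens, self.last_refill = float(burst), 0.0
        self.violated = False
        self.violation_start = self.last_violation = None
        self.passed = self.dropped = 0
        self.events = []            # (time, 'violation' | 'cleared')

    def check_recovery(self, now):
        """Clear the violation if none has occurred for recover_time seconds."""
        if self.violated and now - self.last_violation >= self.recover_time:
            self.violated = False
            self.events.append((now, "cleared"))

    def offer(self, now, count):
        """Offer `count` packets at time `now`; returns how many pass."""
        self.tokens = min(float(self.burst),
                          self.tokens + (now - self.last_refill) * self.rate)
        self.last_refill = now
        self.check_recovery(now)
        passed = min(int(self.tokens), count)
        dropped = count - passed
        self.tokens -= passed
        self.passed += passed
        self.dropped += dropped
        if dropped:
            self.last_violation = now
            if not self.violated:       # first drop opens a violation
                self.violated = True
                self.violation_start = now
                self.events.append((now, "violation"))
        return passed


def build_chain(group, rates):
    """One policer per level, in the order packets traverse them."""
    return [DdosPolicer(level, group, rate, burst) for level, (rate, burst) in rates]


def host_bound(chain, now, count):
    """Packets must survive every level to reach the daemon on the RE."""
    for policer in chain:
        count = policer.offer(now, count)
        if count == 0:
            break
    return count


def demo():
    """Constructed ICMP flood: an 800-packet burst, a trickle, then quiet
    for five minutes so the recovery timer fires."""
    chain = build_chain("icmp", [("trio", (1000, 1000)),
                                 ("linecard", (500, 500)),
                                 ("re", (200, 200))])
    delivered = [host_bound(chain, 0.0, 800),      # exceeds line card and RE
                 host_bound(chain, 0.5, 10),       # within the refilled budget
                 host_bound(chain, 301.0, 1)]      # recover_time has elapsed
    return delivered, {p.level: p.events for p in chain}


if __name__ == "__main__":
    delivered, events = demo()
    print("delivered per step:", delivered)
    for level, evs in events.items():
        print(level, evs)
```

The chipset policer never violates in this run because its limit is the loosest; the line card and Routing Engine policers both open a violation at the first burst and clear it once 300 seconds pass without another drop, which is the sequence of notifications an operator would see.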

20 LINKS

21 LINKS

- DDoS Protection Configuration Guide: ddos-protection/config-guide-ddos-protection.pdf
- This Week: Hardening Junos Devices: series/hardening-junos-devices-checklist/
- Day One: Configuring Junos Policies and Firewall Filters: series/configuring-junos-policies/
- Day One: Securing the Routing Engine on M, MX, and T Series: series/securing-routing-engine/

For iPads and iPhones, use your device's iBooks app: search for "Juniper Networks" in the iBookstore and download directly to your device. For Kindles, Android, BlackBerry, iPhones/iPads, Macs and PCs, download the free Kindle app for your device, go to the Kindle Store and search for "Juniper".