2006 Double Shot Security, Inc. All rights reserved 1 Operational Security Current Practices APNIC22 - Kaohsiung, Taiwan Merike Kaeo

Slides:



Advertisements
Similar presentations
Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
Advertisements

Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.
Chapter 9: Access Control Lists
FIREWALLS Chapter 11.
Sink Holes 111. Sink Hole Routers/Networks Sink Holes are a Swiss Army Knife security tool. –BGP speaking Router or Workstation that built to suck in.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
2006 Double Shot Security, Inc. All rights reserved 1 IPv6 What Works…What Doesn’t APNIC22 - Kaohsiung, Taiwan Merike Kaeo
1 © 1999, Cisco Systems, Inc. Course Number Presentation_ID ISP Security Issues in today’s Internet It’s not a nice place anymore...
Chapter 11 Firewalls.
Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Enterprise Network Security Accessing the WAN Lecture week 4.
COEN 252: Computer Forensics Router Investigation.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
Department Of Computer Engineering
TCP/IP Addressing Design. Objectives Choose an appropriate IP addressing scheme based on business and technical requirements Identify IP addressing problems.
Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.
Router Hardening Nancy Grover, CISSP ISC2/ISSA Security Conference November 2004.
1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
Edge Protection 111. The Old World: Network Edge Core routers individually secured Every router accessible from outside “outside” Core telnet snmp.
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
– Chapter 4 – Secure Routing
Intranet, Extranet, Firewall. Intranet and Extranet.
Chapter 4: Security Baselines Security+ Guide to Network Security Fundamentals Second Edition.
Firewall and Internet Access Mechanism that control (1)Internet access, (2)Handle the problem of screening a particular network or an organization from.
Session 2 Security Monitoring Identify Device Status Traffic Analysis Routing Protocol Status Configuration & Log Classification.
Access Control List ACL. Access Control List ACL.
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Alberto Rivai Teknologi pemantauan jaringan internet untuk pendeteksian dini terhadap ancaman dan gangguan Alberto Rivai
11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.
OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Dennis Beard Sandra Murphy Yi Yang March 2003 Threats to Routing Protocols.
Operational Security Capabilities for IP Network Infrastructure
Access Control List (ACL)
Staff AAA. Radius is not an ISP AAA Option RADIUS TACACS+ Kerberos.
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Network Security1 Secure Routing Source: Ch. 4 of Malik. Network Security Principles and Practices (CCIE Professional Development). Pearson Education.
Security and Firewalls Ref: Keeping Your Site Comfortably Secure: An Introduction to Firewalls John P. Wack and Lisa J. Carnahan NIST Special Publication.
1 OFF SYMB - 12/7/2015 Firewalls Basics. 2 OFF SYMB - 12/7/2015 Overview Why we have firewalls What a firewall does Why is the firewall configured the.
Security fundamentals Topic 10 Securing the network perimeter.
Security Management Process 1. six-stage security operations model 2 In large networks, the potential for attacks exists at multiple points. It is suggested.
Chapter 4: Implementing Firewall Technologies
Filtering Spoofed Packets Network Ingress Filtering (BCP 38) What are spoofed or forged packets? Why are they bad? How to keep them out.
IPv6 security for WLCG sites (preparing for ISGC2016 talk) David Kelsey (STFC-RAL) HEPiX IPv6 WG, CERN 22 Jan 2016.
Role of Router. The Router as a Perimeter Device  Usually the main function of a router is considered as the forwarding of packets between two network.
Access Control List (ACL) W.lilakiatsakun. Transport Layer Review (1) TCP (Transmission Control Protocol) – HTTP (Web) – SMTP (Mail) UDP (User Datagram.
IS3220 Information Technology Infrastructure Security
Unit 2 Personal Cyber Security and Social Engineering Part 2.
Improving Security Over Ipv6 Authentication Header Protocol using IP Traceback and TTL Devon Thomas, Alex Isaac, Majdi Alharthi, Ali Albatainah & Abdelshakour.
Working at a Small-to-Medium Business or ISP – Chapter 8
Critical Security Controls
Secure Software Confidentiality Integrity Data Security Authentication
Computer Data Security & Privacy
Goals of soBGP Verify the origin of advertisements
Chapter 11: It’s a Network
– Chapter 3 – Device Security (B)
* Essential Network Security Book Slides.
– Chapter 3 – Device Security (B)
Introduction to Network Security
Protection Mechanisms in Security Management
Validating MANRS of a network
Presentation transcript:

2006 Double Shot Security, Inc. All rights reserved 1 Operational Security Current Practices APNIC22 - Kaohsiung, Taiwan Merike Kaeo Author: Designing Network Security (ISBN# )

2006 Double Shot Security, Inc. All rights reserved 2 Infrastructure Security Peer Customer NOC Syslog, TFTP, AAA, DNS, SMTP NetFlow, SNMP

2006 Double Shot Security, Inc. All rights reserved 3 How Do Large ISPs Protect Their Infrastructures ? Understand the Problem Establish an Effective Security Policy – physical security – logical security – control/management plane – routing plane – data plane Have Procedures In Place For Incident Response – procedures for assessing software vulnerability risk – auditing configuration modifications

2006 Double Shot Security, Inc. All rights reserved 4 Attack Sources Passive vs Active –Writing and/or reading data on the network On-Path vs Off-Path –How easy is it to subvert network topology? Insider or Outsider –What is definition of perimeter? Deliberate Attack vs Unintentional Event –Configuration errors and software bugs are as harmful as a deliberate malicious network attack

2006 Double Shot Security, Inc. All rights reserved 5 Operational Security Impact Unauthorized Disclosure –circumstance or event whereby entity gains access to data for which it is not authorized Deception –circumstance or event that may result in an authorized entity receiving false data and believing it to be true Disruption –circumstance or event that interrupts or prevents the correct operation of system services and functions Usurpation –circumstance or event that results in control of system services or functions by an unauthorized entity

2006 Double Shot Security, Inc. All rights reserved 6 Security Services User Authentication User Authorization Data Origin Authentication Access Control Data Integrity Data Confidentiality Auditing / Logging DoS Mitigation

2006 Double Shot Security, Inc. All rights reserved 7 Functional Considerations Device Physical Access Device In-Band Management Device OOB Management Data Path Routing Control Plane Software Upgrade / Configuration Integrity Logging Filtering DoS Tracking /Tracing –Sink Hole Routing –Black-Hole Triggered Routing –Unicast Reverse Path Forwarding (uRPF) –Rate Limiting

2006 Double Shot Security, Inc. All rights reserved 8 Device Physical Access Equipment kept in highly restrictive environments Console access –password protected –access via OOB management Individual users authenticated Social engineering training and awareness

2006 Double Shot Security, Inc. All rights reserved 9 Device In-Band Management SSH primarily used; Telnet only from jumphosts All access authenticated –Varying password mechanisms –AAA usually used –Single local database entry for backup Each individual has specific authorization Strict access control via filtering Access is audited with triggered pager/ notifications SNMP is read-only –community strings updated every days

2006 Double Shot Security, Inc. All rights reserved 10 Device OOB Management SSH primarily used; Telnet only from jumphosts All access authenticated –Varying password mechanisms –AAA usually used (server typically different for in-band vs OOB) –Single local database entry for backup Each individual has specific authorization Strict access control via filtering Access is audited with triggered pager/ notifications SNMP is read-only –community strings updated every days

2006 Double Shot Security, Inc. All rights reserved 11 Data Path Filtering and rate limiting are primary mitigation techniques BCP-38 guidelines for ingress filtering Null-route and black-hole any detected malicious traffic Netflow is primary method used for tracking traffic flows Unicast Reverse Path Forwarding is not consistently implemented Logging of Exceptions

2006 Double Shot Security, Inc. All rights reserved 12 Routing Control Plane MD-5 authentication –Some only deploy this at customer’s request Route filters limit what routes are believed from a valid peer Packet filters limit which systems can appear as a valid peer Limiting propagation of invalid routing information –Prefix filters –AS-PATH filters (trend is leaning towards this) –Route dampening (latest consensus is that it causes more harm than good) Not yet possible to validate whether legitimate peer has authority to send routing update

2006 Double Shot Security, Inc. All rights reserved 13 Software Upgrade / Integrity Files stored on specific systems with limited access All access to these systems are authenticated and audited SCP is used where possible and FTP is NEVER used Configuration files are polled and compared on an hourly basis Filters limit uploading / downloading of files to specific systems Many system binaries use MD-5 checks for integrity Configuration files are stored with obfuscated passwords

2006 Double Shot Security, Inc. All rights reserved 14 Filtering Considerations DNS Server Mail Server AAA, Syslog, SNMP Server(s) Telnet, SSH Routing Control Plane Management Plane Data Forwarding Plane

2006 Double Shot Security, Inc. All rights reserved 15 DoS Tracking / Mitigation ( Sink Hole ) –Router or workstation built to divert traffic and assist in analyzing attacks and determine the source. –Used to redirect attacks away from the customer – working the attack on a router built to withstand the attack. –Used to monitor attack noise, scans, data from mis- configuration and other activity (via the advertisement of default or unused IP space) Peer Border Aggregation CPE Internet Backscatter Scanners Worms Diverts unwanted packets. Large CIDR Block Out Customer’s Allocated Block

2006 Double Shot Security, Inc. All rights reserved 16 DoS Tracking / Mitigation ( Black-Hole Triggered Routing ) Several Techniques: –Destination-based BGP Blackhole Routing –Source-based BGP Blackhole Routing (coupling uRPF) –Customer-triggered Exploits router’s forwarding logic which typically results in desired packets being dropped with minimal or no performance impact FIB Ingress Packet Filter Null0/ Discard Packets Arrive Forward packet to the Bit Bucket Saves on CPU and ACL processing Egress Interface

2006 Double Shot Security, Inc. All rights reserved 17 IP Header In Out Src Addr: Dest Addr: x.x.x.x Data CEF Table: Fddi 2/0/ attached Fddi 2/0/ Fddi 2/0/ attached Fddi 2/0/0 Adjacency Table: Fddi 2/0/ E…AAAA IP Header Data RPF Checks to See if the Source Address is in the FIB Drop Routing Table: via is directly connected, Fddi 2/0/ via is directly connected, Fddi 2/0/0 Unicast RPF If OK, RPF Passed the Packet to be Forwarded Source Address must match the FIB information in the CEF Table. If in the FIB – then OK. If equal to Null 0, then drop. DoS Tracking / Mitigation ( uRPF )

2006 Double Shot Security, Inc. All rights reserved 18 IPv4 vs IPv6 Same considerations exist for IPv6 networks although the same tools are not yet there for IPv6 transports IPv6 / IPv4 tunnels used to hide malicious traffic from filtering rules is a concern Flow collection tools are not yet capable of detecting much malicious traffic

2006 Double Shot Security, Inc. All rights reserved 19 Operational Practices Summary Risk mitigation techniques similar yet different –Similar conceptual safeguards –Differences based on performance issues and operational complexity Infrastructure products need standardized capabilities for more effective security deployments

2006 Double Shot Security, Inc. All rights reserved 20 THANK YOU! ( draft-ietf-opsec-current-practices-06.txt )