1 © 1999, Cisco Systems, Inc. Course Number Presentation_ID ISP Security Issues in today’s Internet It’s not a nice place anymore...

Slides:



Advertisements
Similar presentations
Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Advertisements

Point Protection 111. Check List AAA to the Network Devices Controlling Packets Destined to the Network Devices Config Audits.
Securing the Router Chris Cunningham.
Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
IUT– Network Security Course 1 Network Security Firewalls.
2006 Double Shot Security, Inc. All rights reserved 1 Operational Security Current Practices APNIC22 - Kaohsiung, Taiwan Merike Kaeo
Net security - budi rahardjo Overview of Network Security Budi Rahardjo CISCO seminar 13 March 2002.
Network Security and Audits LITN Fall Conference 2006 Presented by Katie Givens Mosaic.
The Latest In Denial Of Service Attacks: “Smurfing” Description and Information to Minimize Effects Craig A. Huegen Cisco Systems, Inc. NANOG 11 Interprovider.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.
System and Network Security Practices COEN 351 E-Commerce Security.
Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG Dearborn,
Definition : Computer Virus A computer program with the characteristic feature of being able to generate copies of itself, and thereby spread. Additionally.
Lesson 19: Configuring Windows Firewall
COEN 252: Computer Forensics Router Investigation.
Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study
Bandwidth DoS Attacks and Defenses Robert Morris Frans Kaashoek, Hari Balakrishnan, Students MIT LCS.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.
1 Enabling Secure Internet Access with ISA Server.
PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.
Information Security Introduction to Information Security Michael Whitman and Herbert Mattord 14-1.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)
Being an Intermediary for Another Attack Prepared By : Muhammad Majali Supervised By : Dr. Lo’ai Tawalbeh New York Institute of Technology (winter 2007)
Lecture 10 Intrusion Detection modified from slides of Lawrie Brown.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Connecting to the Network Networking for Home and Small Businesses.
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Intrusion Detection Prepared by: Mohammed Hussein Supervised by: Dr. Lo’ai Tawalbeh NYIT- winter 2007.
Network and Perimeter Security Paula Kiernan Senior Consultant Ward Solutions.
Staff AAA. Radius is not an ISP AAA Option RADIUS TACACS+ Kerberos.
Firewall – Survey Purpose of a Firewall – To allow ‘proper’ traffic and discard all other traffic Characteristic of a firewall – All traffic must go through.
© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.
Distributed Denial of Service Attacks
Network Security Chapter 11 powered by DJ 1. Chapter Objectives  Describe today's increasing network security threats and explain the need to implement.
The Intranet.
Secure Wired Local Area Network( LAN ) By Sentuya Francis Derrick ID Module code:CT3P50N BSc Computer Networking London Metropolitan University.
NETWORKING COMPONENTS Buddy Steele Assignment 3, Part 1 CECS-5460: Summer 2014.
Lesson 19-E-Commerce Security Needs. Overview Understand e-commerce services. Understand the importance of availability. Implement client-side security.
Security fundamentals Topic 10 Securing the network perimeter.
Security and Assurance in IT organization Name: Mai Hoang Nguyen Class: INFO 609 Professor: T. Rohm.
Firewall – Survey  Purpose of a Firewall  To allow ‘proper’ traffic and discard all other traffic  Characteristic of a firewall  All traffic must go.
TOPIC 3 DATA TRANSMISSION AND NETWORKING MEDIA. INTERNET SERVICE PROVIDER (ISP) also known as Internet Access Provider (IAP) It is a company that offers.
SEMINAR ON IP SPOOFING. IP spoofing is the creation of IP packets using forged (spoofed) source IP address. In the April 1989, AT & T Bell a lab was among.
Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. SANS ‘98 Conference -
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY Intrusion Detection and Incidence Response Course Name – IT Intrusion Detection and Incidence.
Security fundamentals
CompTIA Security+ Study Guide (SY0-401)
The Intranet.
Working at a Small-to-Medium Business or ISP – Chapter 8
Firewalls.
IT443 – Network Security Administration Instructor: Bo Sheng
Computer Data Security & Privacy
Firewall – Survey Purpose of a Firewall Characteristic of a firewall
Filtering Spoofed Packets
Securing Cisco Networks with Threat Detection and Analysis practice-questions.html.
Firewalls.
Securing Cisco Networks with Threat Detection and Analysis practice-questions.html.
CompTIA Security+ Study Guide (SY0-401)
Firewalls at UNM 11/8/2018 Chad VanPelt Sean Taylor.
* Essential Network Security Book Slides.
Computer Security Firewalls November 19, 2018 ©2004, Bryan J. Higgs.
Firewalls Purpose of a Firewall Characteristic of a firewall
دیواره ی آتش.
Global One Communications
Presentation transcript:

1 © 1999, Cisco Systems, Inc. Course Number Presentation_ID ISP Security Issues in today’s Internet It’s not a nice place anymore...

2 Presentation_ID © 1999, Cisco Systems, Inc. The Internet Today NetAid’s October 9th Event 3 System architected for 60 million hits per hour, one million hits per minute, or just over 16,000 transactions per second to support 50,000,000 users over a multi- day event … while under constant cyber-probes and attacks. 3 NetAid was consistently probed and attacked through out the life of the event. It is an example of how today’s Internet networks need to be built - to ride out attacks, maintain the service, collect information on the attack, and counter the attack.

3 Presentation_ID © 1999, Cisco Systems, Inc. The ISP’s World Today Consumers Large Enterprises Small Businesses Professional Office ISP Other ISPs (the Internet)

4 Presentation_ID © 1999, Cisco Systems, Inc. The ISP’s World Today Changing Threat 3 User Friendly Tools make is easier for the amateur cyberpunks to do more damage 3 E-Commerce provides a monetary motivation 3 Direct attacks on the Internet’s core infrastructure means that the NET is not scared anymore. Source: Placeholder for Notes, etc. 14 pt., bold

5 Presentation_ID © 1999, Cisco Systems, Inc. For example - Smurfing Newest Denial of Service attack 3 Network-based, fills access pipes 3 Uses ICMP echo/reply packets with broadcast networks to multiply traffic 3 Requires the ability to send spoofed packets Abuses “bounce-sites” to attack victims 3 Traffic multiplied by a factor of 50 to 200

6 Presentation_ID © 1999, Cisco Systems, Inc. For example - Smurfing

7 Presentation_ID © 1999, Cisco Systems, Inc. For example - Smurfing Perpetrator has T1 bandwidth available (typically a cracked account), and uses half of it (768 Kbps) to send spoofed packets, half to bounce site 1, half to bounce site 2 Bounce site 1 has a switched co-location network of 80 hosts and T3 connection to net Bounce site 2 has a switched co-location network of 100 hosts and T3 connection to net

8 Presentation_ID © 1999, Cisco Systems, Inc. For example - Smurfing (384 Kbps * 80 hosts) = 30 Mbps outbound traffic for bounce site 1 (384 Kbps * 100 hosts) = 37.5 Mbps outbound traffic for bounce site 2 Victim is pounded with 67.5 Mbps (!) from half a T1! Warning! The newest source of high speed connections are in people’s homes. How many home’s with xDSL and Cable access have any sort of security?

9 Presentation_ID © 1999, Cisco Systems, Inc Good By Attack Methods—WinNuke

10 Presentation_ID © 1999, Cisco Systems, Inc. Attack Methods—Crack Shareware

11 Presentation_ID © 1999, Cisco Systems, Inc. ISPs need to: 3 Protect themselves 3 Help protect their customers from the Internet 3 Protect the Internet from their customers What do ISPs need to do?

12 Presentation_ID © 1999, Cisco Systems, Inc. 2) Secure Firewall, Encryption, Authentication (PIX, Cisco IOS, FW, IPSEC, TACACS+Radius) 1) ISP’s Security Policy 3) Monitor and Respond Intrusion Detection (i.e. NetRanger) 4) Test Vulnerability Scanning (i.e. NetSonar, SPA) 5) Manage and Improve Network Operations and Security Professionals What do ISPs need to do? Security in a is not optional!

13 Presentation_ID © 1999, Cisco Systems, Inc. Implement Best Common Practices (BCPs) 3 ISP Infrastructure security 3 ISP Network security 3 ISP Services security Work with Operations Groups, Standards Organisations, and Vendors on new solutions What do ISPs need to do?

14 Presentation_ID © 1999, Cisco Systems, Inc. BCP Examples System Architecture 3 Use AAA for staff 3 Modular Network Design with Layered Security 3 Transaction Logging (SNMP, SYSLOG, etc. ) 3 Peering, Prefix, and Route Flap Filters 3 Premises Security Features 3 Turn off unnecessary features 3 Routing Protocol MD5 3 Route Filters 3 Anti-Spoof filters or Unicast RPF 3 Rate Limiting filters on ICMP (active or scripts)

15 Presentation_ID © 1999, Cisco Systems, Inc. Hardware Vendor’s Responsibilities The roll of the hardware vendor is to support the network’s objectives. Hence, there is a very synergistic relationship between the ISP and the hardware vendor to insure the network is resistant to security compromises.

16 Presentation_ID © 1999, Cisco Systems, Inc. Hardware Vendor’s Responsibilities Cisco System’s Example: 3 Operations People working directly with the ISPs 3 Emergency Reaction Teams (i.e. PSIRT) 3 Developers working with customers on new features 3 Security Consultants working with customers on attacks, audits, and prosecution. 3 Individuals tracking the hacker/phracker communities

17 Presentation_ID © 1999, Cisco Systems, Inc. For Example... CEF Unicast RPF In Out Unicast RPF Drop IP HeaderData Src Addr: Dest Addr: x.x.x.x IP HeaderData Routing Table: via is directly connected, Fddi 2/0/0 CEF Table: Fddi 2/0/ attached Fddi 2/0/0 Adjacency Table: Fddi 2/0/ E…AAAA RPF Checks to see if the source address’s reverse path matches the input port. If OK, RPF passed the packet to be forwarded by CEF. Customer’s Packets

18 Presentation_ID © 1999, Cisco Systems, Inc. For Example... CEF Unicast RPF In Out Unicast RPF Drop IP HeaderData Src Addr: Dest Addr: x.x.x.x IP HeaderData Routing Table: via is directly connected, Fddi 2/0/0 CEF Table: Fddi 2/0/ attached Fddi 2/0/0 Adjacency Table: Fddi 2/0/ E…AAAA RPF Checks to see if the source address’s reverse path matches the input port. If not OK, RPF drops the packet. Customer’s Packets Spoofed Packets

19 Presentation_ID © 1999, Cisco Systems, Inc. For More Information… URLs Referenced in the Presentation This presentation 3 BCPs for ISPs - Essentials IOS Features Every ISP Should Consider 3 Product Security Incident Response Team (PSIRT) 3 Improving Security on Cisco Routers 3

20 Presentation_ID © 1999, Cisco Systems, Inc. For More Information… Industry Resources 3 Many security articles by National Computer Security Assoc., and great tutorial on firewalls ftp://info.cert.org 3 Published warnings and downloadable files of solutions for defeating various types of attacks that have been reported to Computer Emergency Response Team 3 Llinks to Web sites, mailing lists, standards documents, etc., related to WWW and/or Internet security

21Presentation_ID © 1999, Cisco Systems, Inc.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.