Firewall on Demand: A multidomain approach. Leonidas Poulopoulos, Yannis Mitsos – GRNET NOC. Firewall on Demand workshop, TF-MSP meeting, November 2014

Network threats: GRNET Cloud IaaS

DDoS illustrated

GRNET Rapid Anomaly Detection Python tool (rady): volumetric packets (WP-pingback)

Consequences
– Performance degradation: GÉANT backbone, NRENs
– Outages
– Services malfunction
– Resources: human, equipment

Mitigation techniques through time: ACLs and firewall filters, RTBH, BGP flowspec

The ACL way
– Detect attack
– Profile it
– Apply local ACL
– Notify upstream (TIME)
– Apply NREN ACLs
– Notify upstream (TIME)
– Apply upstream ACLs (TIME)
– Phone calls

The BGP way
– Well established model of trust
– Stable and robust: powers the internet
– Remote triggered black-hole routing
– BGP flow specification: “My name is Wall, Fire Wall”

Who are you, BGP Flowspec? BGP Flowspec is defined in RFC 5575: layer 4 (TCP and UDP) firewall filters distributed in BGP on both an intra-domain and an inter-domain basis.
Match
– source/dest prefix
– source/dest port
– ICMP type/code
– packet size
– DSCP
– TCP flag
– fragment type
– etc.
Actions
– accept
– discard
– rate-limit
– sample
– redirect
– etc.

A firewall filter over BGP??? Propagates wherever BGP flowspec is enabled (currently supported by Juniper):
– To the very ends of the network
– To peering networks: downstream, upstream
Ideas! Apply to a single point and let it propagate to my borders.
– Sounds like attacks are now mitigated closer to the source!!! – YES!!!!
– Seems that it is more granular than RTBH – YES!!!!
– Can we automate this?? Can we go from RFC to tool? – Have already done this!!!

Can you remind me why we need BGP flowspec?
– Distributed across the network
– Closer to the source
– Fine-grained even on core/backbone networks
– Multidomain: easy propagation towards the upstream via BGP
– Easy automation and integration
Flowspec as an enhancement of RTBH (ACLs, flowspec and RTBH compared):
– Does not affect all traffic to the victim
– Less coarse
– More actions
– Separate NLRI

Firewall on Demand – from RFC to tool
– Developed by: GRNET
– Granularity: per-flow level
– Action: drop, rate-limit, redirect
– Speed: 1-2 orders of magnitude quicker
– Efficiency: closer to the source, multi-domain
– Automation: integration with other systems
– Manageability: status tracking, web interface
Need for better tools to mitigate transient attacks

GRNET setup

How does it work? (Web, NETCONF, eBGP, iBGP)
– Customer’s NOC logs in to the web tool and describes flows and actions
– Destination is validated against the customer’s IP space
– A dedicated router is configured (via NETCONF) to advertise the route via BGP flowspec
– Dynamic firewall filters are implemented on all routers
– Attack is mitigated upon entrance
– End of attack: removal via the tool, or auto-expire
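To make the flowspec match components and actions listed earlier, and the "describe flows and actions, validate, then configure the dedicated router" steps above, concrete, here is an added example written for this page (it is not FoD's own code). It models one RFC 5575 rule, checks it for obvious mistakes, and renders it as a Junos `routing-options flow route` stanza of the kind a FoD-style tool would push to its BGP speaker over NETCONF. The dataclass, the field names and the sample NTP-reflection rule are assumptions made for the example; the Junos keywords are the standard flow-route match and action statements, and the rate-limit value is bytes per second, as in RFC 5575's traffic-rate action.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional


@dataclass
class FlowspecRule:
    """One RFC 5575 rule: the match components from the slide plus one action.

    Assumed data model for this example, not FoD's own.
    """
    name: str
    destination: str                      # victim prefix, e.g. "198.51.100.10/32"
    source: Optional[str] = None
    protocol: Optional[str] = None        # "tcp", "udp" or "icmp"
    destination_port: Optional[int] = None
    source_port: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    packet_length: Optional[int] = None
    dscp: Optional[int] = None
    tcp_flags: Optional[str] = None       # e.g. "syn"
    fragment: Optional[str] = None        # e.g. "is-fragment"
    action: str = "discard"               # "accept", "discard" or "rate-limit"
    rate_limit_bps: Optional[int] = None  # bytes per second, for "rate-limit"

    def validate(self) -> None:
        """Reject rules that would be refused by the router or are meaningless."""
        ip_network(self.destination)       # ValueError if not a valid prefix
        if self.source is not None:
            ip_network(self.source)
        if self.action not in ("accept", "discard", "rate-limit"):
            raise ValueError(f"unknown action {self.action!r}")
        if self.action == "rate-limit" and not self.rate_limit_bps:
            raise ValueError("rate-limit needs a rate_limit_bps value")
        if self.protocol not in (None, "tcp", "udp", "icmp"):
            raise ValueError(f"unsupported protocol {self.protocol!r}")
        for port in (self.destination_port, self.source_port):
            if port is not None and not 0 <= port <= 65535:
                raise ValueError(f"port out of range: {port}")
        if (self.destination_port is not None or self.source_port is not None
                or self.tcp_flags) and self.protocol not in ("tcp", "udp"):
            raise ValueError("ports and tcp-flags need protocol tcp or udp")
        if (self.icmp_type is not None or self.icmp_code is not None) \
                and self.protocol != "icmp":
            raise ValueError("icmp-type/icmp-code need protocol icmp")


def is_valid(rule: FlowspecRule) -> bool:
    try:
        rule.validate()
        return True
    except ValueError:
        return False


def match_terms(rule: FlowspecRule) -> List[str]:
    """Junos flow-route match statements, only for the components that are set."""
    rule.validate()
    pairs = [
        ("destination", rule.destination), ("source", rule.source),
        ("protocol", rule.protocol),
        ("destination-port", rule.destination_port), ("source-port", rule.source_port),
        ("icmp-type", rule.icmp_type), ("icmp-code", rule.icmp_code),
        ("packet-length", rule.packet_length), ("dscp", rule.dscp),
        ("tcp-flags", rule.tcp_flags), ("fragment", rule.fragment),
    ]
    return [f"{key} {value};" for key, value in pairs if value is not None]


def render_junos(rule: FlowspecRule) -> str:
    """Render the rule as a 'routing-options flow route' configuration stanza."""
    terms = match_terms(rule)
    action = {"accept": "accept", "discard": "discard",
              "rate-limit": f"rate-limit {rule.rate_limit_bps}"}[rule.action]
    lines = ["routing-options {", "    flow {", f"        route {rule.name} {{",
             "            match {"]
    lines += ["                " + term for term in terms]
    lines += ["            }", "            then {", f"                {action};",
              "            }", "        }", "    }", "}"]
    return "\n".join(lines)


# Constructed sample: throttle NTP reflection traffic (UDP from port 123)
# towards one victim host to about 10 Mbit/s instead of dropping it outright.
EXAMPLE_RULE = FlowspecRule(name="ntp-reflection-victim", destination="198.51.100.10/32",
                            protocol="udp", source_port=123,
                            action="rate-limit", rate_limit_bps=1250000)

if __name__ == "__main__":
    print(render_junos(EXAMPLE_RULE))
```

The rendered stanza is what would be loaded with a NETCONF `edit-config` on the dedicated router; the validation step is deliberately strict, because a rule the router rejects costs minutes of debugging during an attack, which is exactly the delay FoD exists to remove.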

Have you tried it in production? GRNET network, in production for years: 21 Tbytes, 100 rules, 40 users, 20 peers

Is there a chance that I shoot my leg???? BGP Flowspec is a “sharp knife”.
Protocol/tool level protection
– Flowspec filters
– BGP filters
– Authorization: users can only act for their networks
Application level protection
– Protected networks
– Alerts for violation
– Everything according to procedures
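The application-level protections listed above (users act only within their own address space, protected networks are off limits, violations raise alerts) are straightforward to express as one authorization check. The following is an added example written for this page, not FoD's code: the peer-to-subnet mapping, the protected prefixes, the seven-day maximum rule lifetime and the alert format are all constructed assumptions (documentation address ranges are used, not GRNET's real space).

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network
from typing import List, Tuple

# Constructed sample data (not GRNET's): which peer may act on which subnets.
PEER_SUBNETS = {
    "nren-a": ["198.51.100.0/24", "2001:db8:100::/48"],
    "nren-b": ["203.0.113.0/24"],
}
# Infrastructure prefixes no user rule may ever match, e.g. router loopbacks
# and resolvers; a flowspec discard on these would be a self-inflicted outage.
PROTECTED_NETWORKS = ["198.51.100.0/28", "2001:db8:100::/64"]
MAX_LIFETIME = timedelta(days=7)   # assumed upper bound on auto-expire

ALERTS: List[dict] = []            # every refused request lands here


def _deny(peer: str, destination: str, reason: str, now: datetime) -> Tuple[bool, str]:
    ALERTS.append({"time": now.isoformat(), "peer": peer,
                   "destination": destination, "reason": reason})
    return False, reason


def authorize(peer: str, destination: str, expires_at: datetime,
              now: datetime) -> Tuple[bool, str]:
    """Decide whether `peer` may install a rule for `destination`.

    Returns (allowed, reason); a refusal is also recorded as an alert.
    """
    try:
        dest = ip_network(destination, strict=False)
    except ValueError:
        return _deny(peer, destination, "destination is not a valid prefix", now)
    owned = [ip_network(p) for p in PEER_SUBNETS.get(peer, [])]
    # subnet_of() raises on mixed IP versions, so compare versions first; a
    # prefix wider than the peer's own block (e.g. 0.0.0.0/0) also fails here.
    if not any(dest.version == o.version and dest.subnet_of(o) for o in owned):
        return _deny(peer, destination, "destination outside the peer's address space", now)
    protected = [ip_network(p) for p in PROTECTED_NETWORKS]
    if any(dest.version == p.version and dest.overlaps(p) for p in protected):
        return _deny(peer, destination, "destination overlaps a protected network", now)
    if expires_at <= now:
        return _deny(peer, destination, "expiry is in the past", now)
    if expires_at - now > MAX_LIFETIME:
        return _deny(peer, destination, "rule lifetime exceeds the maximum", now)
    return True, "ok"


NOW = datetime(2014, 11, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for the samples

# Constructed requests: (peer, destination, expiry).
SAMPLE_REQUESTS = [
    ("nren-a", "198.51.100.77/32", NOW + timedelta(hours=6)),      # ok
    ("nren-a", "203.0.113.5/32", NOW + timedelta(hours=6)),        # nren-b's space
    ("nren-a", "198.51.100.3/32", NOW + timedelta(hours=6)),       # protected
    ("nren-a", "0.0.0.0/0", NOW + timedelta(hours=6)),             # wider than owned
    ("nren-a", "2001:db8:100:5::1/128", NOW + timedelta(days=30)), # lifetime too long
    ("nren-b", "203.0.113.5/32", NOW + timedelta(days=1)),         # ok
]


def run_samples() -> List[Tuple[bool, str]]:
    ALERTS.clear()
    return [authorize(peer, dest, exp, NOW) for peer, dest, exp in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for request, verdict in zip(SAMPLE_REQUESTS, run_samples()):
        print(request[0], request[1], "->", verdict)
    print(len(ALERTS), "alerts raised")
```

The order of the checks matters: the ownership check runs before the protected-network check, so a peer probing someone else's space only ever learns "outside your address space", and the alert log records who asked for what. The expiry bound is the application-side half of the auto-expire mentioned earlier.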

Time to go multidomain: fod.geant.net

FoD recipe
– 1 central FoD instance
– BGP flowspec enabled in GÉANT routers
– 3 flavors:
  – NREN without BGP flowspec supporting equipment
  – NREN with BGP flowspec equipment that uses local FoD
  – NREN with BGP flowspec equipment that uses GÉANT’s FoD

All together

Phase 1 tests: click Apply, 6 seconds later…

FoD Application Architecture: open source

Under the hood
– Django application: 1.4, Debian Wheezy system packages
– Application server: Gunicorn
– HTTP server: Apache proxy module
– Database: MySQL
– Caching: Memcached
– Job scheduler: Celeryd
– Queue: Beanstalkd
– Network client: ncclient (NETCONF)

Installation and monitoring
– Extensively tested on Debian Wheezy, using system packages
– Done in ~30 mins
– Monitored components: host checks, service checks
  – Apache (check_http)
  – Gunicorn (check_mk)
  – Celeryd (check_mk)

Joining FoD
– Shibboleth attributes:
  – (maps to HTTP_ )
  – persistent-nameid or persistent-id or targeted-id (all map to HTTP_REMOTE_USER)
– A valid institution/peer with active subnets

Support
– GRNET will actively support FoD
– Same codebase; small changes between single and multidomain (Shibboleth vs. eduGAIN)
– Full installation documentation of the multidomain flavor will be provided by the end of Nov 2014

To Do’s
– Full documentation for multidomain setup
– Multidomain repository
– Harden security: limit access (ACL), introduce Shibboleth attributes (?)
– Test on production network with manual entry
– Invite 2-3 NRENs to join

Thank you