Published by Hilary Ryan. Modified over 6 years ago.
1
Firewall on Demand Introduction
SA3-T1 Meeting, Vienna, March 7th 2016
GEANT Information & Infrastructure Security Team
Evangelos Spatharas, Security Engineer
2
INDEX
- DDoS seen by GÉANT
- FoD Tutorial
- What Firewall on Demand is
- Why Flowspec?
- Why Firewall on Demand?
- How to subscribe
- Future plans
3
Who Sees DDoS Attacks?
4
DDoS – Ramifications
36 Gb/s
- Network: performance degradation, services malfunction, outages
- Staff & Company: productivity reduction, wasted resources, reputation, profit reduction
- Clients: dissatisfaction, change upstream?
5
How to Deal with DDoS?
Firewall filter deployment
- Manual ACLs: time consuming, prone to mistakes, highly effective
- RTBH: fast, too coarse
- BGP FlowSpec
DDoS Scrubbing
- Highly effective (if set up correctly)
- Very expensive
Or just disconnect the cable.
Firewall filters might just rate-limit packets, or be more granular and match on ports and source and destination IPs. All firewall filters would require some CLI configuration, making it difficult to track work and to open and close tickets.
6
From RFC to a WEB based tool
fod.geant.net
New school rules – Forget CLI and JunOS language
Developed and designed by
7
What Firewall on Demand is
Firewall on Demand, abbreviated as FoD, is an application with a web front end which allows subscribed users to disseminate firewall filters easily without any hassle. The traits that make it unique are multifold:
- Convenience - NREN users can use the web portal themselves, or make a request by phone or email.
- Simplicity - The web portal uses an intuitive, non-vendor-specific, GUI-based wizard to configure router firewall filters.
The magic of FoD is powered by the cutting-edge flowspec technology as described by the RFC
*NOC/CERT users can still contact GEANT CERT using the traditional methods to request blocking.
8
Why FlowSpec?
- Speed - No need to spend time finding the peer where the traffic enters the network, finding the correct filter, and then visiting each filter on different routers; flowspec propagates itself within seconds via a BGP update.
- Efficiency - Blocking the traffic as close to the source as possible, at the borders of GEANT.
- Effectiveness - Filters are installed on the inetflow.0 table, blocking all BGP IPv4 traffic, at the PFE level.
Why FoD?
- Value-add tool, part of the NSHaRP service. NRENs are no longer restricted to the process of opening tickets with us to block traffic affecting them.
- Easier audit of flowspec filters - the search box finds rules based on a number of attributes.
- Easier removal - Filters auto-expire on FoD, which makes sure that the flowspec table won't be 1000 lines long after years of usage.
- Cleaner filters without "temp" terms that piled up after years of operation.
- In the future, reporting will be supported too.
9
Why Firewall on Demand?
- Value-add tool, part of the NSHaRP service
- Easier audit of flowspec filters
- Easier removal (auto-expire)
- Cleaner traditional filters without "temp" terms that pile up with time
- Reporting (to be supported)
What? You want more?
10
What you CAN do with FoD
- Propagate flowspec filters across the GÉANT network
- Filters CAN have a DST address from YOUR administrative IP space
- Submit as many filters as you want (TBC)
- Have an email sent to yourself or your ticketing system for tracking after rule submission/edit/withdrawal
- See all rules submitted by you or your colleagues by state (active/deactivated), from past to the most current
11
What you CANNOT do with FoD
- Propagate IPv6 filters (TBC)
- Propagate a filter with a DST subnet bigger than /29
- Access the FoD platform from an IP space other than your NOC’s/GEANT network’s space
12
Eligibility and How to Subscribe and Access
All GÉANT member NRENs may subscribe. The subscription process is as follows:
1. The NREN APM fills out the FoD application form (MS Excel based): NREN authorized users (by email address); NOC subnet (for white-listing); NREN’s AS number or AS-set.
2. The NREN APM sends the completed form to the GÉANT security team, and the info is entered into FoD.
3. An authorised NREN user, using a host in the NOC subnet, accesses FoD and clicks the “Shibboleth Login” button on the top right.
4. Log in using the standard eduGAIN method.
5. The new user’s account will be activated within 1 business day (assuming login details match the info provided by the APM).
13
Shibboleth Attributes
FoD’s Shibboleth module requires the release of the following attributes:
- givenName
- mail
- persistent-id
- principalName
- Surname (family name)
- uniqueID
14
How to Use FoD
After your account is activated, for which you’ll be notified by email, you are ready to start Firewall-ing on Demand. The process is as simple as follows:
1. Re-visit the page and click on the “Shibboleth Login” button.
2. After supplying your credentials you’ll have access to 5 main tabs:
- Dashboard
- Rules
- Add Rule
- My Profile
- Admin
15
How to Use FoD - Dashboard
Dashboard page displays the latest 10 rules that have been submitted for your Institution along with their current status. Deactivated ones can be re-activated and vice versa.
16
How to Use FoD - Rules
The Rules page displays ALL the rules (not just the latest 10) that have been submitted for your Institution, sorted by status. From here, you can reactivate or deactivate rules, or even edit them. What is more, one can use the search box to look for particular rules and process them further.
17
How to Use FoD – Add Rule
The Add Rule page is where you navigate when you first see an attack. Adding a rule requires populating all the necessary fields, which are the following:
- Name
- Source Address
- Destination Address
- Then Actions
Note: It is recommended that the rule’s name is of the following format: <NREN/Peering/IC>_<TYPE_OF_ATTACK>_<ACTION>_<DATE>
This will aid you in the future when searching for a rule.
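The limits from the CAN/CANNOT slides and the naming recommendation above can be checked locally before a rule is submitted. The following is an added example, not code from FoD or from the presentation. It assumes a YYYYMMDD date and name fields made of letters, digits and hyphens, reads "bigger than /29" as a prefix shorter than /29, and uses constructed documentation addresses.

```python
import ipaddress
import re
from datetime import datetime

MIN_DST_PREFIXLEN = 29  # assumption: "bigger than /29" = shorter prefix than /29
# <NREN/Peering/IC>_<TYPE_OF_ATTACK>_<ACTION>_<DATE>; YYYYMMDD date is assumed
NAME_RE = re.compile(r"^[A-Za-z0-9-]+_[A-Za-z0-9-]+_[A-Za-z0-9-]+_(\d{8})$")
# Constructed sample: administrative space of a hypothetical NREN (TEST-NET-1)
SAMPLE_ADMIN_NETWORKS = ["192.0.2.0/24"]


def check_rule(name, source, destination, admin_networks):
    """Return a list of problems; an empty list means the request passes."""
    problems = []
    match = NAME_RE.match(name)
    if not match:
        problems.append("name: expected <OWNER>_<ATTACK>_<ACTION>_<DATE>")
    else:
        try:
            datetime.strptime(match.group(1), "%Y%m%d")
        except ValueError:
            problems.append("name: date is not a valid YYYYMMDD")

    nets = {}
    for label, value in (("source", source), ("destination", destination)):
        try:
            # strict=True rejects prefixes with host bits set, e.g. 192.0.2.9/29
            net = ipaddress.ip_network(value, strict=True)
        except ValueError as exc:
            problems.append(f"{label}: {exc}")
            continue
        if net.version != 4:
            problems.append(f"{label}: IPv6 filters are not propagated")
        else:
            nets[label] = net

    dst = nets.get("destination")
    if dst is not None:
        if dst.prefixlen < MIN_DST_PREFIXLEN:
            problems.append("destination: subnet is bigger than /29")
        admin = [ipaddress.ip_network(n) for n in admin_networks]
        if not any(a.version == 4 and dst.subnet_of(a) for a in admin):
            problems.append("destination: outside your administrative IP space")
    return problems


if __name__ == "__main__":
    print(check_rule("NRENX_NTP-AMP_DISCARD_20160307", "198.51.100.0/24",
                     "192.0.2.8/29", SAMPLE_ADMIN_NETWORKS))
```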
18
How to Use FoD – My Profile
The My Profile page displays information about your subscription, such as your administrative networks and name, your username and email.
19
Under the hood – Current Status
[Diagram labels: GÉANT, IX A, IX B, NREN A, Internet, Flowspec, FoD, NSHaRP]
20
Upgrade – Future Plans
[Diagram labels: GÉANT, IX A, IX B, NREN A, Internet, Flowspec, FoD, NSHaRP & RepShield]
21
FoD Roadmap
Dates: June 2013, Sept. 2014, Febr. 2015, Aug. 2015, Aug. 2015, Jan. 2016, Febr. 2016
Milestones:
- Flowspec testing on GÉANT backbone
- FoD test system installation (RHEL)
- FoD pilot
- Pentest & secure code review
- FoD test system installation (Debian)
- Resolving FoD issues on RHEL
- FoD going live
22
How to Contact us In case you have any issues or queries in relation to FoD, please contact GÉANT Infrastructure & Security team at
23
GEANT OPS Security Team security@geant.net