Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 © 1999, Cisco Systems, Inc. Course Number Presentation_ID ISP Security Issues in today’s Internet It’s not a nice place anymore...

Published byStuart Hood Modified over 9 years ago

Similar presentations

Presentation on theme: "1 © 1999, Cisco Systems, Inc. Course Number Presentation_ID ISP Security Issues in today’s Internet It’s not a nice place anymore..."— Presentation transcript:

1 1 © 1999, Cisco Systems, Inc. Course Number Presentation_ID ISP Security Issues in today’s Internet It’s not a nice place anymore...

2 2 Presentation_ID © 1999, Cisco Systems, Inc. The Internet Today NetAid’s October 9th Event 3 System architected for 60 million hits per hour, one million hits per minute, or just over 16,000 transactions per second to support 50,000,000 users over a multi- day event … while under constant cyber-probes and attacks. 3 NetAid was consistently probed and attacked through out the life of the event. It is an example of how today’s Internet networks need to be built - to ride out attacks, maintain the service, collect information on the attack, and counter the attack.

3 3 Presentation_ID © 1999, Cisco Systems, Inc. The ISP’s World Today Consumers Large Enterprises Small Businesses Professional Office ISP Other ISPs (the Internet)

4 4 Presentation_ID © 1999, Cisco Systems, Inc. The ISP’s World Today Changing Threat 3 User Friendly Tools make is easier for the amateur cyberpunks to do more damage 3 E-Commerce provides a monetary motivation 3 Direct attacks on the Internet’s core infrastructure means that the NET is not scared anymore. Source: Placeholder for Notes, etc. 14 pt., bold

5 5 Presentation_ID © 1999, Cisco Systems, Inc. For example - Smurfing Newest Denial of Service attack 3 Network-based, fills access pipes 3 Uses ICMP echo/reply packets with broadcast networks to multiply traffic 3 Requires the ability to send spoofed packets Abuses “bounce-sites” to attack victims 3 Traffic multiplied by a factor of 50 to 200

6 6 Presentation_ID © 1999, Cisco Systems, Inc. For example - Smurfing

7 7 Presentation_ID © 1999, Cisco Systems, Inc. For example - Smurfing Perpetrator has T1 bandwidth available (typically a cracked account), and uses half of it (768 Kbps) to send spoofed packets, half to bounce site 1, half to bounce site 2 Bounce site 1 has a switched co-location network of 80 hosts and T3 connection to net Bounce site 2 has a switched co-location network of 100 hosts and T3 connection to net

8 8 Presentation_ID © 1999, Cisco Systems, Inc. For example - Smurfing (384 Kbps * 80 hosts) = 30 Mbps outbound traffic for bounce site 1 (384 Kbps * 100 hosts) = 37.5 Mbps outbound traffic for bounce site 2 Victim is pounded with 67.5 Mbps (!) from half a T1! Warning! The newest source of high speed connections are in people’s homes. How many home’s with xDSL and Cable access have any sort of security?

9 9 Presentation_ID © 1999, Cisco Systems, Inc. 10.1.1.1 Good By Attack Methods—WinNuke

10 10 Presentation_ID © 1999, Cisco Systems, Inc. Attack Methods—Crack Shareware

11 11 Presentation_ID © 1999, Cisco Systems, Inc. ISPs need to: 3 Protect themselves 3 Help protect their customers from the Internet 3 Protect the Internet from their customers What do ISPs need to do?

12 12 Presentation_ID © 1999, Cisco Systems, Inc. 2) Secure Firewall, Encryption, Authentication (PIX, Cisco IOS, FW, IPSEC, TACACS+Radius) 1) ISP’s Security Policy 3) Monitor and Respond Intrusion Detection (i.e. NetRanger) 4) Test Vulnerability Scanning (i.e. NetSonar, SPA) 5) Manage and Improve Network Operations and Security Professionals What do ISPs need to do? Security in a is not optional!

13 13 Presentation_ID © 1999, Cisco Systems, Inc. Implement Best Common Practices (BCPs) 3 ISP Infrastructure security 3 ISP Network security 3 ISP Services security Work with Operations Groups, Standards Organisations, and Vendors on new solutions What do ISPs need to do?

14 14 Presentation_ID © 1999, Cisco Systems, Inc. BCP Examples System Architecture 3 Use AAA for staff 3 Modular Network Design with Layered Security 3 Transaction Logging (SNMP, SYSLOG, etc. ) 3 Peering, Prefix, and Route Flap Filters 3 Premises Security Features 3 Turn off unnecessary features 3 Routing Protocol MD5 3 Route Filters 3 Anti-Spoof filters or Unicast RPF 3 Rate Limiting filters on ICMP (active or scripts)

15 15 Presentation_ID © 1999, Cisco Systems, Inc. Hardware Vendor’s Responsibilities The roll of the hardware vendor is to support the network’s objectives. Hence, there is a very synergistic relationship between the ISP and the hardware vendor to insure the network is resistant to security compromises.

16 16 Presentation_ID © 1999, Cisco Systems, Inc. Hardware Vendor’s Responsibilities Cisco System’s Example: 3 Operations People working directly with the ISPs 3 Emergency Reaction Teams (i.e. PSIRT) 3 Developers working with customers on new features 3 Security Consultants working with customers on attacks, audits, and prosecution. 3 Individuals tracking the hacker/phracker communities

17 17 Presentation_ID © 1999, Cisco Systems, Inc. For Example... CEF Unicast RPF In Out Unicast RPF Drop IP HeaderData Src Addr: 210.210.1.1 Dest Addr: x.x.x.x IP HeaderData Routing Table: 210.210.0.0 via 172.19.66.7 172.19.0.0 is directly connected, Fddi 2/0/0 CEF Table: 210.210.0.0 172.19.66.7 Fddi 2/0/0 172.19.0.0 attached Fddi 2/0/0 Adjacency Table: Fddi 2/0/0 172.19.66.7 50000603E…AAAA03000800 RPF Checks to see if the source address’s reverse path matches the input port. If OK, RPF passed the packet to be forwarded by CEF. Customer’s Packets

18 18 Presentation_ID © 1999, Cisco Systems, Inc. For Example... CEF Unicast RPF In Out Unicast RPF Drop IP HeaderData Src Addr: 144.64.21.1 Dest Addr: x.x.x.x IP HeaderData Routing Table: 210.210.0.0 via 172.19.66.7 172.19.0.0 is directly connected, Fddi 2/0/0 CEF Table: 210.210.0.0 172.19.66.7 Fddi 2/0/0 172.19.0.0 attached Fddi 2/0/0 Adjacency Table: Fddi 2/0/0 172.19.66.7 50000603E…AAAA03000800 RPF Checks to see if the source address’s reverse path matches the input port. If not OK, RPF drops the packet. Customer’s Packets Spoofed Packets

19 19 Presentation_ID © 1999, Cisco Systems, Inc. For More Information… URLs Referenced in the Presentation This presentation 3 http://www.cisco.com/public/cons/isp/document/Hoover-Security.pdf BCPs for ISPs - Essentials IOS Features Every ISP Should Consider 3 http://www.cisco.com/public/cons/isp/documents/ Product Security Incident Response Team (PSIRT) 3 http://www.cisco.com/warp/public/707/sec_incident_response.shtml Improving Security on Cisco Routers 3 http://www.cisco.com/warp/public/707/21.html

20 20 Presentation_ID © 1999, Cisco Systems, Inc. For More Information… Industry Resources http://www.icsa.net/library 3 Many security articles by National Computer Security Assoc., and great tutorial on firewalls ftp://info.cert.org 3 Published warnings and downloadable files of solutions for defeating various types of attacks that have been reported to Computer Emergency Response Team http://www-ns.rutgers.edu/www-security/reference.html 3 Llinks to Web sites, mailing lists, standards documents, etc., related to WWW and/or Internet security

21 21Presentation_ID © 1999, Cisco Systems, Inc.

Download ppt "1 © 1999, Cisco Systems, Inc. Course Number Presentation_ID ISP Security Issues in today’s Internet It’s not a nice place anymore..."

Similar presentations

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Point Protection 111. Check List AAA to the Network Devices Controlling Packets Destined to the Network Devices Config Audits.

Point Protection 111. Check List AAA to the Network Devices Controlling Packets Destined to the Network Devices Config Audits.
Securing the Router Chris Cunningham.

Securing the Router Chris Cunningham.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
2006 Double Shot Security, Inc. All rights reserved 1 Operational Security Current Practices APNIC22 - Kaohsiung, Taiwan Merike Kaeo

2006 Double Shot Security, Inc. All rights reserved 1 Operational Security Current Practices APNIC22 - Kaohsiung, Taiwan Merike Kaeo
Net security - budi rahardjo Overview of Network Security Budi Rahardjo CISCO seminar 13 March 2002.

Net security - budi rahardjo Overview of Network Security Budi Rahardjo CISCO seminar 13 March 2002.
Network Security and Audits LITN Fall Conference 2006 Presented by Katie Givens Mosaic.

Network Security and Audits LITN Fall Conference 2006 Presented by Katie Givens Mosaic.
The Latest In Denial Of Service Attacks: “Smurfing” Description and Information to Minimize Effects Craig A. Huegen Cisco Systems, Inc. NANOG 11 Interprovider.

The Latest In Denial Of Service Attacks: “Smurfing” Description and Information to Minimize Effects Craig A. Huegen Cisco Systems, Inc. NANOG 11 Interprovider.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.

Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 13 -- Dearborn,

Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG Dearborn,
Definition : Computer Virus A computer program with the characteristic feature of being able to generate copies of itself, and thereby spread. Additionally.

Definition : Computer Virus A computer program with the characteristic feature of being able to generate copies of itself, and thereby spread. Additionally.
Lesson 19: Configuring Windows Firewall

Lesson 19: Configuring Windows Firewall
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study

Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study
Bandwidth DoS Attacks and Defenses Robert Morris Frans Kaashoek, Hari Balakrishnan, Students MIT LCS.

Bandwidth DoS Attacks and Defenses Robert Morris Frans Kaashoek, Hari Balakrishnan, Students MIT LCS.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Similar presentations

Ads by Google