
Firewall on Demand – A multidomain approach. Leonidas Poulopoulos, Yannis Mitsos – GRNET NOC. Firewall on Demand workshop, TF-MSP meeting.


Slide 1: Firewall on Demand – A multidomain approach
Leonidas Poulopoulos, Yannis Mitsos – GRNET NOC
Firewall on Demand workshop, TF-MSP meeting, 27-28 November 2014
http://www.grnet.gr

Slide 2: Network threats – GRNET Cloud IaaS

Slide 3: DDoS illustrated

Slide 4: GRNET – Rapid Anomaly Detection Python tool (rady)
– Volumetric
– Packets (WP-pingback)

Slide 5: Consequences
Performance degradation – GÉANT backbone, NRENs
Outages
Service malfunction
Resources – human, equipment

Slide 6: Mitigation techniques through time
ACLs and firewall filters → RTBH → BGP flowspec

Slide 7: The ACL way
Detect attack → profile it → apply local ACL → notify upstream → apply NREN ACLs → notify upstream → apply upstream ACLs
Notification happens by phone calls and emails, and every hand-off costs TIME, TIME, TIME.

Slide 8: The BGP way
Well-established model of trust
Stable and robust – powers the internet
Remote-triggered black-hole routing (RTBH)
BGP flow specification – “My name is Wall, Fire Wall”

Slide 9: Who are you, BGP Flowspec?
BGP Flowspec is defined in RFC 5575: Layer 4 (TCP and UDP) firewall filters distributed in BGP on both an intra-domain and an inter-domain basis.
Match – source/destination prefix – source/destination port – ICMP type/code – packet size – DSCP – TCP flags – fragment type – etc.
Actions – accept – discard – rate-limit – sample – redirect – etc.

Slide 10: A firewall filter over BGP???
Propagates wherever BGP flowspec is enabled – currently supported by Juniper
– To the very ends of the network
– To peering networks – downstream – upstream
Ideas! Apply to a single point and let it propagate to my borders.
Sounds like attacks are now mitigated closer to the source!!! – YES!!!!
Seems that it is more granular than RTBH – YES!!!!
Can we automate this?? Can we go from RFC to tool? – We have already done this!!!

Slide 11: Can you remind me why we need BGP flowspec?
Distributed across the network
Closer to the source
Fine-grained even on core/backbone networks
Multidomain: easy propagation towards the upstream via BGP
Easy automation & integration
Flowspec is an enhancement of RTBH: it does not affect all traffic to the victim, it is less coarse, it offers more actions, and it uses a separate NLRI.
(Slide spectrum: ACLs – BGP RTBH – Flowspec)
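The slides above describe flowspec as a Layer 4 filter carried as a separate BGP NLRI; the following added example (not part of the presentation or of GRNET's Flowspy code) encodes such a rule into the RFC 5575 wire format so the component types, operator bytes and the length prefix become concrete. It assumes IPv4 only, expresses each numeric value with an "equal" operator OR'ed with the previous one, and uses constructed prefixes from the 203.0.113.0/24 documentation range.

```python
"""Encode a BGP flowspec rule into RFC 5575 NLRI bytes (added example).

Assumptions: IPv4 only; numeric components use one 'eq' operator per
value, OR'ed together as RFC 5575 section 4 describes. Sample prefixes
are constructed values from the 203.0.113.0/24 documentation range.
"""
import ipaddress
import struct

# RFC 5575 section 4 component types (subset used here)
COMPONENT_TYPES = {
    "destination": 1,        # destination prefix
    "source": 2,             # source prefix
    "protocol": 3,           # IP protocol number
    "destination-port": 5,
    "source-port": 6,
    "icmp-type": 7,
    "icmp-code": 8,
    "packet-length": 10,
}

PROTOCOL_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}


def _as_list(value):
    return list(value) if isinstance(value, (list, tuple)) else [value]


def encode_prefix_component(ctype, prefix):
    """Type 1/2: <type><prefix length><only the octets the prefix needs>."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def encode_numeric_component(ctype, values):
    """Numeric types: <type> then one {operator, value} pair per value.

    Operator byte: bit7 end-of-list, bit6 AND (0 = OR with previous),
    bits5-4 value length (00=1, 01=2, 10=4 octets), bit0 'equal'.
    """
    out = bytearray([ctype])
    values = list(values)
    for i, value in enumerate(values):
        if value < 0x100:
            len_code, packed = 0, struct.pack("!B", value)
        elif value < 0x10000:
            len_code, packed = 1, struct.pack("!H", value)
        else:
            len_code, packed = 2, struct.pack("!I", value)
        op = (len_code << 4) | 0x01          # 'eq' comparison
        if i == len(values) - 1:
            op |= 0x80                        # end-of-list flag
        out.append(op)
        out += packed
    return bytes(out)


def encode_flowspec_nlri(rule):
    """Build the NLRI: a length (1 byte if < 240, else 2 bytes 0xFnnn)
    followed by the components in ascending type order, as RFC 5575 requires."""
    components = []
    for key, value in rule.items():
        ctype = COMPONENT_TYPES[key]
        if ctype in (1, 2):
            components.append((ctype, encode_prefix_component(ctype, value)))
        else:
            values = _as_list(value)
            if key == "protocol":
                values = [PROTOCOL_NUMBERS.get(v, v) for v in values]
            components.append((ctype, encode_numeric_component(ctype, values)))
    body = b"".join(enc for _, enc in sorted(components))
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body


if __name__ == "__main__":
    # Constructed rule: drop TCP/80 towards a documentation prefix.
    rule = {"destination": "203.0.113.0/24", "protocol": "tcp", "destination-port": 80}
    print(encode_flowspec_nlri(rule).hex())
```

The action (discard, rate-limit, redirect) is not part of the NLRI; RFC 5575 carries it in extended communities on the same BGP UPDATE, which is why the slide lists matches and actions separately.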

Slide 12: Firewall on Demand – from RFC to tool
Developed by: GRNET
Granularity: per-flow level
Action: drop, rate-limit, redirect
Speed: 1-2 orders of magnitude quicker
Efficiency: closer to the source, multi-domain
Automation: integration with other systems
Manageability: status tracking, web interface
Need for better tools to mitigate transient attacks

Slide 13: GRNET setup

Slide 14: How does it work?
1. The customer's NOC logs in to the web tool and describes flows and actions.
2. The destination is validated against the customer's IP space.
3. A dedicated router is configured (via NETCONF) to advertise the route via BGP flowspec.
4. Dynamic firewall filters are implemented on all routers.
5. The attack is mitigated upon entrance.
6. End of attack: removal via the tool, or auto-expire.
(Diagram labels: Web, NETCONF, eBGP, iBGP)
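The workflow above (validate the destination against the customer's address space, push a flowspec route to the dedicated router over NETCONF, withdraw it on request or on expiry) is illustrated by this added Python example. It is not Flowspy's own code: it assumes the Junos configuration layout routing-options/flow/route with match and then blocks, the NETCONF operation="delete" attribute for withdrawal, and supports only the discard and rate-limit actions; all addresses are constructed documentation prefixes. Sending the XML with ncclient is left out so the example runs offline.

```python
"""Server-side steps of the FoD workflow (added example, not Flowspy code):
validate the destination, render the Junos 'routing-options flow route'
configuration to be pushed over NETCONF, and detect auto-expiry.

Assumptions: the Junos XML layout below, the NETCONF operation="delete"
attribute, and 'then' limited to discard / rate-limit <bps>.
Addresses are constructed documentation prefixes.
"""
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
ET.register_namespace("nc", NC_NS)


def validate_destination(destination, customer_prefixes):
    """True only if the flow's destination lies entirely inside one of the
    customer's registered subnets: a user may only act for their own networks."""
    dst = ipaddress.ip_network(destination, strict=True)
    for prefix in customer_prefixes:
        net = ipaddress.ip_network(prefix)
        if net.version == dst.version and dst.subnet_of(net):
            return True
    return False


def build_flow_route(name, match, action="discard"):
    """Render <configuration> for one flowspec route. `match` keys follow
    the Junos flow-route syntax; `action` is 'discard' or 'rate-limit <bps>'."""
    cfg = ET.Element("configuration")
    flow = ET.SubElement(ET.SubElement(cfg, "routing-options"), "flow")
    route = ET.SubElement(flow, "route")
    ET.SubElement(route, "name").text = name
    m = ET.SubElement(route, "match")
    for key in ("destination", "source", "protocol", "destination-port", "source-port"):
        if key in match:
            ET.SubElement(m, key).text = str(match[key])
    then = ET.SubElement(route, "then")
    if action == "discard":
        ET.SubElement(then, "discard")
    elif action.startswith("rate-limit "):
        ET.SubElement(then, "rate-limit").text = action.split(None, 1)[1]
    else:
        raise ValueError("unsupported action: %s" % action)
    return ET.tostring(cfg, encoding="unicode")


def build_flow_route_delete(name):
    """Render the delete request used when a rule is withdrawn or expires."""
    cfg = ET.Element("configuration")
    flow = ET.SubElement(ET.SubElement(cfg, "routing-options"), "flow")
    route = ET.SubElement(flow, "route", {"{%s}operation" % NC_NS: "delete"})
    ET.SubElement(route, "name").text = name
    return ET.tostring(cfg, encoding="unicode")


def is_expired(created_iso, ttl_hours, now_iso):
    """Auto-expire check; timestamps are ISO 8601 strings (constructed)."""
    created = datetime.fromisoformat(created_iso)
    return datetime.fromisoformat(now_iso) >= created + timedelta(hours=ttl_hours)


def request_mitigation(flow, customer_prefixes, name="fod-example"):
    """Tie the steps together: authorization check first, then the config."""
    if not validate_destination(flow["destination"], customer_prefixes):
        raise PermissionError("destination outside the customer's address space")
    return build_flow_route(name, flow, flow.get("action", "discard"))


if __name__ == "__main__":
    # Constructed request: customer owns 203.0.112.0/22, asks to drop TCP/80
    # towards one host inside it.
    flow = {"destination": "203.0.113.5/32", "protocol": "tcp", "destination-port": 80}
    print(request_mitigation(flow, ["203.0.112.0/22"], name="fod-1"))
    print(build_flow_route_delete("fod-1"))
```

The validation step is the one that keeps a multidomain deployment safe: the router will happily advertise any prefix it is given, so the check that the destination sits inside the requesting peer's registered subnets must happen in the application before the NETCONF commit.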

Slide 15: Have you tried it in production?
GRNET network, in production since 2011: 3 years, 21 Tbytes, 100 rules, 40 users, 20 peers

Slide 16: Is there a chance that I shoot myself in the foot????
BGP Flowspec is a “sharp knife”
Protocol/tool level protection – flowspec filters – BGP filters – authorization (users can only act for their networks)
Application level protection – protected networks – alerts for violation – everything according to procedures

Slide 17: Time to go multidomain – fod.geant.net

Slide 18: FoD recipe
1 central FoD instance
BGP flowspec enabled in GÉANT routers
3 flavors
– NREN without BGP flowspec-supporting equipment
– NREN with BGP flowspec equipment that uses a local FoD
– NREN with BGP flowspec equipment that uses GÉANT's FoD

Slide 19: All together

Slide 20: Phase 1 tests – click Apply, 6 seconds later…

Slide 21: FoD Application Architecture – open source
https://code.grnet.gr/projects/flowspy
http://flowspy.readthedocs.org

Slide 22: Under the hood
Django application – 1.4 – Debian Wheezy system packages
Application server – Gunicorn
HTTP server – Apache proxy module
Database – MySQL
Caching – Memcached
Job scheduler – Celeryd
Queue – Beanstalkd
Network client – ncclient (NETCONF)

Slide 23: Installation and monitoring
Extensively tested on Debian Wheezy – using system packages – done in ~30 minutes
Monitored components – host checks – service checks: Apache (check_http), Gunicorn (check_mk), Celeryd (check_mk)

Slide 24: Joining FoD
Shibboleth attributes:
– email (maps to HTTP_EMAIL)
– persistent-nameid or persistent-id or targeted-id (all map to HTTP_REMOTE_USER)
A valid institution/peer with active subnets

Slide 25: Support
GRNET will actively support FoD
Same codebase; small changes between single- and multidomain – Shibboleth vs. eduGAIN
Full installation documentation of the multidomain flavor will be provided by the end of November 2014

Slide 26: To-dos
Full documentation for the multidomain setup
Multidomain repository
Harden security – limit access (ACL) – introduce Shibboleth attributes (?)
Test on the production network with manual entry
Invite 2-3 NRENs to join

Slide 27: Thank you – http://www.grnet.gr

