mahajan security for sp
TRANSCRIPT
-
8/13/2019 Mahajan Security for Sp
1/188
12003, Cisco Systems, Inc. All rights reserved.SP Security
Security for SPsincluding-DDOS PreventionWireless Security
Pravin Mahajan, [email protected]
Mumbai
22 Jan 2006
SANOG 7
-
8/13/2019 Mahajan Security for Sp
2/188
2222003, Cisco Systems, Inc. All rights reserved.SP Security
Agenda
Challenges
Trends
Threats
The first step - Telemetry Next Steps
Techniques
Modular Application to SP infrastructure
Wireless Security
Case Study
-
8/13/2019 Mahajan Security for Sp
3/188
32003, Cisco Systems, Inc. All rights reserved.SP Security
Security Challenges
-
8/13/2019 Mahajan Security for Sp
4/188
4442003, Cisco Systems, Inc. All rights reserved.SP Security
Introduction: Emerging Threats
-
8/13/2019 Mahajan Security for Sp
5/188
5552003, Cisco Systems, Inc. All rights reserved.SP Security
Todays Reality
-
8/13/2019 Mahajan Security for Sp
6/188
6662003, Cisco Systems, Inc. All rights reserved.SP Security
Evolution of Availabil ity Threats
InfrastructureAttacks
-
8/13/2019 Mahajan Security for Sp
7/188
7772003, Cisco Systems, Inc. All rights reserved.SP Security
Economic Impact of DDoS
Source: CSI/FBI 2004 Computer Crime and Security Survey
Dollar Amount of Losses by Type:
DoS Is 2nd
in ImpactAfter
Viruses!
-
8/13/2019 Mahajan Security for Sp
8/188
8882003, Cisco Systems, Inc. All rights reserved.SP Security
The Internet today
ISP Backbone
POP 1
Peering Links
POP 2
NOCBilling
Provisioning
WEBHosting
NSP Backbone
Peering Links
Internet Links
Customers
NOCEngineering
Provisioning
The new Internet Economybrought new services and
new players: NSPs, ASPs,etc
E-commerce has becomepart of the business model.
Customers now depend onthe Internet
Attacks targeted tocustomers can and do affect
the infrastructure.Availability is not just matterof duplicating gear.
-
8/13/2019 Mahajan Security for Sp
9/188
9992003, Cisco Systems, Inc. All rights reserved.SP Security
Collateral Damage
Attacks targeted to a particular customerCAN and DO affect the infrastructure
www.myweb.com
Customers
POP
SPBackbone
SP Network
Upstream/Peers
SP wont
be out of it
-
8/13/2019 Mahajan Security for Sp
10/188
1010102003, Cisco Systems, Inc. All rights reserved.SP Security
Infrastructure Attacks
a wake up call
Now elements of the SP
infrastructure are being directlytargeted too:
Services: DNS, DHCP,SMTP, WWW, FTP
Routers
Routing
-
8/13/2019 Mahajan Security for Sp
11/188
1111112003, Cisco Systems, Inc. All rights reserved.SP Security
Role of Service Providers
Protect their own infrastructure (from Customers
and Internet)Help protect other peersProtect customers from attacks coming from theinfrastructure or other customers
CustomerOther ISPs
Data Plane
Management Plane
Attacks Attacks
Attacks
-
8/13/2019 Mahajan Security for Sp
12/188
122003, Cisco Systems, Inc. All rights reserved.SP Security
Security Trends
-
8/13/2019 Mahajan Security for Sp
13/188
1313132003, Cisco Systems, Inc. All rights reserved.SP Security
Evolution of Security Challenges
GLOBALInfrastructure
Impact
REGIONAL
Networks
MULTIPLENetworks
INDIVIDUALNetworks
INDIVIDUALComputer
GLOBALGLOBALInfrastructureInfrastructure
ImpactImpact
REGIONALREGIONAL
NetworksNetworks
MULTIPLEMULTIPLENetworksNetworks
INDIVIDUALINDIVIDUALNetworksNetworks
INDIVIDUALINDIVIDUALComputerComputer
Target and Scopeof DamageTarget and ScopeTarget and Scopeof Damageof Damage
1980s1980s 1990s1990s TodayToday FutureFuture
SecondsSeconds
MinutesMinutes
DaysDays
WeeksWeeksFirst Gen
Bootviruses
First Gen
Bootviruses
Second GenMacroviruses
Denial ofService
Second GenMacroviruses
Denial ofService
Third Gen
DistributedDenial of
ServiceBlendedthreats
Third Gen
DistributedDenial of
ServiceBlendedthreats
Next Gen
Flashthreats
MassivebotdrivenDDoS
Damagingpayloadworms
Next Gen
Flashthreats
MassivebotdrivenDDoS
Damagingpayloadworms
Rapidly Escalating Threat to Businesses
-
8/13/2019 Mahajan Security for Sp
14/188
1414142003, Cisco Systems, Inc. All rights reserved.SP Security
Evolution of Security Strategies
1990s 2000 2002
Integrated securi tyRouters
Switches
Appliances
Endpoints
FW + VPN + IDS.
Integratedmanagement
software
Evolving advanced
services
Security
appliances
Enhanced router
security
Separate Mgt
software
Basic router
security
Command l ine
interface
2003
End-point posture
enforcement
Network device
protection
Dynamic/Secure
connectivity
Dynamic
communicationbetween elements
Automated threat
response
Self-Defending
Networks
2004
Integrated
SecurityDefense-
In-Depth
PointProducts
Basic
Security
Multiple
technologies
Multiple
locations
Multipleappliances
Little/no
integration
-
8/13/2019 Mahajan Security for Sp
15/188
1515152003, Cisco Systems, Inc. All rights reserved.SP Security
Self-Defending Network
IP + SecurityIP + Security
2. Disparate
Security
Services
2. Disparate
Security
Services
3. ReactiveSecurity
3. ReactiveSecurity
CollaborativeSecuritySystems
CollaborativeCollaborativeSecuritySecuritySystemsSystems
AdaptiveSecurity
AdaptiveAdaptiveSecuritySecurity
1. Point
Products
1. Point
ProductsIntegrated
Security
IntegratedIntegrated
SecuritySecurity
-
8/13/2019 Mahajan Security for Sp
16/188
1616162003, Cisco Systems, Inc. All rights reserved.SP Security
Self-Defending Network:Controlling the Who, What, Where, When, Why and How
Whoallows access to data only by authorized personnel
Whatprevents data from ever being stored, copied, orprinted outside the secure environment
Whereprovides layers of protection and auditing to ensure
that data is only stored in a controlled location Whenusers process data normally, but the data never
sleeps outside of the secure area
Whyonly authorized personnel allowed to process data Howdata access is restricted, authenticated, and audited by
the Self-Defending Network
-
8/13/2019 Mahajan Security for Sp
17/188
1717172003, Cisco Systems, Inc. All rights reserved.SP Security
Self Defending Networks
From Point Products to Holistic System
Security as an Option Security, INTEGRAL to the System
Reduced complexity Easier deployment and
management
Security risks effectively
mitigated Lower TCO
Reduced complexityReduced complexity Easier deployment andEasier deployment and
managementmanagement
Security risks effectivelySecurity risks effectively
mitigatedmitigated Lower TCOLower TCO
Very complex environment Higher integration cost
Security risks not mit igated
Lower reliability
Very complex environmentVery complex environment Higher integration costHigher integration cost
Security risks not mit igatedSecurity risks not mit igated
Lower reliabilityLower reliability
-
8/13/2019 Mahajan Security for Sp
18/188
182003, Cisco Systems, Inc. All rights reserved.SP Security
Threats
-
8/13/2019 Mahajan Security for Sp
19/188
1919192003, Cisco Systems, Inc. All rights reserved.SP Security
Introduction: The Basic ModelTypes of Communication:1) People Accessing
Information Assets
2) People Communicatingwith One and Other
3) Machine to MachineCommunication
Attack Targets:
1) End-points Themselves
2) Traffic Leaving
3) Traffic in Flight
4) Traffic Entering
Policy Primitives:1) User / Service Identity
2) Machine Security Posture
-
8/13/2019 Mahajan Security for Sp
20/188
2020202003, Cisco Systems, Inc. All rights reserved.SP Security
Introduction: Appropriate Risk Mitigation
LEVEL OF RISK AVERSION
DEPTH OFMITIGATIONSTRATEGY
RISKTOLERANT
RISKNEUTRAL
RISKAVERSE
Conclusion:Determine in advance the level of riskappropriate to the business
-
8/13/2019 Mahajan Security for Sp
21/188
2121212003, Cisco Systems, Inc. All rights reserved.SP Security
Worms and Viruses Virus:Malicious piece of software that typically
propagates by attaching itself to some other
form of communication. May exploit avulnerabili ty, but always requires humaninterventionto spread.
Worm:Malicious piece of software that self-
propagates. Always exploits a vulnerabili ty toinfect, and does not require human interventionto spread
-
8/13/2019 Mahajan Security for Sp
22/188
2222222003, Cisco Systems, Inc. All rights reserved.SP Security
Worms and Viruses: What Happens
Injection code arrives
at end point
Can either self-execute by havinganother processexecute it , or can havea user execute it
Some are completelyself-contained, someneed to pull downadditional propagationand payload code to
operate
InjectionPropagation
PayloadCode replicates itself,
and begins topropagate to otherhosts
Propagation can bemulti -vector (Nimda)
Mass propagation aretypically why thecasual user learns ofthese
Can cause network-level Denial of Service(Blaster) due tomassive consumptionof resources
Potential for mostdamaging portion ofinfection
Historically, often not
malicious (e.g.Slammer)
Sometimes triggers areboot (Nachi), oftento further embed itselfin the system
Increasingly, used toinstall backdoors ortrojans, and to patchthe injection vector
-
8/13/2019 Mahajan Security for Sp
23/188
2323232003, Cisco Systems, Inc. All rights reserved.SP Security
Recent Trends in Worms and Viruses
Change in Purpose
Shift from fame to profit
Shift from being noisy to developing an asset
with economic value Change in Expected Behavior
Less Noisy
More Sophisticated
More Variants, smaller scope of each
-
8/13/2019 Mahajan Security for Sp
24/188
2424242003, Cisco Systems, Inc. All rights reserved.SP Security
A Birthday Message for You!!!
-
8/13/2019 Mahajan Security for Sp
25/188
2525252003, Cisco Systems, Inc. All rights reserved.SP Security
Anatomy of a Trojan
Troj/LdPinch-BD is a password-stealing Trojan for Windowsplatforms
Troj/LdPinch-BD steals information, including passwords,from various applications. Information stolen may include:
computer details (OS version, memory, CPU etc.)
available drives (drive letter, type and free space)
hostname and IP address
Windows folder volume information
Passwords and confidential information from 'Protected Storage
POP3 and IMAP server information, usernames and passwordsFTP usernames and passwords
RAS dial-up settings
The Trojan may steal information relating to applicationsincluding the following:
Mirabilis ICQ
Opera
CuteFTP
WS_FTP
Windows Commander
Total Commander
The Trojan attempts to download and run further maliciouscode.
Source: http://sophos.com/virusinfo/analyses/trojldpinchbd.html
-
8/13/2019 Mahajan Security for Sp
26/188
2626262003, Cisco Systems, Inc. All rights reserved.SP Security
Harvesting and Asset Development
Creation of bot-netnetworks of thousands ofcompromised machines
Used as:
Launch points for otherattacks
Spam-nets (sold or rented tospammers)
DDoS For Hire networks (soldor rented to attackers)
MACHINEHARVESTING
INFORMATIONHARVESTING
Harvesting identityinformation (account names,numbers, passwords,
personal information, etc) Used for:
Direct sale on the openmarket
Compromise other networks
Trust-enablement for fraud(traditional cons and newcons such as phishing)
-
8/13/2019 Mahajan Security for Sp
27/188
2727272003, Cisco Systems, Inc. All rights reserved.SP Security
Hacker
Zombies
Control Traffic
Attack Traff ic
Masters
Victim
(Web Server)
Customers Premises:
Server/FW/Switch/Router
Flooded PipeISP Edge Router
BotNet Operation
-
8/13/2019 Mahajan Security for Sp
28/188
2828282003, Cisco Systems, Inc. All rights reserved.SP Security
A New Class of Threat: Spyware
SPYWARE: malware that obtains ortransmits personal information with
intent to defraud*ADWARE: Spywares slightly more
reputable cousin
Recently, Spyware has exploded as asignificant security threat
Can be thought of as a drive up
virus skip the propagation step andcut out the middle-man!
Enhanced Concern: Threat to controlof Confidential Information
* From most recent draft of US Federal I-SPY act
-
8/13/2019 Mahajan Security for Sp
29/188
2929292003, Cisco Systems, Inc. All rights reserved.SP Security
Bundled in freeware/shareware
Social Engineering
Pestering pop-ups until user clicks yes
Confusing or buried EULA terms
User doesnt read EULA
Drive-by Download
Remote installation no physical access necessary Via Virus or Trojan
How Spyware/Adware Gets Installed
-
8/13/2019 Mahajan Security for Sp
30/188
3030302003, Cisco Systems, Inc. All rights reserved.SP Security
Denial of Service: A Refresher
Denial of Service (DoS) attacksgoal is to make serviceunavailable
The method may target:
A server
A network device
A network
Can be associated with:
Source IP spoofing
Collateral Damage includes:Saturation of networkforwarding tables
Exhausting processing power
Clogging links
mbehri ng
-
8/13/2019 Mahajan Security for Sp
31/188
3131312003, Cisco Systems, Inc. All rights reserved.SP Security
Denial Of Service: Whats Going On
Basic Denial of Service
Often L3/L4 based; SYN attacks common; spoofingcommon
Relatively easy to block sources and stop
Distributed Denial of Service
Similar to a basic DoS in approach, but sources appear
randomTens of thousands of broad-band connected machines in abot-net make it extremely difficult to track
Often stopped by closing down control channels
Emerging Threats:Application-layer Denial of ServiceEmail DoS
Web Front-end DoS
Web-Services and XML DoS
IP Telephony DoS
-
8/13/2019 Mahajan Security for Sp
32/188
3232322003, Cisco Systems, Inc. All rights reserved.SP Security
DDoS For Hire, and DoS Extortion
DDoS For Hire:Criminal service in which for a nominalfee, a site of your choosing can be taken off line
DoS Extortion:Criminal enterprise in which web-sitesmust pay a protection fee to avoid being taken offline,typically during a critical business period
ONLINE EXTORTION
How a Bookmaker and a Whiz
Kid Took On an Extortionist
and Won
Facing an online extortion threat, Mickey
Richardson bet his Web-based business ona networking whiz from Sacramento whofirst beat back the bad guys, then helpedthe cops nab them. If you collect revenueonline, you'd better read this.
http://www.csoonline.com/read/050105/extortion.html
US credit cardfirm fights DDoS attack
US credit card processing firm Authorize.Net is fightinga sustained distributed denial of service (DDoS) attackthat has left it struggling to stay online.
Glen Zimmerman, a spokesman for Authorize.Net'sparent company, Lightbridge, told the Boston Globe thatthe attacks followed an extortion letter. Lightbridge saidit was working with law enforcements officials to trackdown the attackers.
http://www.theregister.co.uk/2004/09/23/authorize_ddos_attack/
-
8/13/2019 Mahajan Security for Sp
33/188
3333332003, Cisco Systems, Inc. All rights reserved.SP Security
Real Traffic
Attack Traffic
Firewall
GEnet
Real Traffic
Attack Traffic ISP ISP 2
Web, DNS, Email,
AnomalyDetector
Guard Guard
AnomalyDetector
Router
Switch
Switch
Internal Network
Solutions: Basic DoS and DDoS
Server IsSubject to aDDoS Attack
DDos AttackDetected
-
8/13/2019 Mahajan Security for Sp
34/188
3434342003, Cisco Systems, Inc. All rights reserved.SP Security
Firewall
GEnet
Real Traffic
Attack Traffic ISP ISP 2
Web, DNS, Email,
AnomalyDetector
Guard Guard
AnomalyDetector
Router
Switch
CatalystSwitch
Internal Network
Solutions: Basic DoS and DDoS
Valid TrafficContinues onto Server Farm
Routing UpdateSent to Switch
Traffic Is Divertedto the Guard
Anomalous TrafficIs Detectedand Dropped
-
8/13/2019 Mahajan Security for Sp
35/188
3535352003, Cisco Systems, Inc. All rights reserved.SP Security
Further Solutions: Denial of Service
Denial of Service likely to continue to be a problem for anumber of years
Economic incentives drive behavior
Application Denial of Service a key piece of anApplication Security strategy
Look for solutions with real DoS protective capabilities
Partnerships are a Must
Enterprises must work with their Providers to set upresponse plans
Incident Response a Must
Have a plan before your attacked. DoS attacks are veryvisible, very quickly. Timeliness of response is key
-
8/13/2019 Mahajan Security for Sp
36/188
3636362003, Cisco Systems, Inc. All rights reserved.SP Security
Messaging Security
SPAM / SPIM / SPIT
Nuisance / Productivity Drain / DoS or Cost ImpositionVector for other Frauds
Phishing / Pharming
Solutions:
IIM (Identified Internet Mail) spec
2-factor auth for financialsUniform policy control: Message Hygiene solutions;Endpoint Posture Compliance
-
8/13/2019 Mahajan Security for Sp
37/188
3737372003, Cisco Systems, Inc. All rights reserved.SP Security
SPAMity Calamity
-
8/13/2019 Mahajan Security for Sp
38/188
3838382003, Cisco Systems, Inc. All rights reserved.SP Security
SPAMity Calamity
Evolution of SPAM:
NuisanceProductivity Drain
Offensive Content
Vector for Fraud
Dominant SourceToday: Bot-nets
SPAM is very much anunsolved problem
http://abcnews.go.com/US/wireStory?id=252318
Trial Shows HowSpammers Operate
Trial of Prolific Spammer ShowsHow He Sent 10 Million E-Mailsa Day, Made $750,000 a Month
LEESBURG, Va. Nov 14, 2004
-
8/13/2019 Mahajan Security for Sp
39/188
3939392003, Cisco Systems, Inc. All rights reserved.SP Security
The Changing Nature of Spam
SPAM explosion: Old Dog, New Tricks
SPIMSpam over InstantMessaging
SPITSpam over IP Telephony
Rise of Crime:
Fraud as a rising threat
Phishing
Criminalization of Spam:
CAN-SPAM act in US
Introduction to Phishing
-
8/13/2019 Mahajan Security for Sp
40/188
4040402003, Cisco Systems, Inc. All rights reserved.SP Security
Introduction to PhishingPhishing Basics
Introduction to Phishing
-
8/13/2019 Mahajan Security for Sp
41/188
4141412003, Cisco Systems, Inc. All rights reserved.SP Security
Introduction to PhishingPhishing Basics
PHISHING:Email Schemes, Called Phishing
or Carding , Are an Attempt toTrick Consumers into DisclosingPersonal and/or FinancialInformation; the Emails Appearto Come from Companies with
Whom Consumers May RegularlyConduct Business; Often Timesthe Email Threatens Terminationof Accounts Unless ConsumersUpdate Bill ing Information
Source:www.atg.wa.gov/consumer/idprivacy/phishing.shtm
In this Example, the Link ReallyLeads Through to:http://web.da-
us.citibank.com.userdll.com:4903/c/index.htm
CONCLUSION:Unsolicited Email Can Be More than Just an Annoyance
New Threats: Phishings
-
8/13/2019 Mahajan Security for Sp
42/188
4242422003, Cisco Systems, Inc. All rights reserved.SP Security
New Threats: Phishing sCousinPharming
MUNDO-BANK.COM
Hosts File:superbank.com = 172.168.254.254
172.168.1.1
Come see us atwww.superbank.com
MUNDO-BANK.COM
Unsol
icited
Email
MUNDO-BANK.COM
172.168.1.1
MUNDO-BANK.COM
MUNDO-BANK.COM
DNS
Poiso
ning
Regular
Onli
ne
Banking
PHISHING PHARMING
172.168.254.254 172.168.254.254
The Port 80 Problem
-
8/13/2019 Mahajan Security for Sp
43/188
4343432003, Cisco Systems, Inc. All rights reserved.SP Security
The Port 80 ProblemOpportunistic Applications Overloading Open Ports
Port Overloading enables
violation of Security Policy:Opportunistic applications tunnel
through open outbound ports. Legacy
firewalls cannot discern legitimatefrom illegitimate applications
Some Solutions:
Advanced firewalls can distinguish between applications by
protocol semantics and enforce security pol icy
Business Traffic
Peer to Peer,Tunneled Apps
PublicInternet
Opportunistic Applications:Peer-to-peer Apps
Instant Messaging
Remote PC Access Apps
Covert Channels
-
8/13/2019 Mahajan Security for Sp
44/188
4444442003, Cisco Systems, Inc. All rights reserved.SP Security
The Port 443 (SSL) Problem
Encrypted Port 80 Data confidentiality extends
to network devices as well
Can verify compliance withSSL protocol spec, but
beyond that, very difficult toenforce policy
S: 10.123.234.17D: 123.234.123.234Port: 443
Contents:100010111010100110010101100110101010001101011010011010111001010
Were planning on
pricing it less than$4000. I thought youdfind that interesting
oddballWhat is this?
Valid e-commerce?
Acceptable-use violations?Covert channel?Outbound attack?
Some Solutions:
Protocol compliance checking
Desktop application usagepolicy enforcement tools
Destination fi ltering viadomain/URL filtering
Close 443 to all but well-defined
business traffic
-
8/13/2019 Mahajan Security for Sp
45/188
4545452003, Cisco Systems, Inc. All rights reserved.SP Security
Securing Web Services
-
8/13/2019 Mahajan Security for Sp
46/188
4646462003, Cisco Systems, Inc. All rights reserved.SP Security
Web Services and XML Security
Exposing the application layer toexternal entities for the first time
Introduces new classes of credentialsfor access control
Introduces new classes of attacks: X-
malware, XML DoS, XPATH injection,etc.
Allows new services for confidentialityand integrity: Field-level encryption,
document signing, transformationservices, etc.
Ingress to the DataCenter / DMZ
Web-enabled Front-End
Appl ication Server
Database Layer
Some Solutions:
Secure Coding!
Schema validation toolsets
Attack prevention technologies
-
8/13/2019 Mahajan Security for Sp
47/188
4747472003, Cisco Systems, Inc. All rights reserved.SP Security
Social Engineering
Social Engineering Attacks: Attacks that
compromise the human elements of businessprocessing
Assuming an identity to exploit trust relationships
These forms of attack have been around forever
Not an emerging threat in and of itself, but aconstant force multipl ier on new threats
-
8/13/2019 Mahajan Security for Sp
48/188
482003, Cisco Systems, Inc. All rights reserved.SP Security
The First Step - Telemetry
Holistic Approach to
-
8/13/2019 Mahajan Security for Sp
49/188
4949492003, Cisco Systems, Inc. All rights reserved.SP Security
ppSystem-Wide Telemetry
Cardiologist
Ophthalmologist
Neurologist
NephrologistHematologist
Podiatrist
Holistic Approach to Patient CareUses a system-wide approach, coordinating with various specialists,
resulting in the patients better overall health and wellbeing.
Holistic Approach to
-
8/13/2019 Mahajan Security for Sp
50/188
5050502003, Cisco Systems, Inc. All rights reserved.SP Security
ppSystem-Wide Telemetry (Cont.)
Data Center:Ingress / egress trafficIntra Datacenter traffic
due to trust relationshipsof servers
Availability scheme
influenced traffic patternsNetwork element health
Customer Edge:Ingress traffic
[worm, attack]Egress traffic
[spreading worms]Shared resources
such as DNS,SMTP and suchservers
Network elementhealth
Core:Network element
healthInfrastructure
healthPerformancePacket paths
SP Peering:Ingress /
egress traffic
Asymmetrictraffic due topeering policy& topology
Networkelement health
P
P
P
P
PE
P
P
PE(s)L2 Agg.
Broadband,
Wireless (3G,802.11),Ethernet, FTTH,
Leased Line,ATM, Frame-
Relay
CPE(s)
P P
Data/ServiceCenter
CPE/ACCESS/AGGREGATION CORE PEERINGDATA/SVCCenter
ISP /Al t. Carrier
-
8/13/2019 Mahajan Security for Sp
51/188
5151512003, Cisco Systems, Inc. All rights reserved.SP Security
What Is One Listening to?
Ingress traffic flow
Egress traffic flow
Network element health
Resources such as CPU, memory, etc.
# flow to build baseline and detect anomaly
Top talkers
Open ports services etc.
Shared services
DNS, SMTP, Availabili ty related services, etc.
-
8/13/2019 Mahajan Security for Sp
52/188
5252522003, Cisco Systems, Inc. All rights reserved.SP Security
Understand the Concept of Data Gathering
Listening to a network elementPer device listening
Local data provide information about local threats
Listening to ManyCorrelation is a MUST
Intelligent analysis is a MUST
Risks and threats are NOTprevalent in one place ONLY
Need to watch everywhere to avoidbeing eaten by thousand turkeys...
Listen
Holistic Approach to
-
8/13/2019 Mahajan Security for Sp
53/188
5353532003, Cisco Systems, Inc. All rights reserved.SP Security
System-Wide Telemetry
Data Center:Inter as well as Intra Data
Center traffic
Customer Edge:Shared resources
and servicesshould beavailable
Core:Performance must
not be affectedSP Peering:Ability to trace
through
asymmetrictraffic
P
P
P
P
PE
P
P
PE(s)L2 Agg.
Broadband,
Wireless (3G,802.11),Ethernet, FTTH,
Leased Line,ATM, Frame-
Relay
CPE(s)
P P
Data/ServiceCenter
CPE/ACCESS/AGGREGATION CORE PEERINGDATA/SVCCenter
ISP /Al t. Carrier
Listen Listen
Listen
Listen
Network Telemetry:
-
8/13/2019 Mahajan Security for Sp
54/188
5454542003, Cisco Systems, Inc. All rights reserved.SP Security
Tools, Techniques and Protocols
Proactive Telemetry
NetFlow
SNMP
RMON
Syslog
Network element healthBGP
DNS
Telemetry During the Incident
Packet Capture
show commands
Network element health
Syslog
How to Gather Data or Information?
-
8/13/2019 Mahajan Security for Sp
55/188
5555552003, Cisco Systems, Inc. All rights reserved.SP Security
Netflow : What Is a Flow?
Defined by seven uniquekeys:
Source IP address
Destination IP address
Source port
Destination port
Layer 3 protocol type
TOS byte (DSCP)Input logical interface(ifIndex)
Exported Data
N fl C i E P k
-
8/13/2019 Mahajan Security for Sp
56/188
5656562003, Cisco Systems, Inc. All rights reserved.SP Security
Netflow : Creating Export Packets
Core Network
Enable NetFlow
Traffic
CollectorNFC, flow-tools , Arbor
UDP NetFlow
Export
Packets
Application GUI
Arbor, FlowScan
PE
Export Packets
Approximately 1500 bytes Typically contain 20-50 flowrecords
Sent more frequently if trafficincreases on NetFlow-
enabled interfaces
N tfl K C t N tFl S l bilit
-
8/13/2019 Mahajan Security for Sp
57/188
5757572003, Cisco Systems, Inc. All rights reserved.SP Security
Netflow : Key ConceptNetFlow Scalability
Packet capture is like a wiretap
NetFlow is like a phone bill This level of granularity allows NetFlow to scale
for very large amounts of traffic
We can learn a lot from studying the phone bill!
Whos talking to whom, over what protocols & ports,for how long, at what speed, for what duration, etc.
NetFlow is a form of telemetrypushed from therouters/switches - each one can be a sensor!
N tFl I f t t
-
8/13/2019 Mahajan Security for Sp
58/188
5858582003, Cisco Systems, Inc. All rights reserved.SP Security
NetFlow Infrastructure
Applications:Applications:
Router:
Cache Creation
Data Export
Aggregation
Router:
Cache Creation
Data Export
Aggregation
Collector:
Collection
Filtering
Aggregation
Storage
File System Management
Account ing/Billing
Network Planning
Data Presentation
Wh t D l N tFl ?
-
8/13/2019 Mahajan Security for Sp
59/188
5959592003, Cisco Systems, Inc. All rights reserved.SP Security
Where to Deploy NetFlow?
Attack Detection
User (IP)monitoring
Applicationmonitoring
Billing
Chargeback AS Peer
Monitoring
Attack Detection
Billing
Chargeback AS Peer
Monitoring
Attack Detection
Traffic
EngineeringTraffic
Analys is
AttackDetection
Traffic
EngineeringTrafficAnalys is
AttackDetection
Applications Attack Detection
User (IP)monitoring
Applicationmonitoring
Billing
Chargeback AS Peer
Monitoring
AttackDetection
Billing
Chargeback AS Peer
Monitoring
AttackDetection
Ne
tworkLayer Access DistributionDistribution DistributionDistribution AccessCoreCore
NetFlow
Features
AggregationSchemes (v8) show ip cache
flow command
Arbor Networks
NetFlowMPLS EgressAccounting
BGP Next-hop(v9)
ArborNetworks
NetFlowMPLS EgressAccounting
BGP Next-hop(v9)
ArborNetworks
MPLS AwareNetFlow (v9)
BGP Next-hop(v9)
SampledNetFlow
Arbor Networks
MPLS AwareNetFlow (v9)
BGP Next-hop(v9)
Sampled
NetFlow
Arbor Networks
NetFlowMPLS EgressAccounting
BGP Next-hop(v9)
ArborNetworks
NetFlowMPLS EgressAccount ing
BGP Next-hop(v9)
ArborNetworks
AggregationSchemes (v8) show ip cache
flow command
Arbor Networks
Principal NetFlow Benefits
-
8/13/2019 Mahajan Security for Sp
60/188
6060602003, Cisco Systems, Inc. All rights reserved.SP Security
Principal NetFlow Benefits
Peering arrangements
SLA VPN user reporting
Usage-based billing
DoS/worm detection
Traffic engineering
Troubleshooting
Internet access
monitoring (protocoldistribution, trafficorigin/destination)
Associate cost of IT to
departments
More scalable than RMON
DoS/worm detection
Policy compliancemonitoring
Troubleshooting
SERVICE PROVIDER ENTERPRISE
Open Source Tools for NetFlow AnalysisThe OSU Flow Tools
-
8/13/2019 Mahajan Security for Sp
61/188
6161612003, Cisco Systems, Inc. All rights reserved.SP Security
The OSU Flow-Tools
Open source NetFlow collection and retrieval tools
Developed and maintained by Mark Fullmer, availablefrom http://www.splintered.net/sw/flow-tools/
Runs on common *NIX platforms (Linux, FreeBSD, MacOS/X, Solaris, etc.)
Command-line tools allow for very display/sorting ofspecific criteria (source/dest IP, source/dest ASN,protocol, port, etc.)
Data can be batched and imported into database such as
Oracle, MySQL, Postgres, etc. Can be combined with other tools to provide visualization
of traffic patterns
Many other useful features - check it out today!
Open Source Tools for NetFlow AnalysisVisualization FlowScan
-
8/13/2019 Mahajan Security for Sp
62/188
6262622003, Cisco Systems, Inc. All rights reserved.SP Security
VisualizationFlowScan
Open source NetFlow graphing/visualization tools
Developed and maintained by Dave Plonka, available from
http://net.doit.wisc.edu/~plonka/FlowScan/
Runs on common *NIX platforms (Linux, FreeBSD, MacOS/X, Solaris, etc.)
Makes use of NetFlow data collected via flow-tools tobuild traffic graphs
Top-talkers by subnet, other types of reports supported
Makes use of RRDTool for graphing Add-ons such as JKFlow module allow more detailed
graphing
Open Source Tools for NetFlow AnalysisVisualization FlowScan (Cont )
-
8/13/2019 Mahajan Security for Sp
63/188
6363632003, Cisco Systems, Inc. All rights reserved.SP Security
Source: University of Wisconsin
VisualizationFlowScan (Cont.)
Investigate the spike
An identified cause of
the outage
Netflow : Coupling Control and Data Planes
-
8/13/2019 Mahajan Security for Sp
64/188
6464642003, Cisco Systems, Inc. All rights reserved.SP Security
Netflow : Coupling Control and Data Planes
SNMP
-
8/13/2019 Mahajan Security for Sp
65/188
6565652003, Cisco Systems, Inc. All rights reserved.SP Security
SNMP
SNMP = Simple Network Management Protocol
Canonical method of obtaining real-time information from
network devices SNMPv3provides authentication, encryption
MIBs support polling of statistics ranging from interface
bandwidth to CPU uti lization to chassis temperature, etc. Both a pull model for statistical poll ing and a push
model for trap generation based upon events such as linkup/down
Many open-source and commercial collection systems,visualization tools
Easiest way to get into profi ling of general network
characteristics
Displaying SNMP Data with MRTG
-
8/13/2019 Mahajan Security for Sp
66/188
6666662003, Cisco Systems, Inc. All rights reserved.SP Security
Displaying SNMP Data with MRTG
MRTGthe Multi Router Traffic Grapher
Open source SNMP visualization toolset developed by
Tobi Oetiker, available fromhttp://people.ee.ethz.ch/~oetiker/webtools/mrtg/
Long track-record - (in general use since 1995)
Can be used to graph router/switch data, hostperformance info from systems running SNMP agents,etc. (generates HTML w/PNG images)
Runs on Linux, FreeBSD, Mac OS/X, Solaris, other *NIX,Windows
Written in Perl, has its own SNMP implementation
Powerful Visualization of SNMP with MRTG
-
8/13/2019 Mahajan Security for Sp
67/188
6767672003, Cisco Systems, Inc. All rights reserved.SP Security
Source: mrtg.org
Powerful Visualization of SNMP with MRTG
Powerful Visualization of SNMP with MRTG(Cont )
-
8/13/2019 Mahajan Security for Sp
68/188
6868682003, Cisco Systems, Inc. All rights reserved.SP Security
Source: mrtg.org
(Cont.)
Varioustype ofstatisticsgathering
anddisplay
Other Visualization Techniques UsingSNMP Data with RRDTool
-
8/13/2019 Mahajan Security for Sp
69/188
6969692003, Cisco Systems, Inc. All rights reserved.SP Security
SNMP Data with RRDTool
RRDToolthe Round Robin Database Tool
Another open source SNMP visualization toolset
developed by Tobi Oetiker, available fromhttp://people.ee.ethz.ch/~oetiker/webtools/rrdtool/
Improved graphing performance, new types of graphs
Can be used in conjunction with MRTG - does not do itsown SNMP collection (can also be used w/NetFlow viaOSU flow-tools & FlowScan)
Runs on Linux, FreeBSD, Mac OS/X, Solaris, other *NIX,
Windows Many nice HTML/PHP front-ends such as Cacti, Cricket,
Big Sister, etc.
Other Visualization Techniques UsingSNMP Data with RRDTool (Cont.)
-
8/13/2019 Mahajan Security for Sp
70/188
7070702003, Cisco Systems, Inc. All rights reserved.SP Security
Source: http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/
SNMP Data with RRDTool (Cont.)
Anomaly for DNS Queries
ThruputSpike
RTTSpike
Displaying SNMP Data with NMS Station
-
8/13/2019 Mahajan Security for Sp
71/188
7171712003, Cisco Systems, Inc. All rights reserved.SP Security
Displaying SNMP Data with NMS Station
Can be considered as Local telemetry
Network Management Systems (NMS) can serve as SNMP
consoles, among other things Many can use SNMP traps and/or other forms of telemetry
as triggers for paging, scripted actions, etc.
Pull ing information together can be useful for NOCs,operations teams
Commercial systems such as HP OpenView, MicromuseNetCool, IBM Tivoli, CA Unicenter
Several open source systems - Big Brother(http://bb4.com/), Big Sister (http://bigsister.graeff.com/),Nagios (http://www.nagios.org/), and others
Displaying SNMP Data with NMSNagios
-
8/13/2019 Mahajan Security for Sp
72/188
7272722003, Cisco Systems, Inc. All rights reserved.SP Security
Source: http://www.nagios.org
p y g g
Alarms
TopologyNagios
Stations
RMONRemote MONitoring
-
8/13/2019 Mahajan Security for Sp
73/188
7373732003, Cisco Systems, Inc. All rights reserved.SP Security
g
RMON is a standard defining how remote probes oragents relay network traffic information back to a central
console Not as prevalent as SNMP or NetFlow - supported mainly
by commercial network management systems
Cisco Network Analysis Module-2 (NAM-2), ntop(http://www.ntop.org) are examples of RMON probes
Most RMON probes look at raw packets via SPAN/RSPANand generate statistics from observed traffic
Mini-RMON statistics available on Catalyst 6500/NAM-2,provides detailed stats from layer-2 access ports
Displaying RMONntop Examples
-
8/13/2019 Mahajan Security for Sp
74/188
7474742003, Cisco Systems, Inc. All rights reserved.SP Security
Source: http://www.ntop.org
p y g p p
DetailedAnalysis i.e. TTL
Value of RMON:Utilizing NAM-2 Gathered Data
-
8/13/2019 Mahajan Security for Sp
75/188
7575752003, Cisco Systems, Inc. All rights reserved.SP Security
Source: Cisco Systems, Inc.
g
IETF Standard
Provides great analysiswith NAM-2 collected data
Mini-RMON available aswell
BGPWhy Do We Care?
-
8/13/2019 Mahajan Security for Sp
76/188
7676762003, Cisco Systems, Inc. All rights reserved.SP Security
Large-scale network security events such asworms, DDoS attacks, etc. often produce side-effects visible in the global routing table
CorrelatingBGP information with other forms oftelemetry (NetFlow, SNMP, RMON, etc.) can beeffective in determining the true impact ofincidents
BGP ExampleSQL Slammer
-
8/13/2019 Mahajan Security for Sp
77/188
7777772003, Cisco Systems, Inc. All rights reserved.SP Security
Correlating NetFlow and Routing Data
-
8/13/2019 Mahajan Security for Sp
78/188
7878782003, Cisco Systems, Inc. All rights reserved.SP Security
Matching data collectedfrom different tools
How to Deploy BGP?
-
8/13/2019 Mahajan Security for Sp
79/188
7979792003, Cisco Systems, Inc. All rights reserved.SP Security
Start with open source tools: Zebra and Auagga
Zebra (http://www.zebra.org) and Quagga(http://www.quagga.net) are two open source BGP daemonswhich can log BGP updates for further analysis
Arbor Peakflow SP Traffic provides BGP visualization, trending,NetFlow traffic correlation, additional functionality(http://www.arbornetworks.com/products_sp.php)
RIBs/updates available from http://archive.routeviews.org/,http://www.ripe.net/ris/index.html, http://www.renesys.com
(commerical, useful monitoring tools/services for your ASN)
Syslog
-
8/13/2019 Mahajan Security for Sp
80/188
8080802003, Cisco Systems, Inc. All rights reserved.SP Security
De facto logging standard for hosts, network infrastructuredevices, supported in all routers and switches
Many levels of logging detail availablechoose the level(s)
which are appropriate for each device/situation Logging of ACLs is generally contraindicated due to CPU
overheadNetFlow provides more info, doesnt max the box
Can be used in conjunction with Anycast and databases suchas MySQL (http://www.mysql.com) to provide a scalable, robustlogging infrastructure
Different facility numbers allows for segregation of log infobased upon device type, function, other criteria
Syslog-ng from http://www.balabit.com/products/syslog_ng/adds a lot of useful functionalityHOW-TO located athttp://www.campin.net/newlogcheck.html
Configuring Syslog on a Router
-
8/13/2019 Mahajan Security for Sp
81/188
8181812003, Cisco Systems, Inc. All rights reserved.SP Security
Syslog data is invaluable
Attack forensics
Day to day events and debugging To log messages to a syslog server host,
use the logging global configuration command
logging host
logging trap level
To log to internal buffer use:
logging buffered size
Ensure timestamps
service timestamps log
Benefits of Deploying Syslog
-
8/13/2019 Mahajan Security for Sp
82/188
8282822003, Cisco Systems, Inc. All rights reserved.SP Security
Syslog data can be available from a centralizedSysLog server(s) as well as routers local buffer
Deploy on routers, switches, firewall, IPSsensors and other network elements to get aholistic picture
Analysis tools available such as Cisco MARS,SEC, ModLogAn and others
SysLog Server such as Kiwi and syslog-ng
Network Time Protocol
-
8/13/2019 Mahajan Security for Sp
83/188
8383832003, Cisco Systems, Inc. All rights reserved.SP Security
Synchronize time across all devices
When security event occurs, data must haveconsistent timestamps
From external time source
Upstream ISP, Internet, GPS, atomic clockFrom internal t ime source
Router can act as stratum 1time source
ntp source loopback0
ntp server 10.1.1.1 source loopback0
Benefits of Deploying NTP
-
8/13/2019 Mahajan Security for Sp
84/188
8484842003, Cisco Systems, Inc. All rights reserved.SP Security
Very valuable on a global network with networkelements in different time zones
Easy to correlate data from a global or a sizablenetwork with a consistent time stamp
NTP based timestamp allows to trace security
events for chronological forensic work
Any compromise or alteration is easy to detectas network elements would go out of sync with
the main clock
Packet Capture
-
8/13/2019 Mahajan Security for Sp
85/188
8585852003, Cisco Systems, Inc. All rights reserved.SP Security
Sometimes, theres just no substi tute for looking at the packetson the wire
SPAN/RSPAN/ERSPAN allow packet capture from Catalystswitches; ip packet export allows packet capture from routers
Open source tools such as tcpdump, snoop, Ethereal(http://www.ethereal.com) on free *NIX or Windows allow
inexpensive packet-capture solutions to be bui lt and deployed
Commercial tools such as Cisco NAM-2, NAI Sniffer/DistributedSniffer, Wandel and Goltermann available
Use macroanalytical telemetry such as SNMP, NetFlow, RMONto guide your use of microanalytical telemetry (i.e., packetcapture)
Packet Capture Examples
-
8/13/2019 Mahajan Security for Sp
86/188
8686862003, Cisco Systems, Inc. All rights reserved.SP Security
Source: http://www.ethereal.com, Cisco Systems, Inc.
Wealth ofinformation, L1-L7
raw data foranalysis
How to Use Packet Capture
-
8/13/2019 Mahajan Security for Sp
87/188
8787872003, Cisco Systems, Inc. All rights reserved.SP Security
Mainly a reactionarytool
Generally a reaction after finding out that there is an anomaly
Used in telemetry duringthe security eventNeed to know where to capture the packet.
Sometimes, the same packet needs to be captured in mult ipleplaces
Wealth of information
Informs what type of outbreak one is observing on thenetwork
Provides raw data for further analysis
Helps by providing information on how to bring thesafeguards for short term and long tem mitigation
OkayTell Me Where to Start From?
-
8/13/2019 Mahajan Security for Sp
88/188
8888882003, Cisco Systems, Inc. All rights reserved.SP Security
1. NetFlow enablement on the network elements
2. NetFlow data correlation and analysis
3. SNMP / RMON [SNMP more prevalent]
1. CPU / Memory util
2. Link usage and display with MRTG4. SysLog collection and analysis
5. Monitoring to Routing, DNS queries, etc. [BGP, DNS]
6. Local and remote packet capture facili ty [Most have ittoday with sniffer, ethereal]
-
8/13/2019 Mahajan Security for Sp
89/188
892003, Cisco Systems, Inc. All rights reserved.SP Security
The Next Steps-Best Practice Techniques
SP network security system cycle
-
8/13/2019 Mahajan Security for Sp
90/188
9090902003, Cisco Systems, Inc. All rights reserved.SP Security
Secure
Monitor
Test
Improve SecurityPolicy
Stage 1: Secure
Stage 2: Monitor
Stage 3: Test
Stage 4: Improve
Security Best Practices - Overview
-
8/13/2019 Mahajan Security for Sp
91/188
9191912003, Cisco Systems, Inc. All rights reserved.SP Security
Define a Security Policyand the requiredprocedures to enforce it
this should include roles, responsibil ities, customer contacts,etc.
Create an Incident Response Team
should work in conjunction with the NOC/SOC
Establish a Relationshipwith other relevantorganizations
PSIRTs, CERTs, NSPs, and peering SPs
Security Best Practices Overview (cont)
-
8/13/2019 Mahajan Security for Sp
92/188
9292922003, Cisco Systems, Inc. All rights reserved.SP Security
Design and Implement Services with Securityin mind
Secure the infrastructure following a Modulardesign
Focus on the most cr itical areas first
Define a solid incident handling ProcedurePreparation
Identification
Classification
Traceback
Reaction
Post Mortem
Procedure : Preparation
Know the enemy
-
8/13/2019 Mahajan Security for Sp
93/188
9393932003, Cisco Systems, Inc. All rights reserved.SP Security
Know the enemy
Understand what drives the miscreants
Understand their techniques
Create the security team and planWho handles security during an event? Is it thesecurity folks? The networking folks?
A good operational security professional needs to be across between the two: silos are useless
Harden the devices
Prepare the tools
Network telemetry
Reaction tools
Understand performance characteristics
Preparation
-
8/13/2019 Mahajan Security for Sp
94/188
Preparing the Network
-
8/13/2019 Mahajan Security for Sp
95/188
9595952003, Cisco Systems, Inc. All rights reserved.SP Security
Understanding your network is crit ical topreparation
What is normal? What is healthy?
Monitor important indexes
Bandwidthpeer, router, interface, application
Routinghijacking, instabil ity
CPUpunted traffic, show ip traffic
Traffic patternsby AS, prefixes, ports
Preparation
Preparing the Network
-
8/13/2019 Mahajan Security for Sp
96/188
9696962003, Cisco Systems, Inc. All rights reserved.SP Security
Secure the control plane
Routing protocol authentication, BGP TTL check, prefix-filtering
Secure the management plane
Disable unnecessary services
Secured and authenticated device access AAA, VTY/SNMP
ACLs, Out-of-band management
Secure the data plane
Anti-spoofing via strict/loose uRPF, infrastructure ACLs
AuditingLogging, AAA records, SNMP traps
Harden the Network
Preparation
The Old World: Network Edge
-
8/13/2019 Mahajan Security for Sp
97/188
9797972003, Cisco Systems, Inc. All rights reserved.SP Security
Core routers individually secured
Every router accessible from outside
outside outside
Core
telnet snmp
Preparation
The New World: Network Edge
-
8/13/2019 Mahajan Security for Sp
98/188
9898982003, Cisco Systems, Inc. All rights reserved.SP Security
outside outside
Core
Core routers individually secured PLUS
Infrastructure protection Routers generally NOT accessible from outside
telnet snmp
Preparation
The Old World: Router Perspective
-
8/13/2019 Mahajan Security for Sp
99/188
9999992003, Cisco Systems, Inc. All rights reserved.SP Security
Policy enforced at process level (VTY ACL,SNMP ACL, etc.)
Some early features such as ingress ACL usedwhen possible
untrustedtelnet,
snmp
Attacks, junkRoute
rCPU
Preparation
The New World: Router Perspective
-
8/13/2019 Mahajan Security for Sp
100/188
1001001002003, Cisco Systems, Inc. All rights reserved.SP Security
Central policy enforcement, prior to processlevel
Granular protection schemes
On high-end platforms, hardwareimplementations
untrusted
telnet,snmp
Attacks, junkRouterCPU
Pro
tection
Preparation
ASIC-Based Platform: Main Components
-
8/13/2019 Mahajan Security for Sp
101/188
1011011012003, Cisco Systems, Inc. All rights reserved.SP Security
Forwarding/Feature
ASIC Cluster
ASICsSupporting
CPU
Receive Path PacketsRoute
Processor
CPU
Ingress Packets Forwarded PacketsTo Fab to Other
Line Cards
Punte
dPackets
RAW Queue(s)Also Called CPU
Queue(s) and Punt
Queue(s)
Packets Bound for
the LC CPU or RP
Preparation
Data Plane
-
8/13/2019 Mahajan Security for Sp
102/188
1021021022003, Cisco Systems, Inc. All rights reserved.SP Security
Forwarding/Feature
ASIC Cluster
ASICsSupporting
CPU
Receive Path PacketsRouteProcessor
CPU
Ingress Packets Forwarded PacketsTo Fab to Other
Line Cards
Punte
dPackets
Data Plane
AllPackets
Forwarded Through
the Platform
Data Plane
Preparation
Control Plane
-
8/13/2019 Mahajan Security for Sp
103/188
1031031032003, Cisco Systems, Inc. All rights reserved.SP Security
Forwarding/Feature
ASIC Cluster
ASICsSupporting
CPU
Receive Path PacketsRouteProcessor
CPU
Ingress Packets Forwarded PacketsTo Fab to Other
Line Cards
Punte
dPackets
Most
Control Plane PacketsGo to the RP
Control Plane
Control Plane
ARP, BGP, OSPF, and
Other Protocols that Glue
the Network Together
Preparation
Management Plane
-
8/13/2019 Mahajan Security for Sp
104/188
1041041042003, Cisco Systems, Inc. All rights reserved.SP Security
Forwarding/Feature
ASIC Cluster
ASICsSupporting
CPU
Receive Path PacketsRouteProcessor
CPU
Ingress Packets Forwarded PacketsTo Fab to Other
Line Cards
Punte
dPackets
AllManagement
Plane Traff ic
Goes to the RP
Management Plane
Management PlaneTelnet, SSH, TFTP, SNMP,
FTP, NTP, and Other
Protocols Used to
Manage the Device
Preparation
Preparing the NetworkInfrastructure Protection
l et
-
8/13/2019 Mahajan Security for Sp
105/188
1051051052003, Cisco Systems, Inc. All rights reserved.SP Security
outside outside
Core
Techniques to secure your transit networks
Infrastructure ACLs, Receive ACLs, Control PlanePolicing
telnet snmp
Preparation
PacketFiltering Viewed Horizontally
-
8/13/2019 Mahajan Security for Sp
106/188
1061061062003, Cisco Systems, Inc. All rights reserved.SP Security
Spoofed Source Addresses
Customer Traffic
Pa
cketShield
#
1
Pa
cketShield
#
2
Pa
cketShield
#
3
Pa
cketShield
#
4
Targeting the Infrastructure
Applicat ion FiltersPolicy Enforcement
Targeting the Customer
PacketFilteringRemember to Filter the Return Path
-
8/13/2019 Mahajan Security for Sp
107/188
1071071072003, Cisco Systems, Inc. All rights reserved.SP Security
Spoofed Source Addr.
Denied Apps Out
Ingress
PacketShield
#
1
Ingress
PacketShield
#
2
Ingress
PacketShield
#
3
Ingress
PacketShield
#
4
Targeting the Infra.
Applicat ion
FiltersPolicy
Enforcement
Targeting the Customer
Permit ted Customer Traffic
Spoofed Source Addresses
Egress
PacketShield
#
2
Egress
Packet
Shield
#
1
Permit ted Customer Traffic
Infrastructure Protection Tools
Infrastructure ACLs (iACLs)Originally the only approach
-
8/13/2019 Mahajan Security for Sp
108/188
1081081082003, Cisco Systems, Inc. All rights reserved.SP Security
Infrastructure ACLs (iACLs)Originally, the only approach
Create policies (ACLs or MQC) for control plane traffic to block all unwantedIP traffic destined to the core
Applied to ALL ingress portaffects ALL traffic (control anddata plane)
Receive Path ACLs (rACLs)The first step
Create ACLs to block unwanted IP traffic destined to the core
Global (single) configuration affects all receive path packets
Only affects control plane traffic
Only available for Cisco 12000 and Cisco 7500 routers
Control Plane Policing (CoPP)The newest approach
Extends rACLs by adding Modular QoS CLI (MQC) policing
Modify input path to split control and data plane traffic priorto input feature application
Old
New
Control Plane Policing Deployment Policies
Define Service Policy
-
8/13/2019 Mahajan Security for Sp
109/188
1091091092003, Cisco Systems, Inc. All rights reserved.SP Security
Start with a simplistic policy that will notdisrupt network operations
For critical, important, and normal traffictypes, conform actions are transmit
For undesirable traffic, all actions areunconditionally drop regardless of rate
For default traffic, rate-limit the amount oftraffic permitted above a certain bps
Modify the policy over time as more
confidence is gained in trafficratesparticularly for critical traffic
A very low rate might discard necessarytraffic, whereas a high rate might allowthe Route Processor to be inundated with aflood of non-critical packets
The appropriate rates are dependent onplatform capabilities and CPU capacity
The appropr iate rates are typically site-specific as well, depending on localtopology and routing table size
Strive for constant improvementto keep pace with new attacks,and to cover new services
Basic Control Plane Policing Service Policy
DropTransmit 8,000Default
DropDrop 8,000Undesirable
TransmitTransmit 15,000Normal
TransmitTransmit 125,000Important
TransmitTransmit N/ACritical
ExceedAction
ConformAction
Rate (bps)TrafficClass
Hybrid Control Plane Policing Service Policy
DropTransmit 8,000DefaultDropDrop 8,000Undesirable
DropTransmit 15,000Normal
DropTransmit 125,000Important
TransmitTransmit N/ACritical
ExceedAction
ConformAction
Rate (bps)TrafficClass
ExampleOnly
Define Service Policy
Prepare the Tools
Sinkholes
-
8/13/2019 Mahajan Security for Sp
110/188
1101101102003, Cisco Systems, Inc. All rights reserved.SP Security
Sinkholes are a versatile function of routing topology and hardenedinfrastructure
Infrastructure protectionSinkhole your core address space to minimize attack
Identification/classification
Monitor dark IP space for attack noise and worm/botnet scanning
Redirect attacks for analysis
Traceback
Use backscatter to trace spoofed hosts
Reaction
Divert attacks from the victim
Sinkholes
Preparation
Sink Hole Architecture
-
8/13/2019 Mahajan Security for Sp
111/188
1111111112003, Cisco Systems, Inc. All rights reserved.SP Security
Dedicated network component to attract traffic
Can also be used on demand : Pull the DoS/DDoS attackto the sinkhole
Sink Hole design can also incorporate scrubbers
To ISP
Backbone
To ISP
Backbone
To ISP
Backbone
SINKHOLEGATEWAY
TARGETROUTER?
SNIFFERS AND
ANALYZERS
Static ARP to
Target Router
Preparation
Sinkholes: Worm Detection
-
8/13/2019 Mahajan Security for Sp
112/188
1121121122003, Cisco Systems, Inc. All rights reserved.SP Security
Customer
May Also Use NetFlow
Data from Edge Routersfor This Purpose
Computer StartsScanning the Internet
SINKHOLE
NETWORK
SQL
Sinkhole Advertising
Bogon and Dark IP Space
Preparation
RANDOM DESTINATIONS
Backscatter Analysis of Attack Noise
IngressOther
-
8/13/2019 Mahajan Security for Sp
113/188
1131131132003, Cisco Systems, Inc. All rights reserved.SP Security
RANDOM DESTINATIONS
Target
gRoutersISPs
RANDOMSOURCES
RAND
OMSOURC
ES
Sink Hole Router
Preparation
Sink Hole Routers/Networks
-
8/13/2019 Mahajan Security for Sp
114/188
1141141142003, Cisco Systems, Inc. All rights reserved.SP Security
Target of
Attack
172.168.20.1 is attacked
172.168.20.0/24 targets network
Sink Hole Network
Preparation
Sink Hole Routers/Networks
Router advertises
-
8/13/2019 Mahajan Security for Sp
115/188
1151151152003, Cisco Systems, Inc. All rights reserved.SP Security
Target of
Attack
172.168.20.1 is attacked
172.168.20.0/24 targets network
Router advertises
172.168.20.1/32
Sink Hole Network
Preparation
Identifying Attacks
P ti l it i t l d d k IP
-
8/13/2019 Mahajan Security for Sp
116/188
1161161162003, Cisco Systems, Inc. All rights reserved.SP Security
Proactively monitor internal and dark IPspace
Build baselines for all traffic to exposeanomalous behavior
Util ize tools that enable network-widecorrelation of control and data planes (e.g.,CPU utilization, route stability, Netflow, etc..)
Notify your customers before they notify yoube proactive!
Identification
Changes to Network Baselines
SNMP data
-
8/13/2019 Mahajan Security for Sp
117/188
1171171172003, Cisco Systems, Inc. All rights reserved.SP Security
SNMP data
Unexplained changes in link utilization
Worms can generate a lot of traffic, sudden changes in linkuti lization can indicate an attack or a worm
Unexplained changes in CPU utilization
Attack/Worm scans can affect routers/switches resulting in
increased CPU both process and interrupt switched
Unexplained syslog entries
These are examples
Changes dont always indicate an attack/worm!Need to know whats normal to identify abnormal behavior
Identification
-
8/13/2019 Mahajan Security for Sp
118/188
Identification Examples
-
8/13/2019 Mahajan Security for Sp
119/188
1191191192003, Cisco Systems, Inc. All rights reserved.SP Security
BGP Flaps
Packet Size
CPU
Identification
Classification
ClassificationUnderstanding the type
-
8/13/2019 Mahajan Security for Sp
120/188
1201201202003, Cisco Systems, Inc. All rights reserved.SP Security
g ypof attack and what damage is it causing
You need to know what you (or yourcustomer) are getting hit with
Determines the rest of the incident response
What tools are available?
How can you do this without crashing a
router?
Classification
Classification
What type of attack has been identified?
-
8/13/2019 Mahajan Security for Sp
121/188
1211211212003, Cisco Systems, Inc. All rights reserved.SP Security
yp
Qualify and quantify the attack withoutjeopardizing services availability (e.g.,crashing a router):
What type of attack has been identif ied?Whats the effect of the attack on the victim(s)?
What next steps are required (if any)?
Classification
Ways to Classify DoS Attacks
-
8/13/2019 Mahajan Security for Sp
122/188
1221221222003, Cisco Systems, Inc. All rights reserved.SP Security
NetFlow: Flow information
ACLs (maybe with logging)
Backscatter
Sniffers
Anomaly Detector
Classification
Classifying DoS with ACLs
Requires ACLs to be in place (for detection)E d d IP l i 169
-
8/13/2019 Mahajan Security for Sp
123/188
1231231232003, Cisco Systems, Inc. All rights reserved.SP Security
Looks Like
Smurf Attack
Found:
Attack typeInterface
Extended IP access l ist 169
permit icmp any any echo (2 matches)
permit icmp any any echo-reply (21374 matches)
permit udp any any eq echo
permit udp any eq echo any
permit tcp any any established (150 matches)
permit tcp any any (15 matches)
permit ip any any (45 matches)
Watch performance impact
Used on demand, not pro-active
More used for checking than for detection
Some ASIC based LCs do not show counters
Classification
Traceback
TracebackFrom where is the attacki i ti ?
-
8/13/2019 Mahajan Security for Sp
124/188
1241241242003, Cisco Systems, Inc. All rights reserved.SP Security
originating?
Deterrence works. Traceback a few attacks totheir source, capture the attacker, prosecute,and lock them up and you will have a credibledeterrence.
Foundation Techniques
How to traceback to the edge of the Network?
How to continue traceback over the ISP ISPboundary
Traceback
Traceback
Traceback to network perimeter
Netflow
-
8/13/2019 Mahajan Security for Sp
125/188
1251251252003, Cisco Systems, Inc. All rights reserved.SP Security
Netflow
Backscatter
Packet accounting
IP Source
Retain attack data
Use to correlate inter-domain traceback
Required for prosecution
Deters future attacks
Clarify billing and other disputes
Post Mortem Analysis
Traceback
Tracing DoS Attacks
Non-spoofed: Technically trivial (IRR)
-
8/13/2019 Mahajan Security for Sp
126/188
1261261262003, Cisco Systems, Inc. All rights reserved.SP Security
But: Potentially tracing 100s of sources
Spoofed:IP Source Tracker: router by router
NetFlow:Automatic if analysis tools are installed
Manually: Router by router
ACLs:Has performance impact on some platformsMostly manual: Router by router
Backscatter technique:One step, fast, only for spoofed sources
Traceback
madrid% whois -h whois.arin.net 64.103.0.0
The Internet Routing Registry (IRR):Network Info
-
8/13/2019 Mahajan Security for Sp
127/188
1271271272003, Cisco Systems, Inc. All rights reserved.SP Security
OrgName: Cisco Systems, Inc.
OrgID: CISCOS-2
Address: 170 West Tasman DriveCity: San Jose
StateProv: CA
PostalCode: 95134
Country: US
NetRange: 64.100.0.0 - 64.104.255.255
CIDR: 64.100.0.0/14, 64.104.0.0/16
[...]
TechHandle: CAH5-ARIN
TechName: Huegen, Craig
TechPhone: +1-408-526-8104
TechEmail: [email protected]
OrgTechHandle: DN5-ORG-ARIN
OrgTechName: Cisco Systems, Inc.
OrgTechPhone: +1-408-527-9223
OrgTechEmail: [email protected]
Europe:whois.ripe.net
Asia-Pac:whois.apnic.net
USA and rest:whois.arin.net
ContactInformation
Traceback
madrid% whois -h whois.arin.net as109
OrgName: Cisco Systems Inc
The Internet Routing Registry (IRR):AS Info
-
8/13/2019 Mahajan Security for Sp
128/188
1281281282003, Cisco Systems, Inc. All rights reserved.SP Security
OrgName: Cisco Systems, Inc.
OrgID: CISCOS-2
Address: 170 West Tasman Drive
City: San JoseStateProv: CA
PostalCode: 95134
Country: US
ASNumber: 109
ASName: CISCOSYSTEMS
ASHandle: AS109
[]
TechHandle: MRK4-ARIN
TechName: Koblas, Michelle
TechPhone: +1-408-526-5269
TechEmail: [email protected]
OrgTechHandle: DN5-ORG-ARIN
OrgTechName: Cisco Systems, Inc.
OrgTechPhone: +1-408-527-9223
OrgTechEmail: [email protected]
Europe:whois.ripe.net
Asia-Pac:whois.apnic.net
USA and rest:whois.arin.net
Also, if domain known:abuse@domain
Traceback
Routers need Netflow enabled
Tracing Back with Netflow
Victim
-
8/13/2019 Mahajan Security for Sp
129/188
1291291292003, Cisco Systems, Inc. All rights reserved.SP Security
The flows come from serial 1
router1#sh ip cache flow | include Se1 Et0 11 0013 0007 159
. (lots more flows to the same destination)
router1#sh ip cef se1
Prefix Next Hop Interface
0.0.0.0/0 10.10.10.2 Serial1
10.10.10.0/30 attached Serial1
Victim
Find the upstream
router on serial 1
Continue on this router
Traceback
Trace-Back in One Step: ICMP Backscatter
IngressRouters
OtherISPs
iBGP U d t
-
8/13/2019 Mahajan Security for Sp
130/188
1301301302003, Cisco Systems, Inc. All rights reserved.SP Security
Target
randomsources
random
sources
Sink Hole Router
iBGP Updates: Drop Packets to Target
Traceback
Trace-Back in One Step: ICMP Backscatter
iBGP U d t
IngressRouters
OtherISPs
-
8/13/2019 Mahajan Security for Sp
131/188
1311311312003, Cisco Systems, Inc. All rights reserved.SP Security
Target
Sink Hole Router
with Logging
ICMP
Unreachables
ICMP
Unreachables
iBGP Updates: Drop Packets to Target
Traceback
Reaction - Incident Response Principles
-
8/13/2019 Mahajan Security for Sp
132/188
1321321322003, Cisco Systems, Inc. All rights reserved.SP Security
1. Dont Panic!2. Use A Mitigation Methodology.
3. Do not make drastic changes to thenetwork while the attack/worm isrampant.
Reaction
ISP Security Incident Response
Given that ISPs are transit networks, theway incident response happens is slightly
-
8/13/2019 Mahajan Security for Sp
133/188
1331331332003, Cisco Systems, Inc. All rights reserved.SP Security
way incident response happens is slightly
different from other networks. More effort is made to mitigate the effects
of the attack and trace it back upstreamto
its source.
Working with ISP Security Teams have
demonstrated six distinct phases in theway ISPs response to security incidents.
Reaction
Capacity as a Solution
To many sorts of attacks, a common
-
8/13/2019 Mahajan Security for Sp
134/188
1341341342003, Cisco Systems, Inc. All rights reserved.SP Security
y ,solution is to add more capacity
Not every problem gets solved this way
Think about collateral damage
Challenge is to solve all the problems inthe most economically feasible way
Reaction
Using IP Routing as a Security Tool
ISPs use routingto get packets fromcustomers to the Internet
-
8/13/2019 Mahajan Security for Sp
135/188
1351351352003, Cisco Systems, Inc. All rights reserved.SP Security
customers to the Internet
ISPs use routing to engineer trafficthrough their network
ISPs manipulate traffic to get the most outof their available bandwidth
What is the problem with manipulating
bad traffic to get the most out of availablebandwidth?
Reaction
Using IP Routing as a Security Tool
IP Routing can be used to manipulatetraffic on the ISPs network to:
-
8/13/2019 Mahajan Security for Sp
136/188
1361361362003, Cisco Systems, Inc. All rights reserved.SP Security
traffic on the ISPs network to:
Null0 (Black Hole)
Shunts
Sink HoleAnalysis Devices
Clean up Devices
Rate-Limit
Reaction
Using IP Routing as a Security Tool
-
8/13/2019 Mahajan Security for Sp
137/188
1371371372003, Cisco Systems, Inc. All rights reserved.SP Security
And it is all done via BGP.
Uses a BGP trigger router
One router on the network connected via an
iBGP route reflector that injects triggerupdate
The BGP Update packet
Reaction
Source Based Remote TriggeredBlack Hole Filtering
What do we have?
-
8/13/2019 Mahajan Security for Sp
138/188
1381381382003, Cisco Systems, Inc. All rights reserved.SP Security
Black Hole FilteringIf the destinationaddress equals
Null 0 we drop the packet.
RemoteTriggeredTrigger a prefix to equal Null 0 onrouters across the Network at iBGP speeds.
uRPFLooseCheckIf the sourceaddress equals Null0, we drop the packet.
Put them together and we have a tool to trigger
drop for any packet coming into the networkwhose source or destination equals Null 0!
Reaction
Customer Is DOSedBefore
A Peer B
Peer AIXP-W
-
8/13/2019 Mahajan Security for Sp
139/188
1391391392003, Cisco Systems, Inc. All rights reserved.SP Security
NOC
A
BC
D
E
FG
Target
Peer BIXP-E
Upstream
A
Upstream
B UpstreamB
POP
UpstreamA
Target istaken
out
Reaction
Customer Is DOSedAfter
A Peer B
Peer AIXP-W
-
8/13/2019 Mahajan Security for Sp
140/188
1401401402003, Cisco Systems, Inc. All rights reserved.SP Security
NOC
BC
D
E
FG
iBGP
Advertises
List of Black
HoledPrefixes
based on
SOURCE
ADDRESSES
Target
Peer BIXP-E
Upstream
A
Upstream
B UpstreamB
POP
UpstreamA
Reaction
Mitigation: Packet Scrubbing
Use the same BGP mechanism to redirecttraffic to scrubbing devices
-
8/13/2019 Mahajan Security for Sp
141/188
1411411412003, Cisco Systems, Inc. All rights reserved.SP Security
g
Activate redirection:
Redistribute host route for victim into BGPwith next-hop set to scrubbing devices
Route is propagated using BGP to all BGPspeaker and traffic redirected
When attack is over, BGP route can beremoved to return to normal operation
Reaction
Re-Directing Traffic from the Victim
Ingress
Routers
Other
ISPs
Keeps l ine to customer clear But cuts target host off completely
Di ith t !!!
-
8/13/2019 Mahajan Security for Sp
142/188
1421421422003, Cisco Systems, Inc. All rights reserved.SP Security
Target
Sink Hole Router:
Announces Route target/32
Discuss with customer!!!
Reaction
Guard: Packet Scrubbing
G dBGP A t
-
8/13/2019 Mahajan Security for Sp
143/188
1431431432003, Cisco Systems, Inc. All rights reserved.SP Security
GuardBGP Announcement
Target
1. Detect
2.Activate: Auto/Manual
3. Divert Only Targets Traffic
Non-Targeted Servers
Anomaly Detector, IDS,NetFlow
Reaction
Guard: Packet Scrubbing
GuardTraffic Destined
-
8/13/2019 Mahajan Security for Sp
144/188
1441441442003, Cisco Systems, Inc. All rights reserved.SP Security
4. Identify and Filterthe Malicious
Anomaly Detector, IDS,NetFlow,
6.NonTargeted
Traffic Flows
Freely
Target
Legitimate Traffic
to Target
5.Forward the Legitimate
Traffic Destined
to The Target
Non-Targeted Servers
Reaction
Post Mortem
Post MortemAnalyzing what just happened.
-
8/13/2019 Mahajan Security for Sp
145/188
1451451452003, Cisco Systems, Inc. All rights reserved.SP Security
What can be done to build resistance to theattack happening again
The step everyone forgets!
Was the DOS attack you just handled, the real threat?Or was it a smoke screen for something else that justhappened?
What can you do to make it faster, easier, less painful
in the future?
Post Mortem
Post Mortem
-
8/13/2019 Mahajan Security for Sp
146/188
1461461462003, Cisco Systems, Inc. All rights reserved.SP Security
Analyze data, trends and discuss attack
Fully history of attack(s), trends, etc..
Determine what, if anything, could have beendone to be better preparedmake appropriatemodifications if necessary
Post Mortem
Post Mortem Activities
Assess Incident Response Team Role
Full Representation?
-
8/13/2019 Mahajan Security for Sp
147/188
1471471472003, Cisco Systems, Inc. All rights reserved.SP Security
Single/centralized Point of Contact?
Review and Update Technical AND Operational Functionsand Procedures
Quantifyimpact of downtime
Financial
Operational
What can we do better next t ime?
Post Mortem
-
8/13/2019 Mahajan Security for Sp
148/188
1482003, Cisco Systems, Inc. All rights reserved.SP Security
The Next Steps-
Modular Application of Techniquesto SP Infrastructure
SP Network Infrastructure
PeersIXP
UpstreamDelivery Infrastructure
Data Center
Infrastructure Services
-
8/13/2019 Mahajan Security for Sp
149/188
1491491492003, Cisco Systems, Inc. All rights reserved.
SP Security
SP Backbone
BR
BR
Customer
Customer
Customer
Customer
Peering
NOC/SOC
Data Center
Infrastructure
Services
NOC/SOC
To POPs
POP POP
SP Functional Blocks
Network Operation Center
Security Operation Center
Network Operation Center
Security Operation Center
Module 4
-
8/13/2019 Mahajan Security for Sp
150/188
1501501502003, Cisco Systems, Inc. All rights reserved.SP Security
Data CenterData CenterCore Infras.
POP
Core Infras.
POP
PeeringPeering
Infrastructure ServicesInfrastructure Services
Shared Server-FarmShared Server-Farm
Dedicated Server-FarmDedicated Server-Farm
Data Center EdgeData Center Edge
DistributionDistributionCustomer
Premises
CustomerPremises
POP
Border
POP
BorderCPECPE
CPECPE
To POPsTo POPs
Module 1Module 2 Module 3
Why and the benefits of Modular Design
Systematic approach where security isimplemented throughout the network rather thanpoint products
-
8/13/2019 Mahajan Security for Sp
151/188
1511511512003, Cisco Systems, Inc. All rights reserved.SP Security
point products
Multiple layers of control provides higher security
It allows you to focus on the most critical areas
first
Facilitates the enforcement of the security policy
Contains the effects of attacks
More flexible to adapt to keep up with the alwayschanging threats
Module I - Typical POP & Core Infrastructure
DistributionDistribution
NetworkOperations
Center
D t
POP BorderMedium SpeedPOP Border
Medium Speed
-
8/13/2019 Mahajan Security for Sp
152/188
1521521522003, Cisco Systems, Inc. All rights reserved.SP Security
PeeringPeering
Other ISPs
Data
Center
POP BorderHigh Speed
POP BorderHigh Speed
3600/7200/7500
Channelised T1/E1
64K and nx64K circuits
Mixture of channelised
T1/E1, 56/64K and
nx64K circui ts
3640/7206/7507
Channelised T3/E3
T1 and E1 circui ts
Mixture of channelised
T3/E3 and T1/E1 circuits
ISP BackboneISP Backbone
OtherPOPs
POP and Core typical threats
Network Reconnaissance
-
8/13/2019 Mahajan Security for Sp
153/188
1531531532003, Cisco Systems, Inc. All rights reserved.SP Security
Denial of ServiceViruses and WormsIP Spoofing
Direct ExploitsRouting Disruption..
Module 1
Securing POP & Core Infrastructure Module
Harden routers and switches
Prevents DoS and Direct attacks to routers andswitches
-
8/13/2019 Mahajan Security for Sp
154/188
1541541542003, Cisco Systems, Inc. All rights reserved.SP Security
switches
Secure Dynamic Routing Exchange
Route Authentication, Route Filters preventattacks on the Dynamic Routing
Deploy packet fil ters
Mitigates DoS attacks, spoofed attacks,reconnaissance, viruses/worms and direct attacks
Attack detection, traceback andcontainment
Module 1
-
8/13/2019 Mahajan Security for Sp
155/188
Securing POP & Core Infrastructure ModuleSecure Dynamic Routing Exchange
Secure Routing Route Authentication
Plain text
HMAC MD5
-
8/13/2019 Mahajan Security for Sp
156/188
1561561562003, Cisco Systems, Inc. All rights reserved.SP Security
HMAC-MD5
Control Routing Updates
Dynamic Routing Filter on Customers
Dynamic Routing Filter to Peers
Dynamic Routing Filter from Peers
..
Module 1
Securing POP & Core Infrastructure ModuleDeploy packet filters
Packet Filters
RFC 2827 BCP 38 Packet Filtering (source
-
8/13/2019 Mahajan Security for Sp
157/188
1571571572003, Cisco Systems, Inc. All rights reserved.SP Security
g (
address spoofing)
BCP 38 Ingress Packet Filtering
Static BCP 38 Filtering
Unicast RPF (strict mode )
..
Module 1
Securing POP & Core Infrastructure ModuleAttack detection, traceback and containment
Netflow
Intrusion Detection System alerts
-
8/13/2019 Mahajan Security for Sp
158/188
1581581582003, Cisco Systems, Inc. All rights reserved.SP Security
Sink hole routers/networks
Unusual CPU load reported via SNMP
Circuits Saturated
BGP Session Flapping
Customer calls
.Module 1
Netflow with Anomaly Detection
NOC/SOC
IDS Mgt Tool
Collects Alerts
Securing POP & Core Infrastructure ModuleAttack detection, traceback and containment
-
8/13/2019 Mahajan Security for Sp
159/188
1591591592003, Cisco Systems, Inc. All rights reserved.SP Security
CPE
SP Core
Peers
PE
PE
CPE
Peers
The IDS uses Netflow to collect data on the flows through the network,looking for matches to known attacks while watching for newanomalies in the data flow
Module 1
Securing POP & Core Infrastructure ModuleAttack detection, traceback and containment
1. Apply temporary ACLs with log-inputand examine the logs
2. Query Netflows flow table
No changes to the router while the network is under attack;
-
8/13/2019 Mahajan Security for Sp
160/188
1601601602003, Cisco Systems, Inc. All rights reserved.SP Security
No changes to the router while the network is under attack;
passive monitoring Scripts can be used to poll and sample throughout the network
IDS products can plug into Netflow
Working on a MIB for SNMP access
3. Backscatter Traceback Technique
Reduced Operational Risk to the Network while traceback is inprogress.
Speedy Traceback Ability to hand off from one ISP to another potentially tracing
back to its source.
Module 1
Backscatter Traceback Technique
Dos Attack starts1
All edge routers withstatic route Test-Net
(192.0.2.0/24) tonull
0
Edge Routers
start droppingpackets to the/32
4
Securing POP & Core Infrastructure ModuleAttack detection, traceback and containment
-
8/13/2019 Mahajan Security for Sp
161/188
1611611612003, Cisco Systems, Inc. All rights reserved.SP Security
PE
Router AdvertisesBogus and
unallocatednetworks
171.68.19.1
Victim
0
Sink Hole configured withroute to the /32 under
attack with next-hop equalto the Test-Net
2
BGP Propagates
the update 3
ICMP Unreachablebackscatter willstart sending
packets tobogus/unallocated
nets
5
Module 1
Securing POP & Core Infrastructure ModuleAttack detection, traceback and containment
ACLsManual upload/dynamic upload
uRPFRemote trigger via BGP
-
8/13/2019 Mahajan Security for Sp
162/188
1621621622003, Cisco Systems, Inc. All rights reserved.SP Security
uRPF Remote trigger via BGP
CARManual upload or remote triggervia BGP
..
Module 1
Remote Triggered uRPF
Same as Backscatter
uRPF loose check
-
8/13/2019 Mahajan Security for Sp
163/188
1631631632003, Cisco Systems, Inc. All rights reserved.SP Security
SP Core
PE
PE
Traceback Technique butwith uRPF loose checkon all border routers
If source = null then drop
static to null also dropson destination
BGP Propagates
the update
Module 1
Remote Triggered CAR
Quality Policy
Pre-Configured Rate-
Limits Are Triggered
-
8/13/2019 Mahajan Security for Sp
164/188
1641641642003, Cisco Systems, Inc. All rights reserved.SP Security
SP Core
PE
PE
Propagation with BGP(QPPB) empowers CARto use updatestriggered by BGP. This
enables a networkprotocol to trigger therate limits on
source/destination
iBGPAdvertises
List of
Rate-Limited
Prefixes
Module 1
Module II - Secure Customer Premises
Secure deployment and
-
8/13/2019 Mahajan Security for Sp
165/188
1651651652003, Cisco Systems, Inc. All rights reserved.SP Security
provisioning Secure management and
configuration
Integrated Security at the CPE
Secure Provisioning and Deployment
Provisioning and deployment are the phases in which the devicesare the most vulnerable:
Not all devices come with secure defaults
-
8/13/2019 Mahajan Security for Sp
166/188
1661661662003, Cisco Systems, Inc. All rights reserved.SP Security
Initial configurations may include more items than needed forinitial setup (i.e. unnecessary services)
The protocols and applications used for initial configuration maynot be secure
Deployment may not include the authentication of the new device
Pre-configure the new device with a secure configurationprior to its deployment (consider even before shipping)
Once connected, use secure access for initial setup
For high volume deployments use a hierarchical managementsolution
Access Control\Authorization Using AAA
Module 2
Module III - Secure Data Center
ServicesModule
ServicesModule
ISPBackboneISPBackbone
ISPISP
-
8/13/2019 Mahajan Security for Sp
167/188
1671671672003, Cisco Systems, Inc. All rights reserved.SP Security
Shared CompartmentShared Compartment Dedicated CompartmentDedicated Compartment
EdgeDistributionEdgeDistribution
Content
Engine
Content
switch
Content
switchSSL
IDC Security Highlights
Core, Distribution, Access model
Resilience at layer 2 and 3
-
8/13/2019 Mahajan Security for Sp
168/188
1681681682003, Cisco Systems, Inc. All rights reserved.SP Security
Uses Scaling Modules
Provides Baseline Content Services
Access: Layer 2 VLAN separation
Distribution: Aggregate VLANs,
routing and layer 3 filtering
Core: Provides L3 connectivityModule 3
Secure Data Center Design
Spoof Mitigation
(D)DoS Rate-Limiting
Spoof Mitigation
(D)DoS Rate-Limiting
Stateful Packet FilteringStateful Packet Filtering
Host IDS LocalAttack
Mitigation
Host IDS LocalAttack
Mitigation
InfrastructureServices