abilene update - internet2 operational security exercise 2006 january abilene update – joint techs...
TRANSCRIPT
Abilene Update
Joint Techs – Winter 2006
Albuquerque, NM

Steve Cotter
Director, Network Services
Internet2

Agenda
2006 January, Abilene Update – Joint Techs Winter 2006, Slide 2
• Abilene Overview
• Abilene Community
• Abilene Operational Security Exercise
• Abilene Network Security Monitoring
• Additional Info

Abilene Overview
• 10-Gbps ‘best effort’, over-provisioned IP network
• Current normal load ~2 Gbps; ~10 Gbps peak
• Carrier provisioned backbone λ’s (Q-Wave)
• ~4.8 9’s availability over past 12 months
• SONET backhaul available to connectors
• Dual stack IPv4/IPv6, native multicast, MPLS LSPs
• Purchasing 10 Mbps of IPv6 transit at PAIX
• IPv6: 56 Participants, 26 Connectors, 40 Peers (3 Federal, 27 International, 10 Experimental/Non-production)
• Network research facilitation (data + co-lo)
• Abilene Observatory project
• Extensive domestic and int’l R&E peering
• Cost recovery model motivates network utilization and bandwidth upgrade

Abilene Community
• 36 direct connections (OC-3c → 10 Gbps)
• 3 10 Gbps (10 GE) connections
• OC-192c SONET also supported
• 7 OC-48c connections & 3 GE connectors
• 24 connected at OC-12c (622 Mbps) or higher
• 242 Primary Participants – research universities and labs
• Newest additions: Ruth Lilly Health Education Center, City University of New York
• Expanded Access
• 134 Sponsored Participants - Individual institutions, K-12 schools, museums, libraries, research institutes
• 34 Sponsored Educational Group Participants - state-based education networks
See: http://abilene.internet2.edu/

Abilene Federal & Research Peerings

Abilene International Network Peerings

Abilene IPv6 Peerings

Abilene Operational Security Exercise
Background:
• One day long event, held in November 2005 in Indianapolis, Indiana
• Designed to initiate conversations on the Network Operation Center's (NOC) activities in their support of Abilene
Goals:
• This was not an audit – purpose was to gather information and produce a baseline document.
• Detailed document recently released to participants.
• A public document is also available.
For more info: Charles Yun, Internet2

Abilene Operational Security Exercise
Methodology:
• “Table top” exercise (talking, no flows initiated)
• Two scenarios, invented, refined, executed
    • DDoS attack
    • Router compromise with press/reporter investigation
Findings:
• Report identifies ~40 observations
• Patterns of activity emerged in the two scenarios, some expected and others not.
• Some processes were in place and followed, others need to be developed
• Some observations revealed policy questions that should be answered by Internet2 or the NOC

Abilene Operational Security Exercise
Lessons Learned:
• Well designed, detailed scenarios are important to respond to unexpected questions.
• Engineers (plural) need to be involved in the design *and* execution of the scenario.
• Make sure that every external “event” or “character” is represented by a real person. If someone is supposedly upset and sending email, have a real person start sending email… and then call a person’s cell phone.
• Test processes, not the cleverness of engineers.

Abilene Operational Security Exercise
Follow Up:
• I2 and NOC plan to initiate regularly occurring Abilene Operational Exercises
• Considering a *live* exercise
• Contemplating involving GigaPoPs/RONs and our international partners in the next one
• Start off with a similar baseline exercise and evolve into more complicated activities

Network Security Monitoring
• Installed Arbor Networks Peakflow tool in late Oct. ’05
• Covers 11 core routers, TransPAC2 router (temp), plus M5 router in ATL
• Allows I2, REN-ISAC and Global NOC to actively monitor the network for threat activity, e.g. DDOS, worms and other network events, and act upon those threats – not only across the backbone but also at affected members’ sites.
• Provide threat information and alerts to the community with the aim to strengthen defensive postures.
• I2 and REN-ISAC are participating in the Arbor Fingerprint Alliance, which provides the ability for all participating network service providers to share information regarding the fingerprints of active threat – permitting early warning regarding new/active threat.

Network Security Monitoring
• Capabilities:
    • Portal views of network traffic
    • Provides DDOS detection, classification, traceback, and mitigation as well as zero day anomaly detection, worm and infected host detection and reporting
• Public reports from the Traffic and Routing Analysis component (TR) are being developed and published at http://www.ren-isac.net/monitoring.html

Network Security Monitoring
For more info: Doug Pearson, REN-ISAC/IU NOC

Additional Info
Plug for RONs/Connectors BoF:
• Tuesday 6:00 – 8:00pm, Salon III
• Additional info on:
    • International Peerings
    • IPv6 routing/transit issues
    • Security
• Contact info:
scotter @ internet2 . edu
734.352.7024 (desk)
Ann Arbor, Michigan, USA