Security today
WIDE University, 10/15/2004
Ruri Hiromi / Intec NetCore, Inc.
Index
• 1. Lecture overview
  ISPs today have to fight against various kinds of security attacks. In this lecture, a classification of the threats and basic principles for designing network topologies that protect against such attacks are described; then practical know-how on building the network and running it safely is discussed.
• 2. Sharing “security”
  – attack/threat classification
  – concerns about legal/political matters
  – Japanese situation (DSL carrier and ISP)
• 3. Consider ISP network
• 4. Supportive info
• 5. Movement at user side
  – security model
  – network design
  – consideration for the next generation network
• 6. Transition period
• 7. Exercise / Questions
Introduction, who I am
Name: Ruri Hiromi
Work for: AS2915/2713 (setting up an ISP) → AS9609 (setting up a DSL company) → AS18146 (setting up an R&D company)
Intec NetCore, Inc. (http://www.inetcore.com/e/index2.html), as a senior researcher.
Area: IPv6 R&D, mainly IPv6 security model; draft-kondo-quarantine-overview-01.txt
http://www.wide.ad.jp/project/security-j.html
E-Mail: [email protected]
Today’s goal
• Scope
  – Target: a large scale network, an ISP network
  – Network security
  – Next generation security model
  – Operational trend
• Out of scope
  – Target: home, SOHO (small/mid enterprise) network
  – Machine, device, data security
  – Firewall/IDS/IPS themselves
  – Virus checkers and other software techniques
  – Spam related things
  – Social engineering, human management
• Consider both IPv4 and IPv6 networks
  – A little bit focused on IPv6
Sharing “security”

Threats (1)
– Break into the system
– Falsification of data
– Data leakage
– Computer virus
– SPAM
– DoS
Threats (2)
Type / Variation chart. Complete this chart!

Type:
1. Break into the system
2. Falsification/leakage of data
3. Unsolicited Bulk e-Mail (SPAM)
4. Computer virus
5. DoS, DDoS (service interruption)

Variation (to be placed against the types above): spoof, smurf, account intrusion, bug attack, sniffing, port scan, tapping, virus, worm, unauthorised access, phishing, man in the middle attack, ARP and DHCP attacks, header manipulation and fragmentation, translation and tunneling mechanism, spyware, keylogger, bounce, sender fake, flooding, DNS fake, reconnaissance

Attacks reported by enterprises (from 2004 governmental report):
– Virus, worm
– 3rd party relay
– Phishing (web)
– Falsification of data, DB
– DoS attack
– Server break down
– IP/mail address fake
– Steal password
– Sniff, tapping
– Data leaking, unauthorized access
– Social engineering
– War dialing (modem scan)
– Data loss by natural disaster
– Abuse, complaint on web
– Other
Japanese telecommunication situation
• International
  – Convention on Cybercrime
• Regulations
  – Telecommunications Business/Service Law
  – Unauthorized computer access law
  – Law protecting personal information
  – Law protecting ISP rights for recompense
  – Law authorizing wiretaps in investigations involving organized crime
  – (SPAM act ← to be?)

Consider ISP network
Design
• Service estimation
• Budget, cost estimation
• Location (POP, NOC, IX, etc.)
• Line and topology
• IP address assignment
• Logical network topology
• Backup and redundancy
• Backdoor
• Equipment
• Management accounts, ...
• + security consideration! Define a network security policy

[Figure: An example of a large ISP in Japan; physical connection of the IPv6 network]
Inside ISP Network
[Figure: topology of the example AS9999: links to upstream/peering; User Service Segment (DNS, Mail, Radius); User-access Segment; User (ISP) Segment with downstream users and user ISPs; access provider]

Required treatment
[Figure: the same AS9999 diagram annotated with the treatments placed on its components: securing BGP (at both BGP-speaking borders), server protection, filtering, monitoring (on every segment), user management, secure provisioning, user education, operation management, device management, configuration, peering management, IDS/IPS, traffic shaping, load balancer]
Router/routing protection (1)
• Avoid incorrect configuration of routing and network interfaces
• Securing BGP
  – S-BGP
  – soBGP (Secure Origin BGP)
  – IRV (inter-domain validation) / AT&T Research
  – Secure Path Vector / CMU

Router/routing protection (2)
• Filtering
  – Bogons
  – Martians
  – AS path
  – Special cases?
Router/routing protection (3)
• BGP advertisement
  – Recognize your users, peers and private ASes, and which prefixes belong to them
  – RFC3682 GTSM (The Generalized TTL Security Mechanism): BGP TTL sanity check
  – MD5 check of BGP speakers
• ACL (access control list)

Router/routing protection (4)
• Traffic shaping, policing
• Unicast Reverse Path Forwarding (uRPF)
  – Discards packets whose source address is missing from, or violates, the routing table
  – Strict mode: checks the source address and the ingress interface against the routing table
  – Loose mode: discards the suspected packets, then propagates the discard information to other routers
• Triggered black hole filtering
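The following Python, added here and not part of the lecture, implements the strict and loose uRPF checks above against a constructed FIB (RFC 5737 prefixes, invented interface names, the hypothetical AS9999 of the diagram) and shows how a triggered black-hole route to Null0 combines with loose mode to drop a source everywhere at once.

```python
"""uRPF strict/loose-mode checks against a toy FIB (added example, not from
the lecture). The FIB is constructed for the hypothetical AS9999 of the
diagram, using RFC 5737 documentation prefixes and invented interface names."""
import ipaddress
from dataclasses import dataclass

NULL0 = "Null0"  # discard interface used by triggered black-hole routes


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # egress interface towards the prefix


FIB = [
    Route(ipaddress.ip_network("192.0.2.0/24"), "Gi0/1"),      # customer A
    Route(ipaddress.ip_network("198.51.100.0/24"), "Gi0/2"),   # customer B
    Route(ipaddress.ip_network("0.0.0.0/0"), "Se11/1/0"),      # default to upstream
    Route(ipaddress.ip_network("203.0.113.7/32"), NULL0),      # triggered black hole
]


def best_route(src):
    """Longest-prefix match for the source address; None if nothing matches."""
    addr = ipaddress.ip_address(src)
    matches = [r for r in FIB if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def _reachable(route, allow_default):
    # A source counts as reachable only via a non-discard route; as on IOS,
    # the default route does not count unless explicitly allowed.
    if route is None or route.interface == NULL0:
        return False
    if route.prefix.prefixlen == 0 and not allow_default:
        return False
    return True


def urpf_strict(src, ingress, allow_default=False):
    """Strict mode: the best route back to src must leave via the ingress
    interface. Suited to customer edges where routing is symmetric."""
    route = best_route(src)
    return _reachable(route, allow_default) and route.interface == ingress


def urpf_loose(src, allow_default=False):
    """Loose mode: any non-discard route to src suffices. Injecting a Null0
    route for a source (triggered black hole filtering) makes every
    loose-mode edge drop that source's packets."""
    return _reachable(best_route(src), allow_default)


if __name__ == "__main__":
    # Constructed packets: (source address, ingress interface)
    for src, ifc in [("192.0.2.10", "Gi0/1"), ("192.0.2.10", "Gi0/2"), ("203.0.113.7", "Se11/1/0")]:
        print(src, ifc, "strict:", urpf_strict(src, ifc), "loose:", urpf_loose(src, True))
```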
Router/routing protection (5)
• Authentication/authorization/accounting/certification
  – Authenticate all user access
  – Authenticate individual users
  – Disable/enable local accounts
  – Define privilege levels
  – No default password
  – No hopping to control ports

Filtering
• Filter traffic to a device
  – e.g. allow only BGP peers, and SNMP and ssh connections from the authorized segment
• Filter traffic through a device
• Route filter
• Filter on protocols/address/header fields
• Filter inbound/outbound
• Stateless packet filter
Example (URL block at router)
- In an effort to block URLs and websites, I have created the following service-policy 'block_sites':

    Policy Map block_sites
      Class NBAR_BLOCK
        police cir 100000 bc 2000 be 2000
          conform-action drop
          exceed-action drop
          violate-action drop

  The class-map NBAR_BLOCK is:

    Class Map match-any NBAR_BLOCK (id 10)
      Match protocol http host "*dcn.yahoo.co*"
      Match protocol http url "*default.ida*"
      Match protocol http url "*cmd.exe*"
      Match protocol http url "*root.exe*"
      Match protocol http host "*aboutclicker*"

- The service policy was applied on the serial interface to another AS.

    interface Serial11/1/0
     description "INTERNET-1st-LINK"
     ip address 1.1.1.1 255.255.255.252
     ip access-group UDP in
     ip access-group UDP out
     no ip redirects
     no ip proxy-arp
     ip nat outside
     no ip mroute-cache
     load-interval 30
     service-policy input block_sites
     service-policy output block_sites
     serial restart_delay 0
     no cdp enable
    end
Rate limits
• Control bandwidth per user
  – Turn down based on protocol, src/dst IP address, src/dst port, interface
  – Which direction: inbound/outbound/both?
  – Protocol = IP, ICMP, UDP/TCP
  – TCP flag status: SYN, SYN-ACK, RST
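As an added example (not from the lecture or the quoted router configuration), the following Python models the single-rate three-colour policer behind a `police cir <bps> bc <bytes> be <bytes>` statement and the conform/exceed/violate actions a per-user rate limit attaches to it; mapping the IOS parameters onto RFC 2697 CIR/CBS/EBS is an assumption of the model, and the packet trace is constructed.

```python
"""Single-rate three-colour policer (RFC 2697) modelling an IOS-style
'police cir <bps> bc <bytes> be <bytes>' statement. Added example, not from
the lecture; the mapping of the IOS parameters onto RFC 2697 CIR/CBS/EBS is
an assumption of this model."""


class SrTCM:
    def __init__(self, cir_bps, bc_bytes, be_bytes):
        self.rate = cir_bps / 8.0                # committed rate, bytes per second
        self.bc, self.be = bc_bytes, be_bytes    # committed / excess burst sizes
        self.tc, self.te = float(bc_bytes), float(be_bytes)  # buckets start full
        self.last = None

    def _refill(self, now):
        """Credit tokens for the elapsed time: fill the committed bucket first,
        spill the remainder into the excess bucket, discard what overflows."""
        if self.last is not None:
            tokens = (now - self.last) * self.rate
            to_c = min(tokens, self.bc - self.tc)
            self.tc += to_c
            self.te = min(self.be, self.te + tokens - to_c)
        self.last = now

    def colour(self, now, size):
        """Return 'conform', 'exceed' or 'violate' for a packet of `size` bytes."""
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return "conform"
        if self.te >= size:
            self.te -= size
            return "exceed"
        return "violate"


def police(policer, packets, actions):
    """Run constructed (timestamp, size) packets through a policer and return
    the (colour, action) pair for each one, in arrival order."""
    return [(c, actions[c]) for c in (policer.colour(t, s) for t, s in packets)]


# Actions from the quoted 'block_sites' policy: every matched packet is dropped.
BLOCK_ALL = {"conform": "drop", "exceed": "drop", "violate": "drop"}
# A typical per-user rate limit: forward within the burst allowance, drop violators.
RATE_LIMIT = {"conform": "transmit", "exceed": "transmit", "violate": "drop"}

if __name__ == "__main__":
    # Constructed burst: three 1500-byte packets at t=0, one more a second later.
    burst = [(0.0, 1500), (0.0, 1500), (0.0, 1500), (1.0, 1500)]
    for colour, action in police(SrTCM(100000, 2000, 2000), burst, RATE_LIMIT):
        print(colour, action)
```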
With other techniques
• SW/Quarantine network
  – For endpoint security
  – Mainly authenticated VLAN
• Load balancer
• Traffic shaper

Backup and backdoor
• Remote configuration backup
• Remote configuration restore
Redundancy
• Cold/hot standby
• Supporting protocols
• Always keep it managed!

Other services on router/switch
• DNS
• NTP
• SNMP
• Netflow, cflow, ...
• XML
• Syslog
Peering management
• Peering agreement
• Peering list
• Set your peering policy?

Configuration
• Take vulnerabilities into account
  – Stable, bug-fixed version of OS
  – Test/aging
• Keep backup files and your own backup method
Device management
• Equipment list
• Logical/physical network map
• Who is in charge of the device?

Server protection
• Appropriate daemons
• In the case of mail (3rd party relay)
  – Client settings by SMTP AUTH, POP before SMTP, checking envelope-from, etc.
  – List control (white, black, grey)
  – SPF
IDS/IPS
• For protection of the server segment
• As a user service
• For user support

Secure provisioning
• SNMP
  – SNMPv3
  – public community
  – Read/Write community
• Unify the procedure
Monitoring
• Server/router logs
• Traffic usage
• Link
• Operation

Operation management
• Record all operations
• NMS
• Operator training
  – Learn hot skills
• Up-to-date techniques/knowledge
User management
• Provide your network service information
• Education
  – AUP?
  – Security
  – Network manners

Issues still remain...
• Define your policy
  – IPsec-encrypted traffic?
  – Mobility?
  – Thin client/non-intelligent devices
Supportive information

RFC3871
• Operational Security Requirements for Large ISP IP Network Infrastructure
  – The appendix is useful for architecture design
Useful free tools for network operation
• Monitor
  – MRTG
  – BB
  – Ghost Route Hunter
• Configuration
  – Bogon list
• Coordination
  – IRR
  – Looking glass

Human communication
• Network operators group
• CERT/CC
• Registry
• IETF
• (government?, UN?)
• ML/web sites
  – https://puck.nether.net/mailman/listinfo/
  – http://www.cymru.com/
  – http://www.cidr-report.org/
  – http://www.potaroo.net/
From vendors
• http://www.juniper.net/techpubs/software/nog/
• Cisco ACL: http://www.cisco.com/warp/public/707/iacl.html
• http://www.ispbook.com/ (Cisco)

Movement at user side
Recent problems on firewalls
• Problems on border defence
  – Traffic volume and packet inspection
  – Encrypted end-to-end connections
  – Quick response and filtering rule updates
• Changes in the network technology/environment
  – Mobility
  – Home LAN
  – VPN
  – New applications

Firewall next generation?
The firewall checks policy on every client trying to get onto its network, then grants admission to use the network....
Post Firewall Models (1)
• Distributed firewall
  – Every node has a firewall function
  – No network border between “trusted” and “untrusted”
  – Exchange node information on the “trusted” network
  • AT&T, Euro6
• Moving firewall
  – Protects against DDoS in a firewall hierarchy
  – A firewall that inspects DDoS sends protection info to other firewalls to stop it
  • NTT
• FireBreak
  – Put a firebreak box at the edge of the firebreak ring
  – Traffic inspection and stop
  • Paul Francis @ Cornell University

[Figure: Moving firewall, from Resonant, NTT]
Post Firewall Models (2)
• Authenticated VLAN
  – VLAN group has a security policy
  – Dynamic VLAN-ID matching by security policy
  • Alcatel, etc.
• NAC (Network Admission Control)
  – Nodes have a security agent
  – 802.1x + VLAN + authentication + policy = self defence
  – Inspection, then separation
  • Cisco (and security vendors)

Post Firewall Models (3)
• Quarantine model
  – Each network segment has its own security policy
  – After quarantine, the node participates in a suitable network segment
  – The network policy server periodically checks node health
  – Once it goes wrong, the node is put in isolation
- Some ISPs provide security solutions, virus checking and other features, as a customer service
- ISPs consider applying this to their network, especially the customer segment
Quarantine model

Estimation (○ good, △ partial, × poor)

| | Quarantine model | Authenticated VLAN | Moving fw | Distributed fw |
|---|---|---|---|---|
| Recent applications | ○ | △ | △ | △ |
| Mobile nodes | ○ | ○ | × | △ |
| Flexibility for operation | ○ | △ | × | △ |
| Proxy, tunnel, encryption | △ | × | × | ○ |
| Bottleneck | ○ | △ | △ | ○ |
| Inner network security | ○ | ○ | × | △ |
| Security border | End node/network segment | Network segment | Network segment | End node |
| Layer | L2/3/4 | L2 | L2/3/4 | L3/4 |
| Applicability | LAN | LAN | WAN/Backbone | LAN |
Links
1. http://download.zonelabs.com/bin/free/jp/enterprise/overviewIntegrity.html
2. http://www.eurov6.org/
3. http://www.ntt.co.jp/news/news03/0302/030218.html
4. http://www.ind.alcatel.co.jp/technologies/i-vlan.html
5. http://www.cisco.com/japanese/warp/public/3/jp/solution/netsol/security/nac/

Transition period
IPv6 over IPv4 tunnel
Attach a tunnel server to your v4 network and you can reach the v6 world more easily.

Tunnel broker: an auto-configuration mechanism for setting up a tunnel between client and server
(1) Intermediate config
(2) Put the v4 address into the v6 address (6over4, 6to4, ISATAP, Teredo)
- authenticate client
- load balancing to other brokers
- dynamic DNS
- prefix advertisement
- notify DNS server address
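The following Python (an added example, not part of the lecture) decodes the IPv4 address that 6to4, Teredo and ISATAP embed in an IPv6 address and applies the consistency check a tunnel router or relay should make on decapsulated packets, as RFC 3964 recommends for 6to4; it goes a little beyond the slide by covering all three formats, and the addresses and the short bogon list are constructed for the example.

```python
"""Extract the IPv4 address embedded in 6to4, Teredo and ISATAP addresses and
apply the tunnel-ingress consistency check. Added example, not from the
lecture; addresses and the bogon list below are constructed for it."""
import ipaddress

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
TEREDO = ipaddress.ip_network("2001::/32")
ISATAP_IIDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")  # ::0:5efe / ::200:5efe
# Short Martian list for the example; a deployment would load a maintained
# bogon list (the lecture points at the bogon list under "configuration").
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def embedded_ipv4(v6):
    """Return (mechanism, embedded IPv4 as text) or None for other addresses."""
    addr = ipaddress.IPv6Address(v6)
    raw = addr.packed
    if addr in SIX_TO_FOUR:                        # 2002:WWXX:YYZZ::/48
        return "6to4", str(ipaddress.IPv4Address(raw[2:6]))
    if addr in TEREDO:                             # client IPv4 is XORed with 0xFFFFFFFF
        client = bytes(b ^ 0xFF for b in raw[12:16])
        return "teredo", str(ipaddress.IPv4Address(client))
    if raw[8:12] in ISATAP_IIDS:                   # interface id 0000:5efe:<IPv4>
        return "isatap", str(ipaddress.IPv4Address(raw[12:16]))
    return None


def is_bogon(v4):
    a = ipaddress.IPv4Address(v4)
    return any(a in net for net in BOGONS)


def tunnel_ingress_check(outer_v4_src, inner_v6_src):
    """Decision for a decapsulated packet: the IPv4 address embedded in the
    inner IPv6 source must be routable and must equal the outer IPv4 source;
    otherwise the inner source is being forged through the tunnel."""
    found = embedded_ipv4(inner_v6_src)
    if found is None:
        return "NOT_EMBEDDED"          # native-style address, other checks apply
    mechanism, v4 = found
    if is_bogon(v4):
        return "DROP_BOGON_EMBEDDED"
    if v4 != str(ipaddress.IPv4Address(outer_v4_src)):
        return "DROP_SOURCE_MISMATCH"
    return "ACCEPT"


if __name__ == "__main__":
    # Constructed packets: (outer IPv4 source, inner IPv6 source)
    for outer, inner in [("192.0.2.4", "2002:c000:0204::1"),
                         ("198.51.100.9", "2002:c000:0204::1"),
                         ("10.1.2.3", "2002:0a01:0203::1")]:
        print(outer, inner, embedded_ipv4(inner), tunnel_ingress_check(outer, inner))
```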
Transition docs
• Important to see and consider network design from the security point of view
• IETF v6ops
  – Transition scenarios
  – http://www.ietf.org/html.charters/v6ops-charter.html
• IPv6 Promotion Council
  – http://www.v6pc.jp/en/wg/transWG/index.html

Exercise/Questions
• 1. “Do you know your country’s regulation about network operation?”
  – Describe your country’s regulation.
• 2. “What is considered on security if an IP address has global reachability at the end site (customer side)?”
• 3. “How do you set your policy for P2P network/traffic, in the case of IPsec?”
• 4. “What is the problem/harm if we adopt the quarantine model at the customer segment?”