Security today - WIDE University, 10/15/2004


Page 1

Security today

10/15/2004, Ruri Hiromi / Intec NetCore, Inc.

([email protected])

Index

• 1. Lecture overview

ISPs today have to fight various kinds of security attacks. In this lecture, a classification of the threats and the basic principles of designing network topologies to protect against such attacks are described; then practical know-how on how to build the network and run it safely is discussed.

• 2. Sharing “security”
– attack/threat classification
– concerns about legal/political matters
– Japanese situation (DSL carrier and ISP)

• 3. Consider ISP network

• 4. Supportive info

• 5. Movement at user side
– security model
– network design
– consideration for the next generation network

• 6. Transition period

• 7. Exercise / Questions

Page 2

Introduction, who I am

Name: Ruri Hiromi
Work for: AS2915/2713 (setting up an ISP) → AS9609 (setting up a DSL company) → AS18146 (setting up an R&D company)

Intec NetCore, Inc. (http://www.inetcore.com/e/index2.html), as a senior researcher.

Area: IPv6 R&D, mainly the IPv6 security model; draft-kondo-quarantine-overview-01.txt

http://www.wide.ad.jp/project/security-j.html

E-Mail: [email protected]

Today’s goal

• Scope
– Target: a large-scale ISP network
– Network security
– Next-generation security model
– Operational trend

• Out of scope
– Target: home, SOHO (small/mid enterprise) network
– Machine, device and data security
– Firewall/IDS/IPS themselves
– Virus checkers and other software techniques
– Spam-related things
– Social engineering, human management

• Consider both IPv4 and IPv6 networks
– A little bit focused on IPv6

Page 3

Sharing “security”

Threats (1)

– Break into the system
– Falsification of data
– Data leakage
– Computer virus
– SPAM
– DoS

Page 4

Threats (2)

[Chart: a “Type / Variation” matrix, with the instruction “Complete this chart!”]

Types:
1. Break into the system
2. Falsification/leakage of data
3. Unsolicited Bulk e-Mail (SPAM)
4. Computer virus
5. DoS, DDoS (service interruption)

Variations listed on the chart: spoof, smurf, account intrusion, bug attack, port scan, sniffing, tapping, virus, worm, unauthorised access, phishing, man-in-the-middle attack, ARP and DHCP attacks, header manipulation and fragmentation, translation and tunneling mechanisms, reconnaissance, spyware, keylogger, bounce, sender fake, flooding, DNS fake.

Attacks reported by enterprises (from a 2004 governmental report):
– Virus, worm
– 3rd party relay
– Phishing (Web)
– Falsification of data, DB
– DoS attack
– Server break down
– IP/mail address fake
– Steal password
– Sniff, tapping
– Data leaking
– Unauthorized access
– Social engineering
– War dialing (modem scan)
– Data loss by natural disaster
– Abuse, complaint on web
– Other

Page 5

Japanese telecommunication situation

• International
– Convention on Cybercrime

• Regulations
– Telecommunications Business/Service Law
– Unauthorized computer access law
– Law protecting personal information
– Law protecting ISP rights for recompense
– Law authorizing wiretaps in investigations involving organized crime
– (SPAM act ← to be?)

Consider ISP network

Page 6

Design

• Service estimation
• Budget, cost estimation
• Location (POP, NOC, IX, etc.)
• Line and topology
• IP address assignment
• Logical network topology
• Backup and redundancy
• Backdoor
• Equipment
• Management accounts, ...
• + security consideration! Define a network security policy

An example of a large ISP in Japan

[Figure: physical connection of the IPv6 network]

Page 7

Inside ISP Network

[Diagram: AS9999 with a User Service-Segment (DNS, Mail, Radius), a User-access-Segment (access provider, end users), a User(ISP)-Segment (downstream ISPs), and a link to upstream/peering]

Required Treatment

[Same diagram, annotated with the treatment required at each point:]
– Securing BGP
– Filtering
– Monitoring
– Server protection
– User management
– Secure provisioning
– User education
– Operation management
– Device management
– Configuration
– Peering management
– IDS/IPS
– Traffic shaping
– Load balancer

Page 8

Router/routing protection (1)

• Avoid incorrect configuration of routing and network interfaces

• Securing BGP
– S-BGP
– so-BGP (Secure Origin BGP)
– IRV (inter-domain validation) / AT&T Research
– Secure Path Vector / CMU

Router/routing protection (2)

• Filtering
– Bogons
– Martians
– AS path
– Special cases?

Page 9

Router/routing protection (3)

• BGP advertisement
– Recognize your users, peers and private AS numbers, and which prefix each may announce
– RFC3682 GTSM (The Generalized TTL Security Mechanism): BGP TTL sanity check
– MD5 check of BGP speakers

• ACL (access control list)
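To make the route-filtering points on this slide and the previous one concrete, here is an added Python example (not from the slides) that applies bogon, prefix-length, AS-path and per-customer checks to a BGP announcement, plus the GTSM TTL test from RFC 3682. The bogon list is a constructed subset, and the ASNs and prefixes are documentation/private values chosen for the example.

```python
import ipaddress

# Constructed bogon/martian subset for illustration (RFC 1918, loopback, link-local,
# multicast, class E). Operators load the full, current list from a maintained source
# such as the Team Cymru bogon list rather than hard-coding it.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]
MIN_PREFIX_LEN = 8     # reject absurdly short aggregates
MAX_PREFIX_LEN = 24    # reject more-specifics longer than /24
MAX_AS_PATH_LEN = 50   # reject pathologically long AS paths


def is_private_asn(asn):
    """RFC 6996 private-use ASN ranges (16-bit and 32-bit)."""
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294


def check_announcement(prefix, as_path, peer_asn, customer_prefixes=None):
    """Decide whether to accept a BGP announcement received from a peer.

    prefix            announced NLRI, e.g. "203.0.113.0/24"
    as_path           list of ASNs, left-most is the neighbour that sent it
    peer_asn          the ASN the session was configured with
    customer_prefixes for a customer session: the prefixes that customer is
                      registered to originate; anything else is rejected
    Returns (accept: bool, reason: str).
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if any(net.overlaps(b) for b in BOGONS):
        return False, "bogon/martian prefix"
    if net.prefixlen < MIN_PREFIX_LEN:
        return False, "prefix too short"
    if net.prefixlen > MAX_PREFIX_LEN:
        return False, "prefix too specific"
    if not as_path or as_path[0] != peer_asn:
        return False, "first AS in path is not the peer"
    if len(as_path) > MAX_AS_PATH_LEN:
        return False, "AS path too long"
    if any(is_private_asn(a) for a in as_path):
        return False, "private ASN in path"
    if customer_prefixes is not None:
        allowed = [ipaddress.ip_network(p) for p in customer_prefixes]
        if not any(net.subnet_of(a) for a in allowed):
            return False, "prefix not registered to this customer"
    return True, "accepted"


def gtsm_accept(ttl, hops=1):
    """RFC 3682 GTSM: the peer sends TTL 255, so a packet that crossed more than
    hops-1 routers arrives with a TTL too low to be genuine and is discarded."""
    return ttl >= 256 - hops


if __name__ == "__main__":
    # Constructed announcements from a hypothetical customer peer AS64496.
    for pfx, path in (("203.0.113.0/24", [64496]), ("10.1.0.0/16", [64496]),
                      ("203.0.113.0/24", [64496, 65000])):
        print(pfx, path, check_announcement(pfx, path, 64496, ["203.0.113.0/24"]))
    print("GTSM ttl=255:", gtsm_accept(255), " ttl=254:", gtsm_accept(254))
```

The order of the checks matters little for correctness, but putting the cheap prefix tests before the per-customer lookup keeps the common rejection path fast, and the customer prefix set is what lets the router "recognize which prefix" a given user may announce.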

Router/routing protection (4)

• Traffic shaping, policing

• Unicast Reverse Path Forwarding (uRPF)
– Discards packets whose source address is missing from, or violates, the routing table
– Checks the source address and incoming interface against the routing table (strict mode)
– Discards the suspected packet, then propagates discard info to other routers (loose mode)

• Triggered black hole filtering
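As an added illustration of the uRPF checks listed above (this code is not from the slides), the following Python models strict and loose mode against a small routing table; the table, interface names and sample packets are constructed for the example. The loose-mode check follows the RFC 3704 definition, where the source only needs a route back on some interface, and the code also shows why a default route has to be left out of the check.

```python
import ipaddress

# Constructed routing table for illustration: prefix -> interface the route points out of.
# Interface names and addresses are hypothetical.
ROUTING_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "Gi0/1",      # customer A
    ipaddress.ip_network("198.51.100.0/24"): "Gi0/2",   # customer B
    ipaddress.ip_network("0.0.0.0/0"): "Gi0/0",         # default route toward upstream
}

# Constructed sample packets: (source address, interface the packet arrived on)
PACKETS = [
    ("192.0.2.10", "Gi0/1"),     # customer A address on customer A's link: genuine
    ("192.0.2.10", "Gi0/2"),     # customer A address arriving from customer B: spoofed
    ("198.51.100.7", "Gi0/0"),   # customer B address arriving from upstream: spoofed
    ("203.0.113.5", "Gi0/0"),    # address with no route other than the default
]


def lookup(src):
    """Longest-prefix match on the constructed table; returns (prefix, interface) or None."""
    best = None
    for net, ifname in ROUTING_TABLE.items():
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best


def urpf_check(src_ip, in_if, mode="strict", allow_default=False):
    """Return True if the packet passes uRPF, False if it should be discarded.

    strict: the route back to the source must exist and point out the receiving interface
    loose:  the route back to the source must exist on any interface (RFC 3704)
    A default route is ignored unless allow_default is set: if 0.0.0.0/0 counted, every
    source would be 'routable' and loose mode would never discard anything.
    """
    src = ipaddress.ip_address(src_ip)
    match = lookup(src)
    if match is None:
        return False
    net, ifname = match
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "strict":
        return ifname == in_if
    if mode == "loose":
        return True
    raise ValueError("unknown uRPF mode: %s" % mode)


def filter_packets(packets, mode="strict", allow_default=False):
    """Apply uRPF to (src, in_if) tuples; return the packets that would be discarded."""
    return [(src, in_if) for src, in_if in packets
            if not urpf_check(src, in_if, mode, allow_default)]


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, "discards:", filter_packets(PACKETS, mode))
```

Running the block shows strict mode discarding both spoofed packets and the unrouted source, while loose mode discards only the unrouted source; with allow_default=True loose mode passes everything, which is why loose uRPF on an interface that carries a default route gives no protection unless the default is excluded.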

Page 10

Router/routing protection (5)

• Authentication / authorization / accounting / certification
– Authenticate all user access
– Authenticate individual users
– Disable/enable local accounts
– Define privilege levels
– No default password
– No hopping to control ports

Filtering

• Filter traffic to a device
– e.g. permit only BGP peers, and SNMP and ssh connections from an authorized segment
• Filter traffic through a device
• Route filter
• Filter on protocols / addresses / header fields
• Filter inbound / outbound
• Stateless packet filter
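As an added example (not from the slides) of filtering traffic destined to the device itself, the following Python models a stateless infrastructure ACL that permits BGP only from configured peers and SNMP/ssh only from an authorized management segment, with first-match semantics and an implicit deny at the end. The router addresses, peer addresses and management prefix are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical addressing for illustration only.
ROUTER_ADDRS = {ipaddress.ip_address("203.0.113.1")}                   # the device's own addresses
BGP_PEERS = {ipaddress.ip_address("203.0.113.2"),
             ipaddress.ip_address("198.51.100.9")}                      # configured BGP neighbours
MGMT_NET = ipaddress.ip_network("192.0.2.0/28")                          # authorized management segment
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: object            # a set of ip_address objects or an ip_network
    dport: Optional[int]   # destination port, None = any port


# Infrastructure ACL: evaluated top-down, first match wins, implicit deny at the end.
INFRA_ACL = [
    Rule("permit", "tcp", BGP_PEERS, 179),   # BGP only from configured peers
    Rule("permit", "udp", MGMT_NET, 161),    # SNMP only from the management segment
    Rule("permit", "tcp", MGMT_NET, 22),     # ssh only from the management segment
    Rule("permit", "icmp", ANY, None),       # keep ping/traceroute diagnostics working
    Rule("deny", "ip", ANY, None),           # everything else addressed to the device
]


def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """Return 'permit' or 'deny' for a packet addressed to the device itself.

    Packets whose destination is not one of the device's addresses are transit
    traffic; this ACL does not apply to them and 'transit' is returned instead.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if dst not in ROUTER_ADDRS:
        return "transit"
    for rule in acl:
        if rule.proto not in ("ip", proto):
            continue
        if src not in rule.src:          # works for both a set of addresses and a network
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "deny"   # implicit deny when no rule matched


if __name__ == "__main__":
    # Constructed packets: (proto, src, dst, dport)
    samples = [("tcp", "203.0.113.2", "203.0.113.1", 179),     # BGP from a real peer
               ("tcp", "198.51.100.50", "203.0.113.1", 179),   # BGP from a stranger
               ("tcp", "192.0.2.5", "203.0.113.1", 22),        # ssh from management
               ("tcp", "198.51.100.50", "203.0.113.1", 22)]    # ssh from the Internet
    for pkt in samples:
        print(pkt, "->", evaluate(INFRA_ACL, *pkt))
```

The "transit" result is the distinction the slide draws between filtering traffic to a device and filtering traffic through it: the same packet that is denied when aimed at the router's own address is simply forwarded when it is addressed to a customer.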

Page 11

Example (URL block at router)

- In an effort to block URLs and websites, I have created the following service-policy 'block_sites':

Policy Map block_sites
  Class NBAR_BLOCK
    police cir 100000 bc 2000 be 2000
      conform-action drop
      exceed-action drop
      violate-action drop

The class-map NBAR_BLOCK is:

Class Map match-any NBAR_BLOCK (id 10)
  Match protocol http host "*dcn.yahoo.co*"
  Match protocol http url "*default.ida*"
  Match protocol http url "*cmd.exe*"
  Match protocol http url "*root.exe*"
  Match protocol http host "*aboutclicker*"

- The service policy was applied on the serial interface to another AS.

interface Serial11/1/0
 description "INTERNET-1st-LINK"
 ip address 1.1.1.1 255.255.255.252
 ip access-group UDP in
 ip access-group UDP out
 no ip redirects
 no ip proxy-arp
 ip nat outside
 no ip mroute-cache
 load-interval 30
 service-policy input block_sites
 service-policy output block_sites
 serial restart_delay 0
 no cdp enable
end

Rate Limits

• Control bandwidth per user
– Turn down based on protocol, src/dst IP address, src/dst port, interface
– Which direction: inbound / outbound / both?
– Protocol = IP, ICMP, UDP/TCP
– Bit status: SYN, SYN-ACK, RST

Page 12

With other techniques

• SW / quarantine network
– For endpoint security
– Mainly authenticated VLAN

• Load balancer
• Traffic shaper

Backup and backdoor

• Remote configuration backup
• Remote configuration restore

Page 13

Redundancy

• Cold/hot standby
• Support protocol
• Keep it always managed!

Other services on router/switch

• DNS
• NTP
• SNMP
• Netflow, cflow, ...
• XML
• Syslog

Page 14

Peering management

• Peering agreement
• Peering list
• Set your peering policy?

Configuration

• Take care of vulnerabilities
– Stable, bug-fixed version of the OS
– Test / aging

• Keep a backup file and your own backup method

Page 15

Device management

• Equipment list
• Logical/physical network map
• Who is in charge of the device?

Server protection

• Appropriate daemon
• In case of mail (3rd party relay)
– Client settings by SMTP AUTH, POP before SMTP, checking envelope-from, etc.
– List control (white, black, gray)
– SPF
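The mail-relay bullets above can be turned into a concrete accept/reject decision. The following Python is an added example, not from the slides, that models SMTP AUTH, POP-before-SMTP, a block list and a minimal SPF check on the envelope-from domain at RCPT TO time. The domains, client addresses and SPF records are constructed and stand in for real DNS lookups; only the ip4/ip6/all SPF mechanisms are handled.

```python
import ipaddress

LOCAL_DOMAINS = {"example.net"}                       # hypothetical domains this MX delivers for
BLOCKLIST = {ipaddress.ip_address("192.0.2.200")}     # constructed "black list" entry
POP_BEFORE_SMTP_WINDOW = 900                          # seconds a POP login authorizes relaying

# Constructed SPF records standing in for DNS TXT lookups.
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:203.0.113.0/24 -all",
    "example.com": "v=spf1 ip4:198.51.100.5 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip):
    """Minimal SPF evaluation: 'pass', 'fail', 'softfail', 'neutral' or 'none'."""
    record = SPF_RECORDS.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue   # a, mx, include would need DNS and are out of scope here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"


def relay_decision(client_ip, envelope_from, rcpt_to, smtp_authed=False,
                   pop_logins=None, now=0):
    """Decide whether to accept a message at RCPT TO time.

    Mail for a local domain is accepted unless the client is block-listed or the
    envelope-from domain's SPF record yields 'fail'. Mail for any other domain is
    a relay request and is accepted only from an SMTP AUTH session or from an IP
    that logged in via POP within POP_BEFORE_SMTP_WINDOW seconds (pop_logins maps
    client IP -> time of last POP login; now is the current time, same units).
    Returns (accept: bool, reason: str).
    """
    ip = ipaddress.ip_address(client_ip)
    if ip in BLOCKLIST:
        return False, "client on block list"
    rcpt_domain = rcpt_to.rsplit("@", 1)[-1].lower()
    if rcpt_domain in LOCAL_DOMAINS:
        sender_domain = envelope_from.rsplit("@", 1)[-1].lower() if "@" in envelope_from else ""
        result = spf_check(sender_domain, client_ip)
        if result == "fail":
            return False, "SPF fail for envelope-from domain"
        return True, "local delivery (SPF %s)" % result
    if smtp_authed:
        return True, "relay via SMTP AUTH"
    last = (pop_logins or {}).get(client_ip)
    if last is not None and 0 <= now - last <= POP_BEFORE_SMTP_WINDOW:
        return True, "relay via POP-before-SMTP"
    return False, "relaying denied (3rd party relay)"


if __name__ == "__main__":
    # Constructed sessions: a stranger trying to relay, an authenticated customer,
    # and an inbound message whose sender IP is not authorized by the SPF record.
    print(relay_decision("192.0.2.77", "a@example.org", "b@other.example"))
    print(relay_decision("192.0.2.77", "a@example.org", "b@other.example", smtp_authed=True))
    print(relay_decision("192.0.2.1", "a@example.org", "u@example.net"))
```

The ordering encodes the slide's priorities: the block list is consulted first, relay is never granted on the strength of the envelope-from alone, and SPF is applied only to inbound mail, where an empty bounce sender (<>) simply yields "none" rather than a rejection.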

Page 16

IDS/IPS

• For protection of the server segment
• As a user service
• For user support

Secure provisioning

• SNMP
– SNMPv3
– public community
– Read/Write community

• Uniform procedure

Page 17

Monitoring

• Server/router logs
• Traffic usage
• Link
• Operation

Operation management

• Record all operations
• NMS
• Operator training
– Learn hot skills
• Up-to-date technique/knowledge

Page 18

User management

• Provide your network service information
• Education
– AUP?
– Security
– Network manners

Issues still remain…

• Define your policy
– IPsec-encrypted traffic?
– Mobility?
– Thin client / non-intelligent device

Page 19

Supportive information

RFC3871

• Operational Security Requirements for Large ISP IP Network Infrastructure
– The appendix is useful for architecture design

Page 20

Useful free tools for network operation

• Monitor
– MRTG
– BB
– Ghost Route Hunter

• Configuration
– Bogon list

• Coordination
– IRR
– Looking glass

Human communication

• Network operators group
• CERT/CC
• Registry
• IETF
• (government?, UN?)
• ML / web site
– https://puck.nether.net/mailman/listinfo/
– http://www.cymru.com/
– http://www.cidr-report.org/
– http://www.potaroo.net/

Page 21

From vendors

• http://www.juniper.net/techpubs/software/nog/
• Cisco ACL: http://www.cisco.com/warp/public/707/iacl.html
• http://www.ispbook.com/ (Cisco)

Movement at user side

Page 22

Recent problems with firewalls

• Problems of border defence
– Traffic volume and packet inspection
– Encrypted end-to-end connections
– Quick response and filtering rule updates

• Changes in the network technology/environment
– Mobility
– Home LAN
– VPN
– New applications

Firewall next generation?

The firewall checks policy on every client trying to get onto the net, and grants admission to use the network….

Page 23

Post Firewall Models (1)

• Distributed firewall
– Every node has firewall function
– No network border between “trusted” and “untrusted”
– Exchange node information on the “trusted” network
– AT&T, Euro6

• Moving firewall
– Protects against DDoS in a firewall hierarchy
– A firewall inspects the DDoS, then sends protection info to other firewalls to stop it
– NTT

• FireBreak
– Put a firebreak box at the edge of the firebreak ring
– Traffic inspection and stop
– Paul Francis @ Cornell University

Moving firewall

[Figure: from NTT Resonant]

Page 24

Post Firewall Models (2)

• Authenticated VLAN
– Each VLAN group has a security policy
– Dynamic VLAN-ID matching by security policy
– Alcatel, etc.

• NAC (Network Admission Control)
– Nodes have a security agent
– 802.1x + VLAN + authentication + policy = self defence
– Inspection, then separation
– Cisco (and security vendors)

Post Firewall Models (3)

• Quarantine model
– Each network segment has its own security policy
– After quarantine, the node is placed in a suitable network segment
– A network policy server periodically checks node health
– Once it goes wrong, the node is isolated

- Some ISPs provide security solutions (virus check and other features) as a customer service

- ISPs consider applying this to their network, especially the customer segment

Page 25

Quarantine model

Estimation

[Comparison table of the post-firewall models; ○ / △ / × ratings as on the original slide]

                            Quarantine model   Authenticated VLAN   Moving fw       Distributed fw
Recent application          ○                  △                    △               △
Mobile nodes                ○                  ○                    ×               △
Flexibility for operation   ○                  △                    ×               △
Proxy, tunnel, encryption   △                  ×                    ×               ○
Bottleneck                  ○                  △                    △               ○
Inner network security      ○                  ○                    ×               △
Security border             End node /         Network segment      Network segment End node
                            network segment
Layer                       L2/3/4             L2                   L2/3/4          L3/4
Applicability               LAN                LAN                  WAN/Backbone    LAN

Page 26

Links

1. http://download.zonelabs.com/bin/free/jp/enterprise/overviewIntegrity.html
2. http://www.eurov6.org/
3. http://www.ntt.co.jp/news/news03/0302/030218.html
4. http://www.ind.alcatel.co.jp/technologies/i-vlan.html
5. http://www.cisco.com/japanese/warp/public/3/jp/solution/netsol/security/nac/

Transition period

Page 27

IPv6 over IPv4 tunnel

Attach a tunnel server to your v4 network, and you can get into the v6 world more easily.

Tunnel broker: an auto-configuration mechanism for setting up a tunnel between client and server
(1) Intermediate config
(2) Put the v4 address into the v6 address (6over4, 6to4, ISATAP, Teredo)

- Authenticate the client
- Load balancing to other brokers
- Dynamic DNS
- Prefix advertisement
- Notify the DNS server address

Page 28

Transition docs

• Important to see and consider network design from the security point of view

• IETF v6ops
– Transition scenarios
– http://www.ietf.org/html.charters/v6ops-charter.html

• IPv6 Promotion Council
– http://www.v6pc.jp/en/wg/transWG/index.html

Exercise / Questions

• 1. “Do you know your country’s regulation about network operation?”
– Describe your country’s regulation.

• 2. “What is considered on security if an IP address has global reachability at the end site (customer side)?”

• 3. “How do you set your policy for P2P network/traffic, in the case of IPsec?”

• 4. “What is to be the problem/harm if we adopt the quarantine model at the customer segment?”