Mahajan Security for Sp

download Mahajan Security for Sp

of 188

Transcript of Mahajan Security for Sp

  • 8/13/2019 Mahajan Security for Sp

    1/188

    12003, Cisco Systems, Inc. All rights reserved.SP Security

    Security for SPsincluding-DDOS PreventionWireless Security

    Pravin Mahajan, [email protected]

    Mumbai

    22 Jan 2006

    SANOG 7

  • 8/13/2019 Mahajan Security for Sp

    2/188

    2222003, Cisco Systems, Inc. All rights reserved.SP Security

    Agenda

    Challenges

    Trends

    Threats

    The first step - Telemetry Next Steps

    Techniques

    Modular Application to SP infrastructure

    Wireless Security

    Case Study

  • 8/13/2019 Mahajan Security for Sp

    3/188

    32003, Cisco Systems, Inc. All rights reserved.SP Security

    Security Challenges

  • 8/13/2019 Mahajan Security for Sp

    4/188

    4442003, Cisco Systems, Inc. All rights reserved.SP Security

    Introduction: Emerging Threats

  • 8/13/2019 Mahajan Security for Sp

    5/188

    5552003, Cisco Systems, Inc. All rights reserved.SP Security

    Todays Reality

  • 8/13/2019 Mahajan Security for Sp

    6/188

    6662003, Cisco Systems, Inc. All rights reserved.SP Security

    Evolution of Availabil ity Threats

    InfrastructureAttacks

  • 8/13/2019 Mahajan Security for Sp

    7/188

    7772003, Cisco Systems, Inc. All rights reserved.SP Security

    Economic Impact of DDoS

    Source: CSI/FBI 2004 Computer Crime and Security Survey

    Dollar Amount of Losses by Type:

    DoS Is 2nd

    in ImpactAfter

    Viruses!

  • 8/13/2019 Mahajan Security for Sp

    8/188

    8882003, Cisco Systems, Inc. All rights reserved.SP Security

    The Internet today

    ISP Backbone

    POP 1

    Peering Links

    POP 2

    NOCBilling

    Provisioning

    WEBHosting

    NSP Backbone

    Peering Links

    Internet Links

    Customers

    NOCEngineering

    Provisioning

    The new Internet Economybrought new services and

    new players: NSPs, ASPs,etc

    E-commerce has becomepart of the business model.

    Customers now depend onthe Internet

    Attacks targeted tocustomers can and do affect

    the infrastructure.Availability is not just matterof duplicating gear.

  • 8/13/2019 Mahajan Security for Sp

    9/188

    9992003, Cisco Systems, Inc. All rights reserved.SP Security

    Collateral Damage

    Attacks targeted to a particular customerCAN and DO affect the infrastructure

    www.myweb.com

    Customers

    POP

    SPBackbone

    SP Network

    Upstream/Peers

    SP wont

    be out of it

  • 8/13/2019 Mahajan Security for Sp

    10/188

    1010102003, Cisco Systems, Inc. All rights reserved.SP Security

    Infrastructure Attacks

    a wake up call

    Now elements of the SP

    infrastructure are being directlytargeted too:

    Services: DNS, DHCP,SMTP, WWW, FTP

    Routers

    Routing

  • 8/13/2019 Mahajan Security for Sp

    11/188

    1111112003, Cisco Systems, Inc. All rights reserved.SP Security

    Role of Service Providers

    Protect their own infrastructure (from Customers

    and Internet)Help protect other peersProtect customers from attacks coming from theinfrastructure or other customers

    CustomerOther ISPs

    Data Plane

    Management Plane

    Attacks Attacks

    Attacks

  • 8/13/2019 Mahajan Security for Sp

    12/188

    122003, Cisco Systems, Inc. All rights reserved.SP Security

    Security Trends

  • 8/13/2019 Mahajan Security for Sp

    13/188

    1313132003, Cisco Systems, Inc. All rights reserved.SP Security

    Evolution of Security Challenges

    GLOBALInfrastructure

    Impact

    REGIONAL

    Networks

    MULTIPLENetworks

    INDIVIDUALNetworks

    INDIVIDUALComputer

    GLOBALGLOBALInfrastructureInfrastructure

    ImpactImpact

    REGIONALREGIONAL

    NetworksNetworks

    MULTIPLEMULTIPLENetworksNetworks

    INDIVIDUALINDIVIDUALNetworksNetworks

    INDIVIDUALINDIVIDUALComputerComputer

    Target and Scopeof DamageTarget and ScopeTarget and Scopeof Damageof Damage

    1980s1980s 1990s1990s TodayToday FutureFuture

    SecondsSeconds

    MinutesMinutes

    DaysDays

    WeeksWeeksFirst Gen

    Bootviruses

    First Gen

    Bootviruses

    Second GenMacroviruses

    Denial ofService

    Second GenMacroviruses

    Denial ofService

    Third Gen

    DistributedDenial of

    ServiceBlendedthreats

    Third Gen

    DistributedDenial of

    ServiceBlendedthreats

    Next Gen

    Flashthreats

    MassivebotdrivenDDoS

    Damagingpayloadworms

    Next Gen

    Flashthreats

    MassivebotdrivenDDoS

    Damagingpayloadworms

    Rapidly Escalating Threat to Businesses

  • 8/13/2019 Mahajan Security for Sp

    14/188

    1414142003, Cisco Systems, Inc. All rights reserved.SP Security

    Evolution of Security Strategies

    1990s 2000 2002

    Integrated securi tyRouters

    Switches

    Appliances

    Endpoints

    FW + VPN + IDS.

    Integratedmanagement

    software

    Evolving advanced

    services

    Security

    appliances

    Enhanced router

    security

    Separate Mgt

    software

    Basic router

    security

    Command l ine

    interface

    2003

    End-point posture

    enforcement

    Network device

    protection

    Dynamic/Secure

    connectivity

    Dynamic

    communicationbetween elements

    Automated threat

    response

    Self-Defending

    Networks

    2004

    Integrated

    SecurityDefense-

    In-Depth

    PointProducts

    Basic

    Security

    Multiple

    technologies

    Multiple

    locations

    Multipleappliances

    Little/no

    integration

  • 8/13/2019 Mahajan Security for Sp

    15/188

    1515152003, Cisco Systems, Inc. All rights reserved.SP Security

    Self-Defending Network

    IP + SecurityIP + Security

    2. Disparate

    Security

    Services

    2. Disparate

    Security

    Services

    3. ReactiveSecurity

    3. ReactiveSecurity

    CollaborativeSecuritySystems

    CollaborativeCollaborativeSecuritySecuritySystemsSystems

    AdaptiveSecurity

    AdaptiveAdaptiveSecuritySecurity

    1. Point

    Products

    1. Point

    ProductsIntegrated

    Security

    IntegratedIntegrated

    SecuritySecurity

  • 8/13/2019 Mahajan Security for Sp

    16/188

    1616162003, Cisco Systems, Inc. All rights reserved.SP Security

    Self-Defending Network:Controlling the Who, What, Where, When, Why and How

    Whoallows access to data only by authorized personnel

    Whatprevents data from ever being stored, copied, orprinted outside the secure environment

    Whereprovides layers of protection and auditing to ensure

    that data is only stored in a controlled location Whenusers process data normally, but the data never

    sleeps outside of the secure area

    Whyonly authorized personnel allowed to process data Howdata access is restricted, authenticated, and audited by

    the Self-Defending Network

  • 8/13/2019 Mahajan Security for Sp

    17/188

    1717172003, Cisco Systems, Inc. All rights reserved.SP Security

    Self Defending Networks

    From Point Products to Holistic System

    Security as an Option Security, INTEGRAL to the System

    Reduced complexity Easier deployment and

    management

    Security risks effectively

    mitigated Lower TCO

    Reduced complexityReduced complexity Easier deployment andEasier deployment and

    managementmanagement

    Security risks effectivelySecurity risks effectively

    mitigatedmitigated Lower TCOLower TCO

    Very complex environment Higher integration cost

    Security risks not mit igated

    Lower reliability

    Very complex environmentVery complex environment Higher integration costHigher integration cost

    Security risks not mit igatedSecurity risks not mit igated

    Lower reliabilityLower reliability

  • 8/13/2019 Mahajan Security for Sp

    18/188

    182003, Cisco Systems, Inc. All rights reserved.SP Security

    Threats

  • 8/13/2019 Mahajan Security for Sp

    19/188

    1919192003, Cisco Systems, Inc. All rights reserved.SP Security

    Introduction: The Basic ModelTypes of Communication:1) People Accessing

    Information Assets

    2) People Communicatingwith One and Other

    3) Machine to MachineCommunication

    Attack Targets:

    1) End-points Themselves

    2) Traffic Leaving

    3) Traffic in Flight

    4) Traffic Entering

    Policy Primitives:1) User / Service Identity

    2) Machine Security Posture

  • 8/13/2019 Mahajan Security for Sp

    20/188

    2020202003, Cisco Systems, Inc. All rights reserved.SP Security

    Introduction: Appropriate Risk Mitigation

    LEVEL OF RISK AVERSION

    DEPTH OFMITIGATIONSTRATEGY

    RISKTOLERANT

    RISKNEUTRAL

    RISKAVERSE

    Conclusion:Determine in advance the level of riskappropriate to the business

  • 8/13/2019 Mahajan Security for Sp

    21/188

    2121212003, Cisco Systems, Inc. All rights reserved.SP Security

    Worms and Viruses Virus:Malicious piece of software that typically

    propagates by attaching itself to some other

    form of communication. May exploit avulnerabili ty, but always requires humaninterventionto spread.

    Worm:Malicious piece of software that self-

    propagates. Always exploits a vulnerabili ty toinfect, and does not require human interventionto spread

  • 8/13/2019 Mahajan Security for Sp

    22/188

    2222222003, Cisco Systems, Inc. All rights reserved.SP Security

    Worms and Viruses: What Happens

    Injection code arrives

    at end point

    Can either self-execute by havinganother processexecute it , or can havea user execute it

    Some are completelyself-contained, someneed to pull downadditional propagationand payload code to

    operate

    InjectionPropagation

    PayloadCode replicates itself,

    and begins topropagate to otherhosts

    Propagation can bemulti -vector (Nimda)

    Mass propagation aretypically why thecasual user learns ofthese

    Can cause network-level Denial of Service(Blaster) due tomassive consumptionof resources

    Potential for mostdamaging portion ofinfection

    Historically, often not

    malicious (e.g.Slammer)

    Sometimes triggers areboot (Nachi), oftento further embed itselfin the system

    Increasingly, used toinstall backdoors ortrojans, and to patchthe injection vector

  • 8/13/2019 Mahajan Security for Sp

    23/188

    2323232003, Cisco Systems, Inc. All rights reserved.SP Security

    Recent Trends in Worms and Viruses

    Change in Purpose

    Shift from fame to profit

    Shift from being noisy to developing an asset

    with economic value Change in Expected Behavior

    Less Noisy

    More Sophisticated

    More Variants, smaller scope of each

  • 8/13/2019 Mahajan Security for Sp

    24/188

    2424242003, Cisco Systems, Inc. All rights reserved.SP Security

    A Birthday Message for You!!!

  • 8/13/2019 Mahajan Security for Sp

    25/188

    2525252003, Cisco Systems, Inc. All rights reserved.SP Security

    Anatomy of a Trojan

    Troj/LdPinch-BD is a password-stealing Trojan for Windowsplatforms

    Troj/LdPinch-BD steals information, including passwords,from various applications. Information stolen may include:

    computer details (OS version, memory, CPU etc.)

    available drives (drive letter, type and free space)

    hostname and IP address

    Windows folder volume information

    Passwords and confidential information from 'Protected Storage

    POP3 and IMAP server information, usernames and passwordsFTP usernames and passwords

    RAS dial-up settings

    The Trojan may steal information relating to applicationsincluding the following:

    Mirabilis ICQ

    Opera

    CuteFTP

    WS_FTP

    Windows Commander

    Total Commander

    The Trojan attempts to download and run further maliciouscode.

    Source: http://sophos.com/virusinfo/analyses/trojldpinchbd.html

  • 8/13/2019 Mahajan Security for Sp

    26/188

    2626262003, Cisco Systems, Inc. All rights reserved.SP Security

    Harvesting and Asset Development

    Creation of bot-netnetworks of thousands ofcompromised machines

    Used as:

    Launch points for otherattacks

    Spam-nets (sold or rented tospammers)

    DDoS For Hire networks (soldor rented to attackers)

    MACHINEHARVESTING

    INFORMATIONHARVESTING

    Harvesting identityinformation (account names,numbers, passwords,

    personal information, etc) Used for:

    Direct sale on the openmarket

    Compromise other networks

    Trust-enablement for fraud(traditional cons and newcons such as phishing)

  • 8/13/2019 Mahajan Security for Sp

    27/188

    2727272003, Cisco Systems, Inc. All rights reserved.SP Security

    Hacker

    Zombies

    Control Traffic

    Attack Traff ic

    Masters

    Victim

    (Web Server)

    Customers Premises:

    Server/FW/Switch/Router

    Flooded PipeISP Edge Router

    BotNet Operation

  • 8/13/2019 Mahajan Security for Sp

    28/188

    2828282003, Cisco Systems, Inc. All rights reserved.SP Security

    A New Class of Threat: Spyware

    SPYWARE: malware that obtains ortransmits personal information with

    intent to defraud*ADWARE: Spywares slightly more

    reputable cousin

    Recently, Spyware has exploded as asignificant security threat

    Can be thought of as a drive up

    virus skip the propagation step andcut out the middle-man!

    Enhanced Concern: Threat to controlof Confidential Information

    * From most recent draft of US Federal I-SPY act

  • 8/13/2019 Mahajan Security for Sp

    29/188

    2929292003, Cisco Systems, Inc. All rights reserved.SP Security

    Bundled in freeware/shareware

    Social Engineering

    Pestering pop-ups until user clicks yes

    Confusing or buried EULA terms

    User doesnt read EULA

    Drive-by Download

    Remote installation no physical access necessary Via Virus or Trojan

    How Spyware/Adware Gets Installed

  • 8/13/2019 Mahajan Security for Sp

    30/188

    3030302003, Cisco Systems, Inc. All rights reserved.SP Security

    Denial of Service: A Refresher

    Denial of Service (DoS) attacksgoal is to make serviceunavailable

    The method may target:

    A server

    A network device

    A network

    Can be associated with:

    Source IP spoofing

    Collateral Damage includes:Saturation of networkforwarding tables

    Exhausting processing power

    Clogging links

    mbehri ng

  • 8/13/2019 Mahajan Security for Sp

    31/188

    3131312003, Cisco Systems, Inc. All rights reserved.SP Security

    Denial Of Service: Whats Going On

    Basic Denial of Service

    Often L3/L4 based; SYN attacks common; spoofingcommon

    Relatively easy to block sources and stop

    Distributed Denial of Service

    Similar to a basic DoS in approach, but sources appear

    randomTens of thousands of broad-band connected machines in abot-net make it extremely difficult to track

    Often stopped by closing down control channels

    Emerging Threats:Application-layer Denial of ServiceEmail DoS

    Web Front-end DoS

    Web-Services and XML DoS

    IP Telephony DoS

  • 8/13/2019 Mahajan Security for Sp

    32/188

    3232322003, Cisco Systems, Inc. All rights reserved.SP Security

    DDoS For Hire, and DoS Extortion

    DDoS For Hire:Criminal service in which for a nominalfee, a site of your choosing can be taken off line

    DoS Extortion:Criminal enterprise in which web-sitesmust pay a protection fee to avoid being taken offline,typically during a critical business period

    ONLINE EXTORTION

    How a Bookmaker and a Whiz

    Kid Took On an Extortionist

    and Won

    Facing an online extortion threat, Mickey

    Richardson bet his Web-based business ona networking whiz from Sacramento whofirst beat back the bad guys, then helpedthe cops nab them. If you collect revenueonline, you'd better read this.

    http://www.csoonline.com/read/050105/extortion.html

    US credit cardfirm fights DDoS attack

    US credit card processing firm Authorize.Net is fightinga sustained distributed denial of service (DDoS) attackthat has left it struggling to stay online.

    Glen Zimmerman, a spokesman for Authorize.Net'sparent company, Lightbridge, told the Boston Globe thatthe attacks followed an extortion letter. Lightbridge saidit was working with law enforcements officials to trackdown the attackers.

    http://www.theregister.co.uk/2004/09/23/authorize_ddos_attack/

  • 8/13/2019 Mahajan Security for Sp

    33/188

    3333332003, Cisco Systems, Inc. All rights reserved.SP Security

    Real Traffic

    Attack Traffic

    Firewall

    GEnet

    Real Traffic

    Attack Traffic ISP ISP 2

    Web, DNS, Email,

    AnomalyDetector

    Guard Guard

    AnomalyDetector

    Router

    Switch

    Switch

    Internal Network

    Solutions: Basic DoS and DDoS

    Server IsSubject to aDDoS Attack

    DDos AttackDetected

  • 8/13/2019 Mahajan Security for Sp

    34/188

    3434342003, Cisco Systems, Inc. All rights reserved.SP Security

    Firewall

    GEnet

    Real Traffic

    Attack Traffic ISP ISP 2

    Web, DNS, Email,

    AnomalyDetector

    Guard Guard

    AnomalyDetector

    Router

    Switch

    CatalystSwitch

    Internal Network

    Solutions: Basic DoS and DDoS

    Valid TrafficContinues onto Server Farm

    Routing UpdateSent to Switch

    Traffic Is Divertedto the Guard

    Anomalous TrafficIs Detectedand Dropped

  • 8/13/2019 Mahajan Security for Sp

    35/188

    3535352003, Cisco Systems, Inc. All rights reserved.SP Security

    Further Solutions: Denial of Service

    Denial of Service likely to continue to be a problem for anumber of years

    Economic incentives drive behavior

    Application Denial of Service a key piece of anApplication Security strategy

    Look for solutions with real DoS protective capabilities

    Partnerships are a Must

    Enterprises must work with their Providers to set upresponse plans

    Incident Response a Must

    Have a plan before your attacked. DoS attacks are veryvisible, very quickly. Timeliness of response is key

  • 8/13/2019 Mahajan Security for Sp

    36/188

    3636362003, Cisco Systems, Inc. All rights reserved.SP Security

    Messaging Security

    SPAM / SPIM / SPIT

    Nuisance / Productivity Drain / DoS or Cost ImpositionVector for other Frauds

    Phishing / Pharming

    Solutions:

    IIM (Identified Internet Mail) spec

    2-factor auth for financialsUniform policy control: Message Hygiene solutions;Endpoint Posture Compliance

  • 8/13/2019 Mahajan Security for Sp

    37/188

    3737372003, Cisco Systems, Inc. All rights reserved.SP Security

    SPAMity Calamity

  • 8/13/2019 Mahajan Security for Sp

    38/188

    3838382003, Cisco Systems, Inc. All rights reserved.SP Security

    SPAMity Calamity

    Evolution of SPAM:

    NuisanceProductivity Drain

    Offensive Content

    Vector for Fraud

    Dominant SourceToday: Bot-nets

    SPAM is very much anunsolved problem

    http://abcnews.go.com/US/wireStory?id=252318

    Trial Shows HowSpammers Operate

    Trial of Prolific Spammer ShowsHow He Sent 10 Million E-Mailsa Day, Made $750,000 a Month

    LEESBURG, Va. Nov 14, 2004

  • 8/13/2019 Mahajan Security for Sp

    39/188

    3939392003, Cisco Systems, Inc. All rights reserved.SP Security

    The Changing Nature of Spam

    SPAM explosion: Old Dog, New Tricks

    SPIMSpam over InstantMessaging

    SPITSpam over IP Telephony

    Rise of Crime:

    Fraud as a rising threat

    Phishing

    Criminalization of Spam:

    CAN-SPAM act in US

    Introduction to Phishing

  • 8/13/2019 Mahajan Security for Sp

    40/188

    4040402003, Cisco Systems, Inc. All rights reserved.SP Security

    Introduction to PhishingPhishing Basics

    Introduction to Phishing

  • 8/13/2019 Mahajan Security for Sp

    41/188

    4141412003, Cisco Systems, Inc. All rights reserved.SP Security

    Introduction to PhishingPhishing Basics

    PHISHING:Email Schemes, Called Phishing

    or Carding , Are an Attempt toTrick Consumers into DisclosingPersonal and/or FinancialInformation; the Emails Appearto Come from Companies with

    Whom Consumers May RegularlyConduct Business; Often Timesthe Email Threatens Terminationof Accounts Unless ConsumersUpdate Bill ing Information

    Source:www.atg.wa.gov/consumer/idprivacy/phishing.shtm

    In this Example, the Link ReallyLeads Through to:http://web.da-

    us.citibank.com.userdll.com:4903/c/index.htm

    CONCLUSION:Unsolicited Email Can Be More than Just an Annoyance

    New Threats: Phishings

  • 8/13/2019 Mahajan Security for Sp

    42/188

    4242422003, Cisco Systems, Inc. All rights reserved.SP Security

    New Threats: Phishing sCousinPharming

    MUNDO-BANK.COM

    Hosts File:superbank.com = 172.168.254.254

    172.168.1.1

    Come see us atwww.superbank.com

    MUNDO-BANK.COM

    Unsol

    icited

    Email

    MUNDO-BANK.COM

    172.168.1.1

    MUNDO-BANK.COM

    MUNDO-BANK.COM

    DNS

    Poiso

    ning

    Regular

    Onli

    ne

    Banking

    PHISHING PHARMING

    172.168.254.254 172.168.254.254

    The Port 80 Problem

  • 8/13/2019 Mahajan Security for Sp

    43/188

    4343432003, Cisco Systems, Inc. All rights reserved.SP Security

    The Port 80 ProblemOpportunistic Applications Overloading Open Ports

    Port Overloading enables

    violation of Security Policy:Opportunistic applications tunnel

    through open outbound ports. Legacy

    firewalls cannot discern legitimatefrom illegitimate applications

    Some Solutions:

    Advanced firewalls can distinguish between applications by

    protocol semantics and enforce security pol icy

    Business Traffic

    Peer to Peer,Tunneled Apps

    PublicInternet

    Opportunistic Applications:Peer-to-peer Apps

    Instant Messaging

    Remote PC Access Apps

    Covert Channels

  • 8/13/2019 Mahajan Security for Sp

    44/188

    4444442003, Cisco Systems, Inc. All rights reserved.SP Security

    The Port 443 (SSL) Problem

    Encrypted Port 80 Data confidentiality extends

    to network devices as well

    Can verify compliance withSSL protocol spec, but

    beyond that, very difficult toenforce policy

    S: 10.123.234.17D: 123.234.123.234Port: 443

    Contents:100010111010100110010101100110101010001101011010011010111001010

    Were planning on

    pricing it less than$4000. I thought youdfind that interesting

    oddballWhat is this?

    Valid e-commerce?

    Acceptable-use violations?Covert channel?Outbound attack?

    Some Solutions:

    Protocol compliance checking

    Desktop application usagepolicy enforcement tools

    Destination fi ltering viadomain/URL filtering

    Close 443 to all but well-defined

    business traffic

  • 8/13/2019 Mahajan Security for Sp

    45/188

    4545452003, Cisco Systems, Inc. All rights reserved.SP Security

    Securing Web Services

  • 8/13/2019 Mahajan Security for Sp

    46/188

    4646462003, Cisco Systems, Inc. All rights reserved.SP Security

    Web Services and XML Security

    Exposing the application layer toexternal entities for the first time

    Introduces new classes of credentialsfor access control

    Introduces new classes of attacks: X-

    malware, XML DoS, XPATH injection,etc.

    Allows new services for confidentialityand integrity: Field-level encryption,

    document signing, transformationservices, etc.

    Ingress to the DataCenter / DMZ

    Web-enabled Front-End

    Appl ication Server

    Database Layer

    Some Solutions:

    Secure Coding!

    Schema validation toolsets

    Attack prevention technologies

  • 8/13/2019 Mahajan Security for Sp

    47/188

    4747472003, Cisco Systems, Inc. All rights reserved.SP Security

    Social Engineering

    Social Engineering Attacks: Attacks that

    compromise the human elements of businessprocessing

    Assuming an identity to exploit trust relationships

    These forms of attack have been around forever

    Not an emerging threat in and of itself, but aconstant force multipl ier on new threats

  • 8/13/2019 Mahajan Security for Sp

    48/188

    482003, Cisco Systems, Inc. All rights reserved.SP Security

    The First Step - Telemetry

    Holistic Approach to

  • 8/13/2019 Mahajan Security for Sp

    49/188

    4949492003, Cisco Systems, Inc. All rights reserved.SP Security

    ppSystem-Wide Telemetry

    Cardiologist

    Ophthalmologist

    Neurologist

    NephrologistHematologist

    Podiatrist

    Holistic Approach to Patient CareUses a system-wide approach, coordinating with various specialists,

    resulting in the patients better overall health and wellbeing.

    Holistic Approach to

  • 8/13/2019 Mahajan Security for Sp

    50/188

    5050502003, Cisco Systems, Inc. All rights reserved.SP Security

    ppSystem-Wide Telemetry (Cont.)

    Data Center:Ingress / egress trafficIntra Datacenter traffic

    due to trust relationshipsof servers

    Availability scheme

    influenced traffic patternsNetwork element health

    Customer Edge:Ingress traffic

    [worm, attack]Egress traffic

    [spreading worms]Shared resources

    such as DNS,SMTP and suchservers

    Network elementhealth

    Core:Network element

    healthInfrastructure

    healthPerformancePacket paths

    SP Peering:Ingress /

    egress traffic

    Asymmetrictraffic due topeering policy& topology

    Networkelement health

    P

    P

    P

    P

    PE

    P

    P

    PE(s)L2 Agg.

    Broadband,

    Wireless (3G,802.11),Ethernet, FTTH,

    Leased Line,ATM, Frame-

    Relay

    CPE(s)

    P P

    Data/ServiceCenter

    CPE/ACCESS/AGGREGATION CORE PEERINGDATA/SVCCenter

    ISP /Al t. Carrier

  • 8/13/2019 Mahajan Security for Sp

    51/188

    5151512003, Cisco Systems, Inc. All rights reserved.SP Security

    What Is One Listening to?

    Ingress traffic flow

    Egress traffic flow

    Network element health

    Resources such as CPU, memory, etc.

    # flow to build baseline and detect anomaly

    Top talkers

    Open ports services etc.

    Shared services

    DNS, SMTP, Availabili ty related services, etc.

  • 8/13/2019 Mahajan Security for Sp

    52/188

    5252522003, Cisco Systems, Inc. All rights reserved.SP Security

    Understand the Concept of Data Gathering

    Listening to a network elementPer device listening

    Local data provide information about local threats

    Listening to ManyCorrelation is a MUST

    Intelligent analysis is a MUST

    Risks and threats are NOTprevalent in one place ONLY

    Need to watch everywhere to avoidbeing eaten by thousand turkeys...

    Listen

    Holistic Approach to

  • 8/13/2019 Mahajan Security for Sp

    53/188

    5353532003, Cisco Systems, Inc. All rights reserved.SP Security

    System-Wide Telemetry

    Data Center:Inter as well as Intra Data

    Center traffic

    Customer Edge:Shared resources

    and servicesshould beavailable

    Core:Performance must

    not be affectedSP Peering:Ability to trace

    through

    asymmetrictraffic

    P

    P

    P

    P

    PE

    P

    P

    PE(s)L2 Agg.

    Broadband,

    Wireless (3G,802.11),Ethernet, FTTH,

    Leased Line,ATM, Frame-

    Relay

    CPE(s)

    P P

    Data/ServiceCenter

    CPE/ACCESS/AGGREGATION CORE PEERINGDATA/SVCCenter

    ISP /Al t. Carrier

    Listen Listen

    Listen

    Listen

    Network Telemetry:

  • 8/13/2019 Mahajan Security for Sp

    54/188

    5454542003, Cisco Systems, Inc. All rights reserved.SP Security

    Tools, Techniques and Protocols

    Proactive Telemetry

    NetFlow

    SNMP

    RMON

    Syslog

    Network element healthBGP

    DNS

    Telemetry During the Incident

    Packet Capture

    show commands

    Network element health

    Syslog

    How to Gather Data or Information?

  • 8/13/2019 Mahajan Security for Sp

    55/188

    5555552003, Cisco Systems, Inc. All rights reserved.SP Security

    Netflow : What Is a Flow?

    Defined by seven uniquekeys:

    Source IP address

    Destination IP address

    Source port

    Destination port

    Layer 3 protocol type

    TOS byte (DSCP)Input logical interface(ifIndex)

    Exported Data

    N fl C i E P k

  • 8/13/2019 Mahajan Security for Sp

    56/188

    5656562003, Cisco Systems, Inc. All rights reserved.SP Security

    Netflow : Creating Export Packets

    Core Network

    Enable NetFlow

    Traffic

    CollectorNFC, flow-tools , Arbor

    UDP NetFlow

    Export

    Packets

    Application GUI

    Arbor, FlowScan

    PE

    Export Packets

    Approximately 1500 bytes Typically contain 20-50 flowrecords

    Sent more frequently if trafficincreases on NetFlow-

    enabled interfaces

    N tfl K C t N tFl S l bilit

  • 8/13/2019 Mahajan Security for Sp

    57/188

    5757572003, Cisco Systems, Inc. All rights reserved.SP Security

    Netflow : Key ConceptNetFlow Scalability

    Packet capture is like a wiretap

    NetFlow is like a phone bill This level of granularity allows NetFlow to scale

    for very large amounts of traffic

    We can learn a lot from studying the phone bill!

    Whos talking to whom, over what protocols & ports,for how long, at what speed, for what duration, etc.

    NetFlow is a form of telemetrypushed from therouters/switches - each one can be a sensor!

    N tFl I f t t

  • 8/13/2019 Mahajan Security for Sp

    58/188

    5858582003, Cisco Systems, Inc. All rights reserved.SP Security

    NetFlow Infrastructure

    Applications:Applications:

    Router:

    Cache Creation

    Data Export

    Aggregation

    Router:

    Cache Creation

    Data Export

    Aggregation

    Collector:

    Collection

    Filtering

    Aggregation

    Storage

    File System Management

    Account ing/Billing

    Network Planning

    Data Presentation

    Wh t D l N tFl ?

  • 8/13/2019 Mahajan Security for Sp

    59/188

    5959592003, Cisco Systems, Inc. All rights reserved.SP Security

    Where to Deploy NetFlow?

    Attack Detection

    User (IP)monitoring

    Applicationmonitoring

    Billing

    Chargeback AS Peer

    Monitoring

    Attack Detection

    Billing

    Chargeback AS Peer

    Monitoring

    Attack Detection

    Traffic

    EngineeringTraffic

    Analys is

    AttackDetection

    Traffic

    EngineeringTrafficAnalys is

    AttackDetection

    Applications Attack Detection

    User (IP)monitoring

    Applicationmonitoring

    Billing

    Chargeback AS Peer

    Monitoring

    AttackDetection

    Billing

    Chargeback AS Peer

    Monitoring

    AttackDetection

    Ne

    tworkLayer Access DistributionDistribution DistributionDistribution AccessCoreCore

    NetFlow

    Features

    AggregationSchemes (v8) show ip cache

    flow command

    Arbor Networks

    NetFlowMPLS EgressAccounting

    BGP Next-hop(v9)

    ArborNetworks

    NetFlowMPLS EgressAccounting

    BGP Next-hop(v9)

    ArborNetworks

    MPLS AwareNetFlow (v9)

    BGP Next-hop(v9)

    SampledNetFlow

    Arbor Networks

    MPLS AwareNetFlow (v9)

    BGP Next-hop(v9)

    Sampled

    NetFlow

    Arbor Networks

    NetFlowMPLS EgressAccounting

    BGP Next-hop(v9)

    ArborNetworks

    NetFlowMPLS EgressAccount ing

    BGP Next-hop(v9)

    ArborNetworks

    AggregationSchemes (v8) show ip cache

    flow command

    Arbor Networks

    Principal NetFlow Benefits

  • 8/13/2019 Mahajan Security for Sp

    60/188

    6060602003, Cisco Systems, Inc. All rights reserved.SP Security

    Principal NetFlow Benefits

    Peering arrangements

    SLA VPN user reporting

    Usage-based billing

    DoS/worm detection

    Traffic engineering

    Troubleshooting

    Internet access

    monitoring (protocoldistribution, trafficorigin/destination)

    Associate cost of IT to

    departments

    More scalable than RMON

    DoS/worm detection

    Policy compliancemonitoring

    Troubleshooting

    SERVICE PROVIDER ENTERPRISE

    Open Source Tools for NetFlow AnalysisThe OSU Flow Tools

  • 8/13/2019 Mahajan Security for Sp

    61/188

    6161612003, Cisco Systems, Inc. All rights reserved.SP Security

    The OSU Flow-Tools

    Open source NetFlow collection and retrieval tools

    Developed and maintained by Mark Fullmer, availablefrom http://www.splintered.net/sw/flow-tools/

    Runs on common *NIX platforms (Linux, FreeBSD, MacOS/X, Solaris, etc.)

    Command-line tools allow for very display/sorting ofspecific criteria (source/dest IP, source/dest ASN,protocol, port, etc.)

    Data can be batched and imported into database such as

    Oracle, MySQL, Postgres, etc. Can be combined with other tools to provide visualization

    of traffic patterns

    Many other useful features - check it out today!

    Open Source Tools for NetFlow AnalysisVisualization FlowScan

  • 8/13/2019 Mahajan Security for Sp

    62/188

    6262622003, Cisco Systems, Inc. All rights reserved.SP Security

    VisualizationFlowScan

    Open source NetFlow graphing/visualization tools

    Developed and maintained by Dave Plonka, available from

    http://net.doit.wisc.edu/~plonka/FlowScan/

    Runs on common *NIX platforms (Linux, FreeBSD, MacOS/X, Solaris, etc.)

    Makes use of NetFlow data collected via flow-tools tobuild traffic graphs

    Top-talkers by subnet, other types of reports supported

    Makes use of RRDTool for graphing Add-ons such as JKFlow module allow more detailed

    graphing

    Open Source Tools for NetFlow AnalysisVisualization FlowScan (Cont )

  • 8/13/2019 Mahajan Security for Sp

    63/188

    6363632003, Cisco Systems, Inc. All rights reserved.SP Security

    Source: University of Wisconsin

    VisualizationFlowScan (Cont.)

    Investigate the spike

    An identified cause of

    the outage

    Netflow : Coupling Control and Data Planes

  • 8/13/2019 Mahajan Security for Sp

    64/188

    6464642003, Cisco Systems, Inc. All rights reserved.SP Security

    Netflow : Coupling Control and Data Planes

    SNMP

  • 8/13/2019 Mahajan Security for Sp

    65/188

    6565652003, Cisco Systems, Inc. All rights reserved.SP Security

    SNMP

    SNMP = Simple Network Management Protocol

    Canonical method of obtaining real-time information from

    network devices SNMPv3provides authentication, encryption

    MIBs support polling of statistics ranging from interface

    bandwidth to CPU uti lization to chassis temperature, etc. Both a pull model for statistical poll ing and a push

    model for trap generation based upon events such as linkup/down

    Many open-source and commercial collection systems,visualization tools

    Easiest way to get into profi ling of general network

    characteristics

    Displaying SNMP Data with MRTG

  • 8/13/2019 Mahajan Security for Sp

    66/188

    6666662003, Cisco Systems, Inc. All rights reserved.SP Security

    Displaying SNMP Data with MRTG

    MRTGthe Multi Router Traffic Grapher

    Open source SNMP visualization toolset developed by

    Tobi Oetiker, available fromhttp://people.ee.ethz.ch/~oetiker/webtools/mrtg/

    Long track-record - (in general use since 1995)

    Can be used to graph router/switch data, hostperformance info from systems running SNMP agents,etc. (generates HTML w/PNG images)

    Runs on Linux, FreeBSD, Mac OS/X, Solaris, other *NIX,Windows

    Written in Perl, has its own SNMP implementation

    Powerful Visualization of SNMP with MRTG

  • 8/13/2019 Mahajan Security for Sp

    67/188

    6767672003, Cisco Systems, Inc. All rights reserved.SP Security

    Source: mrtg.org

    Powerful Visualization of SNMP with MRTG

    Powerful Visualization of SNMP with MRTG(Cont )

  • 8/13/2019 Mahajan Security for Sp

    68/188

    6868682003, Cisco Systems, Inc. All rights reserved.SP Security

    Source: mrtg.org

    (Cont.)

    Varioustype ofstatisticsgathering

    anddisplay

    Other Visualization Techniques UsingSNMP Data with RRDTool

  • 8/13/2019 Mahajan Security for Sp

    69/188

    6969692003, Cisco Systems, Inc. All rights reserved.SP Security

    SNMP Data with RRDTool

    RRDToolthe Round Robin Database Tool

    Another open source SNMP visualization toolset

    developed by Tobi Oetiker, available fromhttp://people.ee.ethz.ch/~oetiker/webtools/rrdtool/

    Improved graphing performance, new types of graphs

    Can be used in conjunction with MRTG - does not do itsown SNMP collection (can also be used w/NetFlow viaOSU flow-tools & FlowScan)

    Runs on Linux, FreeBSD, Mac OS/X, Solaris, other *NIX,

    Windows Many nice HTML/PHP front-ends such as Cacti, Cricket,

    Big Sister, etc.

    Other Visualization Techniques UsingSNMP Data with RRDTool (Cont.)

  • 8/13/2019 Mahajan Security for Sp

    70/188

    7070702003, Cisco Systems, Inc. All rights reserved.SP Security

    Source: http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/

    SNMP Data with RRDTool (Cont.)

    Anomaly for DNS Queries

    ThruputSpike

    RTTSpike

    Displaying SNMP Data with NMS Station

  • 8/13/2019 Mahajan Security for Sp

    71/188

    7171712003, Cisco Systems, Inc. All rights reserved.SP Security

    Displaying SNMP Data with NMS Station

    Can be considered as Local telemetry

    Network Management Systems (NMS) can serve as SNMP

    consoles, among other things Many can use SNMP traps and/or other forms of telemetry

    as triggers for paging, scripted actions, etc.

    Pull ing information together can be useful for NOCs,operations teams

    Commercial systems such as HP OpenView, MicromuseNetCool, IBM Tivoli, CA Unicenter

    Several open source systems - Big Brother(http://bb4.com/), Big Sister (http://bigsister.graeff.com/),Nagios (http://www.nagios.org/), and others

    Displaying SNMP Data with NMSNagios

  • 8/13/2019 Mahajan Security for Sp

    72/188

    7272722003, Cisco Systems, Inc. All rights reserved.SP Security

    Source: http://www.nagios.org

    p y g g

    Alarms

    TopologyNagios

    Stations

    RMONRemote MONitoring

  • 8/13/2019 Mahajan Security for Sp

    73/188

    7373732003, Cisco Systems, Inc. All rights reserved.SP Security

    g

    RMON is a standard defining how remote probes oragents relay network traffic information back to a central

    console Not as prevalent as SNMP or NetFlow - supported mainly

    by commercial network management systems

    Cisco Network Analysis Module-2 (NAM-2), ntop(http://www.ntop.org) are examples of RMON probes

    Most RMON probes look at raw packets via SPAN/RSPANand generate statistics from observed traffic

    Mini-RMON statistics available on Catalyst 6500/NAM-2,provides detailed stats from layer-2 access ports

    Displaying RMONntop Examples

  • 8/13/2019 Mahajan Security for Sp

    74/188

    7474742003, Cisco Systems, Inc. All rights reserved.SP Security

    Source: http://www.ntop.org

    p y g p p

    DetailedAnalysis i.e. TTL

    Value of RMON:Utilizing NAM-2 Gathered Data

  • 8/13/2019 Mahajan Security for Sp

    75/188

    7575752003, Cisco Systems, Inc. All rights reserved.SP Security

    Source: Cisco Systems, Inc.

    g

    IETF Standard

    Provides great analysiswith NAM-2 collected data

    Mini-RMON available aswell

    BGPWhy Do We Care?

  • 8/13/2019 Mahajan Security for Sp

    76/188

    7676762003, Cisco Systems, Inc. All rights reserved.SP Security

    Large-scale network security events such asworms, DDoS attacks, etc. often produce side-effects visible in the global routing table

    CorrelatingBGP information with other forms oftelemetry (NetFlow, SNMP, RMON, etc.) can beeffective in determining the true impact ofincidents

    BGP ExampleSQL Slammer

  • 8/13/2019 Mahajan Security for Sp

    77/188

    7777772003, Cisco Systems, Inc. All rights reserved.SP Security

    Correlating NetFlow and Routing Data

  • 8/13/2019 Mahajan Security for Sp

    78/188

    7878782003, Cisco Systems, Inc. All rights reserved.SP Security

    Matching data collectedfrom different tools

    How to Deploy BGP?

  • 8/13/2019 Mahajan Security for Sp

    79/188

    7979792003, Cisco Systems, Inc. All rights reserved.SP Security

    Start with open source tools: Zebra and Auagga

    Zebra (http://www.zebra.org) and Quagga(http://www.quagga.net) are two open source BGP daemonswhich can log BGP updates for further analysis

    Arbor Peakflow SP Traffic provides BGP visualization, trending,NetFlow traffic correlation, additional functionality(http://www.arbornetworks.com/products_sp.php)

    RIBs/updates available from http://archive.routeviews.org/,http://www.ripe.net/ris/index.html, http://www.renesys.com

    (commerical, useful monitoring tools/services for your ASN)

    Syslog

  • 8/13/2019 Mahajan Security for Sp

    80/188

    8080802003, Cisco Systems, Inc. All rights reserved.SP Security

    De facto logging standard for hosts, network infrastructuredevices, supported in all routers and switches

    Many levels of logging detail availablechoose the level(s)

    which are appropriate for each device/situation Logging of ACLs is generally contraindicated due to CPU

    overheadNetFlow provides more info, doesnt max the box

    Can be used in conjunction with Anycast and databases suchas MySQL (http://www.mysql.com) to provide a scalable, robustlogging infrastructure

    Different facility numbers allows for segregation of log infobased upon device type, function, other criteria

    Syslog-ng from http://www.balabit.com/products/syslog_ng/adds a lot of useful functionalityHOW-TO located athttp://www.campin.net/newlogcheck.html

    Configuring Syslog on a Router

  • 8/13/2019 Mahajan Security for Sp

    81/188

    8181812003, Cisco Systems, Inc. All rights reserved.SP Security

    Syslog data is invaluable

    Attack forensics

    Day to day events and debugging To log messages to a syslog server host,

    use the logging global configuration command

    logging host

    logging trap level

    To log to internal buffer use:

    logging buffered size

    Ensure timestamps

    service timestamps log

    Benefits of Deploying Syslog

  • 8/13/2019 Mahajan Security for Sp

    82/188

    8282822003, Cisco Systems, Inc. All rights reserved.SP Security

    Syslog data can be available from a centralizedSysLog server(s) as well as routers local buffer

    Deploy on routers, switches, firewall, IPSsensors and other network elements to get aholistic picture

    Analysis tools available such as Cisco MARS,SEC, ModLogAn and others

    SysLog Server such as Kiwi and syslog-ng

    Network Time Protocol

  • 8/13/2019 Mahajan Security for Sp

    83/188

    8383832003, Cisco Systems, Inc. All rights reserved.SP Security

    Synchronize time across all devices

    When security event occurs, data must haveconsistent timestamps

    From external time source

    Upstream ISP, Internet, GPS, atomic clockFrom internal t ime source

    Router can act as stratum 1time source

    ntp source loopback0

    ntp server 10.1.1.1 source loopback0

    Benefits of Deploying NTP

  • 8/13/2019 Mahajan Security for Sp

    84/188

    8484842003, Cisco Systems, Inc. All rights reserved.SP Security

    Very valuable on a global network with networkelements in different time zones

    Easy to correlate data from a global or a sizablenetwork with a consistent time stamp

    NTP based timestamp allows to trace security

    events for chronological forensic work

    Any compromise or alteration is easy to detectas network elements would go out of sync with

    the main clock

    Packet Capture

  • 8/13/2019 Mahajan Security for Sp

    85/188

    8585852003, Cisco Systems, Inc. All rights reserved.SP Security

    Sometimes, theres just no substi tute for looking at the packetson the wire

    SPAN/RSPAN/ERSPAN allow packet capture from Catalystswitches; ip packet export allows packet capture from routers

    Open source tools such as tcpdump, snoop, Ethereal(http://www.ethereal.com) on free *NIX or Windows allow

    inexpensive packet-capture solutions to be bui lt and deployed

    Commercial tools such as Cisco NAM-2, NAI Sniffer/DistributedSniffer, Wandel and Goltermann available

    Use macroanalytical telemetry such as SNMP, NetFlow, RMONto guide your use of microanalytical telemetry (i.e., packetcapture)

    Packet Capture Examples

  • 8/13/2019 Mahajan Security for Sp

    86/188

    8686862003, Cisco Systems, Inc. All rights reserved.SP Security

    Source: http://www.ethereal.com, Cisco Systems, Inc.

    Wealth ofinformation, L1-L7

    raw data foranalysis

    How to Use Packet Capture

  • 8/13/2019 Mahajan Security for Sp

    87/188

    8787872003, Cisco Systems, Inc. All rights reserved.SP Security

    Mainly a reactionarytool

    Generally a reaction after finding out that there is an anomaly

    Used in telemetry duringthe security eventNeed to know where to capture the packet.

    Sometimes, the same packet needs to be captured in mult ipleplaces

    Wealth of information

    Informs what type of outbreak one is observing on thenetwork

    Provides raw data for further analysis

    Helps by providing information on how to bring thesafeguards for short term and long tem mitigation

    OkayTell Me Where to Start From?

  • 8/13/2019 Mahajan Security for Sp

    88/188

    8888882003, Cisco Systems, Inc. All rights reserved.SP Security

    1. NetFlow enablement on the network elements

    2. NetFlow data correlation and analysis

    3. SNMP / RMON [SNMP more prevalent]

    1. CPU / Memory util

    2. Link usage and display with MRTG4. SysLog collection and analysis

    5. Monitoring to Routing, DNS queries, etc. [BGP, DNS]

    6. Local and remote packet capture facili ty [Most have ittoday with sniffer, ethereal]

  • 8/13/2019 Mahajan Security for Sp

    89/188

    892003, Cisco Systems, Inc. All rights reserved.SP Security

    The Next Steps-Best Practice Techniques

    SP network security system cycle

  • 8/13/2019 Mahajan Security for Sp

    90/188

    9090902003, Cisco Systems, Inc. All rights reserved.SP Security

    Secure

    Monitor

    Test

    Improve SecurityPolicy

    Stage 1: Secure

    Stage 2: Monitor

    Stage 3: Test

    Stage 4: Improve

    Security Best Practices - Overview

  • 8/13/2019 Mahajan Security for Sp

    91/188

    9191912003, Cisco Systems, Inc. All rights reserved.SP Security

    Define a Security Policyand the requiredprocedures to enforce it

    this should include roles, responsibil ities, customer contacts,etc.

    Create an Incident Response Team

    should work in conjunction with the NOC/SOC

    Establish a Relationshipwith other relevantorganizations

    PSIRTs, CERTs, NSPs, and peering SPs

    Security Best Practices Overview (cont)

  • 8/13/2019 Mahajan Security for Sp

    92/188

    9292922003, Cisco Systems, Inc. All rights reserved.SP Security

    Design and Implement Services with Securityin mind

    Secure the infrastructure following a Modulardesign

    Focus on the most cr itical areas first

    Define a solid incident handling ProcedurePreparation

    Identification

    Classification

    Traceback

    Reaction

    Post Mortem

    Procedure : Preparation

    Know the enemy

  • 8/13/2019 Mahajan Security for Sp

    93/188

    9393932003, Cisco Systems, Inc. All rights reserved.SP Security

    Know the enemy

    Understand what drives the miscreants

    Understand their techniques

    Create the security team and planWho handles security during an event? Is it thesecurity folks? The networking folks?

    A good operational security professional needs to be across between the two: silos are useless

    Harden the devices

    Prepare the tools

    Network telemetry

    Reaction tools

    Understand performance characteristics

    Preparation

  • 8/13/2019 Mahajan Security for Sp

    94/188

    Preparing the Network

  • 8/13/2019 Mahajan Security for Sp

    95/188

    9595952003, Cisco Systems, Inc. All rights reserved.SP Security

    Understanding your network is crit ical topreparation

    What is normal? What is healthy?

    Monitor important indexes

    Bandwidthpeer, router, interface, application

    Routinghijacking, instabil ity

    CPUpunted traffic, show ip traffic

    Traffic patternsby AS, prefixes, ports

    Preparation

    Preparing the Network

  • 8/13/2019 Mahajan Security for Sp

    96/188

    9696962003, Cisco Systems, Inc. All rights reserved.SP Security

    Secure the control plane

    Routing protocol authentication, BGP TTL check, prefix-filtering

    Secure the management plane

    Disable unnecessary services

    Secured and authenticated device access AAA, VTY/SNMP

    ACLs, Out-of-band management

    Secure the data plane

    Anti-spoofing via strict/loose uRPF, infrastructure ACLs

    AuditingLogging, AAA records, SNMP traps

    Harden the Network

    Preparation

    The Old World: Network Edge

  • 8/13/2019 Mahajan Security for Sp

    97/188

    9797972003, Cisco Systems, Inc. All rights reserved.SP Security

    Core routers individually secured

    Every router accessible from outside

    outside outside

    Core

    telnet snmp

    Preparation

    The New World: Network Edge

  • 8/13/2019 Mahajan Security for Sp

    98/188

    9898982003, Cisco Systems, Inc. All rights reserved.SP Security

    outside outside

    Core

    Core routers individually secured PLUS

    Infrastructure protection Routers generally NOT accessible from outside

    telnet snmp

    Preparation

    The Old World: Router Perspective

  • 8/13/2019 Mahajan Security for Sp

    99/188

    9999992003, Cisco Systems, Inc. All rights reserved.SP Security

    Policy enforced at process level (VTY ACL,SNMP ACL, etc.)

    Some early features such as ingress ACL usedwhen possible

    untrustedtelnet,

    snmp

    Attacks, junkRoute

    rCPU

    Preparation

    The New World: Router Perspective

  • 8/13/2019 Mahajan Security for Sp

    100/188

    1001001002003, Cisco Systems, Inc. All rights reserved.SP Security

    Central policy enforcement, prior to processlevel

    Granular protection schemes

    On high-end platforms, hardwareimplementations

    untrusted

    telnet,snmp

    Attacks, junkRouterCPU

    Pro

    tection

    Preparation

    ASIC-Based Platform: Main Components

  • 8/13/2019 Mahajan Security for Sp

    101/188

    1011011012003, Cisco Systems, Inc. All rights reserved.SP Security

    Forwarding/Feature

    ASIC Cluster

    ASICsSupporting

    CPU

    Receive Path PacketsRoute

    Processor

    CPU

    Ingress Packets Forwarded PacketsTo Fab to Other

    Line Cards

    Punte

    dPackets

    RAW Queue(s)Also Called CPU

    Queue(s) and Punt

    Queue(s)

    Packets Bound for

    the LC CPU or RP

    Preparation

    Data Plane

  • 8/13/2019 Mahajan Security for Sp

    102/188

    1021021022003, Cisco Systems, Inc. All rights reserved.SP Security

    Forwarding/Feature

    ASIC Cluster

    ASICsSupporting

    CPU

    Receive Path PacketsRouteProcessor

    CPU

    Ingress Packets Forwarded PacketsTo Fab to Other

    Line Cards

    Punte

    dPackets

    Data Plane

    AllPackets

    Forwarded Through

    the Platform

    Data Plane

    Preparation

    Control Plane

  • 8/13/2019 Mahajan Security for Sp

    103/188

    1031031032003, Cisco Systems, Inc. All rights reserved.SP Security

    Forwarding/Feature

    ASIC Cluster

    ASICsSupporting

    CPU

    Receive Path PacketsRouteProcessor

    CPU

    Ingress Packets Forwarded PacketsTo Fab to Other

    Line Cards

    Punte

    dPackets

    Most

    Control Plane PacketsGo to the RP

    Control Plane

    Control Plane

    ARP, BGP, OSPF, and

    Other Protocols that Glue

    the Network Together

    Preparation

    Management Plane

  • 8/13/2019 Mahajan Security for Sp

    104/188

    1041041042003, Cisco Systems, Inc. All rights reserved.SP Security

    Forwarding/Feature

    ASIC Cluster

    ASICsSupporting

    CPU

    Receive Path PacketsRouteProcessor

    CPU

    Ingress Packets Forwarded PacketsTo Fab to Other

    Line Cards

    Punte

    dPackets

    AllManagement

    Plane Traff ic

    Goes to the RP

    Management Plane

    Management PlaneTelnet, SSH, TFTP, SNMP,

    FTP, NTP, and Other

    Protocols Used to

    Manage the Device

    Preparation

    Preparing the NetworkInfrastructure Protection

    l et

  • 8/13/2019 Mahajan Security for Sp

    105/188

    1051051052003, Cisco Systems, Inc. All rights reserved.SP Security

    outside outside

    Core

    Techniques to secure your transit networks

    Infrastructure ACLs, Receive ACLs, Control PlanePolicing

    telnet snmp

    Preparation

    PacketFiltering Viewed Horizontally

  • 8/13/2019 Mahajan Security for Sp

    106/188

    1061061062003, Cisco Systems, Inc. All rights reserved.SP Security

    Spoofed Source Addresses

    Customer Traffic

    Pa

    cketShield

    #

    1

    Pa

    cketShield

    #

    2

    Pa

    cketShield

    #

    3

    Pa

    cketShield

    #

    4

    Targeting the Infrastructure

    Applicat ion FiltersPolicy Enforcement

    Targeting the Customer

    PacketFilteringRemember to Filter the Return Path

  • 8/13/2019 Mahajan Security for Sp

    107/188

    1071071072003, Cisco Systems, Inc. All rights reserved.SP Security

    Spoofed Source Addr.

    Denied Apps Out

    Ingress

    PacketShield

    #

    1

    Ingress

    PacketShield

    #

    2

    Ingress

    PacketShield

    #

    3

    Ingress

    PacketShield

    #

    4

    Targeting the Infra.

    Applicat ion

    FiltersPolicy

    Enforcement

    Targeting the Customer

    Permit ted Customer Traffic

    Spoofed Source Addresses

    Egress

    PacketShield

    #

    2

    Egress

    Packet

    Shield

    #

    1

    Permit ted Customer Traffic

    Infrastructure Protection Tools

    Infrastructure ACLs (iACLs)Originally the only approach

  • 8/13/2019 Mahajan Security for Sp

    108/188

    1081081082003, Cisco Systems, Inc. All rights reserved.SP Security

    Infrastructure ACLs (iACLs)Originally, the only approach

    Create policies (ACLs or MQC) for control plane traffic to block all unwantedIP traffic destined to the core

    Applied to ALL ingress portaffects ALL traffic (control anddata plane)

    Receive Path ACLs (rACLs)The first step

    Create ACLs to block unwanted IP traffic destined to the core

    Global (single) configuration affects all receive path packets

    Only affects control plane traffic

    Only available for Cisco 12000 and Cisco 7500 routers

    Control Plane Policing (CoPP)The newest approach

    Extends rACLs by adding Modular QoS CLI (MQC) policing

    Modify input path to split control and data plane traffic priorto input feature application

    Old

    New

    Control Plane Policing Deployment Policies

    Define Service Policy

  • 8/13/2019 Mahajan Security for Sp

    109/188

    1091091092003, Cisco Systems, Inc. All rights reserved.SP Security

    Start with a simplistic policy that will notdisrupt network operations

    For critical, important, and normal traffictypes, conform actions are transmit

    For undesirable traffic, all actions areunconditionally drop regardless of rate

    For default traffic, rate-limit the amount oftraffic permitted above a certain bps

    Modify the policy over time as more

    confidence is gained in trafficratesparticularly for critical traffic

    A very low rate might discard necessarytraffic, whereas a high rate might allowthe Route Processor to be inundated with aflood of non-critical packets

    The appropriate rates are dependent onplatform capabilities and CPU capacity

    The appropr iate rates are typically site-specific as well, depending on localtopology and routing table size

    Strive for constant improvementto keep pace with new attacks,and to cover new services

    Basic Control Plane Policing Service Policy

    DropTransmit 8,000Default

    DropDrop 8,000Undesirable

    TransmitTransmit 15,000Normal

    TransmitTransmit 125,000Important

    TransmitTransmit N/ACritical

    ExceedAction

    ConformAction

    Rate (bps)TrafficClass

    Hybrid Control Plane Policing Service Policy

    DropTransmit 8,000DefaultDropDrop 8,000Undesirable

    DropTransmit 15,000Normal

    DropTransmit 125,000Important

    TransmitTransmit N/ACritical

    ExceedAction

    ConformAction

    Rate (bps)TrafficClass

    ExampleOnly

    Define Service Policy

    Prepare the Tools

    Sinkholes

  • 8/13/2019 Mahajan Security for Sp

    110/188

    1101101102003, Cisco Systems, Inc. All rights reserved.SP Security

    Sinkholes are a versatile function of routing topology and hardenedinfrastructure

    Infrastructure protectionSinkhole your core address space to minimize attack

    Identification/classification

    Monitor dark IP space for attack noise and worm/botnet scanning

    Redirect attacks for analysis

    Traceback

    Use backscatter to trace spoofed hosts

    Reaction

    Divert attacks from the victim

    Sinkholes

    Preparation

    Sink Hole Architecture

  • 8/13/2019 Mahajan Security for Sp

    111/188

    1111111112003, Cisco Systems, Inc. All rights reserved.SP Security

    Dedicated network component to attract traffic

    Can also be used on demand : Pull the DoS/DDoS attackto the sinkhole

    Sink Hole design can also incorporate scrubbers

    To ISP

    Backbone

    To ISP

    Backbone

    To ISP

    Backbone

    SINKHOLEGATEWAY

    TARGETROUTER?

    SNIFFERS AND

    ANALYZERS

    Static ARP to

    Target Router

    Preparation

    Sinkholes: Worm Detection

  • 8/13/2019 Mahajan Security for Sp

    112/188

    1121121122003, Cisco Systems, Inc. All rights reserved.SP Security

    Customer

    May Also Use NetFlow

    Data from Edge Routersfor This Purpose

    Computer StartsScanning the Internet

    SINKHOLE

    NETWORK

    SQL

    Sinkhole Advertising

    Bogon and Dark IP Space

    Preparation

    RANDOM DESTINATIONS

    Backscatter Analysis of Attack Noise

    IngressOther

  • 8/13/2019 Mahajan Security for Sp

    113/188

    1131131132003, Cisco Systems, Inc. All rights reserved.SP Security

    RANDOM DESTINATIONS

    Target

    gRoutersISPs

    RANDOMSOURCES

    RAND

    OMSOURC

    ES

    Sink Hole Router

    Preparation

    Sink Hole Routers/Networks

  • 8/13/2019 Mahajan Security for Sp

    114/188

    1141141142003, Cisco Systems, Inc. All rights reserved.SP Security

    Target of

    Attack

    172.168.20.1 is attacked

    172.168.20.0/24 targets network

    Sink Hole Network

    Preparation

    Sink Hole Routers/Networks

    Router advertises

  • 8/13/2019 Mahajan Security for Sp

    115/188

    1151151152003, Cisco Systems, Inc. All rights reserved.SP Security

    Target of

    Attack

    172.168.20.1 is attacked

    172.168.20.0/24 targets network

    Router advertises

    172.168.20.1/32

    Sink Hole Network

    Preparation

    Identifying Attacks

    P ti l it i t l d d k IP

  • 8/13/2019 Mahajan Security for Sp

    116/188

    1161161162003, Cisco Systems, Inc. All rights reserved.SP Security

    Proactively monitor internal and dark IPspace

    Build baselines for all traffic to exposeanomalous behavior

    Util ize tools that enable network-widecorrelation of control and data planes (e.g.,CPU utilization, route stability, Netflow, etc..)

    Notify your customers before they notify yoube proactive!

    Identification

    Changes to Network Baselines

    SNMP data

  • 8/13/2019 Mahajan Security for Sp

    117/188

    1171171172003, Cisco Systems, Inc. All rights reserved.SP Security

    SNMP data

    Unexplained changes in link utilization

    Worms can generate a lot of traffic, sudden changes in linkuti lization can indicate an attack or a worm

    Unexplained changes in CPU utilization

    Attack/Worm scans can affect routers/switches resulting in

    increased CPU both process and interrupt switched

    Unexplained syslog entries

    These are examples

    Changes dont always indicate an attack/worm!Need to know whats normal to identify abnormal behavior

    Identification

  • 8/13/2019 Mahajan Security for Sp

    118/188

    Identification Examples

  • 8/13/2019 Mahajan Security for Sp

    119/188

    1191191192003, Cisco Systems, Inc. All rights reserved.SP Security

    BGP Flaps

    Packet Size

    CPU

    Identification

    Classification

    ClassificationUnderstanding the type

  • 8/13/2019 Mahajan Security for Sp

    120/188

    1201201202003, Cisco Systems, Inc. All rights reserved.SP Security

    g ypof attack and what damage is it causing

    You need to know what you (or yourcustomer) are getting hit with

    Determines the rest of the incident response

    What tools are available?

    How can you do this without crashing a

    router?

    Classification

    Classification

    What type of attack has been identified?

  • 8/13/2019 Mahajan Security for Sp

    121/188

    1211211212003, Cisco Systems, Inc. All rights reserved.SP Security

    yp

    Qualify and quantify the attack withoutjeopardizing services availability (e.g.,crashing a router):

    What type of attack has been identif ied?Whats the effect of the attack on the victim(s)?

    What next steps are required (if any)?

    Classification

    Ways to Classify DoS Attacks

  • 8/13/2019 Mahajan Security for Sp

    122/188

    1221221222003, Cisco Systems, Inc. All rights reserved.SP Security

    NetFlow: Flow information

    ACLs (maybe with logging)

    Backscatter

    Sniffers

    Anomaly Detector

    Classification

    Classifying DoS with ACLs

    Requires ACLs to be in place (for detection)E d d IP l i 169

  • 8/13/2019 Mahajan Security for Sp

    123/188

    1231231232003, Cisco Systems, Inc. All rights reserved.SP Security

    Looks Like

    Smurf Attack

    Found:

    Attack typeInterface

    Extended IP access l ist 169

    permit icmp any any echo (2 matches)

    permit icmp any any echo-reply (21374 matches)

    permit udp any any eq echo

    permit udp any eq echo any

    permit tcp any any established (150 matches)

    permit tcp any any (15 matches)

    permit ip any any (45 matches)

    Watch performance impact

    Used on demand, not pro-active

    More used for checking than for detection

    Some ASIC based LCs do not show counters

    Classification

    Traceback

    TracebackFrom where is the attacki i ti ?

  • 8/13/2019 Mahajan Security for Sp

    124/188

    1241241242003, Cisco Systems, Inc. All rights reserved.SP Security

    originating?

    Deterrence works. Traceback a few attacks totheir source, capture the attacker, prosecute,and lock them up and you will have a credibledeterrence.

    Foundation Techniques

    How to traceback to the edge of the Network?

    How to continue traceback over the ISP ISPboundary

    Traceback

    Traceback

    Traceback to network perimeter

    Netflow

  • 8/13/2019 Mahajan Security for Sp

    125/188

    1251251252003, Cisco Systems, Inc. All rights reserved.SP Security

    Netflow

    Backscatter

    Packet accounting

    IP Source

    Retain attack data

    Use to correlate inter-domain traceback

    Required for prosecution

    Deters future attacks

    Clarify billing and other disputes

    Post Mortem Analysis

    Traceback

    Tracing DoS Attacks

    Non-spoofed: Technically trivial (IRR)

  • 8/13/2019 Mahajan Security for Sp

    126/188

    1261261262003, Cisco Systems, Inc. All rights reserved.SP Security

    But: Potentially tracing 100s of sources

    Spoofed:IP Source Tracker: router by router

    NetFlow:Automatic if analysis tools are installed

    Manually: Router by router

    ACLs:Has performance impact on some platformsMostly manual: Router by router

    Backscatter technique:One step, fast, only for spoofed sources

    Traceback

    madrid% whois -h whois.arin.net 64.103.0.0

    The Internet Routing Registry (IRR):Network Info

  • 8/13/2019 Mahajan Security for Sp

    127/188

    1271271272003, Cisco Systems, Inc. All rights reserved.SP Security

    OrgName: Cisco Systems, Inc.

    OrgID: CISCOS-2

    Address: 170 West Tasman DriveCity: San Jose

    StateProv: CA

    PostalCode: 95134

    Country: US

    NetRange: 64.100.0.0 - 64.104.255.255

    CIDR: 64.100.0.0/14, 64.104.0.0/16

    [...]

    TechHandle: CAH5-ARIN

    TechName: Huegen, Craig

    TechPhone: +1-408-526-8104

    TechEmail: [email protected]

    OrgTechHandle: DN5-ORG-ARIN

    OrgTechName: Cisco Systems, Inc.

    OrgTechPhone: +1-408-527-9223

    OrgTechEmail: [email protected]

    Europe:whois.ripe.net

    Asia-Pac:whois.apnic.net

    USA and rest:whois.arin.net

    ContactInformation

    Traceback

    madrid% whois -h whois.arin.net as109

    OrgName: Cisco Systems Inc

    The Internet Routing Registry (IRR):AS Info

  • 8/13/2019 Mahajan Security for Sp

    128/188

    1281281282003, Cisco Systems, Inc. All rights reserved.SP Security

    OrgName: Cisco Systems, Inc.

    OrgID: CISCOS-2

    Address: 170 West Tasman Drive

    City: San JoseStateProv: CA

    PostalCode: 95134

    Country: US

    ASNumber: 109

    ASName: CISCOSYSTEMS

    ASHandle: AS109

    []

    TechHandle: MRK4-ARIN

    TechName: Koblas, Michelle

    TechPhone: +1-408-526-5269

    TechEmail: [email protected]

    OrgTechHandle: DN5-ORG-ARIN

    OrgTechName: Cisco Systems, Inc.

    OrgTechPhone: +1-408-527-9223

    OrgTechEmail: [email protected]

    Europe:whois.ripe.net

    Asia-Pac:whois.apnic.net

    USA and rest:whois.arin.net

    Also, if domain known:abuse@domain

    Traceback

    Routers need Netflow enabled

    Tracing Back with Netflow

    Victim

  • 8/13/2019 Mahajan Security for Sp

    129/188

    1291291292003, Cisco Systems, Inc. All rights reserved.SP Security

    The flows come from serial 1

    router1#sh ip cache flow | include Se1 Et0 11 0013 0007 159

    . (lots more flows to the same destination)

    router1#sh ip cef se1

    Prefix Next Hop Interface

    0.0.0.0/0 10.10.10.2 Serial1

    10.10.10.0/30 attached Serial1

    Victim

    Find the upstream

    router on serial 1

    Continue on this router

    Traceback

    Trace-Back in One Step: ICMP Backscatter

    IngressRouters

    OtherISPs

    iBGP U d t

  • 8/13/2019 Mahajan Security for Sp

    130/188

    1301301302003, Cisco Systems, Inc. All rights reserved.SP Security

    Target

    randomsources

    random

    sources

    Sink Hole Router

    iBGP Updates: Drop Packets to Target

    Traceback

    Trace-Back in One Step: ICMP Backscatter

    iBGP U d t

    IngressRouters

    OtherISPs

  • 8/13/2019 Mahajan Security for Sp

    131/188

    1311311312003, Cisco Systems, Inc. All rights reserved.SP Security

    Target

    Sink Hole Router

    with Logging

    ICMP

    Unreachables

    ICMP

    Unreachables

    iBGP Updates: Drop Packets to Target

    Traceback

    Reaction - Incident Response Principles

  • 8/13/2019 Mahajan Security for Sp

    132/188

    1321321322003, Cisco Systems, Inc. All rights reserved.SP Security

    1. Dont Panic!2. Use A Mitigation Methodology.

    3. Do not make drastic changes to thenetwork while the attack/worm isrampant.

    Reaction

    ISP Security Incident Response

    Given that ISPs are transit networks, theway incident response happens is slightly

  • 8/13/2019 Mahajan Security for Sp

    133/188

    1331331332003, Cisco Systems, Inc. All rights reserved.SP Security

    way incident response happens is slightly

    different from other networks. More effort is made to mitigate the effects

    of the attack and trace it back upstreamto

    its source.

    Working with ISP Security Teams have

    demonstrated six distinct phases in theway ISPs response to security incidents.

    Reaction

    Capacity as a Solution

    To many sorts of attacks, a common

  • 8/13/2019 Mahajan Security for Sp

    134/188

    1341341342003, Cisco Systems, Inc. All rights reserved.SP Security

    y ,solution is to add more capacity

    Not every problem gets solved this way

    Think about collateral damage

    Challenge is to solve all the problems inthe most economically feasible way

    Reaction

    Using IP Routing as a Security Tool

    ISPs use routingto get packets fromcustomers to the Internet

  • 8/13/2019 Mahajan Security for Sp

    135/188

    1351351352003, Cisco Systems, Inc. All rights reserved.SP Security

    customers to the Internet

    ISPs use routing to engineer trafficthrough their network

    ISPs manipulate traffic to get the most outof their available bandwidth

    What is the problem with manipulating

    bad traffic to get the most out of availablebandwidth?

    Reaction

    Using IP Routing as a Security Tool

    IP Routing can be used to manipulatetraffic on the ISPs network to:

  • 8/13/2019 Mahajan Security for Sp

    136/188

    1361361362003, Cisco Systems, Inc. All rights reserved.SP Security

    traffic on the ISPs network to:

    Null0 (Black Hole)

    Shunts

    Sink HoleAnalysis Devices

    Clean up Devices

    Rate-Limit

    Reaction

    Using IP Routing as a Security Tool

  • 8/13/2019 Mahajan Security for Sp

    137/188

    1371371372003, Cisco Systems, Inc. All rights reserved.SP Security

    And it is all done via BGP.

    Uses a BGP trigger router

    One router on the network connected via an

    iBGP route reflector that injects triggerupdate

    The BGP Update packet

    Reaction

    Source Based Remote TriggeredBlack Hole Filtering

    What do we have?

  • 8/13/2019 Mahajan Security for Sp

    138/188

    1381381382003, Cisco Systems, Inc. All rights reserved.SP Security

    Black Hole FilteringIf the destinationaddress equals

    Null 0 we drop the packet.

    RemoteTriggeredTrigger a prefix to equal Null 0 onrouters across the Network at iBGP speeds.

    uRPFLooseCheckIf the sourceaddress equals Null0, we drop the packet.

    Put them together and we have a tool to trigger

    drop for any packet coming into the networkwhose source or destination equals Null 0!

    Reaction

    Customer Is DOSedBefore

    A Peer B

    Peer AIXP-W

  • 8/13/2019 Mahajan Security for Sp

    139/188

    1391391392003, Cisco Systems, Inc. All rights reserved.SP Security

    NOC

    A

    BC

    D

    E

    FG

    Target

    Peer BIXP-E

    Upstream

    A

    Upstream

    B UpstreamB

    POP

    UpstreamA

    Target istaken

    out

    Reaction

    Customer Is DOSedAfter

    A Peer B

    Peer AIXP-W

  • 8/13/2019 Mahajan Security for Sp

    140/188

    1401401402003, Cisco Systems, Inc. All rights reserved.SP Security

    NOC

    BC

    D

    E

    FG

    iBGP

    Advertises

    List of Black

    HoledPrefixes

    based on

    SOURCE

    ADDRESSES

    Target

    Peer BIXP-E

    Upstream

    A

    Upstream

    B UpstreamB

    POP

    UpstreamA

    Reaction

    Mitigation: Packet Scrubbing

    Use the same BGP mechanism to redirecttraffic to scrubbing devices

  • 8/13/2019 Mahajan Security for Sp

    141/188

    1411411412003, Cisco Systems, Inc. All rights reserved.SP Security

    g

    Activate redirection:

    Redistribute host route for victim into BGPwith next-hop set to scrubbing devices

    Route is propagated using BGP to all BGPspeaker and traffic redirected

    When attack is over, BGP route can beremoved to return to normal operation

    Reaction

    Re-Directing Traffic from the Victim

    Ingress

    Routers

    Other

    ISPs

    Keeps l ine to customer clear But cuts target host off completely

    Di ith t !!!

  • 8/13/2019 Mahajan Security for Sp

    142/188

    1421421422003, Cisco Systems, Inc. All rights reserved.SP Security

    Target

    Sink Hole Router:

    Announces Route target/32

    Discuss with customer!!!

    Reaction

    Guard: Packet Scrubbing

    G dBGP A t

  • 8/13/2019 Mahajan Security for Sp

    143/188

    1431431432003, Cisco Systems, Inc. All rights reserved.SP Security

    GuardBGP Announcement

    Target

    1. Detect

    2.Activate: Auto/Manual

    3. Divert Only Targets Traffic

    Non-Targeted Servers

    Anomaly Detector, IDS,NetFlow

    Reaction

    Guard: Packet Scrubbing

    GuardTraffic Destined

  • 8/13/2019 Mahajan Security for Sp

    144/188

    1441441442003, Cisco Systems, Inc. All rights reserved.SP Security

    4. Identify and Filterthe Malicious

    Anomaly Detector, IDS,NetFlow,

    6.NonTargeted

    Traffic Flows

    Freely

    Target

    Legitimate Traffic

    to Target

    5.Forward the Legitimate

    Traffic Destined

    to The Target

    Non-Targeted Servers

    Reaction

    Post Mortem

    Post MortemAnalyzing what just happened.

  • 8/13/2019 Mahajan Security for Sp

    145/188

    1451451452003, Cisco Systems, Inc. All rights reserved.SP Security

    What can be done to build resistance to theattack happening again

    The step everyone forgets!

    Was the DOS attack you just handled, the real threat?Or was it a smoke screen for something else that justhappened?

    What can you do to make it faster, easier, less painful

    in the future?

    Post Mortem

    Post Mortem

  • 8/13/2019 Mahajan Security for Sp

    146/188

    1461461462003, Cisco Systems, Inc. All rights reserved.SP Security

    Analyze data, trends and discuss attack

    Fully history of attack(s), trends, etc..

    Determine what, if anything, could have beendone to be better preparedmake appropriatemodifications if necessary

    Post Mortem

    Post Mortem Activities

    Assess Incident Response Team Role

    Full Representation?

  • 8/13/2019 Mahajan Security for Sp

    147/188

    1471471472003, Cisco Systems, Inc. All rights reserved.SP Security

    Single/centralized Point of Contact?

    Review and Update Technical AND Operational Functionsand Procedures

    Quantifyimpact of downtime

    Financial

    Operational

    What can we do better next t ime?

    Post Mortem

  • 8/13/2019 Mahajan Security for Sp

    148/188

    1482003, Cisco Systems, Inc. All rights reserved.SP Security

    The Next Steps-

    Modular Application of Techniquesto SP Infrastructure

    SP Network Infrastructure

    PeersIXP

    UpstreamDelivery Infrastructure

    Data Center

    Infrastructure Services

  • 8/13/2019 Mahajan Security for Sp

    149/188

    1491491492003, Cisco Systems, Inc. All rights reserved.

    SP Security

    SP Backbone

    BR

    BR

    Customer

    Customer

    Customer

    Customer

    Peering

    NOC/SOC

    Data Center

    Infrastructure

    Services

    NOC/SOC

    To POPs

    POP POP

    SP Functional Blocks

    Network Operation Center

    Security Operation Center

    Network Operation Center

    Security Operation Center

    Module 4

  • 8/13/2019 Mahajan Security for Sp

    150/188

    1501501502003, Cisco Systems, Inc. All rights reserved.SP Security

    Data CenterData CenterCore Infras.

    POP

    Core Infras.

    POP

    PeeringPeering

    Infrastructure ServicesInfrastructure Services

    Shared Server-FarmShared Server-Farm

    Dedicated Server-FarmDedicated Server-Farm

    Data Center EdgeData Center Edge

    DistributionDistributionCustomer

    Premises

    CustomerPremises

    POP

    Border

    POP

    BorderCPECPE

    CPECPE

    To POPsTo POPs

    Module 1Module 2 Module 3

    Why and the benefits of Modular Design

    Systematic approach where security isimplemented throughout the network rather thanpoint products

  • 8/13/2019 Mahajan Security for Sp

    151/188

    1511511512003, Cisco Systems, Inc. All rights reserved.SP Security

    point products

    Multiple layers of control provides higher security

    It allows you to focus on the most critical areas

    first

    Facilitates the enforcement of the security policy

    Contains the effects of attacks

    More flexible to adapt to keep up with the alwayschanging threats

    Module I - Typical POP & Core Infrastructure

    DistributionDistribution

    NetworkOperations

    Center

    D t

    POP BorderMedium SpeedPOP Border

    Medium Speed

  • 8/13/2019 Mahajan Security for Sp

    152/188

    1521521522003, Cisco Systems, Inc. All rights reserved.SP Security

    PeeringPeering

    Other ISPs

    Data

    Center

    POP BorderHigh Speed

    POP BorderHigh Speed

    3600/7200/7500

    Channelised T1/E1

    64K and nx64K circuits

    Mixture of channelised

    T1/E1, 56/64K and

    nx64K circui ts

    3640/7206/7507

    Channelised T3/E3

    T1 and E1 circui ts

    Mixture of channelised

    T3/E3 and T1/E1 circuits

    ISP BackboneISP Backbone

    OtherPOPs

    POP and Core typical threats

    Network Reconnaissance

  • 8/13/2019 Mahajan Security for Sp

    153/188

    1531531532003, Cisco Systems, Inc. All rights reserved.SP Security

    Denial of ServiceViruses and WormsIP Spoofing

    Direct ExploitsRouting Disruption..

    Module 1

    Securing POP & Core Infrastructure Module

    Harden routers and switches

    Prevents DoS and Direct attacks to routers andswitches

  • 8/13/2019 Mahajan Security for Sp

    154/188

    1541541542003, Cisco Systems, Inc. All rights reserved.SP Security

    switches

    Secure Dynamic Routing Exchange

    Route Authentication, Route Filters preventattacks on the Dynamic Routing

    Deploy packet fil ters

    Mitigates DoS attacks, spoofed attacks,reconnaissance, viruses/worms and direct attacks

    Attack detection, traceback andcontainment

    Module 1

  • 8/13/2019 Mahajan Security for Sp

    155/188

    Securing POP & Core Infrastructure ModuleSecure Dynamic Routing Exchange

    Secure Routing Route Authentication

    Plain text

    HMAC MD5

  • 8/13/2019 Mahajan Security for Sp

    156/188

    1561561562003, Cisco Systems, Inc. All rights reserved.SP Security

    HMAC-MD5

    Control Routing Updates

    Dynamic Routing Filter on Customers

    Dynamic Routing Filter to Peers

    Dynamic Routing Filter from Peers

    ..

    Module 1

    Securing POP & Core Infrastructure ModuleDeploy packet filters

    Packet Filters

    RFC 2827 BCP 38 Packet Filtering (source

  • 8/13/2019 Mahajan Security for Sp

    157/188

    1571571572003, Cisco Systems, Inc. All rights reserved.SP Security

    g (

    address spoofing)

    BCP 38 Ingress Packet Filtering

    Static BCP 38 Filtering

    Unicast RPF (strict mode )

    ..

    Module 1

    Securing POP & Core Infrastructure ModuleAttack detection, traceback and containment

    Netflow

    Intrusion Detection System alerts

  • 8/13/2019 Mahajan Security for Sp

    158/188

    1581581582003, Cisco Systems, Inc. All rights reserved.SP Security

    Sink hole routers/networks

    Unusual CPU load reported via SNMP

    Circuits Saturated

    BGP Session Flapping

    Customer calls

    .Module 1

    Netflow with Anomaly Detection

    NOC/SOC

    IDS Mgt Tool

    Collects Alerts

    Securing POP & Core Infrastructure ModuleAttack detection, traceback and containment

  • 8/13/2019 Mahajan Security for Sp

    159/188

    1591591592003, Cisco Systems, Inc. All rights reserved.SP Security

    CPE

    SP Core

    Peers

    PE

    PE

    CPE

    Peers

    The IDS uses Netflow to collect data on the flows through the network,looking for matches to known attacks while watching for newanomalies in the data flow

    Module 1

    Securing POP & Core Infrastructure ModuleAttack detection, traceback and containment

    1. Apply temporary ACLs with log-inputand examine the logs

    2. Query Netflows flow table

    No changes to the router while the network is under attack;

  • 8/13/2019 Mahajan Security for Sp

    160/188

    1601601602003, Cisco Systems, Inc. All rights reserved.SP Security

    No changes to the router while the network is under attack;

    passive monitoring Scripts can be used to poll and sample throughout the network

    IDS products can plug into Netflow

    Working on a MIB for SNMP access

    3. Backscatter Traceback Technique

    Reduced Operational Risk to the Network while traceback is inprogress.

    Speedy Traceback Ability to hand off from one ISP to another potentially tracing

    back to its source.

    Module 1

    Backscatter Traceback Technique

    Dos Attack starts1

    All edge routers withstatic route Test-Net

    (192.0.2.0/24) tonull

    0

    Edge Routers

    start droppingpackets to the/32

    4

    Securing POP & Core Infrastructure ModuleAttack detection, traceback and containment

  • 8/13/2019 Mahajan Security for Sp

    161/188

    1611611612003, Cisco Systems, Inc. All rights reserved.SP Security

    PE

    Router AdvertisesBogus and

    unallocatednetworks

    171.68.19.1

    Victim

    0

    Sink Hole configured withroute to the /32 under

    attack with next-hop equalto the Test-Net

    2

    BGP Propagates

    the update 3

    ICMP Unreachablebackscatter willstart sending

    packets tobogus/unallocated

    nets

    5

    Module 1

    Securing POP & Core Infrastructure ModuleAttack detection, traceback and containment

    ACLsManual upload/dynamic upload

    uRPFRemote trigger via BGP

  • 8/13/2019 Mahajan Security for Sp

    162/188

    1621621622003, Cisco Systems, Inc. All rights reserved.SP Security

    uRPF Remote trigger via BGP

    CARManual upload or remote triggervia BGP

    ..

    Module 1

    Remote Triggered uRPF

    Same as Backscatter

    uRPF loose check

  • 8/13/2019 Mahajan Security for Sp

    163/188

    1631631632003, Cisco Systems, Inc. All rights reserved.SP Security

    SP Core

    PE

    PE

    Traceback Technique butwith uRPF loose checkon all border routers

    If source = null then drop

    static to null also dropson destination

    BGP Propagates

    the update

    Module 1

    Remote Triggered CAR

    Quality Policy

    Pre-Configured Rate-

    Limits Are Triggered

  • 8/13/2019 Mahajan Security for Sp

    164/188

    1641641642003, Cisco Systems, Inc. All rights reserved.SP Security

    SP Core

    PE

    PE

    Propagation with BGP(QPPB) empowers CARto use updatestriggered by BGP. This

    enables a networkprotocol to trigger therate limits on

    source/destination

    iBGPAdvertises

    List of

    Rate-Limited

    Prefixes

    Module 1

    Module II - Secure Customer Premises

    Secure deployment and

  • 8/13/2019 Mahajan Security for Sp

    165/188

    1651651652003, Cisco Systems, Inc. All rights reserved.SP Security

    provisioning Secure management and

    configuration

    Integrated Security at the CPE

    Secure Provisioning and Deployment

    Provisioning and deployment are the phases in which the devicesare the most vulnerable:

    Not all devices come with secure defaults

  • 8/13/2019 Mahajan Security for Sp

    166/188

    1661661662003, Cisco Systems, Inc. All rights reserved.SP Security

    Initial configurations may include more items than needed forinitial setup (i.e. unnecessary services)

    The protocols and applications used for initial configuration maynot be secure

    Deployment may not include the authentication of the new device

    Pre-configure the new device with a secure configurationprior to its deployment (consider even before shipping)

    Once connected, use secure access for initial setup

    For high volume deployments use a hierarchical managementsolution

    Access Control\Authorization Using AAA

    Module 2

    Module III - Secure Data Center

    ServicesModule

    ServicesModule

    ISPBackboneISPBackbone

    ISPISP

  • 8/13/2019 Mahajan Security for Sp

    167/188

    1671671672003, Cisco Systems, Inc. All rights reserved.SP Security

    Shared CompartmentShared Compartment Dedicated CompartmentDedicated Compartment

    EdgeDistributionEdgeDistribution

    Content

    Engine

    Content

    switch

    Content

    switchSSL

    IDC Security Highlights

    Core, Distribution, Access model

    Resilience at layer 2 and 3

  • 8/13/2019 Mahajan Security for Sp

    168/188

    1681681682003, Cisco Systems, Inc. All rights reserved.SP Security

    Uses Scaling Modules

    Provides Baseline Content Services

    Access: Layer 2 VLAN separation

    Distribution: Aggregate VLANs,

    routing and layer 3 filtering

    Core: Provides L3 connectivityModule 3

    Secure Data Center Design

    Spoof Mitigation

    (D)DoS Rate-Limiting

    Spoof Mitigation

    (D)DoS Rate-Limiting

    Stateful Packet FilteringStateful Packet Filtering

    Host IDS LocalAttack

    Mitigation

    Host IDS LocalAttack

    Mitigation

    InfrastructureServices