How an ISP handles and solves network security issues

How an ISP handles and solves network security issues - 7th TWNIC OPM 2006/11/23, Taipei. 許至凱, Communication Network Department, Engineering Division, Support Group, [email protected]

TRANSCRIPT

  • 1. How an ISP handles and solves network security issues - 7th TWNIC OPM 2006/11/23, Taipei, [email protected]
  • 2. Agenda (http://www.seed.net.tw)
      • ISP security profile
      • Control plane security
      • Data plane security
      • Reference
  • 3. ISP security profile
      • Two positions at which to implement security: the physical position and the logical position
      • At the logical level, deploy security mechanisms on the control plane and on the data plane
  • 4. ISP security profile
      • Control plane: management and routing protocol traffic
      • Data plane: IP/MPLS packets
  • 5. Control plane security: security issues on an ISP router
      • Secure the router
      • Keep the routing information secure
      • Event logging
  • 6. Control plane security: secure the router
      • Keep unauthorized traffic away
          • Router ACLs for telnet/ssh/IGP/BGP
          • Out-of-band management
          • Rate-limit the traffic forwarded to the control plane (ICMP/UDP)
      • Use AAA when accessing the router: authentication, authorization, auditing
  • 7. Control plane security: keep the routing information secure
      • Authenticated routing exchange (MD5)
      • Authenticate the route prefix: RADB, bogon lists (Cymru bogon list, CompleteWhois bogon list)
      • Check the number of route prefixes: BGP prefix limitation
  • 8. Control plane security: RADB
  • 9. Control plane security: RADB
  • 10. Control plane security: RADB query
      > whois -h whois.radb.net 139.175/16
      route:      139.175.0.0/16
      descr:      Digital United Inc. (seednet)
                  No. 220, Gangchi road, Nei-Hu district, Taipei, Taiwan, 11444
      origin:     AS4780
      admin-c:    KH54-AP
      tech-c:     KH54-AP
      notify:     [email protected]
      mnt-by:     MAINT-AS4780
      changed:    [email protected] 20031009
      changed:    [email protected] 20060605 #02:46:26(UTC)
      source:     RADB
  • 11. Control plane security: bogon list (Cymru bogon list)
  • 12. Control plane security: bogon list (Cymru bogon list)
  • 13. Control plane security: bogon list (Cymru bogon list)
  • 14. Control plane security: bogon list (CompleteWhois bogon list)
  • 15. Control plane security: bogon list (CompleteWhois bogon list)
  • 16. Control plane security: BGP prefix limitation
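As an added example (not from the slides), the route-prefix checks of slide 7 in Python: it parses RPSL route objects in the whois format shown on slide 10, then accepts a neighbour's announcements only when the prefix is not on the bogon list, has a route object whose origin AS agrees, and the announcement count stays under a maximum-prefix limit. The whois text, bogon list and announcements are constructed samples.

```python
import ipaddress

# Constructed whois output (not a live query); the field layout follows the route object on slide 10.
SAMPLE_WHOIS = """\
route:      139.175.0.0/16
descr:      Digital United Inc. (seednet)
origin:     AS4780
mnt-by:     MAINT-AS4780
source:     RADB

route:      203.0.113.0/24
descr:      constructed customer route object
origin:     AS64500
mnt-by:     MAINT-EXAMPLE
source:     RADB
"""

# Constructed bogon list: reserved space that must never be announced or accepted.
BOGONS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "192.0.2.0/24")]

def parse_route_objects(text):
    """Parse blank-line separated RPSL route objects into {network: {origin ASNs}}."""
    objects = {}
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "route" in fields and "origin" in fields:
            net = ipaddress.ip_network(fields["route"])
            objects.setdefault(net, set()).add(fields["origin"].upper())
    return objects

def validate_update(announced, route_objects, max_prefix, bogons=BOGONS):
    """Apply the slide 7 checks to a neighbour's (prefix, origin AS) announcements.
    Returns (accepted prefixes, {rejected prefix: reason})."""
    if len(announced) > max_prefix:
        # Maximum-prefix exceeded: the BGP session is torn down, so nothing is accepted.
        return [], {p: "prefix-limit-exceeded" for p, _ in announced}
    accepted, rejected = [], {}
    for prefix, origin in announced:
        net = ipaddress.ip_network(prefix)
        if any(net.subnet_of(b) for b in bogons):
            rejected[prefix] = "bogon"
        elif net not in route_objects:           # an exact-match route object is required
            rejected[prefix] = "no-route-object"
        elif origin.upper() not in route_objects[net]:
            rejected[prefix] = "origin-mismatch"
        else:
            accepted.append(prefix)
    return accepted, rejected
```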
  • 17. Control plane security: event logging
      • Router events: log everything crucial in your router to a log server
      • Routing events
          • IGP events: LSA history, routes add/withdrawn history
          • BGP events: routes add/withdrawn
  • 18. Control plane security: router events. Log everything crucial in your router to a log server, for example:
      Nov 21 06:25:27: %SONET-4-ALARM: POS2/3: SLOS
      Nov 21 06:25:29: %LINK-3-UPDOWN: Interface POS2/3, changed state to down
      Nov 21 06:25:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface POS2/3, changed state to down
      Nov 21 06:26:42: %SONET-4-ALARM: POS2/3: SLOS cleared
      Nov 21 06:26:44: %LINK-3-UPDOWN: Interface POS2/3, changed state to up
      Nov 21 06:26:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface POS2/3, changed state to up
  • 19. Control plane security: routing events. IGP events: LSA history, routes add/withdrawn history (diagram: Area 0 and a local area joined by an ABR, a RIP ASBR, LSAs flooded between the routers, and an LSA log sent to the log server)
  • 20. Control plane security: routing events. BGP events: routes add/withdrawn (diagram: AS100, AS200 and AS300 peering, with a BGP update log sent to the log server)
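An added example, not part of the deck, of what a log server can do with the router events of slides 17 and 18: it parses Cisco-style syslog records like those on slide 18 and flags an interface whose %LINK-3-UPDOWN down events cluster in time, i.e. a flapping link that deserves investigation. The log excerpt is constructed; the second down/up pair and the POS1/0 line are added so the check has something to find.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed excerpt modelled on slide 18; the second down/up pair and the POS1/0 line
# are added so that the flap check has something to find.
SAMPLE_LOG = """\
Nov 21 06:25:27: %SONET-4-ALARM: POS2/3: SLOS
Nov 21 06:25:29: %LINK-3-UPDOWN: Interface POS2/3, changed state to down
Nov 21 06:25:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface POS2/3, changed state to down
Nov 21 06:26:42: %SONET-4-ALARM: POS2/3: SLOS cleared
Nov 21 06:26:44: %LINK-3-UPDOWN: Interface POS2/3, changed state to up
Nov 21 06:26:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface POS2/3, changed state to up
Nov 21 06:30:01: %LINK-3-UPDOWN: Interface POS2/3, changed state to down
Nov 21 06:30:09: %LINK-3-UPDOWN: Interface POS2/3, changed state to up
Nov 21 06:31:00: %LINK-3-UPDOWN: Interface POS1/0, changed state to down
"""

# Cisco-style record: "<timestamp>: %FACILITY-SEVERITY-MNEMONIC: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d): %(?P<fac>[A-Z]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): (?P<msg>.*)$")
LINK_RE = re.compile(r"Interface (?P<ifname>\S+), changed state to (?P<state>up|down)")

def parse_syslog(text, year=2006):
    """Return (timestamp, facility, severity, mnemonic, message) tuples; the lines carry no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not match the record format are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["fac"], int(m["sev"]), m["mnem"], m["msg"]))
    return events

def link_flaps(events, window_s=600, min_downs=2):
    """Return {interface: total down transitions} for interfaces with at least min_downs
    %LINK-3-UPDOWN 'down' events inside any window_s-second window (a flapping link)."""
    downs = defaultdict(list)
    for ts, fac, _sev, mnem, msg in events:
        lm = LINK_RE.search(msg) if (fac, mnem) == ("LINK", "UPDOWN") else None
        if lm and lm["state"] == "down":
            downs[lm["ifname"]].append(ts)
    flapping = {}
    for ifname, times in downs.items():
        times.sort()
        for i in range(len(times) - min_downs + 1):
            if (times[i + min_downs - 1] - times[i]).total_seconds() <= window_s:
                flapping[ifname] = len(times)
                break
    return flapping
```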
  • 21. Data plane security: security issues in the ISP network
      • Prevent unauthenticated packet flows
      • Prevent denial of service attacks
  • 22. Data plane security: prevent unauthenticated packet flows
      • From the Internet: source addresses on the bogon list; source address spoofing
      • To the Internet: source address spoofing
      • Unicast Reverse Path Forwarding (uRPF)
  • 23. Data plane security: prevent denial of service attacks
      • Black hole: drop packets from some BGP nodes
      • Sink hole: redirect packets to a special node
  • 24. Data plane security: black hole. DDoS attack happened!!! (diagram: AS100, AS200, AS300)
  • 25. Data plane security: black hole. Drop packets from some BGP nodes (diagram: AS100, AS200, AS300)
  • 26. Data plane security: sink hole. DDoS attack happened!!! (diagram: AS100, AS200, AS300)
  • 27. Data plane security: sink hole. DDoS attack happened!!! Some commands are sent to the border router (diagram: AS100, AS200, AS300)
  • 28. Data plane security: sink hole. Redirect packets to a special node (diagram: AS100, AS200, AS300)
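An added example covering slides 22 to 28 (it is not the deck's own material): a simulated border router that applies bogon source filtering and strict uRPF on ingress, forwards by longest-prefix match, and whose blackhole() installs the victim /32 with a next-hop that resolves to Null0, which is what a blackhole or sinkhole router announces over BGP so that the border drops the attack traffic. The FIB, bogon list, interface names and addresses are all constructed.

```python
import ipaddress

NULL0 = "Null0"  # the discard interface

# Constructed border-router FIB: prefix -> egress interface, or a next-hop address
# (resolved recursively). Not SeedNet's real routing table.
FIB = {
    "139.175.0.0/16": "POS2/3",   # the ISP's own space, towards the core
    "203.0.113.0/24": "Gi1/0",    # a directly attached customer
    "0.0.0.0/0":      "POS1/0",   # default route towards the upstream
    "192.0.2.1/32":   NULL0,      # static discard route used as the blackhole next-hop
}
BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "192.0.2.0/24"]  # constructed bogon list

class BorderRouter:
    def __init__(self, fib, bogons):
        self.fib = {ipaddress.ip_network(p): v for p, v in fib.items()}
        self.bogons = [ipaddress.ip_network(b) for b in bogons]

    def lookup(self, addr):
        """Longest-prefix match; returns the FIB entry value or None."""
        a = ipaddress.ip_address(addr)
        hits = [n for n in self.fib if a in n]
        return self.fib[max(hits, key=lambda n: n.prefixlen)] if hits else None

    def egress(self, addr):
        """Resolve an address to an interface; next-hop addresses are resolved recursively."""
        v = self.lookup(addr)
        if v is None:
            return NULL0
        return self.egress(v) if "." in v else v   # a dotted value is a next-hop address

    def forward(self, src, dst, ingress):
        """Return the egress interface for a packet, or a 'drop: ...' reason (slides 22-23)."""
        if any(ipaddress.ip_address(src) in b for b in self.bogons):
            return "drop: bogon source"
        # Strict uRPF: the reverse path to the source must leave via the ingress interface.
        # (On an upstream link carrying a default route this passes every source; operators
        # run loose mode there, so the strict check mainly protects customer-facing interfaces.)
        if self.egress(src) != ingress:
            return "drop: uRPF source spoofing"
        out = self.egress(dst)
        return "drop: blackholed" if out == NULL0 else out

    def blackhole(self, victim_prefix, nexthop="192.0.2.1"):
        """Install the route a blackhole/sinkhole router announces over BGP for the victim:
        its next-hop resolves to the Null0 static route, so the traffic is discarded at the border."""
        self.fib[ipaddress.ip_network(victim_prefix)] = nexthop
```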
  • 29. Reference
      • Books: ISP Essentials, http://www.ciscopress.com/title/1587050412
      • Papers: Operational Security Current Practices, http://www.ietf.org/internet-drafts/draft-ietf-opsec-current-practices-07.txt
      • Web sites: http://www.nanog.org/subjects.html#S , http://www.cymru.com/Bogons/ , http://www.completewhois.com/bogons/
  • 30. Questions & Comments? sees your needs