Security in a Carrier Network - PowerPoint PPT Presentation

Slides: 10
Provided by: michae514

1
Security in a Carrier Network
  • Waqar Khan
  • Director, IP Network Architecture
  • Qwest Communication
  • April 1, 2003

2
Agenda
  • Carrier IP networks: History and background
  • Security issues facing Service Providers in
    general
  • Initiatives to protect the Qwest IP network
  • Service provider network evolution: New services
    driving new demands
  • Discussion: How do we design (redesign) networks
    based on lessons learned to mitigate security
    risks in light of sophistication of attacks, and
    new demands being placed on IP networks?

3
Carrier IP Networks: History and Background
  • Most of the major IP networks were built in
    the middle of the last decade with global (open)
    peering connectivity
  • IP networks were built primarily to provide
    Internet access for consumers and businesses (i.e.
    open, any-to-any connectivity)
  • Infrastructure security was important, but DDoS
    and other security attacks were not very
    prevalent
  • Best-effort packet delivery was good enough to meet
    most SLAs for the primary service, Internet
    transit (e.g. VPNs or VoIP services were not widely
    deployed on IP networks)

4
Security Issues
  • Today service providers are running many
    real-time, mission-critical applications like
    VoIP, ATM/FR and VPN on the IP backbone
  • The service provider network is the prime target
    for most external attacks
  • Anomalies: for one week in March 2003, Qwest saw
    over 900 anomalies across its IP backbone.
      • 150 anomalies were protocol violations that
        should not be seen on the Internet
      • The other 750 were anomalous bandwidth issues
        from dynamically baselined values
  • One SP's network instability affects other SP
    networks, e.g. BGP instabilities from one SP
    can affect all SPs through peering points
  • Type of attacks or security issues
      • Network attacks
      • Direct attacks
      • Spoofed attacks
      • Reflective attacks
      • Remotely controlled IRC bot networks
      • Worms
      • Viruses
  • Types of attacks
      • TCP SYN flood
      • ICMP
      • Fragmentation
      • BGP
      • UDP floods
  • What are they targeting?
      • IRC servers
      • Web servers
      • Backbone routers
      • DNS
          • Root name servers
          • Company name servers
      • SNMP
      • Syslog

5
Initiatives to protect the Qwest IP network
  • No silver bullet to prevent all attacks
  • One model to view security initiatives:
      • Monitoring / Detection
          • Netflow/cflowd monitoring systems
          • Detect DoS/DDoS type anomalies
          • Traffic routing instabilities
          • Customer / peer notification
          • Back scattering techniques
      • Mitigation
          • Bandwidth capacity
          • Blackhole filtering: destination / source
          • Extended ACLs: selectively block protocols
            and IP addresses
          • Rate limiting
          • Load distribution: local and global load
            balancing
          • Industry cooperation
      • Prevention
          • New/upgraded product requirements and testing
          • Policies and procedures
          • IP spoofing prevention techniques: uRPF, bogon
            filtering
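
An added example, not part of the original presentation: one way to flag bandwidth anomalies against a dynamically baselined value, the kind of check the Netflow/cflowd monitoring item refers to. The flow tuples, prefixes, thresholds and function names are constructed for illustration, and the EWMA baseline is an assumed technique, not a description of Qwest's systems.

```python
from collections import defaultdict

# Constructed flow summaries: (interval, destination prefix, bytes).
# Real input would be NetFlow/cflowd exports aggregated per interval.
FLOWS = (
    [(t, "192.0.2.0/24", b) for t, b in enumerate(
        [100, 110, 95, 105, 100, 98, 107, 102, 900, 950, 104, 99])]
    + [(t, "198.51.100.0/24", b) for t, b in enumerate(
        [50, 52, 49, 51, 50, 48, 53, 50, 51, 49, 52, 50])]
)

def per_prefix_series(flows):
    """Sum bytes per prefix and interval; return {prefix: [bytes, ...]}."""
    totals = defaultdict(lambda: defaultdict(int))
    for interval, prefix, nbytes in flows:
        totals[prefix][interval] += nbytes
    return {p: [by_t[t] for t in sorted(by_t)] for p, by_t in totals.items()}

def detect(series, alpha=0.2, k=4.0, warmup=5, floor=0.25):
    """Return indices of intervals that break the rolling baseline.

    The baseline is an exponentially weighted mean plus mean absolute
    deviation. A sample is anomalous when it lies more than
    max(k * dev, floor * mean) from the mean, in either direction,
    once `warmup` normal samples have been learned.
    """
    mean, dev, learned, hits = 0.0, 0.0, 0, []
    for i, rate in enumerate(series):
        if learned == 0:
            mean = float(rate)  # seed the baseline with the first sample
        band = max(k * dev, floor * mean)
        if learned >= warmup and abs(rate - mean) > band:
            hits.append(i)
            continue  # anomalous samples must not poison the baseline
        err = rate - mean
        mean += alpha * err
        dev += alpha * (abs(err) - dev)
        learned += 1
    return hits

def find_anomalies(flows):
    """Map each destination prefix to its list of anomalous intervals."""
    return {p: detect(s) for p, s in per_prefix_series(flows).items()}

if __name__ == "__main__":
    print(find_anomalies(FLOWS))
```

Skipping the baseline update on flagged intervals keeps a sustained flood from being learned as normal traffic; the `floor` term stops a very quiet prefix from alerting on small jitter.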

6
Industry Cooperation
  • One SP's network instability potentially affects
    other SP networks. Securing the network is a
    collaborative effort among all SPs.
  • NRIC: Network Reliability and Interoperability
    Council (www.nric.org)
  • SANS: System Admin, Audit, Network Security.
    Organization that creates industry best practices
    and provides security training. Runs the
    Internet Storm Center for early incident alerts
    and analysis. Acts as an Internet security
    information clearinghouse (www.sans.org).
  • CIS: Center for Internet Security. Works in
    conjunction with SANS to develop router
    configuration best practices (www.cisecurity.org).
  • NSP: National service provider organization that
    is an ISP forum to discuss immediate security
    issues, concerns and attacks.
  • Support and development of best practices, tools
    and documentation
      • Virus and worm attack signatures
      • Mitigation techniques
      • Router auditing tools
      • Industry best practices documents

7
Network evolution: New Demands
  • With the increasing sophistication of attacks on
    service provider networks, security of the network
    infrastructure is a major issue.
  • Service provider IP networks are now poised to serve
    as the transport infrastructure for traditional
    and new services like
      • VoIP
      • Router Frame Relay
      • ATM
      • MPLS based products
      • Different flavors of VPNs
      • Private line with circuit emulation
  • Such services on the IP backbone demand much more
    stringent SLAs and must be protected from
    general Internet instability
  • With the above-mentioned services on the SP IP
    backbone, Internet access may become a very small
    portion of total IP backbone traffic.
  • Security of both control and data planes is
    critical. So far most efforts are focused on
    data plane security

8
Discussion: Designing a secure network
  • Should SPs redesign existing networks to meet
    new security and application requirements OR
    build a new separate private network for services
    that do not require Internet access?
  • Redesigning the SP network to meet new security,
    SLA and application requirements can be achieved
    by
      • Isolating the data and control plane of private
        edge nodes from the Internet
      • Isolating the data plane of the core network
        nodes from the Internet
      • Protecting/isolating the control plane of the
        core infrastructure from the Internet
      • Protecting critical traffic in failure conditions
        (e.g. bandwidth reservation, pre-emption)
  • A separate private network can be built for
    non-Internet (On-net) traffic
      • Building a separate private network isolates
        this network from Internet instability (in theory)
      • Can a carrier network be truly private? (e.g.
        VoIP using SIP, off-net VPN access, remote users
        of VPNs: all these will need interconnections
        with other networks)
      • Is a separate network the most cost-effective
        solution?
      • Can such a separate network be completely secure
        from all the external attacks?
      • If providing Internet access to users of such a
        private network is a requirement, are we not
        opening it to external attacks?

9
Thank you!