Security today - PowerPoint PPT Presentation

1
Security today
  • 10/15/2004
  • Ruri Hiromi/Intec NetCore, Inc.
  • (hiromi_at_inetcore.com)

2
Index
  • 1. Lecture overview
    ISPs today have to fight various kinds of security attacks. In this lecture,
    a classification of the threats and basic principles for designing network
    topologies that protect against such attacks are described; then practical
    know-how on how to build the network and run it safely is discussed.
  • 2. Sharing security
    o attack/threat classification
    o concerns about legal/political matters
    o Japanese situation (DSL carrier and ISP)
  • 3. Consider ISP network
  • 4. Supportive info
  • 5. Movement at user side
    o security model

3
Introduction, who I am
  • Name: Ruri Hiromi
  • Work for: AS2915/2713 (setting up an ISP), AS9609 (setting up a DSL
    company), AS18146 (setting up an R&D company)
  • Intec NetCore, Inc. (http://www.inetcore.com/e/index2.html), as a senior
    researcher
  • Area: IPv6 R&D, mainly IPv6 security model
  • draft-kondo-quarantine-overview-01.txt,
    http://www.wide.ad.jp/project/security-j.html
  • E-Mail: hiromi_at_inetcore.com
4
Today's goal
  • Scope
  • Target: a large-scale network, an ISP network
  • Network security
  • Next-generation security model
  • Operational trend
  • Out of scope
  • Target: home, SOHO (small/mid enterprise) network
  • Machine, device and data security
  • Firewall/IDS/IPS themselves
  • Virus checkers and other software techniques
  • Spam-related things
  • Social engineering, human management
  • Consider both IPv4 and IPv6 networks
  • With a slight focus on IPv6

5
Sharing security
6
Threats (1)
  • Break into the system
  • Falsification of data
  • Data leakage
  • Computer virus
  • SPAM
  • DoS

7
Threats (2)
Complete this chart!
  • Account intrusion
  • Tapping
  • Unauthorised access
  • Man-in-the-middle attack
  • Translation and tunneling mechanism
  • ARP and DHCP attacks
  • Header manipulation and fragmentation
  • Phishing
  • Bug attack
  • Worm
  • Virus
  • Port scan
  • Smurf
  • Spoof
  • Sniffing
8
Attacks reported by enterprises
From a 2004 governmental report:
  • Virus, worm
  • 3rd party relay
  • Phishing (WEB)
  • Falsification of data, DB
  • DoS attack
  • Server break down
  • IP/mail address fake
  • Steal passwd
  • Sniff, tapping
  • Data leaking
  • Unauthorized access
  • Social engineering
  • War dialing (modem scan)
  • Data loss by natural disaster
  • Abuse, complaint on web
  • Other
9
Japanese telecommunication situation
  • International
  • Convention on Cybercrime
  • Regulations
  • Telecommunications Business/Service Law
  • Unauthorized computer access law
  • Law protecting personal information
  • Law protecting ISP rights for recompense
  • Law authorizing wiretaps in investigations involving organized crime
  • (SPAM act? to come?)

10
Consider ISP network
11
Design
  • Service estimation
  • Budget, cost estimation
  • Location (POP, NOC, IX, etc.)
  • Line and topology
  • IP address assignment
  • Logical network topology
  • Backup and redundancy
  • Backdoor
  • Equipment
  • Management accounts, etc.
  • Security consideration! Define a network security policy

12
An example of a large ISP in Japan
Physical connection of IPv6 network
13
Inside ISP Network
14
Required Treatment
[Diagram: ISP network with the segments User-access-Segment (Access provider),
User(ISP)-Segment, User Service-Segment and the link To Upstream/peering
(AS9999); the treatments marked on it are IDS/IPS, configuration, peering
management, filtering, monitoring, Securing BGP, operation management, Server
protection, User education, device management, User management, Secure
provisioning, Load balancer and Traffic shaping.]
15
Router/routing protection (1)
  • Avoid incorrect configuration of routing and network interfaces
  • Securing BGP
  • S-BGP
  • soBGP (Secure Origin BGP)
  • IRV (inter-domain validation) / AT&T research
  • Secure path vector / CMU

16
Router/routing protection (2)
  • Filtering
  • Bogons
  • Martians
  • AS path
  • Special cases?

17
Router/routing protection (3)
  • BGP advertisement
  • Recognize your users, peers, private AS numbers, and which prefix each may
    announce
  • RFC 3682 GTSM (The Generalized TTL Security Mechanism) -- BGP TTL sanity
    check
  • MD5 check of BGP speakers
  • ACL (access control list)
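An added example (not from the presentation) of the inbound route filter that slides 16 and 17 describe, in Python: each received announcement is checked against a martian list, a bogon list, a maximum prefix length, the expected neighbor AS, an AS-path loop and private AS numbers. The martian and bogon networks, the AS numbers and the prefixes are constructed for illustration; a live bogon list changes over time and must be refreshed.

```python
import ipaddress

# Constructed IPv4 prefix filter for one ISP border router (illustration only).
# Martians: reserved/private ranges that must never appear in a global table.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
# Bogons: space unallocated at the time (1.0.0.0/8 was unallocated in 2004);
# a stand-in for the live bogon list the slides point to.
BOGONS = [ipaddress.ip_network("1.0.0.0/8")]
MAX_PREFIX_LEN = 24          # reject anything more specific than a /24
MY_AS = 9999                 # the AS number used in the slides' diagram


def private_asn(asn):
    """RFC 1930 private AS number range."""
    return 64512 <= asn <= 65535


def check_announcement(prefix, as_path, expected_neighbor_as):
    """Return (accept, reason) for one received IPv4 BGP announcement.

    prefix: "a.b.c.d/len"; as_path: list of ASNs, leftmost = the neighbor."""
    net = ipaddress.ip_network(prefix, strict=False)
    if any(net.subnet_of(m) for m in MARTIANS):
        return False, "martian prefix"
    if any(net.subnet_of(b) for b in BOGONS):
        return False, "bogon prefix"
    if net.prefixlen > MAX_PREFIX_LEN:
        return False, "prefix too long"
    if not as_path or as_path[0] != expected_neighbor_as:
        return False, "path does not start with neighbor AS"
    if MY_AS in as_path:
        return False, "AS path loop"
    if any(private_asn(a) for a in as_path):
        return False, "private AS in path"
    return True, "ok"


if __name__ == "__main__":
    # Constructed announcements from a peer in AS 64496.
    for pfx, path in (("198.51.100.0/24", [64496, 64497]),
                      ("192.168.1.0/24", [64496]),
                      ("198.51.100.0/24", [64496, 65000])):
        print(pfx, path, check_announcement(pfx, path, 64496))
```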

18
Router/routing protection (4)
  • Traffic shaping, policing
  • Unicast Reverse Path Forwarding (uRPF)
  • Discards packets whose source address is missing from, or violates, the
    routing table
  • Checks the source address and incoming interface against the routing
    table (strict mode)
  • Discards suspected packets, then propagates the discard information to
    other routers (loose mode)
  • Triggered black hole filtering
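An added example (not from the presentation) of the uRPF check from this slide, in Python: a packet's source address is looked up in a constructed forwarding table; strict mode requires the best route back to the source to point out the ingress interface, loose mode only requires that some route exists, and a route to null0 (the discard route used by triggered black hole filtering) drops in both modes. The interface names and prefixes are constructed.

```python
import ipaddress

# Constructed forwarding table for one router: prefix -> outgoing interface.
# "null0" is the discard route used by triggered black hole filtering.
FIB = {
    "0.0.0.0/0":       "Serial1/0",   # default route towards upstream
    "198.51.100.0/24": "Serial1/0",   # a peer's prefix
    "203.0.113.0/24":  "Gig0/1",      # our customer segment
    "192.0.2.0/24":    "null0",       # black-holed attack source
}
FIB_NETS = {ipaddress.ip_network(p): ifc for p, ifc in FIB.items()}


def lookup(src):
    """Longest-prefix match of src; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, ifc in FIB_NETS.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best


def urpf_accept(src, ingress_ifc, mode="strict", default_allowed=False):
    """uRPF decision for a packet with source src arriving on ingress_ifc.

    strict: the best route back to src must leave via ingress_ifc.
    loose:  any route to src suffices, except a null0 (discard) route.
    A match on the default route only counts when default_allowed is set."""
    hit = lookup(src)
    if hit is None:
        return False
    net, ifc = hit
    if ifc == "null0":
        return False                    # discard route: drop in both modes
    if net.prefixlen == 0 and not default_allowed:
        return False                    # only the default route matched
    if mode == "strict":
        return ifc == ingress_ifc
    return True


if __name__ == "__main__":
    # A customer address arriving from upstream is a spoof under strict mode.
    print(urpf_accept("203.0.113.7", "Serial1/0"))           # False
    print(urpf_accept("203.0.113.7", "Serial1/0", "loose"))  # True
    print(urpf_accept("192.0.2.5", "Serial1/0", "loose"))    # False (null0)
```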

19
Router/routing protection (5)
  • Authentication/authorization/accounting/certification
  • Authenticate all user access
  • Authenticate individual users
  • Disable/enable local accounts
  • Define privilege levels
  • No default passwords
  • No hopping to control ports

20
Filtering
  • Filter traffic to a device
  • For example, allow only BGP peers, and SNMP and ssh connections from the
    authorized segment.
  • Filter traffic through a device
  • Route filter
  • Filter on protocols/addresses/header fields
  • Filter inbound/outbound
  • Stateless packet filter

21
Example (URL block at router)
- In an effort to block urls and websites, I have created the following
  service-policy 'block_sites':

    Policy Map block_sites
      Class NBAR_BLOCK
        police cir 100000 bc 2000 be 2000
          conform-action drop exceed-action drop violate-action drop

  The class-map NBAR_BLOCK is:

    Class Map match-any NBAR_BLOCK (id 10)
      Match protocol http host "dcn.yahoo.co"
      Match protocol http url "default.ida"
      Match protocol http url "cmd.exe"
      Match protocol http url "root.exe"
      Match protocol http host "aboutclicker"

- The service policy was applied on the serial interface to another AS:

    interface Serial11/1/0
     description "INTERNET-1st-LINK"
     ip address 1.1.1.1 255.255.255.252
     ip access-group UDP in
     ip access-group UDP out
     no ip redirects
     no ip proxy-arp
     ip nat outside
     no ip mroute-cache
     load-interval 30
     service-policy input block_sites
     service-policy output block_sites
     serial restart_delay 0
     no cdp enable
    end
22
Rate limits
  • Control bandwidth per user
  • Throttle based on protocol, src/dst IP address, src/dst port, interface
  • Which direction: inbound/outbound/both?
  • Protocol: IP, ICMP, UDP/TCP
  • Bit status: SYN, SYN-ACK, RST

23
With other techniques
  • SW/Quarantine network
  • For endpoint security
  • Mainly authenticated VLAN
  • Load balancer
  • Traffic shaper

24
Backup and backdoor
  • Remote configuration backup
  • Remote configuration restore

25
Redundancy
  • Cold/hot standby
  • Supporting protocol
  • Keep it managed at all times!

26
Other services on router/switch
  • DNS
  • NTP
  • SNMP
  • NetFlow, cflow, etc.
  • XML
  • Syslog

27
Peering management
  • Peering agreement
  • Peering list
  • Set your peering policy?

28
Configuration
  • Take care of vulnerabilities
  • Stable, bug-fixed version of the OS
  • Test/aging
  • Keep a backup file and your own backup method

29
Device management
  • Equipment list
  • Logical/physical network map
  • Who is in charge of the device?

30
Server protection
  • Appropriate daemon
  • In the case of mail (3rd party relay)
  • Client settings by SMTP AUTH, POP before SMTP, envelope-from checks, etc.
  • List control (white, black, grey)
  • SPF
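An added example (not from the presentation) of the mail-relay measures on this slide, in Python: a minimal SPF evaluator that handles the ip4, ip6, include and all mechanisms, combined with the authenticated-client rule (SMTP AUTH / POP before SMTP) into one relay decision. The SPF records are constructed and stand in for DNS TXT lookups, so the code runs offline; the domains and addresses are documentation ranges.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (no network needed).
SPF_RECORDS = {
    "example.net": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:10::/48 -all",
    "example.org": "v=spf1 ip4:203.0.113.5 ~all",
    "example.com": "v=spf1 include:example.net -all",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(sender_ip, domain, depth=0):
    """Evaluate sender_ip against the SPF record of the envelope-from domain.

    Returns pass / fail / softfail / neutral / none. Only ip4, ip6, include
    and all are implemented; depth bounds include recursion."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return RESULT[qualifier]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return RESULT[qualifier]
        elif mech == "include":
            if spf_check(sender_ip, arg, depth + 1) == "pass":
                return RESULT[qualifier]
    return "neutral"                     # no mechanism matched


def accept_for_relay(sender_ip, mail_from_domain, authenticated):
    """Relay policy: authenticated clients may relay; an unauthenticated
    client is relayed only when the envelope-from domain's SPF passes."""
    if authenticated:
        return True
    return spf_check(sender_ip, mail_from_domain) == "pass"


if __name__ == "__main__":
    # A host outside example.net's published senders is refused as a relay.
    print(spf_check("203.0.113.9", "example.net"))               # fail
    print(accept_for_relay("203.0.113.9", "example.net", False))  # False
```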

31
IDS/IPS
  • For protection of the server segment
  • As a user service
  • For user support

32
Secure provisioning
  • SNMP
  • SNMPv3
  • public community
  • Read/Write community
  • Uniform procedure

33
monitoring
  • Server/router logs
  • Traffic usage
  • Link
  • operation

34
Operation management
  • Record all operations
  • NMS
  • Operator training
  • Learn hot skills
  • Up-to-date techniques/knowledge

35
User management
  • Provide your network service information
  • Education
  • AUP?
  • Security
  • Network Manner

36
Issues still remaining
  • Define your policy
  • IPsec-encrypted traffic?
  • Mobility?
  • Thin client/non-intelligent device

37
Supportive information
38
RFC 3871
  • Operational Security Requirements for Large ISP IP Network Infrastructure
  • The appendix is useful for architecture design

39
Useful free tools for network operation
  • Monitor
  • MRTG
  • BB
  • Ghost route hunter
  • Configuration
  • Bogon list
  • Coordination
  • IRR
  • Looking glass

40
Human communication
  • Network operators group
  • CERT/CC
  • Registry
  • IETF
  • (government?, UN?)
  • ML/web site
  • https://puck.nether.net/mailman/listinfo/
  • http://www.cymru.com/
  • http://www.cidr-report.org/
  • http://www.potaroo.net/

41
From vendor
  • http://www.juniper.net/techpubs/software/nog/
  • Cisco ACL http://www.cisco.com/warp/public/707/iacl.html
  • http://www.ispbook.com/ (cisco)

42
Movement at user side
43
Recent problems on firewalls
  • Problems of border defence
  • Traffic volume and packet inspection
  • Encrypted end-to-end connections
  • Quick response and filtering rule updates
  • Changes in the network technology/environment
  • Mobility
  • Home LAN
  • VPN
  • New applications

44
Next-generation firewall?
The firewall checks policy on every client before it gets on the network, and
grants admission to use the network.
45
Post-Firewall Models (1)
  • Distributed firewall
  • Every node has a fw function
  • No network border between trusted and untrusted
  • Exchange node information on the trusted network
  • AT&T? Euro6
  • Moving firewall
  • Protects against DDoS in a fw hierarchy
  • A FW inspects the DDoS, then sends protection info to other firewalls to
    stop it
  • NTT
  • FireBreak
  • Put a firebreak box at the edge of the firebreak ring
  • Traffic inspection and stop
  • Paul Francis, Cornell University

46
Moving firewall
From resonant, NTT
47
Post-Firewall Models (2)
  • Authenticated VLAN
  • Each VLAN group has a security policy
  • Dynamic VLAN-ID matching by security policy
  • Alcatel, etc.
  • NAC (Network Admission Control)
  • Nodes have a security agent
  • 802.1X VLAN authentication policy
  • Self-defence
  • Inspection, then separation
  • Cisco (and security vendors)

48
Post-Firewall Models (3)
  • Quarantine model
  • Each network segment has its own security policy
  • After quarantine, the node participates in a suitable network segment
  • A network policy server periodically checks node health
  • Once it goes wrong, the node is isolated
  • Some ISPs provide security solutions, virus checks and other features,
    as their customer service
  • - ISPs consider applying this to their network, especially the customer
    segment

49
Quarantine model
50
Estimation
51
Links
  • 1 http://download.zonelabs.com/bin/free/jp/enterprise/overviewIntegrity.html
  • 2 http://www.eurov6.org/
  • 3 http://www.ntt.co.jp/news/news03/0302/030218.html
  • 4 http://www.ind.alcatel.co.jp/technologies/i-vlan.html
  • 5 http://www.cisco.com/japanese/warp/public/3/jp/solution/netsol/security/nac/

52
transition period
53
IPv6 over IPv4 tunnel
Attach a tunnel server to your v4 network and you can reach the v6 world more
easily.
54
Tunnel broker
  • Auto-configuration mechanism
  • For setting up a tunnel between client and server
  • Intermediate config
  • Put the v4 address into the v6 address
  • (6over4, 6to4, ISATAP, Teredo)
  • Authenticate the client
  • Load balancing to other brokers
  • Dynamic DNS
  • Prefix advertisement
  • Notify DNS server address
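An added example (not from the presentation) of the "put the v4 address into the v6 address" step, in Python: it builds 6to4, ISATAP and Teredo addresses from an IPv4 address and recovers the embedded IPv4 address again, which is what a tunnel server's filter needs in order to apply the same bogon and uRPF-style source checks to tunneled traffic as to native IPv4. The prefixes, addresses and port are constructed from documentation ranges.

```python
import ipaddress


def sixtofour_prefix(v4):
    """6to4 (RFC 3056): 2002:WWXX:YYZZ::/48 for the IPv4 address W.X.Y.Z."""
    n = (0x2002 << 112) | (int(ipaddress.IPv4Address(v4)) << 80)
    return ipaddress.IPv6Network((n, 48))


def isatap_address(prefix, v4, global_v4=True):
    """ISATAP (RFC 4214): <64-bit prefix>:0:5efe:WWXX:YYZZ; the interface id
    starts with 0200 instead of 0000 when the IPv4 address is global."""
    net = ipaddress.IPv6Network(prefix)
    iid = ((0x0200 if global_v4 else 0) << 48) | (0x5efe << 32) \
        | int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def teredo_address(server_v4, client_v4, client_port):
    """Teredo (RFC 4380): 2001:0:<server>:<flags>:<port^ffff>:<client^ffffffff>."""
    flags = 0x8000                        # cone flag, as in RFC 4380
    n = (0x20010000 << 96) | (int(ipaddress.IPv4Address(server_v4)) << 64) \
        | (flags << 48) | ((client_port ^ 0xffff) << 32) \
        | (int(ipaddress.IPv4Address(client_v4)) ^ 0xffffffff)
    return ipaddress.IPv6Address(n)


def embedded_v4(v6):
    """Recover the IPv4 address carried in a 6to4, Teredo or ISATAP address,
    or None for a native IPv6 address."""
    a = ipaddress.IPv6Address(v6)
    n = int(a)
    if a.sixtofour is not None:           # 2002::/16
        return a.sixtofour
    if a.teredo is not None:              # 2001:0::/32 -> (server, client)
        return a.teredo[1]
    if (n >> 32) & 0xffffffff in (0x00005efe, 0x02005efe):   # ISATAP iid
        return ipaddress.IPv4Address(n & 0xffffffff)
    return None


if __name__ == "__main__":
    print(sixtofour_prefix("192.0.2.1"))                       # 2002:c000:201::/48
    print(isatap_address("2001:db8:1:2::/64", "192.0.2.1"))
    t = teredo_address("198.51.100.1", "192.0.2.1", 40000)
    print(t, embedded_v4(t))                                   # ... 192.0.2.1
```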

55
Transition docs
  • Important to see and consider network design from the security point of
    view
  • IETF v6ops
  • Transition scenarios
  • http://www.ietf.org/html.charters/v6ops-charter.html
  • IPv6 Promotion Council
  • http://www.v6pc.jp/en/wg/transWG/index.html

56
Exercise/Question
  • 1 Do you know your country's regulation about network operation?
    Describe your country's regulation.
  • 2 What has to be considered for security if the IP address has global
    reachability at the end site (customer side)?
  • 3 How do you set your policy for P2P network/traffic in the case of IPsec?
  • 4 What problem/harm is to be expected if we adopt the quarantine model at
    the customer segment?