
ISP Security - TERENA · Michael Behringer · © 1999, Cisco Systems, Inc.

Date post: 29-May-2020

1Presentation_ID © 1999, Cisco Systems, Inc.

ISP Security

Michael Behringer <[email protected]>


The Internet Today

• NetAid’s October 9th Event

System architecture:

- for 60 million hits per hour

- just over 16,000 transactions per second

- to support 50,000,000 users over a multi-day event

Consistent probes and attacks!!

What do ISPs need to do?

• Protect themselves

• Help protect their customers from the Internet

• Protect the Internet from their customers


ISP Security - Agenda -

• Hacking and Attacks… what the bad guys do

• Network Element Security… routers, switches, etc.

• Network Security… design, routing, filtering, etc.

• Incident Handling… working with customers, other ISPs, CERTs, etc.


Hacking and Attacks


Types of Attacks

• Location of Attacks: Layer 1 - 7

                     Gets Access    Gets no Access

Authorised User                     DoS

Unauthorised User    Intrusion


Network Element Security


• No unnecessary services

• Secure Access (IPsec, SSH, OOB)

• AAA on device

• Secure management (SNMP, syslog, TFTP server, ...)

• Site security


Network Security


• Packet filtering / RPF

• Routing:

prefix / prefix length / AS path filtering

peer authentication (!)

dampening

• Redundancy (for availability)

• Netflow, syslog, SNMP, security audit

• Rate limiting: ICMP, maybe UDP

• Secure Management / Site Security
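
Two of the checks named on this slide, strict-mode RPF and prefix / prefix-length filtering, sketched as an added Python example that is not part of the original presentation. The FIB entries, interface names, documentation-range addresses and the /24 length limit are constructed assumptions.

```python
import ipaddress

# Constructed sample FIB: (prefix, interface the best route points out of).
FIB = [
    ("0.0.0.0/0", "upstream0"),
    ("192.0.2.0/24", "cust1"),
    ("198.51.100.0/25", "cust2"),
]

def lookup(fib, addr):
    """Longest-prefix match; returns the outgoing interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def rpf_accept(fib, src, in_iface):
    """Strict RPF: accept only if the route back to src uses in_iface."""
    return lookup(fib, src) == in_iface

def prefix_accept(announced, allowed, max_len=24):
    """Accept a route only if it sits inside a prefix registered for the
    peer and is no more specific than max_len (assumed policy value)."""
    net = ipaddress.ip_network(announced)
    if net.prefixlen > max_len:
        return False
    return any(net.subnet_of(ipaddress.ip_network(a)) for a in allowed)

if __name__ == "__main__":
    # Constructed packets: (source address, arrival interface).
    for src, iface in [("192.0.2.10", "cust1"), ("203.0.113.5", "cust1"),
                       ("198.51.100.200", "cust2"), ("192.0.2.10", "upstream0")]:
        print(src, iface, "pass" if rpf_accept(FIB, src, iface) else "drop")
    # Constructed announcements from the cust1 peer.
    for route in ["192.0.2.0/24", "192.0.2.128/25", "203.0.113.0/24", "0.0.0.0/0"]:
        print(route, "accept" if prefix_accept(route, ["192.0.2.0/24"]) else "reject")
```

Strict mode assumes symmetric routing on the interface, so it fits single-homed customer edges; on multihomed links it can drop legitimate traffic.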


Incident Handling


How an ISP Detects an Incident

• Technical:

Intrusion Detection Systems

Network monitoring

syslogs, SNMP, netflow, ... (plus evaluation s/w)

• Non-Technical

Alert from customer / ISP / 3rd party

Alert from a CERT


What To Do in an Incident

• Alarm (customers, ISPs, CERTs, …)

• Block the attack (if possible)

Access lists, CAR, IDS

• Trace the attacker

routing, syslog, netflow

• Notify authorities, gather evidence


Wrap Up and Summary


There is no 100% Security

The first day of summer vacations is the best example of a DDoS attack against the highway system

