SP Security – Threats and Best Practices
Anthony Kirkham (CCIE #1378, CISSP) [email protected]
© 2008 Cisco Systems, Inc. All rights reserved. 1
Cisco World Wide Security Best Practice Services
Agenda
– Introduction
– SP Threat Landscape
– IP NGN Security Framework
– SP Security Best Practices
  – Foundation device security
  – SP Security Techniques
– Closing Remarks
Introduction
Service Provider Security
The relentless exploitation of networks, systems, and subscribers has become a sophisticated global business.
1998: Hackers → 2008: Cybercrime Syndicates
For SPs, the network IS the business.
Security is a critical business consideration!!
Cybercrime Industry: In the Past
Diagram: Writers → Asset → End Value
– Writers: Tool and Toolkit Writers; Malware Writers (Worms, Viruses, Trojans)
– Asset: Compromise Individual Host or Application; Compromise Environment
– End Value: Fame; Theft; Espionage (Corporate/Government)
Cybercrime Industry: Today
Diagram: Writers → First Stage Abusers → Middle Men → Second Stage Abusers → End Value ($$$ Flow of Money $$$)
– Writers: Tool and Toolkit Writers; Malware Writers (Worms, Viruses, Trojans)
– First Stage Abusers: Hacker/Direct Attack; Machine Harvesting; Spyware Information Harvesting; Internal Theft: Abuse of Privilege
– Middle Men: Compromised Host and Application; Bot-Net Creation; Bot-Net Management: For Rent, for Lease, for Sale; Personal Information; Information Brokerage; Electronic IP Leakage
– Second Stage Abusers: Extortionist/DDoS-for-Hire; Spammer; Phisher; Pharmer/DNS Poisoning; Identity Theft
– End Value: Fame; Theft; Espionage (Corporate/Government); Extorted Pay-Offs; Commercial Sales; Fraudulent Sales; Click-Through Revenue; Financial Fraud
Security Mitigation Evolution – Phased Approach
Chart: stages plotted against increased profitability. Today: Regulate and Harden → Phase 1: Add Monitoring Tools → Phase 2: Add Mitigation Tools, Add Service Assurance.
Capabilities shown across the phases:
– Static access lists; Layer 3/4 firewalls; Device hardening; Secure passwords; Authentication; Authorization
– User awareness; Data mining; Resource monitoring; Event correlation; Lawful interception; Worm detection
– Per service policy control; Per user policy control; Content filtering; DoS protection; Virus prevention; Attack mitigation; Self-defending
– High availability; High resiliency; Guaranteed QoS; SLA assurance; New services
Security solutions can be deployed in phases to achieve increased visibility, control and profitability.
SP Threat Landscape
SP IP NGN Networks… Threats Against IP Networks
Network security traditionally focuses on confidentiality, integrity, and availability (CIA) in varying degrees.
Network convergence changes the importance of each of these areas. Availability increases in importance.
– Availability is no longer simply a binary “up/down” or “on/off” function. Other metrics must be considered, such as network latency caused by congestion and processing delays.
– Malicious traffic or non-malicious traffic (e.g. changes in the traffic patterns of one service, say Internet data) may affect another service, such as Voice over IP (VoIP) traffic traversing the same core routers but in a different “logical” services plane.
– Availability changes may disrupt the entire revenue model if high-value services cannot be run on a converged IP core that achieves CapEx and OpEx efficiencies.
SP IP NGN Networks… Threats to IP Networks (1/2)
Threat – Description
– Resource Exhaustion Attacks: A Denial-of-service (DoS) attack aims to make the target unavailable for its intended service. May be direct, transit, or reflection-based.
– Spoofing Attacks: An attack that uses packets that masquerade themselves with false data, such as the source IP address, to exploit a trusted relationship.
– Transport Protocol Attacks: Attacks that aim to prevent upper-layer communications between hosts, or to hijack established sessions in order to capitalize on any previous authentication measures, enabling eavesdropping and false data injection.
– Routing Protocol Attacks: Attacks that attempt to destroy the router’s or network’s ability to perform routing tasks and, thereby, prevent new routing protocol peering, disrupt current peering, or redirect traffic flows in an attempt to inject false information, alter existing information, or remove valid information for the purposes of corrupting user data.
SP IP NGN Networks… Threats to IP Networks (2/2)
Threat – Description
– Attacks against other IP Control Plane Services: Attacks against important control plane services such as DHCP, DNS, and NTP may affect network availability and operations.
– Unauthorized access Attacks: Attacks that attempt to gain unauthorized access to restricted systems and networks.
– Software Vulnerabilities: A software defect that, if exploited, may compromise the confidentiality, integrity and availability of the router and associated data plane traffic.
– Malicious network Reconnaissance: The process of gathering information about a target, often conducted in preparation for an attack. Enables the attacker to identify specific security weaknesses that may be exploited as part of a future attack.
Client Attacks – ‘Drive by Downloads’
1. Hacker compromises legitimate web site
2. Hacked Web Site
3. Victim with vulnerable browser
4. Legitimate connection to hacked web site
5. Browser Exploit (i.e. hidden iframe)
6. Victim’s PC compromised and owned ... then part of a botnet
The most common form of malware distribution on the Internet today.
DoS and DDoS
Diagram: Hacker → Masters → Zombies (on Customer’s Premises) → Victim behind the ISP Edge Router, whose pipe is flooded. Legend: Control traffic; Attack traffic.
Example Customer DoS Attack
Diagram: SP topology with Peer A, Peer B, IXP-W, IXP-E, Upstream A, Upstream B, POPs A–G and the NOC; attack traffic converges on the Target. Result: Target is taken out.
Example Customer DoS Attack – Collateral Damage
Diagram: same topology; the attack traffic aimed at the Target also hits other Customers on the path. Result: attack causes Collateral Damage.
Routers do get Directly Attacked
Diagram: same topology with a Sink Hole Network attached; a POP router is under attack via a spoofed TCP SYN Flood at the NTP Port.
DNS Reflection Attacks
Diagram: the attacker breaks into an innocent DNS server and publishes a big TXT record. The Botnet then sends queries with the victim’s source address to 30,000 – 500,000 open recursive DNS servers, which query and cache the record and return the large answers to the Victim. Approx 60:1 amplification factor.
Other SP Security Issues
– BGP Route Hijacking
– DNS Poisoning
– Internal Penetrations: Radius, OSS/BSS, Backend Systems, Internal Business Systems
– Compromised Routers: A huge number of compromised routers exist, mostly due to the poor use of security features. Miscreants commonly use ‘brute force’ techniques to crack accounts.
– IPv6 – Both the ‘same’ and ‘new’ security considerations. If IPv6 is enabled, have the same controls as IPv4 been deployed?
– Side effects of Internet Worms: No major event in recent times, still an area of concern for many. Stealth worms are very common and used for harvesting machines into botnets. ‘Noise Level’ is now far lower…
IP NGN Security Framework
SP IP NGN Networks… Secure platform framework
Diagram: the framework relates four elements.
– Security Principles: the two primary security principles of security policy deployment, VISIBILITY and CONTROL
– Security Actions: the essential actions that enable improved visibility and control: Identify, Monitor, Correlate (visibility); Harden, Isolate, Enforce (control)
– Security Roles and Methodologies: the development and monitoring of security policies and operations: Policies, Design, Deploy, Operate, Assess, Audit, Threat Models, Sec-Ops
– Business Relevance: customer-specific business goals, and the threats to goal attainment; aligns security systems and solutions to the business goals
Security enablers shown on the diagram (axes: Security Measures, Operational Excellence, Security Enablers): Clean Pipes, Access, Monitoring and Correlation, Network Foundation Protection, Service Control, Adaptive and Responsive, Privacy and Confidentiality, Automation and instrumentation, Secure Fail-Open Peering, Virtual Private Networks, Policy Enforcement, NetFlow, Event Correlation.
Creating Secure Infrastructures – Leveraging the IP NGN Security Framework
Cisco’s IP NGN Security Framework defines six key actions that enable service providers to deliver secure, reliable, and resilient services:
– Identify: Identify and Assign Trust Levels to Subscribers, Services, and Traffic
– Monitor: Monitor Performance, Behaviors, Events, and Compliance with Policies
– Correlate: Collect, Correlate, and Analyze System-Wide Events
– Harden: Harden the Transport, Services, and Application Infrastructures
– Isolate: Isolate Subscribers, Systems, and Services to Contain and Protect
– Enforce: Enforce Security Policies and Mitigate Security Events
Gain Total Visibility (Identify, Monitor, Correlate): Identity, Trust, Compliance, Event, and Performance Monitoring.
Assure Complete Control (Harden, Isolate, Enforce): Security Policy Enforcement and Event Mitigation.
Outcome: Secure, Reliable, and Resilient Services.
SP Security Techniques and Best Practices
– Device Security
– Making the core network unreachable
– Monitoring and security visualisation
– Mitigation Techniques
Router and Switch Security
Area – IOS Feature
– Device access: AAA, Secure Passwords, Secure Protocols – SSH
– Physical security: Physical access restrictions
– Services: Disable unused services – HTTP/HTTPS server
– Management: SNMP ACLs, Secure Passwords, Avoid SNMP-RW, SNMPv3
– Control Plane: Control Plane Policing, rACL (GSR), LPTS, MPP (CRS-1)
– BGP: Max Prefix, MD5 Authentication, GTSM, Prefix and AS Filters
Core Hiding – Making the Core Unreachable
Diagram: “outside” – provider edge – core – provider edge – “outside”
Two Techniques:
– Infrastructure ACLs (iACL)
– IS-IS Core Hiding
Concept: no traffic to the core, so it can’t be attacked. Prevents intrusions 100%. DoS: very hard, only with transit traffic.
Re-colour at edge: precedence 6/7 to 0-5.
ISIS Security
– Uses CLNS: Not attackable with IP!
– Non-IP traffic has higher priority in routers
– Routing on NSAP addresses: Can remove IP addressing!!
Best Practice: Hide infrastructure addresses
– Interface command “no isis advertise-prefix”
– Global IS-IS configuration command “advertise-passive-only”
– Prefixes removed from ISIS RIB!
Advantages: Security; Convergence time!!
“Normal” ISIS
hrnsplab-7507c#sh isis database detail
IS-IS Level-1 Link State Database
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
.
. <skip>
.
hrnsplab-12008.00-00  0x00003F00   0x54E3        697           0/0/0
  Area Address: 49.0010
  NLPID:        0xCC
  Hostname: hrnsplab-12008b
  Router ID:    9.0.0.16
  IP Address:   9.0.0.16
  Metric: 10         IP 9.0.1.4/30
  Metric: 10         IP 9.0.2.16/30
  Metric: 10         IP 9.0.2.0/30
  Metric: 10         IP 9.0.2.4/30
  Metric: 0          IP 9.0.0.16/32
  Metric: 10         IS-Extended hrnsplab-12008.00
  Metric: 10         IS-Extended hrnsplab-12008.00
  Metric: 10         IS-Extended hrnsplab-12008.00
  Metric: 10         IS-Extended hrnsplab-7507b.00
(can see infrastructure addresses)
ISIS with “advertise-passive-only”
hrnsplab-7507c#sh isis database detail
IS-IS Level-1 Link State Database
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
.
. <skip>
.
hrnsplab-12008.00-00  0x000040AA   0x7F15        1048          0/0/0
  Area Address: 49.0010
  NLPID:        0xCC
  Hostname: hrnsplab-12008b
  Router ID:    9.0.0.16
  IP Address:   9.0.0.16
  Metric: 0          IP 9.0.0.16/32
  Metric: 10         IS-Extended hrnsplab-12008.00
  Metric: 10         IS-Extended hrnsplab-12008.00
  Metric: 10         IS-Extended hrnsplab-12008.00
  Metric: 10         IS-Extended hrnsplab-7507b.00
(can see only loopbacks)
“advertise-passive-only” – Summary
– Link addresses not reachable from outside: cannot ping, telnet, etc.
– Loopbacks still reachable: need to filter with iACLs
– Traceroute still works (!!!): the IPs exist, and can be used as source. They are just not advertised!
Netflow
– Useful security tool
– Highly scalable: multi-gigabit speeds
– Seven Unique Keys: Source IP address, Destination IP address, Source port, Destination port, Layer 3 protocol type, TOS byte (DSCP), Input logical interface (ifIndex)
– Export and analyse flow information (Exported Data)
Visualization and Correlation Tools
Screenshot: event-correlation console showing the root cause of the problem; open the Meta-Event to see related alerts.
A DDoS Attack Scenario
Diagram: Other ISPs → Ingress Router → ISP Routers → Target 1 (under attack) and Target 2 (OK, but link congested).
Black Hole Routing
Diagram: same topology; traffic to Target 1 is black-holed at the ingress router, so Target 1 is isolated and Target 2 is OK.
Remote Triggered ‘Black Hole’ Routing
Diagram: a Trigger Router announces Target 1 via iBGP to the ingress routers; Target 1 is isolated, Target 2 is OK. Keeps the line to the customer clear, but the target host is still cut off completely.
Source Address – ‘Black Hole’ Routing
Diagram: Trigger Router via iBGP as before, but the drop is now based on SOURCE addresses. Detect and drop attack traffic at the ISP edge; legitimate traffic unaffected. Target 1 OK, Target 2 OK.
Dimensioning – Network Bandwidth Concepts and PPS Engineering
Chart: Packet Rate (PPS) against Packet Size (Bytes) on the wire (84, 200, 500, 1538). Reference points: 1,488,095 pps at 84 bytes down to 81,274 pps at 1538 bytes (Gigabit Ethernet line rate); 14,880,950 pps down to 812,740 pps (10 Gigabit Ethernet); and a 100,000 pps reference line.
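The arithmetic behind that chart, as an added Python example (not from the deck): line-rate packet counts follow from the 20 bytes of preamble, SFD and inter-frame gap every Ethernet frame costs on the wire, and a forwarding budget expressed in pps (the 100,000 pps figure is used here as an assumed device budget) is exhausted by surprisingly little bandwidth of small packets.

```python
# Added example: packet-rate arithmetic behind the "Dimensioning" chart.
# Assumptions: 20 bytes of wire overhead per frame (8 preamble/SFD + 12 IFG),
# so the chart's 84-byte and 1538-byte points are 64- and 1518-byte frames.
WIRE_OVERHEAD_BYTES = 20
GE, TEN_GE = 10**9, 10**10            # link speeds in bit/s

# Wire sizes used on the chart's x-axis.
CHART_WIRE_SIZES = (84, 200, 500, 1538)


def line_rate_pps(link_bps: int, wire_bytes: int) -> int:
    """Maximum packets/s a link carries when each packet occupies
    wire_bytes of line time (frame plus preamble and inter-frame gap)."""
    return link_bps // (wire_bytes * 8)


def frame_to_wire(frame_bytes: int) -> int:
    """Convert an L2 frame size (64 .. 1518) to its on-the-wire footprint."""
    return frame_bytes + WIRE_OVERHEAD_BYTES


def pps_curve(link_bps: int, wire_sizes=CHART_WIRE_SIZES) -> dict:
    """The chart's curve: line-rate pps for each wire size."""
    return {s: line_rate_pps(link_bps, s) for s in wire_sizes}


def bps_to_exhaust(device_pps: int, wire_bytes: int) -> int:
    """Offered load (bit/s) of wire_bytes-sized packets that reaches a
    device's forwarding budget. Small packets need very little bandwidth
    to do it, which is why dimensioning must be done in pps, not bit/s."""
    return device_pps * wire_bytes * 8


def headroom(device_pps: int, link_bps: int, wire_bytes: int) -> float:
    """Fraction of the link's line-rate packet stream the device can
    forward; >= 1.0 means it keeps up even when the link is full."""
    return device_pps / line_rate_pps(link_bps, wire_bytes)


if __name__ == "__main__":
    for link, name in ((GE, "GE"), (TEN_GE, "10GE")):
        print(name, pps_curve(link))
    # Assumed 100,000 pps budget: on a GE link it is exhausted by
    # about 67 Mbit/s of minimum-size packets.
    print(bps_to_exhaust(100_000, 84), "bit/s of 84-byte packets")
    print("headroom at 84 B:", round(headroom(100_000, GE, 84), 3))
```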
Cisco Guard – Enterprise IDC Example
Diagram: ISP 1 and ISP 2 connect to an IOS Router at the enterprise IDC edge. A Cisco Guard is attached beside the router, and Cisco Anomaly Detectors watch the internal network (DNS servers; Web, Chat, E-mail, etc.). The Detector raises an Alert to the Cisco Guard, which then protects the Target.
Cisco Guard – Scrubbing Centre Example
Diagram, for an attack on Target (1.1.1.1):
1. BGP: the Guards (2.2.2.2 and 4.4.4.4) announce “I’m next hop for 1.1.1.1”
2. Path to Guards
3. Injection of the cleaned traffic into the core, toward Target (1.1.1.1)
Closing Remarks
Network Security Architecture Review
– Security architecture and configuration assessment
– Assesses alignment with SP security ‘best practices’
– Based on the IP NGN security architecture framework
– Provides highly actionable recommendations
– Can incorporate unique requirements
– Conducted by an SP security specialist
– Provides a clear and strong security direction and action plan to the customer
External Security Posture Assessment (SPA)
Diagram: External IP Assessment of the SP Infrastructure, the Corporate Network and the DMZ.
Closing Comments
– You do not have to be an expert—just someone willing and motivated to make something happen. Doing ‘something’ gets you one step closer….
– Quick Wins: Device Security, COPP, iACL, Guard Deployment, Netflow…
– Plan the more complex deployments
– We offer both consulting and assessment services to help customers
What is a botnet?
Definition of: botnet
(roBOT NETwork) Also called a "zombie army," a botnet is a large number of compromised computers that are used to create denial of service attacks or send spam. The computer is compromised via a Trojan that often opens an IRC channel and waits for commands from the person in control of the botnet.
– A botnet is NOT an attack – it is an overlay infrastructure, which runs across an underlying SP or Enterprise infrastructure
– Botnets arose out of the desire to distribute attacks, e.g. DDoS and SPAM, but we are now seeing them used to harvest information from computers
– Stringent regulatory guidelines are making this a major concern for Enterprises and Service Providers
– Botnets are receiving mainstream attention from CXOs
Detecting attacks with Netflow
Basis: have Netflow running on the network.
On border routers, every X min:
  count flows
    with sampling 1/Y
    during Z sec
  if # of flows > N:
    Alarm!
end
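The rule above, as an added Python example (not code from the deck or from Cisco): flows are keyed on the seven NetFlow key fields listed on the earlier Netflow slide, each exported flow from a 1/Y sampled router is scaled up by Y, and a destination whose estimated flow count in the Z-second window exceeds N raises the alarm. The flow record layout, the sample traffic and the X/Y/Z/N values are constructed for the demo.

```python
# Added example: the slide's "count flows > N → alarm" rule over constructed
# flow records. Record layout, sample data and parameter values are assumed.
from collections import defaultdict
from dataclasses import astuple, dataclass
from typing import Iterable


@dataclass(frozen=True)
class Flow:
    src: str           # the seven NetFlow key fields, in the slide's order
    dst: str
    sport: int
    dport: int
    proto: int         # IP protocol number (6 = TCP, 17 = UDP)
    tos: int
    ifindex: int
    first_seen: float  # seconds since the poll started (constructed field)


def estimate_flows(records: Iterable[Flow], t0: float, window_z: float,
                   sample_y: int) -> dict:
    """Distinct seven-key flows per destination seen in [t0, t0 + Z).
    With 1/Y packet sampling each exported flow stands for roughly Y real
    flows, so the count is multiplied by Y before comparing with N."""
    seen = defaultdict(set)
    for f in records:
        if t0 <= f.first_seen < t0 + window_z:
            seen[f.dst].add(astuple(f)[:7])
    return {dst: len(keys) * sample_y for dst, keys in seen.items()}


def alarms(estimates: dict, threshold_n: int) -> list:
    """Destinations whose estimated flow count exceeds N."""
    return sorted(d for d, n in estimates.items() if n > threshold_n)


def constructed_records() -> list:
    """Sample export: a spoofed TCP SYN flood toward 192.0.2.10 (every
    spoofed source/port pair is a new flow) plus a little normal HTTPS."""
    recs = [Flow(f"203.0.113.{i % 254 + 1}", "192.0.2.10", 1024 + i,
                 80, 6, 0, 3, first_seen=i * 0.01) for i in range(3000)]
    recs += [Flow(f"198.51.100.{i + 1}", "192.0.2.20", 40000 + i,
                  443, 6, 0, 3, first_seen=float(i)) for i in range(20)]
    return recs


def demo(sample_y: int = 100, window_z: float = 60.0,
         threshold_n: int = 10_000):
    """One poll interval: returns (estimates per destination, alarmed dsts)."""
    est = estimate_flows(constructed_records(), 0.0, window_z, sample_y)
    return est, alarms(est, threshold_n)


if __name__ == "__main__":
    est, alarmed = demo()
    for dst, n in sorted(est.items()):
        print(f"{dst}: ~{n} flows in window")
    print("ALARM for", alarmed)
```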
Reputation… Results in Accuracy and Advanced Protection
The Dominant Force in Global Email and Web Traffic Monitoring…
Charts:
– Spam Caught by Reputation: IronPort 80%; CipherTrust 50%; BorderWare 40%
– Network Reach (Contributing Networks): IronPort 120,000; CipherTrust and BorderWare 8,000 and 4,000
– Virus Protection Lead: IronPort 13 hours* ahead of McAfee, Trend, Symantec, Sophos, CA, F-Secure
* 6/2005 – 6/2006. 175 outbreaks identified. Calculated as publicly published signatures from the listed vendors.
– 5B+ queries daily
– 150+ Email and Web parameters
– 25% of the World’s Email Traffic