Date posted: 11-Aug-2020
Page 1

SP Security – Threats and Best Practices

Anthony Kirkham (CCIE #1378, CISSP), [email protected]

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco World Wide Security Best Services Practice

Page 2

Agenda

Introduction
SP Threat Landscape
IP NGN Security Framework
SP Security Best Practices
• Foundation device security
• SP Security Techniques
Closing Remarks

Page 3

Introduction

Page 4

Service Provider Security

The relentless exploitation of networks, systems, and subscribers has become a sophisticated global business.

1998: Hackers → 2008: Cybercrime Syndicates

For SPs, the network IS the business.

Security is a critical business consideration!!

Page 5

Cybercrime Industry: In the Past

(Diagram: three columns, Writers → Asset → End Value.)

Writers: Tool and Toolkit Writers; Malware Writers (Worms, Viruses, Trojans)

Asset: Compromise Individual Host or Application; Compromise Environment

End Value: Fame; Theft; Espionage (Corporate/Government)

Page 6

Cybercrime Industry: Today

(Diagram: columns Writers → Middle Men → First Stage Abusers → Second Stage Abusers → End Value, annotated “$$$ Flow of Money $$$”.)

Writers: Tool and Toolkit Writers; Malware Writers (Worms, Viruses, Trojans, Spyware)

Middle men and abusers: Hacker/Direct Attack; Compromised Host and Application; Machine Harvesting; Bot-Net Creation; Bot-Net Management: For Rent, for Lease, for Sale; Extortionist/DDoS-for-Hire; Spammer; Phisher; Pharmer/DNS Poisoning; Information Harvesting; Information Brokerage; Identity Theft; Electronic IP Leakage; Internal Theft: Abuse of Privilege

End Value: Fame; Theft; Espionage (Corporate/Government); Extorted Pay-Offs; Commercial Sales; Fraudulent Sales; Personal Information; Click-Through Revenue; Financial Fraud

Page 7

Security Mitigation Evolution – Phased Approach

(Chart: increased profitability plotted against deployment stage; each stage builds on the previous one. The slide labels the later stages Phase 1 and Phase 2.)

Today – Regulate and Harden
• Static access lists
• Layer 3/4 firewalls
• Device hardening
• Secure passwords
• Authentication
• Authorization

Add Monitoring Tools
• User awareness
• Data mining
• Resource monitoring
• Event correlation
• Lawful interception

Add Mitigation Tools
• Per service policy control
• Per user policy control
• Content filtering
• DoS protection
• Virus prevention
• Worm detection
• Attack mitigation
• Self-defending

Add Service Assurance
• High availability
• High resiliency
• Guaranteed QoS
• SLA assurance
• New services

Security solutions can be deployed in phases to achieve increased visibility, control and profitability.

Page 8

SP Threat Landscape

Page 9

SP IP NGN Networks… Threats Against IP Networks

Network security traditionally focuses on confidentiality, integrity, and availability (CIA) in varying degrees.

Network convergence changes the importance of each of these areas. Availability increases in importance.

– Availability is no longer simply a binary “up/down” or “on/off” function. Other metrics must be considered, such as network latency caused by congestion and processing delays.

– Malicious traffic or non-malicious traffic (e.g. changes in the traffic patterns of one service, say Internet data) may affect another service, such as Voice over IP (VoIP) traffic traversing the same core routers but in a different “logical” services plane.

– Availability changes may disrupt the entire revenue model if high-value services cannot be run on a converged IP core that achieves CapEx and OpEx efficiencies.

Page 10

SP IP NGN Networks… Threats to IP Networks (1/2)

Threat – Description

Resource Exhaustion Attacks – A Denial-of-Service (DoS) attack aims to make the target unavailable for its intended service. May be direct, transit, or reflection-based.

Spoofing Attacks – An attack that uses packets that masquerade themselves with false data, such as the source IP address, to exploit a trusted relationship.

Transport Protocol Attacks – Attacks that aim to prevent upper-layer communications between hosts, or to hijack established sessions in order to capitalize on any previous authentication measures, enabling eavesdropping and false data injection.

Routing Protocol Attacks – Attacks that attempt to destroy the router’s or network’s ability to perform routing tasks and, thereby, prevent new routing protocol peering, disrupt current peering, or redirect traffic flows in an attempt to inject false information, alter existing information, or remove valid information for the purposes of corrupting user data.

Page 11

SP IP NGN Networks… Threats to IP Networks (2/2)

Threat – Description

Attacks against other IP Control Plane Services – Attacks against important control plane services such as DHCP, DNS, and NTP may affect network availability and operations.

Unauthorized Access Attacks – Attacks that attempt to gain unauthorized access to restricted systems and networks.

Software Vulnerabilities – A software defect that, if exploited, may compromise the confidentiality, integrity and availability of the router and associated data plane traffic.

Malicious Network Reconnaissance – The process of gathering information about a target, often conducted in preparation for an attack. Enables the attacker to identify specific security weaknesses that may be exploited as part of a future attack.

Page 12

Client Attacks – ‘Drive by Downloads’

1. Hacker compromises legitimate web site
2. Hacked web site
3. Victim with vulnerable browser
4. Legitimate connection to hacked web site
5. Browser exploit (i.e. hidden iframe)
6. Victim’s PC compromised and owned ... then part of a botnet

The most common form of malware distribution on the Internet today.

Page 13

DoS and DDoS

(Diagram: Hacker → Masters → Zombies at the Customer’s Premises → ISP Edge Router → Victim behind a flooded pipe. Legend: control traffic, attack traffic.)

Page 14

Example Customer DoS Attack

(Network diagram: an ISP with Peer A, Peer B, IXP-W, IXP-E, Upstream A, Upstream B, POP routers A–G and the NOC; attack traffic converges on the Target. Caption: “Target is taken out”.)

Page 15

Example Customer DoS Attack – Collateral Damage

(Same network diagram, now also showing other Customers attached to the same POP. Caption: “Attack causes Collateral Damage”.)

Page 16

Routers do get Directly Attacked

(Same network diagram, with a Sink Hole Network and a Customer. Caption: “Router under attack via a spoofed TCP SYN Flood at the NTP Port”.)

Page 17

DNS Reflection Attacks

(Diagram.) The attacker breaks in to an innocent DNS server and publishes a big TXT record. A botnet then sends queries, with the victim’s source address, to 30,000 – 500,000 open recursive DNS servers; these query and cache the record and return the large responses to the victim. Approx. 60:1 amplification factor.

Page 18

Other SP Security Issues

BGP Route Hijacking
DNS Poisoning
Internal Penetrations
• Radius, OSS/BSS, Backend Systems, Internal Business Systems
Compromised Routers
• A huge number of compromised routers exist, mostly due to the poor use of security features
• Miscreants commonly use ‘brute force’ techniques to crack accounts
IPv6 – Both the ‘same’ and ‘new’ security considerations
• If IPv6 is enabled, have the same controls as IPv4 been deployed?
Side effects of Internet Worms
• No major event in recent times, still an area of concern for many
• Stealth worms are very common and used for harvesting machines into botnets
• ‘Noise Level’ is now far lower…

Page 19

IP NGN Security Framework

Page 20

SP IP NGN Networks… Secure platform framework

(Framework diagram; the labels that survive are listed below.)

Security Principles – the two primary security principles of security policy deployment: VISIBILITY and CONTROL.

Security Actions – the essential actions that enable improved visibility and control: Identify, Monitor, Correlate (visibility); Harden, Isolate, Enforce (control).

Security Roles – methodologies: the development and monitoring of security policies and operations: Policies, Design, Deploy, Operate, Assess, Audit, Threat Models, Sec-Ops.

Business Relevance – customer-specific: aligns security systems and solutions to the business goals, and to the threats to goal attainment: Business Goals and Objectives, Clean Pipes, Access, Service Control, Privacy and Confidentiality, Secure Fail-Open Peering, Virtual Private Networks.

Other elements shown: Security Enablers, Security Measures, Operational Excellence, Action; Monitoring and Correlation, Network Foundation Protection, Adaptive and Responsive, Automation and Instrumentation, Policy Enforcement, NetFlow, Event Correlation.

Page 21

Creating Secure Infrastructures – Leveraging the IP NGN Security Framework

Cisco’s IP NGN Security Framework defines six key actions that enable service providers to deliver secure, reliable, and resilient services.

Gain Total Visibility – Identity, Trust, Compliance, Event, and Performance Monitoring
• Identify: Identify and Assign Trust-Levels to Subscribers, Services, and Traffic
• Monitor: Monitor Performance, Behaviors, Events, and Compliance with Policies
• Correlate: Collect, Correlate, and Analyze System-Wide Events

Assure Complete Control – Security Policy Enforcement and Event Mitigation
• Isolate: Isolate Subscribers, Systems, and Services to Contain and Protect
• Enforce: Enforce Security Policies and Mitigate Security Events
• Harden: Harden the Transport, Services, and Application Infrastructures

Secure, Reliable, and Resilient Services

Page 22

SP Security Techniques and Best Practices

Page 23

SP Security Techniques and Best Practices

Device Security
Making the core network unreachable
Monitoring and security visualisation
Mitigation Techniques

Page 24

Router and Switch Security

Area – IOS Feature

Device access – AAA, Secure Passwords, Secure Protocols (SSH)
Physical security – Physical access restrictions
Services – Disable unused services (HTTP/HTTPS server)
Management – SNMP ACLs, Secure Passwords, Avoid SNMP-RW, SNMPv3
Control Plane – Control Plane Policing, rACL (GSR), LPTS, MPP (CRS-1)
BGP – Max Prefix, MD5 Authentication, GTSM, Prefix and AS Filters
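An IOS hardening baseline that walks the table above row by row, as an added configuration example (not from the slides or from Cisco). The NOC range 10.0.0.0/24, TACACS+ server 10.0.0.10, NMS 10.0.0.5, peering link 198.51.100.0/30 and AS numbers 64500/64501 are constructed placeholders, and every <...> is a secret to be replaced.

```ios
! Added example, not from the slides: IOS hardening baseline for the table above.
! 10.0.0.0/24 (NOC), 10.0.0.10 (TACACS+), 10.0.0.5 (NMS), 198.51.100.0/30 (peering
! link) and AS 64500/64501 are constructed placeholders; <...> are secrets.
!
! Device access: AAA with local fallback, encrypted secrets, SSHv2 only
service password-encryption
enable secret <enable-secret>
username admin secret <local-fallback-secret>
aaa new-model
tacacs-server host 10.0.0.10 key <tacacs-key>
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 5 0
!
! Services: turn off what the router does not need, including the HTTP/HTTPS server
no ip http server
no ip http secure-server
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip bootp server
no ip source-route
no cdp run
!
! Management: SNMPv3 auth+priv, read-only group (no SNMP-RW), answers only to the NMS range
snmp-server group NMS-RO v3 priv
snmp-server user nms NMS-RO v3 auth sha <auth-pass> priv aes 128 <priv-pass> access MGMT-HOSTS
snmp-server host 10.0.0.5 version 3 priv nms
!
! Control plane: CoPP (rACL, LPTS and MPP are the GSR/CRS-1 equivalents in the table).
! Routing traffic is never dropped, management is capped, everything else is policed
! hard so a flood aimed at the route processor cannot starve BGP.
ip access-list extended COPP-BGP
 permit tcp host 198.51.100.2 host 198.51.100.1 eq bgp
 permit tcp host 198.51.100.2 eq bgp host 198.51.100.1
ip access-list extended COPP-MGMT
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit udp 10.0.0.0 0.0.0.255 any eq snmp
class-map match-all COPP-BGP
 match access-group name COPP-BGP
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT
policy-map COPP
 class COPP-BGP
  police 1000000 conform-action transmit exceed-action transmit
 class COPP-MGMT
  police 500000 conform-action transmit exceed-action drop
 class class-default
  police 100000 conform-action transmit exceed-action drop
control-plane
 service-policy input COPP
!
! BGP: MD5, GTSM (ttl-security), maximum-prefix, prefix and AS-path filters on the eBGP peer
ip prefix-list PEER-IN seq 5 deny 0.0.0.0/0
ip prefix-list PEER-IN seq 10 deny 10.0.0.0/8 le 32
ip prefix-list PEER-IN seq 15 deny 198.51.100.0/24 le 32
ip prefix-list PEER-IN seq 100 permit 0.0.0.0/0 ge 8 le 24
ip as-path access-list 1 permit ^64501(_64501)*$
router bgp 64500
 neighbor 198.51.100.2 remote-as 64501
 neighbor 198.51.100.2 password <bgp-md5-key>
 neighbor 198.51.100.2 ttl-security hops 1
 neighbor 198.51.100.2 maximum-prefix 1000 90
 neighbor 198.51.100.2 prefix-list PEER-IN in
 neighbor 198.51.100.2 filter-list 1 in
```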

Page 25

Core Hiding – Making the Core Unreachable

(Diagram: “outside” – provider edge – core – provider edge – “outside”.)

Two Techniques:
• Infrastructure ACLs (iACL)
• IS-IS Core Hiding

Concept: if no traffic can reach the core, it can’t be attacked.
• Prevents intrusions 100%
• DoS: very hard, only with transit traffic

Re-colour at edge: precedence 6/7 to 0-5

Page 26

ISIS Security

Uses CLNS: not attackable with IP!
Non-IP traffic has higher priority in routers.
Routing on NSAP addresses: can remove IP addressing!!

Best Practice: Hide infrastructure addresses
• Interface command “no isis advertise-prefix”
• Global IS-IS configuration command “advertise-passive-only”
• Prefixes removed from ISIS RIB!

Advantages:
• Security
• Convergence time!!

Page 27

“Normal” ISIS

hrnsplab-7507c#sh isis database detail
IS-IS Level-1 Link State Database
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
.
. <skip>
.
hrnsplab-12008.00-00  0x00003F00   0x54E3        697           0/0/0
  Area Address: 49.0010
  NLPID:        0xCC
  Hostname: hrnsplab-12008b
  Router ID:    9.0.0.16
  IP Address:   9.0.0.16
  Metric: 10         IP 9.0.1.4/30
  Metric: 10         IP 9.0.2.16/30
  Metric: 10         IP 9.0.2.0/30
  Metric: 10         IP 9.0.2.4/30
  Metric: 0          IP 9.0.0.16/32
  Metric: 10         IS-Extended hrnsplab-12008.00
  Metric: 10         IS-Extended hrnsplab-12008.00
  Metric: 10         IS-Extended hrnsplab-12008.00
  Metric: 10         IS-Extended hrnsplab-7507b.00

Annotation: can see infrastructure addresses

Page 28

ISIS with “advertise-passive-only”

hrnsplab-7507c#sh isis database detail
IS-IS Level-1 Link State Database
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
.
. <skip>
.
hrnsplab-12008.00-00  0x000040AA   0x7F15        1048          0/0/0
  Area Address: 49.0010
  NLPID:        0xCC
  Hostname: hrnsplab-12008b
  Router ID:    9.0.0.16
  IP Address:   9.0.0.16
  Metric: 0          IP 9.0.0.16/32
  Metric: 10         IS-Extended hrnsplab-12008.00
  Metric: 10         IS-Extended hrnsplab-12008.00
  Metric: 10         IS-Extended hrnsplab-12008.00
  Metric: 10         IS-Extended hrnsplab-7507b.00

Annotation: can see only loopbacks

Page 29

“advertise-passive-only” – Summary

Link addresses not reachable from outside: cannot ping, telnet, etc.
Loopbacks still reachable: need to filter with iACLs.
Traceroute still works (!!!): the IPs exist, and can be used as source. They are just not advertised!
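The two core-hiding techniques of pages 25–29 put together, as an added IOS example (not from the slides): IS-IS advertising only the passive loopback on a core router, plus an infrastructure ACL and the precedence re-colouring on a provider-edge interface facing the “outside”. Area 49.0010 and loopback 9.0.0.16 are taken from the show output on pages 27–28; the NET, the POS link, the eBGP peer 198.51.100.2 and the interface names are constructed, and IOS spells the commands `advertise passive-only` and `isis advertise prefix` without the hyphen used on the slides.

```ios
! Added example, not from the slides. Part 1, a core router: only the loopback
! stays in the IS-IS LSP. Area 49.0010 and 9.0.0.16 come from the page's
! 'sh isis database detail' output; the NET, the POS link and all other values
! here are constructed.
interface Loopback0
 ip address 9.0.0.16 255.255.255.255
 ip router isis
!
interface POS1/0
 ip address 9.0.1.5 255.255.255.252
 ip router isis
 isis metric 10
!
router isis
 net 49.0010.0090.0000.0016.00
 is-type level-1
 metric-style wide
 passive-interface Loopback0
 advertise passive-only
! Result: the LSP carries 9.0.0.16/32 but no longer 9.0.1.4/30 or the other
! link prefixes, so link addresses are unreachable from outside the IGP domain.
!
! Part 2, a provider edge facing the "outside" (constructed eBGP peer 198.51.100.2).
! iACL: the loopbacks that are still advertised can only be reached by the
! eBGP session itself; all other traffic into 9.0.0.0/16 is dropped, transit passes.
ip access-list extended IACL-IN
 remark anti-spoofing: the outside never legitimately sources our infrastructure space
 deny   ip 9.0.0.0 0.0.255.255 any
 remark the eBGP peer may talk to its directly connected interface
 permit tcp host 198.51.100.2 host 198.51.100.1 eq bgp
 permit tcp host 198.51.100.2 eq bgp host 198.51.100.1
 remark nothing else reaches loopbacks or link addresses
 deny   ip any 9.0.0.0 0.0.255.255
 remark transit traffic to customers
 permit ip any any
!
! Re-colour at the edge: IP precedence 6/7 arriving from outside becomes 0,
! so external packets cannot ride the routing-protocol queues through the core.
class-map match-any PREC-6-7
 match ip precedence 6 7
policy-map EDGE-RECOLOUR
 class PREC-6-7
  set ip precedence 0
!
interface GigabitEthernet0/0
 description to eBGP peer (outside)
 ip address 198.51.100.1 255.255.255.252
 ip access-group IACL-IN in
 service-policy input EDGE-RECOLOUR
```

Traceroute from outside still shows the 9.0.x.x hops, as page 29 notes; the iACL is what stops them being used as destinations.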

Page 30

Netflow

Useful security tool
Highly scalable
Multi-gigabit speeds

Seven Unique Keys:
• Source IP address
• Destination IP address
• Source port
• Destination port
• Layer 3 protocol type
• TOS byte (DSCP)
• Input logical interface (ifIndex)

Exported Data: export and analyse flow information

Page 31

Visualization and Correlation Tools

(Screenshot of a correlation console: root-cause of the problem; open the Meta-Event to see related alerts.)

Page 32

A DDoS Attack Scenario

(Diagram: attack traffic from other ISPs enters at the ingress router and crosses the ISP routers. Target 1 – under attack. Target 2 – OK, but link congested.)

Page 33

Black Hole Routing

(Diagram: same scenario; traffic to Target 1 is black-holed on the ingress router. Target 1 – isolated. Target 2 – OK.)

Page 34

Remote Triggered ‘Black Hole’ Routing

(Diagram: a trigger router announces the Target 1 route via iBGP to the ISP routers, which drop the traffic. Target 1 – isolated. Target 2 – OK.)

Keeps line to customer clear, but target host still cut off completely.

Page 35

Source Address – ‘Black Hole’ Routing

(Diagram: trigger router, iBGP to the ISP routers; attack traffic is dropped at the edge while legitimate traffic reaches Target 1 and Target 2, both OK.)

Detect and drop attack traffic based on SOURCE addresses now.
Attack traffic dropped at ISP edge.
Legitimate traffic unaffected.
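Destination-based and source-based remotely triggered black hole routing as sketched on pages 33–35, as an added IOS example (not from the slides). The trigger router redistributes a tagged static route with next hop 192.0.2.1 into iBGP; every edge router already routes 192.0.2.1 to Null0, and loose uRPF on the edge interfaces extends the drop to packets whose source is black-holed. 192.0.2.1 (discard next hop), 203.0.113.7 (attacked customer host), 198.51.100.0/24 (attack source range), 10.0.0.1 (an iBGP neighbour) and AS 64500 are constructed placeholders.

```ios
! Added example, not from the slides: remotely triggered black hole (RTBH).
! 192.0.2.1 is the discard next hop, 203.0.113.7 the attacked customer host,
! 198.51.100.0/24 the offending source range, 10.0.0.1 an iBGP neighbour;
! all constructed placeholders.
!
! --- Every edge router, configured in advance ---
ip route 192.0.2.1 255.255.255.255 Null0
! Loose uRPF: a packet whose SOURCE resolves to a Null0 route is dropped too,
! which is what turns the destination black hole into the source-based one.
interface GigabitEthernet0/0
 description external facing
 ip verify unicast source reachable-via any
!
! --- Trigger router ---
ip route 192.0.2.1 255.255.255.255 Null0
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
!
router bgp 64500
 redistribute static route-map RTBH-TRIGGER
 neighbor 10.0.0.1 remote-as 64500
 neighbor 10.0.0.1 send-community
! (one neighbor per edge router, or a peer-group / route reflector)
!
! --- Operator action during an attack ---
! Destination-based (page 34): black-hole the target. Every edge now drops
! traffic to it, so the customer link stays clear but the host goes dark.
ip route 203.0.113.7 255.255.255.255 Null0 tag 666
!
! Source-based (page 35): black-hole the attack sources instead. The edges
! drop them via loose uRPF and legitimate traffic to the target keeps flowing.
ip route 198.51.100.0 255.255.255.0 Null0 tag 666
!
! To stop: remove the tagged static and the withdrawal propagates over iBGP.
no ip route 198.51.100.0 255.255.255.0 Null0 tag 666
```

The trigger needs only a few seconds to reach every edge over iBGP, which is the point of pre-provisioning the Null0 route and the route-map before an attack.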

Page 36

Dimensioning – Network Bandwidth Concepts and PPS Engineering…

(Chart: Packet Rate (PPS) on the y-axis against Packet Size (Bytes) on the x-axis, with packet sizes 84, 200, 500 and 1538 bytes marked. Packet rates marked: 14,880,950 pps; 1,488,095 pps; 812,740 pps; 100,000 pps; 81,274 pps.)

Page 37

Cisco Guard – Enterprise IDC Example

(Diagram: ISP 1 and ISP 2 feed an IOS router at the data-centre edge; Cisco Guard appliances sit beside it, a Cisco Anomaly Detector watches the internal network and raises an Alert to the Guard; the protected targets are the DNS servers and the Web, Chat, E-mail, etc. servers.)

Page 38

Cisco Guard – Scrubbing Centre Example

(Diagram: attack traffic heading for the Target (1.1.1.1), with the steps labelled on the slide:)
1. BGP: the Guards (2.2.2.2 and 4.4.4.4) announce “I’m next hop for 1.1.1.1”
2. Path to Guards
3. Injection into core

Page 39

Closing Remarks

Page 40

Network Security Architecture Review

Security architecture and configuration assessment
• Assesses alignment with SP security ‘best practices’
• Based on the IP NGN security architecture framework
• Provides highly actionable recommendations
• Can incorporate unique requirements
• Conducted by an SP security specialist

Provides a clear and strong security direction and action plan to the customer.

Page 41

External Security Posture Assessment (SPA)

(Diagram: SP Infrastructure, Corporate Network and DMZ, with the External IP Assessment conducted from outside.)

Page 42

Closing Comments

You do not have to be an expert—just someone willing and motivated to make something happen. Doing ‘something’ gets you one step closer….

Quick Wins: Device Security, COPP, iACL, Guard Deployment, Netflow…

Plan the more complex deployments.

We offer both consulting and assessment services to help customers.

Page 43

Page 44

What is a botnet?

Definition of: botnet

(roBOT NETwork) Also called a "zombie army," a botnet is a large number of compromised computers that are used to create denial of service attacks or send spam. The computer is compromised via a Trojan that often opens an IRC channel and waits for commands from the person in control of the botnet.

A botnet is NOT an attack – it is an overlay infrastructure, which runs across an underlying SP or Enterprise infrastructure.

Botnets arose out of the desire to distribute attacks, e.g. DDoS and SPAM, but we are now seeing them used to harvest information from computers.

Stringent regulatory guidelines are making this a major concern for Enterprises and Service Providers.

Botnets are receiving mainstream attention from CXOs.

Page 45

Detecting attacks with Netflow

Basis: have Netflow running on the network.

On border routers, every X min:
    count flows, with sampling 1/Y, during Z sec
    if # of flows > N:
        Alarm!
end

Page 46

Reputation

(Chart: “The Dominant Force in Global Email and Web Traffic Monitoring… Results in Accuracy and Advanced Protection”.)

Spam Caught by Reputation: Ironport 80%, CipherTrust 50%, BorderWare 40%

Network Reach (Contributing Networks): Ironport 120,000, against 8,000 and 4,000 for CipherTrust and BorderWare

Virus Protection Lead: Ironport 13 hours* ahead of McAfee, Trend, Symantec, Sophos, CA, F-Secure

* 6/2005 – 6/2006. 175 outbreaks identified. Calculated as publicly published signatures from the listed vendors.

• 5B+ queries daily
• 150+ Email and Web parameters
• 25% of the World’s Email Traffic