PLNOG16: Security in the operator's network, Sebastian Pasternacki
1. Security in the operator's network
Educational session
Sebastian Pasternacki
CCIE#17541 RS/SEC/SP/WLAN CCDE #2012::9
Cisco Systems
6. Training plan
• Warm-up
• Lat pulldown of the threat summary
• Bent-over rows with the infrastructure
• Deadlift, SDN version
• Stretching and cool-down
15. The 6 Phase Incident Response Methodology
1. Preparation: Best Practices / planning
2. Detection: Something is wrong
3. Classification: What is wrong
4. Traceback: Find ingress path
5. Mitigation: Counter measures
• Contain / insert ACLs
• Quarantine / Redirection
• Scrubbing
6. Post Mortem Review
16. What is a DoS/DDoS attack?
• An attempt to consume finite resources, exploit weaknesses in software design or implementation, or exploit lack of infrastructure capacity
• Targets the availability and utility of computing and network resources
• Attacks are almost always distributed for more significant effect
• The collateral damage caused by an attack can be as bad, if not worse, than the attack itself
• DDoS attacks affect availability!
No availability = no applications / services / data / Internet! No revenue!
17. Main types of DDoS Attacks
Diagram: attack traffic arrives from ISP 1, ISP 2 … ISP n via the ISP link and passes the firewall, IPS and load balancer before reaching the application.
Volumetric Attacks
• Overload links
• 10-500 Gbps
Application Layer Attacks
• Stealth attacks, < 1 Gbps, 100+ requests per sec
• No impact on infrastructure
• Huge load on applications
TCP State-Exhausting Attacks
• Target stateful devices (load balancers, firewalls, application servers)
• Usually 1-10 Gbps, but a lot of Mpps
Source: Arbor Networks
19. It’s All About the Packet
• Packets can be classified into 4 categories:
• Transit IP
• Receive IP
• Non-IP
• Exceptions IP
Diagram: a packet arriving on the ingress interface is either forwarded, received or dropped. Transit IP takes the fast path (CEF) to the egress interface; receive and exception packets take the slow path to the Route Processor CPU (BGP, OSPF, SSH).
20. The Four Planes - Data, Control, Management and Services
• Data plane contains transit packets
• Control plane contains routing, signalling and link-state packets
• Management plane contains management traffic (for example from the NOC)
• Service plane contains transit traffic that needs special add-on handling (for example encryption)
21. Data Plane Security Tools
Network Foundation Protection
§ Infrastructure ACLs (iACLs)
§ Unicast Reverse Path Forwarding (uRPF)
§ Flexible Packet Matching (FPM)
§ Committed Access Rate (CAR)
§ IP Options Filtering
§ IP Fragment Filtering
§ TTL Filtering
§ MACsec 802.1AE
§ Private IP Addressing
§ DDoS Traffic Scrubbing
§ Port Profiles for Virtual Machines (VN-Link)
22. Filter Bogons!
§ Filter bogons in the control plane (e.g. BGP)
§ Filter bogons in the data plane (iACL sources)
§ Please note – they frequently change!
§ Must keep updating
§ Or use the Bogon route server to feed the prefixes
§ Sources:
§ http://www.team-cymru.org/Services/Bogons/
§ RFC 1918
§ RFC 3330
§ www.iana.org
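An added Python example (not from the slides) of the control-plane bogon check: received prefixes are rejected when they equal or fall inside a bogon, and the same list is rendered as an IOS prefix-list. The bogon subset and the sample announcements are constructed; a real deployment refreshes the list from the Team Cymru feed because bogons change.

```python
import ipaddress

# Static bogon subset from RFC 1918 and RFC 3330 (constructed for this example;
# it is NOT a complete or current list and must be refreshed from a feed).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]

def matching_bogon(prefix):
    """Return the bogon that covers `prefix` (equal or more specific), or None."""
    net = ipaddress.ip_network(prefix, strict=False)
    for bogon in BOGONS:
        if net.subnet_of(bogon):      # same semantics as `deny <bogon> le 32`
            return bogon
    return None

def filter_announcements(announcements):
    """Split received BGP prefixes into accepted prefixes and (prefix, bogon) rejections."""
    accepted, rejected = [], []
    for prefix in announcements:
        bogon = matching_bogon(prefix)
        if bogon is None:
            accepted.append(prefix)
        else:
            rejected.append((prefix, str(bogon)))
    return accepted, rejected

def ios_prefix_list(name="bogons"):
    """Render the equivalent IOS prefix-list: deny each bogon and its more-specifics,
    then permit everything else up to /24 (the /24 cut-off is an assumption)."""
    lines = [f"ip prefix-list {name} seq {10 * (i + 1)} deny {b} le 32"
             for i, b in enumerate(BOGONS)]
    lines.append(f"ip prefix-list {name} seq {10 * (len(BOGONS) + 1)} permit 0.0.0.0/0 le 24")
    return lines
```

Note that a less-specific announcement covering a bogon (e.g. 192.0.0.0/8) is not caught by this check, just as it is not caught by `deny ... le 32`; the data-plane iACL source filter still drops those packets.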
23. Control Plane Security Tools
Network Foundation Protection
§ Receive ACLs (rACLs)
§ Control Plane Policing (CoPP - IOS)
§ Local Packet Transport System (LPTS - XR)
§ Routing Update Authentication
§ Passive Routing Interfaces
§ Generalized TTL Security Method (GTSM)
§ (eBGP) Prefix Filtering ingress & egress
§ (eBGP) Max Prefix Filtering
§ OS Modularity
24. Control Plane Policing (CoPP)
§ Network devices handle traffic in the Data Plane, Control Plane, and Management Plane…
– We need to assert positive control over the types and quantity of packets that can reach the RP of the network device
Diagram: packets arriving on the ingress interface pass the interface ACL; transit IP is forwarded by CEF to the egress interface, while receive, non-IP and exception IP packets pass through CoPP before reaching the Route Processor CPU (AAA, SYSLOG, SNMP, OSPF, BGP).
25. Sample CoPP Traffic Classification
1. Pre-Undesirable—drop
• malicious traffic we expect to see
• vulnerabilities
• fragments and the like
2. Critical Traffic—no rate limit
• control plane
• routing protocols
3. Important Traffic—maybe rate-limit – be careful
• management plane
• SNMP, SSH, AAA, NTP
4. Normal Traffic—rate limit
• other expected non-malicious traffic: ping and other ICMP
5. Post-Undesirable—drop
• other potentially malicious traffic
6. Catch-all—rate limit
• remaining unclassified IP traffic
26. Pre-Undesirable Traffic
§ Pre-Undesirable—Traffic that should never touch the RP
ip access-list extended pre-undesirable-acl
permit tcp any any fragments
permit udp any any fragments
permit icmp any any fragments
permit ip any any fragments
permit tcp any any eq 139
permit tcp any any eq 445
permit udp any any eq 1434
§ Permit means match NOT allow
§ Security vulnerabilities go in this class
§ Do you need fragments?
27. Critical Traffic
§ Critical—Defined as control plane traffic - routing protocols
ip access-list extended critical-acl
!-- iBGP peers
permit tcp 192.168.60.0 0.0.0.255 gt 1024 192.168.60.0 0.0.0.255 eq bgp
permit tcp 192.168.60.0 0.0.0.255 eq bgp 192.168.60.0 0.0.0.255 gt 1024
!-- eBGP peers
permit tcp host 192.0.2.1 gt 1024 host 192.0.2.2 eq bgp
permit tcp host 192.0.2.1 eq bgp host 192.0.2.2 gt 1024
!-- IGP
permit ospf 192.168.60.0 0.0.0.255 host 224.0.0.5
permit ospf 192.168.60.0 0.0.0.255 host 224.0.0.6
permit ospf 192.168.60.0 0.0.0.255 192.168.60.0 0.0.0.255
§ 192.168.60.0/24 is our core address space, 192.0.2.1 is our eBGP peer, 192.0.2.2 is our eBGP address
§ Use summarization to your advantage—loopbacks and multicast are topology-independent
28. Important Traffic
§ Important—Defined as traffic required to manage the router
ip access-list extended important-acl
permit tcp 192.168.60.0 0.0.0.255 eq 22 any established
permit tcp 192.168.60.0 0.0.0.255 any eq 22
permit tcp host 192.168.100.1 eq tacacs 192.168.60.0 0.0.0.255 established
permit udp host 192.168.100.2 192.168.60.0 0.0.0.255 eq snmp
§ 192.168.60.0/24 is core address space, 192.168.100.1 is AAA, 192.168.100.2 is NMS
§ Specify source address space to limit zone of trust
§ Specify destination address to tighten security—use loopbacks for management
29. Normal Traffic
§ Normal—Defined as other traffic destined for the router to track and limit
ip access-list extended normal-acl
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit icmp any any echo-reply
permit icmp any any echo
permit icmp any any packet-too-big
30. Post-Undesirable Traffic
§ Post-Undesirable—Traffic that should never touch the RP
ip access-list extended post-undesirable-acl
permit udp any any eq snmp
§ If using a reactive undesirable class, this ACL must exist; otherwise the class defaults to permit and matches everything
31. Catch-All Traffic
§ Catch-All — Defined as other IP traffic destined to the router
ip access-list extended catch-all-acl
permit tcp any any
permit udp any any
permit icmp any any
permit ip any any
§ Using a more granular ACL helps identify what falls into this class in case policy corrections are necessary
32. CoPP—Sample Class-Map
§ Define class for each “type” of traffic and associate appropriate ACL
class-map match-all CoPP-pre-undesirable
match access-group name pre-undesirable-acl
class-map match-all CoPP-critical
match access-group name critical-acl
class-map match-all CoPP-important
match access-group name important-acl
class-map match-any CoPP-normal
match access-group name normal-acl
class-map match-any CoPP-post-undesirable
match access-group name post-undesirable-acl
class-map match-any CoPP-catch-all
match access-group name catch-all-acl
33. CoPP—Sample Policy-Map
policy-map CoPP
class CoPP-pre-undesirable
drop
class CoPP-critical
<no operation specified – no rate-limit>
class CoPP-important
police <rate> conform-action transmit exceed-action transmit
class CoPP-normal
police <rate> conform-action transmit exceed-action drop
class CoPP-post-undesirable
drop
class CoPP-catch-all
police <rate> conform-action transmit exceed-action drop
34. CoPP—Apply Sample Policy
§ Apply Service-Policy to the Control Plane Interface
control-plane
service-policy input CoPP
§ In the inbound (input) direction
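An added Python model (not part of the slides) of the six-class CoPP policy above: each ACL is a list of match predicates, the policy-map is walked in order so the first matching class wins, and the policer is replaced by a per-class packet budget (an assumption standing in for the <rate>). It shows why ordering matters: SMB from a core address still hits pre-undesirable before critical, and SNMP from the NMS lands in important while SNMP from anywhere else falls through to post-undesirable.

```python
import ipaddress
from collections import namedtuple

# Constructed packet model for this example: five-tuple plus a fragment flag.
Pkt = namedtuple("Pkt", "proto src dst sport dport fragment")

CORE = ipaddress.ip_network("192.168.60.0/24")   # core address space from the slides
NMS = "192.168.100.2"                            # NMS address from the slides

def in_core(addr):
    return ipaddress.ip_address(addr) in CORE

# One predicate per ACE; a "permit" entry MATCHES the class, it does not allow the packet.
ACLS = {
    "pre-undesirable-acl": [
        lambda p: p.fragment,                                    # permit ip any any fragments
        lambda p: p.proto == "tcp" and p.dport in (139, 445),     # permit tcp any any eq 139 / 445
        lambda p: p.proto == "udp" and p.dport == 1434,           # permit udp any any eq 1434
    ],
    "critical-acl": [
        lambda p: (p.proto == "tcp" and in_core(p.src) and in_core(p.dst)
                   and 179 in (p.sport, p.dport)),                # iBGP inside the core
        lambda p: p.proto == "ospf" and in_core(p.src),           # IGP
    ],
    "important-acl": [
        lambda p: p.proto == "tcp" and in_core(p.src) and p.dport == 22,   # SSH from the core
        lambda p: p.proto == "udp" and p.src == NMS and p.dport == 161,    # SNMP from the NMS only
    ],
    "normal-acl": [lambda p: p.proto == "icmp"],
    "post-undesirable-acl": [lambda p: p.proto == "udp" and p.dport == 161],  # SNMP from anyone else
    "catch-all-acl": [lambda p: True],
}

# policy-map CoPP, in order: first match wins, so pre-undesirable beats critical
# and important (SNMP from the NMS) beats post-undesirable (SNMP from anywhere).
POLICY = [
    ("CoPP-pre-undesirable", "pre-undesirable-acl", "drop"),
    ("CoPP-critical", "critical-acl", "transmit"),                  # no rate limit
    ("CoPP-important", "important-acl", "police-exceed-transmit"),  # police, never drop
    ("CoPP-normal", "normal-acl", "police-exceed-drop"),
    ("CoPP-post-undesirable", "post-undesirable-acl", "drop"),
    ("CoPP-catch-all", "catch-all-acl", "police-exceed-drop"),
]

def classify(pkt):
    """Return (class name, policy action) for the first class whose ACL matches."""
    for cls, acl, action in POLICY:
        if any(ace(pkt) for ace in ACLS[acl]):
            return cls, action
    raise RuntimeError("unreachable: catch-all-acl matches every packet")

class CoPP:
    """Policer stand-in: a per-class packet budget per interval replaces <rate> in bps."""
    def __init__(self, budgets):
        self.budget = dict(budgets)   # class name -> packets still allowed this interval

    def process(self, pkt):
        cls, action = classify(pkt)
        if action in ("drop", "transmit"):
            return cls, action
        if self.budget.get(cls, 0) > 0:   # conform-action transmit
            self.budget[cls] -= 1
            return cls, "transmit"
        # exceed-action: transmit for important, drop for normal and catch-all
        return cls, "transmit" if action == "police-exceed-transmit" else "drop"
```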
35. Management Plane Security Tools
Network Foundation Protection
§ Secure Shell (SSH) / Secure FTP / SNMPv3
§ (Per VRF) AAA, SNMP, Telnet, DNS…
§ IOS XR Task Groups & User Groups
§ Role Based Access Control (RBAC)
§ Management Plane Protection (MPP)
§ Software Authentication Manager (SAM)
§ Connectivity Management Processor (CMP)
§ Autosecure
Note: Network-based security measures become ineffective if physical security has been breached!
36. IP Services Plane
Network Foundation Protection
• The IP Services plane refers to user traffic that is treated by specialized handling beyond Best Effort Forwarding. This includes services such as:
• QoS
• VPNs (IPSec VPNs, MPLS VPNs, GRE, etc.)
• Policy-Based Routing
• SSL, Firewall, IPS, NAT, etc.
• Services typically require the application of “premium” resources such as encryption/decryption, or extra CPU processing.
• Services must also be protected to prevent any one service from disrupting any other service, or best effort traffic from disrupting premium services
37. Network Telemetry
• Network telemetry offers extensive and useful detection capabilities – all packets have to traverse the network, and using the right tools, very useful information suddenly becomes available
• Many of these tools are based on using existing functionality, often combined with open source tools
• Network telemetry is therefore relatively easy to get started with and is also inexpensive
• Pure NetFlow and NBA (Network Behavioral Analysis)
• Syslog
38. But BGP Is Difficult to Configure!
• Configuring peers:
• Router A (10.10.10.1)
router bgp 65000
neighbor 10.20.10.10 remote-as 65000
• Router B (10.20.10.10)
router bgp 65000
neighbor 10.10.10.1 remote-as 65000
• Result
*Apr 2 16:24:01.081: %BGP-5-ADJCHANGE: neighbor 10.10.10.1 Up
39. Blackholing: Using BGP to Drop Traffic on Demand
• BGP allows you to ”announce” a host/subnet IP address which you want to drop traffic to or from
• By enabling BGP on selected choke points, it becomes possible to control traffic dynamically
Diagram: the NOC sends one BGP update (“Block 1.1.1.1”) that is propagated to every BGP-enabled choke point, each of which then blocks 1.1.1.1; IPv6 compatible.
40. The #1 BGP Security Tool
Remote Triggered Blackhole (RTBH)
• RTBH is the most used security tool by Service Providers:
• It allows you to drop traffic from any source (*) or towards any destination IP address
• Works in seconds across global networks
• Possible to define ”zones of effect” (Network wide, Edge, WAN)
• Easy to control using routers or a BGP-enabled workstation
• Now an IETF standard, see RFC 5635
• http://tools.ietf.org/html/rfc5635
* When used in combination with uRPF
41. uRPF Strict/Loose Modes
“Loose Mode” (a.k.a. “v2”)
router(config-if)# ip verify unicast source reachable-via any
• The source address S of a packet arriving on i/f 1 is looked up in the FIB: if S is not in the FIB, or its route is Null0, the packet is dropped; if S resolves via any interface, the packet is forwarded (towards D via i/f 3)
“Strict Mode” (a.k.a. “v1”)
router(config-if)# ip verify unicast source reachable-via rx
• The source address S is looked up in the FIB: if the route for S points back at the same interface the packet arrived on (i/f 1), the packet is forwarded; if it points at another interface (e.g. i/f 2), the packet is dropped
42. How Does RTBH Work?
• It’s Magic!
• BGP allows specifying the next-hop IP address in routing updates. Other routing protocols do not allow this and will automatically use the announcing device IP address as the next-hop
• By setting the next-hop to a special reserved IP address, we can create a routing update containing the IP address we want to block
• When received, this routing update is merged with a pre-defined static route on the receiving router
• After the merge, the routing table will contain a routing entry specifying that traffic for this address will be sent to the Null0 interface
43. Configuring RTBH Step 1
• Step 1: Prepare the edge routers
• Select a small block that will not be used for anything other than blackhole filtering; Test-Net (192.0.2.0/24) is optimal since it should not be in use
• Create a static /32 route using an address from the Test-Net subnet and set the next-hop to Null0. This is done on every edge router on the network
ip route 192.0.2.1 255.255.255.255 Null0
44. Configuring RTBH Step 2
• Step 2: Prepare the trigger router/workstation
• The idea is that when we want to block an IP address, we create a static route for the address and tag it with a special tag
ip route 172.19.61.1 255.255.255.255 Null0 Tag 99
• This static route is entered into the trigger router when we want to block the traffic
• A route-map is then used to:
• Redistribute the static route into BGP
• Change the next-hop to the IP address selected from the Test-Net earlier
• Announce the newly created BGP update to the network
45. Configuring RTBH Step 2 (Cont.)
• Step 2: The trigger router configuration
router bgp 65535
!
!-- Redistribute static with a route-map
redistribute static route-map static-to-bgp
!
route-map static-to-bgp permit 10
!-- Match static route tag
match tag 99
!-- Set the next hop
set ip next-hop 192.0.2.1
set community no-export
set origin igp
46. Activating RTBH
• The BGP update sent out after step 2: 172.19.61.1, next-hop = 192.0.2.1
• The static route entered in step 1 on the edge router: 192.0.2.1 = Null0
• Q: What happens when the next-hop in the routing table is Null0?
• Using route recursion, the next-hop = Null0: 172.19.61.1 = 192.0.2.1 = Null0, so the next-hop of 172.19.61.1 is now equal to Null0
49. RTBH Demo – blocking source using uRPF
Diagram: lab topology with Data Center (R1-DC), Campus, Branch, WAN (c7206) and R6 - Mgmt sites; routers R2 to R5; subnets 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, 10.0.0.0/24, 10.52.206.224/27 and 192.168.254.0/24 (DHCP). An attacker sits at 192.168.254.10. The NOC sends the BGP update “block 192.168.254.10” and the edge routers run:
ip verify unicast source reachable-via any
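The RTBH steps above (static Null0 route on the edge, tagged static route plus route-map on the trigger, recursive next-hop resolution) and the uRPF loose-mode source check from the demo, as an added Python model that is not part of the slides. The FIB class, interface names and the customer and upstream prefixes are constructed for the example; only 192.0.2.1, tag 99 and 172.19.61.1 come from the slides.

```python
import ipaddress

RTBH_NEXT_HOP = "192.0.2.1"   # Test-Net address reserved for blackholing on the slides
TRIGGER_TAG = 99

class Fib:
    """Minimal FIB (constructed): longest-prefix match plus recursive next-hop resolution."""
    def __init__(self):
        self.routes = []   # (network, next_hop, interface); interface None => recursive route

    def add(self, prefix, next_hop, interface=None):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, interface))

    def lookup(self, addr):
        a = ipaddress.ip_address(addr)
        hits = [r for r in self.routes if a in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None

    def resolve(self, addr, depth=0):
        """Outgoing interface or 'Null0' for addr after recursion; None if unroutable."""
        route = self.lookup(addr)
        if route is None or depth > 8:
            return None
        _, next_hop, interface = route
        if next_hop == "Null0":
            return "Null0"
        return interface if interface else self.resolve(next_hop, depth + 1)

def trigger_update(block_ip):
    """Step 2: the tag-99 static route on the trigger passes route-map static-to-bgp into BGP."""
    static = {"prefix": f"{block_ip}/32", "next_hop": "Null0", "tag": TRIGGER_TAG}
    if static["tag"] != TRIGGER_TAG:              # match tag 99
        return None
    return {"prefix": static["prefix"], "next_hop": RTBH_NEXT_HOP,   # set ip next-hop 192.0.2.1
            "community": "no-export", "origin": "igp"}

def build_edge_fib():
    """Step 1 on an edge router: 192.0.2.1/32 -> Null0, plus constructed sample routes."""
    fib = Fib()
    fib.add(f"{RTBH_NEXT_HOP}/32", "Null0")            # ip route 192.0.2.1 255.255.255.255 Null0
    fib.add("10.0.0.0/8", "10.0.0.1", "Gi0/1")          # campus side (constructed)
    fib.add("172.19.0.0/16", "172.19.0.1", "Gi0/2")     # customer block holding the victim (constructed)
    fib.add("203.0.113.0/24", "203.0.113.1", "Gi0/0")   # upstream peering (constructed)
    return fib

def apply_update(fib, update):
    """The edge router installs the BGP route; recursion through 192.0.2.1 turns it into Null0."""
    fib.add(update["prefix"], update["next_hop"])

def urpf_accepts(fib, src, ingress, mode="loose"):
    """uRPF on the source address. loose: any route that is not Null0; strict: route must point at ingress."""
    out = fib.resolve(src)
    if out is None or out == "Null0":   # source not in FIB, or blackholed via RTBH
        return False
    return out == ingress if mode == "strict" else True
```

With loose-mode uRPF on the edge, the same update that blackholes traffic towards 172.19.61.1 also drops packets claiming 172.19.61.1 as their source, which is the combination the slides refer to.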
50. The #2 BGP Security Tool
QPPB (QoS Policy Propagation Through BGP)
• QPPB is not as widely used as RTBH but is actually a lot more powerful!
• It allows you to assign either a QoS class or an IP Precedence tag to traffic from or to a specific IP address
• By mapping the QoS Class/IP Precedence tag to actions, it is possible to:
• Rate limit traffic
• Police traffic
• Assign DSCP values on demand
• Apply any MQC action
• Measure traffic volumes
• If you have QoS already deployed in your network, QPPB can be used to dynamically map traffic into your QoS policy
* Caveat: QPPB works only with routes carried in BGP
51. QPPB (QoS Policy Propagation Through the Border Gateway Protocol)
Using BGP to Implement QoS Policies on Demand
• Using a very similar technique as described earlier, BGP allows you to ”announce” a host/subnet IP address for which you want to control the traffic from or to
• This allows for using dynamic QoS policies (including rate-limit)
Diagram: the NOC sends one BGP update (“Rate-limit 1.1.1.1”) that is propagated to each router, which then rate-limits 1.1.1.1; IPv6 compatible.
52. Sinkholes
• Sinkholes are used to pull in traffic for subnets which are not in use
• The reasoning is that if something goes wrong (misconfiguration, virus outbreak, attacks), the traffic volume towards these subnets will change
• Sinkholes are used to:
• Perform traffic analysis
• Build traffic baselines
• Sinkholes can also be used as an on-demand security tool by directing attacks away from the target (by announcing the target’s IP address)
53. Using Routing to Build a Network Sniffer!
Pulling Traffic into Sinkholes
• All networks have a certain level of background noise
• When something goes wrong, the background noise will change
• Sinkholes ”pull in” this background noise and allow you to detect changes in the ”noise level”
Diagram: the sinkhole announces via BGP updates “Send me ”unused” subnet traffic”, and the routers forward that traffic to it; IPv6 compatible.
60. Security by the SDN / Security for the SDN
Diagram, Secure SDN Architecture: SDN Security comprises Infrastructure Security, SDN Telemetry, Threat Defense, Segmentation, DDoS, Controller Security, API Security and Application Security.
61. Security for the SDN
Multiple layers of security to protect a Software Defined Network
1. Securing Controller
2. Securing Infrastructure
3. Securing Network Services
4. Securing Application
5. Securing Management & Orchestration
6. Securing API
7. Securing Communication
8. Security Technologies
62. 1. Securing Controller
§ Controller Security
• Management Security (SSH, HTTPS)
• AAA & RBAC
• Strong Password
• Use TLS
§ Underlying OS Security
• Keep system updated, apply patches & fixes
• Strong password
• Disable unnecessary protocols, services, ports and devices
• Authentication, Authorization and Accounting with RBAC
• Enable host based firewall and allow only required communication ports
http://www.cisco.com/web/about/security/intelligence/Linux_Hardening_Recommendations.pdf
63. 2. Securing Infrastructure
§ Secure Operation
• Keep device OS up to date
• Monitor PSIRT and perform bug scrub
• Centralize log collection and monitoring
• Configuration Management
§ Management Plane
• Use secure protocols to manage infrastructure: SSH, SCP, HTTPS, SNMPv3, with ACL to restrict access
• Control management and monitor sessions with AAA
• Use encrypted local password
• Protect Console, AUX and VTY
• Disable unused services, no initial configuration via TFTP
64. 2. Securing Infrastructure (cont.)
§ Control Plane
• Protect control plane: CoPP, routing protocol security, FHRP security
• ICMP redirects, ICMP unreachables, proxy ARP
• Securing routing protocols: peer authentication, route filtering, managing resource consumption
§ Data Plane
• Protect data plane: DAI, IP Source Guard, Port Security, unicast RPF etc.
• Infrastructure ACLs, anti-spoofing ACLs, for hardening of devices
• Disable IP source routing
• Private VLAN
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
65. 3 & 4. Securing Application and Services
§ Application Security
• Digital Signing of Code
• Certification Process
• Resource Allocation
• Code Isolation
• Strong Typing
• AAA (PKI)
§ Underlying platform Security
• Keep system updated, apply patches & fixes
• Strong password
• Disable unnecessary protocols, services and ports
• Authentication, Authorization and Accounting, with RBAC
• Enable host based firewall, allow only required ports
66. 4. Secure Application Development
http://developer.cisco.com/onepk/onePKDesignGuidelines/GUID-8604457A-BB6A-4D25-93A8-B4A309AAEA3B.html
http://www.cisco.com/web/about/security/cspo/csdl/index.html
Cisco Secure Development Lifecycle (CSDL)
§ Secure Development Lifecycle
• Threat Modeling
• Understanding and prioritizing risk
• Threat, Mitigation, Test
§ Secure Design Principles
• Principle of Least Privilege
• Fail Safely
• Economy of Mechanism
• Avoid (in)Security by Obscurity
• Psychological Acceptability
• Defense in Depth
• Perform Static Code Analysis: Buffer Overflow, Resource Leaks, Null Pointer Dereference
• Follow Secure Coding Guidelines
68. 5. Securing Orchestration / Automation / Provisioning
• Orchestration and Automation servers should reside on a secure management network, protected by a firewall.
• Use Authentication, Authorization and Accounting; assign Role Based Access Control, least privilege
• Ensure hardening of the underlying platform: disable unused services, configure host based firewall and allow only required ports, use logging and monitoring, use NTP
• Enforce strong passwords
• Use secure communication protocols between portal, orchestrator and element managers
• Ensure configuration and change management is in place.
• Consider a High Availability solution
69. 6 & 7. Securing API & Communication
• Use authentication and authorization
• Use encryption: Transport Layer Security, SSL, SSH, HTTPS
• Revocation of access and authorization using OCSP.
• Proactively using policy or reactively as mitigation option to an attack
• Logging of authentication and authorization
• Manageability / Scalability