25-Oct-13 2nd Annual NKN Workshop
Efficient Interfacing Campus LAN with NKN
RS MANI [email protected]
Efficient utilization
Comes from:
– Good campus LAN
• Speed segregation of LANs
• QoS resilient
• Access controls (L2 and L3)
• NMS
– Good collaboration (national / international)
– Good Internet governance
Scientists / Researchers
Various Components
• Campus network best practice
• Different Layers function
• Firewall/IPS
• AAA/ DHCP/ DNS
• Server Farm
• Security best practices IPv4 & IPv6
• VPN Services
• Gateway Services
Typical Campus Network Architecture
(Diagram.) Two NKN links (NKN Link 1 and NKN Link 2) terminate on a pair of edge routers; behind them sit an outer switch, a firewall with IPS in an active/standby pair, and a core switch. The core switch connects over a 10G backbone to the distribution switches serving users on each floor (ground, 1st, 2nd and 3rd floor, CAT 6a / 7 cabling), to a server switch, and to the DHCP server. Legend: 10G fibre on the backbone, 1G fibre to the access layer.
Security Devices
• Firewall/IPS: integrated stateful inspection firewall
• Maximizes network security with clear, deterministic L3/L4 policies
• Reputation-based intrusion prevention: identifies the source of, and blocks, denial of service (DoS), distributed denial of service (DDoS) and SYN flood attacks, with threat protection up to Layer 7
• Zero-day protection with anomaly detection
• Supports the adoption and use of IPv6
• Remote access VPN solution providing both VPN client and clientless access
Some Campus Security Best Practices
• Switches should support dynamic port security, DHCP snooping, Dynamic ARP Inspection and IP source guard
• Use SSH to access devices instead of Telnet
• Enable AAA and role-based access control (RADIUS/TACACS+) for the CLI on all devices
• Enable syslog to a server; collect and archive logs
• When using SNMP, use SNMPv3
• Configure access lists to limit who can access management and CLI services
• Enable control plane protocol authentication where it is available
• Apply the basic protections offered by implementing RFC 2827 filtering on external edge inbound interfaces
Layer 2 Snoop Attack
(Diagram with hosts 00:0e:00:aa:aa:aa and 00:0e:00:bb:bb:bb.)
Problem: an attacker floods the switch CAM table with bogus MACs (400,000 bogus MACs per second), turning the VLAN into a hub and eliminating privacy.
Solution: port security limits the MAC flooding attack; with only three MAC addresses allowed on the port, the switch locks down (shuts down) the port and sends an SNMP trap.
DHCP Snooping
• DHCP requests (discover) and responses (offer) are tracked
• Rate-limit requests on trusted interfaces; limits DoS attacks on the DHCP server
• Deny responses (offers) on non-trusted interfaces; stops a malicious or errant DHCP server
(Diagram: (1) 1000s of DHCP requests sent to overrun the DHCP server; (2) the DHCP server.)
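As an added example (not from the slides), the following Python audits an IOS-style switch configuration against the best practices listed above and the port-security / DHCP-snooping controls on these slides. The command syntax is Cisco IOS-style and the sample configuration is constructed.

```python
import re

# Constructed IOS-style switch configuration used as sample input (not a real device).
SAMPLE_CONFIG = """\
hostname campus-dist-1
no aaa new-model
snmp-server community public RO
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
interface GigabitEthernet1/0/1
 switchport port-security maximum 3
 switchport port-security violation shutdown
 ip verify source
line vty 0 4
 transport input telnet ssh
"""

# (best practice from the slide, regex that must match, regex that must NOT match)
CHECKS = [
    ("Port security enabled",      r"^\s*switchport port-security", None),
    ("DHCP snooping enabled",      r"^ip dhcp snooping$", None),
    ("Dynamic ARP inspection",     r"^ip arp inspection vlan", None),
    ("IP source guard",            r"^\s*ip verify source", None),
    ("SSH only, no Telnet",        r"^\s*transport input ssh$", r"^\s*transport input .*telnet"),
    ("AAA enabled",                r"^aaa new-model$", None),
    ("Syslog to a server",         r"^logging host ", None),
    ("SNMPv3 only",                r"^snmp-server group \S+ v3", r"^snmp-server community "),
    ("Management ACL on VTY",      r"^\s*access-class \S+ in", None),
]

def audit(config):
    """Return the names of the best practices the configuration fails."""
    findings = []
    for name, must, must_not in CHECKS:
        ok = re.search(must, config, re.M) is not None
        if must_not and re.search(must_not, config, re.M):
            ok = False          # a forbidden line (telnet, SNMPv2c community) overrides
        if not ok:
            findings.append(name)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FAIL:", finding)
```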
AAA server
• Strengthens security: enforces consistent security policy, ensures endpoint health, delivers a secure network fabric
• Supports compliance: enables corporate governance through a consistent access policy for all users and devices
• Increases efficiency: reduces IT overhead through centralized identity management and integrated policy enforcement
Multi-Homing
• Basic requirements
– Own IP address space (IPv4 or IPv6)
– An AS number (16-bit or 32-bit)
– Service providers capable of doing BGP
– A router capable of BGP and of holding the routes
– Trained manpower
What is an MPLS-VPN?
• An IP network infrastructure delivering private network services over a public infrastructure
– Uses a layer 3 backbone
– Scalability, easy provisioning
– Global as well as non-unique private address space
– QoS
– Controlled access
– Easy configuration
NKN MPLS for CUG
(Diagram.) Institute #1 and Institute #2 connect through a state router (state TN) to the NKN backbone. Each 802.1Q VLAN sub-interface on an institute LAN is associated with a different VPN: VLAN1 = VPN Green, VLAN2 = Blue, VLAN3 = Red (Institute #1 carries Green and Blue; Institute #2 carries Green, Blue and Red). The state router is multi-VRF; the contents of the Green, Blue and Red VPNs include video/audio, intra-VPN traffic, Internet, DC and cloud.
VPLS Network
(Diagram.) The Physics Departments of Institute #1 to Institute #5 are joined across PE routers (Mumbai, Indore and others) by virtual circuits / pseudowires into one VPLS.
End to End QoS
(Diagram.) VC equipment at sites #2 to #11, connected with end-to-end QoS.
Inter Service Provider QoS
(Diagram of providers A to E.)
• MPLS VPNs: many QoS-enabled islands, no interprovider QoS
• The Internet: richly interconnected providers, no QoS
• Goal: richly connected AND QoS-enabled
Defense Depth and Breadth Security
(Diagram.) The NKN core network sits between the Internet (transit via AS1, AS2, AS3) and the enterprise network, which holds e-mail and web servers, remote access systems, internal assets and servers, and the Network Operations Center (NOC). Protections are applied at the core and at both edges:
• Interface / edge: interface ACLs, unicast RPF, flexible packet matching, IP option filtering, marking/rate-limiting, routing techniques, eBGP techniques, ICMP techniques
• Receive path: receive ACLs, CoPP, ICMP techniques, QoS techniques, routing techniques
• Device hardening: disable unused services, protocol-specific filters, password security, SNMP security, remote terminal access security, system banners, AAA, network telemetry, secure file systems
Using Strict Mode uRPF to Battle BOTNETs
(Diagram.) The NKN backbone connects many access POPs, each serving NKN partners; a target is reached through several ISPs. uRPF strict mode is enabled on the NKN partner edge, and the NOC uses a BGP trigger community to install source-based remotely triggered black holes (SRTBH) on the NKN partner edge.
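As an added example that is not part of the slides, this Python models the partner-edge behaviour just described: a strict uRPF check against a small constructed FIB, plus the NOC-triggered SRTBH discard route that makes a bot's source address fail that check. Interface names and prefixes are constructed.

```python
import ipaddress

NULL0 = "Null0"   # discard interface; an SRTBH trigger points the attacking source here

# Constructed FIB of an NKN partner edge router: prefix -> egress interface.
# Partner LANs are reached via their access ports, everything else via the uplink.
FIB = {
    ipaddress.ip_network("10.1.0.0/16"): "Gi0/1",  # partner A LAN (constructed)
    ipaddress.ip_network("10.2.0.0/16"): "Gi0/2",  # partner B LAN (constructed)
    ipaddress.ip_network("0.0.0.0/0"): "Gi0/0",    # backbone uplink (default route)
}

def lookup(fib, addr):
    """Longest-prefix match: return the egress interface for addr, or None if unrouted."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, iface in fib.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_strict(fib, src, ingress):
    """Strict-mode uRPF: accept a packet only if the best route back to its source
    leaves via the interface it arrived on. A source routed to Null0 (SRTBH) or
    with no route at all fails the check, so spoofed and black-holed bot traffic
    is dropped on the partner edge before it reaches the backbone."""
    egress = lookup(fib, src)
    if egress is None or egress == NULL0:
        return False
    return egress == ingress

def srtbh_trigger(fib, prefix):
    """Model the NOC's BGP trigger community: install a discard route for the
    attacking source prefix. Strict uRPF then drops its packets on ingress."""
    fib[ipaddress.ip_network(prefix)] = NULL0

if __name__ == "__main__":
    fib = dict(FIB)
    print(urpf_strict(fib, "10.2.5.5", "Gi0/1"))   # spoofed partner-B source on A's port
    srtbh_trigger(fib, "10.1.5.0/24")
    print(urpf_strict(fib, "10.1.5.5", "Gi0/1"))   # black-holed bot source
```

With a default route present, strict mode on the uplink accepts any source, which is why the slide places it on the partner-facing edge rather than the backbone side.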
Government’s Role
• Understand the country's requirements
• Understand the regional needs
• Increase awareness, encourage deployment
• Create joint programs in the region with similar requirements
• Facilitate the adoption of IPv6
• Create test beds
• Showcase a few case studies
• Participate in world forums
Transition Plan
Awareness program
Assessment program
Acquire IPv6 numbers
Testing of IPv6
Acceptance Test
Deployment of IPv6
IPv6
• IPv4 address (present): total addresses = 2^32 = 4 billion
• IPv6 address (future): total addresses = 2^128 = 340 billion, billion, billion, billion
First Hop Security
(Diagram: hosts send RS, the router answers with RA.)
• RS: ICMP Type = 133 (RS), Src = link-local address (FE80::1/10), Dst = all-routers multicast address (FF02::2), Query = please send RA
• RA: ICMP Type = 134 (RA), Src = link-local address (FE80::2/10), Dst = all-nodes multicast address (FF02::1), Data = options, subnet prefix, lifetime, autoconfig flag
First Hop Security
(Diagram, rogue RA.) The host sends an RS; the legitimate router (R1) answers with RA1 and an attacker (R2) answers with RA2, so the host ends up with default routers R1 and R2.
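As an added example (not from the slides), the following Python parses the ICMPv6 Router Advertisement body described above and applies an RA Guard style policy to the rogue-router case: an RA is forwarded only when it arrives on a router-facing port and advertises nothing but the sanctioned prefix. Port names, prefixes and the test packets are constructed.

```python
import struct
import ipaddress

ICMPV6_RA = 134        # Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3    # Prefix Information option, 32 bytes

def parse_ra(payload):
    """Parse the ICMPv6 body of a Router Advertisement; return router lifetime and prefixes."""
    if len(payload) < 16:
        raise ValueError("truncated RA")
    typ, _code, _csum, _hop, _flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", payload[:16])
    if typ != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    prefixes, off = [], 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")   # RFC 4861: such packets are discarded
        size = olen * 8
        if off + size > len(payload):
            raise ValueError("option overruns packet")
        if otype == OPT_PREFIX_INFO and size == 32:
            plen = payload[off + 2]
            prefix = ipaddress.IPv6Address(payload[off + 16:off + 32])
            prefixes.append(f"{prefix}/{plen}")
        off += size
    return {"router_lifetime": lifetime, "prefixes": prefixes}

def ra_guard(ingress_port, payload, trusted_ports, allowed_prefixes):
    """RA Guard policy: forward an RA only from a router-facing port advertising
    sanctioned prefixes; otherwise drop it and say why (the R2 case above)."""
    if ingress_port not in trusted_ports:
        return "drop", f"RA received on host port {ingress_port}"
    try:
        ra = parse_ra(payload)
    except ValueError as err:
        return "drop", f"malformed RA: {err}"
    rogue = [p for p in ra["prefixes"] if p not in allowed_prefixes]
    if rogue:
        return "drop", f"unsanctioned prefix(es) {rogue} on {ingress_port}"
    return "forward", f"RA on {ingress_port}, lifetime {ra['router_lifetime']}s"

def build_ra(router_lifetime, prefix, plen):
    """Construct a minimal RA (checksum left zero) for testing; not captured traffic."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, router_lifetime, 0, 0)
    opt = struct.pack("!BBBBII", OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800)
    return hdr + opt + b"\x00" * 4 + ipaddress.IPv6Address(prefix).packed
```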
WATCH OUT ?? Network Infrastructure:
• Routers
• Bandwidth shapers
• Switches (Layer 2 and Layer 3)
Data centre devices:
• Load balancers
• Firewall
• IPS/IDS
• Virtual machines (VMware / Xen)
• Blade management consoles
• IP KVM
Clients:
• PCs on the LAN
• Server, if any
• Proxy / UTM
• Network printers
• Display system
• Antivirus / HIPS
WATCH OUT ?? Infrastructure:
• Power/infra management S/W
• UPS management console
• Building Management System
• Access control system
• Cameras
• Digital video recorders
WiFi systems:
• WiFi controllers
Software stacks:
• Windows / Linux / Solaris / AIX
• IIS6 & above / Apache 2 & above
• AAA server
• Bind 9.5 & above
• Database (transaction log)
• Logging server (syslog / special tools like WebTrends)
Security IPv6
(Diagram: two overlapping sets, IPv4 vulnerabilities and IPv6 vulnerabilities, with IPv4-specific issues on one side, IPv6-specific issues on the other, and the shared vulnerabilities in the overlap.)
IPv6 National Concern?
• It is quite the same as IPv4…
• Can we address all the drawbacks of IPv4 with respect to security?
• With new innovations, is it possible for the security agencies to keep track?
• Borderless domain: makes tracking much more difficult.
• Need for strong international collaboration to resolve cross-border issues.
• Legal interception needs to be in place before vast-scale deployment starts.
FINALLY: SAME ISSUES WITH IPv6 (HACKING TOOLS)
• Packet forgers: Scapy6, SendIP, Packit, Spak6
• Complete tool: http://www.thc.org/thc-ipv6/
• Scanners: IPv6 security scanner, Halfscan6, Nmap, Strobe, Netcat
• DoS tools: 6tunneldos, 4to6ddos, Imps6-tools
• Sniffers / packet capture: Snort, TCPdump, Sun Solaris snoop, COLD, Wireshark, Analyzer, Windump, WinPcap
What all can you start:
• IPv6
• MAIL MX
• LDAP
• DNS zone
• DNSSEC
• Storage on cloud
• DR strategy
• Consulting
• VPN L2/L3
• Routing table
• Relay
• SMS GW
• Mirror
Coming Soon
• DDOS
• VOD
• Social network
• Web streaming
• URL filtering
• Collab CAD
• NMS
• Security VAT
• ISO 2700X
Thank You & Happy NKN
Project Implementation Unit National Knowledge Network National Informatics Centre
3rd Floor, Block III, Delhi IT Park, Shastri Park, New Delhi - 110053
CONTACT NKN: 1800 111 555 [email protected]