ISP對網路安全問題之處理與解決方式 (How an ISP handles and resolves network security problems)
(published on SlideShare under the English title "How To Process And Solve Network Security In ISP")
7th TWNIC OPM, 2006/11/23, Taipei

許至凱
Communication Network Department, Engineering Division, Support Group
kae@du.net.tw

2. Agenda (every slide carries the footer http://www.seed.net.tw)
   - ISP security profile
   - Control plane security
   - Data plane security
   - Reference
3. ISP security profile: two positions at which to implement security
   - Physical position
   - Logical position
   At the logical position, security mechanisms are deployed on two planes:
   - the control plane
   - the data plane
4. ISP security profile (diagram of the two planes)
   - Control plane: router management and the routing protocols
   - Data plane: the forwarded IP/MPLS packets
5. Control plane security: security issues on an ISP router
   - Secure the router itself
   - Keep the routing information secure
   - Event logging
6. Control plane security: secure the router
   - Keep unauthorized traffic away from the router
     » Router ACLs for telnet/ssh and for the IGP/BGP protocol ports, permitting only known management hosts and neighbours
     » Out-of-band management
     » Rate-limit traffic punted to the control plane (ICMP, UDP), so a flood at the router cannot starve the routing processes
   - Use AAA when accessing the router: authentication, authorization and accounting (the audit trail of who did what)
7. Control plane security: keep the routing information secure
   - Authenticate routing exchanges with MD5 neighbour authentication
   - Validate the announced prefixes
     » against the IRR route objects in RADB
     » against a bogon list (Cymru bogon list; CompleteWhois bogon list)
   - Bound the number of prefixes accepted from a neighbour: BGP prefix limitation (maximum-prefix)
8.-9. Control plane security: RADB (two screenshot slides; no text recovered)
10. Control plane security: RADB. The route object for seednet's 139.175.0.0/16, as returned by whois:

    > whois -h whois.radb.net 139.175/16
    route:      139.175.0.0/16
    descr:      Digital United Inc. (seednet)
                No. 220, Gangchi road, Nei-Hu district, Taipei, Taiwan, 11444
    origin:     AS4780
    admin-c:    KH54-AP
    tech-c:     KH54-AP
    notify:     cn@du.net.tw
    mnt-by:     MAINT-AS4780
    changed:    jzs@du.net.tw 20031009
    changed:    kae@du.net.tw 20060605 #02:46:26(UTC)
    source:     RADB

    The route object binds the prefix to its legitimate origin (AS4780), so a peer can build its import filter from the registry instead of trusting whatever the neighbour happens to announce.
11.-13. Control plane security: bogon list, Cymru bogon list (three screenshot slides; no text recovered). A bogon list covers reserved and not-yet-allocated address space, so it changes as IANA allocates new blocks; a filter copied from the list must be refreshed regularly or it will eventually drop legitimate prefixes.
14.-15. Control plane security: bogon list, CompleteWhois bogon list (two screenshot slides; no text recovered)
16. Control plane security: BGP prefix limitation (screenshot slide; no text recovered)
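Slides 7, 10 and 16 describe one import policy in three pieces: the announced prefix must be covered by a route object whose origin matches, it must not be a bogon, and the neighbour must stay under a prefix limit. The following Python is an added example of that policy applied to a stream of announcements; it is not the presenter's code or configuration. The first route object is the RADB record shown on slide 10; the second object (203.0.113.0/24, AS64500), the bogon subset, the announcement stream and the IOS-style prefix-list syntax are constructed for illustration.

```python
"""Import filter for one BGP neighbour: IRR route-object check, bogon check
and a maximum-prefix bound.  Added example, not the presenter's code.  The
first route object is the RADB record from slide 10; the second object, the
bogon subset and the update stream are constructed."""
import ipaddress

RADB_WHOIS_OUTPUT = """\
route:      139.175.0.0/16
descr:      Digital United Inc. (seednet)
            No. 220, Gangchi road, Nei-Hu district, Taipei, Taiwan, 11444
origin:     AS4780
mnt-by:     MAINT-AS4780
changed:    kae@du.net.tw 20060605 #02:46:26(UTC)
source:     RADB

route:      203.0.113.0/24
descr:      constructed second object for the example
origin:     AS64500
source:     RADB
"""

# Constructed subset of a bogon list (RFC 1918, loopback, link-local, class D/E).
# A real list also carries the currently unallocated /8s and therefore changes
# over time; a copy that is never refreshed ends up rejecting legitimate space.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def parse_route_objects(text):
    """Return [(network, origin_asn), ...] from RPSL whois output.  Objects are
    separated by blank lines; lines starting with whitespace continue the
    previous attribute and carry nothing the filter needs."""
    objects, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if "route" in current and "origin" in current:
                asn = int(current["origin"].upper().replace("AS", "", 1))
                objects.append((ipaddress.ip_network(current["route"]), asn))
            current = {}
        elif not line[0].isspace():
            key, _, value = line.partition(":")
            current.setdefault(key.strip(), value.strip())
    return objects


def is_bogon(net):
    if isinstance(net, str):
        net = ipaddress.ip_network(net)
    return any(net.overlaps(b) for b in BOGONS)   # covering a bogon is as bad as being one


def prefix_list_lines(name, route_objects, max_length=24):
    """Render the objects as IOS-style prefix-list statements (syntax shown for
    illustration only; verify against the platform you deploy on)."""
    lines = [f"ip prefix-list {name} permit {net} le {max_length}"
             for net, _ in route_objects]
    lines.append(f"ip prefix-list {name} deny 0.0.0.0/0 le 32")
    return lines


class NeighbourFilter:
    """Import policy for one eBGP session."""

    def __init__(self, route_objects, max_prefix, max_length=24):
        self.route_objects = route_objects
        self.max_prefix = max_prefix      # slide 16: BGP prefix limitation
        self.max_length = max_length      # refuse leaks of tiny more-specifics
        self.accepted = {}

    def evaluate(self, prefix, origin_asn):
        net = ipaddress.ip_network(prefix)
        if is_bogon(net):
            return "reject: bogon"
        if net.prefixlen > self.max_length:
            return "reject: too specific"
        origins = [asn for obj, asn in self.route_objects if net.subnet_of(obj)]
        if not origins:
            return "reject: no route object"
        if origin_asn not in origins:
            return "reject: origin AS mismatch"
        if prefix not in self.accepted and len(self.accepted) >= self.max_prefix:
            return "reject: max-prefix exceeded"   # a router tears the session down here
        self.accepted[prefix] = origin_asn
        return "accept"


ROUTE_OBJECTS = parse_route_objects(RADB_WHOIS_OUTPUT)

# Constructed announcements (prefix, origin AS) as received from the neighbour.
UPDATES = [
    ("139.175.0.0/16", 4780), ("139.175.8.0/21", 4780),
    ("139.175.0.0/16", 64501),    # hijack attempt: right prefix, wrong origin
    ("10.0.0.0/8", 4780),         # bogon
    ("139.175.9.0/25", 4780),     # too specific
    ("198.51.100.0/24", 4780),    # no route object at all
    ("203.0.113.0/24", 64500),
    ("139.175.16.0/20", 4780),    # valid, but the 4th distinct prefix against a limit of 3
]


def run_demo(max_prefix=3):
    nf = NeighbourFilter(ROUTE_OBJECTS, max_prefix)
    return [(p, asn, nf.evaluate(p, asn)) for p, asn in UPDATES]


if __name__ == "__main__":
    print("\n".join(prefix_list_lines("AS4780-IN", ROUTE_OBJECTS)))
    for prefix, asn, verdict in run_demo():
        print(f"{prefix:18} AS{asn:<6} {verdict}")
```

The order of the checks matters: the bogon and length tests are cheap and catch garbage before the registry lookup, and the maximum-prefix count is applied last so that rejected announcements do not consume the neighbour's quota.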
17. Control plane security: event logging
   - Router events: log everything crucial that happens in the router to a log server
   - Routing events
     » IGP events: LSA history; route add/withdraw history
     » BGP events: route add/withdraw
18. Control plane security: router events. Log everything crucial in the router to a log server. Example (a SONET loss of signal takes POS2/3 down for about 75 seconds):

    Nov 21 06:25:27: %SONET-4-ALARM: POS2/3: SLOS
    Nov 21 06:25:29: %LINK-3-UPDOWN: Interface POS2/3, changed state to down
    Nov 21 06:25:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface POS2/3, changed state to down
    Nov 21 06:26:42: %SONET-4-ALARM: POS2/3: SLOS cleared
    Nov 21 06:26:44: %LINK-3-UPDOWN: Interface POS2/3, changed state to up
    Nov 21 06:26:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface POS2/3, changed state to up
19. Control plane security: routing events, IGP. LSA history and route add/withdraw history. (Diagram: OSPF Area 0 and a local area joined by an ABR, with a RIP domain behind an ASBR; the LSAs are exported to an LSA log on the log server.)
20. Control plane security: routing events, BGP. Routes added and withdrawn. (Diagram: AS100, AS200 and AS300 exchanging BGP; the BGP update log is sent to the log server.)
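Slides 17 to 20 say what to log but not what to do with the log. As an added example (not the presenter's tooling), the Python below parses IOS-style syslog into structured events, pairs each LINK down with the following up on the same interface to separate a short flap from an outage still in progress, and keeps the per-prefix add/withdraw history that slide 20 asks for. The first six syslog lines are the ones printed on slide 18; the seventh line (POS2/4) and the whole BGP update log are constructed, and the timestamp format, like the real IOS default, carries no year.

```python
"""Event logging: parse router syslog, detect interface flaps, count route
add/withdraw churn.  Added example, not the presenter's tooling.  The first
six syslog lines are from slide 18; the seventh line and BGP_LOG are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SYSLOG = """\
Nov 21 06:25:27: %SONET-4-ALARM: POS2/3: SLOS
Nov 21 06:25:29: %LINK-3-UPDOWN: Interface POS2/3, changed state to down
Nov 21 06:25:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface POS2/3, changed state to down
Nov 21 06:26:42: %SONET-4-ALARM: POS2/3: SLOS cleared
Nov 21 06:26:44: %LINK-3-UPDOWN: Interface POS2/3, changed state to up
Nov 21 06:26:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface POS2/3, changed state to up
Nov 21 07:10:02: %LINK-3-UPDOWN: Interface POS2/4, changed state to down
"""

# IOS-style "timestamp: %FACILITY-SEVERITY-MNEMONIC: text".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$")
LINK_RE = re.compile(r"Interface (?P<ifname>\S+), changed state to (?P<state>up|down)")


def parse_syslog(text):
    """Return [(timestamp, facility, severity, mnemonic, message), ...].
    Non-matching lines are skipped; a production collector should count them,
    since a burst of unparsable lines is itself worth an alert."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # IOS timestamps carry no year
            events.append((ts, m["facility"], int(m["sev"]), m["mnemonic"], m["msg"]))
    return events


def link_flaps(events, within=timedelta(minutes=5)):
    """Pair each LINK down with the next up on the same interface.  Pairs closer
    than `within` are flaps; a down with no up by the end of the log is an
    outage still in progress.  Returns ({ifname: [(down, up), ...]}, [(ifname, down)])."""
    flaps, pending = defaultdict(list), {}
    for ts, facility, _, mnemonic, msg in events:
        if (facility, mnemonic) != ("LINK", "UPDOWN"):
            continue                      # LINEPROTO duplicates LINK here; count the link once
        lm = LINK_RE.search(msg)
        if not lm:
            continue
        ifname, state = lm["ifname"], lm["state"]
        if state == "down":
            pending[ifname] = ts
        elif ifname in pending:
            down = pending.pop(ifname)
            if ts - down <= within:
                flaps[ifname].append((down, ts))
    return dict(flaps), sorted(pending.items())


# Constructed BGP update log (slide 20 shows it only as a diagram):
# (time, peer, prefix, action).
BGP_LOG = [
    ("06:25:31", "AS200", "139.175.8.0/21", "withdraw"),
    ("06:26:46", "AS200", "139.175.8.0/21", "add"),
    ("06:27:02", "AS200", "139.175.8.0/21", "withdraw"),
    ("06:27:15", "AS200", "139.175.8.0/21", "add"),
    ("06:30:00", "AS300", "203.0.113.0/24", "add"),
]


def route_churn(log, threshold=3):
    """History of adds/withdraws per (peer, prefix); entries with at least
    `threshold` transitions are the flapping routes worth investigating."""
    history = defaultdict(list)
    for t, peer, prefix, action in log:
        history[(peer, prefix)].append((t, action))
    return {k: v for k, v in history.items() if len(v) >= threshold}


if __name__ == "__main__":
    flaps, outages = link_flaps(parse_syslog(SYSLOG))
    for ifname, pairs in flaps.items():
        for down, up in pairs:
            print(f"{ifname} flapped: down {down:%H:%M:%S}, up after {(up - down).seconds}s")
    for ifname, down in outages:
        print(f"{ifname} still down since {down:%H:%M:%S}")
    for (peer, prefix), hist in route_churn(BGP_LOG).items():
        print(f"{prefix} from {peer}: {len(hist)} transitions")
```

The interface flap and the route churn line up in time in this constructed data (the /21 behind POS2/3 is withdrawn two seconds after the link drops), which is the point of shipping both logs to the same server: a routing event can be explained from the router event that caused it.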
21. Data plane security: security issues in the ISP network
   - Prevent unauthenticated (spoofed) packet flows
   - Mitigate denial-of-service attacks
22. Data plane security: prevent unauthenticated packet flows
   - From the Internet: drop packets whose source address is in the bogon list; drop packets with spoofed source addresses
   - To the Internet: drop packets from customers with spoofed source addresses
   - Mechanism: Unicast Reverse Path Forwarding (uRPF). Strict mode, which requires the source to be routed back out the ingress interface, fits single-homed customer ports; loose mode, which only requires that some route to the source exist, is the safe choice on peering links where routing is asymmetric.
23. Data plane security: mitigate denial-of-service attacks
   - Black hole: drop the attack packets at the BGP border routers, by giving the victim's address a more-specific route whose next hop discards the traffic
   - Sink hole: redirect the attack packets to a special node where they can be analysed
24.-25. Data plane security: black hole (diagrams). A DDoS attack is under way against AS100 across its links to AS200 and AS300; the border routers are told to drop the packets.
26.-28. Data plane security: sink hole (diagrams). A DDoS attack is under way against AS100; commands are sent to the border router; the attack packets are redirected to a special node instead of being delivered to the victim.
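Slides 22 to 28 are all decisions taken per packet at the border router, so they can be shown together on one toy forwarding table. The Python below is an added example, not the presenter's configuration: bogon and uRPF checks on ingress (strict on the customer port, loose on the peering links), then a destination lookup in which the black hole and the sink hole are nothing more than a more-specific route for the victim pointing at a discard or analysis next hop. Interface names (Gi1/0, Pos2/3, Pos2/4), the address plan, the attack traffic and the "sinkhole" next-hop label are constructed; only 139.175.0.0/16 and the AS numbers come from the slides. The last step goes slightly beyond the slides by black-holing an attack source rather than the victim, which loose uRPF then turns into a source-based drop.

```python
"""Data-plane checks on a toy border-router FIB: bogon source filter, uRPF,
then destination lookup with black-hole and sink-hole next hops.  Added
example, not the presenter's configuration; interfaces, addresses and the
traffic are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed subset of a bogon list; the real list changes as space is allocated.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]
DISCARD, SINKHOLE = "Null0", "sinkhole"   # special next hops


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str                          # egress interface, DISCARD or SINKHOLE


class Fib:
    def __init__(self, routes):
        self.routes = [Route(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, addr):
        """Longest-prefix match; None when nothing covers the address.  No default
        route is installed on purpose: with one, loose uRPF would accept every
        source unless the default were excluded from the check."""
        best = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def inject(self, prefix, next_hop):
        """The 'commands sent to the border router' of slide 27.  In production the
        route arrives over BGP from a trigger router, tagged with a community
        that the border maps to the discard or sink-hole next hop."""
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if r.prefix != net] + [Route(net, next_hop)]


# AS100 is us: a customer behind Gi1/0, AS200 behind Pos2/3, AS300 behind Pos2/4.
BASE_ROUTES = [("139.175.0.0/16", "Gi1/0"), ("198.51.100.0/24", "Pos2/3"),
               ("203.0.113.0/24", "Pos2/4")]
# Strict uRPF on the single-homed customer port; loose on peering links, where
# asymmetric routing would make strict mode drop legitimate traffic.
URPF = {"Gi1/0": "strict", "Pos2/3": "loose", "Pos2/4": "loose"}


def forward(fib, src, dst, ingress, urpf=URPF):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(s in b for b in BOGONS):
        return "drop: bogon source"
    mode = urpf.get(ingress, "none")
    if mode != "none":
        back = fib.lookup(s)
        if back is None or back.next_hop == DISCARD:
            return f"drop: uRPF {mode}, no valid route back to source"
        if mode == "strict" and back.next_hop != ingress:
            return "drop: uRPF strict, source not reachable via ingress interface"
    route = fib.lookup(d)
    if route is None:
        return "drop: no route"
    if route.next_hop == DISCARD:
        return "drop: black-holed destination"
    if route.next_hop == SINKHOLE:
        return "redirect: sinkhole"
    return f"forward via {route.next_hop}"


def run_scenario():
    fib = Fib(BASE_ROUTES)
    victim = "139.175.1.1"
    out = [
        forward(fib, "198.51.100.7", victim, "Pos2/3"),        # ordinary traffic from AS200
        forward(fib, "10.1.2.3", victim, "Pos2/3"),            # bogon source
        forward(fib, "203.0.113.9", "198.51.100.1", "Gi1/0"),  # customer spoofing AS300 space
        forward(fib, "139.175.2.2", "198.51.100.1", "Gi1/0"),  # customer using its own space
        forward(fib, "192.0.2.5", victim, "Pos2/3"),           # unrouted source on a peering link
    ]
    fib.inject(victim + "/32", DISCARD)                        # slides 24-25: black hole the victim
    out.append(forward(fib, "198.51.100.7", victim, "Pos2/3"))
    out.append(forward(fib, "198.51.100.7", "139.175.1.2", "Pos2/3"))  # rest of the /16 unaffected
    fib.inject(victim + "/32", SINKHOLE)                       # slides 26-28: redirect for analysis
    out.append(forward(fib, "198.51.100.7", victim, "Pos2/3"))
    fib.inject("198.51.100.7/32", DISCARD)                     # black-hole a source: loose uRPF drops it
    out.append(forward(fib, "198.51.100.7", "139.175.1.2", "Pos2/3"))
    return out


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

Black-holing the victim completes the attacker's goal for that one address, which is why it is the emergency measure; the sink hole costs more (the traffic still has to be carried to the analysis node) but keeps the evidence, and the neighbouring host 139.175.1.2 stays reachable in both cases because only the /32 is touched.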
29. Reference
   Books
   - ISP Essentials (Cisco Press): http://www.ciscopress.com/title/1587050412
   Papers
   - "Operational Security Current Practices", http://www.ietf.org/internet-drafts/draft-ietf-opsec-current-practices-07.txt (later published as RFC 4778)
   Web sites
   - http://www.nanog.org/subjects.html#S
   - http://www.cymru.com/Bogons/
   - http://www.completewhois.com/bogons/
30. Questions & Comments?