Secured Internet Gateway for ISP with pfsense & FRR
1.
Secured Internet Gateway for ISP with pfSense and FRR
Out of the Routing Box
Md. Rezaul Karim, Omnitech Systems (rkarim@omnitechone.com)
Suman Kumar Saha, ADN Telecom (suman@adnsl.net)
2.
DDoS Attacks Trending Up for Service Providers
● Q1 2021 saw 2.9 million DDoS attacks launched.
● The ATLAS Security Engineering & Response Team (ASERT) has warned that last year's record-breaking volume of DDoS attacks could be exceeded in 2021.
● In 2020: more than 10 million DDoS incidents.
● Analyzing which industries attackers chose to hit, researchers observed that healthcare, education and online services were prime targets.
3.
DDoS is New Normal
● Many attacks (42%) lasted between five and ten minutes, while assaults lasting fewer than five minutes dropped from 24% to 19%.
● Global estimates of the total number of DDoS attacks are anticipated to double to 14.5 million by 2022.
● No DDoS mitigation tool is foolproof.
● UDP-based DDoS attack vectors fuel attack increases.
Duration of Attack
5.
Spot on Bangladesh
● Throughout the year, DDoS was the most talked-about incident among network operators.
● There are no statistics, but some operators experienced attacks a few times a month.
● Mostly volumetric DDoS attacks.
● MikroTik is mostly used as the core router, so there are only a few options for handling the incidents.
● Some operators use BGP communities to drop malicious sources.
● A hacker group called ‘Hafnium’ has launched attacks on more than 200 organizations in Bangladesh.
Destination ports Used for Attacks
6.
Out of the Router Appliance Box Solution Planning
● We have Cisco, Juniper and MikroTik router boxes in the current network.
● Now we can use a BGP community feed to stop bad actors.
● ISPs are facing frequent outages due to DDoS.
● In most cases operators are using MikroTik routers.
● We were looking for an open source technology that is easy to implement and cost-effective.
● Some ISPs have only a few resources to maintain the core network, so we tried to find a simple solution.
● We chose FRR for BGP and pfSense to make the router security-aware and to maintain cyber hygiene from the core network.
7.
pfSense: Firewall with threat intel feeds
● pfSense: a free, open source customized distribution of FreeBSD tailored for use as a smart firewall and router.
● Netgate is the current maintainer of pfSense.
● Firewall.
● Routing.
● Redundancy.
● Traffic shaping.
● Routers are not aware of security incidents and threats.
● We are talking about a locality where MikroTik is mostly used in operators' networks.
8.
Some Community Threat intel IP & DNS Feed Sources (Blocklist)
● Spamhaus
● CINS Army
● Talos Intelligence
● FireHOL (collection of cybercrime IP feeds)
● MaxMind GeoIP blocklist (and Top Spammers)
● Juniper Security
● malwaredomainlist.com
● AdAway
● EasyList (privacy, trackers)
● DNSBL SafeSearch by Google, Yandex, DuckDuckGo, Bing and Pixabay.
● … and many more.
10.
Threat Intel: Proofpoint ET IQRISK IPv4 Reputation
11.
FRR: Roots from Quagga
● FRRouting (FRR) is a free and open source Internet routing protocol suite for Linux and Unix platforms, developed in collaboration with the Linux Foundation.
● It implements BGP, OSPF, RIP, IS-IS, PIM, LDP, BFD, Babel, PBR, OpenFabric and VRRP, with alpha support for EIGRP and NHRP.
● RPKI is supported.
● SDN can be overlaid on FRR.
● Supports segment routing.
● TNSR is a carrier-grade router developed using FRR (incl. VPP + DPDK).
● Packet forwarding is a challenge that can be overcome with Vector Packet Processing and DPDK.
12.
RECOMMENDED SYSTEM REQUIREMENTS
Processor: Intel Xeon D1541/ Intel 2600 Series v3/v4 2.4GHz+, 8-Core/16 Thread
RAM: 16GB | SSD: 128G
NIC: Intel/Mellanox/Chelsio multiqueue NIC / Smart-NIC
pfSense version 2.4.5-p1 - Most Stable (FreeBSD 11x) - Recommended
pfSense version 2.5.1-p0 - New Stable (FreeBSD 12x) - For Latest Hardware
Tested Throughput :
# IMIX TRAFFIC #
L3 Forwarding: 10Gbps
Firewall: 5Gbps+ (10k ACLs)
13.
Case study 1: (Replaced MikroTik)
-> Better user experience, fewer threat vectors.
-> Far fewer customer complaints.
-> Does not require frequent rebooting of core devices.
-> More stable and better service than MikroTik.
-> Blocks most malware, spyware, adware and tracking.
-> Several steps ahead toward a safe internet experience.
-> Supports /31 network configuration.
14.
Case study 1: More stable service and better user experience, fewer threat vectors.
15.
Case Study 1: Filtering based on attacker geolocation and threat intel
● It can also filter bad actors' IPs based on threat intelligence data.
● When pfSense blocks threat source IPs, that is a huge sanitization of the whole network from malicious traffic.
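Blocking on community feeds at an ISP core raises one operational risk the slide does not spell out: a malformed or overly broad feed entry can drop legitimate or even the operator's own address space. The following is an added example, not taken from the slides or from pfSense: it merges IPv4 feeds, skips bad lines, carves allowlisted prefixes out, and collapses the result into a CIDR list suitable for a firewall alias or table. The two feed layouts (`;` and `#` comments), the allowlist prefix and the `min_prefix` threshold are assumptions, and the sample data is constructed from documentation ranges.

```python
import ipaddress

# Constructed sample feeds using documentation ranges only (not real indicators).
SEMICOLON_FEED = """\
; constructed sample, "CIDR ; reference" layout
192.0.2.0/24 ; REF-EXAMPLE-1
198.51.100.0/25 ; REF-EXAMPLE-2
0.0.0.0/0 ; a bad entry that would block everything
"""
HASH_FEED = """\
# constructed sample, one address or CIDR per line
198.51.100.128/25
203.0.113.7
203.0.113.7
not-an-ip
"""
ALLOWLIST = ["203.0.113.0/29"]  # hypothetical operator-owned IPv4 prefix


def parse_feed(text):
    """Yield IPv4 networks from a feed, skipping comments and malformed lines."""
    for line in text.splitlines():
        token = line.split(";")[0].split("#")[0].strip()
        if not token:
            continue
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue  # one bad line must not abort the whole update
        if net.version == 4:
            yield net


def build_blocklist(feeds, allowlist, min_prefix=8):
    """Merge feeds, carve allowlisted space out, return collapsed CIDR strings."""
    allow = [ipaddress.ip_network(a) for a in allowlist]
    nets = set()
    for feed in feeds:
        for net in parse_feed(feed):
            if net.prefixlen < min_prefix:
                continue  # implausibly broad entry: treat as a feed error
            pieces = [net]
            for a in allow:
                kept = []
                for p in pieces:
                    if p.subnet_of(a):
                        continue  # entirely inside protected space
                    kept.extend(p.address_exclude(a) if a.subnet_of(p) else [p])
                pieces = kept
            nets.update(pieces)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]
```

With the constructed feeds, the two adjacent /25 entries collapse into one /24, the duplicate host inside the allowlisted /29 is dropped, and the `0.0.0.0/0` entry is rejected.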
16.
Case Study 1: Visibility on malicious activity
17.
Case study 2: Incorporate pfSense in an existing MikroTik-based network
-> No need to change the existing setup overnight.
-> Gain better user experience, fewer threat vectors.
-> Blocks most malware, spyware, adware and tracking.
-> Several steps ahead toward a safe internet experience.
-> Spammer IPs can be blocked based on threat intel data.
18.
Case Study 2: pfSense along with MikroTik
● pfSense is placed as the core router and firewall.
● FRR will be used to peer with the Internet only.
● Other IX and local peers stay on MikroTik, to maintain local traffic queues as easily as usual.
● pfSense will be a safeguard against internet-facing threats.
19.
Gain Cyber Hygiene from the power of open source
● It is always challenging to maintain good cyber hygiene for a customer network.
● The pfSense firewall is efficient without losing quality of service, and is easy to implement and maintain.
● Through pfSense, a network operator can get a good number of reputable threat intelligence feeds and protection from threat sources based on the threat data.
● Network operators get better visibility into their networks.
● A log server can be integrated easily for compliance.
20.
Thank you
Q&A?
Md. Rezaul Karim, Omnitech Systems (rkarim@omnitechone.com)
Suman Kumar Saha, ADN Telecom (suman@adnsl.net)