Agenda
- Introduction
- Juniper Networks Routers Architecture
- Router Protection
- Encryption of Traffic
- Source Address Verification
- Real-time Traffic Analysis
- I/O Filters and Rate Limiting
- Summary
Frequency
- Over 4,000 Distributed DoS attacks a week
Sophistication
- Distributed DoS attacks hard to detect & stop
- Network elements recently targeted
Impact
- Yahoo, eBay, Microsoft make headlines
- Cloud 9 (UK) ISP out of business
[Chart: attack sophistication timeline 1994-2000, from Host Based Attacks (Packet Sniffers, IP Spoofing) to Network Based Attacks (Denial of Service Attacks, Automated Scanning Tools, Distributed Denial of Service Attacks). Source: Published CERT figures]
Juniper Networks, Inc. Copyright 2002
Attacks Target Network
[Chart: router performance against the SLA target over time under partial and reactive security]
Partial
- Enable security at specific ... or software allow
- Does not provide reliable security
Reactive
- Security enabled after attack is detected
- High operational effort
- Performance SLAs affected
Ubiquitous
- Juniper Networks: Single Image, Security on All Interfaces
Continuous
- Juniper Networks: Low impact, turn it on, leave it on
Economical
- Juniper Networks: Included in the basic platform
Proven
- Juniper Networks: Shipping since 2000 and in use in production networks around the world

Lets You, Rather Than Your Equipment, Dictate Your Network Security Policy.
Retention
- Increased
Services
- Lawful Intercept
- Intrusion Detection Services
- High Speed Encrypted VPNs
- Attack Resistant Web Hosting
- Denial of Service Protection/Control
- Spoofing Protection
[Diagram: numbered security functions on the router]
- H/W Based Packet Filtering
- Individual Command Authorization
- Traffic Policing
- Firewall
- Syslogs/MIB
- H/W Based Router Protection
- Customer Protection
- Detection: Real time traffic analysis (port mirroring) for Lawful Intercept, IDS
- Suppression: I/O filters to block attack flows; Rate limiting
System Architecture
Junos Internet Software
Routing Engine
- Maintains routing table and constructs forwarding table using knowledge of the network
Forwarding Table, Switch Fabric and I/O Cards
- Receives packet forwarding table from Routing Engine
- Copies packets from an input interface to an output interface
- Conducts incremental table updates without forwarding interruption
IP II ASIC Overview
Internet Processor II
- Leverages proven, predictable ASIC forwarding technology of Internet Processor
- Provides breakthrough technology to support performance-based, enhanced Services
  - Security and bandwidth control (i.e. filtering) at speed
  - Visibility into network operations at speed
Filtering
- IP-II enables significant Filter Specification

    filter my-filter ip {
        rule 10 {
            protocol tcp;
            source-address 128.100.1/24;
            port [ smtp ftp-data 666 1024-1536 ];
            action { reject tcp-reset; }
        }
    }

  Multiple rules may be specified.
[Diagram: Junos software modules: TCP, Interface Mgmt, Protocols, Operating System]
Traffic Framework
- Management, Control and Data planes
- Source, Destination and Type
  - Router Management
  - Routing Control
  - ICMP Notification
  - User Data
[Diagram: Junos software modules including Security, Chassis Mgmt, SNMP]
- Purpose built for Internet scale
- Modular design for high reliability
- Best-in-class routing protocol implementations
- Foundation for new services with MPLS traffic engineering
- Common software across entire product line leverages stability, interoperability, and a wide range of features
Route Control
- Import filters
- Export filters
- Mark
- Limit
  - Announcements
  - Prefixes
- No SNMP set support for editing configuration data
- Default Martian addresses
Secure Shell
- SSH v1 / v2
- Support connection limit + rate limit
Central Authentication
- TACACS+ / RADIUS
- User classes with specific privileges
Need to be CPU based
- Protocols need processing power for fast updates and to minimize convergence time
- Forged routing packets (BGP, OSPF, RIP, etc.)
- Bogus management traffic (ICMP, SNMP, SSH, etc.)
- Rates in excess of 40M/second: CPU based filtering unable to keep up
- Attacks consume CPU resources needed for control traffic
- Danger of protocol time-outs, leading to network instabilities
- Define protocols and ports that need to communicate
- Accept desired traffic and discard everything else
- One filter applied to the loopback interface protects router and all interfaces

    firewall {
        filter protect-RE {
            term established {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            term trusted-traffic {
                from {
                    source-address {
                        10.10.10.0/24;
                        10.10.11.0/24;
                        10.10.12.0/24;
                        10.10.17.0/24;
                        10.10.18.0/24;
                    }
                    protocol [ icmp tcp ospf udp ];
                    destination-port [ bgp domain ftp ftp-data snmp ssh ntp ];
                }
                then accept;
            }
            term default {
                then {
                    log;
                    discard;
                }
            }
        }
    }
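The following is an added example, not Juniper code: a small model of how a Junos firewall filter such as protect-RE is evaluated, term by term with the first full match deciding the action and the last, condition-less term as the default. The Packet and Term classes, the sample packets and the port-number table are this example's own constructs. It also shows the check a practitioner would want to make before deploying the filter above: a packet without a transport port (an ICMP echo from a trusted host, say) cannot satisfy the destination-port condition in the trusted-traffic term and therefore falls through to the default discard.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Added example of first-match term evaluation; not Junos code.

@dataclass
class Packet:
    src: str                          # source IPv4 address
    protocol: str                     # "tcp", "udp", "icmp" or "ospf"
    dst_port: Optional[int] = None    # None for protocols without ports
    tcp_established: bool = False     # ACK or RST set, which is what tcp-established matches

@dataclass
class Term:
    name: str
    action: str                       # "accept" or "discard"
    log: bool = False
    sources: list = field(default_factory=list)    # ip_network objects; empty = any source
    protocols: set = field(default_factory=set)    # empty = any protocol
    dst_ports: set = field(default_factory=set)    # empty = any port
    established: bool = False

    def matches(self, pkt: Packet) -> bool:
        """Every configured 'from' condition must hold, as in a Junos term."""
        if self.sources and not any(ipaddress.ip_address(pkt.src) in n for n in self.sources):
            return False
        if self.protocols and pkt.protocol not in self.protocols:
            return False
        # A port-less packet (ICMP, OSPF) can never satisfy a destination-port
        # condition, so a trusted ping falls through to the default term here.
        if self.dst_ports and pkt.dst_port not in self.dst_ports:
            return False
        if self.established and not (pkt.protocol == "tcp" and pkt.tcp_established):
            return False
        return True

# Port names used in the filter, resolved to their IANA numbers.
PORTS = {"bgp": 179, "domain": 53, "ftp": 21, "ftp-data": 20,
         "snmp": 161, "ssh": 22, "ntp": 123}

TRUSTED = [ipaddress.ip_network(n) for n in (
    "10.10.10.0/24", "10.10.11.0/24", "10.10.12.0/24", "10.10.17.0/24", "10.10.18.0/24")]

# The three terms of protect-RE, in configuration order.
PROTECT_RE = [
    Term("established", "accept", protocols={"tcp"}, established=True),
    Term("trusted-traffic", "accept", sources=TRUSTED,
         protocols={"icmp", "tcp", "ospf", "udp"}, dst_ports=set(PORTS.values())),
    Term("default", "discard", log=True),   # no 'from': matches everything left over
]

def evaluate(terms, pkt):
    """Return (term name, action, logged) for the first term that matches pkt."""
    for term in terms:
        if term.matches(pkt):
            return term.name, term.action, term.log
    # Junos discards silently when no term matches; protect-RE never gets here.
    return None, "discard", False

def audit(terms, packets):
    """Run packets through the filter; return a log line for each logged discard."""
    lines = []
    for pkt in packets:
        name, action, logged = evaluate(terms, pkt)
        if action == "discard" and logged:
            lines.append(f"discard {pkt.protocol} {pkt.src} -> port {pkt.dst_port} by term {name}")
    return lines

if __name__ == "__main__":
    # Constructed packets addressed to the router itself.
    samples = [
        Packet("10.10.10.5", "tcp", PORTS["bgp"]),                  # trusted BGP peer
        Packet("192.0.2.9", "tcp", PORTS["ssh"]),                   # SSH from an untrusted host
        Packet("192.0.2.9", "tcp", 40000, tcp_established=True),    # reply to a router-initiated session
        Packet("10.10.10.5", "icmp"),                               # ping from a trusted host
    ]
    for pkt in samples:
        print(pkt.src, pkt.protocol, pkt.dst_port, "->", evaluate(PROTECT_RE, pkt))
    print(audit(PROTECT_RE, samples))
```

The trusted ping ending up in the default term is the point to take from the run: in the filter as written, ICMP is listed in the protocol match but shares a term with a destination-port condition, so a production version would give ICMP a term of its own (with a policer, given the CPU-exhaustion concern described above).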
- Delivers private and secure communication of mission-critical customer traffic
- Provides up to 1,000 tunnels per PIC
- Can scale using multiple PICs
Tunnel/Transport Mode
Authentication Algorithms
Encryption Algorithms
IKE Features
- Support for automated key management using Diffie-Hellman key establishment
- Main/Aggressive mode supported for IKE SA setup
- Quick Mode supported for IPSec SA setup
Why it is needed:
- IP address spoofing is a technique used in DoS attacks
- Attacker pretends to be someone else
- Makes it difficult to trace back the attacks
- Common operating systems let users spoof a machine's IP address
How it is done:
- Route table look-up performed on IP source address
- Router determines if traffic is arriving on expected path
Juniper Solution
- uRPF can be configured per-interface/sub-interface
- Supports both IPv4 and IPv6
- Packet/Byte counters for traffic failing the uRPF check
- Additional filtering available for traffic failing check:
  - police/reject
  - Can syslog the rejected traffic for later analysis
Active-paths:
- uRPF only considers the best path toward a particular destination
Feasible-paths:
- uRPF considers all the feasible paths. This is used where routing is asymmetrical.
[Diagram: uRPF applied on interfaces so-0/0/0.0 and so-1/0/0.0 in front of a Data Center, network 11.11.11.0/24]
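As an added example, not Junos code, the uRPF check described above run over a constructed forwarding table: a reverse lookup on the source address, then a comparison of the ingress interface with the best path back (active-paths) or with any path back (feasible-paths). The interface names, prefixes and metrics are illustrative; the example goes slightly beyond the slides by also showing the effect of a default route on the check.

```python
import ipaddress

# Added example of the unicast RPF check; not Junos code.
# Each FIB entry maps a prefix to candidate next-hop interfaces with a metric.
# The lowest-metric entry is the active path; every entry is a feasible path.
FIB = {
    "11.11.11.0/24": [("so-0/0/0.0", 10)],                          # data-center prefix
    "10.0.0.0/8":    [("so-1/0/0.0", 10), ("so-0/0/0.0", 20)],     # asymmetric: two feasible paths
    "192.0.2.0/24":  [("so-1/0/0.0", 5)],
    "0.0.0.0/0":     [("so-2/0/0.0", 100)],                         # default route
}

def lookup(addr):
    """Longest-prefix match on the source address; returns (network, paths) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, paths in FIB.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, paths)
    return best

def urpf_check(src, ingress_iface, mode="active-paths"):
    """True if a packet from src arriving on ingress_iface passes the uRPF check.
    active-paths: ingress must be the best path back to src.
    feasible-paths: ingress may be any path back to src (asymmetric routing)."""
    hit = lookup(src)
    if hit is None:
        return False                      # no route back to the source at all
    _, paths = hit
    if mode == "active-paths":
        best = min(metric for _, metric in paths)
        expected = {iface for iface, metric in paths if metric == best}
    elif mode == "feasible-paths":
        expected = {iface for iface, _ in paths}
    else:
        raise ValueError(f"unknown uRPF mode {mode}")
    return ingress_iface in expected

def apply_urpf(packets, mode="active-paths"):
    """Run (src, ingress) pairs through the check. Returns the accepted count and
    syslog-style lines for the failures, mirroring the counters and syslog option."""
    accepted, log = 0, []
    for src, ingress in packets:
        if urpf_check(src, ingress, mode):
            accepted += 1
        else:
            log.append(f"uRPF reject: src {src} on {ingress} ({mode})")
    return accepted, log

if __name__ == "__main__":
    # Constructed packets; the second carries a data-center source but arrives on the far side.
    pkts = [("11.11.11.7", "so-0/0/0.0"), ("11.11.11.7", "so-1/0/0.0"),
            ("10.1.2.3", "so-0/0/0.0"), ("203.0.113.1", "so-2/0/0.0")]
    for mode in ("active-paths", "feasible-paths"):
        print(mode, apply_urpf(pkts, mode))
```

Two things the run makes visible: 10.1.2.3 arriving on so-0/0/0.0 fails active-paths but passes feasible-paths, which is exactly the asymmetric-routing case the slides reserve feasible-paths for; and 203.0.113.1, covered only by the default route, passes on the default route's interface, so on an interface that carries a default route the check says little about the source and is best combined with the filters described in the next section.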
Sampling and cflowd format export (v5 + v8) since JUNOS 5.4
Passive Monitoring PIC
- Application is primarily for security and traffic analysis
- Monitors IPv4 packets and flows over SONET on:
  - OC-3c, OC-12c and OC-48c
  - PPP or HDLC (Cisco) layer 2 encapsulations
- IPSec or GRE tunnels can be used for exporting
[Diagram: traffic mirrored from the Data Center to the Passive Monitoring PIC]
- Pre-configure Destination Class Usage (DCU) on customer-facing ingress interfaces
- Accounting feature typically for billing
- Supported in JUNOS 4.3 (12/2000) and beyond
- Counts packets, bytes destined for each of up to 16 communities per interface
- Counters retrievable via SNMP
- Note: Source Class Usage is also supported (since JUNOS 5.4)
During Attack
- Use BGP to announce victim's /32 host address with special community
- Trigger SNMP polling of DCU counters on all ingress interfaces
- Apply heuristic to identify likely attack sources
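The last step above, "apply heuristic to identify likely attack sources", as an added example that is not Junos code: two constructed snapshots of the DCU packet counters for the victim's destination class, one per customer-facing ingress interface, are turned into per-interface rates and the interfaces carrying a disproportionate share of the traffic toward the victim are flagged. Interface names, counts, thresholds and the share-based heuristic itself are this example's own choices, and the counter-wrap handling covers the 32-bit SNMP counter case a poller has to expect.

```python
# Added example of a traceback heuristic over DCU counters; not Junos code.

POLL_INTERVAL = 60   # seconds between the two SNMP polls (constructed)

# Packets counted toward the victim's destination class, per ingress interface (constructed).
POLL_1 = {"ge-0/0/0": 1_000, "ge-0/0/1": 5_000, "ge-0/0/2": 800, "ge-0/0/3": 120_000}
POLL_2 = {"ge-0/0/0": 1_300, "ge-0/0/1": 905_000, "ge-0/0/2": 900, "ge-0/0/3": 720_000}

def counter_delta(before, after, counter_bits=64):
    """Difference between two SNMP counter readings, allowing for one wrap-around."""
    delta = after - before
    if delta < 0:                 # counter wrapped between the two polls
        delta += 1 << counter_bits
    return delta

def rates(poll_a, poll_b, interval, counter_bits=64):
    """Packets per second toward the victim class on each ingress interface."""
    return {iface: counter_delta(poll_a[iface], poll_b[iface], counter_bits) / interval
            for iface in poll_a}

def likely_attack_sources(poll_a, poll_b, interval, share_threshold=0.2, min_pps=1000):
    """Rank ingress interfaces by their share of traffic to the victim and flag any
    carrying at least share_threshold of the total and at least min_pps.
    Returns (interface, pps, share) tuples sorted by pps, highest first."""
    r = rates(poll_a, poll_b, interval)
    total = sum(r.values())
    if total == 0:
        return []                 # nothing reached the victim class in this interval
    flagged = [(iface, pps, pps / total) for iface, pps in r.items()
               if pps / total >= share_threshold and pps >= min_pps]
    return sorted(flagged, key=lambda t: t[1], reverse=True)

if __name__ == "__main__":
    for iface, pps, share in likely_attack_sources(POLL_1, POLL_2, POLL_INTERVAL):
        print(f"{iface}: {pps:.0f} pps toward victim ({share:.0%} of total)")
```

The output names the ingress interfaces whose counters jumped between the two polls, which is the list a NOC operator would take to the rate-limiting and I/O filter steps in the next section; the min_pps floor keeps a quiet interface with a large share of a tiny total from being flagged.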
[Diagram: attack traceback topology with Switch, Victim Network, Attacker Network, User Networks, Attack Network and NOC; attacking host 128.8.128.80]
    ...
            protocol icmp;
        }
        then {
            discard;
            log;
        }
    }
}
Rate Limiting
Juniper Advantage
- Architectural reasons we perform
  - Internet Processor ASIC not tied to an interface or release
  - Stable operation, routing and management traffic unaffected
[Diagram: traffic flow and attack flow through the router; all traffic gets dropped during filter compilation (NOC)]
[Diagram: traffic flow and attack flow through the router; attack traffic gets dropped as the NOC operator applies or changes filters]
Next Steps
- White Papers
- Security ... Practices
- Ensuring ...
Further References
- Available from http://www.juniper.net/techcenter
Thank You
juze@juniper.net