
1 Abilene Transit Security Policy
Joint Techs Summer ’05, Vancouver, BC, CA
Steve Cotter, Director, Network Services, scotter@internet2.edu

2 Basic Premise
- Policy is determined by the basic properties of an IP network: control is at the edge. Hosts determine when and where to send packets and initiate flows.
- This control often leads to vulnerabilities: hosts can become compromised, and compromised hosts may be used to compromise other hosts, which can lead to large amounts of traffic being sent to other hosts.
- As a backbone network, we view Abilene as a ‘pipe’ and not a controlling entity.

3 Network Control
- The Abilene backbone does have the means to apply some control across the network: it is possible to block traffic on some ports, and possible to block all traffic from a particular IP address.
- Security Policy #1: Abilene does not unilaterally filter traffic on a network-wide basis unless the network itself is under attack.
- Scenario: compromised hosts use port 135 to propagate a virus to infect other hosts. Abilene would not unilaterally block that port; that function is handled more efficiently at the edge. Had the routers or switches themselves been under attack, Abilene would have blocked that traffic immediately.

4 Filtering Traffic
- The Abilene backbone will filter traffic in some situations: if one or more hosts on a connector or peer are under attack, or if requested by an institution, peer or connector (noc@abilene.iu.edu, 317-278-6622).
- Security Policy #2: Abilene will filter traffic to a connector or peer if requested by that particular connector or peer network, filtering the appropriate traffic through the connection in question. Abilene will make every possible attempt to authenticate those making requests for traffic filtering through interconnection points.
- Abilene’s method for blocking this traffic is our BGP Discard Routing procedure.

5 Filtering Traffic
- Abilene reserves the right to protect itself and its connectors / peers from other connectors and peers. If a threat to the network exists through a particular connector, Abilene reserves the right to filter that traffic. Ultimately, Abilene could disconnect the offending connector or peer.
- Security Policy #3: Abilene reserves the right to filter all traffic or terminate any connection if it is under attack. Every attempt will be made to contact the network in question to discuss various options and alternatives.

6 Research and Education Information Sharing Analysis Center (REN-ISAC)
- The REN-ISAC supports higher education and the research community by providing advanced security services to national supporting networks, and by supporting efforts to protect the national cyberinfrastructure through participation in the formal sector ISAC infrastructure.
- Security Policy #4: Abilene will report all known incidents of security threats to the REN-ISAC.
- Determining what traffic is a security threat is a network research problem. A measurement infrastructure is part of Abilene’s network operations (the Abilene Observatory).

7 Data Collection
- Abilene collects flow statistics on a sampling basis that could potentially identify source and destination addresses and ports.
- This data is anonymized (the 11 lower-order bits of all IP addresses are zeroed out) before it is saved to disk.
- For privacy reasons, Abilene does not collect data pertaining to communications between identifiable hosts. However, this information could identify compromised hosts.
- Security Policy #4: During times of security attacks, the REN-ISAC can un-anonymize data, but only that data related to the attack itself. The resulting data is anonymized as soon as possible after the attack is understood.
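To make the "11 lower-order bits zeroed" rule concrete, here is an added Python example (not Abilene's or the Observatory's own code) that applies that masking to constructed flow records and then aggregates packet counts per anonymized block. The flow-record layout and the sample addresses (RFC 5737 documentation ranges) are assumptions for the illustration; the only value taken from the slide is the 11-bit mask. Zeroing 11 bits folds every address into a /21, so 2,048 hosts share one stored value.

```python
import ipaddress
from collections import Counter

# From the slide: the 11 lower-order bits of every IPv4 address are zeroed
# before flow records are written to disk. 2**11 = 2048 addresses (a /21)
# collapse to one value, so a single host is not recoverable but the block is.
ANON_BITS = 11


def anonymize_ipv4(addr: str, bits: int = ANON_BITS) -> str:
    """Zero the `bits` lowest-order bits of an IPv4 address."""
    value = int(ipaddress.IPv4Address(addr))
    mask = (0xFFFFFFFF << bits) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(value & mask))


def anonymized_block(addr: str, bits: int = ANON_BITS) -> str:
    """The prefix an address is folded into: a /(32 - bits), i.e. a /21 here."""
    return str(ipaddress.ip_network(f"{anonymize_ipv4(addr, bits)}/{32 - bits}"))


def anonymize_flow(flow: dict, bits: int = ANON_BITS) -> dict:
    """Apply the address transform to one flow record; ports are kept as-is
    (the slide only says addresses are masked). Record layout is assumed."""
    out = dict(flow)
    out["src"] = anonymize_ipv4(flow["src"], bits)
    out["dst"] = anonymize_ipv4(flow["dst"], bits)
    return out


# Constructed sample flow records (documentation addresses, not real traffic).
SAMPLE_FLOWS = [
    {"src": "198.51.100.23", "dst": "203.0.113.9", "dport": 135, "packets": 4000},
    {"src": "198.51.103.200", "dst": "203.0.113.9", "dport": 135, "packets": 3900},
    {"src": "198.51.104.5", "dst": "203.0.113.9", "dport": 135, "packets": 12},
    {"src": "192.0.2.77", "dst": "203.0.113.9", "dport": 443, "packets": 30},
]


def packets_by_source_block(flows, bits: int = ANON_BITS) -> dict:
    """Aggregate packet counts per anonymized source block. This is what an
    analyst can still see after masking: a noisy /21, not the individual host."""
    totals = Counter()
    for f in flows:
        totals[anonymized_block(f["src"], bits)] += f["packets"]
    return dict(totals)


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(anonymize_flow(f))
    print(packets_by_source_block(SAMPLE_FLOWS))
```

Running it shows the first two sources (198.51.100.23 and 198.51.103.200) both stored as 198.51.96.0, while 198.51.104.5 lands in the neighbouring /21. The masking is lossy: nothing in the stored record recovers the original host, so un-anonymizing attack-related data, as the slide describes, can only work from data held before the mask was applied.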

8 Data Analysis
- Information derived from analysis of the flow data that identifies specific institutions or hosts is treated as confidential information.
- Security Policy #5: Institutions may request specific sources of cyber security attacks located on their respective networks. Only security-related information will be reported to the institutions.
- Abilene data is meant to supplement, not replace, data collected by individual institutions or connectors. Internet2 strongly encourages institutions to collect their own data, potentially providing a greater degree of specificity to particular security problems.

9 BGP Discard Routing
- Connectors can advertise routes to Abilene via BGP for which all traffic to those routes will be discarded by the Abilene routers. This is useful during a DoS attack because the traffic can be dropped before it crosses the link to the connector.
- A few important points:
  - Discard routes will NOT be accepted for routes larger than a /24.
  - There is no way to place a limit on the number of discard routes a connector can advertise. The limit on the total number of routes a connector can advertise is currently 3,000.
  - Abilene's default policy is to not accept routes smaller than a /27. There have been some exceptions made to this policy. For those /28 and smaller routes, it will not be possible to announce more specific discard routes.
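The three constraints on this slide interact (a discard route must be /24 or more specific, any route must be /27 or less specific by default, and everything counts toward the 3,000-route cap), so a small pre-check is useful before a connector pushes discard routes during an attack. The following is an added Python example, not Abilene's route filters: it encodes only the prefix-length and count rules stated on the slide, and the `(prefix, is_discard)` representation and the sample advertisements are assumptions. It also derives the slide's last point, that a /28 leaves no room for a more-specific discard route, from the /27 floor.

```python
import ipaddress

# Policy values taken from the slide.
MAX_ROUTES = 3000             # total routes a connector may advertise
DISCARD_LEAST_SPECIFIC = 24   # discard routes larger (less specific) than /24 are refused
DEFAULT_MOST_SPECIFIC = 27    # routes smaller (more specific) than /27 are refused by default


def check_route(prefix: str, discard: bool):
    """Decide whether one advertised route is acceptable under the stated
    policy and return (accepted, reason)."""
    net = ipaddress.ip_network(prefix, strict=True)
    plen = net.prefixlen
    if plen > DEFAULT_MOST_SPECIFIC:
        return False, f"{net} is more specific than /{DEFAULT_MOST_SPECIFIC} (default policy)"
    if discard and plen < DISCARD_LEAST_SPECIFIC:
        return False, f"discard route {net} is larger than a /{DISCARD_LEAST_SPECIFIC}"
    kind = "discard" if discard else "route"
    return True, f"{kind} {net} accepted"


def evaluate_advertisements(routes):
    """routes: iterable of (prefix, is_discard) tuples (assumed representation).
    Returns (accepted, rejected, over_limit); the 3,000 cap applies to the
    connector's whole advertisement, discard routes included."""
    routes = list(routes)
    accepted, rejected = [], []
    for prefix, discard in routes:
        ok, reason = check_route(prefix, discard)
        (accepted if ok else rejected).append((prefix, reason))
    over_limit = len(routes) > MAX_ROUTES
    return accepted, rejected, over_limit


def discard_options_for(prefix: str):
    """Prefix lengths at which a more-specific discard route could still be
    announced under `prefix`. Empty for a /27, /28 or smaller, matching the slide."""
    plen = ipaddress.ip_network(prefix).prefixlen
    start = max(plen + 1, DISCARD_LEAST_SPECIFIC)
    return list(range(start, DEFAULT_MOST_SPECIFIC + 1))


# Constructed sample advertisement from one connector (documentation addresses).
SAMPLE_ADVERTISEMENTS = [
    ("198.51.100.0/22", False),   # normal route, fine
    ("203.0.113.0/28", False),    # more specific than /27: refused by default
    ("198.51.100.0/23", True),    # discard larger than /24: refused
    ("198.51.100.0/24", True),    # discard at /24: accepted
    ("198.51.101.128/25", True),  # discard between /24 and /27: accepted
    ("198.51.102.0/29", True),    # discard more specific than /27: refused
]


if __name__ == "__main__":
    accepted, rejected, over = evaluate_advertisements(SAMPLE_ADVERTISEMENTS)
    for _, reason in accepted + rejected:
        print(reason)
    print("over 3,000-route limit:", over)
    print("discard options under 198.51.100.0/28:", discard_options_for("198.51.100.0/28"))
```

On the sample, three advertisements pass and three are refused; the /28 query returns an empty list because the only more-specific lengths (/29 and below) fall under the /27 floor. The check says nothing about whether a discard prefix actually belongs to the connector's own address space, since the slide does not describe that step.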

10 Abilene Information
For more information:
http://abilene.internet2.edu
http://abilene.internet2.edu/observatory/
http://abilene.internet2.edu/security/
Or contact us at:
scotter@internet2.edu
heather.bruning@internet2.edu
abilene@internet2.edu
