Abilene Transit Security Policy
Joint Techs Summer '05, Vancouver, BC, CA
Steve Cotter, Director, Network Services

2 Basic Premise
The policy is determined by the basic properties of an IP network:
- Control is at the edge: hosts determine when and where to send packets and initiate flows.
- This control often leads to vulnerabilities: hosts can become compromised, and compromised hosts may be used to compromise other hosts, which can lead to large amounts of traffic being sent to other hosts.
- As a backbone network, we view Abilene as a 'pipe' and not a controlling entity.

3 Network Control
The Abilene backbone does have the means to apply some control across the network:
- It is possible to block traffic on some ports.
- It is possible to block all traffic from a particular IP address.
Security Policy #1: Abilene does not unilaterally filter traffic on a network-wide basis unless the network itself is under attack.
Scenario: compromised hosts use port 135 to propagate a virus to infect other hosts.
- Abilene would not unilaterally block that port; that function is handled more efficiently at the edge.
- Had the routers or switches themselves been under attack, that traffic would have been blocked immediately.

4 Filtering Traffic
The Abilene backbone will filter traffic in some situations:
- If one or more hosts on a connector or peer are under attack.
- If requested by an institution, peer or connector.
Security Policy #2: Abilene will filter traffic to a connector or peer if requested by that particular connector or peer network, filtering the appropriate traffic through the connection in question. Abilene will make every possible attempt to authenticate those making requests for traffic filtering through interconnection points.
Abilene's method for blocking this traffic is our BGP Discard Routing procedure.

5 Filtering Traffic
Abilene reserves the right to protect itself and its connectors / peers from other connectors and peers:
- If a threat to the network exists through a particular connector, Abilene reserves the right to filter that traffic.
- Ultimately, Abilene could disconnect the offending connector or peer.
Security Policy #3: Abilene reserves the right to filter all traffic or terminate any connection if it is under attack. Every attempt will be made to contact the network in question to discuss various options and alternatives.

6 Research and Education Networking Information Sharing and Analysis Center (REN-ISAC)
The REN-ISAC supports higher education and the research community by:
- Providing advanced security services to national supporting networks.
- Supporting efforts to protect the national cyberinfrastructure by participating in the formal sector ISAC infrastructure.
Security Policy #4: Abilene will report all known incidents of security threats to the REN-ISAC.
Determining what traffic is a security threat is a network research problem. A measurement infrastructure is part of Abilene's network operations (the Abilene Observatory).

7 Data Collection
- Abilene collects flow statistics on a sampling basis that could potentially identify source and destination addresses and ports.
- This data is anonymized (the 11 low-order bits of every IP address are zeroed out) before it is saved to disk.
- For privacy reasons, Abilene does not collect data pertaining to communications between identifiable hosts. However, this information could still identify compromised hosts.
Security Policy #5: During times of security attacks, the REN-ISAC can un-anonymize data, but only the data related to the attack itself. The resulting data is re-anonymized as soon as possible after the attack is understood.

8 Data Analysis
- Information derived from analysis of the flow data that identifies specific institutions or hosts is treated as confidential information.
Security Policy #6: Institutions may request the specific sources of cyber security attacks located on their respective networks. Only security-related information will be reported to the institutions.
- Abilene data is meant to supplement, not replace, data collected by individual institutions or connectors. Internet2 strongly encourages institutions to collect their own data, which can provide a greater degree of specificity about particular security problems.
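The masking scheme slide 7 describes (zero the 11 low-order bits of every IP address before a sampled flow record hits disk) is easy to get subtly wrong, and it is worth seeing what survives it. The following is an added example, not code from the Abilene Observatory or from this presentation: the flow record layout, the function names and the sample flows are constructed for illustration, using documentation address ranges. Zeroing 11 bits leaves the upper 21 bits, so every host collapses to its /21; the example also shows that a worm-style spread pattern on one port (slide 3's port 135 scenario) is still visible at that granularity, which is the sense in which masked data "could identify compromised hosts".

```python
"""Flow-record anonymization in the style of Abilene's 11-bit masking.

Added example; field names and SAMPLE_FLOWS are constructed, not taken from
the slides.  Addresses come from the RFC 5737 documentation ranges.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Set, Tuple

MASK_BITS = 11  # the slide: 11 low-order bits of every IP address are zeroed


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    packets: int


def anonymize_ip(addr: str, bits: int = MASK_BITS) -> str:
    """Zero the low-order `bits` of an IPv4 address.

    With bits=11 the result is the /21 containing the host.  The operation is
    destructive: the original host address cannot be recovered from the
    output, so any later un-anonymization has to come from raw collection,
    not from this record.
    """
    ip = int(ipaddress.IPv4Address(addr))
    mask = (0xFFFFFFFF << bits) & 0xFFFFFFFF  # 0xFFFFF800 for 11 bits
    return str(ipaddress.IPv4Address(ip & mask))


def anonymize_flow(flow: Flow) -> Flow:
    """Mask both endpoints; ports and counters are kept as-is."""
    return replace(flow, src=anonymize_ip(flow.src), dst=anonymize_ip(flow.dst))


def same_block(a: str, b: str, bits: int = MASK_BITS) -> bool:
    """True if two raw addresses are indistinguishable after masking."""
    return anonymize_ip(a, bits) == anonymize_ip(b, bits)


def suspect_blocks(flows: Iterable[Flow], port: int,
                   min_targets: int = 2) -> List[Tuple[str, int]]:
    """Masked source blocks that reached >= min_targets distinct masked
    destination blocks on `port` (a spread signature at /21 granularity).

    Returns [(source_block, distinct_target_blocks)] sorted by count, desc.
    """
    targets: Dict[str, Set[str]] = {}
    for f in (anonymize_flow(x) for x in flows):
        if f.dport == port:
            targets.setdefault(f.src, set()).add(f.dst)
    hits = [(blk, len(t)) for blk, t in targets.items() if len(t) >= min_targets]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


# Constructed sample: one /21 (198.51.96.0/21 after masking) hitting port 135
# on three different destination blocks, plus some unrelated traffic.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "203.0.113.9", 1034, 135, 3),
    Flow("198.51.100.7", "203.0.120.4", 1035, 135, 3),
    Flow("198.51.100.7", "192.0.2.5", 1036, 135, 2),
    Flow("198.51.101.3", "203.0.113.9", 2201, 135, 1),
    Flow("203.0.113.9", "198.51.100.7", 80, 80, 40),
    Flow("192.0.2.5", "198.51.100.7", 3310, 135, 1),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(anonymize_flow(f))
    print("suspect /21s on port 135:", suspect_blocks(SAMPLE_FLOWS, 135))
```

Note that 198.51.100.7 and 198.51.101.3 become the same block, so the on-disk data can say "something in 198.51.96.0/21 is scanning port 135" but not which host; that is exactly the trade-off the slide is making, and it is why the institution's own flow data (slide 8) is needed to find the machine.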

9 BGP Discard Routing
Connectors can advertise routes to Abilene via BGP for which all traffic to those routes will be discarded by the Abilene routers. This is useful during a DoS attack because the traffic can be dropped before it crosses the link to the connector. A few important points:
- Discard routes will NOT be accepted for prefixes larger (less specific) than a /24.
- There is no way to place a limit on the number of discard routes a connector can advertise; the limit on the total number of routes a connector can advertise is currently 3,000.
- Abilene's default policy is to not accept routes smaller (more specific) than a /27. Some exceptions to this policy have been made; for those /28 and smaller routes, it will not be possible to announce more-specific discard routes.
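Two things about slide 9 are easier to see in code than in prose: which discard announcements the stated rules accept, and why a discard route works at all (longest-prefix match lets a more-specific discard route win over the connector's own aggregate, so the packets die on the Abilene router rather than on the connector link). The block below is an added example, not Abilene's router configuration or any Internet2 tooling. The prefix-length constants come from the slide; the function names, the connector's prefix list and the route accounting are constructed. One check is an assumption rather than a rule from the slide: that a discard route must fall inside a prefix the connector already advertises (a transit provider would want this so a connector cannot blackhole someone else's space). How an exact-match discard of a /28 exception is treated is also not stated on the slide; here it is accepted.

```python
"""Discard-route (blackhole) acceptance checks and a toy longest-prefix-match.

Added example.  Rules with a 'slide' comment are from the presentation; the
'assumed' ones are this example's own sanity checks.
"""
import ipaddress
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network

MIN_DISCARD_PREFIXLEN = 24  # slide: no discard routes larger than a /24
NO_MORE_SPECIFIC_AT = 28    # slide: for /28-and-smaller exceptions, no more-specific discards
ROUTE_LIMIT = 3000          # slide: total routes a connector may advertise
DISCARD = "discard"
CONNECTOR_LINK = "connector-link"


def covering_route(prefix: Net, advertised: List[Net]) -> Optional[Net]:
    """Most specific advertised prefix containing `prefix`, or None."""
    covers = [a for a in advertised if prefix.subnet_of(a)]
    return max(covers, key=lambda a: a.prefixlen) if covers else None


def check_discard(prefix_str: str, advertised: List[str],
                  routes_in_use: int) -> Tuple[bool, str]:
    """Decide whether a proposed discard route would be accepted."""
    prefix = Net(prefix_str, strict=True)
    adv = [Net(a) for a in advertised]
    if prefix.prefixlen < MIN_DISCARD_PREFIXLEN:                     # slide
        return False, f"/{prefix.prefixlen} is larger than a /24"
    cover = covering_route(prefix, adv)
    if cover is None:                                                # assumed
        return False, "not inside any prefix this connector advertises"
    if cover.prefixlen >= NO_MORE_SPECIFIC_AT and prefix.prefixlen > cover.prefixlen:  # slide
        return False, f"covering route {cover} is a /{cover.prefixlen}; no more-specific discard"
    if routes_in_use + 1 > ROUTE_LIMIT:                              # slide
        return False, f"would exceed the {ROUTE_LIMIT}-route limit"
    return True, "accepted"


def build_rib(advertised: List[str], discards: List[str]) -> List[Tuple[Net, str]]:
    """Normal routes point at the connector link; discard routes at the bit bucket."""
    rib = [(Net(a), CONNECTOR_LINK) for a in advertised]
    rib += [(Net(d), DISCARD) for d in discards]
    return rib


def lookup(rib: List[Tuple[Net, str]], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific route wins, so a /32 discard
    route beats the /24 the connector normally announces."""
    ip = ipaddress.IPv4Address(dst)
    matches = [(n, nh) for n, nh in rib if ip in n]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


# Constructed connector: two /24s plus one /28 accepted as an exception.
ADVERTISED = ["198.51.100.0/24", "203.0.113.0/24", "192.0.2.16/28"]

if __name__ == "__main__":
    for p in ["198.51.100.7/32", "198.51.100.0/23", "192.0.2.20/32", "10.0.0.1/32"]:
        print(p, check_discard(p, ADVERTISED, routes_in_use=10))
    rib = build_rib(ADVERTISED, ["198.51.100.7/32"])
    for d in ["198.51.100.7", "198.51.100.8", "8.8.8.8"]:
        print(d, "->", lookup(rib, d))
```

The lookup is the whole point of the mechanism: with the /32 in the RIB, packets for 198.51.100.7 are dropped on the backbone router while the rest of 198.51.100.0/24 still forwards to the connector, so a flood at one victim does not saturate the link for everyone else behind it.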

10 Abilene Information
For more information:
Or contact us at:
