Indiana University. 23rd APAN Meeting, Manila, Philippines, January 25 2007. REN-ISAC and Peakflow SP. John Hicks, Indiana University, TransPAC2.
REN-ISAC
–Is an integral part of U.S. higher education's strategy to improve network security through information collection, analysis, dissemination, early warning, and response.
–Specifically designed to support the unique environment and needs of organizations connected to served higher education and research networks.
–Supports efforts to protect the national cyber infrastructure by participating in the formal U.S. ISAC structure.

REN-ISAC Security Efforts
Information products
–Daily Weather Report
–Daily Darknet Reports
–Alerts
–Notifications
–Monitoring views
Incident response
24x7 Watch Desk
Cybersecurity Contact Registry
Tool development
Security infrastructure work in specific communities, e.g. grids
Participation in other higher education efforts

Complementary Relationships
REN-ISAC has core complementary relationships with:
–EDUCAUSE
–Internet2
–EDUCAUSE and Internet2 Security Task Force
–IU Global NOC and Abilene network engineering
–IU Advanced Network Management Lab
–IU Information Technology Security Office
–US Department of Homeland Security & US-CERT
–IT-ISAC
–ISAC Council
–SALSA

Complementary Relationships (2)
US Department of Homeland Security Information Analysis and Infrastructure Protection Directorate has the objective to implement the national strategy and to promote public/private partnerships for information sharing and analysis, i.e. ISACs.
ISACs are encouraged in each critical sector of national security and the economy, e.g. IT, water, agriculture, energy, transportation, finance, etc.
ISAC Council is a body of the private-sector ISACs that promotes cooperation, sharing, and the relationship with DHS.
National Cyber Security Partnership is a public-private collaboration focused on strategies and actions to assist the DHS National Cyber Security Division in implementing the President's National Strategy to Secure Cyberspace.

Information Resources
Network instrumentation
–Router NetFlow, BGP, and SNMP data (Peakflow SP)
–Router ACL counters
–Darknet
–Global NOC operational monitoring systems
Daily cybersecurity status calls with ISACs and US-CERT
Vetted/closed network security collaborations
Backbone and member security and network engineers
Vendors, e.g. monthly ISAC calls with vendors
Security mailing lists, e.g. EDUCAUSE, etc.
Members, regarding incidents on local networks

Internet2 NetFlow Policy
REN-ISAC & Internet2 NetFlow data policy agreement, highlights:
–Data is anonymized to /21. Under perceived threat and at the request of the involved institutions the REN-ISAC can selectively turn off anonymization.
–Publicly reported information is restricted to aggregate views of the network. Information that identifies specific institutions or individuals cannot be reported publicly.
–Detailed and sensitive information must be communicated with designated representatives of the affected institutions and refer only to local activity, unless otherwise authorized.
–TransPAC2 has adopted the Internet2 NetFlow Policy.

NetFlow Analysis: Traffic Grapher
IU ANML-developed tool.
Graphs NetFlow by source and destination port numbers, IP addresses and networks (in CIDR notation), and AS numbers; ICMP, TCP or UDP.
Optimized performance.

Traffic on Common and Threat Vector Ports
Traffic Grapher is used to provide public views of Internet2 traffic on common application and threat vector ports.
ACL counters in routers are also used to collect and publish similar views.
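The two steps behind these views, the /21 anonymization the NetFlow policy requires and the per-port and per-prefix aggregation the Traffic Grapher draws, as an added example. This is not the Traffic Grapher or Peakflow code; the record layout, the sample flows, and the choice of which ports count as "common" and "threat vector" are assumptions made for the example.

```python
"""Aggregate NetFlow-style records by port and by source prefix, with
addresses anonymized to /21 as the policy above describes.

Added example, not the Traffic Grapher or Peakflow code. The record
layout, the port lists and the sample flows are assumptions."""
import ipaddress
from collections import Counter

# Constructed sample flows (src, dst, proto, src_port, dst_port, bytes);
# documentation address ranges only, not real Internet2 or TransPAC2 traffic.
SAMPLE_FLOWS = [
    ("192.0.2.17",   "198.51.100.5",  "tcp", 50123, 80,   120000),
    ("192.0.2.200",  "198.51.100.5",  "tcp", 50124, 443,  88000),
    ("203.0.113.9",  "198.51.100.77", "tcp", 1025,  445,  9000),
    ("203.0.113.10", "198.51.100.77", "tcp", 1026,  445,  9100),
    ("203.0.113.11", "198.51.100.78", "udp", 1434,  1434, 4000),
    ("192.0.2.45",   "198.51.100.9",  "udp", 53,    53,   700),
]

# Which ports count as "common application" and "threat vector" ports is
# an assumption for the example; pick the set that matters on your network.
COMMON_PORTS = {80: "http", 443: "https", 53: "dns", 25: "smtp"}
THREAT_PORTS = {445: "microsoft-ds", 1434: "ms-sql-m", 135: "msrpc"}


def anonymize(addr, prefix_len=21):
    """Truncate an address to its enclosing prefix (the policy default is /21),
    so a published view cannot single out a host or a small department."""
    return str(ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False))


def anonymize_flows(flows, prefix_len=21):
    """Return the flows with both endpoints replaced by their /21; ports,
    protocol and byte counts survive, which is all the public graphs need."""
    return [(anonymize(s, prefix_len), anonymize(d, prefix_len), *rest)
            for s, d, *rest in flows]


def bytes_by_port(flows, ports):
    """Bytes per named service. A flow is attributed to the destination port
    if that is a named port, otherwise to the source port (reply direction)."""
    totals = Counter()
    for _src, _dst, _proto, sport, dport, nbytes in flows:
        if dport in ports:
            totals[ports[dport]] += nbytes
        elif sport in ports:
            totals[ports[sport]] += nbytes
    return dict(totals)


def bytes_by_prefix(flows, prefix_len=24):
    """Bytes sent per source prefix, e.g. to find the /24 behind a port-445 sweep."""
    totals = Counter()
    for src, _dst, _proto, _sport, _dport, nbytes in flows:
        totals[anonymize(src, prefix_len)] += nbytes
    return dict(totals)


if __name__ == "__main__":
    public = anonymize_flows(SAMPLE_FLOWS)          # what may be published
    print("common ports:", bytes_by_port(public, COMMON_PORTS))
    print("threat ports:", bytes_by_port(public, THREAT_PORTS))
    print("top /24 sources (private view):", bytes_by_prefix(SAMPLE_FLOWS))
```

Note that the port totals are identical on the anonymized and raw flows, so the public graphs lose nothing, while the per-/24 source view only makes sense on the raw data; that is the detailed view the policy restricts to the affected institution's designated contacts.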

Warning and Response
REN-ISAC Watch Desk
–24 x 7
–Co-located and staffed with the Global Research NOC
–+1 (317)
Public reports to the U.S. higher education community regarding analysis at aggregate views.
Private reports to institutions regarding active threats involving their institution.
Daily Reports
–REN-ISAC Weather Report
–Darknet Report
Public views from monitoring systems

Peakflow SP
Infrastructure security, traffic analysis, managed DoS protection via intelligent NetFlow analysis
–Network Anomaly Detection: DDoS, worms, network and bandwidth abuse
–Integrated Mitigation: seamless operation with a variety of DoS mitigation tools; filtering, rate-limiting, BGP blackholing, off-ramping/sinkholing, etc.
–Analytics: peering evaluation, BGP routing
–Reporting: real-time and customized anomaly and traffic reports

Peakflow SP (2)
–Customer-facing DoS Portal: gives customers a first-hand view of their traffic inside the service provider's network; customers set their own thresholds and alerts
–Fingerprint Sharing: share anomaly fingerprints with peers, customers, etc. for upstream DoS mitigation

Threat Management System
Arbor officially released the Arbor Peakflow SP TMS (Threat Management System) device in August 2006.
First-and-only carrier-class service provider threat management device for multi-service converged networks.
SP now unifies network-wide intelligence (CP) and carrier-class threat management (TMS) to enable the following:
1. Secure your infrastructure from the full spectrum of threats: botnets, DNS attacks, DDoS, worms, phishing, spam, spyware, etc.
2. Manage your multi-service network by visualizing VoIP, web, mail, DNS, P2P, and IM traffic across your network.
3. Roll out network-based security service offerings leveraging multiple security features on a single platform.
TMS adds a powerful mitigation component to SP and augments its flow-based detection and reporting with application-layer capabilities.

Why TMS?
SP TMS technology addresses multi-service network infrastructure threats and visibility needs
–Provides application-layer processing and analysis: Layer 7 reporting of mission-critical applications (VoIP, IM, P2P, etc.); Layer 7 packet scrubbing and mitigation
–Addresses multiple security threats on a single platform
–Fits specific operational needs of service providers
SP TMS technology augments flow-based SP technologies
–Provides comprehensive network-wide situational awareness augmented with more specific application-layer traffic reports
–Detects and combats today's and tomorrow's infrastructure threats
–Offers a seamless workflow to manage infrastructure threats
–Secures and gives a better understanding of IP VPN deployments

Hardware
OEM platform from Bivio Networks
Contains 7 PowerPC processors connected by a switch fabric
–1 management processor and 6 application processors
2 Gbps mitigation performance in the current release
10 Gbps performance available

TMS High Level Features
Mitigation
–Stop denial-of-service attacks
–Leverage SP network-wide intelligence and a single threat management console to address network threats
–TMS does not require peacetime learning
–TMS does not require accessing multiple UIs or CLIs
Enhanced Application Monitoring
–DNS alerting and reporting
NetFlow v9 Flow Generation

Mitigation
Active Mitigation of DoS Attacks
–Use a BGP off-ramp to direct traffic for the attacked prefix to a TMS device
–Re-inject cleaned traffic using GRE tunnels (the tunnel terminates past the off-ramp point, so cleaned traffic is not diverted a second time)
Attack Counter-Measures (In Processing Order)
–Global exception list
–Per-mitigation filters
–Zombie removal
–TCP SYN authentication
–DNS authentication
–Baseline enforcement

Mitigation (2)
Global exception list
–Global set of FCAP rules to explicitly pass/drop traffic independently of any specific mitigation
Per-mitigation filters
–Set of FCAP rules specific to each mitigation for explicitly dropping or passing traffic
–A mitigation is defined by a prefix/netmask
Zombie removal
–Detects hosts that are sending traffic at a higher than specified rate
–When the rate is exceeded, all traffic from the host is dropped until it falls below the threshold
–Rates are per mitigation

Mitigation (3)
TCP SYN authentication
–Used to block SYN flooding attacks by detecting spoofed connection attempts
–Set globally
–For new connection attempts, TMS answers with a SYN-ACK carrying a magic value
–If the host completes the handshake (echoing the magic value), TMS knows the host is valid and puts it into a white list for a specified period
–The established connection is then reset; subsequent connections from the whitelisted host pass straight through
DNS authentication
–Used to block DNS request floods from spoofed hosts
–When TMS sees a new DNS request from a host it drops the request
–If the host re-transmits the request, the host is marked as valid and the request is let through
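The two authentication counter-measures above as small state machines, added here as an example and not Arbor's implementation. The packet dictionaries, the HMAC-based magic value bound to the 4-tuple, the whitelist period and the retransmit window are all assumptions; what is faithful to the slide is the logic: a SYN is answered on the server's behalf and the source is whitelisted only if its ACK echoes the magic value, after which the connection is reset; a first DNS query is dropped and only a retransmission marks the source valid.

```python
"""TCP SYN authentication and DNS authentication as state machines, following
the two slides above. Added example, not Arbor's implementation: the packet
dicts, the HMAC-based cookie and the timeouts are assumptions."""
import hashlib
import hmac

PASS, DROP, RESET = "PASS", "DROP", "RESET"


class SynAuth:
    """Answer SYNs on the server's behalf with a cookie as the ISN; only a host
    that echoes cookie+1 in its ACK (so it really received the SYN-ACK) is
    whitelisted. Spoofed SYNs never complete the handshake and never reach
    the server."""

    def __init__(self, secret, whitelist_ttl=300.0):
        self.secret = secret
        self.ttl = whitelist_ttl
        self.whitelist = {}          # src address -> expiry time

    def cookie(self, pkt):
        """Magic ISN bound to the 4-tuple, so an ACK cannot be replayed elsewhere."""
        msg = f"{pkt['src']}:{pkt['sport']}>{pkt['dst']}:{pkt['dport']}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def handle(self, pkt, now):
        """Return (verdict, packet_to_send_or_None)."""
        src = pkt["src"]
        if self.whitelist.get(src, 0.0) > now:
            return PASS, None
        swap = {"src": pkt["dst"], "dst": src, "sport": pkt["dport"], "dport": pkt["sport"]}
        if pkt["flags"] == {"SYN"}:
            synack = {**swap, "flags": {"SYN", "ACK"},
                      "seq": self.cookie(pkt), "ack": (pkt["seq"] + 1) & 0xFFFFFFFF}
            return DROP, synack          # the SYN itself is not forwarded
        if pkt["flags"] == {"ACK"} and pkt.get("ack") == (self.cookie(pkt) + 1) & 0xFFFFFFFF:
            self.whitelist[src] = now + self.ttl
            # The server never saw this handshake, so it is torn down; the
            # real client reconnects and is now passed straight through.
            return RESET, {**swap, "flags": {"RST"}, "seq": pkt["ack"], "ack": 0}
        return DROP, None


class DnsAuth:
    """Drop the first query from an unknown source; a real resolver retransmits
    the same query and is then marked valid. A spoofed source never sees the
    loss and never retransmits."""

    def __init__(self, retry_window=5.0, valid_ttl=300.0):
        self.retry_window = retry_window
        self.valid_ttl = valid_ttl
        self.pending = {}            # (src, qname, qtype, txid) -> first seen
        self.valid = {}              # src address -> expiry time

    def handle(self, query, now):
        src = query["src"]
        if self.valid.get(src, 0.0) > now:
            return PASS
        key = (src, query["qname"].lower(), query["qtype"], query["id"])
        first = self.pending.pop(key, None)
        if first is not None and now - first <= self.retry_window:
            self.valid[src] = now + self.valid_ttl
            return PASS
        self.pending[key] = now      # first sighting (or a stale one): drop and wait
        return DROP
```

Two caveats a practitioner should keep in mind: both mechanisms whitelist by source address, so an attacker who can spoof an already-whitelisted address passes, and DNS authentication is defeated by a flood that simply sends every query twice; it also costs every legitimate resolver one retransmit timeout on its first query.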

Mitigation (4)
Baseline enforcement
–Uses yesterday's traffic patterns as an indicator of good traffic: historical traffic rates for the top 200 /24 sources of traffic, and per-protocol rates
–If traffic deviates substantially from the historic rates, TMS limits the offending traffic
–Baselines are per mitigation
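The non-authentication counter-measures from the three mitigation slides wired together in the processing order the slides give (global exception list, per-mitigation filters, zombie removal, baseline enforcement), as an added example and not Arbor's code. The rule dictionaries stand in for FCAP expressions, the fixed one-second rate window, the zombie threshold, the "substantial deviation" factor and the pretend "yesterday's" per-/24 and per-protocol baselines are all assumptions; the sample configuration and traffic are constructed.

```python
"""The counter-measures in the processing order the slides give: global
exception list, per-mitigation filters, zombie removal, baseline enforcement
(SYN and DNS authentication sit between zombie removal and baselines and are
left out here). Added example, not Arbor's code: the rule syntax stands in
for FCAP, and the fixed one-second rate window, thresholds and "yesterday's"
baselines are assumptions."""
import ipaddress


def rule_matches(rule, pkt):
    """Stand-in for an FCAP expression: every field in the rule must match;
    src/dst match as prefixes, everything else as an exact value."""
    for field, want in rule["match"].items():
        if field in ("src", "dst"):
            if ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(want):
                return False
        elif pkt.get(field) != want:
            return False
    return True


class RateCounter:
    """Packets per key in the current fixed window (assumed 1 s)."""
    def __init__(self, window=1.0):
        self.window, self.bucket, self.counts = window, None, {}

    def add(self, key, now):
        bucket = int(now // self.window)
        if bucket != self.bucket:            # new window: every host starts clean
            self.bucket, self.counts = bucket, {}
        self.counts[key] = self.counts.get(key, 0) + 1
        return self.counts[key] / self.window


class Mitigation:
    def __init__(self, prefix, filters, zombie_pps, baseline_pps, factor=2.0):
        self.prefix = ipaddress.ip_network(prefix)   # a mitigation is a prefix/netmask
        self.filters = filters                        # per-mitigation pass/drop rules
        self.zombie_pps = zombie_pps                  # per-source rate, per mitigation
        self.baseline_pps = baseline_pps              # {"/24 source" or "proto": pps}
        self.factor = factor                          # how far above baseline is "substantial"
        self.host_rate, self.net_rate, self.proto_rate = RateCounter(), RateCounter(), RateCounter()

    def process(self, pkt, now, global_exceptions):
        for rule in global_exceptions:                # 1. independent of any mitigation
            if rule_matches(rule, pkt):
                return f"{rule['action']}:exception"
        if ipaddress.ip_address(pkt["dst"]) not in self.prefix:
            return "PASS:not-mitigated"
        for rule in self.filters:                     # 2. this mitigation's own rules
            if rule_matches(rule, pkt):
                return f"{rule['action']}:filter"
        if self.host_rate.add(pkt["src"], now) > self.zombie_pps:   # 3. zombie removal
            return "DROP:zombie"
        net24 = str(ipaddress.ip_network(f"{pkt['src']}/24", strict=False))   # 4. baselines
        net_rate = self.net_rate.add(net24, now)
        proto_rate = self.proto_rate.add(pkt["proto"], now)
        net_limit = self.baseline_pps.get(net24)      # only the top sources have one
        proto_limit = self.baseline_pps.get(pkt["proto"])
        if net_limit is not None and net_rate > self.factor * net_limit:
            return "DROP:baseline"
        if proto_limit is not None and proto_rate > self.factor * proto_limit:
            return "DROP:baseline"
        return "PASS"


# Constructed configuration for one mitigation of 198.51.100.0/24.
GLOBAL_EXCEPTIONS = [{"match": {"src": "192.0.2.0/24"}, "action": "PASS"}]   # e.g. monitoring hosts
FILTERS = [{"match": {"proto": "udp", "dport": 1434}, "action": "DROP"}]
BASELINE = {"203.0.113.0/24": 50, "tcp": 1000, "udp": 200}   # pretend "yesterday's" pps


def demo():
    """One host floods; a neighbour in the same /24 is then held to the /24 baseline."""
    m = Mitigation("198.51.100.0/24", FILTERS, zombie_pps=100, baseline_pps=BASELINE)
    flood = {"src": "203.0.113.9", "dst": "198.51.100.1", "proto": "tcp", "dport": 80}
    verdicts = [m.process(flood, 0.0, GLOBAL_EXCEPTIONS) for _ in range(150)]
    neighbour = [m.process({**flood, "src": "203.0.113.10"}, 0.5, GLOBAL_EXCEPTIONS) for _ in range(30)]
    return verdicts, neighbour


if __name__ == "__main__":
    verdicts, neighbour = demo()
    print(verdicts.count("PASS"), "passed,", verdicts.count("DROP:zombie"), "dropped as zombie")
    print(neighbour.count("DROP:baseline"), "neighbour packets dropped by baseline")
```

The order matters: the flooding host's first 100 packets consume the /24's baseline allowance, so a quiet neighbour in the same /24 is rate-limited for the rest of the window even though it is nowhere near the zombie threshold. The same reasoning is why a baseline learned from "yesterday" is only as good as yesterday's traffic: if the attack had already started, the baseline includes it.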

DNS Tracking
New feature to monitor DNS request streams
Deployed on a SPAN port or off a link tap at the data center
Monitors DNS requests and generates alerts when request rates deviate from baseline

DNS Queries
Track the top requested registered domain names over time
Track the top requested fully qualified domain names over time
Drill down on the hosts making the most requests
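What the two DNS slides describe, run over a constructed query log as an added example; this is not Peakflow's DNS tracker. The log line format, the two-label rule for "registered domain", and the baseline numbers are assumptions, and the second minute of the sample is a constructed burst of random-looking subdomains from one client, the kind of stream the drill-down is meant to surface.

```python
"""DNS request-stream tracking as the two slides describe: top registered
domains, top FQDNs, top requesting hosts, and an alert when the request rate
in a window deviates from baseline. Added example, not Peakflow's DNS
tracker: the log line format, the two-label "registered domain" rule and
the baseline numbers are assumptions."""
import re
from collections import Counter

LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")   # epoch client qtype qname

# Constructed query log (documentation addresses; not captured traffic). The
# second minute is a burst of random-looking subdomains from a single client.
SAMPLE_LOG = """\
1169683200 192.0.2.10 A www.example.com.
1169683201 192.0.2.11 AAAA www.example.com.
1169683202 192.0.2.10 A mail.example.com.
1169683203 192.0.2.12 A example.org.
1169683205 192.0.2.13 A cdn.example.net.
1169683260 203.0.113.7 A a1.example.com.
1169683261 203.0.113.7 A a2.example.com.
1169683262 203.0.113.7 A a3.example.com.
1169683263 203.0.113.7 A a4.example.com.
1169683264 203.0.113.7 A a5.example.com.
1169683265 203.0.113.7 A a6.example.com.
1169683266 203.0.113.7 A a7.example.com.
1169683267 203.0.113.7 A a8.example.com.
"""


def parse(text):
    """Yield (ts, client, qtype, fqdn) with the name lowercased and the root dot removed."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:                                   # skip malformed lines rather than crash a tap
            ts, client, qtype, qname = m.groups()
            yield int(ts), client, qtype.upper(), qname.lower().rstrip(".")


def registered_domain(fqdn):
    """Last two labels. Real tooling should use the public suffix list so that
    e.g. example.co.uk is not reduced to co.uk; that is left out here."""
    return ".".join(fqdn.split(".")[-2:])


def top_registered(records, n=10):
    return Counter(registered_domain(r[3]) for r in records).most_common(n)


def top_fqdn(records, n=10):
    return Counter(r[3] for r in records).most_common(n)


def top_clients(records, n=10):
    """Drill-down: which hosts make the most requests."""
    return Counter(r[1] for r in records).most_common(n)


def rate_alerts(records, baseline_qpm, factor=2.0, window=60):
    """Return (window_start, count) for windows whose request count exceeds
    factor x baseline; baseline_qpm stands in for a learned per-window rate."""
    per_window = Counter(r[0] - r[0] % window for r in records)
    return sorted((start, n) for start, n in per_window.items()
                  if n > factor * baseline_qpm)


if __name__ == "__main__":
    recs = list(parse(SAMPLE_LOG))
    print(top_registered(recs, 3), top_fqdn(recs, 3), top_clients(recs, 3))
    print(rate_alerts(recs, baseline_qpm=3))
```

On the sample the registered-domain view and the FQDN view disagree about what is hot (example.com dominates, but no single FQDN under it repeats), and that gap, together with one client at the top of the drill-down, is exactly the signature a random-subdomain flood leaves; the rate alert fires on the second window only.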

Questions or Comments
John Hicks, Indiana University, TransPAC2