Campus LAN at NKN Member Institutions - RS MANI (rsm@nkn.in) - PowerPoint PPT Presentation



SLIDE 1

1/7/2015 3rd Annual workshop 1

Campus LAN at NKN Member Institutions

RS MANI rsm@nkn.in

SLIDE 2

Efficient utilization

Come from:

– Good Campus LAN
  • Speed
  • Segregation of LANs
  • QoS
  • Resilient
  • Access Controls (L2 and L3)
  • NMS
– Good Collaboration (National / International)
– Good Internet Governance

Scientists / Researchers

SLIDE 3

Various Components

  • Campus network best practice
  • Functions of the different layers
  • Firewall/IPS
  • AAA / DHCP / DNS
  • Server Farm
  • Security best practices (IPv4 & IPv6)
  • VPN Services
  • Gateway Services

SLIDE 4


Typical Campus Network Architecture

[Diagram. Labels: NKN Link 1, NKN Link 2; two Edge Routers; Outer Switch; Firewall with IPS (active) and Firewall with IPS (standby); Core Switch; Distribution Switch; Server Switch; DHCP server; USERS on Gnd F, 1st F, 2nd F, 3rd F. Link legend: 10G backbone, 10G Fibre, 1G Fibre, CAT 6a / 7.]

SLIDE 5

Security Devices

  • Firewall/IPS: integrated stateful inspection firewall
  • Maximizes network security with clear, deterministic L3/L4 policies
  • Reputation-based Intrusion Prevention: identify the source of, and block, denial of service (DoS), distributed denial of service (DDoS) and SYN flood attacks; threat protection up to Layer 7
  • Zero-Day Protection with Anomaly Detection
  • The adoption and use of IPv6
  • Remote Access VPN solution, providing VPN client and clientless access

SLIDE 6

Some of the Best Practices: Campus Security

  • Switch should support dynamic port security, DHCP snooping, Dynamic ARP inspection and IP source guard
  • Use SSH to access devices instead of Telnet
  • Enable AAA and role-based access control (RADIUS/TACACS+) for the CLI on all devices
  • Enable SYSLOG to a server; collect and archive logs
  • When using SNMP, use SNMPv3
  • Configure access-lists to limit who can access management and CLI services
  • Enable control plane protocol authentication where it is available

SLIDE 7

Layer 2 Snoop Attack

Problem: the attacker floods the switch CAM tables with bogus MACs (400,000 bogus MACs per second), turning the VLAN into a hub and eliminating privacy.

Solution: Port Security limits the MAC flooding attack, locks down the port and sends an SNMP trap.
  • Only three MAC addresses allowed on the port (diagram hosts: 00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb)
  • On violation: Shutdown
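As an added illustration of the slide's problem and solution (not part of the original deck), this Python model replays a MAC flood against a small CAM table with and without the three-address port-security limit; the switch model, port names, table size and traffic are all constructed for the example.

```python
"""Constructed model of a switch CAM table under a MAC flood, with and without port security."""
from dataclasses import dataclass, field

CAM_CAPACITY = 8        # constructed: kept tiny so the flood's effect is visible
MAX_SECURE_MACS = 3     # slide 7: only three MAC addresses allowed on the port


@dataclass
class Switch:
    cam: dict = field(default_factory=dict)           # src MAC -> ingress port
    secure_ports: dict = field(default_factory=dict)  # port -> MACs learned by port security
    shutdown: set = field(default_factory=set)        # ports locked down after a violation
    traps: list = field(default_factory=list)         # SNMP traps raised

    def ingress(self, port: str, src_mac: str) -> bool:
        """Learn src_mac on port; return False if the frame was dropped."""
        if port in self.shutdown:
            return False
        if port in self.secure_ports:
            learned = self.secure_ports[port]
            if src_mac not in learned:
                if len(learned) >= MAX_SECURE_MACS:
                    # Violation: lock down the port and send an SNMP trap
                    self.shutdown.add(port)
                    self.traps.append(f"port-security violation on {port}: {src_mac}")
                    return False
                learned.add(src_mac)
        if src_mac not in self.cam and len(self.cam) >= CAM_CAPACITY:
            self.cam.pop(next(iter(self.cam)))  # table full: oldest entry (a real host) evicted
        self.cam[src_mac] = port
        return True

    def egress(self, dst_mac: str) -> str:
        """Known destination -> one port; unknown -> flooded to every port (hub behaviour)."""
        return self.cam.get(dst_mac, "flood")


def simulate_flood(sw: Switch, port: str, count: int) -> int:
    """Constructed traffic: `count` frames with distinct bogus source MACs on one port."""
    return sum(sw.ingress(port, f"00:0e:00:00:{i // 256:02x}:{i % 256:02x}") for i in range(count))


def demo(port_security: bool) -> dict:
    sw = Switch()
    if port_security:
        sw.secure_ports["Gi1/0/5"] = set()           # enable port security on the flooded port
    sw.ingress("Gi1/0/1", "00:0e:00:aa:aa:aa")       # legitimate host A
    sw.ingress("Gi1/0/2", "00:0e:00:bb:bb:bb")       # legitimate host B
    accepted = simulate_flood(sw, "Gi1/0/5", 100)
    return {"accepted": accepted, "host_a_path": sw.egress("00:0e:00:aa:aa:aa"),
            "port_shutdown": "Gi1/0/5" in sw.shutdown, "traps": len(sw.traps)}
```

Without port security the flood evicts host A from the table, so frames to A are flooded to every port; with it, the fourth bogus MAC shuts the port and raises one trap while A keeps its unicast path.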

SLIDE 8

DHCP Snooping

  • DHCP requests (discover) and responses (offer) tracked
  • Rate-limit requests on trusted interfaces; limits DoS attacks on DHCP server
  • Deny responses (offers) on non-trusted interfaces; stops malicious or errant DHCP servers

[Diagram: 1000s of DHCP Requests to overrun the DHCP Server.]
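Added example, not from the original slides: a Python model of the two DHCP snooping rules above (offers denied on untrusted ports, requests rate-limited per interface) applied to constructed traffic; the interface names, the 5-per-second limit and the MAC addresses are assumptions.

```python
"""Constructed model of DHCP snooping: deny offers on untrusted ports, rate-limit requests."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Interface:
    trusted: bool = False   # trusted = uplink toward the legitimate DHCP server
    rate_limit: int = 0     # max DHCP requests per second on this port; 0 = no limit


@dataclass
class DhcpSnooping:
    interfaces: dict
    bindings: dict = field(default_factory=dict)  # client MAC -> port it requested from
    counters: dict = field(default_factory=lambda: defaultdict(int))  # (port, second) -> count
    log: list = field(default_factory=list)

    def inspect(self, port: str, kind: str, mac: str, ts: float) -> bool:
        """Return True if the DHCP message seen on `port` may be forwarded."""
        intf = self.interfaces[port]
        if kind in ("offer", "ack"):
            if not intf.trusted:  # server-side message arriving on a client port: rogue server
                self.log.append(f"{port}: dropped DHCP {kind} from {mac} on untrusted port")
                return False
            return True
        if kind in ("discover", "request"):
            key = (port, int(ts))
            self.counters[key] += 1
            if intf.rate_limit and self.counters[key] > intf.rate_limit:
                # The model drops the excess; real switches usually err-disable the port
                self.log.append(f"{port}: DHCP request rate limit exceeded at t={int(ts)}s")
                return False
            self.bindings[mac] = port
            return True
        return False  # unknown message type


def demo() -> dict:
    snoop = DhcpSnooping({
        "Gi1/0/24": Interface(trusted=True),   # uplink to the DHCP server
        "Gi1/0/7": Interface(rate_limit=5),    # client port
        "Gi1/0/8": Interface(rate_limit=5),    # client port
    })
    # Constructed traffic: one legitimate exchange, one rogue offer, one request flood
    legit_discover = snoop.inspect("Gi1/0/7", "discover", "00:0e:00:aa:aa:aa", 0.1)
    legit_offer = snoop.inspect("Gi1/0/24", "offer", "00:0e:00:dd:dd:dd", 0.2)
    rogue_offer = snoop.inspect("Gi1/0/8", "offer", "00:0e:00:bb:bb:bb", 0.3)
    flood_forwarded = sum(snoop.inspect("Gi1/0/8", "discover", f"00:0e:00:00:00:{i:02x}", 1 + i / 1000)
                          for i in range(50))
    return {"legit_discover": legit_discover, "legit_offer": legit_offer, "rogue_offer": rogue_offer,
            "flood_forwarded": flood_forwarded, "binding_aa": snoop.bindings["00:0e:00:aa:aa:aa"]}
```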

SLIDE 9

AAA server

  • Strengthens Security: enforce consistent security policy, ensure endpoint health, deliver a secure network fabric
  • Supports Compliance: enables corporate governance through consistent access policy for all users and devices
  • Increases Efficiency: reduces IT overhead through centralized identity management and integrated policy enforcement

SLIDE 10

Multi-Homing

  • Basic requirement
    – IP numbers to be owned (v4 or v6)
    – ASN number (16 bit or 32 bit)
    – Service providers capable of doing BGP
    – Router capable of BGP and holding the routes
    – Trained manpower

SLIDE 11

SLIDE 12

What is an MPLS-VPN?

  • An IP network infrastructure delivering private network services over a public infrastructure
    – Uses a layer 3 backbone
    – Scalability, easy provisioning
    – Global as well as non-unique private address space
    – QoS
    – Controlled access
    – Easy configuration

SLIDE 13

SLIDE 14

NKN MPLS for CUG

[Diagram. Labels: NKN BACKBONE; State Router (State TN); Multi-VRF; 802.1Q, each sub-interface associated with a different VPN; VLAN1-VPN Green, VLAN2-Blue, VLAN3-Red; Contents of VPN Green / Blue / RED: Video/Audio, Intra-VPN, Internet; DC Cloud; Institute #1 (LAN of #1: VLAN1-VPN Green, VLAN2-Blue); Institute #2 (LAN of #2: VLAN1-VPN Green, VLAN2-Blue, VLAN3-Red).]

SLIDE 15

Layer 2 Extensions

SLIDE 16

End to End QoS

[Diagram: sites #2 to #11 with VC Equipment.]

SLIDE 17

Inter Service Provider QoS

MPLS VPNs (providers A, B, C, D):
  • Many QoS-enabled islands
  • No interprovider QoS

The Internet (providers A, B, C, D, E):
  • Richly interconnected providers
  • No QoS

Goal (providers A, B, C, D, E): richly connected AND QoS-enabled

SLIDE 18

Defense Depth and Breadth Security

[Diagram. Labels: Internet; Transit (AS1, AS2, AS3); Enterprise Network; NKN Core Network; E-mail, Web Servers; Remote Access Systems; Internal Assets, Servers; Network Operations Center (NOC); Edge; Core.]

  • Interface ACLs
  • Unicast RPF
  • Flexible packet matching
  • IP option filtering
  • Marking/rate-limiting
  • Routing techniques
  • eBGP techniques
  • ICMP techniques

  • Receive ACLs
  • CoPP
  • ICMP techniques
  • QoS techniques
  • Routing techniques
  • Disable unused services
  • Protocol specific filters

  • Password security
  • SNMP security
  • Remote terminal access security
  • System banners
  • AAA
  • Network telemetry
  • Secure file systems

SLIDE 19

Using Strict Mode uRPF to Battle BOTNETs

[Diagram. Labels: NKN Backbone; Access POPs; NKN Partners; ISPs; Target; NOC. uRPF Strict on NKN Partner Edge; BGP Trigger Community – SRTBH on NKN Partner Edge.]
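Added example, not from the original deck: a Python model of the strict uRPF check on a partner edge, and of what a source-based remote-triggered black hole (SRTBH) route, the effect of the BGP trigger community on the edge, does to that check; the routing table, interface names and prefixes are constructed.

```python
"""Constructed model of strict-mode uRPF on a partner edge, plus a source-based RTBH (SRTBH) route."""
import ipaddress


class Fib:
    """Minimal forwarding table: (network, egress interface) pairs with longest-prefix match."""

    def __init__(self):
        self.routes = []

    def add(self, prefix: str, interface: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), interface))

    def lookup(self, addr: str):
        ip = ipaddress.ip_address(addr)
        matches = [(net, intf) for net, intf in self.routes if ip in net]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def urpf_strict(fib: Fib, ingress: str, src: str) -> str:
    """Strict mode: the best route back to the packet's source must exit via the ingress
    interface; a missing route or a Null0 (blackhole) route also fails the check."""
    egress = fib.lookup(src)
    if egress is None:
        return "drop: no route to source"
    if egress == "Null0":
        return "drop: source blackholed (SRTBH)"
    if egress != ingress:
        return f"drop: route to source exits via {egress}, not {ingress}"
    return "permit"


def build_partner_edge() -> Fib:
    """Constructed table for a partner edge router: campus prefix downstream, default upstream."""
    fib = Fib()
    fib.add("10.10.0.0/16", "Gi0/1")  # partner campus LAN; strict uRPF is applied on this side
    fib.add("0.0.0.0/0", "Gi0/0")     # toward the NKN backbone; strict mode is unsafe where routing is asymmetric
    return fib


def srtbh_trigger(fib: Fib, source_prefix: str) -> None:
    """Effect of the NOC's BGP trigger-community route on the edge: the offending source
    prefix is routed to Null0, so strict uRPF now drops everything it sends."""
    fib.add(source_prefix, "Null0")
```

A spoofed source that the table routes back toward the backbone fails the check on the campus-facing interface, and once the NOC triggers a blackhole for an infected prefix, traffic from that prefix is dropped while the rest of the campus keeps passing.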

SLIDE 20

Utilization of Few Members

[Utilization graphs: INSTITUTE-1, INSTITUTE-2]

SLIDE 21

[Utilization graphs: INSTITUTE-3, INSTITUTE-4]

SLIDE 22

High Packet Per Sec DoS ATTACK

SLIDE 23

HIGH BANDWIDTH DoS ATTACK

SLIDE 24

GATEWAY STATS

SLIDE 25

RELAY SERVICE

SLIDE 26

DNS Cache Servers

The server IP is 14.139.5.5 (anycast)

Contact us: support.dns@nkn.in

[Diagram: clients send Requests to the cache servers in the NKN Cloud and receive Replies.]

SLIDE 27

DNS Zone Servers

[Diagram. Labels: NKN Cloud; Institute DNS for Domain.ac.in; Domain.ac.in zone transfer to NKN; Internet DNS Root Servers; Reply arrows from each server.]

SLIDE 28

Thank You & Happy NKN

Project Implementation Unit National Knowledge Network National Informatics Centre 3rd Floor, Block III, Delhi IT Park, Shastri Park, New Delhi - 110053

CONTACT NKN: 1800 111 555, piu@nkn.in, support@nkn.in