Efficient Interfacing Campus LAN with NKN (RS MANI, rsm@nkn.in), 2nd Annual NKN Workshop, 25-Oct-13



SLIDE 1

25-Oct-13 2nd Annual NKN Workshop

Efficient Interfacing Campus LAN with NKN

RS MANI rsm@nkn.in

SLIDE 2

Efficient utilization

Comes from:

– Good Campus LAN
  • Speed
  • Segregation of LANs
  • QoS
  • Resilient
  • Access Controls (L2 and L3)
  • NMS
– Good Collaboration (National / International)
– Good Internet Governance
  Scientists / Researchers

SLIDE 3

Various Components

  • Campus network best practice
  • Functions of the different layers
  • Firewall/IPS
  • AAA / DHCP / DNS
  • Server Farm
  • Security best practices, IPv4 & IPv6
  • VPN Services
  • Gateway Services
SLIDE 5

Typical Campus Network Architecture

(Diagram: NKN Link 1 and NKN Link 2 terminate on two edge routers; an outer switch feeds a pair of firewalls with IPS (active / standby); a core switch on a 10G backbone (10G fibre) connects to a server switch (CAT 6a / 7 cabling, DHCP server) and to distribution switches (1G fibre) on the ground, 1st, 2nd and 3rd floors, which serve the users.)

SLIDE 6

Security Devices

  • Firewall/IPS integrated stateful inspection firewall
  • Maximizes network security with clear, deterministic L3/L4 policies
  • Reputation-based intrusion prevention: identifies the source of, and blocks, denial of service (DoS), distributed denial of service (DDoS) and SYN flood attacks; threat protection up to Layer 7
  • Zero-day protection with anomaly detection
  • The adoption and use of IPv6
  • Remote access VPN solution, providing VPN client and clientless access

SLIDE 7

Some of the Best Practices: Campus Security

  • Switch should support dynamic port security, DHCP snooping, Dynamic ARP Inspection and IP Source Guard
  • Use SSH to access devices instead of Telnet
  • Enable AAA and role-based access control (RADIUS/TACACS+) for the CLI on all devices
  • Enable SYSLOG to a server; collect and archive the logs
  • When using SNMP, use SNMPv3
  • Configure access-lists to limit who can access management and CLI services
  • Enable control plane protocol authentication where it is available
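The management-plane items on this slide (SSH instead of Telnet, AAA with TACACS+, syslog, SNMPv3, a management access-list and routing-protocol authentication) as one Cisco IOS configuration. This is an added example, not configuration from the slides or from NKN; the hostname, the 192.0.2.0/24 management subnet and server addresses (RFC 5737 documentation space), the VLAN numbers and every key string are constructed placeholders.

```cisco
! Management-plane hardening on a Cisco IOS campus switch.
! Added example, not part of the original slides; hostnames, addresses
! (RFC 5737 documentation ranges) and key strings are constructed.
hostname CAMPUS-DIST-1
ip domain-name campus.example
crypto key generate rsa modulus 2048
ip ssh version 2
!
! AAA: authenticate and authorise CLI sessions against TACACS+ and
! account every privileged command; the local user is only a fallback
! for when the server is unreachable.
username admin privilege 15 secret REPLACE-WITH-STRONG-SECRET
aaa new-model
tacacs server TAC-1
 address ipv4 192.0.2.10
 key REPLACE-WITH-TACACS-KEY
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Only the management subnet may reach the CLI, and only over SSH.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
!
! Syslog to a collector, with millisecond timestamps so archived logs
! from different devices can be correlated.
service timestamps log datetime msec localtime show-timezone
logging host 192.0.2.20
logging trap informational
logging source-interface Vlan999
!
! SNMPv3 with authentication and encryption (authPriv) and a read-only
! view; no SNMPv1/v2c community strings are configured.
snmp-server view NMS-VIEW iso included
snmp-server group NMS-GROUP v3 priv read NMS-VIEW
snmp-server user nmsuser NMS-GROUP v3 auth sha REPLACE-WITH-AUTH-PASS priv aes 128 REPLACE-WITH-PRIV-PASS
!
! Control-plane protocol authentication: keyed OSPF on the routed
! interface towards the core, so an unauthenticated neighbour cannot
! inject routes.
interface Vlan10
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 REPLACE-WITH-OSPF-KEY
router ospf 1
 area 0 authentication message-digest
```

The `deny any log` at the end of the management ACL is deliberate: a hit there is a login attempt from outside the management subnet and is worth seeing in the syslog archive. `aaa accounting commands 15` sends every privileged-mode command to TACACS+, which gives the audit trail the slide's "collect and archive" point depends on.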

SLIDE 8

Layer 2 Snoop Attack

Problem: flood the switch CAM tables with bogus MACs (400,000 bogus MACs per second), turning the VLAN into a hub and eliminating privacy.

Solution: port security limits the MAC flooding attack, locks down the port and sends an SNMP trap. Only three MAC addresses are allowed on the port (e.g. 00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb); on violation the port is shut down.

SLIDE 9

DHCP Snooping

  • DHCP requests (discover) and responses (offer) are tracked
  • Rate-limit requests on trusted interfaces; limits DoS attacks on the DHCP server
  • Deny responses (offers) on non-trusted interfaces; stops malicious or errant DHCP servers

(Diagram: (1) 1000s of DHCP requests are sent to overrun the DHCP server; (2) the switch rate-limits them before they reach the server.)
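The port-security behaviour of slide 8 (three MACs per port, shutdown on violation, SNMP trap) together with the DHCP snooping of this slide and the Dynamic ARP Inspection / IP Source Guard items of slide 7, as one Cisco IOS access-switch configuration. This is an added example, not configuration from the slides or from NKN; VLAN 10, the port ranges, the uplink, the collector address and the SNMPv3 credentials are constructed. The DHCP request rate limit is placed here on the untrusted user ports, since that is where a flooding client sits; the uplink towards the real DHCP server is the only trusted port.

```cisco
! Layer 2 first-hop protection on a Cisco IOS access switch.
! Added example; VLAN, ports, addresses and credentials are constructed.
!
! SNMPv3 receiver for the port-security trap mentioned on slide 8.
snmp-server group NMS-GROUP v3 priv
snmp-server user nmsuser NMS-GROUP v3 auth sha REPLACE-WITH-AUTH-PASS priv aes 128 REPLACE-WITH-PRIV-PASS
snmp-server enable traps port-security
snmp-server host 192.0.2.20 version 3 priv nmsuser port-security
!
! Port security: three MAC addresses per access port; a fourth MAC
! err-disables the port (violation shutdown) and raises the trap.
interface range GigabitEthernet1/0/1 - 24
 description User access port
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation shutdown
 switchport port-security aging time 10
!
! Bring an err-disabled port back after 5 minutes so one flooding
! event does not need a manual visit, while still logging it.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! DHCP snooping: build the binding table from DISCOVER/OFFER exchanges,
! rate-limit requests on the untrusted user ports, and trust only the
! uplink so OFFERs from a rogue server on a user port are dropped.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
interface range GigabitEthernet1/0/1 - 24
 ip dhcp snooping limit rate 15
interface TenGigabitEthernet1/1/1
 description Uplink to distribution (path to the DHCP server)
 ip dhcp snooping trust
 ip arp inspection trust
!
! Dynamic ARP Inspection checks ARP packets against the snooping
! binding table; IP Source Guard drops IP packets whose source address
! does not match the binding learned on that port.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
interface range GigabitEthernet1/0/1 - 24
 ip arp inspection limit rate 15
 ip verify source
```

Because DAI and IP Source Guard both depend on the DHCP snooping binding table, statically addressed hosts on these ports need a manual `ip source binding` entry or they will be cut off; check the table with `show ip dhcp snooping binding` before enabling `ip verify source` on a port.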

SLIDE 10

AAA server

  • Strengthens Security: enforce consistent security policy, ensure endpoint health, deliver a secure network fabric
  • Supports Compliance: enables corporate governance through consistent access policy for all users and devices
  • Increases Efficiency: reduces IT overhead through centralized identity management and integrated policy enforcement

SLIDE 11

Multi-Homing

  • Basic requirements
    – IP numbers to be owned (v4 or v6)
    – ASN number (16-bit or 32-bit)
    – Service providers capable of doing BGP
    – Router capable of BGP and of holding the routes
    – Trained manpower

SLIDE 13

What is an MPLS-VPN?

  • An IP network infrastructure delivering private network services over a public infrastructure
    – Uses a layer 3 backbone
    – Scalability, easy provisioning
    – Global as well as non-unique private address space
    – QoS
    – Controlled access
    – Easy configuration

SLIDE 15

NKN MPLS for CUG

(Diagram: Institute #1 (LAN of #1: VLAN1-VPN Green, VLAN2-Blue) and Institute #2 (LAN of #2: VLAN1-VPN Green, VLAN2-Blue, VLAN3-Red) connect over 802.1Q trunks to their State Router (e.g. State TN); each sub-interface is associated with a different VPN (Multi-VRF). The NKN backbone carries the contents of VPN Green, Blue and Red separately (video/audio, intra-VPN traffic, Internet) towards the DC cloud.)

SLIDE 16

Layer 2 Extensions

SLIDE 17

VPLS Network

(Diagram: PE routers at Mumbai, Indore and two further sites are joined by virtual circuits / pseudowires, so that the Physics Departments of Institutes #1 to #5 share one Layer 2 domain across the backbone.)

SLIDE 18

End to End QoS

(Diagram: VC equipment at sites #2, #3, #4; at sites #5, #7, #8, #9; and at sites #6, #10, #11, with QoS applied end to end.)

SLIDE 19

Inter Service Provider QoS

MPLS VPNs (providers A, B, C, D):
  • Many QoS-enabled islands
  • No interprovider QoS

The Internet (providers A, B, C, D, E):
  • Richly interconnected providers
  • No QoS

Goal (providers A, B, C, D, E): richly connected AND QoS-enabled

SLIDE 20

Defense Depth and Breadth Security

(Diagram: the Enterprise Network (e-mail and web servers, remote access systems, internal assets and servers) connects through the NKN Core Network, run from the Network Operations Center (NOC), to the Internet via transit providers AS1, AS2 and AS3. Enforcement points (X) sit at the Edge and in the Core.)

Edge:
  • Interface ACLs
  • Unicast RPF
  • Flexible packet matching
  • IP option filtering
  • Marking/rate-limiting
  • Routing techniques
  • eBGP techniques
  • ICMP techniques

Core:
  • Receive ACLs
  • CoPP
  • ICMP techniques
  • QoS techniques
  • Routing techniques

Device hardening:
  • Disable unused services
  • Protocol specific filters
  • Password security
  • SNMP security
  • Remote terminal access security
  • System banners
  • AAA
  • Network telemetry
  • Secure file systems
SLIDE 21

Using Strict Mode uRPF to Battle BOTNETs

(Diagram: NKN partners connect through access POPs to the NKN backbone; bots spread across several ISPs and partners flood a target. uRPF strict mode runs on the NKN partner edge, and the NOC uses a BGP trigger community to apply SRTBH (source-based remotely triggered black hole) on the NKN partner edge.)
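The two mechanisms on this slide, strict-mode uRPF on the partner edge and a BGP community that triggers source-based black-holing (SRTBH) from the NOC, as Cisco IOS configuration for the two router roles. This is an added example, not NKN's own configuration: AS 64496 (RFC 5398 documentation ASN), the 64496:666 community, the 192.0.2.1 discard next-hop, the peer and loopback addresses and the 203.0.113.77 example source are all constructed.

```cisco
! Strict uRPF plus source-based RTBH. Added example, not NKN's config;
! AS number, community, addresses and the example source are constructed.
!
! ---- NKN partner edge router ----
ip cef
!
! Packets entering from the partner are dropped unless the best route back
! to their source goes out the same interface (strict uRPF). A source whose
! route points at Null0 fails the check too, which is what SRTBH relies on.
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
interface GigabitEthernet0/1
 description To NKN partner
 ip address 198.51.100.1 255.255.255.252
 ip verify unicast source reachable-via rx
!
! The discard next-hop: anything resolving to 192.0.2.1 goes to Null0.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Routes carrying the black-hole community from the NOC trigger router get
! their next-hop rewritten to the discard address.
ip community-list standard BLACKHOLE permit 64496:666
route-map RTBH-IN permit 10
 match community BLACKHOLE
 set ip next-hop 192.0.2.1
route-map RTBH-IN permit 20
router bgp 64496
 neighbor 203.0.113.250 remote-as 64496
 neighbor 203.0.113.250 description NOC trigger router
 neighbor 203.0.113.250 update-source Loopback0
 neighbor 203.0.113.250 route-map RTBH-IN in
!
! ---- NOC trigger router ----
! To black-hole a botnet source, the NOC adds a static route for that /32
! with tag 666; redistribution turns it into a BGP route tagged with the
! community, and every partner edge starts dropping packets from it.
ip route 192.0.2.1 255.255.255.255 Null0
ip route 203.0.113.77 255.255.255.255 Null0 tag 666
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set community 64496:666 no-export
 set origin igp
router bgp 64496
 redistribute static route-map RTBH-TRIGGER
 neighbor 203.0.113.1 remote-as 64496
 neighbor 203.0.113.1 description NKN partner edge
 neighbor 203.0.113.1 send-community
```

Strict mode assumes symmetric routing; a multi-homed partner whose return path leaves through another edge will see legitimate traffic dropped. There, `ip verify unicast source reachable-via any` (loose mode) keeps the SRTBH effect, since a Null0 route still fails the loose check, while tolerating asymmetry. Confirm the drops are the intended ones with `show ip interface GigabitEthernet0/1` (uRPF drop counters) and `show ip bgp 203.0.113.77` on the edge.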

SLIDE 22

Utilization of Few Members

(Utilization graphs: INSTITUTE-1, INSTITUTE-2)

SLIDE 23

(Utilization graphs: INSTITUTE-3, INSTITUTE-4)

SLIDE 24

High Packet Per Sec DoS ATTACK

SLIDE 25

HIGH BANDWIDTH DoS ATTACK

SLIDE 26

Address Overload Crisis

SLIDE 27

Government’s Role

  • Understand the country's requirement
  • Understand the regional needs
  • Increase awareness
  • Encourage deployment
  • Create joint programs in the region with similar requirements
  • Facilitate the adoption of IPv6
  • Create test beds
  • Showcase a few case studies
  • Participate in world forums
SLIDE 28

Transition Plan

  • Awareness program
  • Assessment program
  • Acquire IPv6 numbers
  • Testing of IPv6
  • Acceptance Test
  • Deployment of IPv6
SLIDE 29

IPv6

IPv4 Address (Present): Total Addresses = 2^32 = 4 billion

IPv6 Address (Future): Total Addresses = 2^128 = 340 billion billion billion billion

SLIDE 30

First Hop Security

(Diagram: the host sends a Router Solicitation (RS); the router answers with a Router Advertisement (RA).)

RS: ICMP Type = 133; Src = link-local address (FE80::1/10); Dst = all-routers multicast address (FF02::2); Query = please send RA

RA: ICMP Type = 134; Src = link-local address (FE80::2/10); Dst = all-nodes multicast address (FF02::1); Data = options, subnet prefix, lifetime, autoconfig flag

SLIDE 31

First Hop Security

(Diagram: the host sends an RS; the legitimate Router (R1) answers with RA1 and the Attacker (R2) answers with RA2, so the host ends up with Default Router: R1 and R2.)
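The mitigation for the rogue-RA scenario on this slide (and the RS/RA exchange of slide 30) on a Cisco IOS access switch: RA Guard classifies each port by the role of the attached device and drops Router Advertisements (ICMPv6 type 134) arriving on host ports, so RA2 from the attacker R2 never reaches the other hosts, while RAs from R1 on the uplink are still accepted. This is an added example, not configuration from the slides or from NKN; the port numbers, VLAN and policy names are constructed.

```cisco
! IPv6 first-hop security: RA Guard on a Cisco IOS access switch.
! Added example; ports, VLAN and policy names are constructed.
!
! Host-facing policy: the attached device may send RS (type 133), but any
! RA (type 134) it sends is dropped at the port.
ipv6 nd raguard policy HOST-PORTS
 device-role host
!
! Router-facing policy: RAs are accepted only on ports with this role.
ipv6 nd raguard policy ROUTER-PORT
 device-role router
!
! User ports get the host policy; the uplink towards the legitimate
! router R1 gets the router policy.
interface range GigabitEthernet1/0/1 - 24
 description User access port
 switchport mode access
 switchport access vlan 10
 ipv6 nd raguard attach-policy HOST-PORTS
interface TenGigabitEthernet1/1/1
 description Uplink to router R1
 ipv6 nd raguard attach-policy ROUTER-PORT
!
! On platforms with the IPv6 snooping feature, a snooping policy learns a
! binding table from ND and DHCPv6 so that address spoofing by hosts can
! also be caught, complementing the RA filtering above.
ipv6 snooping policy ND-SNOOP
 security-level guard
vlan configuration 10
 ipv6 snooping attach-policy ND-SNOOP
```

After applying the policies, `show ipv6 nd raguard policy HOST-PORTS` confirms where each policy is attached, and a rogue RA on a user port shows up as a drop in `show ipv6 snooping counters` on platforms that support it. RA Guard is a per-port control, so an attacker already on the uplink side is outside its scope; that path is protected by the router's own configuration rather than by the switch.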

SLIDE 32

6PE – Enabling core with IPv6

SLIDE 33

WATCH OUT ??

Network Infrastructure: Routers, Bandwidth Shapers, Switches (Layer 2, Layer 3)

Data centre devices: Load Balancers, Firewall, IPS/IDS, Virtual Machines (VMware / Xen), Blade management consoles, IP KVM

Clients: PCs on the LAN, Server (if any), Proxy / UTM, Network Printers, Display System, Antivirus / HIPS

SLIDE 34

WATCH OUT ??

Infrastructure: Power / infra management S/W, UPS management console, Building Management System, Access Control System, Cameras, Digital Video Recorders

Wifi Systems: WiFi controllers

Software Stacks: Windows / Linux / Solaris / AIX; IIS 6 & above / Apache 2 & above; AAA server; BIND 9.5 & above; Database (transaction log); Logging server (syslog / special tools like WebTrends)

SLIDE 35

Security IPv6

(Venn diagram: IPv4 Vulnerabilities and IPv6 Vulnerabilities overlap; Specific IPv4 Issues and Specific IPv6 Issues lie in the non-overlapping parts.)

SLIDE 36

IPv6 National Concern?

  • It is quite the same as IPv4…
  • Can we address all the drawbacks of IPv4 with respect to security?
  • With new innovations, is it possible for the security agencies to keep track?
  • Borderless domain: making the task of tracking much more difficult.
  • Need for strong international collaboration to resolve inter-border issues.
  • Legal interception needs to be in place before the vast-scale deployment starts.

SLIDE 37

FINALLY: SAME ISSUES WITH IPv6 (HACKING TOOLS)

► Packet forgers: Scapy6, SendIP, Packit, Spak6
► Complete tool: http://www.thc.org/thc-ipv6/
► Scanners: IPv6 security scanner, Halfscan6, Nmap, Strobe, Netcat
► DoS tools: 6tunneldos, 4to6ddos, Imps6-tools
► Sniffers / packet capture: Snort, TCPdump, Sun Solaris snoop, COLD, Wireshark, Analyzer, Windump, WinPcap

SLIDE 38

What all can you start:

IPv6, MAIL, MX, LDAP, DNS ZONE, DNSSEC, Storage On Cloud, DR Strategy, Consulting, VPN L2/L3, Routing Table, Relay, SMS GW, Mirror

SLIDE 39

Coming Soon

DDOS, VOD, Social Network, WebStreaming, URL Filtering, Collab, Cad, NMS, Security, VAT, ISO 2700X

SLIDE 40

Thank You & Happy NKN

Project Implementation Unit National Knowledge Network National Informatics Centre 3rd Floor, Block III, Delhi IT Park, Shastri Park, New Delhi - 110053

CONTACT NKN: 1800 111 555 piu@nkn.in