Efficient Interfacing Campus LAN with NKN

RS MANI [email protected]

25-Oct-13, 2nd Annual NKN Workshop

Source: nknworkshop.nkn.in/2013/images/presentation/final tutorial...


Efficient utilization

Efficient use of the NKN link comes from:

– A good campus LAN
  • Speed segregation of LANs
  • Resilient QoS
  • Access controls (L2 and L3)
  • NMS
– Good collaboration (national / international)
– Good Internet governance

for the scientists and researchers the network serves.


Various Components

• Campus network best practice
• Functions of the different layers
• Firewall/IPS
• AAA / DHCP / DNS
• Server farm
• Security best practices for IPv4 and IPv6
• VPN services
• Gateway services


Typical Campus Network Architecture

[Diagram: two NKN links (NKN Link 1, NKN Link 2) terminate on two edge routers; an outer switch feeds a firewall pair with IPS (one active, one standby); behind it a core switch on a 10G backbone; a server switch for the server farm and the DHCP server; distribution switches and user switches on each floor (Gnd F, 1st F, 2nd F, 3rd F) over 10G / 1G fibre, with CAT 6a / 7 copper to the desk.]

Security Devices

• Firewall/IPS: integrated stateful-inspection firewall
• Maximizes network security with clear, deterministic L3/L4 policies
• Reputation-based intrusion prevention: identify the source of, and block, denial of service (DoS), distributed denial of service (DDoS) and SYN-flood traffic, with threat protection up to Layer 7
• Zero-day protection with anomaly detection
• Adoption and use of IPv6
• Remote-access VPN solution providing both client and clientless access

Some Best Practices for Campus Security

• Switches should support port security, DHCP snooping, Dynamic ARP Inspection and IP Source Guard
• Use SSH to access devices instead of Telnet
• Enable AAA and role-based access control (RADIUS/TACACS+) for the CLI on all devices
• Send syslog to a server; collect and archive the logs
• When using SNMP, use SNMPv3
• Configure access lists to limit who can reach management and CLI services
• Enable control-plane protocol authentication where it is available
• Apply the basic protection offered by RFC 2827 (BCP 38) ingress filtering on external edge inbound interfaces

Layer 2 Snoop Attack

Problem: the attacker floods the switch CAM table with bogus source MACs (400,000 bogus MACs per second in the example), turning the VLAN into a hub and eliminating privacy: frames between 00:0e:00:aa:aa:aa and 00:0e:00:bb:bb:bb are flooded to every port, including the attacker's.

Solution: port security limits the MAC-flooding attack. With only three MAC addresses allowed on the port, the fourth locks the port down (shutdown) and sends an SNMP trap.
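The attack and the port-security response on this slide, played through a small model of a switch CAM table. This is an added example, not material from the workshop deck: the switch class, its table size (8192 entries), the port names and the flooding traffic are constructed assumptions; the two victim MACs are the ones printed on the slide.

```python
"""CAM-table model showing the MAC-flooding attack and the port-security
response described on the slide (added example, not from the workshop deck).
The switch model, table size, MAC addresses and attack traffic are constructed
for the demonstration; real platforms differ in table size and violation handling."""
from dataclasses import dataclass, field


@dataclass
class Switch:
    ports: list                                      # e.g. ["Gi1", "Gi2", "Gi3"]
    cam_capacity: int                                # hardware MAC table size
    ps_max: dict = field(default_factory=dict)       # port -> max secure MACs (port security)
    cam: dict = field(default_factory=dict)          # mac -> port
    learned_on: dict = field(default_factory=dict)   # port -> set of MACs learned there
    shutdown: set = field(default_factory=set)       # err-disabled ports

    def learn(self, port, src_mac):
        """Source-learn src_mac on ingress port, enforcing port security if set."""
        if port in self.shutdown:
            return                                   # err-disabled: frame dropped
        seen = self.learned_on.setdefault(port, set())
        if port in self.ps_max and src_mac not in seen and len(seen) >= self.ps_max[port]:
            # Violation mode 'shutdown': err-disable the port and flush its entries
            # (a real switch also raises the SNMP trap the slide mentions).
            self.shutdown.add(port)
            for mac in seen:
                self.cam.pop(mac, None)
            seen.clear()
            return
        if src_mac not in self.cam and len(self.cam) >= self.cam_capacity:
            return                                   # table full: nothing more is learned
        self.cam[src_mac] = port
        seen.add(src_mac)

    def age_out(self, mac):
        """Aging timer expiry for an idle entry."""
        port = self.cam.pop(mac, None)
        if port is not None:
            self.learned_on[port].discard(mac)

    def forward(self, in_port, dst_mac):
        """Ports that receive a frame: the known port, or a flood to all other live ports."""
        out = self.cam.get(dst_mac)
        if out is not None and out != in_port:
            return {out}
        return {p for p in self.ports if p != in_port and p not in self.shutdown}


def bogus_mac(i):
    """Locally administered MAC derived from a counter (constructed attack traffic)."""
    return "02:00:00:%02x:%02x:%02x" % (i >> 16 & 0xFF, i >> 8 & 0xFF, i & 0xFF)


def run_flood(port_security):
    """Return (ports that see B's reply to A, whether the attacker port was err-disabled)."""
    sw = Switch(ports=["Gi1", "Gi2", "Gi3"], cam_capacity=8192,
                ps_max={"Gi3": 3} if port_security else {})
    host_a, host_b = "00:0e:00:aa:aa:aa", "00:0e:00:bb:bb:bb"     # MACs from the slide
    sw.learn("Gi1", host_a)
    sw.learn("Gi2", host_b)
    for i in range(10_000):                          # attacker on Gi3 floods bogus sources
        sw.learn("Gi3", bogus_mac(i))
    sw.age_out(host_a)                               # victims go idle, entries age out...
    sw.age_out(host_b)
    for i in range(10_000, 10_100):                  # ...while the flood keeps the table full
        sw.learn("Gi3", bogus_mac(i))
    sw.learn("Gi1", host_a)                          # A sends to B
    sw.forward("Gi1", host_b)
    sw.learn("Gi2", host_b)                          # B replies to A: who else sees it?
    return sw.forward("Gi2", host_a), "Gi3" in sw.shutdown


if __name__ == "__main__":
    print("no port security:", run_flood(False))    # reply flooded to attacker port too
    print("port security:   ", run_flood(True))     # unicast to Gi1 only, Gi3 err-disabled
```

Without port security the attacker's bogus sources fill the table, the victims' entries cannot be re-learned once they age out, and B's reply to A is flooded to the attacker's port as well as to A. With a maximum of three secure MACs and violation mode shutdown on the attacker's port, the fourth source MAC err-disables Gi3, the table never fills and B's reply is unicast to Gi1 only. The aging step matters: a full table alone does not expose traffic whose entries are still present, which is why real floods run continuously.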

DHCP Snooping

• DHCP requests (DISCOVER) and responses (OFFER) are tracked, building a binding table of MAC, IP, VLAN and port
• Rate-limit requests on untrusted (host-facing) interfaces; this limits DoS attacks in which 1000s of DHCP requests are sent to overrun the DHCP server
• Deny responses (OFFERs) on untrusted interfaces; only the uplink towards the real DHCP server is trusted, which stops malicious or errant DHCP servers
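A configuration audit that checks an IOS-style switch configuration against the items on the best-practice list above and on this DHCP snooping slide (trusted uplink, rate-limited untrusted ports). This is an added example, not code from the workshop or from NKN: the sample configuration is constructed with several controls deliberately missing, and the check patterns encode my reading of IOS syntax rather than any vendor-published rule set.

```python
"""Audit an IOS-style switch configuration against the campus hardening items
above: SSH-only management, AAA with TACACS+/RADIUS, syslog, SNMPv3, management
ACLs, port security, DHCP snooping (trusted uplink, rate-limited access ports),
Dynamic ARP Inspection and IP Source Guard. Added example, not from the workshop;
the configuration below is constructed, with several controls left out on purpose."""
import re

SAMPLE_CONFIG = """\
hostname dist-sw-1
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 10.0.0.5
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
snmp-server community public RO
snmp-server community campus RW
logging host 10.0.0.9
ip access-list standard MGMT
 permit 10.0.0.0 0.0.0.255
line vty 0 4
 transport input telnet ssh
 access-class MGMT in
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation shutdown
 ip dhcp snooping limit rate 15
 ip verify source
interface GigabitEthernet1/0/2
 switchport access vlan 10
interface GigabitEthernet1/0/24
 description uplink to core
 switchport mode trunk
"""

# Global lines that must be present somewhere (regex, finding if absent).
GLOBAL_CHECKS = [
    (r"^aaa new-model$", "AAA not enabled (aaa new-model)"),
    (r"^aaa authentication login .*group (tacacs\+|radius)", "no TACACS+/RADIUS login method"),
    (r"^ip dhcp snooping$", "DHCP snooping not enabled"),
    (r"^ip arp inspection vlan ", "Dynamic ARP Inspection not enabled on any VLAN"),
    (r"^logging host ", "no syslog collector configured"),
    (r"^snmp-server group \S+ v3 (auth|priv)", "SNMPv3 not configured"),
]

# Lines expected under every host-facing (access) port.
ACCESS_PORT_CHECKS = [
    (r"^switchport port-security$", "port-security not enabled"),
    (r"^ip dhcp snooping limit rate \d+$", "no DHCP request rate limit on untrusted port"),
    (r"^ip verify source", "IP Source Guard not enabled"),
]


def _stanzas(lines):
    """Yield (top-level line, [indented child lines]) for each configuration block."""
    header, body = None, []
    for line in lines:
        if line.startswith(" "):
            body.append(line.strip())
        else:
            if header is not None:
                yield header, body
            header, body = line, []
    if header is not None:
        yield header, body


def audit_config(text):
    """Return a list of findings; an empty list means every check passed."""
    lines = text.splitlines()
    findings = []
    for pattern, msg in GLOBAL_CHECKS:
        if not any(re.match(pattern, line) for line in lines):
            findings.append(msg)
    for line in lines:                                  # v1/v2c communities travel in cleartext
        m = re.match(r"^snmp-server community (\S+)", line)
        if m:
            findings.append("cleartext SNMPv1/v2c community string in use: " + m.group(1))
    for header, body in _stanzas(lines):
        if header.startswith("line vty"):
            if "transport input ssh" not in body:
                findings.append(header + ": transport input should be ssh only")
            if not any(b.startswith("access-class ") for b in body):
                findings.append(header + ": no access-class limiting management sources")
        elif header.startswith("interface "):
            if "switchport mode trunk" in body:          # uplink towards the real DHCP server
                if "ip dhcp snooping trust" not in body:
                    findings.append(header + ": uplink not DHCP-snooping trusted, OFFERs will be dropped")
            elif any(b.startswith("switchport access vlan") for b in body):
                for pattern, msg in ACCESS_PORT_CHECKS:
                    if not any(re.match(pattern, b) for b in body):
                        findings.append(header + ": " + msg)
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FAIL:", finding)
```

Run against the constructed configuration it reports eight findings: no SNMPv3 group, two cleartext community strings, Telnet still allowed on the vty lines, the second access port missing port security, a DHCP rate limit and IP Source Guard, and the trunk uplink not marked as DHCP-snooping trusted. The last one is the classic self-inflicted outage: with snooping enabled and no trusted uplink, every OFFER from the real server is dropped.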

AAA server

• Strengthens security: enforces a consistent security policy, ensures endpoint health and delivers a secure network fabric
• Supports compliance: enables corporate governance through a consistent access policy for all users and devices
• Increases efficiency: reduces IT overhead through centralized identity management and integrated policy enforcement

Multi-Homing

• Basic requirements
– Your own (provider-independent) IP address space, v4 or v6
– An ASN (16-bit or 32-bit)
– Service providers capable of running BGP
– A router capable of BGP and of holding the routes
– Trained manpower

What is an MPLS-VPN?

• An IP network infrastructure delivering private network services over a public infrastructure
– Uses a Layer 3 backbone
– Scalability, easy provisioning
– Global as well as non-unique (private) address space
– QoS
– Controlled access
– Easy configuration

NKN MPLS for CUG

[Diagram: the NKN backbone provides Layer 3 MPLS VPNs (Multi-VRF) between institutes in the state (TN). At each institute the state router connects over one 802.1Q trunk, and each sub-interface / VLAN is associated with a different VPN: VLAN1 = VPN Green, VLAN2 = Blue, VLAN3 = Red. The LAN of Institute #1 carries VLAN1 and VLAN2; the LAN of Institute #2 carries all three. Contents of the VPNs: video / audio, intra-VPN Internet, DC, cloud.]

Layer 2 Extensions

VPLS Network

[Diagram: PE routers at Mumbai, Indore and other locations, joined by virtual circuits / pseudowires, form one VPLS domain that extends the Physics Department LAN across Institutes #1 to #5.]

End to End QoS

[Diagram: video-conferencing (VC) equipment at sites #2 to #11 connected across the network with QoS applied end to end.]

Inter Service Provider QoS

• MPLS VPNs: many QoS-enabled islands (providers A, B, C, D) but no inter-provider QoS
• The Internet: richly interconnected providers (A to E) but no QoS
• Goal: richly connected AND QoS-enabled

Defense in Depth and Breadth

[Diagram: Internet transit providers (AS1, AS2, AS3) feed the NKN core network, which connects to the enterprise network's e-mail and web servers, remote-access systems and internal assets and servers; protection points are marked at each boundary, with the Network Operations Center (NOC) overseeing the core and the edges.]

Edge (interface-level protection):
• Interface ACLs
• Unicast RPF
• Flexible packet matching
• IP option filtering
• Marking / rate-limiting
• Routing techniques
• eBGP techniques
• ICMP techniques

Core (protecting the router itself):
• Receive ACLs
• CoPP (control-plane policing)
• ICMP techniques
• QoS techniques
• Routing techniques

Hardening of every router and switch:
• Disable unused services
• Protocol-specific filters
• Password security
• SNMP security
• Remote terminal access security
• System banners
• AAA
• Network telemetry
• Secure file systems

Using Strict Mode uRPF to Battle BOTNETs

[Diagram: NKN partners attach through access POPs to the NKN backbone, which connects to several ISPs; bots on many partner LANs attack a target behind one ISP. Protection points marked: uRPF strict on the NKN partner edge, and the NOC.]

• uRPF strict on the NKN partner edge: a packet is accepted only if the route back to its source address points out of the interface it arrived on, so bots on a partner LAN cannot spoof their source addresses
• BGP trigger community from the NOC: source-based remotely triggered black hole (SRTBH) on the NKN partner edge, which black-holes traffic from the attacking sources at every partner edge that receives the trigger
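uRPF strict and loose mode, the RFC 2827 ingress filter from the best-practice list, and a source-based RTBH entry, evaluated against a toy forwarding table of a partner-edge router. This is an added example, not from the workshop: the FIB, interface names and addresses (RFC 5737 documentation prefixes) are constructed, and the handling of the default route follows the IOS allow-default behaviour as I understand it.

```python
"""Strict and loose unicast RPF, the RFC 2827 (BCP 38) ingress filter and a
source-based RTBH route, evaluated against a toy FIB of an NKN partner-edge router.
Added example, not from the workshop deck; the FIB, interface names and addresses
(RFC 5737 documentation prefixes) are constructed for the demonstration."""
import ipaddress as ip

# (prefix, egress interface); None stands for Null0.
FIB = [
    (ip.ip_network("0.0.0.0/0"), "Gi0/0"),        # default route towards the NKN backbone
    (ip.ip_network("203.0.113.0/24"), "Gi0/1"),   # this partner's campus LAN
    (ip.ip_network("198.51.100.0/24"), "Gi0/2"),  # a second site on its own link
    (ip.ip_network("10.0.0.0/8"), None),          # private space discarded at the edge
]


def lpm(fib, src, allow_default=False):
    """Longest-prefix match for src. The default route is ignored unless allow_default,
    the behaviour of IOS 'ip verify unicast source reachable-via ... allow-default'."""
    addr = ip.ip_address(src)
    best = None
    for net, iface in fib:
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(fib, src, in_iface, allow_default=False):
    """reachable-via rx: the best route back to src must exit on the ingress interface."""
    route = lpm(fib, src, allow_default)
    return route is not None and route[1] == in_iface


def urpf_loose(fib, src, allow_default=False):
    """reachable-via any: a route to src exists and it does not point at Null0."""
    route = lpm(fib, src, allow_default)
    return route is not None and route[1] is not None


def bcp38_ingress(src, customer_prefixes):
    """RFC 2827 ingress ACL on a customer-facing port: permit only the customer's own space."""
    addr = ip.ip_address(src)
    return any(addr in ip.ip_network(p) for p in customer_prefixes)


def srtbh(fib, attacker_src):
    """What the NOC's BGP trigger community installs: a /32 for the attacking source
    pointing at Null0. Every edge carrying the route then drops the source via uRPF."""
    return [(ip.ip_network(attacker_src + "/32"), None)] + list(fib)


def evaluate(fib, src, in_iface, customer_prefixes=("203.0.113.0/24",)):
    """Verdict of each control for one packet; the BCP 38 ACL is bound to Gi0/1 only."""
    return {
        "strict": urpf_strict(fib, src, in_iface),
        "loose": urpf_loose(fib, src, allow_default=True),
        "bcp38": bcp38_ingress(src, customer_prefixes) if in_iface == "Gi0/1" else True,
    }


if __name__ == "__main__":
    for src in ("203.0.113.10", "198.51.100.7", "10.1.2.3", "192.0.2.5"):
        print(src, "in on Gi0/1 ->", evaluate(FIB, src, "Gi0/1"))
    print("192.0.2.5 after SRTBH ->", evaluate(srtbh(FIB, "192.0.2.5"), "192.0.2.5", "Gi0/0"))
```

The second case is the one to notice: a packet carrying the second site's prefix but arriving on the first site's port is dropped by strict mode and passed by loose mode, and the router cannot tell spoofing apart from legitimate asymmetric routing. That is why strict mode belongs on single-homed partner edges, where the slide places it, and why it is wrong on the backbone-facing interface without allow-default, where every Internet source would fail. The SRTBH entry shows what the NOC's trigger community achieves: once the /32 to Null0 is installed, even loose mode drops the source.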

Utilization of a Few Members

[Figures: utilization of INSTITUTE-1, INSTITUTE-2, INSTITUTE-3 and INSTITUTE-4, shown on two slides.]

High Packet-Per-Second DoS Attack

High-Bandwidth DoS Attack

Address Overload Crisis

Government's Role

• Understand the country's requirements
• Understand the regional needs
• Increase awareness, encourage deployment
• Create joint programmes in the region with similar requirements
• Facilitate the adoption of IPv6
• Create test beds
• Showcase a few case studies
• Participate in world forums

Transition Plan

Awareness program

Assessment program

Acquire IPv6 numbers

Testing of IPv6

Acceptance Test

Deployment of IPV6

IPv6

IPv4 address (present): total addresses = 2^32 ≈ 4 billion

IPv6 address (future): total addresses = 2^128 ≈ 340 billion billion billion billion (about 3.4 × 10^38)

First Hop Security

[Diagram: host sends RS, router answers with RA.]

Router Solicitation (RS): ICMPv6 type 133; src = the host's link-local address (e.g. FE80::1, from FE80::/10); dst = all-routers multicast address FF02::2; query = "please send an RA"

Router Advertisement (RA): ICMPv6 type 134; src = the router's link-local address (e.g. FE80::2); dst = all-nodes multicast address FF02::1; data = options, subnet prefix, lifetime, autoconfig flags

First Hop Security: rogue router

[Diagram: the host sends an RS; it receives RA1 from the legitimate router (R1) and RA2 from the attacker (R2). The host's default router list now holds both R1 and R2, so the attacker can be chosen as the default gateway.]
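The RS/RA exchange from the previous slide and the rogue-router problem from this one, as bytes: an added example (not from the workshop deck) that builds an RA frame, parses it and applies an RA Guard style decision of the kind an access switch uses to keep RA2 from reaching hosts. The link-local addresses, MACs and 2001:db8:: prefixes are constructed, and the port-role policy is a simplification of RFC 6105.

```python
"""Build, parse and police IPv6 Router Advertisements as an RA Guard would
(added example, not from the workshop deck). Addresses, MACs and prefixes are
constructed; the policy is a simplified RFC 6105 host/router port role check."""
import struct
import ipaddress as ip


def icmpv6_checksum(src, dst, payload):
    """One's-complement checksum over the IPv6 pseudo-header (RFC 8200 8.1) plus the message."""
    pseudo = src + dst + struct.pack("!IxxxB", len(payload), 58)     # 58 = ICMPv6
    data = pseudo + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ra(src_ll, prefix, hop_limit=255, router_lifetime=1800):
    """Ethernet/IPv6/ICMPv6 RA (type 134) with one Prefix Information option (RFC 4861)."""
    src = ip.ip_address(src_ll).packed
    dst = ip.ip_address("ff02::1").packed                 # all-nodes multicast
    net = ip.ip_network(prefix)
    # type, code, checksum (0 for now), cur hop limit, M/O flags, router lifetime,
    # reachable time, retrans timer
    ra = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, router_lifetime, 0, 0)
    # option type 3, length 4 (units of 8 bytes), prefix length, L|A flags,
    # valid and preferred lifetimes, reserved, prefix
    pio = struct.pack("!BBBBIII16s", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0,
                      net.network_address.packed)
    payload = ra + pio
    cksum = icmpv6_checksum(src, dst, payload)
    payload = payload[:2] + struct.pack("!H", cksum) + payload[4:]
    ipv6 = struct.pack("!IHBB", 0x60000000, len(payload), 58, hop_limit) + src + dst
    eth = bytes.fromhex("333300000001") + bytes.fromhex("000e00bbbbbb") + b"\x86\xdd"
    return eth + ipv6 + payload


def parse_ra(frame):
    """Decode an ICMPv6 frame into a dict (None if not ICMPv6); lists RA prefixes."""
    if frame[12:14] != b"\x86\xdd":
        return None
    v6 = frame[14:54]
    plen, nh, hlim = struct.unpack("!HBB", v6[4:8])
    if nh != 58:
        return None
    src, dst = v6[8:24], v6[24:40]
    payload = frame[54:54 + plen]
    typ, _code, cksum = struct.unpack("!BBH", payload[:4])
    zeroed = payload[:2] + b"\x00\x00" + payload[4:]
    info = {"src": str(ip.ip_address(src)), "dst": str(ip.ip_address(dst)),
            "hop_limit": hlim, "type": typ,
            "checksum_ok": icmpv6_checksum(src, dst, zeroed) == cksum,
            "router_lifetime": None, "prefixes": []}
    if typ == 134:
        info["router_lifetime"] = struct.unpack("!H", payload[6:8])[0]
        off = 16                                           # options follow the 16-byte RA header
        while off + 2 <= len(payload):
            otype, olen = payload[off], payload[off + 1]
            if olen == 0:
                break                                      # malformed option, stop parsing
            if otype == 3 and olen == 4:
                pfx = ip.ip_address(payload[off + 16:off + 32])
                info["prefixes"].append("%s/%d" % (pfx, payload[off + 2]))
            off += olen * 8
    return info


def ra_guard(frame, port_is_router_facing):
    """Access-switch decision: (forward?, reason). RAs pass only on router-facing ports
    and must satisfy RFC 4861 validity checks (hop limit 255, link-local source)."""
    info = parse_ra(frame)
    if info is None or info["type"] != 134:
        return True, "not an RA, forwarded"
    if not port_is_router_facing:
        return False, "RA from %s dropped: host-facing port" % info["src"]
    if not info["checksum_ok"]:
        return False, "RA dropped: bad ICMPv6 checksum"
    if info["hop_limit"] != 255:
        return False, "RA dropped: hop limit != 255, not from an on-link node"
    if ip.ip_address(info["src"]) not in ip.ip_network("fe80::/10"):
        return False, "RA dropped: source is not link-local"
    return True, "RA accepted, prefixes %s" % info["prefixes"]
```

On a host-facing port the attacker's RA2 is dropped before any host adds R2 to its default router list; on the router-facing port R1's RA is accepted only if the ICMPv6 checksum verifies, the hop limit is 255 (proof the packet was not forwarded) and the source is link-local. The prefix option is decoded so an operator can log which prefix a rogue RA was trying to push.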


6PE – Enabling core with IPv6

WATCH OUT ?? Network infrastructure:
• Routers
• Bandwidth shapers
• Switches (Layer 2 and Layer 3)

Data centre devices:
• Load balancers
• Firewall
• IPS/IDS
• Virtual machines (VMware / Xen)
• Blade management consoles
• IP KVM

Clients:
• PCs on the LAN
• Servers, if any
• Proxy / UTM
• Network printers
• Display systems
• Antivirus / HIPS

WATCH OUT ?? Infrastructure:
• Power / infrastructure management software
• UPS management console
• Building management system
• Access control system
• Cameras
• Digital video recorders

Wi-Fi systems:
• Wi-Fi controllers

Software stacks:
• Windows / Linux / Solaris / AIX
• IIS 6 and above / Apache 2 and above
• AAA server
• BIND 9.5 and above
• Database (transaction log)
• Logging server (syslog / special tools like WebTrends)

Security in IPv6

[Figure: two overlapping sets, "IPv4 vulnerabilities" and "IPv6 vulnerabilities"; IPv4-specific issues on one side, IPv6-specific issues on the other, and the vulnerabilities common to both in the overlap.]

IPv6: National Concern?

• It is much the same as IPv4...
• Can we address all the drawbacks of IPv4 with respect to security?
• With new innovations, is it possible for the security agencies to keep track?
• Borderless domain: makes tracking much more difficult
• Need for strong international collaboration to resolve cross-border issues
• Lawful interception needs to be in place before large-scale deployment starts

FINALLY: SAME ISSUES WITH IPv6 (HACKING TOOLS)

► Packet forgers: Scapy6, SendIP, Packit, Spak6
► Complete tool: THC-IPv6 (http://www.thc.org/thc-ipv6/)
► Scanners: IPv6 security scanner, Halfscan6, Nmap, Strobe, Netcat
► DoS tools: 6tunneldos, 4to6ddos, Imps6-tools
► Sniffers / packet capture: Snort, TCPdump, Sun Solaris snoop, COLD, Wireshark, Analyzer, Windump, WinPcap

What all can you start:

• IPv6
• Mail MX
• LDAP
• DNS zone
• DNSSEC
• Storage on cloud
• DR strategy
• Consulting
• VPN L2/L3
• Routing table
• Relay
• SMS GW
• Mirror

Coming Soon

• DDoS
• VOD
• Social network
• Web streaming
• URL filtering
• Collab CAD
• NMS
• Security VAT
• ISO 2700X


Thank You & Happy NKN

Project Implementation Unit National Knowledge Network National Informatics Centre

3rd Floor, Block III, Delhi IT Park, Shastri Park, New Delhi - 110053

CONTACT NKN: 1800 111 555 [email protected]