Securing Networks with Juniper Networks
Securing Networks with Juniper Networks: Juniper Security Features
Jean-Marc Uzé, Liaison Research, Education and Government Networks and Institutions, EMEA
TF-CSIRT Meeting, 26/09/02

Agenda
- Introduction
- Juniper Networks Routers Architecture
- Router Protection
- Encryption of Traffic
- Source Address Verification
- Real-time Traffic Analysis
- I/O Filters and Rate Limiting
- Summary
Cyber Attacks
- Increasing frequency: over 4,000 distributed DoS attacks a week
- Sophistication: distributed DoS attacks are hard to detect and stop; network elements recently targeted
- Impact: Yahoo, eBay, Microsoft make headlines; Cloud 9 (UK) ISP out of business
Figure: attack evolution (source: published CERT figures). Packet sniffers, IP spoofing, denial of service attacks, automated scanning tools, distributed denial of service attacks, script attacks, self-propagating automated distributed attacks; host-based attacks and network-based attacks; attacks target the network.
Juniper Networks, Inc. Copyright

Today's Security Compromises
Figure: timeline of an attack (attack starts, tracing, blocking, attack ends) against the performance SLA target.
- Partial: security enabled at specific points on the network, as platforms, interfaces or software allow; does not provide reliable security
- Reactive: security enabled after the attack is detected; high operational effort; performance SLAs affected
Security Without Compromise
- Ubiquitous: single image, security on all interfaces
- Continuous: low impact; turn it on, leave it on
- Economical: included in the basic platform
- Proven: shipping since 2000 and in use in production networks around the world
Lets you, rather than your equipment, dictate your network security policy.

Protecting and Enabling Revenues
- Customer retention: increased customer satisfaction; match competitive security service offerings
- New services: lawful intercept, intrusion detection services, high-speed encrypted VPNs, attack-resistant web hosting, denial of service protection/control, spoofing protection
JUNOS Security-Related Features
Figure: features introduced across JUNOS 3.x (1998), 4.x and 5.x: user administration (TACACS+/RADIUS), protocol authentication, hardware-based packet filtering, individual command authorization, traffic policing, firewall, syslogs/MIB, hardware-based router protection, port mirroring, IPsec encryption (control and transit traffic), unicast RPF, RADIUS support for PPP/CHAP, SNMPv3.

Juniper Security Features at a Glance: examples of available safeguards
Prevention
- Infrastructure protection: 1. hardware-based router protection; 2. IPsec encryption of control traffic
- Customer protection: 3. IPsec encryption of customer traffic; 4. source address verification
Detection
- 5. Real-time traffic analysis (port mirroring) for lawful intercept, IDS
- 6. Real-time DDoS attack identification
Suppression
- 7. I/O filters to block attack flows
- 8. Rate limiting
- 9. Hitless filter implementation
System Architecture
Figure: the JUNOS Internet software on the Routing Engine pushes forwarding table updates to the Packet Forwarding Engine (I/O cards, Internet Processor II, switch fabric, forwarding tables).
- Routing Engine: maintains the routing table and constructs the forwarding table using knowledge of the network
- Packet Forwarding Engine: receives the forwarding table from the Routing Engine; copies packets from an input interface to an output interface; conducts incremental table updates without forwarding interruption
IP II ASIC Overview
Internet Processor II
- Leverages the proven, predictable ASIC forwarding technology of the Internet Processor
- Provides breakthrough technology to support performance-based, enhanced services: security and bandwidth control (i.e. filtering) at speed; visibility into network operations at speed
- Delivers performance with services
- Supported on all interfaces

Filtering
IP-II enables significant functionality with applications to network management: security, monitoring, accounting. Filter specification (multiple rules may be specified):

filter my-filter ip {
    rule 10 {
        protocol tcp;
        source-address /24;
        port [ smtp ftp-data ];
        action {
            reject tcp-reset;
        }
    }
}

Figure: IP and TCP headers of all packets handled by the router (version, IHL, ToS, total length, ID, fragmentation, TTL, protocol, header checksum, source address, destination address; source port, destination port, sequence number, acknowledgement number, offset, flags, window, checksum, urgent pointer). Filters can act on the highlighted fields, as well as the incoming interface identifier and the presence of IP options.

IP-II packet handling: filter programs compile to microcode; filters and route lookup are part of the same program. Actions: log/syslog, count, sample, forwarding-class, loss-priority, policer. Dispositions: forward, silent discard, TCP reset or ICMP unreachable, routing instance.
JUNOS Internet Software
- Common software across the entire product line leverages stability, interoperability, and a wide range of features
- Purpose-built for Internet scale
- Modular design for high reliability
- Best-in-class routing protocol implementations
- Foundation for new services with MPLS traffic engineering
Figure: modules (protocols, interface management, chassis management, SNMP, security) on top of the operating system.

Traffic Framework
Management, control and data planes, distinguished by source, destination and type: router management, routing control, ICMP notification, user data.
Tools: Prevent, Detect, Control
- Traffic: forward, redirect, monitor (sample, count, log), mark, limit, discard
- Route control: import filters, export filters; mark or limit announcements and prefixes
JUNOS Defaults to Secure
- Does not forward directed broadcasts
- Remote management access to the router (telnet, ftp, ssh) is disabled; it must be explicitly enabled
- No SNMP set support for editing configuration data
- Default Martian addresses

Communicating with the Router
- Secure Shell (SSH v1/v2): supports a connection limit and a rate limit against SYN flood DoS attacks on the SSH port; OpenSSH since JUNOS 5.4
- Secure Copy Protocol (SCP): uses the SSH encryption and authentication infrastructure to securely copy files between hosts
- Central authentication: TACACS+/RADIUS; user classes with specific privileges; file records and command events
Hardware-Based Router Protection
- The router's control plane is complex and intelligent, so it needs to be CPU based: protocols need processing power for fast updates and to minimize convergence time
- Attacks launched at routers include sending forged routing packets (BGP, OSPF, RIP, etc.) and bogus management traffic (ICMP, SNMP, SSH, etc.)
- An attacker can easily launch high-speed attacks, at rates in excess of 40M/second; CPU-based filtering is unable to keep up
- Attacks consume CPU resources needed for control traffic: danger of protocol time-outs, leading to network instabilities

Hardware-based filtering advantages
- Hardware drops attack ("untrusted") traffic; the CPU is free to process trusted control traffic
- One filter applied to the loopback protects the router and all interfaces
- Ease of management: no need to configure additional filters when adding new interfaces
Hardware-Based Router Protection
- Define trusted source addresses
- Define the protocols and ports that need to communicate
- Accept desired traffic and discard everything else
- One filter applied to the loopback interface protects the router and all interfaces

firewall {
    filter protect-re {
        term established {
            from {
                protocol tcp;
                tcp-established;
            }
            then accept;
        }
        term trusted-traffic {
            from {
                /* five trusted /24 prefixes; the network numbers did not survive the transcription */
                source-address {
                    /24;
                    /24;
                    /24;
                    /24;
                    /24;
                }
                protocol [ icmp tcp ospf udp ];
                destination-port [ bgp domain ftp ftp-data snmp ssh ntp ];
            }
            then accept;
        }
        term default {
            then {
                log;
                discard;
            }
        }
    }
}
IPsec Encryption of Control Traffic
- Encrypts control traffic between routers; encryption uses ESP in transport mode
- ESP provides secure communication for critical control/routing traffic and protects against attacks on the control plane

IPsec Encryption of Customer Traffic
- The Encryption Services PIC provides encryption and key exchange (IKE) capabilities to the other interfaces on the router
- Provides high-bandwidth encryption for transit traffic at 800 Mbps (half-duplex)
- Applied via the Packet Forwarding Engine to offload the encryption and decryption tasks from the Routing Engine processor
- Delivers private and secure communication of mission-critical customer traffic
- Provides up to 1,000 tunnels per PIC; can scale using multiple PICs
IPsec Encryption of Customer Traffic: Crypto PIC highlights
- Tunnel/transport mode; tunnel mode for data traffic
- Authentication algorithms: MD5, SHA-1
- Encryption algorithms: DES, 3DES
- IKE features: automated key management using Diffie-Hellman key establishment; main/aggressive mode supported for IKE SA setup; quick mode supported for IPsec SA setup
Source Address Verification
Why it is needed:
- IP address spoofing is a technique used in DoS attacks: the attacker pretends to be someone else, which makes it difficult to trace the attacks back
- Common operating systems (UNIX, Linux, Windows XP) let users spoof the machine's IP address
How it is done:
- A route table lookup is performed on the IP source address
- The router determines whether the traffic is arriving on the expected path; if so, the traffic is accepted and the normal destination-based lookup is performed
- If the traffic is not arriving on the expected path, it is dropped

Juniper solution
- uRPF can be configured per interface/sub-interface
- Supports both IPv4 and IPv6
- Packet/byte counters for traffic failing the uRPF check
- Additional filtering is available for traffic failing the check: police/reject
- The rejected traffic can be syslogged for later analysis
- Two modes available:
  - Active-paths: uRPF only considers the best path toward a particular destination
  - Feasible-paths: uRPF considers all the feasible paths; used where routing is asymmetrical
Figure: Source Address Verification. A data center /24 prefix is learned via BGP (*[BGP/170] >via so-1/0/0.0); an attack whose source address is taken from that prefix arrives on so-0/0/0.0, where uRPF is enabled.
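An added example, not from the slides: a JUNOS configuration that enables uRPF on the customer-facing interface of the figure (so-0/0/0) in feasible-paths mode and attaches a fail filter that counts, syslogs and discards packets failing the check, covering the counter, syslog and reject options listed above. The filter and counter names are assumed.

```junos
/* Global uRPF mode: feasible-paths tolerates asymmetric routing;
   active-paths (the default) only accepts the best path to the source. */
routing-options {
    forwarding-table {
        unicast-reverse-path feasible-paths;
    }
}

/* Actions for packets that fail the check (filter and counter names assumed). */
firewall {
    filter urpf-fail {
        term spoofed {
            then {
                count urpf-fail-packets;   /* packet/byte counters for failed traffic */
                syslog;                    /* record the rejected traffic for later analysis */
                discard;
            }
        }
    }
}

/* Enable the check per interface/sub-interface on the interface the attack arrives on. */
interfaces {
    so-0/0/0 {
        unit 0 {
            family inet {
                rpf-check {
                    fail-filter urpf-fail;
                }
            }
        }
    }
}
```

The fail-filter counters are read with show firewall filter urpf-fail, and show interfaces so-0/0/0 extensive reports the interface's RPF failure packet and byte counts.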
Real-time Traffic Analysis
- Sampling and cflowd format export (v5 + v8)
- Since JUNOS 5.4: Passive Monitoring PIC
  - Application is primarily for security and traffic analysis
  - Monitors IPv4 packets and flows over SONET on OC-3c, OC-12c and OC-48c, with PPP or HDLC (Cisco) layer 2 encapsulations
  - Generates cflowd v5 records for export to collector nodes
  - IPsec or GRE tunnels can be used for exporting

Juniper port mirroring capability
- A copy of the sampled packet can be sent to an arbitrary interface
- Any interface and speed, up to 100% of the selected packets
- N ingress ports to a single destination port
- Work in progress with an IDS vendor; discussions ongoing with high-speed (OC-48) analytical security application developers
Figure: Real-time Traffic Analysis. Traffic to the data center is mirrored to an intrusion detection system.

Real-time DDoS Identification
Preparation:
- Pre-configure Destination Class Usage (DCU) on customer-facing ingress interfaces
  - An accounting feature, typically used for billing; supported in JUNOS 4.3 (12/2000) and beyond
  - Counts packets and bytes destined for each of up to 16 communities per interface
  - Counters are retrievable via SNMP
  - Note: Source Class Usage is also supported (since JUNOS 5.4)
During an attack:
- Use BGP to announce the victim's /32 host address with a special community
- Trigger SNMP polling of the DCU counters on all ingress interfaces
- Apply a heuristic to identify the likely attack sources
Figures: Real-time DDoS Identification. A service provider network with a NOC connects attack networks, attacker networks, user networks and the victim network (behind a switch); in the second figure the victim's /32 is announced with community 100:100.
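An added example (not from the slides) of the DCU preparation described above: a JUNOS configuration that maps the special community 100:100 from the figure to a destination class and enables DCU accounting on a customer-facing ingress interface. The interface name, community name and class name are assumed.

```junos
/* Community carried by the victim's /32 announcement (100:100 from the figure). */
policy-options {
    community ddos-victim members 100:100;
    /* Routes tagged with that community are mapped to a destination class. */
    policy-statement dcu-classes {
        term victim {
            from community ddos-victim;
            then destination-class victim;
        }
    }
}

/* Apply the classification when routes are installed in the forwarding table. */
routing-options {
    forwarding-table {
        export dcu-classes;
    }
}

/* Enable DCU accounting on each customer-facing ingress interface (name assumed),
   so per-class packet and byte counters become available via SNMP. */
interfaces {
    so-1/0/0 {
        unit 0 {
            family inet {
                accounting {
                    destination-class-usage;
                }
            }
        }
    }
}
```

Once the victim's /32 is announced with community 100:100, show interfaces destination-class all lists the per-interface counters that the NOC would otherwise poll through SNMP; the interfaces whose victim-class counters climb fastest are the likely attack sources.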
I/O Filters to Block Attack Flows
- DoS attacks need to be detected and stopped
- Interface filters can be applied to block only the attack flows
- Filters can be applied to any interface type
- Filters can be applied both inbound and outbound

/* apply the filter to the ingress point of the network */
interfaces {
    so-0/2/2 {
        unit 0 {
            family inet {
                filter {
                    input block-attack;
                }
                address /30;
            }
        }
    }
}

/* This is the filter which blocks the attacks */
firewall {
    filter block-attack {
        term bad-guy {
            from {
                source-address {
                    /32;
                }
                protocol icmp;
            }
            then {
                discard;
                log;
            }
        }
    }
}

Rate Limiting
Suppression/rate limiting advantages
- Protects the router or the customer by limiting traffic based on protocol/port/source and destination addresses
Juniper advantage
- Architectural: rate limiting is performed in the Internet Processor ASIC, not tied to an interface or release
- Behavior under attack: stable operation; routing and management traffic unaffected
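An added example, not from the slides, of the rate limiting described above: a JUNOS policer that limits ICMP from one source prefix on a customer-facing interface while every other packet, including routing and management traffic, passes untouched. The policer, filter, counter and interface names, the rate values and the 192.0.2.0/24 documentation prefix are assumed placeholders.

```junos
firewall {
    /* Bandwidth and burst ceilings for the limited traffic (values assumed). */
    policer icmp-limit {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;   /* packets above the limit are dropped in the ASIC */
    }
    filter limit-icmp {
        /* Only ICMP from the suspect prefix (placeholder) is rate limited. */
        term suspect-icmp {
            from {
                source-address {
                    192.0.2.0/24;   /* placeholder documentation prefix */
                }
                protocol icmp;
            }
            then {
                policer icmp-limit;
                count icmp-policed;   /* counts every matching packet, before policing */
                accept;
            }
        }
        /* Everything else passes untouched. */
        term rest {
            then accept;
        }
    }
}

/* Apply on the ingress interface (name assumed). */
interfaces {
    so-0/1/0 {
        unit 0 {
            family inet {
                filter {
                    input limit-icmp;
                }
            }
        }
    }
}
```

show firewall filter limit-icmp lists the icmp-policed counter next to the policer's own count of discarded packets.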
Hitless Filter Implementation
- Can be applied immediately after identification of the offending traffic
- Applying filters does not create a short-term degraded condition as the filters take effect
- Size and complexity of the filter are independent of forwarding performance

Figure: Traffic interruption during filter compilation. While the NOC operator applies or changes filters, all traffic, the legitimate flow and the attack flow alike, gets dropped during filter compilation.
Figure: No interruption with atomic updates. When the NOC operator applies or changes filters, the traffic flow continues and only the attack traffic gets dropped.
Next Steps
- Ongoing dialog with the security team
- Ensuring existing security features are active
- Awareness of upcoming security issues
- Best practices white papers
- Security consulting and training
Juniper Networks, the trusted source

Further References: Juniper Networks white papers
- Rate-limiting and Traffic-policing Features
- Fortifying the Core
- Visibility into Network Operations
- Minimizing the Effects of DoS Attacks
- Juniper Networks Router Security
Available from Juniper Networks.
Thank You
Inter-provider Coordination for Real-Time Tracebacks Kathleen M. Moriarty 2 June 2003 This work was sponsored by the Air Force Contract number F19628-00-C-002. Opinions, interpretations, conclusions, and
More informationSecurity Technology: Firewalls and VPNs
Security Technology: Firewalls and VPNs 1 Learning Objectives Understand firewall technology and the various approaches to firewall implementation Identify the various approaches to remote and dial-up
More informationChapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall
Figure 5-1: Border s Chapter 5 Revised March 2004 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall Border 1. (Not Trusted) Attacker 1 1. Corporate Network (Trusted) 2 Figure
More informationNetwork Security. Chapter 3. Cornelius Diekmann. Version: October 21, 2015. Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik
Network Security Chapter 3 Cornelius Diekmann Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik Version: October 21, 2015 IN2101, WS 15/16, Network Security 1 Security Policies and
More informationHOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT
HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT The frequency and sophistication of Distributed Denial of Service attacks (DDoS) on the Internet are rapidly increasing. Most of the earliest
More informationConfiguring IPSec VPN Tunnel between NetScreen Remote Client and RN300
Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300 This example explains how to configure pre-shared key based simple IPSec tunnel between NetScreen Remote Client and RN300 VPN Gateway.
More informationFirewall Implementation
CS425: Computer Networks Firewall Implementation Ankit Kumar Y8088 Akshay Mittal Y8056 Ashish Gupta Y8410 Sayandeep Ghosh Y8465 October 31, 2010 under the guidance of Prof. Dheeraj Sanghi Department of
More informationChapter 8 Router and Network Management
Chapter 8 Router and Network Management This chapter describes how to use the network management features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. These features can be found by
More informationco Characterizing and Tracing Packet Floods Using Cisco R
co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1
More informationDos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)
Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS) Signature based IDS systems use these fingerprints to verify that an attack is taking place. The problem with this method
More informationProtocol Security Where?
IPsec: AH and ESP 1 Protocol Security Where? Application layer: (+) easy access to user credentials, extend without waiting for OS vendor, understand data; (-) design again and again; e.g., PGP, ssh, Kerberos
More informationANNEXURE TO TENDER NO. MRPU/IGCAR/COMP/5239
ANNEXURE TO TENDER NO. MRPU/IGCAR/COMP/5239 Check Point Firewall Software and Management Software I. Description of the Item Up gradation, installation and commissioning of Checkpoint security gateway
More informationIPv6 Security. Scott Hogg, CCIE No. 5133 Eric Vyncke. Cisco Press. Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA
IPv6 Security Scott Hogg, CCIE No. 5133 Eric Vyncke Cisco Press Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA Contents Introduction xix Chapter 1 Introduction to IPv6 Security 3 Reintroduction
More informationNetwork Monitoring and Management NetFlow Overview
Network Monitoring and Management NetFlow Overview These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/)
More informationRouter Security - Approaches and Techniques You Can Use Today
Router Security - Approaches and Techniques You Can Use Today Neal Ziring System and Network Attack Center Information Assurance Directorate National Security Agency 1 Introduction and Outline GOAL: Define
More information20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7
20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic
More informationAbstract. Introduction. Section I. What is Denial of Service Attack?
Abstract In this report, I am describing the main types of DoS attacks and their effect on computer and network environment. This report will form the basis of my forthcoming report which will discuss
More information7450 ESS OS System Management Guide. Software Version: 7450 ESS OS 10.0 R1 February 2012 Document Part Number: 93-0101-09-01 *93-0101-09-01*
7450 ESS OS System Management Guide Software Version: 7450 ESS OS 10.0 R1 February 2012 Document Part Number: 93-0101-09-01 *93-0101-09-01* This document is protected by copyright. Except as specifically
More informationOverview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs
Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks
More informationInternet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering
Internet Firewall CSIS 4222 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 27: Internet Routing Ch 30: Packet filtering & firewalls
More informationVPNs. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks
VPNs Palo Alto Networks PAN-OS Administrator s Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us
More informationNetwork provider filter lab
Network provider filter lab Olof Hagsand Pehr Söderman KTH CSC Group Nr Name 1 Name 2 Name 3 Name 4 Date Instructor s Signature Table of Contents 1 Goals...3 2 Introduction...3 3 Preparations...3 4 Lab
More informationNetwork Configuration Example
Network Configuration Example Configuring Security Options for BGP with TCP Published: 2014-01-10 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net
More informationA host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.
A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based
More informationConfiguring Flexible NetFlow
CHAPTER 62 Note Flexible NetFlow is only supported on Supervisor Engine 7-E, Supervisor Engine 7L-E, and Catalyst 4500X. Flow is defined as a unique set of key fields attributes, which might include fields
More informationExecutive Summary and Purpose
ver,1.0 Hardening and Securing Opengear Devices Copyright Opengear Inc. 2013. All Rights Reserved. Information in this document is subject to change without notice and does not represent a commitment on
More informationSecuring a Core Network
Securing a Core Network Manchester, 21 Sep 2004 Michael Behringer Christian Panigl Session Number Presentation_ID 325_mbehring 2001, 2003 Cisco Systems, Inc. All
More informationVirtual Private Networks
Virtual Private Networks Jonathan Reed jdreed@mit.edu MIT IS&T VPN Release Team Overview Basic Networking Terms General Concepts How the VPN works Why it s useful What to watch out for Q&A Networking 101
More informationIncrease Simplicity and Improve Reliability with VPLS on the MX Series Routers
SOLUTION BRIEF Enterprise Data Center Interconnectivity Increase Simplicity and Improve Reliability with VPLS on the Routers Challenge As enterprises improve business continuity by enabling resource allocation
More informationDDoS Overview and Incident Response Guide. July 2014
DDoS Overview and Incident Response Guide July 2014 Contents 1. Target Audience... 2 2. Introduction... 2 3. The Growing DDoS Problem... 2 4. DDoS Attack Categories... 4 5. DDoS Mitigation... 5 1 1. Target
More informationTutorial: Options for Blackhole and Discard Routing. Joseph M. Soricelli Wayne Gustavus NANOG 32, Reston, Virginia
Tutorial: Options for Blackhole and Discard Routing Joseph M. Soricelli Wayne Gustavus NANOG 32, Reston, Virginia Caveats and Assumptions The views presented here are those of the authors and they do not
More informationLoad Balance Router R258V
Load Balance Router R258V Specification Hardware Interface WAN - 5 * 10/100M bps Ethernet LAN - 8 * 10/100M bps Switch Reset Switch LED Indicator Power - Push to load factory default value or back to latest
More informationathenahealth Interface Connectivity SSH Implementation Guide
athenahealth Interface Connectivity SSH Implementation Guide 1. OVERVIEW... 2 2. INTERFACE LOGICAL SCHEMATIC... 3 3. INTERFACE PHYSICAL SCHEMATIC... 4 4. SECURE SHELL... 5 5. NETWORK CONFIGURATION... 6
More informationNetwork Security. Internet Firewalls. Chapter 13. Network Security (WS 2002): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer
Network Security Chapter 13 Internet Firewalls Network Security (WS 2002): 13 Internet Firewalls 1 Introduction to Network Firewalls (1)! In building construction, a firewall is designed to keep a fire
More informationWhat is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services
Firewalls What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services only authorized traffic is allowed Auditing and
More information