Firewall on Demand Multidomain
1 Firewall on Demand Multidomain
Security via BGP flowspec & a web platform
Leonidas Poulopoulos, GRNET NOC
Wayne Routly, DANTE
Jeffrey Haas, Juniper
Internet2 Global Summit, Apr
2 Firewall on Demand
Security via BGP flowspec & a web platform
Leonidas Poulopoulos, leopoul@noc.grnet.gr, GRNET NOC (@leopoul)
3 GRNET NOC
Staff: 15
Network: 120 devices (40 routers / 80 switches), Juniper-based network
Presence: 90 cities
Clients: ~100
Upstream: GÉANT
4 DDoS illustrated
DDoS attack launched from compromised systems (bots)
(diagram labels: IX, Upstream, NREN, Victim)
DDoS attack traffic consumes network capacity
DDoS attack targets applications and services
5 DDoS facts
(chart residue: 400 Gbps, 309)
Source: Arbor Networks Inc. & Cloudflare
6 Staying alive
ACLs, firewall filters
RTBH
BGP flowspec
7 BGP Flowspec: IETF and Juniper roadmap
Jeffrey Haas
8 BGP Flowspec
BGP Flowspec was originally defined in RFC 5575 and has been part of JUNOS since version 7.3.
It permits layer 4 (TCP and UDP) firewall filters to be distributed in BGP on both an intra-domain and an inter-domain basis.
Flowspec was originally defined to assist in mitigation of DDoS attacks.
Deployments may use native configuration to distribute the filters.
Several DDoS mitigation environments will generate the filters in support of their detection and mitigation tools.
Copyright 2014 Juniper Networks, Inc.
9 Current IETF work
draft-ietf-idr-bgp-flowspec-oid: formally permits IBGP origination of BGP flowspec routes without requiring a longest-match for validation. In practice, operators have been using policy knobs to permit similar behaviors for non-eBGP-originated flowspec.
draft-haas-idr-flowspec-redirect-rt-bis: clarifies some issues in RFC 5575 for the Redirect to VRF Route-Target. As currently documented, it's not possible to have a fully compatible BGP Flowspec implementation.
10 Current IETF work
draft-ietf-idr-flowspec-redirect-ip adds some exciting features to BGP flowspec:
Permit redirection of traffic to a specific IP address rather than requiring tunneling via VRF.
Permit the copying of traffic in a similar fashion.
Some issues with the feature encoding and precedence of rules are being worked out currently. New draft expected soon.
draft-ietf-idr-flow-spec-v6 provides support for IPv6 in flowspec. Necessary changes include:
(Limited) support for Next Header.
Flow Label support.
Ambiguous case of Traffic Class with regard to ECN still under debate.
11 Juniper roadmap
15.1: Flowspec ISSU/NSR support, draft-oid validation rules
15.2 (tentative): Redirect-IP
Future: IPv6 Flowspec support
12 Into the realm of speculative fiction
BGP Flowspec provides a convenient encoding mechanism to permit Layer 3+ traffic filters to be distributed.
Future-facing work, such as Software Defined Networking (SDN), Service Chaining/Network Function Virtualization or Interface to the Routing System (I2RS), may be able to leverage flowspec as a mechanism to distribute custom forwarding behaviors.
13 BGP community flow vs. RTBH vs. ACLs
vs. ACLs:
Distributed across the network
Closer to the source
Fine-grained even on core/backbone networks
Multidomain: easy propagation towards the upstream via BGP
Easy automation & integration
vs. BGP RTBH:
Flowspec is an enhancement of RTBH
Does not affect all traffic to the victim
Less coarse
More actions
Separate NLRI
14 Firewall on Demand
Need for better tools to mitigate transient attacks
Granularity: per-flow level
Action: drop, rate-limit, redirect
Speed: 1-2 orders of magnitude quicker
Efficiency: closer to the source, multi-domain
Automation: integration with other systems
Manageability: status tracking, web interface
15 FoD architecture (open source)
Shibboleth
Django MVC user interface
Long polling (Gevent)
Job queue (Celery/Beanstalk)
Caching layer (Memcached)
Network config to XML proxy (nxpy)
Python NETCONF client (ncclient)
(diagram: NETCONF to the flowspec router, eBGP and iBGP peerings)
16 FoD screenshots (more during demo)
17 How it works: single domain
Customer's NOC logs in to the web tool (Shibboleth) and describes flows and actions
Destination validated against customer's IP space
A dedicated router is configured (NETCONF) to advertise the route via BGP flowspec
Dynamic firewall filters are implemented on all routers
Attack is mitigated upon entrance
End of attack: removal via the tool, or auto-expire
(diagram labels: FoD, Upstream, IX, GRNET, Client, Web, eBGP, NETCONF, iBGP)
18 GRNET FoD usage examples
2.5 years, 20 Tbytes, 100 rules, 40 users, 20 peers
19 What now? Idea!
BGP is by nature MULTIDOMAIN
Deploy FoD in a MULTIDOMAIN environment: GÉANT and its peering NRENs
20 Firewall on Demand: A Multi-Domain Implementation
Wayne Routly, Security Manager, DANTE
connect communicate collaborate
21 GÉANT: Who, What, How
Pan-European network, transit network, ISP
30 physical PoPs
50,000 km network infrastructure on 44 routes
100 Gb/s
100s TB of data
15+ million IPs
100+ workstations
Truly global (50 million users), 10,000 institutions
Interconnects European NRENs - 40
Commercial & commodity traffic
22 Today: a little bit of DDoS on the side
NTP, DNS, SMTP amplification attacks
2k DDoS events (183 pm)
298 vs k in 2014, average 300
23 Today: DDoS events, CyNet
Target: The University of Cyprus
Port ranges: 0, 2070 and 3475
Multiple source IPs and source ASs
Attack peak: over 13G over a 1G link
24 Today: DDoS events, CyNet [2]
Destination AS 3268 traffic (flow statistics; addresses anonymised, some values lost in transcription):
Date Seen   Dst IP Addr   Flows (%)     Packets (%)     Bytes (%)
            x.x           (97.2)        M (99.2)        G (99.5)
            x.x           129 ( 0.1)    ( 0.0)          M ( 0.0)
            x.x           128 ( 0.1)    ( 0.1)          12.3 M ( 0.0)
            x.x           114 ( 0.1)    57000 ( 0.0)    10.5 M ( 0.0)
            x.x           90 ( 0.1)     ( 0.1)          M ( 0.1)
            x.x           81 ( 0.1)     40500 ( 0.0)    8.7 M ( 0.0)
Destination ports for x.x:
Date Seen   Dst Port   Flows (%)   Packets (%)     Bytes (%)
                       (37.8)      M (32.7)        G (35.3)
                       (37.1)      M (59.0)        G (57.1)
                       (23.8)      31.3 M ( 7.1)   39.2 G ( 7.6)
                       ( 1.1)      4.3 M ( 1.0)    M ( 0.0)
                       ( 0.1)      ( 0.1)          29.0 M ( 0.0)
                       ( 0.0)      ( 0.0)          16.7 M ( 0.0)
                       ( 0.0)      ( 0.0)          6.4 M ( 0.0)
25 Today: DDoS events, GRNET DNS amplification attack
Target: GRNET
Port ranges: 53 (DNS)
Multiple source IPs & source ASs
Attack peak: 20G over a 10G link
Date first seen   Dst IP Addr   Flows (%)      Packets (%)     Bytes (%)
                  x             35531 ( 7.8)   36.1 M (11.3)   53.5 G (11.9)
                  x             34632 ( 7.6)   35.6 M (11.1)   52.6 G (11.7)
                  x             34469 ( 7.6)   35.3 M (11.1)   52.2 G (11.6)
                  x             49621 (11.0)   31.8 M (10.0)   44.3 G ( 9.9)
                  x             48220 (10.6)   27.1 M ( 8.5)   36.7 G ( 8.2)
                  x             39278 ( 8.7)   26.1 M ( 8.2)   36.5 G ( 8.1)
26 Uhm... now what?
27 Today: security changes - audits
28 Strategy: security solutions that simplify the improvement of the security status quo
29 Requirements - defining
It must be easy to use
It must ENHANCE security
It must deliver MEASURABLE VALUE
REDUNDANCY
It must be incorporated into existing processes
Accepted by all participants
Conform to BEST PRACTICES & STANDARDS
It must be SCALABLE
30 GÉANT Security: complete security solution - NSHaRP
It is a mechanism to quickly and effectively inform affected users of incidents detected transiting the GÉANT network dynamically.
It adds value by serving as an extension to an NREN's CERT, by adding visibility to incidents targeting or originating from your network.
Innovative and unique - caters for different types of requirements.
It is a process that will enhance GÉANT backbone security and will extend the NRENs' ability to protect their infrastructure.
31 Firewall on Demand: but why?
Better tools to mitigate transitory attacks and anomalies. Better in terms of:
Granularity: per-flow level (source/dest IP/ports, protocol type, DSCP, TCP flag)
Action: drop, rate-limit, redirect
Speed: more responsive (seconds/minutes vs. hours/days)
Efficiency: closer to the source, multi-domain
Automation: integration with other systems (NSHaRP)
Manageability
32 Firewall on Demand: tomorrow
NSHaRP, customer or GN NOC logs into the web tool and describes flows and actions
Flow destination is validated against the customer's IP space
Dedicated router is configured to advertise the route via BGP flowspec
iBGP propagates the tuples to all GÉANT routers
Dynamic firewall filters are implemented on all routers
Attack is mitigated (dropped, rate-limited) upon entrance
End of attack: removal via the tool, or auto-expire
(diagram labels: NREN A, FoD, LEVEL3, GEANT, NREN B, Customer; credit: Andreas Polyrakis, GRNET)
33 Firewall on Demand roadmap
Phase 1: test flowspec on GN Athens router; test propagation to GN gateways
Phase 2: deploy flowspec server; web interface; pilot
Phase 2 (b): processes; API; production service
(timeline: today, 6 months, 12 months)
34 GÉANT tests
(diagram labels: GÉANT flowspec, CARNet attacker, GRNET FoD, victim; flowspec propagated between them)
Click Apply: 6 seconds later
35 FoD multidomain principles
FoD set up & deployed by every interested domain/NREN
Multidomain FoD deployed in GÉANT
Multidomain FoD authentication: eduGAIN
Multidomain FoD authorization: peer address space
GÉANT accepts BGP flowspec rules from domains
Policies/filters per peering based on rule destination address
User belongs to a domain/institution/NREN :: Peer
Peer is assigned an administrative IPv4 address space
Rule creation with destination address/network only inside the user's Peer-assigned address space
36 FoD multidomain deployment scenarios
(diagram: GÉANT and NREN FoD instances exchanging flowspec rules over BGP peerings towards the victim's NREN; possible mitigation with RTBH, ACL; legend: legitimate traffic flows, malicious traffic flows, flowspec rule propagation, BGP peering, flowspec rules, Firewall on Demand platform)
37 Current status
GRNET: in production since end of 2011
Tests: multihop BGP peering with PSNC
Interest/evaluation from BELNET
GÉANT: BGP flowspec enabled in all core devices
Successful tests between GRNET and GÉANT; multiple scenarios tested
iperf between Croatia and Greece: gone in 6 seconds
In production by April 2015
38 Extensions
FoD {single,multi}-domain interfaces to other tools/platforms: REST API, XMPP client/server, ØMQ extensions
Filter counters/graphs: NETCONF, Juniper Utility MIB
IPv6 support (whenever available)
39 Can I deploy/try/test it?
Open source project
FoD:
Docs:
Ask for a demo account
PEER WITH US!
40 Demo time: attaaaaack!
41 Questions?
42: The Answer to the Ultimate Question of Life, The Universe, and Everything. Douglas Adams, The Hitchhiker's Guide to the Galaxy
42 Thank you
Leonidas Poulopoulos, GRNET NOC
Wayne Routly, DANTE
Jeffrey Haas, Juniper
CS 155 May 20, 2004 Firewalls Basic Firewall Concept Separate local area net from internet Firewall John Mitchell Credit: some text, illustrations from Simon Cooper Router All packets between LAN and internet
More informationNetwork Address Translation (NAT) Good Practice Guideline
Programme NPFIT Document Record ID Key Sub-Prog / Project Infrastructure Security NPFIT-FNT-TO-IG-GPG-0011.06 Prog. Director Chris Wilber Status Approved Owner James Wood Version 2.0 Author Mike Farrell
More informationOLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS
OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS Eric Vyncke (@evyncke) Cisco Session ID: ARCH W01 Session Classification: Advanced Agenda Status of WorldWide IPv6 Deployment IPv6 refresher:
More informationMPLS VPN Security Best Practice Guidelines
Security Best Practice Guidelines con 2006 May 24 2006 Monique Morrow and Michael Behringer Distinguished Consulting Engineer and Distinguished Systems Engineer Cisco Systems, Inc. mmorrow@cisco.com mbehring@cisco.com
More informationCS 457 Lecture 19 Global Internet - BGP. Fall 2011
CS 457 Lecture 19 Global Internet - BGP Fall 2011 Decision Process Calculate degree of preference for each route in Adj-RIB-In as follows (apply following steps until one route is left): select route with
More informationDREAMER and GN4-JRA2 on GTS
GTS Tech+Futures Workshop (Copenhagen) GTS Tech+Futures Workshop (Copenhagen) DREAMER and GN4-JRA2 on GTS CNIT Research Unit of Rome University of Rome Tor Vergata Outline DREAMER (Distributed REsilient
More informationGÉANT for HEAnet clients
GÉANT for HEAnet clients Guy Roberts GÉANT CTO Office HEAnet National Conference 12 th November 2015 Global R+E connectivity for Ireland HEAnet + GÉANT provide access for Irish R+E users to the world s
More informationSolution for Virtualization to Ensure Optimal Network Security Environment
Solution for Virtualization to Ensure Optimal Network Security Environment Shoji Kohira Kenji Mitsuhashi Shuji Yahiro Shinichi Ikeda The Internet became widely diffused once the Internet Protocol (IP)
More informationLinux MPS Firewall Supplement
Linux MPS Firewall Supplement First Edition April 2007 Table of Contents Introduction...1 Two Options for Building a Firewall...2 Overview of the iptables Command-Line Utility...2 Overview of the set_fwlevel
More informationExterior Gateway Protocols (BGP)
Exterior Gateway Protocols (BGP) Internet Structure Large ISP Large ISP Stub Dial-Up ISP Small ISP Stub Stub Stub Autonomous Systems (AS) Internet is not a single network! The Internet is a collection
More informationHow Routers Forward Packets
Autumn 2010 philip.heimer@hh.se MULTIPROTOCOL LABEL SWITCHING (MPLS) AND MPLS VPNS How Routers Forward Packets Process switching Hardly ever used today Router lookinginside the packet, at the ipaddress,
More informationCISCO IOS NETFLOW AND SECURITY
CISCO IOS NETFLOW AND SECURITY INTERNET TECHNOLOGIES DIVISION FEBRUARY 2005 1 Cisco IOS NetFlow NetFlow is a standard for acquiring IP network and operational data Benefits Understand the impact of network
More informationCisco Which VPN Solution is Right for You?
Table of Contents Which VPN Solution is Right for You?...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1 Components Used...1 NAT...2 Generic Routing Encapsulation Tunneling...2
More informationDESTINATION BASED RTBH FILTERING AT ATTACK ORIGINATING INTERNET SERVICE PROVIDER
DESTINATION BASED RTBH FILTERING AT ATTACK ORIGINATING INTERNET SERVICE PROVIDER Sarita Sharma 1, Davender Saini 2 1 Student M. Tech. ECE (2013-2015) Gurgaon Institute of Technology Management (M.D.U)
More informationStep-by-Step Configuration
Step-by-Step Configuration Kerio Technologies C 2001-2003 Kerio Technologies. All Rights Reserved. Printing Date: December 17, 2003 This guide provides detailed description on configuration of the local
More informationAnomaly Detection in Backbone Networks: Building A Security Service Upon An Innovative Tool
Anomaly Detection in Backbone Networks: Building A Security Service Upon An Innovative Tool Wayne Routly, Maurizio Molina - (DANTE) Ignasi Paredes-Oliva - Universitat Politècnica de Catalunya (UPC) Ashish
More informationComparison of Firewall, Intrusion Prevention and Antivirus Technologies
White Paper Comparison of Firewall, Intrusion Prevention and Antivirus Technologies How each protects the network Juan Pablo Pereira Technical Marketing Manager Juniper Networks, Inc. 1194 North Mathilda
More informationGetting Started with Clearlogin A Guide for Administrators V1.01
Getting Started with Clearlogin A Guide for Administrators V1.01 Clearlogin makes secure access to the cloud easy for users, administrators, and developers. The following guide explains the functionality
More informationBuilding Trusted VPNs with Multi-VRF
Building Trusted VPNs with Introduction Virtual Private Networks (VPNs) have been a key application in networking for a long time. A slew of possible solutions have been proposed over the last several
More informationFirewalls and Intrusion Detection
Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall
More informations@lm@n Juniper Exam JN0-343 Juniper Networks Certified Internet Specialist (JNCIS-ENT) Version: 10.1 [ Total Questions: 498 ]
s@lm@n Juniper Exam JN0-343 Juniper Networks Certified Internet Specialist (JNCIS-ENT) Version: 10.1 [ Total Questions: 498 ] Topic 1, Volume A Question No : 1 - (Topic 1) How much overhead does the GRE
More informationNetwork Security through Software Defined Networking: a Survey
jerome.francois@inria.fr 09/30/14 Network Security through Software Defined Networking: a Survey Jérôme François, Lautaro Dolberg, Olivier Festor, Thomas Engel 2 1 Introduction 2 Firewall 3 Monitoring
More informationEnabling Solutions in Cloud Infrastructure and for Network Functions Virtualization
Enabling Solutions in Cloud Infrastructure and for Network Functions Virtualization Gateway Use Cases for Virtual Networks with MX Series Routers 1 Table of Contents Executive Summary... 3 Introduction...4
More information