Cisco Network Foundation Protection Overview



Similar documents
Service Provider Solutions. DDoS Protection Solution. Enabling Clean Pipes Capabilities

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

ICND2 NetFlow. Question 1. What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring. B.

How Cisco IT Protects Against Distributed Denial of Service Attacks

IINS Implementing Cisco Network Security 3.0 (IINS)

Cisco IOS Flexible NetFlow Technology

Hunting down a DDOS attack

Security Toolsets for ISP Defense

DESTINATION BASED RTBH FILTERING AT ATTACK ORIGINATING INTERNET SERVICE PROVIDER

Implementing Cisco IOS Network Security

How To Block A Ddos Attack On A Network With A Firewall

State of Texas. TEX-AN Next Generation. NNI Plan

CISCO IOS NETWORK SECURITY (IINS)

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

Service Description DDoS Mitigation Service

Introducing FortiDDoS. Mar, 2013

Securing Networks with Cisco Routers and Switches 1.0 (SECURE)

S-Series SBC Interconnect Solutions. A GENBAND Application Note May 2009

Security Technology White Paper

Network Performance Monitoring at Minimal Capex

Configuring Denial of Service Protection

Strategies to Protect Against Distributed Denial of Service (DD

Cconducted at the Cisco facility and Miercom lab. Specific areas examined

TDC s perspective on DDoS threats

DDoS Mitigation Techniques

Cisco Integrated Services Routers Performance Overview

MPLS VPN Security. Intelligent Information Network. Klaudia Bakšová Systems Engineer, Cisco Systems

Approaches for DDoS an ISP Perspective.

Campus LAN at NKN Member Institutions

An Elastic and Adaptive Anti-DDoS Architecture Based on Big Data Analysis and SDN for Operators

Overview. Firewall Security. Perimeter Security Devices. Routers

Take the NetFlow Challenge!

Putting the Tools to Work DDOS Attack

Cisco Certified Security Professional (CCSP)

IPv6 Fundamentals, Design, and Deployment

NetFlow use cases. ICmyNet / NetVizura. Miloš Zeković, milos.zekovic@soneco.rs. ICmyNet Chief Customer Officer Soneco d.o.o.

MPLS VPN Security BRKSEC-2145

Gaining Operational Efficiencies with the Enterasys S-Series

Troubleshooting an Enterprise Network

DDoS attacks in CESNET2

CISCO DDOS PROTECTION SOLUTION DELIVERING CLEAN PIPES CAPABILITIES FOR SERVICE PROVIDERS AND THEIR CUSTOMERS

CISCO INFORMATION TECHNOLOGY AT WORK CASE STUDY: CISCO IOS NETFLOW TECHNOLOGY

FortiDDos Size isn t everything

Network Security. Ensuring Information Availability. Security

Radware s Attack Mitigation Solution On-line Business Protection

Voice Over IP (VoIP) Denial of Service (DoS)

How Network Transparency Affects Application Acceleration Deployment

Dr. Arjan Durresi Louisiana State University, Baton Rouge, LA DDoS and IP Traceback. Overview

MPLS Layer 3 and Layer 2 VPNs over an IP only Core. Rahul Aggarwal Juniper Networks. rahul@juniper.net

Kaspersky DDoS Prevention

Flow Based Traffic Analysis

IP Network Traffic Plane Security Concepts

Introduction of Intrusion Detection Systems

Flow Analysis Versus Packet Analysis. What Should You Choose?

- Introduction to PIX/ASA Firewalls -

Network security includes the detection and prevention of unauthorized access to both the network elements and those devices attached to the network.

SEC , Cisco Systems, Inc. All rights reserved.

Safeguards Against Denial of Service Attacks for IP Phones

DEFENSE NETWORK FAQS DATA SHEET

Reducing the impact of DoS attacks with MikroTik RouterOS

Cisco Intrusion Prevention System Advanced Integration Module for Cisco 1841 and Cisco 2800 and 3800 Series Integrated Services Routers

SECURING APACHE : DOS & DDOS ATTACKS - I

Network Security. 1 Pass the course => Pass Written exam week 11 Pass Labs

DDoS Protection Technology White Paper

Lab Configure IOS Firewall IDS

Secure networks are crucial for IT systems and their

PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data

Why Is MPLS VPN Security Important?

CS 356 Lecture 16 Denial of Service. Spring 2013

CaptIO Policy-Based Security Device

Chapter 1 The Principles of Auditing 1

CCNA Security. IINS v2.0 Implementing Cisco IOS Network Security ( )

Viete, čo robia Vaši užívatelia na sieti? Roman Tuchyňa, CSA

MPLS VPN Security in Service Provider Networks. Peter Tomsu Michael Behringer Monique Morrow

OpenDaylight Project Proposal Dynamic Flow Management

Plugging Network Security Holes using NetFlow. Loopholes in todays network security solutions and how NetFlow can help

CCNA Security 1.1 Instructional Resource

Brocade NetIron Denial of Service Prevention

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

CiscoWorks Internetwork Performance Monitor 4.0

IPv6 Security. Scott Hogg, CCIE No Eric Vyncke. Cisco Press. Cisco Press 800 East 96th Street Indianapolis, IN USA

White Paper. Cisco MPLS based VPNs: Equivalent to the security of Frame Relay and ATM. March 30, 2001

DDoS Mitigation via Regional Cleaning Centers

MPLS VPN Security Best Practice Guidelines

Course Contents CCNP (CISco certified network professional)

Voice over IP Security

ACL Compliance Director FAQ

NGN Next Generation Nightmare? What telco 2.0 really means

IPv6 Security Best Practices. Eric Vyncke Distinguished System Engineer

BGP DDoS Mitigation. Gunter Van de Velde. Sr Technical Leader NOSTG, Cisco Systems. May Cisco and/or its affiliates. All rights reserved.

Solution Brief. Secure and Assured Networking for Financial Services

How To Set Up Foglight Nms For A Proof Of Concept

Transcription:

Cisco Network Foundation Protection Overview June 2005 1

Security is about the ability to control the risk incurred from an interconnected global network. Cisco NFP provides the tools, technologies, and services that enable users to secure their foundation. 2

What has Changed in the World of Security? Security represents the future of internetworking - a secure infrastructure forms the foundation for service delivery Internet has changed from an environment of implicit trust to one of pervasive distrust No packet can be trusted All packets must earn trust through a network device s ability to inspect and enforce policy Not enough to forward packets; packets must be classified properly and forwarded after applying the policy New unprecedented control of the network is required Technology opportunity enable customers to take control of their business Driven by business deliverables: Network availability, Quality of Service (QoS), and edge policy 3

Securing the Router: Plane-by-Plane Continuous service delivery requires methodical approach to protecting router planes Data Plane Ability to forward data Control Plane Ability to route Service Delivery Network availability and performance Cisco NFP Management Plane Ability to manage 4

Security Toolkit: A Proactive Approach Security Toolkit: One or more techniques used to respond to a security related threat Data Plane Protection Control Plane Protection Management Plane Protection L7 L6 L5 L4 L3 L2 L1 Select the right tool for the right job Step 1: Identify: Threat type Type of security plane protection Role in the network Step 2: Use the service segment perspective to determine toolkit placement 5

Cisco Network Foundation Protection: Enabling DDoS Protection (Clean Pipes) Protects infrastructure, enables continuous service delivery Data Plane Control Plane Detects traffic anomalies & respond to attacks in real-time Technologies: NetFlow, IP source tracker, ACLs, urpf, RTBH, QoS tools Defense-in-depth protection for routing control plane Technologies: Receive ACLs, control plane policing, routing protection Management Plane Secure and continuous management of Cisco IOS network infrastructure Technologies: CPU & memory thresholding, dual export syslog NetFlow, ACLs, urpf Customer CE NetFlow, IP source tracker, ACLs, urpf, RTBH, QoS tools, PE-PE encryption PE ASBR Core Internet ASBR Service Provider NetFlow, IP source tracker, ACLs, urpf, RTBH, QoS tools Control Plane & Management Plane Protection 6

Cisco NFP: Key Messages Security a proactive measure Reactive components help with tactical scenarios Toolkit approach for security The right tool for the right job Protect network elements on the Data, Control, and Management Planes Ensure service delivery Services such as VoIP and Clean Pipes require network availability and consistent performance 7

Cisco NFP: Features and Benefits Plane Data Plane Control Plane Management Plane Cisco IOS Services NetFlow IP source tracker Access control lists (ACLs) Unicast reverse path forwarding (urpf) Remotely triggered black holing (RTBH) QoS tools Receive ACLs Control plane policing Routing protection CPU & memory thresholding Dual export syslog Benefits Macro-level anomaly-based DDoS detection through counting the number of flows (instead of contents); provides rapid confirmation and isolation of attack Quickly and efficiently pinpoints the source interface an attack is coming from Protect edge routers from malicious traffic; explicitly permit the legitimate traffic that can be sent to the edge router's destination address Mitigates problems caused by the introduction of malformed or spoofed IP source addresses into either the service provider or customer network Drops packets based on source IP address; filtering is at line rate on most capable platforms. Hundreds of lines of filters can be deployed to multiple routers even while the attack is in progress Protects against flooding attacks by defining QoS policies to limit bandwidth or drop offending traffic (identify, classify & rate limit) Control the type of traffic that can be forwarded to the processor Provides QoS control for packets destined to the control plane of the routers; ensures adequate bandwidth for high-priority traffic such as routing protocols MD5 neighbor authentication protects routing domain from spoofing attacks Redistribution protection safe-guards network from excessive conditions Overload protection (e.g. prefix limits) enhances routing stability Protects CPU & memory resources of IOS device against DoS attacks Syslog exported to dual collectors for increased availability 8

Resources Cisco NFP www.cisco.com/go/nfp Cisco IOS Software Release 12.3T: New Security Features and Hardware, Product Bulletin No. 2358 www.cisco.com/en/us/products/sw/iosswrel/ps5207/prod_bulletin 09186a00801d7229.html Control Plane Protection Documentation www.cisco.com/en/us/products/sw/iosswrel/ps1838/products_fea ture_guide09186a00801afad4.html 9

10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information