Campus LAN at NKN Member Institutions




Slide 1: Campus LAN at NKN Member Institutions
RS MANI, rsm@nkn.in
1/7/2015, 3rd Annual workshop

Slide 2: Efficient utilization comes from
- Good campus LAN speed
- Segregation of LANs
- QoS
- Resilient access controls (L2 and L3)
- NMS
- Good collaboration (national / international)
- Good Internet governance
- Scientists / researchers

Slide 3: Various components
- Campus network best practice
- Functions of the different layers
- Firewall/IPS
- AAA / DHCP / DNS
- Server farm
- Security best practices
- IPv4 & IPv6
- VPN services
- Gateway services

Slide 4: Typical campus network architecture (diagram)
Labels recoverable from the figure: NKN Link 1 and NKN Link 2 terminate on two edge routers feeding an outer switch; behind it sit a firewall with IPS (active) and a firewall with IPS (standby), then the core switch. The core connects to a server switch (with the DHCP server) and to the distribution switches on each floor (Gnd F, 1st F, 2nd F, 3rd F), which serve the users. The figure labels the backbone as 10G fibre, the distribution links as 1G fibre and the user cabling as CAT 6a / 7.

Slide 5: Security devices
- Firewall/IPS integrated
- Stateful inspection firewall: maximizes network security with clear, deterministic L3/L4 policies
- Reputation-based intrusion prevention: identifies the source of, and blocks, denial of service (DoS), distributed denial of service (DDoS) and SYN-flood attacks; threat protection up to Layer 7
- Zero-day protection with anomaly detection
- Adoption and use of IPv6
- Remote-access VPN solution, providing both VPN client and clientless access

Slide 6: Some of the best practices for campus security
- The switch should support dynamic port security, DHCP snooping, dynamic ARP inspection and IP source guard
- Use SSH to access devices instead of Telnet
- Enable AAA and role-based access control (RADIUS/TACACS+) for the CLI on all devices
- Enable syslog to a server; collect and archive the logs
- When using SNMP, use SNMPv3
- Configure access-lists to limit who can access management and CLI services
- Enable control-plane protocol authentication where it is available
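The management-plane items on this slide (SSH, AAA, syslog, SNMPv3, management ACLs, control-plane authentication) can be applied together on a Cisco IOS switch as shown below. This configuration is added here as an illustration and is not taken from the NKN deck; the hostname, domain, 192.0.2.x server addresses, ACL range and every <...-placeholder> secret are constructed assumptions.

```cisco
! Added example (not from the NKN deck): management-plane hardening of a Cisco IOS switch.
! Hostname, domain, 192.0.2.x server addresses and every <...-placeholder> value are constructed.
hostname DIST-SW-1
ip domain-name campus.example
crypto key generate rsa modulus 2048
ip ssh version 2
no ip http server
no ip http secure-server
! AAA: TACACS+ for login, exec and command authorization, local fallback if the server is unreachable
aaa new-model
tacacs server NOC-TACACS
 address ipv4 192.0.2.10
 key <tacacs-shared-secret-placeholder>
aaa group server tacacs+ NOC-TACACS-GROUP
 server name NOC-TACACS
aaa authentication login default group NOC-TACACS-GROUP local
aaa authorization exec default group NOC-TACACS-GROUP local
aaa authorization commands 15 default group NOC-TACACS-GROUP local
aaa accounting commands 15 default start-stop group NOC-TACACS-GROUP
username admin privilege 15 secret <local-fallback-password-placeholder>
enable secret <enable-secret-placeholder>
! Syslog: timestamped messages sent to the NOC collector, where they are archived
service timestamps log datetime msec localtime show-timezone
logging host 192.0.2.20
logging trap informational
! Only management hosts may reach SNMP and the CLI; everything else is denied and logged
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
! SNMPv3 only (authPriv), read-only, restricted by the ACL; no v1/v2c community strings at all
snmp-server group NOC-RO v3 priv access MGMT-HOSTS
snmp-server user noc-poller NOC-RO v3 auth sha <auth-pass-placeholder> priv aes 128 <priv-pass-placeholder>
! CLI: SSH only (Telnet disabled), filtered by the same ACL, idle sessions closed after 10 minutes
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
! Control-plane protocol authentication: OSPF MD5 on the routed uplink
router ospf 1
 area 0 authentication message-digest
interface TenGigabitEthernet1/1/1
 ip ospf message-digest-key 1 md5 <ospf-key-placeholder>
```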

Slide 7: Layer 2 snoop attack
Problem: flood the switch CAM tables with bogus MACs (400,000 bogus MACs per second, e.g. 00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb), turning the VLAN into a hub and eliminating privacy.
Solution: port security limits the MAC-flooding attack. With only three MAC addresses allowed on the port, a violation shuts the port down, locks it and sends an SNMP trap.

Slide 8: DHCP snooping
Threat: 1000s of DHCP requests to overrun the DHCP server.
- DHCP requests (discover) and responses (offer) are tracked
- Rate-limit requests on trusted interfaces; limits DoS attacks on the DHCP server
- Deny responses (offers) on non-trusted interfaces; stops a malicious or errant DHCP server
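The two threats on slides 7 and 8 (CAM-table flooding stopped by port security, and DHCP server flooding or rogue DHCP servers stopped by DHCP snooping) map onto the access-switch configuration below, which also enables the dynamic ARP inspection and IP source guard listed on slide 6. It is added here as an illustration and is not the deck's own configuration; VLAN 10, the interface names, the rate limit of 15 packets per second and the 300-second recovery timer are constructed assumptions.

```cisco
! Added example (not from the NKN deck): Layer 2 hardening of a Cisco IOS access switch
! against the MAC-flooding and DHCP threats on slides 7 and 8.
! VLAN 10, the interface names, the rate limit and the recovery timer are constructed.
! Port-security violations shut the port and raise an SNMP trap, as slide 7 describes;
! errdisable recovery re-enables the port automatically after 5 minutes (optional).
snmp-server enable traps port-security
errdisable recovery cause psecure-violation
errdisable recovery interval 300
! DHCP snooping tracks discovers and offers and builds the binding table that
! dynamic ARP inspection (DAI) and IP source guard rely on.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
! User-facing ports: at most three MACs, learned sticky; DHCP and ARP untrusted.
! "ip dhcp snooping limit rate" caps DHCP packets per second from each port, so a
! discover flood from one host cannot overrun the DHCP server.
! "ip verify source" drops IP packets whose source is not in the snooping binding table.
interface range GigabitEthernet1/0/1 - 44
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 ip dhcp snooping limit rate 15
 ip verify source
 spanning-tree portfast
 spanning-tree bpduguard enable
! Uplink toward the distribution layer and the DHCP server: the only port on
! which DHCP offers and unchecked ARP are accepted.
interface TenGigabitEthernet1/1/1
 description Uplink to DIST-SW-1
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
```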

Slide 9: AAA server
- Supports compliance: enables corporate governance through a consistent access policy for all users and devices
- Strengthens security: enforces a consistent security policy, ensures endpoint health, delivers a secure network fabric
- Increases efficiency: reduces IT overhead through centralized identity management and integrated policy enforcement

Slide 10: Multi-homing basic requirements
- IP numbers to be owned (v4 or v6)
- ASN number (16-bit or 32-bit)
- Service providers capable of doing BGP
- Router capable of BGP and of holding the routes
- Trained manpower


Slide 12: What is an MPLS-VPN?
- An IP network infrastructure delivering private network services over a public infrastructure
- Uses a layer 3 backbone
- Scalability, easy provisioning
- Global as well as non-unique private address space
- QoS
- Controlled access
- Easy configuration


Slide 14: NKN MPLS for CUG (diagram)
Labels recoverable from the figure: DC cloud, state router (State TN) and the NKN backbone; each sub-interface is associated with a different VPN, using multi-VRF and 802.1Q. Institute #1 carries VLAN1 (VPN Green) and VLAN2 (Blue); Institute #2 carries VLAN1 (VPN Green), VLAN2 (Blue) and VLAN3 (Red), with the figure labelling the LAN of #1 and the LAN of #2. The contents of VPN Green, Blue and Red are shown as video/audio, intra-VPN and Internet traffic.

Slide 15: Layer 2 extensions (diagram only)

Slide 16: End-to-end QoS (diagram)
Labels recoverable from the figure: VC equipment at sites #2 through #11.

Slide 17: Inter-service-provider QoS
- MPLS VPNs: many QoS-enabled islands, no inter-provider QoS
- The Internet: richly interconnected providers, no QoS
- Goal: richly connected AND QoS-enabled

Slide 18: Defense depth and breadth (diagram)
Figure layout: the Internet (AS1, AS2, AS3) connects through the security edge to the NKN core network and on to the enterprise network (remote access systems; e-mail and web servers; internal assets and servers), with the Network Operations Center (NOC) alongside.
Edge and transit techniques:
- Interface ACLs
- Unicast RPF
- Flexible packet matching
- IP option filtering
- Marking/rate-limiting
- Routing techniques
- eBGP techniques
- ICMP techniques
Core and device techniques:
- Receive ACLs
- CoPP
- ICMP techniques
- QoS techniques
- Routing techniques
- Disable unused services
- Protocol-specific filters
- Password security
- SNMP security
- Remote terminal access security
- System banners
- AAA
- Network telemetry
- Secure file systems

Slide 19: Using strict-mode uRPF to battle attacks; BGP trigger community SRTBH on the NKN partner edge (diagram)
Labels recoverable from the figure: botnets at several ISPs and a target ISP; the NOC; the NKN backbone; uRPF strict on the NKN partner edge; access POPs connecting the NKN partners.
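Strict-mode uRPF on the partner-facing interface and a BGP-community-triggered source-based remote-triggered blackhole (SRTBH), as the slide describes them, look like the following on a Cisco IOS partner-edge router plus the NOC trigger router. This is an added illustration, not the deck's or NKN's configuration; AS 64500, the community 64500:666, the tag 666, all addresses, the interface names and the 203.0.113.0/24 example attack-source prefix are constructed assumptions.

```cisco
! Added example (not from the NKN deck): strict-mode uRPF and community-triggered
! source-based RTBH (SRTBH). AS 64500, community 64500:666, tag 666, all addresses,
! interface names and the 203.0.113.0/24 attack-source prefix are constructed.
! ===== Partner-edge router =====
! 1) Strict uRPF: a packet is forwarded only if the best route back to its source
!    points out the interface it arrived on, so spoofed sources are dropped at the edge.
interface GigabitEthernet0/0/1
 description Link to NKN partner institute
 ip address 198.51.100.1 255.255.255.252
 ip verify unicast source reachable-via rx allow-default
! 2) Blackhole next hop: an unused address routed to Null0 on every edge router.
ip route 192.0.2.1 255.255.255.255 Null0
! 3) Trigger: prefixes received from the NOC with the community get their next hop
!    rewritten to the blackhole. Because the prefix now resolves to Null0, strict uRPF
!    also fails for packets *sourced* from it, so attack sources are dropped on ingress
!    at every partner edge as soon as one BGP announcement is made.
ip community-list standard SRTBH-TRIGGER permit 64500:666
route-map NKN-IBGP-IN permit 10
 match community SRTBH-TRIGGER
 set ip next-hop 192.0.2.1
 set local-preference 200
route-map NKN-IBGP-IN permit 20
router bgp 64500
 neighbor 10.255.0.1 remote-as 64500
 neighbor 10.255.0.1 description NOC trigger router
 neighbor 10.255.0.1 update-source Loopback0
 neighbor 10.255.0.1 route-map NKN-IBGP-IN in
! ===== NOC trigger router (separate device) =====
! The NOC blackholes a source prefix by adding a tagged static route; redistribution
! attaches the trigger community and keeps the announcement inside the AS (no-export).
router bgp 64500
 neighbor 10.255.0.2 remote-as 64500
 neighbor 10.255.0.2 description Partner-edge router
 neighbor 10.255.0.2 update-source Loopback0
 neighbor 10.255.0.2 send-community
 redistribute static route-map SRTBH-ANNOUNCE
route-map SRTBH-ANNOUNCE permit 10
 match tag 666
 set community 64500:666 no-export
 set origin igp
! Constructed attack-source prefix; removing this route withdraws the blackhole.
ip route 203.0.113.0 255.255.255.0 Null0 tag 666
```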

Slides 20 and 21: Utilization of a few members (graphs only)
Institutes shown: INSTITUTE-1, INSTITUTE-2, INSTITUTE-3, INSTITUTE-4.

Slides 22 to 25 (graphs and diagrams only)
- Slide 22: High packet-per-second DoS attack
- Slide 23: High-bandwidth DoS attack
- Slide 24: Gateway stats
- Slide 25: Relay service

Slide 26: DNS cache servers (diagram)
Labels recoverable from the figure: requests from institutes are answered with replies from the NKN cloud. The server IP is 14.139.5.5 (anycast). Contact: support.dns@nkn.in

Slide 27: DNS zone servers (diagram)
Labels recoverable from the figure: the institute zone is transferred to NKN DNS, which replies from the NKN cloud; the DNS root servers and the Internet domain .ac.in are shown in the resolution path.

Slide 28: Thank You & Happy
NKN Project Implementation Unit
National Knowledge Network
National Informatics Centre
3rd Floor, Block III, Delhi IT Park, Shastri Park, New Delhi - 110053
CONTACT NKN: 1800 111 555, piu@nkn.in, support@nkn.in