Campus LAN at NKN Member Institutions
R S Mani, rsm@nkn.in
3rd Annual Workshop, 1/7/2015
Efficient utilization comes from:
– A good campus LAN: speed, segregation of LANs, QoS, resilience, access controls (L2 and L3), NMS
– Good collaboration (national / international)
– Good Internet governance
Users served: scientists / researchers
Various Components
• Campus network best practice
• Functions of the different layers
• Firewall/IPS
• AAA / DHCP / DNS
• Server farm
• Security best practices, IPv4 and IPv6
• VPN services
• Gateway services
Typical Campus Network Architecture (diagram): two NKN links (Link 1, Link 2) terminate on an outer edge router and an edge switch/router; a pair of firewalls with IPS (one active, one standby) sits in front of the core switch; the core connects the DHCP server, a server switch (server farm) and per-floor distribution switches (ground, 1st, 2nd and 3rd floor users) over a 10G fibre backbone, 1G fibre to the distribution switches and CAT 6a / 7 to the users.
Security Devices
• Firewall/IPS: integrated stateful-inspection firewall
• Maximizes network security with clear, deterministic L3/L4 policies
• Reputation-based intrusion prevention: identifies the source of, and blocks, denial of service (DoS), distributed denial of service (DDoS) and SYN flood attacks; threat protection up to Layer 7
• Zero-day protection with anomaly detection
• Adoption and use of IPv6
• Remote-access VPN solution providing both VPN client and clientless access
Some Campus Security Best Practices
• Switches should support dynamic port security, DHCP snooping, Dynamic ARP Inspection and IP Source Guard
• Use SSH to access devices instead of Telnet
• Enable AAA and role-based access control (RADIUS/TACACS+) for the CLI on all devices
• Send syslog to a server; collect and archive the logs
• When using SNMP, use SNMPv3
• Configure access lists to limit who can reach management and CLI services
• Enable control-plane protocol authentication wherever it is available
Layer 2 Snoop Attack (MAC flooding, diagram)
Problem: the attacker floods the switch CAM table with bogus MACs (400,000 per second), turning the VLAN into a hub and eliminating privacy.
Solution: port security limits the MAC flooding attack. With only three MAC addresses allowed on the port (e.g. 00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb), the switch shuts down and locks the port and sends an SNMP trap.
DHCP Snooping (diagram: thousands of DHCP requests sent to overrun the DHCP server)
• DHCP requests (discover) and responses (offer) are tracked
• Rate-limit requests on untrusted (access) interfaces; this limits DoS attacks on the DHCP server
• Deny responses (offers) on untrusted interfaces; this stops malicious or errant DHCP servers
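The port-security, DHCP-snooping, Dynamic ARP Inspection and IP Source Guard behaviour from the best-practice, MAC-flooding and DHCP-snooping slides above, as an added Python model (not code from the slides or from NKN). The port names (Gi1/0/1, Gi1/0/2, Gi1/0/24), the MAC and IP addresses, the rate limit of 15 and the frames are constructed for the demo; the violation action (err-disable the port and send a trap) follows the slide.

```python
"""Added example, not code from the NKN slides: a small model of the switch-port
protections listed on the best-practice, MAC-flooding and DHCP-snooping slides
(port security, DHCP snooping, Dynamic ARP Inspection, IP Source Guard).
Port names, MAC/IP addresses and the frames are constructed for the demo."""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    trusted: bool = False        # DHCP-snooping trust: only the uplink to the real server
    max_macs: int = 3            # port-security maximum (the "three MACs" on the slide)
    dhcp_rate_limit: int = 15    # discovers allowed per interval on an untrusted port (assumed)
    learned: set = field(default_factory=set)
    shutdown: bool = False       # err-disabled after a violation
    discovers: int = 0


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.bindings = {}       # DHCP snooping binding table: ip -> (mac, port)
        self.traps = []          # SNMP traps the switch would send

    def _port_security(self, port, mac):
        """Learn the source MAC; err-disable the port once the limit is exceeded."""
        if mac in port.learned:
            return True
        if len(port.learned) >= port.max_macs:
            port.shutdown = True
            self.traps.append(f"{port.name} err-disabled: MAC limit {port.max_macs} exceeded by {mac}")
            return False
        port.learned.add(mac)
        return True

    def _port_of(self, mac):
        for p in self.ports.values():
            if mac in p.learned:
                return p.name
        return None

    def process(self, port_name, frame):
        """Return (accepted, reason) for one frame arriving on port_name."""
        port = self.ports[port_name]
        if port.shutdown:
            return False, "port err-disabled"
        if not self._port_security(port, frame["src_mac"]):
            return False, "port-security violation"
        kind = frame["kind"]
        if not port.trusted:
            # DHCP snooping: server messages may only come from trusted ports,
            # and client requests are rate-limited to protect the server.
            if kind in ("dhcp_offer", "dhcp_ack"):
                return False, "DHCP server message on untrusted port (rogue server)"
            if kind == "dhcp_discover":
                port.discovers += 1
                if port.discovers > port.dhcp_rate_limit:
                    port.shutdown = True
                    self.traps.append(f"{port.name} err-disabled: DHCP rate limit exceeded")
                    return False, "DHCP rate limit exceeded"
            # DAI: the ARP sender IP/MAC must match the binding for this port.
            if kind == "arp_reply" and self.bindings.get(frame["sender_ip"]) != (frame["src_mac"], port.name):
                return False, "DAI: ARP sender does not match binding table"
            # IP Source Guard: the IP source must be bound to this MAC and port.
            if kind == "ip" and self.bindings.get(frame["src_ip"]) != (frame["src_mac"], port.name):
                return False, "IP Source Guard: source address not bound to this port"
        if kind == "dhcp_ack":
            # A lease confirmed by the real server populates the binding table.
            self.bindings[frame["yiaddr"]] = (frame["client_mac"], self._port_of(frame["client_mac"]))
            return True, "lease recorded in binding table"
        return True, "forwarded"


def run_demo():
    sw = Switch([Port("Gi1/0/1"), Port("Gi1/0/2"), Port("Gi1/0/24", trusted=True, max_macs=1024)])
    good, bad, server = "00:0e:00:aa:aa:aa", "00:0e:00:bb:bb:bb", "00:0e:00:dd:dd:dd"
    out = {}
    out["discover"] = sw.process("Gi1/0/1", {"kind": "dhcp_discover", "src_mac": good})
    out["ack"] = sw.process("Gi1/0/24", {"kind": "dhcp_ack", "src_mac": server, "client_mac": good, "yiaddr": "10.1.1.50"})
    out["rogue_offer"] = sw.process("Gi1/0/2", {"kind": "dhcp_offer", "src_mac": bad})
    out["arp_spoof"] = sw.process("Gi1/0/2", {"kind": "arp_reply", "src_mac": bad, "sender_ip": "10.1.1.50"})
    out["arp_ok"] = sw.process("Gi1/0/1", {"kind": "arp_reply", "src_mac": good, "sender_ip": "10.1.1.50"})
    out["ip_spoof"] = sw.process("Gi1/0/2", {"kind": "ip", "src_mac": bad, "src_ip": "10.1.1.50"})
    out["ip_ok"] = sw.process("Gi1/0/1", {"kind": "ip", "src_mac": good, "src_ip": "10.1.1.50"})
    for i in range(4):   # CAM flood from Gi1/0/2: bogus MACs beyond the limit of three
        out["flood"] = sw.process("Gi1/0/2", {"kind": "ip", "src_mac": f"00:0e:00:cc:cc:{i:02x}", "src_ip": "10.1.1.9"})
    out["traps"] = list(sw.traps)
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The ordering matters on a real switch as well: port security is evaluated on the frame's source MAC before any DHCP, ARP or IP check, the binding table is only ever written from server messages on trusted ports, and DAI and IP Source Guard both read that same table, so a host that never obtained a lease through the trusted uplink can neither answer ARP nor send IP on an untrusted port.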
AAA Server
• Strengthens security: enables corporate governance through a consistent access policy for all users and devices
• Supports compliance: enforces a consistent security policy, ensures endpoint health and delivers a secure network fabric
• Increases efficiency: reduces IT overhead through centralized identity management and integrated policy enforcement
Multi-Homing
• Basic requirements
– Own IP address space (IPv4 or IPv6)
– An ASN (16-bit or 32-bit)
– Service providers capable of running BGP
– A router capable of BGP and of holding the routes
– Trained manpower
What is an MPLS-VPN?
• An IP network infrastructure delivering private network services over a public infrastructure
– Uses a layer 3 backbone
– Scalability, easy provisioning
– Global as well as non-unique private address space
– QoS
– Controlled access
– Easy configuration
NKN MPLS for CUG (diagram): each institute router carries 802.1Q sub-interfaces, each associated with a different VPN via multi-VRF (VLAN1 = VPN Green, VLAN2 = Blue, VLAN3 = Red); the NKN backbone keeps the contents of Red, Blue and Green (e.g. video/audio) separate as intra-VPN traffic between the LANs of institute #1 and institute #2, the state network and the DC cloud, alongside Internet access.
Layer 2 Extensions
End-to-End QoS (diagram): video-conferencing (VC) equipment at sites #2 to #11 connected across the network.
Inter-Service-Provider QoS (diagram): MPLS VPNs give many QoS-enabled islands but no inter-provider QoS; the Internet is richly interconnected across providers (A, B, C, D, E) but has no QoS. Goal: richly connected AND QoS-enabled.
Defense in Depth and Breadth (diagram: transit network with AS1, AS2, AS3 and the Internet; NKN core; enterprise network with remote access systems, internal assets and servers, e-mail and web servers; Security Operations Center and Network Operations Center (NOC))
• Edge / transit: interface ACLs, unicast RPF, flexible packet matching, IP option filtering, marking/rate-limiting, receive ACLs, routing techniques, CoPP, eBGP techniques, ICMP techniques, QoS techniques
• Core: routing techniques, ICMP techniques, QoS techniques
• Device hardening: disable unused services, protocol-specific filters, password security, SNMP security, remote terminal access security, system banners, AAA, network telemetry, secure file systems
Using Strict Mode uRPF to Battle Botnets (diagram): the NKN NOC originates a BGP trigger, tagged with a community, for the target source; S/RTBH is applied on the NKN partner edge, where the access POPs run uRPF strict, so traffic from the black-holed source is dropped before it reaches the NKN backbone and the upstream ISPs.
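The strict-mode uRPF check and the source-based remotely triggered black hole from the slide above, as an added Python walk-through (not code from the slides or from NKN). The forwarding table, the interface names (Gi0/0, Gi0/1, Gi0/2), the prefixes, the trigger community 65000:666 and the packets are constructed assumptions, not NKN's configuration; the example also shows the destination-based variant (D/RTBH) for contrast.

```python
"""Added example, not code from the NKN slides: strict-mode uRPF and a
source-based remotely triggered black hole (S/RTBH) worked over a small
forwarding table. Prefixes, interface names, the trigger community 65000:666
and the packets are constructed for the demo and are not NKN's values."""
import ipaddress

DISCARD = "Null0"                  # discard interface the black-hole route points at
BLACKHOLE_COMMUNITY = "65000:666"  # assumed trigger community set by the NOC


class Fib:
    """Minimal forwarding table: longest-prefix match to an egress interface."""

    def __init__(self):
        self.routes = []           # list of (ip_network, egress interface)

    def add(self, prefix, iface):
        self.routes.append((ipaddress.ip_network(prefix), iface))

    def lookup(self, addr):
        a = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def receive_bgp_update(self, prefix, next_hop_iface, communities):
        """Edge-router policy: a prefix carrying the trigger community is
        installed with its next hop rewritten to the discard interface."""
        if BLACKHOLE_COMMUNITY in communities:
            self.add(prefix, DISCARD)
        else:
            self.add(prefix, next_hop_iface)


def strict_urpf_accept(fib, ingress_iface, src_ip):
    """Strict mode: the best route back to the source must leave through the
    interface the packet arrived on; a source routed to Null0 never does."""
    return fib.lookup(src_ip) == ingress_iface


def forward(fib, ingress_iface, src_ip, dst_ip, urpf_strict=True):
    if urpf_strict:
        src_route = fib.lookup(src_ip)
        if src_route == DISCARD:
            return "drop: S/RTBH (source black-holed)"
        if src_route != ingress_iface:
            return "drop: uRPF strict (source not reachable via ingress)"
    egress = fib.lookup(dst_ip)
    if egress is None:
        return "drop: no route"
    if egress == DISCARD:
        return "drop: D/RTBH (destination black-holed)"
    return f"forward via {egress}"


def run_demo():
    fib = Fib()
    fib.add("0.0.0.0/0", "Gi0/0")       # uplink toward the NKN backbone
    fib.add("10.20.0.0/16", "Gi0/1")    # partner institution LAN A (constructed)
    fib.add("10.30.0.0/16", "Gi0/2")    # partner institution LAN B (constructed)
    out = {}
    out["legit"] = forward(fib, "Gi0/1", "10.20.5.5", "198.51.100.1")
    out["spoofed"] = forward(fib, "Gi0/1", "10.30.7.7", "198.51.100.1")
    out["spoofed_no_urpf"] = forward(fib, "Gi0/1", "10.30.7.7", "198.51.100.1", urpf_strict=False)
    # The NOC identifies 10.20.5.5 as a bot and advertises its /32 with the trigger community.
    fib.receive_bgp_update("10.20.5.5/32", "Gi0/1", ["65000:666"])
    out["bot_after_trigger"] = forward(fib, "Gi0/1", "10.20.5.5", "198.51.100.1")
    out["neighbour_unaffected"] = forward(fib, "Gi0/1", "10.20.5.6", "198.51.100.1")
    # Destination-based variant: black-hole the victim address instead (D/RTBH).
    fib.receive_bgp_update("198.51.100.1/32", "Gi0/0", ["65000:666"])
    out["victim_blackholed"] = forward(fib, "Gi0/1", "10.20.5.6", "198.51.100.1")
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Two things the walk-through makes visible: spoofed sources are dropped only when uRPF is actually enabled on the ingress interface (the `spoofed_no_urpf` case forwards), and the black-hole route does its work through the uRPF source lookup, so S/RTBH needs uRPF at the edge (loose mode is sufficient, strict mode as on the slide also works), while D/RTBH needs only the discard route itself.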
Utilization of a Few Members (charts): Institute-1, Institute-2, Institute-3, Institute-4
High Packet-Per-Second DoS Attack (chart)
High Bandwidth DoS Attack (chart)
Gateway Stats (chart)
Relay Service (chart)
DNS Cache Servers (diagram): member institutions send DNS requests to the NKN cloud resolvers and receive the replies. The server IP is 14.139.5.5 (anycast). Contact us: support.dns@nkn.in
DNS Zone Servers (diagram): the NKN cloud hosts the zone servers for member domains (domain.ac.in); queries arriving from the Internet and via the DNS root servers are answered there, and the zones are transferred to the institute DNS.
Thank You & Happy NKN
Project Implementation Unit, National Knowledge Network, National Informatics Centre
3rd Floor, Block III, Delhi IT Park, Shastri Park, New Delhi - 110053
Contact NKN: 1800 111 555, piu@nkn.in, support@nkn.in