Efficient Interfacing Campus LAN with NKN
RS MANI, rsm@nkn.in
2nd Annual NKN Workshop, 25-Oct-13
Efficient utilization comes from:
– Good Campus LAN
  • Speed
  • Segregation of LANs
  • QoS
  • Resilient
  • Access Controls (L2 and L3)
  • NMS
– Good Collaboration (National / International)
– Good Internet Governance
Scientists / Researchers
Various Components
• Campus network best practice
• Functions of the different layers
• Firewall/IPS
• AAA / DHCP / DNS
• Server Farm
• Security best practices, IPv4 & IPv6
• VPN Services
• Gateway Services
Typical Campus Network Architecture (diagram): two NKN links (Link 1, Link 2) terminate on an outer edge router and an edge router/switch; a firewall with IPS (active) and a second firewall with IPS (standby) sit in front of the core switch and the DHCP server; a 10G fibre backbone feeds distribution switches on the ground, 1st, 2nd and 3rd floors and a server switch; users connect over 1G fibre and CAT 6a / 7.
Security Devices
• Firewall/IPS: integrated stateful inspection firewall
• Maximizes network security with clear, deterministic L3/L4 policies
• Reputation-based Intrusion Prevention: identifies the source of, and blocks, denial of service (DoS), distributed denial of service (DDoS) and SYN flood attacks, with threat protection up to Layer 7
• Zero-day protection with anomaly detection
• Adoption and use of IPv6
• Remote Access VPN solution, providing both VPN client and clientless access
Some Best Practices for Campus Security
• Switches should support dynamic port security, DHCP snooping, Dynamic ARP Inspection and IP Source Guard
• Use SSH to access devices instead of Telnet
• Enable AAA and role-based access control (RADIUS/TACACS+) for the CLI on all devices
• Enable SYSLOG to a server; collect and archive the logs
• When using SNMP, use SNMPv3
• Configure access-lists to limit who can access management and CLI services
• Enable control-plane protocol authentication where it is available
Layer 2 Snoop Attack (diagram)
Problem: flood the switch CAM tables with bogus MACs (400,000 bogus MACs per second), turning the VLAN into a hub and eliminating privacy.
Solution: port security limits the MAC flooding attack. With only three MAC addresses allowed on the port (e.g. 00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb), the switch shuts down and locks the port and sends an SNMP trap.
DHCP Snooping (diagram: a client sends 1000s of DHCP requests to overrun the DHCP server)
• DHCP requests (discover) and responses (offer) are tracked
• Rate-limit requests on trusted interfaces; limits DoS attacks on the DHCP server
• Deny responses (offers) on non-trusted interfaces; stops malicious or errant DHCP servers
AAA server
Strengthens Security: enables corporate governance through a consistent access policy for all users and devices
Supports Compliance: enforces a consistent security policy, ensures endpoint health, delivers a secure network fabric
Increases Efficiency: reduces IT overhead through centralized identity management and integrated policy enforcement
Multi-Homing
• Basic requirements
– IP numbers to be owned (v4 or v6)
– ASN number (16-bit or 32-bit)
– Service providers capable of doing BGP
– Router capable of BGP and of holding the routes
– Trained manpower
What is an MPLS-VPN?
• An IP network infrastructure delivering private network services over a public infrastructure
– Uses a layer 3 backbone
– Scalability, easy provisioning
– Global as well as non-unique private address space
– QoS
– Controlled access
– Easy configuration
NKN MPLS for CUG (diagram): each sub-interface of the institute router is associated with a different VPN. The LANs of Institute #1 and Institute #2 carry VLAN1 (VPN Green), VLAN2 (Blue) and VLAN3 (Red) over 802.1Q trunks into the NKN backbone using Multi-VRF; the contents of Red, Blue and Green (e.g. video/audio) stay intra-VPN, with separate paths to the DC cloud, the state node (TN) and the Internet.
Layer 2 Extensions
VPLS Network (diagram): PE routers at Mumbai and Indore connect Institutes #1 to #5 (including the Physics Departments of Institute #1 and Institute #3) through virtual circuits / pseudowires.
End to End QoS (diagram): video conferencing (VC) equipment at three sites, connected across hops #2 to #11.
Inter Service Provider QoS (diagram: providers A, B, C, D and E interconnected across MPLS VPNs and the Internet)
• Many QoS-enabled islands
• Richly interconnected providers
• No inter-provider QoS
• No QoS
Goal: richly connected AND QoS-enabled
Defense Depth and Breadth (diagram: the NKN core, the transit network towards AS1, AS2, AS3 and the Internet, and the enterprise network with its Security Network Operations Center (NOC), remote access systems, internal assets/servers and edge e-mail and web servers; X marks the enforcement points)
Edge and transit techniques: transit interface ACLs, Unicast RPF, flexible packet matching, IP option filtering, marking/rate-limiting, receive ACLs, routing techniques, CoPP, eBGP techniques, ICMP techniques, QoS techniques
Device hardening: disable unused services, protocol-specific filters, password security, SNMP security, remote terminal access security, system banners, AAA, network telemetry, secure file systems
Using Strict Mode uRPF to Battle BOTNETs (diagram): uRPF strict mode is enabled on the NKN partner edge. From the NKN NOC, a BGP trigger community targets source-based remotely triggered black holing (SRTBH) on the NKN partner edge, behind the ISP peerings, the NKN backbone and the access POPs that serve the NKN partners.
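To make the slide's strict-mode uRPF concrete, here is an added Python model (not code from the NKN deck) of the check a partner-edge router performs: a longest-prefix match on the packet's source address, forwarding only if the resulting route points back out the ingress interface. The FIB, the interface names and the allow_default knob are constructed assumptions; a spoofed bot source arriving on the wrong interface is dropped, and loose mode is shown alongside for contrast.

```python
import ipaddress

# Constructed FIB for a small NKN-partner edge router: prefix -> egress interface.
FIB = {
    "10.10.0.0/16": "Gi0/1",   # partner campus behind Gi0/1
    "192.0.2.0/24": "Gi0/2",   # second partner campus behind Gi0/2
    "0.0.0.0/0": "Gi0/0",      # default route towards the NKN backbone
}


def lookup(fib, addr):
    """Longest-prefix match: return (network, interface) for addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(fib, src, ingress, allow_default=False):
    """Strict uRPF: pass only if the best route back to the source address
    leaves via the interface the packet arrived on. A hit on the default route
    counts only when allow_default is True (operator's choice; assumed here)."""
    hit = lookup(fib, src)
    if hit is None:
        return False
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    return iface == ingress


def urpf_loose(fib, src):
    """Loose uRPF: pass if any non-default route to the source exists at all."""
    hit = lookup(fib, src)
    return hit is not None and hit[0].prefixlen > 0


def classify(fib, src, ingress):
    """Verdict for one packet on a strict-mode partner edge: 'forward' or 'drop'."""
    return "forward" if urpf_strict(fib, src, ingress) else "drop"
```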
Utilization of Few Members (charts for INSTITUTE-1, INSTITUTE-2, INSTITUTE-3 and INSTITUTE-4; the figures are not recoverable from the text)
High Packet Per Second DoS Attack (chart)
High Bandwidth DoS Attack (chart)
Address Overload Crisis
Government's Role
• Understand the country's requirements
• Understand the regional needs
• Increase awareness, encourage deployment
• Create joint programs in the region with similar requirements
• Facilitate the adoption of IPv6
• Create test beds
• Showcase a few case studies
• Participate in world forums
Transition Plan
• Awareness program
• Assessment program
• Acquire IPv6 numbers
• Testing of IPv6
• Acceptance test
• Deployment of IPv6
IPv6
• IPv4 address (present): total addresses = 2^32 = 4 billion
• IPv6 address (future): total addresses = 2^128 = 340 billion billion billion billion
First Hop Security (diagram: Router Solicitation / Router Advertisement exchange)
RS: ICMP Type = 133 (RS); Src = link-local address (FE80::1/10); Dst = all-routers multicast address (FF02::2); Query = please send RA
RA: ICMP Type = 134 (RA); Src = link-local address (FE80::2/10); Dst = all-nodes multicast address (FF02::1); Data = options, subnet prefix, lifetime, autoconfig flag
First Hop Security (diagram): the host sends an RS; the legitimate router R1 answers with RA1 and an attacker R2 answers with RA2, so the host ends up with both R1 and R2 as default routers.
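The rogue-RA scenario above (R2 answering the host's RS) is what RA Guard on the access switch addresses, using the same trusted/untrusted port idea as the DHCP snooping slide earlier. The following added Python example, not part of the original deck, parses an ICMPv6 RA (type 134) from raw bytes and applies a constructed RA-guard policy: RAs on untrusted ports are dropped, and RAs on trusted ports must advertise only the expected prefix. The port names, prefixes and policy constants are assumptions; build_ra constructs the sample messages.

```python
import ipaddress
import struct

ICMPV6_RS, ICMPV6_RA, OPT_PREFIX_INFO = 133, 134, 3

# Constructed policy for one access switch: routers are expected only on Gi1/0/1,
# and a legitimate RA may only advertise the campus prefix below.
TRUSTED_PORTS = {"Gi1/0/1"}
ALLOWED_PREFIXES = ["2001:db8:1::/64"]

def parse_ra(payload):
    """Parse an ICMPv6 Router Advertisement (RFC 4861, type 134) into a dict,
    or return None if the message is not an RA (e.g. an RS, type 133)."""
    if len(payload) < 16 or payload[0] != ICMPV6_RA:
        return None
    # type, code, checksum, cur hop limit, M/O flags, router lifetime, reachable, retrans
    _, _, _, hop_limit, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", payload[:16])
    prefixes, off = [], 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1] * 8  # length is in 8-octet units
        if olen == 0 or off + olen > len(payload):
            break                                         # malformed option: stop
        if otype == OPT_PREFIX_INFO and olen == 32:
            plen = payload[off + 2]
            addr = ipaddress.IPv6Address(payload[off + 16:off + 32])
            prefixes.append(ipaddress.IPv6Network((addr, plen), strict=False))
        off += olen
    return {"hop_limit": hop_limit, "managed": bool(flags & 0x80),
            "router_lifetime": lifetime, "prefixes": prefixes}

def ra_guard(port, src, payload, trusted_ports=TRUSTED_PORTS, allowed_prefixes=ALLOWED_PREFIXES):
    """RA-guard style verdict for one frame: 'accept' or 'drop: <reason>'."""
    ra = parse_ra(payload)
    if ra is None:
        return "accept"                 # RS or other ICMPv6: RA guard does not act on it
    if port not in trusted_ports:
        return f"drop: RA from untrusted port {port} (src {src})"
    allowed = {ipaddress.IPv6Network(p) for p in allowed_prefixes}
    bad = [str(p) for p in ra["prefixes"] if p not in allowed]
    if bad:
        return f"drop: unexpected prefix {bad[0]} on trusted port {port}"
    return "accept"

def build_ra(prefix, plen, router_lifetime=1800):
    """Constructed sample RA with one Prefix Information option (checksum left 0)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, router_lifetime, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
    return hdr + opt + ipaddress.IPv6Address(prefix).packed
```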
6PE – Enabling the core with IPv6
WATCH OUT ??
Network infrastructure: routers, bandwidth shapers, switches (Layer 2 and Layer 3)
Data centre devices: load balancers, firewall, IPS/IDS, blade management consoles, IP KVM
Clients: PCs on the LAN, servers (if any), proxy/UTM, network printers, display systems, antivirus/HIPS, virtual machines (VMware/Xen)
WATCH OUT ??
Infrastructure: power/infra management software, UPS management console, building management system, access control system, cameras, digital video recorders
Wi-Fi systems: Wi-Fi controllers
Software stacks: Windows/Linux/Solaris/AIX; IIS 6 & above / Apache 2 & above; AAA server; BIND 9.5 & above; database (transaction log); logging server (syslog / special tools like WebTrends)
Security IPv6 (diagram: overlapping sets of IPv4 vulnerabilities and IPv6 vulnerabilities, with specific IPv4 issues and specific IPv6 issues outside the overlap)