Internet network monitoring technology for early detection of threats and disruptions Alberto Rivai arivai@cisco.com
About Myself • Bachelor's degree in Electrical Engineering • Master's degree from Queensland University of Technology • 7 years of experience in security-related areas • 2 years of working experience at a Managed Security Service Provider • CISSP (Certified Information Systems Security Professional) • Other vendor-related certifications
Goal • Provide techniques/tasks that any SP can apply to improve its resistance to security issues. • These techniques can be implemented on any core routing vendor’s equipment. • Each of these techniques has proven to make a difference.
Current State • ISPs are working alone to protect the infrastructure • SPs, CERTs, and "officials" in Indonesia are not yet aware that these groups exist or that they are preventing these attacks from happening. • No collaboration • Point-product approach • So how are they going to get "early warning" if they are not involved with the community doing battle with the bad guys?
Access Line DDoS Vulnerabilities: Multiple Threats and Targets • Attack zombies: use valid protocols, spoof source IP, massively distributed, variety of attacks • Provider infrastructure: DNS, routers, and links • Entire data center: servers, security devices, routers; ecommerce, web, DNS, email, …
List of things that Work • Prepare your NOC • Mitigation Communities • Point Protection on Every Device • Edge Protection • Remote triggered black hole filtering • Sink holes • Source address validation on all customer traffic • Total Visibility (Data Harvesting – Data Mining) • Security Event Management
The Executive Summary
SP Security in the NOC - Prepare • PREPARATION: Prep the network, create tools, test tools, prep procedures, train team, practice • IDENTIFICATION: How do you know about the attack? What tools can you use? What’s your process for communication? • CLASSIFICATION: What kind of attack is it? • TRACEBACK: Where is the attack coming from? Where and how is it affecting the network? • REACTION: What options do you have to remedy? Which option is the best under the circumstances? • POST MORTEM: What was done? Can anything be done to prevent it? How can it be less painful in the future?
Aggressive Collaboration • NSP-SEC and its regional lists: NSP-SEC-D, NSP-SEC-BR, NSP-SEC-KR, NSP-SEC-JP, NSP-SEC-TW, NSP-SEC-CN • MWP • Drone-Armies • FUN-SEC • Hijacked • National Cyber Teams • FIRST/CERT Teams • Internet Storm Center • Telecoms ISAC • Other ISACs • DSHIELD • MyNetWatchman • SANS • iNOC-DBA
Point Protection • Threats against every point: penetration, DoS, interception • Points to protect: AAA, NOC, ISP’s backbone, remote staff, office staff
Edge Protection • Core routers individually secured PLUS infrastructure protection • Routers generally NOT accessible from “outside”: management protocols such as telnet and snmp towards the core are blocked at the edge
Destination Based RTBH • Topology: Peer A (IXP-W), Peer B (IXP-E), Upstream A, Upstream B, edge routers A–G, POP, NOC, Target • The NOC advertises the list of black-holed prefixes via iBGP to all edge routers, so traffic towards the target is dropped at the edge rather than carried to it
Sink Holes • Remote triggered sink holes at every edge: Peer A (IXP-W), Peer B (IXP-E), Upstream A, Upstream B, Customer, POP • Garbage packets flow to the closest sink hole • Diagram example: customer prefix 171.68.19.0/24, primary DNS servers at 171.68.19.1 on the services network
BCP (Best Current Practice) 38 Ingress Packet Filtering / RFC3704 • ISP’s customer allocation block: 96.0.0.0/19, with customer /24s such as 96.0.18.0/24, 96.0.19.0/24, 96.0.20.0/24, 96.0.21.0/24 • BCP 38 filter = allow only source addresses from the customer’s 96.0.X.X/24 • BCP 38 filter applied on downstream aggregation and NAS routers • Static access list on the edge of the network • Dynamic access list with AAA profiles • Unicast RPF • Cable Source Verify (MAC & IP) • IP Source Verify (MAC & IP)
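The three forwarding-plane techniques above (destination-based RTBH, sink holes, BCP 38 with uRPF) are easiest to understand when they sit in one routing table. The following Python model of an SP edge router is an added worked example, not code from the presentation and not Cisco configuration. It takes the 96.0.0.0/19 customer block from the slide; the interface names, the RTBH next hop 192.0.2.1 and the 203.0.113.x / 198.51.100.x addresses are constructed for the example (RFC 5737 documentation ranges), and the choice to pull the unallocated part of the /19 into the sink hole is an assumed design, not something the slides prescribe.

```python
"""Toy forwarding-plane model of an SP edge router (added example, not
presentation or vendor code). Shows destination-based RTBH via a recursive
next hop routed to a discard interface, a sink hole for unallocated space,
and BCP 38 / strict uRPF source validation on customer interfaces.
Prefixes other than 96.0.0.0/19 and all interface names are constructed."""
import ipaddress
from dataclasses import dataclass

DISCARD = "Null0"             # discard interface: the classic RTBH drop point
SINKHOLE = "sinkhole"         # interface towards the sink-hole collector
RTBH_NEXT_HOP = "192.0.2.1"   # next hop the NOC trigger attaches to victim /32s (constructed)


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str  # an interface name, or a next-hop IP that is resolved recursively


class EdgeRouter:
    def __init__(self):
        self.fib = []
        # BCP 38: the source prefix each customer interface is allowed to originate
        self.customer_sources = {}

    def add_route(self, prefix, via):
        self.fib.append(Route(ipaddress.ip_network(prefix), via))

    def lookup(self, addr):
        """Longest-prefix match over the FIB; returns the Route or None."""
        ip = ipaddress.ip_address(addr)
        best = None
        for r in self.fib:
            if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def resolve(self, addr, depth=0):
        """Follow recursive next hops until an interface name is reached."""
        r = self.lookup(addr)
        if r is None or depth > 8:
            return None
        try:
            ipaddress.ip_address(r.via)
        except ValueError:
            return r.via              # via is an interface name, we are done
        return self.resolve(r.via, depth + 1)

    # Destination-based RTBH: the NOC's iBGP advertisement is modelled as a host
    # route whose next hop is statically routed to the discard interface.
    def rtbh_trigger(self, victim):
        self.add_route(f"{victim}/32", RTBH_NEXT_HOP)

    def rtbh_withdraw(self, victim):
        gone = Route(ipaddress.ip_network(f"{victim}/32"), RTBH_NEXT_HOP)
        self.fib = [r for r in self.fib if r != gone]

    # BCP 38 on the customer edge: static source ACL plus strict uRPF.
    def add_customer(self, interface, allocation):
        self.add_route(allocation, interface)
        self.customer_sources[interface] = ipaddress.ip_network(allocation)

    def ingress_ok(self, ingress_if, src):
        if ingress_if not in self.customer_sources:
            return True  # only customer-facing edges are source-validated in this model
        if ipaddress.ip_address(src) not in self.customer_sources[ingress_if]:
            return False  # static ACL: not one of the customer's own addresses
        # strict uRPF: the best route back to the source must leave via the ingress interface
        return self.resolve(src) == ingress_if

    def forward(self, ingress_if, src, dst):
        """Returns the egress interface, or a 'drop:<reason>' string."""
        if not self.ingress_ok(ingress_if, src):
            return "drop:spoofed"
        egress = self.resolve(dst)
        if egress is None:
            return "drop:no-route"
        if egress == DISCARD:
            return "drop:rtbh"
        return egress


def build_demo_router():
    """Constructed topology: default route to one upstream, one customer /24 out
    of the ISP's 96.0.0.0/19 block, and the rest of that block pulled into the
    sink hole so garbage for unallocated space is collected rather than routed."""
    rtr = EdgeRouter()
    rtr.add_route("0.0.0.0/0", "upstream-a")
    rtr.add_route("96.0.0.0/19", SINKHOLE)
    rtr.add_customer("cust-gig0/1", "96.0.20.0/24")
    rtr.add_route(f"{RTBH_NEXT_HOP}/32", DISCARD)  # pre-provisioned on every edge
    return rtr


if __name__ == "__main__":
    rtr = build_demo_router()
    print(rtr.forward("upstream-a", "203.0.113.7", "96.0.20.10"))    # cust-gig0/1
    print(rtr.forward("cust-gig0/1", "198.51.100.5", "203.0.113.7"))  # drop:spoofed
    print(rtr.forward("upstream-a", "203.0.113.7", "96.0.5.5"))      # sinkhole
    rtr.rtbh_trigger("96.0.20.10")
    print(rtr.forward("upstream-a", "203.0.113.7", "96.0.20.10"))    # drop:rtbh
```

Running the block walks through the four outcomes: normal delivery to the customer, a spoofed source rejected at the customer edge, traffic for unallocated space landing on the sink hole, and the victim /32 dropped at the edge once the trigger route is present. One interaction the model makes visible: after the trigger, strict uRPF on the customer interface also rejects packets sourced by the victim, because the best route back to that source now resolves to Null0. Operators combining RTBH with strict uRPF should expect that side effect and decide whether it is acceptable for the duration of the black hole.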
Total Visibility • Anomaly in DNS queries: investigate the spike • A throughput spike together with an RTT spike points to an identified cause of the outage • Source: http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/
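A graph only becomes early warning when something watches it for you. The following added example, which is not code from the presentation and not part of RRDtool, shows one way to turn the "throughput spike plus RTT spike" pattern above into an alert: a median/MAD detector over each series and a check for intervals where both signals move together. DNS_QPS and RTT_MS are constructed series, one sample per 5-minute step as an RRD would store them; the values and the thresholds are illustrative.

```python
"""Added example (not from the presentation, not RRDtool code): a small
anomaly detector that flags spikes in a monitoring series and reports the
intervals where two independent metrics spike at once. DNS_QPS and RTT_MS
are constructed, one sample per 5-minute step."""
import statistics

STEP_SECONDS = 300

# Constructed: 24 quiet 5-minute samples, then three abnormal intervals, then recovery.
DNS_QPS = [820, 845, 810, 860, 835, 790, 880, 850, 830, 815, 870, 840,
           825, 855, 805, 865, 830, 795, 875, 845, 835, 820, 860, 850,
           6500, 7100, 6800, 840, 830, 850]
RTT_MS = [21, 20, 22, 19, 21, 20, 23, 20, 21, 22, 20, 19,
          21, 20, 22, 21, 20, 19, 22, 21, 20, 21, 20, 22,
          23, 180, 210, 150, 21, 20]


def find_spikes(samples, window=12, k=4.0, min_ratio=2.0):
    """Return (index, value, baseline_median) for every sample that sits more
    than k median-absolute-deviations above the median of the preceding
    `window` samples AND is at least min_ratio times that median.
    Median/MAD rather than mean/stddev keeps the baseline from being dragged
    up by the spike once it enters the window; min_ratio stops a nearly flat
    baseline (tiny MAD) from flagging ordinary jitter."""
    spikes = []
    for i in range(window, len(samples)):
        baseline = samples[i - window:i]
        med = statistics.median(baseline)
        mad = statistics.median(abs(x - med) for x in baseline) or 1.0
        if samples[i] > med + k * mad and samples[i] >= min_ratio * med:
            spikes.append((i, samples[i], med))
    return spikes


def offset(i, step=STEP_SECONDS):
    """Human-readable offset of sample i from the start of the series."""
    return f"+{i * step // 3600:02d}:{(i * step % 3600) // 60:02d}"


def report(qps=DNS_QPS, rtt=RTT_MS):
    """One line per interval in which BOTH series spike. A single metric is a
    hint; two independent metrics moving together is what points at one cause."""
    q = {i: med for i, _, med in find_spikes(qps)}
    r = {i: med for i, _, med in find_spikes(rtt)}
    return [f"{offset(i)}: DNS {qps[i]} qps vs baseline {q[i]:.0f}; "
            f"RTT {rtt[i]} ms vs baseline {r[i]:.0f}"
            for i in sorted(set(q) & set(r))]


if __name__ == "__main__":
    for line in report():
        print(line)
```

With the constructed data the DNS series spikes at samples 24 to 26 and the RTT series at 25 to 27, so the report names the two overlapping intervals and leaves the single-metric edges as weaker signals. The window length and the k / min_ratio thresholds are tuning knobs; a production detector would also handle gaps (NaN samples in RRD terms) and seasonality, which this example does not.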
Security Event Management • SEM improves security incident response capabilities. SEM processes near-real-time data from security devices, network devices and systems to provide real-time event management for security operations. • Provides a holistic view of the network.
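What "a holistic view" buys you in practice is correlation across devices that individually see too little to act on. The following added example, not code from the presentation or from any SEM product, normalises events from an edge firewall and a POP router into one stream and raises an incident only when a single source hits several distinct targets within a short window and is reported by more than one device. The log lines, the device names and the simplified "timestamp device action src= dst= dport=" line format are constructed for this example and do not follow any vendor's real syslog format.

```python
"""Added example, not part of the presentation: a minimal SEM-style event
normaliser and correlator. Log lines, device names and their simplified
format are constructed; the addresses are RFC 5737 documentation ranges plus
the 96.0.20.0/24 customer block from the slides."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+) (\S+) (\w+) src=(\S+) dst=(\S+) dport=(\d+)$")

# Constructed sample feed: edge firewall and POP router, interleaved and unsorted
# as they would arrive over syslog, plus one line the parser must skip.
SAMPLE_LOGS = [
    "2009-03-02T10:00:09 fw-edge1 DENY src=203.0.113.9 dst=96.0.20.12 dport=22",
    "2009-03-02T10:00:01 fw-edge1 DENY src=203.0.113.9 dst=96.0.20.10 dport=22",
    "2009-03-02T10:00:03 rtr-pop2 ACLDENY src=203.0.113.9 dst=96.0.20.11 dport=22",
    "2009-03-02T10:00:05 fw-edge1 DENY src=198.51.100.4 dst=96.0.20.10 dport=443",
    "2009-03-02T10:00:12 rtr-pop2 ACLDENY src=203.0.113.50 dst=96.0.20.10 dport=445",
    "2009-03-02T10:00:13 rtr-pop2 ACLDENY src=203.0.113.50 dst=96.0.20.11 dport=445",
    "2009-03-02T10:00:14 rtr-pop2 ACLDENY src=203.0.113.50 dst=96.0.20.12 dport=445",
    "2009-03-02T10:05:00 fw-edge1 DENY src=203.0.113.9 dst=96.0.20.13 dport=22",
    "garbage line that the parser must skip",
]


def parse(line):
    """One raw line -> normalised event dict, or None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    ts, device, action, src, dst, dport = m.groups()
    return {"ts": datetime.fromisoformat(ts), "device": device,
            "action": action, "src": src, "dst": dst, "dport": int(dport)}


def correlate(lines, window=timedelta(seconds=60), min_targets=3, min_devices=2):
    """Return one incident per offending source: the first window in which that
    source touched >= min_targets distinct (dst, port) pairs as reported by
    >= min_devices different devices. Events are sorted first, so out-of-order
    delivery from different collectors does not break the window logic."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide the window forward
                start += 1
            win = evs[start:end + 1]
            targets = {(e["dst"], e["dport"]) for e in win}
            devices = {e["device"] for e in win}
            if len(targets) >= min_targets and len(devices) >= min_devices:
                incidents.append({"src": src, "first_seen": win[0]["ts"],
                                  "last_seen": win[-1]["ts"],
                                  "targets": sorted(targets), "devices": sorted(devices)})
                break  # report the source once; later windows belong to the same incident
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOGS):
        print(f"{inc['first_seen']:%H:%M:%S} {inc['src']} -> {len(inc['targets'])} targets, "
              f"seen by {', '.join(inc['devices'])}")
```

On the sample feed only 203.0.113.9 is raised: it touched three targets inside 60 seconds and both the firewall and the router reported it. 203.0.113.50 also touched three targets but was seen by one device only, so the cross-device rule leaves it below the threshold; lowering min_devices to 1 turns it into a second incident, which is the kind of tuning decision a SEM deployment makes per rule.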
Summary • We cannot provide an early warning system if we don't cooperate with the people fighting the bad guys • We can use the technology available to provide the early warning system • Preparing the NOC is the #1 thing you need to do to prevent attacks. You cannot run around during an attack building and deploying tools and procedures. It is like the fire department going to a fire and then opening the operations manual for how to operate the fire engine. • Last but not least, aggressive collaboration and working together with the rest of the world