How ISPs Handle and Solve Network Security Problems
     - 7th TWNIC OPM
     2006/11/23, Taipei

                         許至凱
             Communications Network Department, Engineering Division, Support Group
                 kae@du.net.tw
Agenda (slide 2)
    http://www.seed.net.tw
        ISP security profile
        Control plane security
        Data plane security
        Reference
ISP security profile (slide 3)
    Two positions at which to implement security
       Physical position
       Logical position
    At the logical position level, deploy security mechanisms on:
       Control plane
       Data plane
ISP security profile (slide 4)
    [Diagram: the router is split into a control plane, which carries management and routing protocol traffic, and a data plane, which carries IP/MPLS packets]
Control plane security (slide 5)
    Security issues on an ISP router
       Secure the router
       Keep the routing information secured
       Event logging
Control plane security (slide 6)
    Security issues on an ISP router
       Secure the router
         Keep unauthorized traffic away
            Router ACL
              » telnet/ssh/IGP/BGP
            Out-of-band management
         Rate-limit the traffic forwarded to the control plane
            ICMP/UDP
         Use AAA when accessing the router
            Authentication
            Authorization
            Auditing
Control plane security (slide 7)
    Security issues on an ISP router
       Keep the routing information secured
         Authenticated routing exchange
            MD5
         Authenticate the route prefix
            RADB
            Bogon list
              » Cymru Bogon list
              » CompleteWhois Bogon list
         Limit the number of route prefixes
            BGP prefix limitation
Control plane security (slides 8-9)
    RADB
    [Screenshots]
Control plane security (slide 10)
    RADB

    > whois -h whois.radb.net 139.175/16
    route:      139.175.0.0/16
    descr:      Digital United Inc. (seednet)
                No. 220, Gangchi road,
                Nei-Hu district,
                Taipei, Taiwan, 11444
    origin:     AS4780
    admin-c:    KH54-AP
    tech-c:     KH54-AP
    notify:     cn@du.net.tw
    mnt-by:     MAINT-AS4780
    changed:    jzs@du.net.tw 20031009
    changed:    kae@du.net.tw 20060605 #02:46:26(UTC)
    source:     RADB
Control plane security (slides 11-13)
    Bogon list
     » Cymru Bogon list
    [Screenshots]

Control plane security (slides 14-15)
    Bogon list
     » CompleteWhois Bogon list
    [Screenshots]
Control plane security (slide 16)
    BGP prefix limitation
    [Screenshot]
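The three checks from slide 7 (bogon filter, RADB origin check, BGP prefix limit) worked through in Python against the route object shown on slide 10. This is an added example, not code from the slides or from SeedNet; the neighbour's announcements, the bogon subset, the origin AS65000 and the prefix limit are constructed.

```python
import ipaddress

# Constructed input: the RADB route object shown on slide 10, as returned by
# "whois -h whois.radb.net 139.175/16" (the command line itself is omitted).
RADB_WHOIS_OUTPUT = """\
route:      139.175.0.0/16
descr:      Digital United Inc. (seednet)
            No. 220, Gangchi road,
            Nei-Hu district,
            Taipei, Taiwan, 11444
origin:     AS4780
admin-c:    KH54-AP
tech-c:     KH54-AP
notify:     cn@du.net.tw
mnt-by:     MAINT-AS4780
changed:    jzs@du.net.tw 20031009
changed:    kae@du.net.tw 20060605 #02:46:26(UTC)
source:     RADB
"""

# A small constructed subset of a Cymru-style bogon list: reserved or
# unallocated space that should never appear in a BGP announcement.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/3",
)]

# Constructed announcements received from one neighbour: (prefix, origin AS).
SAMPLE_ANNOUNCEMENTS = [
    ("139.175.0.0/16", 4780),    # exactly the registered object
    ("139.175.10.0/24", 4780),   # more-specific, covered by the registered /16
    ("139.175.0.0/16", 65000),   # constructed hijack: wrong origin AS
    ("10.0.0.0/8", 4780),        # bogon prefix
    ("203.0.113.0/24", 4780),    # constructed prefix with no route object
]


def parse_route_objects(text):
    """Parse RPSL route objects into {prefix: origin_as}.

    Continuation lines (leading whitespace), such as the multi-line descr:
    above, belong to the previous attribute and are skipped."""
    objects, prefix = {}, None
    for line in text.splitlines():
        if not line.strip() or line[0].isspace():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "route":
            prefix = ipaddress.ip_network(value)
        elif key == "origin" and prefix is not None:
            objects[prefix] = int(value.upper().replace("AS", "", 1))
            prefix = None
    return objects


def is_bogon(prefix):
    return any(prefix.subnet_of(b) for b in BOGONS)


def validate_announcements(announcements, route_objects, max_prefix):
    """Apply the slide-7 checks to one neighbour's announcements, in order:
    bogon filter, RADB origin check, then a per-neighbour prefix limit.

    Returns (accepted, rejected); each rejected entry carries its reason.
    A real router tears the BGP session down when maximum-prefix is hit;
    here every announcement past the limit is simply rejected."""
    accepted, rejected = [], []
    for prefix_str, origin_as in announcements:
        prefix = ipaddress.ip_network(prefix_str)
        if is_bogon(prefix):
            rejected.append((prefix_str, origin_as, "bogon prefix"))
            continue
        # Registered origins of every route object covering this prefix.
        registered = [o for p, o in route_objects.items() if prefix.subnet_of(p)]
        if not registered:
            rejected.append((prefix_str, origin_as, "no RADB route object"))
            continue
        if origin_as not in registered:
            rejected.append((prefix_str, origin_as,
                             f"origin mismatch, registered AS{registered}"))
            continue
        if len(accepted) >= max_prefix:
            rejected.append((prefix_str, origin_as, "prefix limit exceeded"))
            continue
        accepted.append((prefix_str, origin_as))
    return accepted, rejected


def run_demo(max_prefix=10):
    return validate_announcements(SAMPLE_ANNOUNCEMENTS,
                                  parse_route_objects(RADB_WHOIS_OUTPUT), max_prefix)


if __name__ == "__main__":
    accepted, rejected = run_demo()
    for entry in accepted:
        print("accept", entry)
    for entry in rejected:
        print("reject", entry)
```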
Control plane security (slide 17)
    Security issues on an ISP router
       Event logging
         Router events
            Log everything crucial in your router
            Log server
         Routing events
            IGP events
              » LSA history
              » Route add/withdraw history
            BGP events
              » Route add/withdraw
Control plane security (slide 18)
    Router events
       Log everything crucial in your router
       Log server

    Nov 21 06:25:27: %SONET-4-ALARM: POS2/3: SLOS
    Nov 21 06:25:29: %LINK-3-UPDOWN: Interface POS2/3, changed state to down
    Nov 21 06:25:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface POS2/3, changed state to down
    Nov 21 06:26:42: %SONET-4-ALARM: POS2/3: SLOS cleared
    Nov 21 06:26:44: %LINK-3-UPDOWN: Interface POS2/3, changed state to up
    Nov 21 06:26:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface POS2/3, changed state to up

    [Diagram: the router sends these messages to the log server]
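A detection pass over the syslog lines from slide 18, as an added example that is not part of the slides: it parses IOS-style messages, pulls out the severity-3-and-below events worth alerting on, records configuration changes as an audit trail, and flags an interface that goes down repeatedly. The four extra log lines, the year 2006 and the ten-minute window are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the first six lines are the ones shown on slide 18; the
# remaining four are added here to show a second flap on the same interface,
# a configuration change, and a different interface going down once.
SAMPLE_SYSLOG = """\
Nov 21 06:25:27: %SONET-4-ALARM: POS2/3: SLOS
Nov 21 06:25:29: %LINK-3-UPDOWN: Interface POS2/3, changed state to down
Nov 21 06:25:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface POS2/3, changed state to down
Nov 21 06:26:42: %SONET-4-ALARM: POS2/3: SLOS cleared
Nov 21 06:26:44: %LINK-3-UPDOWN: Interface POS2/3, changed state to up
Nov 21 06:26:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface POS2/3, changed state to up
Nov 21 06:31:02: %LINK-3-UPDOWN: Interface POS2/3, changed state to down
Nov 21 06:31:20: %LINK-3-UPDOWN: Interface POS2/3, changed state to up
Nov 21 06:40:00: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)
Nov 21 06:40:05: %LINK-3-UPDOWN: Interface POS1/0, changed state to down
"""

# IOS message layout: "<timestamp>: %FACILITY-SEVERITY-MNEMONIC: text"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$")
LINK_RE = re.compile(r"Interface (?P<ifname>\S+), changed state to (?P<state>up|down)")


def parse_syslog(text, year=2006):
    """Parse IOS-style lines into dicts. IOS timestamps carry no year, so the
    caller supplies one (assumed 2006 here). Lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "facility": m["facility"], "severity": int(m["severity"]),
            "mnemonic": m["mnemonic"], "msg": m["msg"],
        })
    return events


def critical_events(events, max_severity=3):
    """Severity 0-3 (emergency to error) is the band to page on; 4+ is informational."""
    return [e for e in events if e["severity"] <= max_severity]


def config_changes(events):
    """SYS-5-CONFIG_I records who changed the configuration and from where: the
    audit half of AAA, and worth shipping to the log server even at severity 5."""
    return [e["msg"] for e in events if e["mnemonic"] == "CONFIG_I"]


def link_flaps(events, window=timedelta(minutes=10), min_downs=2):
    """Crude flap detector over LINK-3-UPDOWN: interfaces that went down at least
    min_downs times inside any window. Returns {interface: [down timestamps]}."""
    downs = defaultdict(list)
    for e in events:
        if e["facility"] != "LINK" or e["mnemonic"] != "UPDOWN":
            continue
        lm = LINK_RE.search(e["msg"])
        if lm and lm["state"] == "down":
            downs[lm["ifname"]].append(e["ts"])
    flapping = {}
    for ifname, times in downs.items():
        times.sort()
        for i in range(len(times) - min_downs + 1):
            if times[i + min_downs - 1] - times[i] <= window:
                flapping[ifname] = times
                break
    return flapping


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_SYSLOG)
    print(f"{len(evs)} events, {len(critical_events(evs))} at severity <= 3")
    for ifname, times in link_flaps(evs).items():
        print("flapping:", ifname, [t.strftime("%H:%M:%S") for t in times])
    for msg in config_changes(evs):
        print("config change:", msg)
```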
Control plane security (slide 19)
    Routing events
       IGP events
         » LSA history
         » Route add/withdraw history

    [Diagram: LSAs flow from a local area through an ABR into Area 0, and from RIP through an ASBR; the LSAs are collected as an LSA log on the log server]
Control plane security (slide 20)
    Routing events
       BGP events
         » Route add/withdraw

    [Diagram: AS100 between AS200 and AS300; BGP updates are collected as a BGP update log on the log server]
Data plane security (slide 21)
    Security issues in the ISP network
       Prevent unauthenticated packet flows
       Prevent denial of service attacks
Data plane security (slide 22)
    Security issues in the ISP network
       Prevent unauthenticated packet flows
          from the Internet
             Source address from the Bogon list
             Source address spoofing
          to the Internet
             Source address spoofing
          Unicast Reverse Path Forwarding (uRPF)
Data plane security (slide 23)
    Security issues in the ISP network
       Prevent denial of service attacks
          Black hole
             Drop packets from some BGP nodes
          Sink hole
             Redirect packets to a special node
Data plane security (slide 24)
    Black hole
       DDoS attack happened!!!
    [Diagram: AS200, AS100, AS300]

Data plane security (slide 25)
    Black hole
       Drop packets from some BGP nodes
    [Diagram: AS200, AS100, AS300]

Data plane security (slide 26)
    Sink hole
       DDoS attack happened!!!
    [Diagram: AS200, AS100, AS300]

Data plane security (slide 27)
    Sink hole
       DDoS attack happened!!!
    [Diagram: AS200, AS100, AS300; some commands are sent to the border router]

Data plane security (slide 28)
    Sink hole
       Redirect packets to a special node
    [Diagram: AS200, AS100, AS300]
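The data plane decisions of slides 22 to 28, namely the bogon source filter, uRPF in loose and strict mode, a black hole route that discards traffic to an attacked host, and a sink hole route that redirects it to a special node, as one forwarding function. This is an added example and not part of the slides; the FIB, the neighbour names AS200/AS300, the attacked hosts and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str            # interface or neighbour the packet leaves through
    kind: str = "normal"     # "normal", "blackhole" (discard) or "sinkhole" (redirect)


# Constructed FIB of an AS100 border router: the customer block, a block behind
# each neighbour, an upstream default, plus a black hole and a sink hole for
# two hosts currently under attack.
FIB = [
    Route(ipaddress.ip_network("139.175.0.0/16"), "core"),
    Route(ipaddress.ip_network("198.51.100.0/24"), "AS200"),
    Route(ipaddress.ip_network("203.0.113.0/24"), "AS300"),
    Route(ipaddress.ip_network("139.175.200.7/32"), "Null0", "blackhole"),
    Route(ipaddress.ip_network("139.175.200.8/32"), "sinkhole", "sinkhole"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "AS200"),
]

# Constructed subset of a bogon list for the "source address from Bogon list" check.
BOGONS = [ipaddress.ip_network(p) for p in
          ("10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup(addr):
    """Longest-prefix match over the FIB; None if nothing matches."""
    matches = [r for r in FIB if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def urpf_passes(src, ingress, mode):
    """Unicast RPF on the source address.
    Loose: some non-default, non-discard route to the source must exist.
    Strict: that route must also point back out the ingress interface, which
    drops spoofed sources but also legitimate asymmetric traffic.
    Ignoring the default route mirrors the usual router behaviour; a source
    covered by a black hole route fails both modes, so a /32 discard route
    also filters packets *from* that address (source-based black holing)."""
    r = lookup(src)
    if r is None or r.prefix.prefixlen == 0 or r.kind == "blackhole":
        return False
    return mode == "loose" or r.next_hop == ingress


def forward(src_str, dst_str, ingress, urpf_mode="loose"):
    """What the border router does with one packet, as a verdict string."""
    src, dst = ipaddress.ip_address(src_str), ipaddress.ip_address(dst_str)
    if any(src in b for b in BOGONS):
        return "drop: bogon source"
    if not urpf_passes(src, ingress, urpf_mode):
        return f"drop: uRPF {urpf_mode} failed"
    r = lookup(dst)
    if r is None:
        return "drop: no route"
    if r.kind == "blackhole":
        return "drop: black hole"          # attack traffic discarded at the border
    if r.kind == "sinkhole":
        return f"redirect to {r.next_hop}"  # attack traffic diverted for analysis
    return f"forward via {r.next_hop}"


if __name__ == "__main__":
    for pkt in [("203.0.113.5", "139.175.1.1", "AS300", "strict"),
                ("203.0.113.5", "139.175.1.1", "AS200", "strict"),
                ("10.1.2.3", "139.175.1.1", "AS200", "loose"),
                ("198.51.100.9", "139.175.200.7", "AS200", "loose"),
                ("198.51.100.9", "139.175.200.8", "AS200", "loose"),
                ("203.0.113.77", "198.51.100.9", "core", "strict")]:
        print(pkt, "->", forward(*pkt))
```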
Reference (slide 29)
    Books
       ISP Essentials
         http://www.ciscopress.com/title/1587050412
    Papers
       "Operational Security Current Practices"
         http://www.ietf.org/internet-drafts/draft-ietf-opsec-current-practices-07.txt
    Web sites
       http://www.nanog.org/subjects.html#S
       http://www.cymru.com/Bogons/
       http://www.completewhois.com/bogons/
Questions & Comments? (slide 30)
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 

How To Process And Solve Network Security In ISP

  • 1. How an ISP Handles and Resolves Network Security Problems - 7th TWNIC OPM, 2006/11/23, Taipei. 許至凱, Communications Network Department, Support Group Engineering Office, kae@du.net.tw
  • 2. Agenda http://www.seed.net.tw ISP security profile; Control plane security; Data plane security; Reference 2
  • 3. ISP security profile. There are two positions at which to implement security: the physical position and the logical position. At the logical position, deploy security mechanisms on the control plane and on the data plane.
  • 4. ISP security profile (diagram). Control plane: management and routing protocol traffic. Data plane: IP/MPLS packets.
  • 5. Control plane security. Security issues on an ISP router: secure the router; keep the routing information secure; event logging.
  • 6. Control plane security. Security issues on an ISP router: secure the router. Keep unauthorized traffic away: router ACL (telnet/ssh/IGP/BGP); out-of-band management. Rate limit the traffic forwarded to the control plane (ICMP/UDP). Use AAA when accessing the router: authentication, authorization, auditing.
  • 7. Control plane security. Security issues on an ISP router: keep the routing information secure. Authenticated routing exchange: MD5. Authenticate the route prefix: RADB; bogon list (Cymru bogon list, CompleteWhois bogon list). Authenticate the number of route prefixes: BGP prefix limitation.
  • 8. Control plane security: RADB
  • 9. Control plane security: RADB
  • 10. Control plane security: RADB
    > whois -h whois.radb.net 139.175/16
    route:      139.175.0.0/16
    descr:      Digital United Inc. (seednet)
                No. 220, Gangchi road, Nei-Hu district, Taipei, Taiwan, 11444
    origin:     AS4780
    admin-c:    KH54-AP
    tech-c:     KH54-AP
    notify:     cn@du.net.tw
    mnt-by:     MAINT-AS4780
    changed:    jzs@du.net.tw 20031009
    changed:    kae@du.net.tw 20060605 #02:46:26(UTC)
    source:     RADB
  • 11. Control plane security: bogon list, Cymru bogon list
  • 12. Control plane security: bogon list, Cymru bogon list
  • 13. Control plane security: bogon list, Cymru bogon list
  • 14. Control plane security: bogon list, CompleteWhois bogon list
  • 15. Control plane security: bogon list, CompleteWhois bogon list
  • 16. Control plane security: BGP prefix limitation
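The three prefix checks from slides 7, 10 and 16 (origin AS against the RADB route object, bogon filtering, and a per-neighbour prefix limit) as an added example, not code from the presentation; the bogon list is an abbreviated, constructed one and the route object is reduced to the attributes the check uses.

```python
"""Added example for slides 7, 10 and 16: filter one received BGP route against
an RADB route object (origin AS), a bogon list and a maximum-prefix limit."""
import ipaddress
import re

# RADB route object quoted on slide 10, reduced to the attributes used here.
RADB_ROUTE_OBJECT = "route: 139.175.0.0/16\norigin: AS4780\nsource: RADB\n"
# Constructed, abbreviated bogon list; a live filter pulls the Cymru feed.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/3")]

def parse_route_objects(rpsl_text):
    """Map each RPSL 'route:' prefix to the AS number of its 'origin:' line."""
    objects, current = {}, None
    for line in rpsl_text.splitlines():
        m = re.match(r"^([\w-]+):\s*(\S+)", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "route":
            current = ipaddress.ip_network(value)
        elif key == "origin" and current is not None:
            objects[current] = int(value.upper().replace("AS", ""))
    return objects

def check_route(prefix, origin_as, route_objects):
    """Return 'accept' or 'reject: <reason>' for one prefix/origin-AS pair."""
    net = ipaddress.ip_network(prefix)
    if any(net.subnet_of(b) for b in BOGONS):
        return "reject: bogon prefix"
    # Registered prefix or a more specific of it: accept only with matching origin
    for registered, asn in route_objects.items():
        if net.subnet_of(registered):
            return "accept" if asn == origin_as else "reject: origin AS mismatch"
    return "reject: no RADB route object"

class PrefixLimitedSession:
    """One neighbour: filter each route, tear the session down over the limit."""
    def __init__(self, route_objects, max_prefixes):
        self.route_objects, self.max_prefixes = route_objects, max_prefixes
        self.accepted, self.state = set(), "established"

    def receive(self, prefix, origin_as):
        verdict = check_route(prefix, origin_as, self.route_objects)
        if verdict == "accept":
            self.accepted.add(prefix)
            if len(self.accepted) > self.max_prefixes:
                self.state = "down"  # BGP maximum-prefix behaviour
                verdict = "reject: prefix limit exceeded"
        return verdict
```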
  • 17. Control plane security. Security issues on an ISP router: event logging. Router event: log everything crucial in your router to a log server. Routing event: IGP event (LSA history; routes add/withdraw history); BGP event (routes add/withdraw).
  • 18. Control plane security. Router event: log everything crucial in your router to a log server, for example:
    Nov 21 06:25:27: %SONET-4-ALARM: POS2/3: SLOS
    Nov 21 06:25:29: %LINK-3-UPDOWN: Interface POS2/3, changed state to down
    Nov 21 06:25:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface POS2/3, changed state to down
    Nov 21 06:26:42: %SONET-4-ALARM: POS2/3: SLOS cleared
    Nov 21 06:26:44: %LINK-3-UPDOWN: Interface POS2/3, changed state to up
    Nov 21 06:26:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface POS2/3, changed state to up
  • 19. Control plane security. Routing event: IGP event (LSA history; routes add/withdraw history). Diagram: LSAs from Area 0 and the local area (via the ABR and a RIP ASBR) are collected as an LSA log on the log server.
  • 20. Control plane security. Routing event: BGP event (routes add/withdraw). Diagram: AS100 peering with AS200 and AS300, with a BGP update log sent to the log server.
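What the log server can do with the router events of slides 17 and 18, as an added example that is not part of the presentation: parse the IOS-style syslog lines quoted on slide 18, pick out the crucial (severity 3 or worse) messages, and measure how long each interface stayed down.

```python
"""Added example for slides 17 and 18: parse the IOS-style syslog lines the
router sends to the log server and measure link outages per interface."""
import re
from collections import defaultdict
from datetime import datetime

# The six log lines shown on slide 18, as received by the log server.
SAMPLE_LOG = """\
Nov 21 06:25:27: %SONET-4-ALARM: POS2/3: SLOS
Nov 21 06:25:29: %LINK-3-UPDOWN: Interface POS2/3, changed state to down
Nov 21 06:25:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface POS2/3, changed state to down
Nov 21 06:26:42: %SONET-4-ALARM: POS2/3: SLOS cleared
Nov 21 06:26:44: %LINK-3-UPDOWN: Interface POS2/3, changed state to up
Nov 21 06:26:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface POS2/3, changed state to up
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d): "
                     r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")
IFACE_RE = re.compile(r"Interface (\S+), changed state to (up|down)")

def parse_log(text, year=2006):
    """Return one dict per %FACILITY-SEVERITY-MNEMONIC message, in order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a syslog message the router emitted; skip it
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
        ev["severity"] = int(ev["severity"])
        events.append(ev)
    return events

def critical_events(events, max_severity=3):
    """Messages at severity 3 (error) or worse: the 'crucial' ones to alert on."""
    return [f"{e['facility']}-{e['severity']}-{e['mnemonic']}"
            for e in events if e["severity"] <= max_severity]

def link_outages(events):
    """Pair each LINK-3-UPDOWN 'down' with the next 'up' on the same interface
    and return {interface: [outage seconds, ...]}."""
    down_at, outages = {}, defaultdict(list)
    for ev in events:
        if ev["facility"] != "LINK" or ev["mnemonic"] != "UPDOWN":
            continue
        iface, state = IFACE_RE.search(ev["text"]).groups()
        if state == "down":
            down_at[iface] = ev["ts"]
        elif iface in down_at:
            outages[iface].append((ev["ts"] - down_at.pop(iface)).total_seconds())
    return dict(outages)
```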
  • 21. Data plane security. Security issues in the ISP network: prevent unauthenticated packet flow; prevent denial of service attacks.
  • 22. Data plane security. Security issues in the ISP network: prevent unauthenticated packet flow. From the Internet: source address from the bogon list; source address spoofing. To the Internet: source address spoofing. Unicast Reverse Path Forwarding (uRPF).
  • 23. Data plane security. Security issues in the ISP network: prevent denial of service attacks. Black hole: drop packets from some BGP nodes. Sink hole: redirect packets to a special node.
  • 24. Data plane security. Black hole: DDoS attack happened!!! (diagram: AS200, AS100, AS300)
  • 25. Data plane security. Black hole: drop packets from some BGP nodes (diagram: AS200, AS100, AS300)
  • 26. Data plane security. Sink hole: DDoS attack happened!!! (diagram: AS200, AS100, AS300)
  • 27. Data plane security. Sink hole: DDoS attack happened!!! Sent some commands to the border router (diagram: AS200, AS100, AS300)
  • 28. Data plane security. Sink hole: redirect packets to a special node (diagram: AS200, AS100, AS300)
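The data plane mechanisms of slides 22 to 28 in one toy forwarding table, as an added example that is not part of the presentation: uRPF on the source address (strict and loose), then a longest-prefix lookup in which a black hole route sends the attacked /32 to the discard interface and a sink hole route sends it to an analysis node. The interface names (cust0, peer0, sink0, Null0) and addresses other than 139.175.0.0/16 are constructed.

```python
"""Added example for slides 22 to 28: a toy forwarding table with uRPF on the
source address and longest-prefix forwarding; a blackhole route sends the
attacked /32 to the discard interface, a sinkhole route to the analysis node."""
import ipaddress

DISCARD = "Null0"  # traffic routed here is dropped (constructed name)

class Fib:
    def __init__(self):
        self.routes = []  # (network, egress interface), longest prefix first
    def add(self, prefix, interface):
        self.routes.append((ipaddress.ip_network(prefix), interface))
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, address):
        """Longest-prefix match; None when the address is not routed at all."""
        addr = ipaddress.ip_address(address)
        return next((iface for net, iface in self.routes if addr in net), None)

    def urpf_ok(self, src, ingress, mode="strict"):
        """Strict: route to src must use the ingress; loose: any non-discard route."""
        iface = self.lookup(src)
        if iface is None or iface == DISCARD:
            return False  # bogon, unrouted or blackholed source address
        return iface == ingress if mode == "strict" else True

    def forward(self, src, dst, ingress, urpf="strict"):
        """Return the egress interface, or the reason the packet is dropped."""
        if not self.urpf_ok(src, ingress, urpf):
            return "drop: spoofed source"
        egress = self.lookup(dst)
        if egress is None or egress == DISCARD:
            return "drop: blackhole"
        return egress

def build_border_router():
    """Constructed AS100 border router: customers on cust0, peers on peer0."""
    fib = Fib()
    fib.add("0.0.0.0/0", "peer0")       # default toward AS200/AS300
    fib.add("139.175.0.0/16", "cust0")  # the customer block from slide 10
    fib.add("192.0.2.0/24", DISCARD)    # bogon space is never routed
    return fib

def trigger_blackhole(fib, victim):
    """Black hole: route the victim /32 to Null0 so its traffic is dropped."""
    fib.add(f"{victim}/32", DISCARD)

def trigger_sinkhole(fib, victim, sink_iface="sink0"):
    """Sink hole: redirect the victim /32 to the analysis node instead."""
    fib.add(f"{victim}/32", sink_iface)
```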
  • 29. Reference. Books: ISP Essentials, http://www.ciscopress.com/title/1587050412. Papers: "Operational Security Current Practices", http://www.ietf.org/internet-drafts/draft-ietf-opsec-current-practices-07.txt. Web sites: http://www.nanog.org/subjects.html#S; http://www.cymru.com/Bogons/; http://www.completewhois.com/bogons/
  • 30. Questions & Comments? sees your needs