2. Agenda
http://www.seed.net.tw
ISP security profile
Control plane security
Data plane security
Reference
2
3. ISP security profile
Two positions to implement security
Physical position
Logical position
At the logical level, deploy security mechanisms on:
Control plane
Data plane
4. ISP security profile
Control plane: management, routing protocols
Data plane: IP/MPLS packets
5. Control plane security
Security issues on ISP router
Secure the router
Keep the routing information secured
Event logging
6. Control plane security
Security issues on ISP router
Secure the router
Keep unauthorized traffic away
Router ACL
» telnet/ssh/IGP/BGP
Out-of-band management
Rate-limit traffic forwarded to the control plane
ICMP/UDP
Use AAA when accessing the router
Authentication
Authorization
Auditing
7. Control plane security
Security issues on ISP router
Keep the routing information secured
Authenticated routing exchange
MD5
Authenticate the route prefixes
RADB
Bogon list
» Cymru Bogon list
» CompleteWhois Bogon list
Limit the number of route prefixes accepted
BGP prefix limitation
17. Control plane security
Security issues on ISP router
Event logging
Router event
Log everything crucial in your router
Log server
Routing event
IGP event
» LSA history
» Route add/withdraw history
BGP event
» Route add/withdraw
18. Control plane security
Router event
Log everything crucial in your router
Log server
Nov 21 06:25:27: %SONET-4-ALARM: POS2/3: SLOS
Nov 21 06:25:29: %LINK-3-UPDOWN: Interface POS2/3, changed state to down
Nov 21 06:25:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface POS2/3, changed state to down
Nov 21 06:26:42: %SONET-4-ALARM: POS2/3: SLOS cleared
Nov 21 06:26:44: %LINK-3-UPDOWN: Interface POS2/3, changed state to up
Nov 21 06:26:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface POS2/3, changed state to up
19. Control plane security
Routing event
IGP event
» LSA history
» Route add/withdraw history
[Diagram: OSPF LSAs flooded between Area 0 and the local area through the ABR and the ASBR (RIP redistribution); the LSA log is exported to the log server]
21. Data plane security
Security issues in ISP network
Prevent unauthenticated packet flows
Prevent denial-of-service attacks
22. Data plane security
Security issues in ISP network
Prevent unauthenticated packet flows
from the Internet
Source address in the bogon list
Source address spoofing
to the Internet
Source address spoofing
Unicast Reverse Path Forwarding (uRPF)
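As an added example (not code from the original slides), a small Python model of the bogon and uRPF checks listed above: a longest-prefix lookup against a FIB, strict mode requiring the route back to the source to leave via the ingress interface, loose mode requiring only that some route exists, and a default route that counts only when allow_default is set (mirroring the allow-default option of router implementations). The FIB, interface names and bogon subset are constructed for the example.

```python
import ipaddress
from typing import Dict, Optional

# Constructed subset of reserved/unallocated ranges, standing in for the
# Cymru or CompleteWhois bogon feeds the slides mention.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed FIB: prefix -> interface the router would use to reach it.
FIB: Dict[ipaddress.IPv4Network, str] = {
    ipaddress.ip_network("203.0.113.0/24"): "Gi0/1",   # customer link
    ipaddress.ip_network("198.51.100.0/24"): "Gi0/2",  # peering link
    ipaddress.ip_network("0.0.0.0/0"): "Pos2/3",       # upstream default
}


def is_bogon(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in BOGONS)


def lookup(fib: Dict[ipaddress.IPv4Network, str], addr: ipaddress.IPv4Address,
           allow_default: bool = False) -> Optional[str]:
    """Longest-prefix match; the default route only counts when allow_default is set."""
    best = None
    for net, iface in fib.items():
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_check(fib, src: str, in_iface: str, mode: str = "strict",
               allow_default: bool = False) -> str:
    """Decide the fate of a packet with source src arriving on in_iface.

    Returns "forward" or a "drop:<reason>" string.
    strict: the route back to src must leave via in_iface (customer/edge links).
    loose:  any route back to src is enough (asymmetric upstream/peer links).
    """
    addr = ipaddress.ip_address(src)
    if is_bogon(addr):
        return "drop:bogon-source"
    route_iface = lookup(fib, addr, allow_default)
    if route_iface is None:
        return "drop:no-route"
    if mode == "strict" and route_iface != in_iface:
        return "drop:urpf-strict"
    return "forward"
```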
23. Data plane security
Security issues in ISP network
Prevent denial-of-service attacks
Black hole
Drop packets from some BGP nodes
Sink hole
Redirect packets to a special node
24. Data plane security
Black hole
DDoS attack happened!!!
[Diagram: DDoS attack traffic flowing across AS100, AS200 and AS300]
25. Data plane security
Black hole
Drop packets from some BGP nodes
[Diagram: AS100, AS200 and AS300 with the black hole applied]