1/7/2015 3rd Annual workshop 2
Efficient utilization comes from:
– A good campus LAN
• Speed; segregation of LANs
• QoS; resilience
• Access controls (L2 and L3)
• NMS
– Good collaboration (national / international)
– Good Internet governance
Beneficiaries: scientists / researchers
1/7/2015 3rd Annual workshop 3
Various Components
• Campus network best practice
• Functions of the different layers
• Firewall/IPS
• AAA / DHCP / DNS
• Server farm
• Security best practices for IPv4 and IPv6
• VPN services
• Gateway services
1/7/2015 3rd Annual workshop 4
Typical Campus Network Architecture
[Diagram: two NKN links (NKN Link 1, NKN Link 2) terminate on edge routers; behind them sit an outer switch, a firewall pair with IPS (one active, one standby), a core switch and a server switch; distribution switches serve the ground, 1st, 2nd and 3rd floors; a DHCP server sits in the server farm. Link types shown: 10G backbone, 10G fibre, 1G fibre, CAT 6a / 7 copper.]
1/7/2015 3rd Annual workshop 5
Security Devices
• Firewall/IPS: integrated stateful-inspection firewall
• Maximizes network security with clear, deterministic L3/L4 policies
• Reputation-based intrusion prevention: identifies the source of, and blocks, denial of service (DoS), distributed denial of service (DDoS) and SYN flood attacks; threat protection up to Layer 7
• Zero-day protection with anomaly detection
• Adoption and use of IPv6
• Remote access VPN solution, providing both VPN client and clientless access
1/7/2015 3rd Annual workshop 6
Some Campus Security Best Practices
• Switches should support dynamic port security, DHCP snooping, dynamic ARP inspection and IP source guard
• Use SSH to access devices instead of Telnet
• Enable AAA and role-based access control (RADIUS/TACACS+) for the CLI on all devices
• Enable syslog to a server; collect and archive the logs
• When using SNMP, use SNMPv3
• Configure access lists to limit who can reach management and CLI services
• Enable control-plane protocol authentication wherever it is available
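The management-plane items in the list above, written out as one configuration. This is an added example in Cisco IOS syntax, not configuration from the workshop or from NKN; the hostname, addresses (RFC 5737 documentation range), VLAN, server names and every key marked PLACEHOLDER are assumptions.

```cisco
! Added example (not from the slides): management-plane hardening of a
! campus switch/router in Cisco IOS syntax. Names, addresses and keys
! are constructed placeholders.
hostname CAMPUS-DIST-1
ip domain-name campus.example
! SSH instead of Telnet: 2048-bit RSA host key, SSH version 2 only
crypto key generate rsa modulus 2048
ip ssh version 2
! AAA: TACACS+ for login, exec and command authorization, local fallback
aaa new-model
tacacs server TAC1
 address ipv4 192.0.2.10
 key PLACEHOLDER_TACACS_KEY
aaa group server tacacs+ MGMT-TACACS
 server name TAC1
aaa authentication login default group MGMT-TACACS local
aaa authorization exec default group MGMT-TACACS local
aaa authorization commands 15 default group MGMT-TACACS local
aaa accounting commands 15 default start-stop group MGMT-TACACS
username admin privilege 15 secret PLACEHOLDER_LOCAL_SECRET
! Syslog to a collector, with timestamps an archive can correlate on
service timestamps log datetime msec localtime show-timezone
logging host 192.0.2.20
logging trap informational
! SNMPv3 only: authenticated (SHA) and encrypted (AES-128), read-only group
snmp-server group NMS-RO v3 priv
snmp-server user nmsuser NMS-RO v3 auth sha PLACEHOLDER_AUTH priv aes 128 PLACEHOLDER_PRIV
! Access list: only the NOC subnet may reach the CLI; log everything else
ip access-list standard MGMT-ACCESS
 permit 192.0.2.0 0.0.0.255
 deny   any log
line vty 0 4
 access-class MGMT-ACCESS in
 transport input ssh
 exec-timeout 10 0
! Control-plane protocol authentication (OSPF MD5 on the routed VLAN)
interface Vlan100
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 PLACEHOLDER_OSPF_KEY
```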
1/7/2015 3rd Annual workshop 7
Layer 2 Snoop Attack
Problem: an attacker floods the switch CAM table with bogus MACs (400,000 bogus MACs per second), turning the VLAN into a hub and eliminating privacy.
Solution: port security limits the MAC flooding attack. Only three MAC addresses are allowed on the port; on violation the switch locks down (shuts down) the port and sends an SNMP trap.
1/7/2015 3rd Annual workshop 8
DHCP Snooping
• DHCP requests (discover) and responses (offer) are tracked
• Rate-limit requests on trusted interfaces; limits DoS attacks on the DHCP server
• Deny responses (offers) on untrusted interfaces; stops a malicious or errant DHCP server
[Diagram: (1) a client sends thousands of DHCP requests to overrun the DHCP server; (2) the switch rate-limits them before they reach the server.]
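The Layer 2 controls from the port security and DHCP snooping slides above (and the switch-feature bullet on the best-practices slide), as one access-switch configuration. This is an added example in Cisco IOS syntax, not NKN's configuration; the VLAN number, interface names, rate and aging values are assumptions, and the request rate limit is applied on the untrusted user ports, which is where IOS enforces it.

```cisco
! Added example (not from the slides): Layer 2 protections on a Cisco IOS
! access switch. VLAN, interface names and numeric limits are constructed.
! --- DHCP snooping: track DISCOVER/OFFER; only the uplink is trusted ---
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
interface GigabitEthernet1/0/48
 description Uplink to distribution (DHCP server side)
 ip dhcp snooping trust
 ip arp inspection trust
interface range GigabitEthernet1/0/1 - 47
 description User access ports (untrusted: DHCP OFFERs are dropped here)
 switchport mode access
 switchport access vlan 10
 ! Limit DISCOVERs to 15 pps so one host cannot overrun the DHCP server
 ip dhcp snooping limit rate 15
 ! --- Port security: at most three MACs, shut the port on violation ---
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation shutdown
 switchport port-security aging time 10
 ! --- IP Source Guard: only IP/MAC pairs in the snooping binding pass ---
 ip verify source
! --- Dynamic ARP Inspection, validated against the snooping bindings ---
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
! SNMP trap when port security shuts a port down
snmp-server enable traps port-security
! Recover a port shut by a violation after 5 minutes (without this,
! an operator must bounce the port manually)
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```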
1/7/2015 3rd Annual workshop 9
AAA server
• Strengthens security: enforces consistent security policy, ensures endpoint health, delivers a secure network fabric
• Supports compliance: enables corporate governance through consistent access policy for all users and devices
• Increases efficiency: reduces IT overhead through centralized identity management and integrated policy enforcement
1/7/2015 3rd Annual workshop 10
Multi-Homing
• Basic requirements
– Owned IP address space (v4 or v6)
– An ASN (16-bit or 32-bit)
– Service providers capable of running BGP
– A router capable of BGP and of holding the routes
– Trained manpower
1/7/2015 3rd Annual workshop 11
1/7/2015 3rd Annual workshop 12
What is an MPLS-VPN?
• An IP network infrastructure delivering private network services over a public infrastructure
– Uses a layer 3 backbone
– Scalability, easy provisioning
– Global as well as non-unique private address space
– QoS
– Controlled access
– Easy configuration
1/7/2015 3rd Annual workshop 13
1/7/2015 3rd Annual workshop 14
NKN MPLS for CUG
[Diagram: Institute #1 and Institute #2 connect over the NKN backbone via the state router (State TN). On each institute LAN an 802.1Q trunk carries VLANs, and each sub-interface is associated with a different VPN: VLAN1 = VPN Green, VLAN2 = Blue, VLAN3 = Red. The VPN contents shown are multi-VRF video/audio, intra-VPN Internet, DC and cloud.]
1/7/2015 3rd Annual workshop 15
Layer 2 Extensions
1/7/2015 3rd Annual workshop 16
[Diagram: sites #2 to #11, several with VC equipment, interconnected over a Layer 2 extension.]
End to End QoS
1/7/2015 3rd Annual workshop 17
Inter Service Provider QoS
[Diagram, three panels of providers A to E:]
• MPLS VPNs: many QoS-enabled islands, no inter-provider QoS
• The Internet: richly interconnected providers, no QoS
• Goal: richly connected AND QoS-enabled
1/7/2015 3rd Annual workshop 18
Defense Depth and Breadth Security
[Diagram: the Internet and transit ASes (AS1, AS2, AS3) connect through the NKN core network to the enterprise network (e-mail and web servers, remote access systems, internal assets and servers), overseen by the Network Operations Center (NOC); X marks the enforcement points at the edge and core.]
Edge: interface ACLs, Unicast RPF, flexible packet matching, IP option filtering, marking/rate-limiting, routing techniques, eBGP techniques, ICMP techniques
Core: receive ACLs, CoPP, ICMP techniques, QoS techniques, routing techniques
Device hardening (heading not on the slide): disable unused services, protocol-specific filters, password security, SNMP security, remote terminal access security, system banners, AAA, network telemetry, secure file systems
1/7/2015 3rd Annual workshop 19
Using Strict Mode uRPF to Battle BOTNETs
[Diagram: the NKN backbone with access POPs serving many NKN partners; a target is reached through several ISPs. uRPF strict mode is enabled on the NKN partner edge, and the NOC uses a BGP trigger community for SRTBH (source-based remotely triggered black holing) on the NKN partner edge.]
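The two controls on the slide above, strict uRPF on the partner edge and a BGP-community-triggered source black hole, as one configuration pair. This is an added example in Cisco IOS syntax, not NKN's configuration; the ASN (RFC 6996 private range), community value, addresses (RFC 5737 documentation ranges) and interface names are assumptions.

```cisco
! Added example (not NKN's configuration): strict uRPF plus source-based
! RTBH triggered by a BGP community, Cisco IOS syntax. ASN, community,
! addresses and interfaces are constructed placeholders.
ip bgp-community new-format
! === NKN partner edge router ===
! Strict uRPF: drop a packet unless the best route to its source points
! back out the receiving interface (assumes symmetric partner routing)
interface GigabitEthernet0/1
 description Link to NKN partner institute
 ip verify unicast source reachable-via rx
! Blackhole next hop: anything routed to 192.0.2.1 is discarded
ip route 192.0.2.1 255.255.255.255 Null0
! Routes carrying the trigger community get the discard next hop, so
! strict uRPF then fails for packets sourced from that prefix (SRTBH)
ip community-list standard BLACKHOLE permit 64512:666
route-map RTBH-IN permit 10
 match community BLACKHOLE
 set ip next-hop 192.0.2.1
 set local-preference 200
route-map RTBH-IN permit 20
router bgp 64512
 neighbor 198.51.100.1 remote-as 64512
 neighbor 198.51.100.1 description NOC trigger router
 neighbor 198.51.100.1 route-map RTBH-IN in
! === NOC trigger router ===
! Operator adds a tagged /32 static for the attacking source; removing
! the static route withdraws the prefix and ends the black hole
ip route 203.0.113.77 255.255.255.255 Null0 tag 666
route-map RTBH-OUT permit 10
 match tag 666
 set community 64512:666
router bgp 64512
 neighbor 198.51.100.2 remote-as 64512
 neighbor 198.51.100.2 description NKN partner edge
 neighbor 198.51.100.2 send-community
 redistribute static route-map RTBH-OUT
```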
1/7/2015 3rd Annual workshop 20
Utilization of Few Members
[Graphs: link utilization for INSTITUTE-1 and INSTITUTE-2]
1/7/2015 3rd Annual workshop 21
[Graphs: link utilization for INSTITUTE-3 and INSTITUTE-4]
1/7/2015 3rd Annual workshop 22
High Packet Per Sec DoS ATTACK
1/7/2015 3rd Annual workshop 23
HIGH BANDWIDTH DoS ATTACK
1/7/2015 3rd Annual workshop 24
GATEWAY STATS
1/7/2015 3rd Annual workshop 25
RELAY SERVICE
1/7/2015 3rd Annual workshop 26
DNS Cache Servers
The server IP is 14.139.5.5 (anycast)
Contact us: [email protected]
[Diagram: institutes send DNS requests to the cache servers in the NKN cloud and receive replies.]
1/7/2015 3rd Annual workshop 27
DNS Zone Servers
[Diagram: the institute's DNS server transfers the Domain.ac.in zone to the zone servers in the NKN cloud; queries for Domain.ac.in from the Internet, via the DNS root servers, are answered by the NKN zone servers.]
1/7/2015 3rd Annual workshop 28
Thank You & Happy NKN
Project Implementation Unit National Knowledge Network National Informatics Centre
3rd Floor, Block III, Delhi IT Park, Shastri Park, New Delhi - 110053
CONTACT NKN: 1800 111 555 [email protected]