Campus LAN at NKN Member Institutions - Fourth Annual...

Post on 14-May-2018


1/7/2015 3rd Annual workshop 1

Campus LAN at NKN Member Institutions

RS MANI rsm@nkn.in


Efficient utilization (by scientists/researchers)

Comes from:

– A good campus LAN

• Speed, segregation of LANs

• QoS, resilience

• Access controls (L2 and L3)

• NMS

– Good collaboration (national/international)

– Good Internet governance


Various Components

• Campus network best practice

• Functions of the different layers

• Firewall/IPS

• AAA / DHCP / DNS

• Server farm

• Security best practices (IPv4 & IPv6)

• VPN services

• Gateway services


Typical Campus Network Architecture

(diagram: two NKN links terminating on a pair of edge routers; firewall with IPS in active/standby; outer switch; core switch on a 10G backbone; distribution switches serving users on the ground, 1st, 2nd and 3rd floors over 10G and 1G fibre, with CAT 6a/7 copper to the desk; server switch and DHCP server)


Security Devices

• Firewall/IPS: integrated stateful inspection firewall

• Maximizes network security with clear, deterministic L3/L4 policies

• Reputation-based intrusion prevention: identifies the source of, and blocks, denial of service (DoS), distributed denial of service (DDoS) and SYN flood attacks, with threat protection up to Layer 7

• Zero-day protection with anomaly detection

• Adoption and use of IPv6

• Remote access VPN solution providing both VPN client and clientless access


Some Campus Security Best Practices

• Switches should support dynamic port security, DHCP snooping, Dynamic ARP Inspection and IP Source Guard

• Use SSH to access devices instead of Telnet

• Enable AAA and role-based access control (RADIUS/TACACS+) for the CLI on all devices

• Enable syslog to a server; collect and archive the logs

• When using SNMP, use SNMPv3

• Configure access lists to limit who can reach management and CLI services

• Enable control-plane protocol authentication wherever it is available


Layer 2 Snoop Attack

Problem: an attacker floods the switch CAM table with bogus MACs (400,000 bogus MACs per second), turning the VLAN into a hub and eliminating privacy.

Solution: port security limits the MAC flooding attack; with only three MAC addresses allowed on the port, the switch locks down (shuts down) the port and sends an SNMP trap.

(diagram: two hosts, 00:0e:00:aa:aa:aa and 00:0e:00:bb:bb:bb, on the same switch)
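The port-security behaviour on this slide, modelled as an added example (not configuration or code from the workshop): a constructed access port learns at most three secure MACs, and the first frame from a fourth MAC either err-disables the port and raises a trap (shutdown) or is silently dropped and counted (restrict). The port name and MAC values are constructed.

```python
from dataclasses import dataclass, field

# Constructed model of a switch access port with port security enabled
# (added example; not the slides' configuration). The port learns source
# MACs into the CAM table and, once more than `maximum` distinct MACs are
# seen, applies the violation action: "shutdown" err-disables the port and
# raises a trap, the behaviour the slide describes.


@dataclass
class SecurePort:
    name: str
    maximum: int = 3             # slide: only three MAC addresses allowed
    violation: str = "shutdown"  # or "restrict": drop, count, keep port up
    learned: set = field(default_factory=set)
    err_disabled: bool = False
    violations: int = 0
    traps: list = field(default_factory=list)

    def receive(self, src_mac: str) -> str:
        """Process one ingress frame; return what the switch did with it."""
        if self.err_disabled:
            return "dropped:port-err-disabled"
        src_mac = src_mac.lower()
        if src_mac in self.learned:
            return "forwarded"
        if len(self.learned) < self.maximum:
            self.learned.add(src_mac)  # secure MAC, CAM entry created
            return "forwarded:learned"
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True
            self.traps.append(f"port-security violation on {self.name} by {src_mac}")
            return "dropped:shutdown"
        return "dropped:restrict"


def cam_entries_after_flood(port: SecurePort, n_bogus: int) -> int:
    """Feed n_bogus distinct constructed MACs; return CAM entries held.

    Without port security the table would grow by n_bogus entries; with it
    the table never exceeds `maximum`, so the VLAN cannot become a hub.
    """
    for i in range(n_bogus):
        port.receive(f"00:0e:00:{(i >> 16) & 0xff:02x}:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}")
    return len(port.learned)
```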


DHCP Snooping

• DHCP requests (discover) and responses (offer) are tracked

• Rate-limit requests on trusted interfaces; limits DoS attacks on the DHCP server

• Deny responses (offers) on non-trusted interfaces; stops a malicious or errant DHCP server

(diagram, steps 1 and 2: thousands of DHCP requests sent to overrun the DHCP server)
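The three DHCP snooping rules above, as an added example (not code or configuration from the workshop): a constructed switch model that drops server messages arriving on untrusted ports, rate-limits client requests per interface over a one-second window, and records completed leases in a binding table. Interface names, the 15 pps limit and the addresses are constructed; the model applies a rate limit to whichever interfaces are given one, rather than only to trusted ones.

```python
import time
from collections import defaultdict, deque

# Constructed model of DHCP snooping on an access switch (added example, not
# the slides' configuration). Interfaces are trusted (toward the DHCP server)
# or untrusted (user ports). Server messages (OFFER/ACK/NAK) arriving on an
# untrusted port are dropped, which stops a rogue or errant DHCP server, and
# client requests are rate-limited per interface so a flood of requests
# cannot overrun the real server.

SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


class DhcpSnooping:
    def __init__(self, trusted, rate_limit_pps):
        self.trusted = set(trusted)        # e.g. uplink toward the server
        self.limit = dict(rate_limit_pps)  # interface -> max client msgs/sec
        self.window = defaultdict(deque)   # interface -> recent timestamps
        self.err_disabled = set()
        self.bindings = {}                 # client MAC -> (ip, interface)

    def inspect(self, iface, msg_type, client_mac, yiaddr=None, now=None):
        """Return 'forward' or a drop reason for one DHCP message."""
        now = time.monotonic() if now is None else now
        if iface in self.err_disabled:
            return "drop:err-disabled"
        if msg_type in SERVER_MSGS:
            if iface not in self.trusted:
                return "drop:server-msg-on-untrusted"
            if msg_type == "ACK" and yiaddr:
                # completed lease: record the binding (used by DAI / IP Source Guard)
                self.bindings[client_mac] = (yiaddr, iface)
            return "forward"
        if msg_type in CLIENT_MSGS and iface in self.limit:
            q = self.window[iface]
            while q and now - q[0] >= 1.0:   # keep a 1-second sliding window
                q.popleft()
            if len(q) >= self.limit[iface]:
                self.err_disabled.add(iface)  # rate exceeded: err-disable port
                return "drop:rate-limit"
            q.append(now)
        return "forward"
```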


AAA server

Supports compliance: enforce consistent security policy, ensure endpoint health, deliver a secure network fabric

Strengthens security: enables corporate governance through consistent access policy for all users and devices

Increases efficiency: reduces IT overhead through centralized identity management and integrated policy enforcement


Multi-Homing

• Basic requirements

– Own IP address space (v4 or v6)

– An AS number (16-bit or 32-bit)

– Service providers capable of doing BGP

– A router capable of running BGP and holding the routes

– Trained manpower


What is an MPLS-VPN?

• An IP network infrastructure delivering private network services over a public infrastructure

– Uses a layer 3 backbone

– Scalability, easy provisioning

– Global as well as non-unique private address space

– QoS

– Controlled access

– Easy configuration


NKN MPLS for CUG

(diagram: Institute #1 and Institute #2 connect their LANs to the NKN backbone through a state router; each institute LAN is carried as 802.1Q VLANs (VLAN1 = VPN Green, VLAN2 = Blue, VLAN3 = Red), with each sub-interface associated with a different VPN (multi-VRF); the VPNs carry video/audio, intra-VPN Internet, DC and cloud contents)


Layer 2 Extensions


End to End QoS

(diagram: VC equipment at sites #2 to #11 connected across the network)


Inter Service Provider QoS

(diagram: providers A to E)

• MPLS VPNs: many QoS-enabled islands, no interprovider QoS

• The Internet: richly interconnected providers, no QoS

• Goal: richly connected AND QoS-enabled


Defense Depth and Breadth Security

(diagram: Internet transit ASes AS1, AS2 and AS3 connecting to the enterprise network and the NKN core network; e-mail and web servers, remote access systems, internal assets and servers, and the Network Operations Center (NOC); techniques applied at the core and at the edge)

Edge: interface ACLs, unicast RPF, flexible packet matching, IP option filtering, marking/rate-limiting, routing techniques, eBGP techniques, ICMP techniques

Core: receive ACLs, CoPP, ICMP techniques, QoS techniques, routing techniques

Device hardening: disable unused services, protocol-specific filters, password security, SNMP security, remote terminal access security, system banners, AAA, network telemetry, secure file systems


Using Strict Mode uRPF to Battle BOTNETs

(diagram: NKN backbone with access POPs serving many NKN partners, external ISPs and a target under attack)

• uRPF strict mode on the NKN partner edge

• BGP trigger community from the NOC – SRTBH (source-based remotely triggered black hole) on the NKN partner edge
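The uRPF check as applied on a partner-facing edge interface, written as an added example (not NKN configuration or code): a constructed FIB, a longest-prefix lookup, and strict versus loose mode. Following the usual router behaviour, a default route does not vouch for a source unless allow_default is set, so traffic with spoofed addresses from outside the partner's own prefix fails the strict check. The prefixes, interface names and addresses are constructed; the same code handles IPv6 because it relies on the ipaddress module.

```python
import ipaddress

# Constructed model of unicast Reverse Path Forwarding (added example; not
# NKN configuration). The FIB maps prefixes to the interface they are reached
# through. Strict mode accepts a packet only if the best route back to its
# source address points out the interface it arrived on; loose mode only
# requires that some route exists. Spoofed source addresses, typical of
# botnet DDoS traffic, fail the check at the partner edge and are dropped.

FIB = {  # constructed routing table of an NKN partner-edge router
    "10.10.0.0/16": "Gi0/1",  # partner campus behind Gi0/1
    "10.20.0.0/16": "Gi0/2",  # second partner behind Gi0/2
    "0.0.0.0/0": "Gi0/0",     # default route toward the NKN backbone
}


def lookup(fib, addr):
    """Longest-prefix match: return (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib, src, ingress, mode="strict", allow_default=False):
    """Return 'pass' or 'drop:<reason>' for a packet from src on ingress."""
    match = lookup(fib, src)
    if match is None:
        return "drop:no-route"
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        # a default route must not vouch for arbitrary source addresses
        return "drop:only-default-route"
    if mode == "loose":
        return "pass"
    return "pass" if iface == ingress else f"drop:reverse-path-is-{iface}"
```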


Utilization of Few Members

(utilization figures for INSTITUTE-1, INSTITUTE-2, INSTITUTE-3 and INSTITUTE-4)

High Packet Per Sec DoS ATTACK

HIGH BANDWIDTH DoS ATTACK

GATEWAY STATS

RELAY SERVICE

DNS Cache Servers

The server IP is 14.139.5.5 (anycast)

Contact us: support.dns@nkn.in

(diagram: DNS requests from institutes answered by the cache servers in the NKN cloud)


DNS Zone Servers

(diagram: the institute's DNS server transfers the Domain.ac.in zone to NKN; queries for Domain.ac.in arriving from the Internet via the DNS root servers are then answered from the NKN cloud)


Thank You & Happy NKN

Project Implementation Unit National Knowledge Network National Informatics Centre

3rd Floor, Block III, Delhi IT Park, Shastri Park, New Delhi - 110053

CONTACT NKN: 1800 111 555 piu@nkn.in

support@nkn.in