20050719-Security-Cotter


Abilene Transit Security Policy
Joint Techs Summer ’05
Vancouver, BC, CA
Steve Cotter
Director, Network Services
[email protected]
Basic Premise
Policy is determined by the basic properties of an IP
network:
• Control is at the edge
• Hosts determine when and where to send packets and
initiate flows
• This control often leads to vulnerabilities
• Hosts can become compromised
• Hosts may be used to compromise other hosts
• Can lead to large amounts of traffic sent to other hosts
As a backbone network, we view Abilene as a
‘pipe’ and not a controlling entity
Network Control
The Abilene backbone does have the means to apply
some control across the network:
• Possible to block traffic on some ports
• Possible to block all traffic from a particular IP address
Security Policy #1: Abilene does not unilaterally filter
traffic on a network-wide basis unless the network
itself is under attack.
Scenario: Compromised hosts use port 135 to
propagate a virus to infect other hosts.
• Abilene would not unilaterally block that port
• That function is handled more efficiently at the edge
• Had the routers or switches themselves been under attack,
Abilene would have blocked that traffic immediately
Filtering Traffic
The Abilene backbone will filter traffic in some situations:
• If one or more hosts on a connector or peer were under attack
• If requested by an institution, peer or connector
([email protected], 317-278-6622)
Security Policy #2: Abilene will filter traffic to a connector or peer
if requested by that particular connector or peer network,
filtering the appropriate traffic through the connection in
question.
• Abilene will make every possible attempt to authenticate those
making requests for traffic filtering through interconnection
points.
• Abilene’s method for blocking this traffic is our BGP Discard
Routing procedure
Filtering Traffic
Abilene reserves the right to protect itself and its
connectors / peers from other connectors and peers.
• If a threat to the network exists through a particular
connector, Abilene reserves the right to filter that traffic
• Ultimately, Abilene could disconnect the offending connector
or peer
Security Policy #3: Abilene reserves the right to filter
all traffic or terminate any connection if it is under
attack.
• Every attempt will be made to contact the network in
question to discuss various options and alternatives.
Research and Education Information
Sharing Analysis Center (REN-ISAC)
The REN-ISAC supports higher education and the
research community by:
• Providing advanced security services to national supporting
networks
• Supporting efforts to protect the national cyberinfrastructure by
participating in the formal sector ISAC infrastructure
Security Policy #4: Abilene will report all known
incidents of security threats to the REN-ISAC
• Determining what traffic is a security threat is a
network research problem. A measurement
infrastructure is part of Abilene’s network operations
(Abilene Observatory).
Data Collection
Abilene collects flow statistics on a sampling basis that
could potentially identify source and destination
addresses and ports
• This data is anonymized (the 11 low-order bits of every IP
address are zeroed out, so only a /21 prefix survives) before it is
saved to disk
• For privacy reasons, Abilene does not collect data pertaining
to communications between identifiable hosts
• However, the un-anonymized flow data could identify compromised hosts
Security Policy #5: During times of security attacks,
the REN-ISAC can un-anonymize data, but only the
data related to the attack itself. The resulting data is
re-anonymized as soon as possible after the attack is
understood.
Data Analysis
Information derived from analysis of the flow data that
identifies specific institutions or hosts is treated as
confidential information.
Security Policy #6: Institutions may request the specific
sources of cyber security attacks located on their
respective networks. Only security-related information
will be reported to the institutions.
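The anonymization step described on the Data Collection slide, as an added example in Python (not Abilene's own collector code): it zeroes the 11 low-order bits of each IPv4 address in a sampled flow record before the record is written, then shows what a later analysis of the stored records can still recover. The FlowRecord layout, the function names and the sample flows (documentation addresses, not captured traffic) are all assumptions made for the example.

```python
"""Anonymization of sampled flow records: zero the 11 low-order bits of
every IPv4 address before the record is saved (added example, not
Abilene's collector code)."""
import ipaddress
from dataclasses import dataclass, replace as dc_replace

LOW_BITS = 11                                   # bits zeroed per the slide
PREFIX_LEN = 32 - LOW_BITS                      # what survives: a /21
MASK = (0xFFFFFFFF << LOW_BITS) & 0xFFFFFFFF    # 0xFFFFF800


@dataclass(frozen=True)
class FlowRecord:            # hypothetical sampled-flow layout
    src: str
    dst: str
    sport: int
    dport: int
    packets: int


def anonymize_ipv4(addr: str) -> str:
    """Zero the low-order bits; the host's identity inside its /21 is gone."""
    raw = int(ipaddress.IPv4Address(addr))
    return str(ipaddress.IPv4Address(raw & MASK))


def anonymize(record: FlowRecord) -> FlowRecord:
    """Ports and counters are kept; only the addresses are masked."""
    return dc_replace(record,
                      src=anonymize_ipv4(record.src),
                      dst=anonymize_ipv4(record.dst))


def same_prefix(a: str, b: str) -> bool:
    """True when two hosts are indistinguishable after anonymization."""
    return anonymize_ipv4(a) == anonymize_ipv4(b)


def write_anonymized(records):
    """Everything that reaches disk goes through anonymize() first."""
    return [anonymize(r) for r in records]


def sources_by_prefix(records, dport):
    """Aggregate masked flows to one destination port by source /21.

    This is the most a later analysis of the stored data can say: which
    network the suspicious traffic came from, never which host.
    """
    counts = {}
    for r in write_anonymized(records):
        if r.dport == dport:
            key = f"{r.src}/{PREFIX_LEN}"
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample (documentation addresses, not captured traffic):
# two hosts in one /24 and one host elsewhere, all sending to port 135.
SAMPLE = [
    FlowRecord("192.0.2.77", "198.51.100.9", 3456, 135, 12),
    FlowRecord("192.0.2.201", "198.51.100.9", 3457, 135, 15),
    FlowRecord("203.0.113.5", "198.51.100.9", 3458, 135, 9),
]

if __name__ == "__main__":
    for r in write_anonymized(SAMPLE):
        print(r)
    print(sources_by_prefix(SAMPLE, 135))
```

Two points follow from the code. First, the two hosts in 192.0.2.0/24 collapse to the same masked source, so the stored data can point at a /21 (an institution or a group of small connectors sharing that block) but not at a machine. Second, zeroing bits is one-way: nothing on disk can be reversed, so the un-anonymization this slide allows the REN-ISAC to perform during an attack has to start from data captured before the mask was applied.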
Abilene data is meant to supplement, not replace, data
collected by individual institutions or connectors.
Internet2 strongly encourages institutions to collect
their own data, potentially providing a greater degree
of specificity to particular security problems.
BGP Discard Routing
Connectors can advertise routes to Abilene via BGP for which all
traffic to those routes will be discarded by the Abilene routers.
This is useful during a DoS attack because the traffic can be
dropped before it crosses the link to the connector.
Here are a few important points:
• Discard routes will NOT be accepted for routes larger than a /24
(prefix length shorter than 24 bits)
• There is no way to place a limit on the number of discard routes
a connector can advertise. The limit on the total number of
routes a connector can advertise is currently 3,000.
• Abilene's default policy is to not accept routes smaller (more
specific) than a /27. Some exceptions to this policy have been made;
for those /28 and smaller routes, it is not possible to announce
more specific discard routes.
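The acceptance rules on this slide, worked through as an added Python example (not Abilene's router configuration): each announcement from a connector is checked against the /24 ceiling for discard routes, the default /27 floor, the 3,000-route limit, and the per-connector exception for routes smaller than a /27. The slide does not say how a discard route is signalled (community, next-hop or otherwise), so the example carries a plain `discard` flag; the rule that a discard route must sit inside space the same connector already announces normally is an assumption added here, not something the slide states. The sample announcements use documentation prefixes.

```python
"""Acceptance check for connector announcements, following the constraints
on the BGP Discard Routing slide (added example, not Abilene's policy
configuration)."""
import ipaddress

MAX_ROUTES = 3000       # total routes one connector may advertise
DISCARD_MIN_LEN = 24    # discard routes larger than a /24 are not accepted
DEFAULT_MAX_LEN = 27    # default policy: nothing smaller than a /27 is accepted


def check_announcement(prefix, discard, accepted, max_len=DEFAULT_MAX_LEN):
    """Decide whether one announcement from a connector is accepted.

    prefix   -- e.g. "192.0.2.0/26"
    discard  -- True if the connector wants traffic to this prefix dropped
                (how this is signalled in BGP is not on the slide)
    accepted -- list of (ipaddress.IPv4Network, discard) already accepted
                from the same connector
    max_len  -- longest prefix accepted as a normal route (27 by default;
                raised per connector where Abilene granted an exception)
    Returns (accept, reason).
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4:
        return False, "example handles IPv4 only"
    if len(accepted) >= MAX_ROUTES:
        return False, f"connector already at the {MAX_ROUTES}-route limit"
    if discard:
        if net.prefixlen < DISCARD_MIN_LEN:
            return False, f"discard route larger than a /{DISCARD_MIN_LEN}"
        if net.prefixlen > DEFAULT_MAX_LEN:
            # Even where /28 and smaller normal routes were excepted, no
            # more-specific discard route can be announced for them.
            return False, f"discard route more specific than a /{DEFAULT_MAX_LEN}"
        # Assumption (not stated on the slide): a discard route must sit
        # inside address space the same connector already announces
        # normally, so one connector cannot black-hole another's traffic.
        if not any(not d and net.subnet_of(n) for n, d in accepted):
            return False, "discard route not covered by a normal route from this connector"
        return True, "discard route accepted; traffic dropped on Abilene routers"
    if net.prefixlen > max_len:
        return False, f"route smaller than a /{max_len}"
    return True, "route accepted"


def apply_policy(announcements, max_len=DEFAULT_MAX_LEN):
    """Run a connector's announcements through the checks, in order."""
    accepted, decisions = [], []
    for prefix, discard in announcements:
        ok, reason = check_announcement(prefix, discard, accepted, max_len)
        if ok:
            accepted.append((ipaddress.ip_network(prefix), discard))
        decisions.append((prefix, discard, ok, reason))
    return decisions


# Constructed announcements from a hypothetical connector
# (documentation prefixes, not real routes).
SAMPLE = [
    ("192.0.2.0/24", False),     # normal route for the connector's space
    ("192.0.2.0/26", True),      # discard: a DoS target inside that /24
    ("192.0.2.0/23", True),      # discard: larger than a /24, refused
    ("192.0.2.64/28", True),     # discard: smaller than a /27, refused
    ("198.51.100.0/25", True),   # discard: space this connector does not announce
    ("203.0.113.0/28", False),   # normal /28: refused unless an exception exists
]

if __name__ == "__main__":
    for prefix, discard, ok, reason in apply_policy(SAMPLE):
        kind = "discard" if discard else "normal "
        print(f"{kind} {prefix:18} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

Running it with `max_len=28` models a connector that was granted the /28 exception: the normal /28 is then accepted, but a /29 discard route underneath it is still refused, which is the last bullet on the slide.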
Abilene Information
• For more Information:
• http://abilene.internet2.edu
• http://abilene.internet2.edu/observatory/
• http://abilene.internet2.edu/security/
• Or contact us at:
• [email protected], [email protected], [email protected]