Cisco security technology exchange slides: carrier network security architecture solutions (courseware)

Carrier network security architecture solutions: the Clean Pipe service solution

Agenda
- What is Clean Pipe
- Clean Pipe technical implementation
- Clean Pipe deployment models
- Clean Pipe service examples

Latest trends in Internet DDoS attacks
- More than 800 million people now use the Internet, and e-commerce has created an unprecedented dependence on it.
- Broadband puts ever more home PCs online; these PCs lack security measures and are easily taken over.
- Most attacks come from several countries at once, which makes them harder to trace and to defend against.
- DDoS affects every kind of online business: banking, healthcare, government, manufacturing, retail, leisure and travel, sports sites, online gaming.
- Attacks used for extortion are increasing: 4% last year, 16% this year, with demands ranging from USD 10,000 to several million.

Botnets make DDoS attacks easier
(Diagram: CE (customer edge) devices under attack: servers, firewalls, routers; the bot controller; last-mile connection; ISP; "botnets for rent".)
- A botnet is a network of compromised, remotely controlled zombie PCs that, under the command of a central controller, can launch an attack against any target.
- Botnets can launch many kinds of DDoS attack: ICMP attacks, TCP attacks, UDP attacks and HTTP overload.
- A small botnet controls roughly a thousand machines; a large one may control tens of thousands.
- Both the number and the size of botnets are growing.

Network layers affected by DDoS attacks
- Application/server: the attack exhausts the host's TCP/HTTP resources, stalling the application so that the server stops responding to legitimate requests.
- Bandwidth: attack traffic fills the links and crowds out legitimate traffic.
- Network infrastructure: the targets may be routers, DNS/DHCP servers and similar devices, breaking network connectivity.
- Collateral damage: hosts used as attack sources are affected as well.

"[Clean Pipes] is part of the network security protection system; it keeps legitimate services and critical components available while a DDoS attack is under way."

© 2003 Cisco Systems, Inc. All rights reserved.

Clean Pipes: a DDoS protection solution
Clean Pipes is a security solution that protects customer traffic and network connectivity against DDoS attacks. Its basic goal is to remove malicious attack traffic while the application is under threat and to deliver only legitimate application traffic. ("Clean Pipes" functional description and definition.)

Stage two: attack detection
(Diagram: peering point, core router, enterprise and hosting provider. Infrastructure protection at each tier: BGP security, RTBH, uRPF, RTRL/QPPB, RACL, iACL, CoPP, stack protection, sink holes, uRPF ingress and egress filtering. Detection sources: NetFlow at the peering point and in the core, third-party detectors, IDS/IPS and the Cisco Detector at the enterprise and hosting sites.)

Stage three: attack mitigation
(Diagram: the same topology plus a cleaning center with the Cisco Guard: diversion of traffic to the Guard, packet inspection and cleaning, and re-injection of the cleaned traffic.)

Clean Pipe operational flow
Proactive anomaly monitoring -> traffic anomaly? No: keep learning the normal traffic characteristics and building the policy baseline. Yes: divert the affected traffic to the cleaning center -> legitimate data? No: discard. Yes: re-inject the legitimate data into the network.
Stages: Defend & Learn, Detection, Diversion, Cleaning, Re-injection.

Defense/Learning stage
- Defense: protect the network infrastructure with NFP (Network Foundation Protection).
- Learning: build a model of normal traffic, in order to know (1) what good traffic looks like for a given customer and (2) what characterizes attack traffic.

Defense foundation: Network Foundation Protection
Protect the network infrastructure so that service delivery is continuous.
- Control plane: defense-in-depth protection for the routing control plane. Technologies: receive ACLs, control plane policing, iACLs, neighbor authentication, BGP best practices.
- Data plane: detect traffic anomalies and respond to attacks in real time. Technologies: NetFlow, IP source tracker, ACLs, uRPF, RTBH, QoS tools.
- Management plane: secure and continuous management of the Cisco IOS network infrastructure. Technologies: CPU and memory thresholding, dual-export syslog, image verification, SSHv2, SNMPv3, security audit, CLI views.
Before any other security policy is enforced, the network infrastructure itself must be well protected.

Learning: traffic profiling and policy building
Knowledge of the network's normal traffic is the basis for detecting attacks; learning the traffic builds the normal-traffic model. An anomaly is the appearance of traffic characteristics that differ from that model.
- Step 1, policy construction: detect the basic service types present and decide which policies to activate. This takes about one hour.
- Step 2, threshold setting: based on the activated policies, set thresholds from the customer's traffic profile, i.e. define the traffic limits. This normally takes 24 hours.
(Process cycle: Detect, Divert, Defend, Mitigate, Inject; proactively looking for traffic anomalies.)

Part two: the attack detection stage
Several ways to detect DoS attacks:
- Cisco Detector
- NetFlow collection and analysis devices
- IDS/IPS systems
- Network security information management systems
- SNMP monitoring of the protected target, e.g. CPU overload
- Discovery by the customer (passive); currently the most common method

1. Detecting attacks with the Cisco Detector
The Detector can be a standalone appliance or a module in a Catalyst 6500/7600.

It is normally used together with the Guard mitigation device. Monitored traffic is copied to the Detector with traffic mirroring or optical splitters, and is divided into zones by customer or service type. When the Detector detects an attack it can automatically activate the Guard to protect the zone.

What is a zone?
A zone is the unit that is monitored/protected: a single server, a group of servers, or a subnet/network. A zone is typically one customer, or the set of one customer's servers for the same service. Several zones can be monitored at the same time as long as their addresses do not overlap.

Monitoring for attacks
Once the learning stage is complete, the protected zone enters the monitoring stage. The monitoring policies check the traffic for anomalies, and an anomaly triggers Guard protection. Operators can also define manually whether an anomaly triggers the Guard or only a log or notify action.
(Diagram: Detector traffic filtering for a server farm zone under detection, with a syslog server.)

Activating Guard protection (Detector to Guard)
1. Login via SSH. The SSH key is a one-time exchange between the Detector and the Guard, one key per Guard.
2. The Detector logs into every Guard specified in its configuration; the order is determined by CLI entry.
3. The Detector issues the protect command for the zone under attack. It will try every Guard in the list.
4. Session terminated.

2. Detecting attacks with NetFlow
NetFlow keeps detailed records of network traffic. Anomalies can be identified from characteristics such as source/destination address, port numbers, packet size and volume. Third-party vendors have built attack detection systems on NetFlow that can activate Guard protection automatically. Because NetFlow records only packet headers instead of analysing every packet, it scales well and can be used on high-volume backbone networks.

Cisco NetFlow defines a flow by seven fields:
- Source IP address
- Destination IP address
- Source port
- Destination port
- Layer 3 protocol type
- Type of Service (ToS) byte (Differentiated Services Code Point, DSCP)
- Input logical interface (ifIndex)
(Diagram: NetFlow enabled on the router; export packets to a traditional collector; a new SNMP MIB interface polled by SNMP; third-party monitoring and alerting devices.) NetFlow is one of the standards for IP traffic analysis and accounting.

Recommended NetFlow sampling ratios
- Ethernet: 1:10
- Fast Ethernet / OC-3: 1:100
- Gigabit Ethernet: 1:1000
- POS OC-12 / OC-48: 1:1000
- 10GE / POS OC-192: 1:5000

3. Detection with other third-party devices or software
DDoS attacks can be detected with many kinds of equipment: network security devices such as firewalls and IDS/IPS; SNMP or other protocols monitoring the network for traffic anomalies; monitoring of server CPU, connection counts or other metrics. Discovery by the customer remains the passive fallback.

Activating the Guard protection mechanism
The Guard can be activated by:
- a Detector deployed in the network notifying the Guard directly;
- certain NetFlow-based third-party monitoring devices (e.g. Arbor) notifying the Guard directly;
- IDS/IPS or other systems discovering an attack, after which the network management system sends the activation command to the Guard through an SSH script;
- manual activation once an attack has been discovered.

Network placement of DDoS detection
Location | Devices
CPE or IDC | Cisco Detector, IDS/IPS, SNMP
MAN | Cisco Detector, IDS/IPS
Backbone | NetFlow
SP peering edge | NetFlow, IDS/IPS
(The diagram also shows NetFlow-based third-party detectors and IPS in Cisco ISR routers.)

Part three: the attack mitigation stage
Traffic diversion, scrubbing and re-injection:
- 3a. Divert: the Guard announces via BGP to the router that traffic bound for the attacked customer is to be redirected to the Guard.
- 3b. All traffic to the target (attack and non-attack) is diverted to the Guard.
- 4. The Guard drops the attack traffic while letting legitimate traffic through.
- Inject: the cleaned traffic is re-injected into the network and reaches the target.
- The Cisco Detector and NetFlow devices keep observing.

Mitigation in action
(Diagram: zone 1 = web, zone 2 = DNS, zone 3 = e-commerce application; legitimate traffic and attack traffic from the Internet toward the target; BGP peer; Remote Health Injection (RHI).)
1. Abnormal traffic is detected.
2. Protection is started (automatically or manually).
3. Traffic is diverted to the Guard module.
4. Attack mitigation (cleaning).
5. Legitimate traffic is re-injected.
6. Traffic to the other zones is unaffected.
Routing-table excerpt from the slide (the addresses were lost in extraction): the OSPF route for the zone prefix, "O /24 110/2 via , 2d11h, GigabitEthernet2", is joined by the BGP-announced host route "B /32 20/0 via , 00:00:01"; the slide's legend maps the three addresses to the zone host (.28), the Guard module and the MSFC.

3.1 Traffic "cleaning"
The Guard's cleaning principle is the Multi-Verification Process (MVP). Legitimate plus attack traffic to the target passes through, in order:
- Dynamic and static filters: detect malicious behaviour and identify the attack flows and their source/destination addresses.
- Active verification: anti-spoofing blocks malicious traffic.
- Statistical analysis: dynamically added access lists block the attack.
- Layer 7 analysis.
- Rate limiting.
Only legitimate traffic comes out.

Equipment: Guard XT and AGM (Anomaly Guard Module)
Standalone Guard XT 5650:
- IBM x345 server platform
- 2 GE fiber/copper interfaces; 10/100/GE copper management port
- 2U rack mount, single/dual power supply
- Dual RAID hard drives
- 2 GB DDRAM
- 1 Broadcom SiByte network processor
AGM for the 7600/6500:
- Single-slot service module
- No external interfaces; uses line card or supervisor interfaces
- Cat6k IOS support: 12.2(18)SXD3 or later
- 7600 IOS support: 12.2(18)SXE or later
- 3 Broadcom SiByte network processors
- Multiple AGMs per chassis

Guard: communication interfaces
Interface | Use
HTTPS (web-based management) | Configuration and operation, attack reports
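As an added illustration (not code from the Cisco deck), the following Python models the learning and detection stages described above: it scales sampled NetFlow records back up by the deck's recommended sampling ratio, aggregates bytes per zone and service, derives per-service thresholds from baseline windows, and reports which zones would trigger Guard protection. The zone names, addresses, flow records and the 3x threshold factor are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# The deck's recommended NetFlow sampling ratios (1:N); sampled bytes are scaled back up.
SAMPLING = {"ethernet": 10, "fast_ethernet": 100, "gige": 1000, "oc192": 5000}

# Hypothetical zones: name -> networks. Addresses are constructed (RFC 5737 ranges).
ZONES = {"web": ["192.0.2.0/28"], "dns": ["192.0.2.16/28"]}

def validate_zones(zones):
    """Deck rule: zones may be monitored together only if their addresses do not overlap."""
    nets = [(z, ipaddress.ip_network(n)) for z, ns in zones.items() for n in ns]
    for i, (za, a) in enumerate(nets):
        for zb, b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"zone {za} overlaps zone {zb}")
    return True

def zone_of(dst, zones=ZONES):
    ip = ipaddress.ip_address(dst)
    for name, nets in zones.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return name
    return None

def aggregate(flows, iface="gige"):
    """Sum sampled NetFlow bytes per (zone, protocol, dst port), scaled by the sampling ratio.
    Each flow is (src, dst, proto, dport, bytes): a subset of the deck's seven key fields."""
    agg = defaultdict(int)
    for src, dst, proto, dport, nbytes in flows:
        z = zone_of(dst)
        if z is not None:
            agg[(z, proto, dport)] += nbytes * SAMPLING[iface]
    return agg

def learn_thresholds(windows, factor=3.0):
    """Learning stage: each service's threshold is a multiple of the peak volume seen in
    the baseline windows (the deck's 'set thresholds from the customer's traffic profile')."""
    peak = defaultdict(int)
    for win in windows:
        for key, vol in aggregate(win).items():
            peak[key] = max(peak[key], vol)
    return {key: vol * factor for key, vol in peak.items()}

def detect(window, thresholds, default_threshold):
    """Detection stage: return the zones whose services exceed their learned threshold;
    services never seen during learning fall back to default_threshold."""
    triggered = set()
    for key, vol in aggregate(window).items():
        if vol > thresholds.get(key, default_threshold):
            triggered.add(key[0])   # key = (zone, proto, dport)
    return sorted(triggered)
```

A real deployment would feed `detect` from a NetFlow collector window by window and hand the returned zone names to the Guard activation step; here the baseline windows and the attack window are constructed inline.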

FTP | Image upgrade, zone config download and upload, attack report upload
Syslog | Event logging
SNMP | System status
SSH | Configuration and operation
BGP* | Announces the Guard as best next hop to the attacked zone
Data path | Diversion of dirty traffic to the Guard
Data path | Re-injection of cleaned traffic from the Guard
* For the AGM, the 7600/Cat6k Supervisor Engine originates the BGP update messages.

The cleaning center
A "cleaning center" is a group of Guard or AGM traffic-cleaning devices located in the service provider's network.
- Scalability: multiple Guards provide high performance.
- Reliability: multiple Guards provide N+1 redundancy.
- Economy: one cleaning center serves many customers, giving high utilisation.
- Flexibility: DDoS attacks can be steered to the cleaning center and handled centrally.

Cleaning center design considerations
- Cleaning capacity requirements
- Placement
- Scalability and load balancing
- High availability and redundant configuration

Capacity requirements by deployment model
(a) Dedicated devices for specific customers
- CapEx for the SP: high; service fee for customers: high.
- Dedicated service from the subscriber's standpoint; guaranteed cleaning capacity per agreement between SP and customer; customized baseline by learning.
- Guards are added as new customers sign up for the service; the customer's policy and zone configs are stored on the dedicated Guard.
- Applicable DDoS protection models: managed network, managed hosting, managed peering.
(b) Shared deployment, dedicated protection for the customer under attack
- CapEx for the SP: low; service fee for customers: high/medium.
- Dedicated service from the subscriber's standpoint; guaranteed cleaning capacity per agreement between SP and customer; customized baseline by learning.
- New Guards are added when the predefined over-subscription ratio is exceeded; the customer's policy and zone configs are uploaded to a dedicated Guard when the customer is under attack.
- Applicable DDoS protection models: managed network, managed hosting, managed peering.
(c) Shared deployment, shared protection for customers under attack
- CapEx for the SP: very low; service fee for customers: low.
- Shared service from the subscriber's standpoint; best-effort cleaning capacity; baseline based on default templates, with optional manual threshold tuning for more precise mitigation.
- Cleaning capacity may be insufficient if several customers are under attack at the same time.
- Applicable DDoS protection models: managed network, managed hosting, managed peering, infrastructure.

Placement recommendations
- As close to the network ingress as possible.
- Reduce the hop count of the diversion/injection paths to reduce latency.
- Ensure the diversion and re-injection paths have enough bandwidth.
- With multiple cleaning centers, ensure bandwidth from every cleaning center to every protected customer.
- Cleaning centers need independent management; consider placing them in an AS separate from the backbone.

Scalability: load balancing
Guard or AGM clusters in the cleaning center provide multi-gigabit protection capacity. Load balancing between Guards/AGMs:
- enable BGP maximum-paths on the front-end router;
- enable IP CEF load sharing per source-destination IP address pair on the front-end router;
- at most 8 Guards can be load-balanced (a BGP limit).

AGM count limits in one 7600/Cat6500 chassis
Chassis | Maximum tested # of AGMs | Realistic maximum # of AGMs (active and standby supervisors, line card for Guard bandwidth)
Dedicated 7609/Cat6509 chassis | 8 | 6
Dedicated 7613/Cat6513 chassis | 10 | 10

High availability considerations
- Use NSF and SSO on the cleaning center's access routers.
- N+1 Guards, with one Guard as a hot-standby backup.
- Redundant AGMs: in active/active mode every AGM is active and traffic is load-balanced; in active/standby mode one Guard has the higher priority and the other stands by.
- If a cleaning center fails, anycast automatically moves the suspect traffic to another cleaning center.

3.2 Traffic diversion and injection
Diversion can be triggered by the Cisco Detector or by a third-party device, automatically or manually; the operator chooses the trigger method. Traffic can be diverted to more than one cleaning center, and the diversion is released when the attack stops.
- Diversion: reroute traffic bound for the attacked target to a cleaning center, where it is processed, attack traffic is dropped and legitimate traffic is identified.
- Injection: after cleaning, the legitimate traffic is re-injected into the network and reaches the target.

Diversion modes
- L2 diversion: divert-from router, inject-to router and Guard on the same LAN.
- L3 (short) diversion, IP core: divert-from router and Guard directly connected.
- Diversion in an MPLS core.
- Long diversion (IP or MPLS): traffic diverted to distributed cleaning centers not directly connected to the divert-from router.

Injection modes
- L2 injection: inject-to router and Guard on the same LAN.
- PBR-based injection.
- GRE injection, IP core: GRE tunnel originated on the Guard and terminated on the CPE.
- VRF injection, MPLS core: traffic injected into a separate "inject" VRF.
- Other tunneling techniques: mGRE, L2TPv3 and VLAN based.

L2 diversion / re-injection (routers R1, R2, R3; Guard; zone; NOC)
1. A BGP update from the NOC re-routes ALL zone traffic to the Guard.
2. The route to the zone now has its next hop set to the Guard.
3. The Guard is in the same VLAN as R1, so traffic is forwarded at L2.
4. The Guard re-injects clean traffic towards the zone via R2 or R3 (the Guard's next hop to the zone is set to R2 or R3).

Short diversion / GRE re-injection (R1, R2, R3; Guard; zone; NOC)
1. A BGP update re-routes ALL zone traffic to the Guard.
2. The route to the zone has its next hop set to the Guard.
3. The Guard re-injects clean traffic towards the zone over a pre-configured GRE tunnel to the egress CPE.

MPLS diversion / re-injection (MPLS core with PEs and CPEs, VRF "inject"; the target and Guard addresses were lost in extraction)
1. BGP: the Guard announces itself as next hop for the target.
2. Redistribution into the MPLS core.
3. Traffic to the target is re-routed to the Guard.
4. Cleaning.
5. Clean traffic is re-injected on a separate interface in VRF inject.
6. The cleaned traffic is forwarded to the target through the egress PE.

Long diversion (L3) / GRE injection (IP core, route reflector, NOC; pre-configured GRE tunnel to the egress CPE)
1. A BGP update sets the next hop for the target to the Guard.
2. ALL traffic to the target is re-routed to the Guard.
3. Redistribution into the core.
4. Clean traffic is injected to the target over the GRE tunnel.
5. Return traffic from the target to the Internet flows normally.

PBR injection (R1, R2; Guard; zone; NOC; the divert-from and inject-to router is the same one)
1. A BGP update re-routes ALL zone traffic to the Guard; the route to the zone has its next hop set to the Guard.
2. PBR applied on the R1 interface matches the zone's IP address and sets the next hop to R2. (The Guard's next hop toward the zone is R1.)
3. The Guard re-injects clean traffic towards the zone back to R1.
4. R1 forwards the zone traffic to R2 according to the configured PBR.
Configuration from the slide (addresses lost in extraction are shown as placeholders):

    ip access-list extended zoneA
     permit ip any <zone-address>
    !
    route-map injectPBR permit 10
     match ip address zoneA
     set ip next-hop <R2-address>
    !
    route-map injectPBR permit 20
    !
    interface gigabitethernet3/1/1
     ip policy route-map injectPBR

AGM: single chassis, multiple AGMs, one zone (Cisco 7609, SUP 720, AGM 1 and AGM 2, loopback 0, zone /24)
1. Static routes to the zone are inserted.
2. The static routes are redistributed into BGP with the next hop for the zone set to lo0.
3. Traffic for the zone is diverted to lo0.
4. Incoming traffic is load-balanced between AGM 1 and AGM 2.
5. Traffic is re-injected using PBR/GRE.
Result: equal-cost load balancing and redundancy.

AGM: single chassis, dedicated AGM per zone (zone 1 and zone 2)
1. Static routes to the zones are inserted.
2. The static routes are redistributed into BGP with the next hop set to the AGM's VLAN IP.
3. Traffic for zone 1 is diverted to AGM 1 (zone 2 to AGM 2).
4. Traffic is re-injected using PBR/GRE.
Result: no load balancing or redundancy.

One zone, multiple cleaning centers (each cleaning center: SUP 720, AGM 1, AGM 2, loopback 1)
1. The same anycast address is advertised by each cleaning center as next hop to the zone.
2. Traffic to the zone is diverted to the nearest instance of the cleaning center.
3. Traffic is re-injected into a multipoint GRE tunnel terminated at the egress CE to the zone.
Result: load balancing and redundancy.

Multiple zones, multiple cleaning centers
1. An anycast address is advertised as next hop to each zone.
2. Traffic to a zone is diverted to the nearest instance of the cleaning center.
3. Traffic is re-injected into a multipoint GRE tunnel terminated at the egress CE for that zone.

Agenda (continued): Clean Pipe deployment models and Clean Pipe service examples

DDoS protection: four typical deployment models
1. IDC (data center) DDoS protection
2. Network infrastructure DDoS protection
3. Customer network DDoS protection
4. Peering point DDoS protection
(Diagram: server farms; the carrier network with ASBRs, PEs, a route reflector and the SP SOC; customer CE; downstream ISP; transoceanic peer; Internet; Cisco Detector out of band; NetFlow; third-party detector; cleaning centers 1 and 2 with Guard XT/AGM.)

1. Protecting the IDC (data hosting center)
(Diagram: Detector, router, switch, internal network, ISP links, Gigabit Ethernet switch, DNS servers, web, chat and other servers.)
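As an added example (not the deck's own configuration), the following Python models the PBR-injection design described above: the Guard's BGP /32 announcement wins longest-prefix match over the zone's /24 on the divert-from router, and a PBR rule on the Guard-facing interface (gigabitethernet3/1/1 in the slide) sends re-injected clean traffic on to R2 instead of diverting it back to the Guard. Router names, addresses and interface names are constructed assumptions.

```python
import ipaddress

class DivertRouter:
    """Toy model of the divert-from router R1 in the PBR-injection design:
    a longest-prefix-match FIB plus an ingress PBR rule (constructed example)."""

    def __init__(self):
        self.fib = []    # (network, next_hop, source), e.g. (192.0.2.0/24, "R2", "igp")
        self.pbr = {}    # ingress interface -> [(network, next_hop)]

    def add_route(self, prefix, next_hop, source):
        self.fib.append((ipaddress.ip_network(prefix), next_hop, source))

    def withdraw(self, prefix, source):
        net = ipaddress.ip_network(prefix)
        self.fib = [r for r in self.fib if not (r[0] == net and r[2] == source)]

    def set_pbr(self, ingress, prefix, next_hop):
        """'ip policy route-map' on the Guard-facing interface: match the zone, set next hop."""
        self.pbr.setdefault(ingress, []).append((ipaddress.ip_network(prefix), next_hop))

    def divert(self, zone_host, guard):
        """The Guard's BGP announcement: a /32 for the attacked host with the Guard as
        next hop. Being more specific than the zone's /24, it wins longest-prefix match."""
        self.add_route(f"{zone_host}/32", guard, "bgp-guard")

    def undivert(self, zone_host):
        """Attack over: the /32 is withdrawn and the /24 takes over again."""
        self.withdraw(f"{zone_host}/32", "bgp-guard")

    def lookup(self, dst):
        ip = ipaddress.ip_address(dst)
        best = None
        for net, nh, _ in self.fib:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None

    def forward(self, dst, ingress):
        """PBR on the ingress interface is consulted before the FIB, so clean traffic
        re-injected by the Guard reaches the zone instead of being diverted again."""
        ip = ipaddress.ip_address(dst)
        for net, nh in self.pbr.get(ingress, []):
            if ip in net:
                return nh
        return self.lookup(dst)
```

Traffic from the Internet-facing interface for hosts in the same /24 that are not under attack keeps its normal next hop, which is the deck's point that other zones are unaffected by the diversion.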
