IPTV
© 2008 Cisco Systems, Inc. All rights reserved. 1
Cisco Systems Korea
IPTV
Chart: IP platform, 2007~2011 (-To-TV 10, -To-PC 4)
Source: http://www.cisco.com/en/US/solutions/collateral/ns341/ns525/ns537/ns705/ns827/white_paper_c11-481374.html (traffic forecast chart; axis in EB/mo)
Figure: IPTV service provider architecture. Tiers: Access, Aggregation, Distributed Edge, Core, Acquisition Network (Super Regional). Elements: Super HE, Regional HE, BRAS, RG, MPLS PE, Policy Servers, Residential IP Content Network, Content Owner, External Partners, Business, Internal Enterprise/NOC, Internet Peering, Internet. Trust zones: Untrusted, Mostly Trusted, Trusted.
Untrusted
- SP
- TV IP
IPTV
- IPTV DoS, IP spoofing
- SP
- CAS, DRM
IPTV security: four areas
- IP Source Guard
- DHCP / Authorization
- Data Center Protection
- CAS/DRM
HE (headend) protection: IP filtering, uRPF, DDoS
Source: 2008.01 / KISA Internet Incident Trends and Analysis Monthly Report
HE - DoS
- Cisco Guard/Detector DDoS mitigation (static BGP)
Leading Practice Category | Examples | Protects Against Threats
Disable Unnecessary Services | ICMP redirects, CDP, IP Source Routing | Reconnaissance, Denial-of-Service
Control Device Access | TACACS+, RADIUS, Password Encryption | Unauthorized Access
Secure Ports and Interfaces | Disable unused interfaces, VLAN Pruning | Reconnaissance, Denial-of-Service
Secure Routing Infrastructure | MD5 Authentication, Route Filters | Denial-of-Service
Secure Switching Infrastructure | Port Security, Storm Control | Denial-of-Service
Control Resource Exhaustion | Control Plane Policing (CoPP), Hardware-based Rate Limiters | Denial-of-Service
Policy Enforcement | uRPF | IP Spoofing, Denial-of-Service
- Source ACL - IGMP Join Filtering

Figure: a subscriber host (SA = 10.0.1.1, labelled "Network Engineer") on interface E0 sends traffic to the multicast group DA = 239.244.244.1; the source ACL applied to E0 blocks the attempt to act as a multicast source.

ip access-list extended source
 permit igmp any any 6 ! IGMPv2 reports
 permit igmp any any 7 ! IGMPv2 leave
 …… ……
 deny igmp any any ! Queries, PIMv1, DVMRP, …
 deny pim any any ! Hello, Join/Prune, BSR
 deny ip any 224.0.0.0 15.255.255.255 ! Source: all multicast groups, 224.0.0.0/4 (the slide's 224.0.0.0/8 would not cover 239.244.244.1)
 ….. ……
 permit ip any any
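To show what the source ACL above actually admits on a subscriber interface, here is an added Python model of it (not Cisco's code and not from the slide) that evaluates the rules first-match over constructed packets. It assumes the multicast-source deny is meant to cover all of 224.0.0.0/4, since the slide's own example group 239.244.244.1 lies outside 224.0.0.0/8, and models an IGMP query as IOS numeric type 1.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str   # "igmp", "pim", "udp", ...
    src: str
    dst: str
    igmp_type: Optional[int] = None  # IOS numeric IGMP type per the slide: 6 = v2 report, 7 = v2 leave

# All multicast groups (224.0.0.0/4): the slide writes /8, but its own example group
# 239.244.244.1 is only covered by /4, so this model assumes /4 was intended.
MULTICAST = ipaddress.ip_network("224.0.0.0/4")

# First-match rules mirroring the slide's "source" ACL: (action, protocol, dst network, igmp type, remark)
SOURCE_ACL = [
    ("permit", "igmp", None,      6,    "IGMPv2 reports"),
    ("permit", "igmp", None,      7,    "IGMPv2 leave"),
    ("deny",   "igmp", None,      None, "queries, PIMv1, DVMRP, ..."),
    ("deny",   "pim",  None,      None, "hello, join/prune, BSR"),
    ("deny",   "ip",   MULTICAST, None, "subscriber acting as multicast source"),
    ("permit", "ip",   None,      None, "all other traffic"),
]

def evaluate(pkt, acl=SOURCE_ACL):
    """Return (action, remark) of the first matching rule; unmatched packets hit IOS's implicit deny."""
    dst = ipaddress.ip_address(pkt.dst)
    for action, proto, dst_net, igmp_type, remark in acl:
        if proto != "ip" and proto != pkt.proto:  # "ip" matches any protocol
            continue
        if dst_net is not None and dst not in dst_net:
            continue
        if igmp_type is not None and pkt.igmp_type != igmp_type:
            continue
        return action, remark
    return "deny", "implicit deny"

# Constructed traffic from the slide's subscriber host 10.0.1.1 on E0 (query modelled as type 1).
SAMPLE = [
    Packet("igmp", "10.0.1.1", "239.244.244.1", 6),   # join 239.244.244.1
    Packet("igmp", "10.0.1.1", "224.0.0.2", 7),       # leave a group
    Packet("igmp", "10.0.1.1", "224.0.0.1", 1),       # subscriber sending queries
    Packet("pim",  "10.0.1.1", "224.0.0.13"),         # PIM hello toward routers
    Packet("udp",  "10.0.1.1", "239.244.244.1"),      # the slide's rogue multicast source
    Packet("udp",  "10.0.1.1", "10.0.2.5"),           # ordinary unicast
]

def summarize(packets=SAMPLE):
    """Map each sample packet to (protocol, destination, action taken)."""
    return [(p.proto, p.dst, evaluate(p)[0]) for p in packets]
```

Only IGMP reports and leaves plus unicast get through; queries, PIM and any attempt to source a multicast group are dropped before `permit ip any any` is reached.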
- IGMP/MLD State Limit

Figure (labels recovered from the slide): IGMP/MLD table entries, total memory utilization and CPU over time t1, t2, ... tn. With the table unlimited ("Gasp!"), malicious IGMP/MLD reports keep adding entries until memory is exhausted and CPU is taken from other processes; with a max configured, the table stops growing at the limit while valid periodic IGMP/MLD reports continue to be served.

IGMP/MLD table size can be limited globally or per interface.
IPv4 IGMP limit (12.2(15)T): ip igmp limit <1-64000>
IPv6 MLD limit (12.4(2)T): ip mld limit <1-64000>
Goal | Features
Subscriber Identification | DHCP Option 60, DHCP Option 82
Subscriber Authentication | PPPoE or Web Portal (using RADIUS)
Subscriber Isolation | MAC Forced Forwarding on DSLAM; Private VLAN/PVLAN Edge on Switch
Rogue DHCP Server | DHCP Snooping
IP address spoofing | DHCP Snooping + IP Source Guard (IPSG) on Switch
Limiting No. of Channels/IGMP/Multicast states | IGMP State limits/max-groups & Multicast limits on Switch
- IP Source Guard

Cisco IP Source Guard: DHCP Snooping + Port ACL, against IP spoofing.

Figure: the DHCP Snooping function on the switch sits between the subscriber port P1 (untrusted) and port P3 (trusted) toward the DHCP server; DHCP requests from the untrusted port are forwarded to the server, and DHCP responses are accepted only from the trusted port.
- Firewalls and Router ACLs
- Network Intrusion Detection
- Security Agents
- CCTV
- Centralized Security and Policy Management
- Identity, AAA, Access Control Servers and Certificate Authorities
- Encryption and Virtual Private Networks (VPNs)
Cisco IP NGN

Figure: Cisco IP NGN layered architecture. Application layer: presence-based telephony, gaming, datacenter, web services, mobile apps, contact center, IP peering. Service layer: Service Exchange, an open framework for enabling 'Triple Play on the Move' (Data, Voice, Video, Mobility). Network layer: Customer Element, Intelligent Multiservice Edge, Access/Aggregation, Core, Transport, with Intelligent Networking. Cross-layer operational functions: Security, Traffic Engineering, BW Management, Service Assurance.
- DPI
DPI (Deep Packet Inspection): IP Packet Inspection & Control

DPI classifies traffic by subscriber, application and network condition and applies an action to it: Block, Mark, Redirect, Set QoS.
• Deep Packet Inspection — IP Application
• Subscriber Awareness — IP
Figure: self-service security architecture. Subscriber traffic passes the BRAS/BNG (ISG/SSG) and the Service Control Engine on the way to the Internet core; AAA and the Broadband Policy Manager drive policy, and a Web Portal Server, a Security Self-Service Patch Station and a Scan/Test SW Server provide the self-service side. Services: Content Filtering, URL Filtering, Self-Service Security Level and Content Filter, Anti-Spam, Anti-Virus, Anti-X. Also labelled: SEF.
Cisco IP NGN
- DPI
- Revenue: URL Filtering, …
IPTV (summary)
- HE DDoS
- DPI