security challenges & remedies for the telecoms … · ip engineering manager march 2015...
TRANSCRIPT
Nikos Xanthopoulos Senior Product Manager, Voice & Data Services
Tassos Chatzithomaoglou IP Engineering Manager
March 2015
Security Challenges & Remedies for the Telecoms Operator and its Customers
Top emerging cyber-threats
Source: ENISA Threat Landscape 2014
Malicious Code: Worms/Trojans Web-based attacks Web application / injection attacks
Botnets & DoS attacks Phishing & Cyber espionage
Data Breaches
Information Leakage Identity theft/fraud Physical damage/theft/loss
DDoS Attack Trends
Source: Akamai Q4 2014 Internet Security Report
Industries attacked most often:
Gaming: 35% Software & Technology: 27%
Internet & Telecom: 11% Media & Entertainment: 10%
Financial Services: 7%
DDoS attacks
increased 57% Q4 2013
sin
ce
Total DDoS bandwidth
increased 52% sin
ce
Q4 2013
Average Peak
51% application
infrastructure 58%
DDoS attacks increase
sin
ce
Q4 2013
DDoS duration increased 28%
Q4 2013
sin
ce
Average
Online booking
Who should care?
e-Commerce sites Web banking sites
Web ordering & logistics Web portals
Why should I care?
Website/Applications/Services NOT available
↓ You can’t serve your customers/partners
Lose money
Competitive disadvantage
Lose trust
Customer dissatisfaction
Forthnet security services portfolio
Managed Perimeter Security (on roadmap)
Managed Firewall Antispam
Antivirus
Anti-fraud
DDoS protection & IPS/IDS
Applicable for Internet LL & Data Center customers
Mitigation
Network-based DDoS protection service
Main Features
Fully managed service by Forthnet. 24hour monitoring of customer networks. Detection and protection from volumetric network attacks (Layer 3 & 4). Automatic mitigation in case of an attack. Protection policy and response times guaranteed by SLA. Automatic periodical renewal of the signatures used (via Atlas).
Extra on-premise DDoS protection & IPS/IDS
Extra Features
Real time protection & mitigation on customer premise. Protection also from Application Layer (Layer 7) attacks & malware, botnets, worms etc. Network DDoS protection utilization for volumetric attacks with Cloud Signaling. CPE & vendor services can be provided as CAPEX & OPEX.
Total solution
Block application-layer attacks at the edge
Block volumetric attacks at core
Internet
Core Routers DC Routers
Data Center
or
Customer’s
Premise
Firewalls
IDS/IPS
IDMS/TMS
IDMS/CP
Mitigation
Managed Perimeter Security (on roadmap)
Anti-spam
Firewall
Anti-virus
Load Balancing
Application control
URL filtering
IPS
Data Leak Prevention
VPN
Forthnet anti-fraud platform
CDRs & historical
data
Rules & customer
profile
Alert Generation
Incident
Management
by
Methods of telecommunication fraud:
o PBX Hacking o VoIP Hacking o Subscription Fraud o Account Takeover / Identity Take Over o Exploitation of network weakness
Types of telecommunication fraud:
o International Revenue Share Fraud (IRSF) o Payment Fraud o Premium Rate Service o Service Abuse o Interconnect Bypass
In summary
Cyber attacks increase
exponentially
Firewalls are not enough
Be aware! Protect your
business Choose the
right partners
Security Incident Management Preparation
Prepare/Profile the network Create/Get & test tools Prepare & test procedures Create/Train security team Practice frequently Use a runbook and a knowledge base
Identification How do you know about the incident? What tools can you use? What’s your process for communication? What kind of incident is it?
Traceback Where is the incident’s origin? Where and how is it affecting the network?
Reaction What options do you have to remedy? Which option is the best under the circumstances? Which services/customers will be affected?
Lessons Learned What was done to fix the incident? Can anything be done to prevent it? How can it be less painful in the future?
Actio
n
Be Prepared
Advanced Network Monitoring & Telemetry
Flows Collection & Reporting Packets Collection &
Reporting Penetration Testing & Vulnerability Scanning
Basic Network Monitoring
Syslog/SNMP Monitoring SNMP Probing Routing Table Monitoring
Network Management
Credentials & Identity Management
Devices & Users Management
Configuration Management
Allow only specific users to have access to network devices Access to network devices must be approved by specific authorized users and be recorded Each user must have a unique username/password for login Use a strict policy for password strength and frequent password changes Passwords should be delivered to users through encrypted means only (i.e. PGP) Each network device may have a local username/password defined too Different types of devices should have different local usernames/passwords All network devices should implement RBAC (Role Based Access Control)
Credentials & Identity Management
Device & User Management Use AAA on all network devices Use separate AAA server/process for infrastructure and customers Tacacs (RFC 1492, TCP, md5 encryption by default for packet payload) Radius (RFC 2865, UDP, md5 encryption by default only for password) RadSec or Radius on steroids (RFC 6614, TLSoTCP by default) Diameter (RFC 6733, TLSoTCP and DTLSoSCTP by default)
Allow only encrypted access: ssh, https, netconf over ssh (RFC 6242) Access to devices from external users should allowed only when using secure tunnels (i.e. IPSec, TLS) and two-factor authentication Use different roles per user and per device (advanced RBAC model)
Configuration Management
Automatic & manual backup per device or per group of devices
Configurations accessible though a web interface and/or API
Configuration access limited to users using a RBAC model
Support encryption of whole configuration or keywords related to security related entries in configurations
Support version control and comparison of archived configurations
Search configurations for specific patterns/keywords
Verify compliance with various security standards (i.e. PCI DSS)
Send email alerts with configuration changes Store other useful data besides configurations Assist in network automation
Some network devices support local archiving of configuration changes (beware of security related entries being exposed in cleartext)
Syslog/SNMP Monitoring Use multiple
(geographically dispersed) collectors
Use multiple processes/threads
for command parallelization
Send data over a secure transport (i.e.
TLS/DTLS) and through an isolated (i.e.
management) channel
Implement a data retention policy
based on classification &
importance
Collect data from border routers,
firewalls, IDS/IPS, DNS Servers
Implement device/service grouping for
easier management
Send alerts with high
priority data immediately
Visualize as much as possible
Use separate collectors for infrastructure and customers
Separate frontend (provisioning) and
backend (collector/manager
/poller)
data
Capture
Storage
Analysis
Search Sharing
Privacy
Visualization
Routing Table Monitoring
RPKI (RFCs 6480,6483,6491,etc.) can be implemented in order to minimize route hijacking/spoofing
DDoS Statistics Largest attack measured was 26 Gbps 332 attacks over 1 Gbps, 36 attacks over 10 Gbps Attack targets were mostly retail customers, political parties, legal firms, news portals, financial institutions, IRC servers (!) Majority of attacks were based on DNS/NTP/SSDP Amplification and HTTP Flood
Amplification Factor (US-CERT)
DNS 28 to 54
NTP 557
SNMP 6
SSDP 31
CharGEN 359
26 Gbps
2 Gbps
Penetration Testing Web Application Penetration Testing
End-User Security Awareness Testing
Endpoint Penetration Testing
Mobile Device Penetration Testing
Network Penetration Testing
Password and Identity Cracking
Wireless Network Penetration Testing
SCADA Security Testing
Network Device Penetration Testing
Testing the Efficacy of IPS/IDS, Firewalls
Validating Vulnerabilities Identified by Scanners
Infrastructure Security
Management Plane
• OOB Mgmt
• RFC 1918 addresses
• MPLS L3 VPN
• iACLs
Control Plane
• CoPP
• iACLs
• Routing Security
Data Plane
• uRPF
• RTBH
• FlowSpec
• ACLs
• IDMS
• Firewalls
Redundancy & Anycast can help increasing Resiliency and Availability
something missing?
IPv Security Although IPv6 is supposed to offer increased security, this is not the whole truth Many security options are available, but few are supported or enabled by default There is a lot of on-going discussion on IETF’s 6man/opsec about IPv6 security, so expect many changes Keep in mind that a dual-stack network requires 4 areas to be secured:
IPv4 IPv6 IPv4 through/over IPv6 IPv6 through/over IPv4
CGNs can make life a lot harder due to additional complexity in user identification
Forthnet stats :
RFC 7123 (Security Implications of IPv6 on IPv4 Networks) RFC 6169 (Security Concerns with IP Tunneling) RFC 7359 (Layer 3 Virtual Private Network Tunnel Traffic Leakages in Dual-Stack Hosts/Networks) RFC 4942 (IPv6 Transition/Coexistence Security Considerations)
26% subscribers (1/3 is IPv6-only)
14% traffic
SDN Security
Controller
Applications Applications Applications
Switch Switch
Switch Switch
Switch Switch
Host Host
Northbound API (i.e. REST, Python, Java)
Southbound API (i.e. OpenFlow, NETCONF, PCEP)
Control Plane
Data Plane
SDN Security - The Bad Things Control Plane Vulnerabilities
The whole network is actually managed by a controller and some applications The whole network might collapse if something goes wrong on these Applications and controller are built on commodity computing platforms Vulnerabilities in these platforms will also affect the whole network
Possible effects after taking over the Controller/Applications
Modify/Insert/Delete content Spy on traffic Bypass security rules by driving traffic around Redirect traffic to compromised hosts for further exploitation Security depends more on virtual topology than physical A MITM attack becomes very-very attractive, making happy
And as if that were not enough… Both Northbound/Southbound APIs can also get compromised if not secured When nested applications or multiple organizations are involved, things can get messy
SDN Security – The Good Things Enforce a global/uniform security policy Check and maintain compliance with security standards Basic security rules can be applied on all devices Rapid response to threads Traffic redirection through an explicit security device is easier Tracking flows can help you isolate bad hosts faster
Hardening SDN
Apply OS hardening rules to controller and applications platforms Enforce RBAC policies for administration Implement a HA architecture on all critical parts Prefer an OOB network for control traffic Use authenticated/encrypted communication in all API calls Run frequent validation of flow policies Watch closely for new security architectures/frameworks
SDN Cleaner Infection: The end user clicks on a URL or attachment which downloads a rootkit. Breach: The rootkit begins executing a series of procedures to connect to the botnet control network. Watch: An SDN Application watches the traffic pattern from the infected host to the outside hosts. Detect: Based on the traffic flows the SDN Application detects that there is active malware on the infected host. React: The SDN Application initiates a quarantine directive to the SDN Controller based on these traffic flows. Respond: The SDN Controller creates a set of OpenFlow rules and pushes them down to the OpenFlow-enabled switch. Redirect: Infected host’s DNS and web traffic is redirected by the OpenFlow switch to a specific web server, which displays a web page with the necessary actions to be performed. Permit: Once the corrective actions have been performed, the rules are changed to the initial ones that allow the end host back into the network.