Nikos Xanthopoulos Senior Product Manager, Voice & Data Services

Tassos Chatzithomaoglou IP Engineering Manager

March 2015

Security Challenges & Remedies for the Telecoms Operator and its Customers

Nikos Xanthopoulos Senior Product Manager, Voice & Data Services

1st part...

Top emerging cyber-threats

Source: ENISA Threat Landscape 2014

Malicious Code: Worms/Trojans Web-based attacks Web application / injection attacks

Botnets & DoS attacks Phishing & Cyber espionage

Data Breaches

Information Leakage Identity theft/fraud Physical damage/theft/loss

DDoS Attack Trends

Source: Akamai Q4 2014 Internet Security Report

Industries attacked most often:

Gaming: 35% Software & Technology: 27%

Internet & Telecom: 11% Media & Entertainment: 10%

Financial Services: 7%

DDoS attacks

increased 57% Q4 2013

sin

ce

Total DDoS bandwidth

increased 52% sin

ce

Q4 2013

Average Peak

51% application

infrastructure 58%

DDoS attacks increase

sin

ce

Q4 2013

DDoS duration increased 28%

Q4 2013

sin

ce

Average

Online booking

Who should care?

e-Commerce sites Web banking sites

Web ordering & logistics Web portals

Why should I care?

Website/Applications/Services NOT available

↓ You can’t serve your customers/partners

Lose money

Competitive disadvantage

Lose trust

Customer dissatisfaction

Forthnet security services portfolio

Managed Perimeter Security (on roadmap)

Managed Firewall Antispam

Antivirus

Anti-fraud

DDoS protection & IPS/IDS

Applicable for Internet LL & Data Center customers

Mitigation

Network-based DDoS protection service

Main Features

Fully managed service by Forthnet. 24hour monitoring of customer networks. Detection and protection from volumetric network attacks (Layer 3 & 4). Automatic mitigation in case of an attack. Protection policy and response times guaranteed by SLA. Automatic periodical renewal of the signatures used (via Atlas).

Extra on-premise DDoS protection & IPS/IDS

Extra Features

Real time protection & mitigation on customer premise. Protection also from Application Layer (Layer 7) attacks & malware, botnets, worms etc. Network DDoS protection utilization for volumetric attacks with Cloud Signaling. CPE & vendor services can be provided as CAPEX & OPEX.

Total solution

Block application-layer attacks at the edge

Block volumetric attacks at core

Internet

Core Routers DC Routers

Data Center

or

Customer’s

Premise

Firewalls

IDS/IPS

IDMS/TMS

IDMS/CP

Mitigation

Managed Perimeter Security (on roadmap)

Anti-spam

Firewall

Anti-virus

Load Balancing

Application control

URL filtering

IPS

Data Leak Prevention

VPN

Forthnet anti-fraud platform

CDRs & historical

data

Rules & customer

profile

Alert Generation

Incident

Management

by

Methods of telecommunication fraud:

o PBX Hacking o VoIP Hacking o Subscription Fraud o Account Takeover / Identity Take Over o Exploitation of network weakness

Types of telecommunication fraud:

o International Revenue Share Fraud (IRSF) o Payment Fraud o Premium Rate Service o Service Abuse o Interconnect Bypass

In summary

Cyber attacks increase

exponentially

Firewalls are not enough

Be aware! Protect your

business Choose the

right partners

Thank you

2nd part...

Tassos Chatzithomaoglou IP Engineering Manager

Security Incident Management Preparation

Prepare/Profile the network Create/Get & test tools Prepare & test procedures Create/Train security team Practice frequently Use a runbook and a knowledge base

Identification How do you know about the incident? What tools can you use? What’s your process for communication? What kind of incident is it?

Traceback Where is the incident’s origin? Where and how is it affecting the network?

Reaction What options do you have to remedy? Which option is the best under the circumstances? Which services/customers will be affected?

Lessons Learned What was done to fix the incident? Can anything be done to prevent it? How can it be less painful in the future?

Actio

n

Be Prepared

Advanced Network Monitoring & Telemetry

Flows Collection & Reporting Packets Collection &

Reporting Penetration Testing & Vulnerability Scanning

Basic Network Monitoring

Syslog/SNMP Monitoring SNMP Probing Routing Table Monitoring

Network Management

Credentials & Identity Management

Devices & Users Management

Configuration Management

Allow only specific users to have access to network devices Access to network devices must be approved by specific authorized users and be recorded Each user must have a unique username/password for login Use a strict policy for password strength and frequent password changes Passwords should be delivered to users through encrypted means only (i.e. PGP) Each network device may have a local username/password defined too Different types of devices should have different local usernames/passwords All network devices should implement RBAC (Role Based Access Control)

Credentials & Identity Management

Device & User Management Use AAA on all network devices Use separate AAA server/process for infrastructure and customers Tacacs (RFC 1492, TCP, md5 encryption by default for packet payload) Radius (RFC 2865, UDP, md5 encryption by default only for password) RadSec or Radius on steroids (RFC 6614, TLSoTCP by default) Diameter (RFC 6733, TLSoTCP and DTLSoSCTP by default)

Allow only encrypted access: ssh, https, netconf over ssh (RFC 6242) Access to devices from external users should allowed only when using secure tunnels (i.e. IPSec, TLS) and two-factor authentication Use different roles per user and per device (advanced RBAC model)

Advanced RBAC Model

User User Group Role OS

Device Device Group

Who?

What?

Where?

Configuration Management

Automatic & manual backup per device or per group of devices

Configurations accessible though a web interface and/or API

Configuration access limited to users using a RBAC model

Support encryption of whole configuration or keywords related to security related entries in configurations

Support version control and comparison of archived configurations

Search configurations for specific patterns/keywords

Verify compliance with various security standards (i.e. PCI DSS)

Send email alerts with configuration changes Store other useful data besides configurations Assist in network automation

Some network devices support local archiving of configuration changes (beware of security related entries being exposed in cleartext)

Syslog/SNMP Monitoring Use multiple

(geographically dispersed) collectors

Use multiple processes/threads

for command parallelization

Send data over a secure transport (i.e.

TLS/DTLS) and through an isolated (i.e.

management) channel

Implement a data retention policy

based on classification &

importance

Collect data from border routers,

firewalls, IDS/IPS, DNS Servers

Implement device/service grouping for

easier management

Send alerts with high

priority data immediately

Visualize as much as possible

Use separate collectors for infrastructure and customers

Separate frontend (provisioning) and

backend (collector/manager

/poller)

data

Capture

Storage

Analysis

Search Sharing

Privacy

Visualization

Routing Table Monitoring

RPKI (RFCs 6480,6483,6491,etc.) can be implemented in order to minimize route hijacking/spoofing

DDoS Statistics Largest attack measured was 26 Gbps 332 attacks over 1 Gbps, 36 attacks over 10 Gbps Attack targets were mostly retail customers, political parties, legal firms, news portals, financial institutions, IRC servers (!) Majority of attacks were based on DNS/NTP/SSDP Amplification and HTTP Flood

Amplification Factor (US-CERT)

DNS 28 to 54

NTP 557

SNMP 6

SSDP 31

CharGEN 359

26 Gbps

2 Gbps

Penetration Testing Web Application Penetration Testing

End-User Security Awareness Testing

Endpoint Penetration Testing

Mobile Device Penetration Testing

Network Penetration Testing

Password and Identity Cracking

Wireless Network Penetration Testing

SCADA Security Testing

Network Device Penetration Testing

Testing the Efficacy of IPS/IDS, Firewalls

Validating Vulnerabilities Identified by Scanners

Infrastructure Security

Management Plane

• OOB Mgmt

• RFC 1918 addresses

• MPLS L3 VPN

• iACLs

Control Plane

• CoPP

• iACLs

• Routing Security

Data Plane

• uRPF

• RTBH

• FlowSpec

• ACLs

• IDMS

• Firewalls

Redundancy & Anycast can help increasing Resiliency and Availability

something missing?

IPv Security Although IPv6 is supposed to offer increased security, this is not the whole truth Many security options are available, but few are supported or enabled by default There is a lot of on-going discussion on IETF’s 6man/opsec about IPv6 security, so expect many changes Keep in mind that a dual-stack network requires 4 areas to be secured:

IPv4 IPv6 IPv4 through/over IPv6 IPv6 through/over IPv4

CGNs can make life a lot harder due to additional complexity in user identification

Forthnet stats :

RFC 7123 (Security Implications of IPv6 on IPv4 Networks) RFC 6169 (Security Concerns with IP Tunneling) RFC 7359 (Layer 3 Virtual Private Network Tunnel Traffic Leakages in Dual-Stack Hosts/Networks) RFC 4942 (IPv6 Transition/Coexistence Security Considerations)

26% subscribers (1/3 is IPv6-only)

14% traffic

SDN Security

Controller

Applications Applications Applications

Switch Switch

Switch Switch

Switch Switch

Host Host

Northbound API (i.e. REST, Python, Java)

Southbound API (i.e. OpenFlow, NETCONF, PCEP)

Control Plane

Data Plane

SDN Security - The Bad Things Control Plane Vulnerabilities

The whole network is actually managed by a controller and some applications The whole network might collapse if something goes wrong on these Applications and controller are built on commodity computing platforms Vulnerabilities in these platforms will also affect the whole network

Possible effects after taking over the Controller/Applications

Modify/Insert/Delete content Spy on traffic Bypass security rules by driving traffic around Redirect traffic to compromised hosts for further exploitation Security depends more on virtual topology than physical A MITM attack becomes very-very attractive, making happy

And as if that were not enough… Both Northbound/Southbound APIs can also get compromised if not secured When nested applications or multiple organizations are involved, things can get messy

SDN Security – The Good Things Enforce a global/uniform security policy Check and maintain compliance with security standards Basic security rules can be applied on all devices Rapid response to threads Traffic redirection through an explicit security device is easier Tracking flows can help you isolate bad hosts faster

Hardening SDN

Apply OS hardening rules to controller and applications platforms Enforce RBAC policies for administration Implement a HA architecture on all critical parts Prefer an OOB network for control traffic Use authenticated/encrypted communication in all API calls Run frequent validation of flow policies Watch closely for new security architectures/frameworks

SDN Cleaner Infection: The end user clicks on a URL or attachment which downloads a rootkit. Breach: The rootkit begins executing a series of procedures to connect to the botnet control network. Watch: An SDN Application watches the traffic pattern from the infected host to the outside hosts. Detect: Based on the traffic flows the SDN Application detects that there is active malware on the infected host. React: The SDN Application initiates a quarantine directive to the SDN Controller based on these traffic flows. Respond: The SDN Controller creates a set of OpenFlow rules and pushes them down to the OpenFlow-enabled switch. Redirect: Infected host’s DNS and web traffic is redirected by the OpenFlow switch to a specific web server, which displays a web page with the necessary actions to be performed. Permit: Once the corrective actions have been performed, the rules are changed to the initial ones that allow the end host back into the network.

In summary

Thank you