connect • communicate • collaborate

GÉANT: A Defense in Depth Approach to Securing a 100 Gb/s Network
Wayne Routly, DANTE
Summer 2012 ESCC/Internet2 Joint Techs, San Francisco, July 2012



Page 2

Agenda

GÉANT: Who, What, How
Defence in Depth – A Layered Approach
NSHaRP & Netreflex – Technologies & Services
NfSen – Community-Based Solutions
Splunk – Commercial Systems
Network Aspects – Baseline Security Aspects
In Conclusion

Page 3

GÉANT : Who What How

State-of-the-art pan-European network: a transit network and ISP
18 physical PoPs
40 Gb/s links -> 100 Gb/s
TB of data shifted
10 million+ IPs
100 workstations
Unusual traffic
Truly global
Interconnects: 38 NRENs; commercial & commodity traffic

Page 4

Defence in Depth - A Layered Approach

Independent layers – greater control
Avoid the all-eggs-in-one-basket approach – a mix of technologies
Scalable

Page 5

NSHaRP

A mechanism to quickly and effectively inform affected users
Adds value – serves as an extension to the NRENs' CERTs
An automated incident notification & handling system
Extends the NRENs' detection and mitigation capability to the GÉANT borders
Innovative and unique – caters for different types of requirements
Supported with the GÉANT NOC trouble-ticket system (TTS)

Page 6

NSHaRP - Netreflex

Netreflex 2.5 (2.9)
BGP, IS-IS & NetFlow mashup – path through the network
Anomaly detection & alerting – diverse palette
Ability to create profiles…..lots of profiles – new peerings
Expandable anomaly-type capability – new event types
Can also be used by the NOC – traffic analysis

Page 7

Netreflex – Anomaly Detection

Page 8

Netreflex – Anomaly Analysis

Page 9

NfSen – Netflow Sensor

A graphical web-based front end for nfdump.
Display your NetFlow data: flows, packets and bytes using RRD (Round Robin Database).
Easily navigate through the NetFlow data.
Process the NetFlow data within the specified time span.
Create history as well as continuous profiles.
Set alerts, based on various conditions.
Write your own plugins to process NetFlow data on a regular interval.

Page 10

NfSen – Graphing Netflow

Graph Flows from Multiple Routers

View Time Slice / Window

Protocol / Packet / Flows

Analyse Flows (Incidents)

Dimensional

Near Zero Day Analysis

Page 11

NfSen – Alerting
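The Netreflex anomaly detection (pages 6 to 8) and the NfSen alerting shown on this slide both come down to the same loop: aggregate flow records per time slot and per profile, compare against what that profile normally does, alert on the deviation, then drill down into the offending slot. The following is an added example written for this page; it is not code from the GÉANT deck, NfSen or Netreflex. It reads nfdump-style CSV records (the column subset and order are assumed), profiles per source AS so that each peering gets its own baseline, alerts when a 5-minute window exceeds five times the median of the preceding windows and an absolute floor, and lists the top sources in the alerted window. All flow records are constructed inline; the AS numbers, prefixes and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import csv
import io
import statistics

WINDOW = 300                   # seconds: NfSen works in 5-minute slots
EPOCH = datetime(1970, 1, 1)
TS_FMT = "%Y-%m-%d %H:%M:%S"
HEADER = "ts,te,pr,sa,da,sp,dp,ipkt,ibyt,sas,das"   # assumed nfdump '-o csv' subset
FLOORS = {"flows": 50, "packets": 1000, "bytes": 100_000}  # absolute minimums before alerting


def constructed_sample() -> str:
    """Constructed flow records: two peer ASes over five windows; in the last
    window one host in AS 64500 opens 400 one-packet flows to port 22 across
    198.51.100.0/24 (a scan/flood signature)."""
    base = datetime(2012, 7, 12, 9, 0, 0)
    rows = [HEADER]
    for w in range(5):
        t0 = base + timedelta(seconds=WINDOW * w)
        for i in range(20):                                    # steady traffic
            ts = (t0 + timedelta(seconds=10 * i)).strftime(TS_FMT)
            rows.append(f"{ts},{ts},TCP,192.0.2.{i + 1},198.51.100.{i + 1},443,{50000 + i},120,150000,64500,64496")
            rows.append(f"{ts},{ts},UDP,203.0.113.{i + 1},198.51.100.{i + 1},53,{40000 + i},4,600,64501,64496")
        if w == 4:                                             # the anomaly
            for i in range(400):
                ts = (t0 + timedelta(seconds=i % WINDOW)).strftime(TS_FMT)
                rows.append(f"{ts},{ts},TCP,192.0.2.250,198.51.100.{i % 254 + 1},{1024 + i},22,1,40,64500,64496")
    return "\n".join(rows) + "\n"


def parse_flows(text: str) -> list:
    """nfdump-style CSV -> list of typed flow dicts."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({"ts": datetime.strptime(row["ts"], TS_FMT), "proto": row["pr"],
                      "src": row["sa"], "dst": row["da"], "dport": int(row["dp"]),
                      "packets": int(row["ipkt"]), "bytes": int(row["ibyt"]),
                      "src_as": int(row["sas"])})
    return flows


def slot_of(ts: datetime) -> int:
    """Start of the 5-minute window containing ts, in seconds since the epoch."""
    return int((ts - EPOCH).total_seconds()) // WINDOW * WINDOW


def bucket_by_profile(flows, key=lambda f: f["src_as"]):
    """Sum flows/packets/bytes per (window, profile). The profile key is
    pluggable: per source AS (one profile per peering) by default."""
    out = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for f in flows:
        c = out[(slot_of(f["ts"]), key(f))]
        c["flows"] += 1
        c["packets"] += f["packets"]
        c["bytes"] += f["bytes"]
    return dict(out)


def detect_anomalies(buckets, history=3, ratio=5.0):
    """Compare each window with the median of the previous `history` windows
    of the same profile; alert when a metric exceeds both ratio * baseline
    and its floor in FLOORS, so a near-zero baseline cannot alert on noise."""
    series = defaultdict(dict)
    for (slot, profile), counters in buckets.items():
        series[profile][slot] = counters
    alerts = []
    for profile, by_slot in series.items():
        slots = sorted(by_slot)
        for idx in range(history, len(slots)):
            previous = [by_slot[s] for s in slots[idx - history:idx]]
            current = by_slot[slots[idx]]
            for metric, floor in FLOORS.items():
                baseline = statistics.median(p[metric] for p in previous)
                if current[metric] > max(floor, ratio * baseline):
                    alerts.append({"window": (EPOCH + timedelta(seconds=slots[idx])).isoformat(),
                                   "profile": profile, "metric": metric,
                                   "value": current[metric], "baseline": baseline})
    return alerts


def top_sources(flows, window_iso: str, profile, key=lambda f: f["src_as"], n: int = 3):
    """Drill-down for one alert: sources in that window and profile ranked by
    flow count (the 'Analyse Flows (Incidents)' step)."""
    slot = slot_of(datetime.fromisoformat(window_iso))
    counts = defaultdict(int)
    for f in flows:
        if slot_of(f["ts"]) == slot and key(f) == profile:
            counts[f["src"]] += 1
    return sorted(counts.items(), key=lambda kv: -kv[1])[:n]


if __name__ == "__main__":
    flows = parse_flows(constructed_sample())
    for alert in detect_anomalies(bucket_by_profile(flows)):
        print(alert, top_sources(flows, alert["window"], alert["profile"]))
```

On the constructed data only the flow count of AS 64500 trips in the 09:20 window (420 flows against a baseline of 20); packets and bytes stay within range, which is why a single-metric "bytes per second" alarm would have missed this scan. Passing a different key (for example per protocol) gives a second, independent set of profiles from the same records, which is the "lots of profiles" idea on page 6.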

Page 12

Splunk – Log Level Analytics

Project completion September 2012
Provide visibility of low-"noise" events – non-NetFlow sources, trends
Consolidate logging – across departments, across roles
Reporting aspects – big picture, today vs. yesterday
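What the Splunk layer adds over the flow-based layers is visibility of events that never appear in NetFlow at all, and of the rare event that volume counting hides. The following is an added example for this page, not code from the deck or from Splunk: it normalises three constructed log formats (sshd on a workstation, a router's firewall deny messages, RADIUS logins on routers) into one event schema, produces the today-vs-yesterday trend per event type, and surfaces low-noise events, meaning actor/source combinations whose first appearance in the whole history is today. The hostnames, message formats, the assumed year and every log line are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import date, datetime

YEAR = 2012                      # syslog lines carry no year; assumed here
SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
# One regex per source type; each must capture event, actor and src.
PATTERNS = [
    ("sshd", re.compile(r"sshd\[\d+\]: (?P<event>Failed|Accepted) password for (?P<actor>\S+) from (?P<src>\S+)")),
    ("fw", re.compile(r"fw: (?P<event>DENY|PERMIT) \S+ (?P<src>[\d.]+):\d+ -> (?P<actor>[\d.]+:\d+)")),
    ("radius", re.compile(r"login: (?P<event>LOGIN_OK|LOGIN_FAIL) user=(?P<actor>\S+) src=(?P<src>\S+)")),
]

# Constructed log lines from three kinds of device; the formats are assumptions.
SAMPLE_LINES = """\
Jul 11 10:02:11 ws-noc-01 sshd[4123]: Failed password for root from 203.0.113.9 port 51234 ssh2
Jul 11 10:02:15 ws-noc-01 sshd[4123]: Failed password for root from 203.0.113.9 port 51236 ssh2
Jul 11 11:20:02 rtr-lon-1 fw: DENY tcp 198.51.100.7:40123 -> 10.0.0.1:23
Jul 11 12:00:00 rtr-par-1 login: LOGIN_OK user=alice src=10.0.0.5
Jul 11 16:30:00 rtr-par-1 login: LOGIN_OK user=bob src=10.0.0.6
Jul 12 09:00:01 ws-noc-01 sshd[5001]: Failed password for root from 203.0.113.9 port 60001 ssh2
Jul 12 09:00:03 ws-noc-01 sshd[5001]: Failed password for admin from 203.0.113.9 port 60002 ssh2
Jul 12 09:00:05 ws-noc-01 sshd[5001]: Failed password for root from 203.0.113.9 port 60003 ssh2
Jul 12 09:00:07 ws-noc-01 sshd[5001]: Failed password for root from 203.0.113.9 port 60004 ssh2
Jul 12 09:01:00 rtr-lon-1 fw: DENY tcp 198.51.100.7:40200 -> 10.0.0.1:23
Jul 12 09:05:00 rtr-lon-1 fw: DENY udp 198.51.100.7:40201 -> 10.0.0.1:161
Jul 12 10:00:00 rtr-par-1 login: LOGIN_OK user=alice src=10.0.0.5
Jul 12 10:15:00 rtr-par-1 login: LOGIN_OK user=alice src=198.51.100.200
Jul 12 10:15:30 ws-noc-01 cron[77]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()


def parse_line(line: str):
    """Normalise one syslog line into the common schema, or None when no
    source-type pattern matches (such lines are skipped by the analytics)."""
    m = SYSLOG.match(line)
    if not m:
        return None
    for sourcetype, pattern in PATTERNS:
        hit = pattern.search(m["msg"])
        if hit:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=YEAR)
            return {"ts": ts, "host": m["host"], "sourcetype": sourcetype, **hit.groupdict()}
    return None


def consolidate(lines):
    """Parse and merge lines from all devices into one time-ordered event list."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def daily_counts(events):
    counts = defaultdict(Counter)
    for e in events:
        counts[e["ts"].date()][(e["sourcetype"], e["event"])] += 1
    return counts


def compare_days(events, today: str, yesterday: str):
    """Trend report: (sourcetype, event) -> (yesterday count, today count, % change)."""
    counts = daily_counts(events)
    t_day, y_day = date.fromisoformat(today), date.fromisoformat(yesterday)
    report = {}
    for key in sorted(set(counts[t_day]) | set(counts[y_day])):
        y, t = counts[y_day][key], counts[t_day][key]
        report[key] = (y, t, None if y == 0 else round(100.0 * (t - y) / y, 1))
    return report


def first_seen(events, today: str):
    """Low-noise events: (sourcetype, event, actor, src) combinations whose first
    occurrence in the whole history is today. One such line is invisible in
    the volume trend above but is exactly what an analyst wants to see."""
    t_day = date.fromisoformat(today)
    earliest = {}
    for e in events:                                   # events are time-ordered
        earliest.setdefault((e["sourcetype"], e["event"], e["actor"], e["src"]), e["ts"].date())
    return [key for key, seen in earliest.items() if seen == t_day]


if __name__ == "__main__":
    events = consolidate(SAMPLE_LINES)
    for key, row in compare_days(events, "2012-07-12", "2012-07-11").items():
        print(key, row)
    for key in first_seen(events, "2012-07-12"):
        print("first seen today:", key)
```

The trend report says failed SSH logins and firewall denies doubled, which is the "today vs. yesterday" view; the first-seen pass is what picks out the three things worth a ticket: a new username being tried against the NOC workstation, the same external host now probing SNMP on a router, and a known operator account logging into a router from an address it has never used before.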

Page 13

Network Layer Protections

IP network segmentation – zones (IPv4 & IPv6)
Standardised firewall filters – rapid deployment
Security baseline – Day 1
Access control
– RADIUS-based authentication
– Restrict protocols (management)
Penetration testing
– Confirm best practice

[Diagram: penetration testing of GÉANT and DANTE hosts, labelled with ports 443, 139 and 22]
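Standardised filters only stay standard if they are generated from one definition rather than typed per router. The following is an added example for this page, not the GÉANT/DANTE configuration or a vendor tool: zone definitions carrying both IPv4 and IPv6 prefixes and a baseline of which zone may reach which management protocol are rendered into the same loopback filter for every router and both address families, and a lint pass rejects a filter that does not end in an explicit discard or that admits a management service from any source. The zone names, prefixes, ports and the Junos-like output syntax are assumptions.

```python
from dataclasses import dataclass, field

# Constructed zone definitions (documentation prefixes) for both address families.
ZONES = {
    "mgmt":  {"inet": ["192.0.2.0/28"],    "inet6": ["2001:db8:ffff::/64"]},
    "peers": {"inet": ["198.51.100.0/24"], "inet6": ["2001:db8:1::/48"]},
}
# Baseline: which zones may reach which service on the routers' own addresses.
SERVICES = {
    "ssh":  ("tcp", 22,  ["mgmt"]),
    "snmp": ("udp", 161, ["mgmt"]),
    "bgp":  ("tcp", 179, ["peers"]),
}


@dataclass
class Term:
    name: str
    action: str                      # "accept" or "discard"
    protocol: str = ""
    port: int = 0
    sources: list = field(default_factory=list)   # zone names; empty means any source


def build_terms(services=SERVICES) -> list:
    """Standard term list: one accept term per (service, zone), then a logged
    default discard. Every router gets exactly this, so there is no per-PoP drift."""
    terms = [Term(f"allow-{svc}-from-{zone}", "accept", proto, port, [zone])
             for svc, (proto, port, zones) in services.items() for zone in zones]
    terms.append(Term("deny-everything-else", "discard"))
    return terms


def lint(terms) -> list:
    """Day-1 baseline checks before a filter is pushed: it must end in an
    explicit discard, and no accept term may admit a service from any source."""
    problems = []
    if not terms or terms[-1].action != "discard":
        problems.append("filter does not end in an explicit discard")
    for t in terms:
        if t.action == "accept" and not t.sources:
            problems.append(f"term {t.name} accepts {t.protocol}/{t.port} from any source")
    return problems


def render(terms, family="inet", name="protect-re") -> str:
    """Render the terms as a Junos-style loopback filter (the syntax is an
    assumption here; adapt it to the platform in use)."""
    proto_kw = "protocol" if family == "inet" else "next-header"
    out = ["firewall {", f"    family {family} {{", f"        filter {name} {{"]
    for t in terms:
        out.append(f"            term {t.name} {{")
        if t.action == "accept":
            prefixes = " ".join(f"{p};" for z in t.sources for p in ZONES[z][family])
            out += ["                from {",
                    f"                    source-address {{ {prefixes} }}",
                    f"                    {proto_kw} {t.protocol};",
                    f"                    destination-port {t.port};",
                    "                }",
                    "                then accept;"]
        else:
            out.append("                then { log; discard; }")
        out.append("            }")
    out += ["        }", "    }", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    weak = [Term("allow-ssh-anywhere", "accept", "tcp", 22), Term("deny", "discard")]
    print("weak filter:", lint(weak))
    standard = build_terms()
    print("standard filter:", lint(standard) or "ok")
    for fam in ("inet", "inet6"):
        print(render(standard, fam))
```

The weak term in the usage block is the kind of thing a penetration test against the loopback addresses would find (SSH answering from every source); the lint catches it before deployment, which is what "security baseline – Day 1" means in practice. The rendered filter is only useful once applied as the input filter on the loopback interface for each family, and the IPv6 variant must be generated and applied alongside the IPv4 one, since a zone that exists only in IPv4 leaves the IPv6 management plane open.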

Page 14

In Conclusion

GÉANT: Who, What, How
Why Defence in Depth?
1st layer – NSHaRP & Netreflex
2nd layer – NfSen
3rd layer – Splunk
4th layer – Network layer protections

Page 15

Questions?