Http:// Firewall on Demand A multidomain approach Leonidas Poulopoulos, Yannis Mitsos – GRNET NOC...
-
Upload
edward-palmer -
Category
Documents
-
view
215 -
download
0
Transcript of Http:// Firewall on Demand A multidomain approach Leonidas Poulopoulos, Yannis Mitsos – GRNET NOC...
http://www.grnet.gr
Firewall on Demand A multidomain approach
Leonidas Poulopoulos , Yannis Mitsos – GRNET NOC
Firewall on Demand workshopTF-MSP meeting 27-28 November 2014
Network threats
Scan
OpenDNS
brutef
orce
network-
scan
Commercial
aim
DDOSDOS
other
TOR-EX
IT-NODE
OpenNTP
0
10
20
30
40
50
60
Incidents per category per year
20142013
• GRNET Cloud IaaS
GRNET - Rapid Anomaly Detection Python tool - rady
Volumetric Packets(WP-pingback)
Consequences
• Performance degradation– GÉANT Backbone– NRENs
• Outages• Services malfunction• Resources– Human– Equipment
Mitigation Techniques though time
acls, firewall filters
RTBH
BGP flowspec
The BGP way
• Well established model of trust• Stable and robust
– Powers the internet
• Remote triggered black-hole routing
• BGP flow specification– “My name is Wall, Fire Wall”
Who are you BGP Flowspec?
• BGP Flowspec defined in RFC 5575• Layer 4 (TCP and UDP) firewall filters to be distributed in BGP on both a intra-
domain and inter-domain basis• Match
– source/dest prefix– source/dest port– ICMP type/code– packet size– DSCP– TCP flag– fragment type– Etc
• Actions– accept– discard– rate-limit– sample– redirect– etc
A firewall filter over BGP???
• Propagates wherever BGP flow spec is enabled– Currently supported by Juniper
• To the very ends of the network• To peering networks
– Downstream– Upstream
Ideas!• Apply to a single point and let it propagate to my borders• Sounds like attacks are now mitigated closer to source!!!
– YES!!!!• Seems that it is more granular than RTBH
– YES!!!!• Can we automate this?? Can we go from RFC to tool?
– Have already done this!!!
Can you remind me why we need BGP flowspec?
• Distributed across the network• Closer to the source• Fine-grained even on
core/backbone networks • Multidomain easy
propagation towards the upstream via BGP• Easy automation &
integration
ACLS
• Flowspec: enhancement of RTBH• Does not affect all traffic to
victim• Less coarse• More actions• Separate NLRI
BGP RTHB
Firewall on Demand – from RFC to tool
DEVELOPED BY: GRNETGRANULARITY: Per-flow level
ACTION: Drop, rate-limit, redirect
SPEED: 1-2 orders of magnitude quicker
EFFICIENCY: closer to the source, multi-domain
AUTOMATION: integration with other systems
MANAGEABILITY: status track, web interface
NEED FOR BETTER TOOLS TO MITIGATE TRANSIENT ATTACKS
GRNET setup
GEANTGRNET
Flowspec
Flowspec
Flowspec
Flowspec
Victim
FoD
ACL
ACL
How does it work?
• Customer’s NOC logs in web tool & describes flows and actions
• Destination validated against customer’s IP space
• A dedicated router is configured to advertise the route via BGP flowspec
• Dynamic firewall filters are implemented on all routers
• Attack is mitigated upon entrance
• End of attack: Removal via the tool, or auto-expire Web
NETCONF
eBGP
iBGP
UPSTREAM
NREN
Client Client
IX
FoD
Have you tried it in production?
• GRNET network in production since 2011
3years 21Tbytes 100rules 40users 20peers
Time to go multidomain
fod.geant.net
FoD recipe
• 1 central FoD instance• BGP flowspec enabled in GÉANT routers• 3 flavors– NREN without BGP flowspec supporting
equipment– NREN with BGP flowspec equipment that uses
local FoD– NREN with BGP flowspec equipment that uses
GEANT’s FoD
Phase 1 tests
GÉANT
CARNet
Victim
GRNET
Flowspec
Flowspec
FoD
Flowspec
Attacker
Click Apply
6 seconds later…
FoD Application Architecture
User Interface
Django MVC Long Polling (Gevent)
Job Queue (Celery/Beanstalk)
Caching Layer(Memcached)
Network Config to XML proxy (nxpy)
Python NETCONF client(ncclient)
NETCONFeBGP
eBGP
iBGP
iBGP
Shibboleth/eduGAIN
• https://code.grnet.gr/projects/flowspy• http://flowspy.readthedocs.org
OPEN SOURCE
Under the hood
• Django application– 1.4 – Debian Wheezy system packages
• Application server– Gunicorn
• HTTP server– Apache Proxy module
• Database– MySQL
• Caching– Memcached
• Job scheduler– Celeryd
• Que– Beanstalkd
• Network client– Ncclient - NETCONF
Installation and monitoring
• Extensively tested on Debian Wheezy– Using system packages
• Done in ~ 30 mins• Monitored components– Host checks– Service checks• Apache (check_http)• Gunicorn (check_mk)• Celeryd (check_mk)
Joining FoD
• Shibboleth attributes:– email (maps to HTTP_EMAIL)– persistent-nameid or persistent-id or targeted-id (all map
to HTTP_REMOTE_USER)• A valid institution/peer with active subnets
Support
• GRNET will actively support FoD• Same codebase• Small changes in single and multidomain– Shibboleth vs. eduGAIN
• Full installation documentation of multidomain flavor will be provided by the end of Nov 2014
http://www.grnet.gr
Thank you