SP Security Empowerment Materials
DRAFT 2.0
The following materials will help SPs, hosting centers, and operators of any large network get details on a wide range of SP security techniques. Many of these techniques take advantage of technologies that already exist in the network; it just takes a bit of time to learn them and deploy them. Most of them differ from traditional enterprise approaches to security: they use forwarding, QoS, and the other technologies that glue the Internet together to protect the Internet. Many of the links point to materials with Video on Demand (the NANOG sessions and Cisco Powersessions), which let you hear from the people who use and/or created the technique, many of them from large networks themselves.
STEP 1: Join Communities of People Working Together to Mitigate Miscreant Activities
Security on an SP’s network is not something you can do alone. Effective mitigation and prevention require collaboration with peers all over the planet. Prior to September 2002 there were no SP security communities working with each other to mitigate threats. Today there are several groups, each with an evolving specialty.
All SPs are strongly encouraged to join and actively participate in these mitigation communities. Not doing so is viewed as putting the SP’s business at severe risk of revenue-disrupting events.
NSP-SEC
NSP-SEC is one of the best inter-provider mitigation forums active today. It is a community that is more than a mailing list, with secure lines of communication and regular meetings. Details for NSP-SEC are listed here:
http://puck.nether.net/mailman/listinfo/nsp-security
NSP-SEC’s Charter
“Cyber defenders, ever vigilant, ever responsive.” -Marjorie Gilbert, 2003
The nsp-security [NSP-SEC] forum is a volunteer incident response mailing list, which coordinates the interaction between ISPs and NSPs in near real-time and tracks exploits and compromised systems as well as mitigates the effects of those exploits on ISP networks. The list has helped mitigate attacks and will continue to do so.
Who Qualifies for NSP-SEC Membership?
Step one is to ensure you meet the qualifications for NSP-SEC. Some common questions to ask yourself are:
- Do you work for some type of IP transit provider, huge multi-homed content provider, or service provider?
- Does your job include Operational Security?
- Are you willing to offer free services, data, forensics, and other monitoring data to the NSP community?
- Do you have authorization to actively mitigate incidents in your network? Do you actually log into a router and do something to mitigate an attack, or call someone and task them to do the work?
- Do you have the time for a real-time NSP mitigation forum?
If yes, then you might fit the expectations to be on the NSP-SEC Mitigation or Discussion Forums.
How to Join NSP-SEC?
Joining NSP-SEC is not simple; it requires layers of trust to be built with members of the community, and trust is built by working with them. The challenge is finding out who is part of NSP-SEC so you can start building a trust relationship. The following are guidelines known to build the trust relationships that get you on NSP-SEC. It is a path that will benefit the SP security operator (or just a normal SP engineer).
- SP Security contacts for all your upstream SPs. Many of the large SPs in the world are already part of the NSP-SEC community, so ensuring you have the SP security contact information for all your upstreams is a way to build trust relationships. Besides, you need this information in case there is a critical security incident.
- DSHIELD membership. DShield (see below) is a community that actively analyzes and mitigates issues on the Internet. It is another sphere of trust whose members intersect with the NSP-SEC world.
- NSP-SEC BOFs. Meeting people in person is perhaps the best way to get to know other NSP-SEC members. For that reason, NSP-SEC has BOF sessions at NANOG (www.nanog.org), RIPE (www.ripe.net), and APRICOT (www.apricot.net).
- Drone Armies. Drone Armies offers a different and broader community mix compared to NSP-SEC. There may be more people who know you on Drone-Armies than on NSP-SEC, yet there are a lot of NSP-SEC members on Drone-Armies (and vice versa).
- National CERTs. Meet your national CERT. Know the members, actively participate, and promote their activities. Many national CERTs are on NSP-SEC.
DSHIELD
DShield provides a platform for users of firewalls to share intrusion information. DShield is a free and open service. If you use a firewall, please submit your logs to the DShield database. You may either download one of our ready-to-go client programs, write your own, or use our Web Interface to manually submit your firewall logs. Registration is encouraged, but is not required. Everybody is welcome to use the information in the DShield reports and database summaries to protect their network from intrusion attempts.
Distributed detection systems in which individuals and organizations can participate:
DShield – www.dshield.org
MYNETWATCHMAN
The primary issue in Internet security is not that hackers troll the Internet, but rather that the Internet is chock full of insecure systems which are easily compromised, providing the means for hackers to perform untraceable, indirect attacks. The only profound way to improve Internet security is to reduce the number of compromised systems and minimize the amount of time that a system remains in a compromised state. myNetWatchman achieves its goals through:
- Security Event Aggregator
- Centralized, web-based firewall log analyzer
- Fully automated abuse escalation/management system
www.mynetwatchman.com
DRONE-ARMIES
Drone-Armies’ mission is to bring NSPs, big enterprises, security solution vendors, operating system vendors, networking vendors, and researchers together in an aggressive mitigation forum. It is a parallel forum to NSP-SEC. While NSP-SEC’s membership focuses on the SP operational security community, Drone Armies relies on the synergy of diversity to mitigate threats, combining host protection, system protection, and network protection interests. The community tends to focus on botnet and trojan/worm/virus disruption.
https://linuxbox.org/cgi-bin/mailman/listinfo/da
How to Join Drone Armies?
To apply, sign up via the Drone-Armies list’s subscription page:
https://linuxbox.org/cgi-bin/mailman/listinfo/da
MWP – Malware Providers
MWP is a mitigation community that specializes in detecting and reporting malware hosting. This includes droppers, trojans, phishing sites, and other miscreant systems. The community includes a broad segment of the white hat community. Phishing detection and disruption is one of the general consequences of MWP’s detecting and reporting.
How to Join MWP?
To apply, please sign up via:
https://linuxbox.org/cgi-bin/mailman/listinfo/mwp
STEP 2: Deploy the Basics
TEAM CYMRU Templates and Tools
Team Cymru provides configuration templates, security templates, and other services to help make the Internet a safer place to network. These can be found at:
http://www.cymru.com/
The Original Backscattered Traceback and Customer Triggered Remote Triggered Black Hole Techniques
http://www.secsup.org/Tracking/
http://www.secsup.org/CustomerBlackHole/
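The two secsup.org pages linked above document the techniques; as an added example for this page (not taken from those pages or from any vendor document), here is a minimal Cisco IOS configuration that implements both provider-triggered and customer-triggered remote triggered black holing, with the setting that backscatter traceback depends on. The AS numbers 65000 and 65001, the discard next-hop 192.0.2.1, the blackhole community 65000:666, the route tag 66, the customer block 203.0.113.0/24, the victim address 203.0.113.42 and the customer peer address 198.51.100.2 are all assumed placeholder values.

```cisco
! Added example (not from the linked pages). Assumed values: AS 65000,
! discard next-hop 192.0.2.1, blackhole community 65000:666, route tag 66.
!
! --- Every edge router: preinstall the discard route ---
! Any prefix whose BGP next-hop resolves to 192.0.2.1 is dropped in
! hardware at the edge; 192.0.2.1 itself is never announced anywhere.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Backscatter traceback relies on the ICMP unreachables that Null0
! generates toward the (spoofed) sources, so leave unreachables on and
! rate-limit them (one every 500 ms) instead of disabling them.
interface Null0
 ip unreachables
ip icmp rate-limit unreachable 500
!
! --- Trigger router (provider-triggered RTBH) ---
! A tagged static route is redistributed into iBGP with its next-hop
! rewritten to the discard address; no-export keeps it inside the AS.
route-map RTBH-TRIGGER permit 10
 match tag 66
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
!
router bgp 65000
 redistribute static route-map RTBH-TRIGGER
!
! To blackhole a victim across the whole network, add one static route
! on the trigger router; removing it withdraws the blackhole.
ip route 203.0.113.42 255.255.255.255 Null0 tag 66
!
! --- Customer-triggered RTBH (provider's customer-facing router) ---
! The customer announces a /32 out of its own block carrying the agreed
! community; the provider rewrites the next-hop to the discard address and
! keeps the route from being re-exported to other ASes. The prefix-list
! match stops a customer from blackholing space it does not own.
ip community-list standard CUST-BLACKHOLE permit 65000:666
ip prefix-list CUST-ROUTES seq 5 permit 203.0.113.0/24 le 32
!
route-map CUST-IN permit 10
 match community CUST-BLACKHOLE
 match ip address prefix-list CUST-ROUTES
 set ip next-hop 192.0.2.1
 set community no-export additive
route-map CUST-IN permit 20
 match ip address prefix-list CUST-ROUTES
!
router bgp 65000
 neighbor 198.51.100.2 remote-as 65001
 neighbor 198.51.100.2 route-map CUST-IN in
!
! --- Optional: source-based blackholing ---
! With loose-mode uRPF on the edge interfaces, a tagged route for an
! attack *source* also drops packets from that source: its route now
! points to Null0, so the packets fail the uRPF check.
interface GigabitEthernet0/0
 ip verify unicast source reachable-via any
```

Two things are easy to get wrong. The discard route for 192.0.2.1 must exist on every edge router before the trigger is ever used, or the blackholed prefix simply follows the normal next-hop on the routers that lack it. And for backscatter traceback the edge routers must still emit ICMP unreachables for packets dropped to Null0: a sinkhole that announces unused address space then receives the unreachables addressed to the spoofed sources that fall inside that space, and the source address of each unreachable tells you which edge router the attack is entering on.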
What is a BOTNET?
One of the best write-ups comes from a freeware tool that has since gone commercial (presumably so it can scale):
http://swatit.org/bots/index.html
NANOG SP Security Seminars and Talks
The NANOG Coordination Committee actively works to produce sessions and seminars that help foster security on the Internet. All sessions are taped and converted to VOD for anyone to use for their personal education. Over time, this effort has generated a valuable online tutorial for engineers and organizations seeking to learn more about running a more secure network.
NANOG Security Tutorial Series
Tutorial: Implementing a Secure Network Infrastructure (Part I)
Tutorial: ISP Security – Real World Techniques II – Secure the CPE Edge
Tutorial: ISP Security: Deploying and Using Sinkholes
Tutorial: Deploying IP Anycast
NANOG Security Sessions
A Day in the Security Life of a Service Provider—Qwest
http://www.nanog.org/mtg-0501/donsmith.html
Team Cymru Bogon Route Servers
http://www.nanog.org/mtg-0501/deitrich.html
Options for Blackhole and Discard Routing
http://www.nanog.org/mtg-0410/soricelli.html
ISP Security Toolkits
http://www.nanog.org/mtg-0410/battles.html
Botnets
http://www.nanog.org/mtg-0410/kristoff.html
What Will Stop Spam?
http://www.nanog.org/mtg-0410/stiles.html
DNSSEC Deployment: Big Steps Forward; Several Steps to Go
http://www.nanog.org/mtg-0410/crocker.html
Tracking Global Threats with the Internet Motion Sensor
http://www.nanog.org/mtg-0410/bailey.html
Implications of Securing Backbone Router Infrastructure
http://www.nanog.org/mtg-0405/mcdowell.html
Preparing RIR Allocation Data for Network Security Analysis Tasks
http://www.nanog.org/mtg-0405/trammell.html
Integrated Security for SNMP-Based Management
http://www.nanog.org/mtg-0405/hardaker.html
Watching Your Router Configurations and Detecting Those Exciting Little Changes
http://www.nanog.org/mtg-0310/rancid.html
Building a Web of Trust
http://www.nanog.org/mtg-0310/abley.html
The Relationship Between Network Security and Spam
http://www.nanog.org/mtg-0310/spam.html
Simple Router Security, What Every ISP Router Engineer Should Know and Practice
http://www.nanog.org/mtg-0310/routersec.html
Flawed Routers Flood University of Wisconsin Internet Time Server
http://www.nanog.org/mtg-0310/plonka.html
Trends in Denial of Service Attack Technology
http://www.nanog.org/mtg-0110/cert.html
Recent Internet Worms: Who Are the Victims, and How Good Are We at Getting the Word Out?
http://www.nanog.org/mtg-0110/moore.html
DoS Attacks in the Real World
http://www.nanog.org/mtg-0110/irc.html
Diversion & Sieving Techniques to Defeat DDoS
http://www.nanog.org/mtg-0110/afek.html
DNS Damage – Measurements at a Root Server
http://www.nanog.org/mtg-0202/evi.html
Protecting the BGP Routes to Top Level DNS Servers
http://www.nanog.org/mtg-0206/bush.html
BGP Security Update
http://www.nanog.org/mtg-0206/barry.html
Industry/Government Infrastructure Vulnerability Assessment: Background and Recommendations
http://www.nanog.org/mtg-0206/avi.html
A National Strategy to Secure Cyberspace
http://www.nanog.org/mtg-0210/sachs.html
How to 0wn the Internet in Your Spare Time
http://www.nanog.org/mtg-0210/vern.html
ISP Security BOF I
http://www.nanog.org/mtg-0210/securebof.html
The Spread of the Sapphire/Slammer Worm
http://www.nanog.org/mtg-0302/weaver.html
ISP Security BOF II
http://www.nanog.org/mtg-0302/securebof.html
The BGP TTL Security Hack
http://www.nanog.org/mtg-0302/hack.html
Security Considerations for Network Architecture
http://www.nanog.org/mtg-0302/avi.html
Lack of Priority Queuing on Route Processors Considered Harmful
http://www.nanog.org/mtg-0302/gill.html
Interception Technology: The Good, The Bad, and The Ugly!
http://www.nanog.org/mtg-0306/schiller.html
The NIAC Vulnerability Disclosure Framework and What It Might Mean to the ISP Community
http://www.nanog.org/mtg-0306/duncan.html
Inter-Provider Coordination for Real-Time Tracebacks
http://www.nanog.org/mtg-0306/moriarity.html
ISP Security BOF III
http://www.nanog.org/mtg-0306/securitybof.html
S-BGP/soBGP Panel: What Do We Really Need and How Do We Architect a Compromise to Get It?
http://www.nanog.org/mtg-0306/sbgp.html
BGP Vulnerability Testing: Separating Fact from FUD
http://www.nanog.org/mtg-0306/franz.html
BGP Attack Trees – Real World Examples
http://www.nanog.org/mtg-0306/hares.html
NRIC Best Practices for ISP Security
http://www.nanog.org/mtg-0306/callon.html
RIPE SP Security Presentations
RIPE-46 BoF: NSP-SEC (Hank Nussbacher)
http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-nspbof-nsp-sec.pdf
IRT Object in the RIPE Database (Ulrich Kiermayr)
http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-nspbof-irt.pdf
Operational Security Requirements (George M. Jones)
http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-techsec-ops-security.pdf
Infrastructure Security (Nicholas Fischbach)
http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-nspbof-fischbach.pdf
MPLS-Based Traffic Shunt PDF (Nicholas Fischbach)
http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-eof-fischbach.pdf
Address Space and AS Number Hijacking (Leslie Nobile, Leo Vegoda)
http://www.ripe.net/ripe/meetings/ripe-48/presentations/ripe48-eof-nobile-vegoda.pdf
Managing a DoS Attack (Vincent Gillet, Jean-michel Valey)
http://www.ripe.net/ripe/meetings/ripe-48/presentations/ripe48-eof-gillet.pdf
ETSI & Lawful Interception of IP Traffic (Jaya Baloo)
http://www.ripe.net/ripe/meetings/ripe-48/presentations/ripe48-eof-etsi.pdf
Securing a Core Network: Tutorial (Michael Behringer)
http://www.ripe.net/ripe/meetings/ripe-49/presentations/ripe49-eof-security-tutorial.pdf
Cisco SP Security Powersession Series
Service Providers Power Session in Dulles, Virginia, on October 20 and 21, 2004
http://www.ciscotmme.com/go/securitypowersession/presentations.lasso
Powersession on Core Security (4-6 May 2004)
http://www.ciscoeventreg.net/go/networkers/agenda9.lasso
CPN Summit SP Security Materials (April 2004)
ftp://ftp-eng.cisco.com/cons/isp/security/CPN-Summit-2004/
Sydney Australia SP Security Powersession
DAY 1: Thursday, December 1, 2005
11:00 – 12:00 – Identifying and Classifying Attacks and Security Incidents, Kunjal Trivedi, Product Manager, Cisco Systems, Inc.
13:00 – 14:00 – SP Control Plane Security – BGP
14:00 – 15:00 – DDoS Attack Methodology, Seo Boon Ng, Network Consulting Engineer, Cisco Systems, Inc.
15:30 – 17:00 – Protect the Infrastructure, Kunjal Trivedi, Product Manager, Cisco Systems, Inc. and Tony Kirkham, Network Consulting Engineer, Cisco
DAY 2: Friday, December 2, 2005
09:00 – 10:30 – How to Build a Security Operations Center, Barry Greene, Security Architect, Cisco Systems, Inc.
11:00 – 12:00 – Deploying Security Techniques –Using uRPF, rACLs, and other Tools as a Deployment Example, Tony Kirkham, Network Consulting Engineer, Cisco Systems, Inc.
13:00 – 14:00 – Principles of the Miscreants-Economic Theory, Cyberwar, Ego in Today’s Attacks, Barry Greene, Security Architect, Cisco Systems, Inc.
14:00 – 15:00 – Core Hiding – ISIS and Forwarding as a Security Tool, Seo Boon Ng, Network Consulting Engineer, Cisco Systems, Inc.
Cisco SP Security Materials
BGP ‘Attack Tree’ – Realities of BGP Security: Cisco’s CIAG team moves beyond armchair hypothesizing about BGP security risk and runs tests against the industry’s multiple implementations of BGP
http://wwwin-people.cisco.com/sean/ciag-bgp-blackhatv2.pdf
Protecting Your Core: Infrastructure Protection Access Control Lists
Infrastructure Protection on Cisco IOS Software-based Platforms
(Giving Lots of Hardware Examples)
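As an added illustration of the infrastructure protection ACL (iACL) technique the two Cisco titles above cover, written for this page rather than taken from either document, the following assumes a provider whose loopbacks and internal links live in 192.0.2.0/24, whose own AS is 65000, whose external peering link is 203.0.113.0/30 (our side 203.0.113.2, the peer 203.0.113.1 in AS 64500), and whose NOC management station is 198.51.100.10; all of these are placeholder values.

```cisco
! Added example, not from the Cisco documents listed above. Assumed values:
! infrastructure block 192.0.2.0/24 (loopbacks, internal links), our AS 65000,
! peering link 203.0.113.0/30 (us .2, peer .1 in AS 64500), NOC host 198.51.100.10.
!
ip access-list extended INFRA-PROTECT
 remark == 1. anti-spoofing: nobody outside may source packets from our
 remark    infrastructure block or from unroutable space
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 remark == 2. explicitly permit the control-plane traffic we expect
 remark    eBGP from the directly connected peer only (see ttl-security below)
 permit tcp host 203.0.113.1 host 203.0.113.2 eq bgp
 permit tcp host 203.0.113.1 eq bgp host 203.0.113.2
 remark    management only from the NOC station
 permit tcp host 198.51.100.10 192.0.2.0 0.0.0.255 eq 22
 permit udp host 198.51.100.10 192.0.2.0 0.0.0.255 eq snmp
 remark    the ICMP types that troubleshooting and PMTU discovery depend on
 permit icmp any 192.0.2.0 0.0.0.255 echo
 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
 permit icmp any 192.0.2.0 0.0.0.255 ttl-exceeded
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 permit icmp any host 203.0.113.2 echo
 permit icmp any host 203.0.113.2 packet-too-big
 remark == 3. everything else aimed at infrastructure addresses is dropped
 deny   ip any 192.0.2.0 0.0.0.255
 deny   ip any host 203.0.113.2
 remark == 4. transit traffic to customers is not touched by this ACL
 permit ip any any
!
interface GigabitEthernet0/1
 description eBGP peer AS 64500
 ip address 203.0.113.2 255.255.255.252
 ip access-group INFRA-PROTECT in
!
router bgp 65000
 neighbor 203.0.113.1 remote-as 64500
 ! GTSM: accept the session only when the TTL is still 255, i.e. the
 ! packet really came from the directly connected peer.
 neighbor 203.0.113.1 ttl-security hops 1
```

The ACL is applied inbound only on external-facing interfaces, so it never sits in the path of customer-to-customer transit, and the order is what makes it work: anti-spoofing denies first, then the narrow permits, then the catch-all deny for infrastructure destinations, then permit any any for transit. The ttl-security line is the "BGP TTL Security Hack" from the NANOG list above: a non-adjacent attacker cannot deliver a packet with TTL 255, so spoofed TCP segments aimed at the BGP session are dropped before they reach the BGP process. Where the platform supports it, the same allow-list without the final permit can also be applied as a receive ACL (ip receive access-list, which on the platforms where it was first introduced takes a numbered extended ACL) so that the route processor is protected no matter which interface a packet arrives on.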