Security Challenges & Remedies for the Telecoms Operator and its Customers

Transcription

1 Security Challenges & Remedies for the Telecoms Operator and its Customers Nikos Xanthopoulos Senior Product Manager, Voice & Data Services Tassos Chatzithomaoglou IP Engineering Manager March 2015

2 1 st part... Nikos Xanthopoulos Senior Product Manager, Voice & Data Services

3 Top emerging cyber-threats Malicious Code: Worms/Trojans Web-based attacks Web application / injection attacks Botnets & DoS attacks Phishing & Cyber espionage Data Breaches Information Leakage Physical damage/theft/loss Identity theft/fraud Source: ENISA Threat Landscape 2014

4 since since since since DDoS Attack Trends Total DDoS attacks increased 57% Q Average Peak DDoS bandwidth increased 52% Q Average DDoS duration increased 28% Q DDoS attacks increase 51% application 58% infrastructure Q Industries attacked most often: Gaming: 35% Software & Technology: 27% Internet & Telecom: 11% Media & Entertainment: 10% Financial Services: 7% Source: Akamai Q Internet Security Report

5 Who should care? e-commerce sites Web banking sites Web ordering & logistics Online booking Web portals

6 Why should I care? Lose money Lose trust Website/Applications/Services NOT available You can t serve your customers/partners Customer dissatisfaction Competitive disadvantage

7 Forthnet security services portfolio DDoS protection & IPS/IDS Antivirus Managed Firewall Antispam Managed Perimeter Security (on roadmap) Anti-fraud

8 Network-based DDoS protection service Applicable for Internet LL & Data Center customers Mitigation Main Features Fully managed service by Forthnet. 24hour monitoring of customer networks. Detection and protection from volumetric network attacks (Layer 3 & 4). Automatic mitigation in case of an attack. Protection policy and response times guaranteed by SLA. Automatic periodical renewal of the signatures used (via Atlas).

9 Extra on-premise DDoS protection & IPS/IDS Extra Features Real time protection & mitigation on customer premise. Protection also from Application Layer (Layer 7) attacks & malware, botnets, worms etc. Network DDoS protection utilization for volumetric attacks with Cloud Signaling. CPE & vendor services can be provided as CAPEX & OPEX.

10 Total solution Block volumetric attacks at core Block application-layer attacks at the edge IDMS/CP Internet Mitigation Core Routers DC Routers Firewalls IDS/IPS Data Center or Customer s Premise IDMS/TMS

11 Managed Perimeter Security (on roadmap) Firewall VPN Load Balancing Data Leak Prevention Anti-virus URL filtering Anti-spam Application control IPS

12 Forthnet anti-fraud platform Types of telecommunication fraud: o International Revenue Share Fraud (IRSF) o Payment Fraud o Premium Rate Service o Service Abuse o Interconnect Bypass Methods of telecommunication fraud: o PBX Hacking o VoIP Hacking o Subscription Fraud o Account Takeover / Identity Take Over o Exploitation of network weakness Rules & customer profile CDRs & historical data Alert Generation by Incident Management

13 In summary Cyber attacks increase exponentially Firewalls are not enough Be aware! Protect your business Choose the right partners

14 Thank you

15 2 nd part... Tassos Chatzithomaoglou IP Engineering Manager

16 Security Incident Management Preparation Prepare/Profile the network Create/Get & test tools Prepare & test procedures Create/Train security team Practice frequently Use a runbook and a knowledge base Identification How do you know about the incident? What tools can you use? What s your process for communication? What kind of incident is it? Traceback Where is the incident s origin? Where and how is it affecting the network? Reaction What options do you have to remedy? Which option is the best under the circumstances? Which services/customers will be affected? Lessons Learned What was done to fix the incident? Can anything be done to prevent it? How can it be less painful in the future? Action

17 Be Prepared Credentials & Identity Management Network Management Devices & Users Management Configuration Management Basic Network Monitoring Syslog/SNMP Monitoring SNMP Probing Routing Table Monitoring Advanced Network Monitoring & Telemetry Flows Collection & Reporting Packets Collection & Reporting Penetration Testing & Vulnerability Scanning

18 Credentials & Identity Management Allow only specific users to have access to network devices Access to network devices must be approved by specific authorized users and be recorded Each user must have a unique username/password for login Use a strict policy for password strength and frequent password changes Passwords should be delivered to users through encrypted means only (i.e. PGP) Each network device may have a local username/password defined too Different types of devices should have different local usernames/passwords All network devices should implement RBAC (Role Based Access Control)

19 Device & User Management Use AAA on all network devices Use separate AAA server/process for infrastructure and customers Tacacs (RFC 1492, TCP, md5 encryption by default for packet payload) Radius (RFC 2865, UDP, md5 encryption by default only for password) RadSec or Radius on steroids (RFC 6614, TLSoTCP by default) Diameter (RFC 6733, TLSoTCP and DTLSoSCTP by default) Allow only encrypted access: ssh, https, netconf over ssh (RFC 6242) Access to devices from external users should allowed only when using secure tunnels (i.e. IPSec, TLS) and two-factor authentication Use different roles per user and per device (advanced RBAC model)

20 Advanced RBAC Model User User Group Role OS Who? What? Where? Device Device Group

21 Configuration Management Automatic & manual backup per device or per group of devices Configurations accessible though a web interface and/or API Configuration access limited to users using a RBAC model Support encryption of whole configuration or keywords related to security related entries in configurations Support version control and comparison of archived configurations Search configurations for specific patterns/keywords Verify compliance with various security standards (i.e. PCI DSS) Some network devices support local archiving of configuration changes (beware of security related entries being exposed in cleartext) Send alerts with configuration changes Store other useful data besides configurations Assist in network automation

22 Syslog/SNMP Monitoring Visualization Privacy Sharing Capture Storage data Analysis Search Use multiple processes/threads for command parallelization Send data over a secure transport (i.e. TLS/DTLS) and through an isolated (i.e. management) channel Implement device/service grouping for easier management Separate frontend (provisioning) and backend (collector/manager /poller) Use multiple (geographically dispersed) collectors Collect data from border routers, firewalls, IDS/IPS, DNS Servers Send alerts with high priority data immediately Implement a data retention policy based on classification & importance Visualize as much as possible Use separate collectors for infrastructure and customers

23 Routing Table Monitoring RPKI (RFCs 6480,6483,6491,etc.) can be implemented in order to minimize route hijacking/spoofing

24 DDoS Statistics Largest attack measured was 26 Gbps 332 attacks over 1 Gbps, 36 attacks over 10 Gbps Attack targets were mostly retail customers, political parties, legal firms, news portals, financial institutions, IRC servers (!) Majority of attacks were based on DNS/NTP/SSDP Amplification and HTTP Flood 2 Gbps Amplification Factor (US-CERT) DNS 28 to 54 NTP 557 SNMP 6 26 Gbps SSDP 31 CharGEN 359

25 Penetration Testing Web Application Penetration Testing End-User Security Awareness Testing Endpoint Penetration Testing Mobile Device Penetration Testing Network Penetration Testing Password and Identity Cracking Wireless Network Penetration Testing SCADA Security Testing Network Device Penetration Testing Testing the Efficacy of IPS/IDS, Firewalls Validating Vulnerabilities Identified by Scanners

26 Infrastructure Security Management Plane OOB Mgmt RFC 1918 addresses MPLS L3 VPN iacls Control Plane CoPP iacls Routing Security Data Plane urpf RTBH FlowSpec ACLs IDMS Firewalls something missing? Redundancy & Anycast can help increasing Resiliency and Availability

27 IPv Security Although IPv6 is supposed to offer increased security, this is not the whole truth Many security options are available, but few are supported or enabled by default There is a lot of on-going discussion on IETF s 6man/opsec about IPv6 security, so expect many changes Keep in mind that a dual-stack network requires 4 areas to be secured: IPv4 IPv6 IPv4 through/over IPv6 IPv6 through/over IPv4 CGNs can make life a lot harder due to additional complexity in user identification Forthnet stats : 26% subscribers (1/3 is IPv6-only) 14% traffic RFC 7123 (Security Implications of IPv6 on IPv4 Networks) RFC 6169 (Security Concerns with IP Tunneling) RFC 7359 (Layer 3 Virtual Private Network Tunnel Traffic Leakages in Dual-Stack Hosts/Networks) RFC 4942 (IPv6 Transition/Coexistence Security Considerations)

28 SDN Security Control Plane Applications Applications Applications Northbound API (i.e. REST, Python, Java) Controller Southbound API (i.e. OpenFlow, NETCONF, PCEP) Data Plane Switch Switch Switch Switch Switch Switch Host Host

29 SDN Security - The Bad Things Control Plane Vulnerabilities The whole network is actually managed by a controller and some applications The whole network might collapse if something goes wrong on these Applications and controller are built on commodity computing platforms Vulnerabilities in these platforms will also affect the whole network Possible effects after taking over the Controller/Applications Modify/Insert/Delete content Spy on traffic Bypass security rules by driving traffic around Redirect traffic to compromised hosts for further exploitation Security depends more on virtual topology than physical A MITM attack becomes very-very attractive, making happy And as if that were not enough Both Northbound/Southbound APIs can also get compromised if not secured When nested applications or multiple organizations are involved, things can get messy

30 SDN Security The Good Things Enforce a global/uniform security policy Check and maintain compliance with security standards Basic security rules can be applied on all devices Rapid response to threads Traffic redirection through an explicit security device is easier Tracking flows can help you isolate bad hosts faster Hardening SDN Apply OS hardening rules to controller and applications platforms Enforce RBAC policies for administration Implement a HA architecture on all critical parts Prefer an OOB network for control traffic Use authenticated/encrypted communication in all API calls Run frequent validation of flow policies Watch closely for new security architectures/frameworks

31 SDN Cleaner Infection: The end user clicks on a URL or attachment which downloads a rootkit. Breach: The rootkit begins executing a series of procedures to connect to the botnet control network. Watch: An SDN Application watches the traffic pattern from the infected host to the outside hosts. Detect: Based on the traffic flows the SDN Application detects that there is active malware on the infected host. React: The SDN Application initiates a quarantine directive to the SDN Controller based on these traffic flows. Respond: The SDN Controller creates a set of OpenFlow rules and pushes them down to the OpenFlow-enabled switch. Redirect: Infected host s DNS and web traffic is redirected by the OpenFlow switch to a specific web server, which displays a web page with the necessary actions to be performed. Permit: Once the corrective actions have been performed, the rules are changed to the initial ones that allow the end host back into the network.

32 In summary Thank you