IPTV & Cisco Systems Korea Cisco Systems, Inc. All rights reserved. 1

Business Access Aggregation Distributed Edge Regional HE Core Acquisition Network Super HE Content Owner BRAS Residential IP Content Network External Partners RG RG MPLS PE Policy Servers e Internal Enterprise/NOC Untrusted Mostly Trusted Trusted Internet Peering Internet Untrusted 2008 Cisco Systems, Inc. All rights reserved. 6

Leading Practice Category Disable Unnecessary Services Control Device Access Examples ICMP redirects, CDP, IP Source Routing TACACS+, Radius, Password Encryption Protects Against Threats Unauthorized Access Secure Ports and Interfaces Reconnaissance, Denial-of- Service Disable unused interfaces, Reconnaissance, Denial-of of- VLAN Pruning Service Secure Routing Infrastructure Secure Switching Infrastructure Control Resource Exhaustion Policy Enforcement MD5 Authentication, Route Filters Port Security, Storm Control Control Plane Policing (CoPP), Hardware-based Rate Limiters urpf Denial-of of-service Denial-of-Service Denial-of-Service IP Spoofing, Denial-of-Service 2008 Cisco Systems, Inc. All rights reserved. 14

- DA = 239.244.244.1 SA = 10.0.1.1 E0 Network Engineer Source ip access-list extended source permit igmp any any 6! IGMPv2 reports permit igmp any any 7! IGMPv2 leave deny igmp any any! Queries, PIMv1, DVMRP, deny pim any any! Hello, Join/Prune, BSR deny ip any 224.0.0.0/8! Source.. permit ip any any - Source ACL -IGMP Join Filtering 2008 Cisco Systems, Inc. All rights reserved. 15

IGMP? CPU/ unlimited IGM MP/MLD E ntries 0 IGMP/MLD Table max Total Memory Ut ilization Memory Resources Gasp! 0 Other Processes t1 t2 tn t1 t2 tn time time IGMP/MLD Valid Periodic IGMP/MLD Reports Malicious IGMP/MLD Reports IGMP/MLD table size can be limited globally or per interface. IPv4 IGMP Limit 12.2(15)T: ip igmp limit <1-64000> IPv6 MLD Limit 12.4(2)T: ip mld limit <1-64000> 2008 Cisco Systems, Inc. All rights reserved. 16

Goal Features Subscriber Identification DHCP Option 60, DHCP Option 82 Subscriber Authentication PPPoE or Web Portal (Using Radius) Subscriber Isolation Rogue DHCP Server MAC Forced Forwarding on DSLAM Private VLAN/PVLAN Edge on Switch DHCP Snooping IP address spoofing Limiting No. of Channels/IGMP/Multicast states DHCP Snooping + IP Source Guard (IPSG) on Switch IGMP State limits/max-groups & Multicast limits on Switch 2008 Cisco Systems, Inc. All rights reserved. 17

- IP Source Guard Cisco IP Source Guard - DHCP Snooping Port ACL - IP Spoofing DHCP Requests DHCP Responses DHCP Response DHCP Request Untrusted P1 P3 Trusted DHCP Server DHCP Snooping Function 2008 Cisco Systems, Inc. All rights reserved. 18

? Firewalls and Router ACLs / Network Intrusion Detection Security Agents CCTV Centralized Security and Policy Management Identity, AAA, Access Control Servers and Certificate Authorities Encryption and Virtual Private Networks (VPN s) 2008 Cisco Systems, Inc. All rights reserved. 20

Cisco IP NGN APP PLICATION LAYER SERVICE LAYER LAYER ETWORK L NE GAMING DATA CENTER Service Exchange Customer Element PRESENCE- BASED TELEPHONY Access / Aggregation WEB SERVICES Intelligent t Edge SECURITY + + Transport MOBILE APPS INTELLIGENT NETWORKING IP CONTACT CENTER Open Framework for Enabling Triple Play on the Move (Data, Voice, Video, Mobility) Multiservice Core ering E R raffic Enginee L A Y E agement Tr I O N A L e BW Mana O P E R A T curity Serv ice Assuranc Sec 2008 Cisco Systems, Inc. All rights reserved. 21

DPI (Deep Packet Inspection)? IP Packet Inspection & Control - application - - traffic actioin Ap pplication Su ubscriber Netw work Condit tion Mark Block Redirect Set QoS 2008 Cisco Systems, Inc. All rights reserved. 25

Self-Service Service Security Level and Content Filter Anti-Spam Anti-Virus Anti-X Content t URL Filtering Filtering AAA Broadband Policy Manager SEF BRAS/BNG ISG/SSG Service Control Engine Core Internet Security Self-Service Station Web Portal Patch Server Scan/Test SW Server 2008 Cisco Systems, Inc. All rights reserved. 27