Abilene Transit Security Policy Joint Techs Summer - PowerPoint PPT Presentation

1
Abilene Transit Security Policy
Joint Techs Summer 05
Vancouver, BC, CA
  • Steve Cotter
  • Director, Network Services
  • scotter@internet2.edu

2
Basic Premise
  • Policy determined by basic properties of an IP
    network
  • Control is at the edge
  • Hosts determine when and where to send packets
    and initiate flows
  • This control often leads to vulnerabilities
  • Hosts can become compromised
  • Hosts may be used to compromise other hosts
  • Can lead to large amounts of traffic sent to
    other hosts
  • As a backbone network, we view Abilene as a
    pipe and not a controlling entity

3
Network Control
  • The Abilene backbone does have the means to apply
    some control across the network
  • Possible to block traffic on some ports
  • Possible to block all traffic from a particular
    IP addresses
  • Security Policy 1: Abilene does not unilaterally
    filter traffic on a network-wide basis unless the
    network itself is under attack.
  • Scenario: Compromised hosts use port 135 to
    propagate a virus to infect other hosts.
  • Abilene would not unilaterally block that port
  • That function is handled more efficiently at the
    edge
  • Had the routers or switches themselves been under
    attack, Abilene would have blocked that traffic
    immediately

4
Filtering Traffic
  • The Abilene backbone will filter traffic in some
    situations
  • If one or more hosts on a connector or peer were
    under attack
  • If requested by an institution, peer or connector
    (noc@abilene.iu.edu, 317-278-6622)
  • Security Policy 2: Abilene will filter traffic
    to a connector or peer if requested by that
    particular connector or peer network, filtering
    the appropriate traffic through the connection in
    question.
  • Abilene will make every possible attempt to
    authenticate those making requests for traffic
    filtering through interconnection points.
  • Abilene's method for blocking this traffic is our
    BGP Discard Routing procedure

5
Filtering Traffic
  • Abilene reserves the right to protect itself and
    its connectors / peers from other connectors and
    peers.
  • If a threat to the network exists through a
    particular connector, Abilene reserves the right
    to filter that traffic
  • Ultimately, Abilene could disconnect the
    offending connector or peer
  • Security Policy 3: Abilene reserves the right to
    filter all traffic or terminate any connection if
    it is under attack.
  • Every attempt will be made to contact the network
    in question to discuss various options and
    alternatives.

6
Research and Education Information Sharing
Analysis Center (REN-ISAC)
  • The REN-ISAC supports higher education and the
    research community by:
  • Providing advanced security services to national
    supporting networks
  • Supporting efforts to protect the national
    cyberinfrastructure by participating in the
    formal sector ISAC infrastructure
  • Security Policy 4: Abilene will report all known
    incidents of security threats to the REN-ISAC
  • Determining what traffic is a security threat is
    a network research problem. A measurement
    infrastructure is part of Abilene's network
    operations (Abilene Observatory).

7
Data Collection
  • Abilene collects flow statistics on a sampling
    basis that potentially could identify source and
    destination addresses and ports
  • This data is anonymized (the 11 low-order bits of
    all IP addresses are zeroed out) before it is
    saved to disk
  • For privacy reasons Abilene does not collect
    data pertaining to communications between
    identifiable hosts
  • However, this information could identify
    compromised hosts
  • Security Policy 4: During times of security
    attacks, the REN-ISAC can de-anonymize data, but
    only that data related to the attack itself. The
    resulting data is re-anonymized as soon as possible
    after the attack is understood.
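The anonymization rule on this slide, worked through as an added example (not Abilene's own collector code): zeroing the 11 low-order bits of an IPv4 address is the same as applying a /21 mask, so two hosts in the same /21 become indistinguishable in the saved records, while ports and packet counts survive and still reveal, for instance, which /21 is sending heavy port-135 traffic. The `Flow` record layout and the sample flows are constructed for this example.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass, replace

ANON_BITS = 11  # slide 7: the 11 low-order bits of every address are zeroed
# Zeroing 11 low-order bits is equivalent to a /21 mask: 0xFFFFF800
ANON_MASK = (0xFFFFFFFF << ANON_BITS) & 0xFFFFFFFF


def anonymize_ipv4(addr: str) -> str:
    """Apply the slide's rule to one IPv4 address."""
    raw = int(ipaddress.IPv4Address(addr))
    return str(ipaddress.IPv4Address(raw & ANON_MASK))


@dataclass(frozen=True)
class Flow:
    """Constructed flow record layout (assumption, not the real export format)."""
    src: str
    dst: str
    sport: int
    dport: int
    packets: int


def anonymize_flow(flow: Flow) -> Flow:
    """Only the addresses are coarsened; ports and counters are kept as-is."""
    return replace(flow, src=anonymize_ipv4(flow.src), dst=anonymize_ipv4(flow.dst))


# Constructed sample records using documentation address ranges, not real data.
SAMPLE_FLOWS = [
    Flow("192.0.2.77", "198.51.100.23", 4321, 135, 900),
    Flow("192.0.2.78", "198.51.100.24", 4322, 135, 850),
    Flow("203.0.113.5", "198.51.100.23", 51000, 443, 12),
]


def top_sources(flows, port):
    """Packets per anonymized source toward one destination port.

    Hosts that share a /21 collapse into a single entry, so the result points
    at a network, never at an individual host.
    """
    counts = Counter()
    for f in map(anonymize_flow, flows):
        if f.dport == port:
            counts[f.src] += f.packets
    return counts.most_common()
```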

8
Data Analysis
  • Information derived from analysis of the flow
    data that identifies specific institutions or
    hosts is treated as confidential information.
  • Security Policy 5: Institutions may request
    specific sources of cyber security attacks
    located on their respective networks. Only
    security-related information will be reported to
    the institutions.
  • Abilene data is meant to supplement, not replace,
    data collected by individual institutions or
    connectors. Internet2 strongly encourages
    institutions to collect their own data,
    potentially providing a greater degree of
    specificity to particular security problems.

9
BGP Discard Routing
  • Connectors can advertise routes to Abilene via
    BGP for which all traffic to those routes will be
    discarded by the Abilene routers. This is useful
    during a DoS attack because the traffic can be
    dropped before it crosses the link to the
    connector.
  • Here are a few important points:
  • Discard routes will NOT be accepted for routes
    larger than a /24
  • There is no way to place a limit on the number of
    discard routes a connector can advertise. The
    limit on the total number of routes a Connector
    can advertise is currently 3,000.
  • Abilene's default policy is to not accept routes
    smaller than a /27. There have been some
    exceptions made to this policy. For those /28 and
    smaller routes, it will not be possible to
    announce more specific discard routes.
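The acceptance rules on this slide, written out as an added example of the policy check an ingress route filter would apply (this is illustrative code, not Abilene's actual BGP configuration): a discard route is rejected if it is larger than a /24, more specific than the default /27 limit, or would push the connector past the 3,000-route total. The requirement that the discard route lie inside a prefix the connector already advertises is an assumption added here; the slide does not state it.

```python
import ipaddress

DISCARD_MIN_LEN = 24   # slide 9: not accepted for routes larger than a /24
DISCARD_MAX_LEN = 27   # slide 9: default policy rejects routes smaller than a /27
ROUTE_LIMIT = 3000     # slide 9: total routes a connector may advertise


def check_discard_route(prefix: str, connector_routes: list[str]) -> tuple[bool, str]:
    """Return (accepted, reason) for a discard route a connector proposes.

    connector_routes is the list of prefixes the connector already advertises;
    the proposed discard route counts toward the same total.
    """
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return False, f"malformed prefix: {exc}"
    if net.version != 4:
        return False, "only IPv4 discard routes are modelled here (assumption)"
    if net.prefixlen < DISCARD_MIN_LEN:
        return False, f"{net} is larger than a /{DISCARD_MIN_LEN}"
    if net.prefixlen > DISCARD_MAX_LEN:
        # Covers the slide's note that exception /28-and-smaller routes
        # cannot have more-specific discard routes announced under them.
        return False, f"{net} is more specific than /{DISCARD_MAX_LEN}"
    if len(connector_routes) + 1 > ROUTE_LIMIT:
        return False, f"connector would exceed the {ROUTE_LIMIT:,}-route limit"
    # Assumption (not on the slide): the discard route must fall inside a
    # route the connector already advertises, so it only blackholes its own space.
    existing = [ipaddress.ip_network(r, strict=False) for r in connector_routes]
    if not any(net.subnet_of(r) for r in existing if r.version == 4):
        return False, f"{net} is not within the connector's advertised routes"
    return True, f"{net} accepted as a discard route"
```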

10
Abilene Information
  • For more information:
  • http://abilene.internet2.edu
  • http://abilene.internet2.edu/observatory/
  • http://abilene.internet2.edu/security/
  • Or contact us at:
  • scotter@internet2.edu
  • heather.bruning@internet2.edu
  • abilene@internet2.edu
