Firewall on Demand: A multidomain approach
Leonidas Poulopoulos, Yannis Mitsos – GRNET NOC
Firewall on Demand workshop, TF-MSP meeting, 27-28 November 2014
http://www.grnet.gr

Network threats
[Chart: incidents per category per year, 2013 vs 2014. Categories: GRNET Cloud IaaS; GRNET Rapid Anomaly Detection Python tool (rady); volumetric; packets (WP-pingback)]

Consequences
• Performance degradation
  – GÉANT backbone
  – NRENs
• Outages
• Services malfunction
• Resources
  – Human
  – Equipment

Mitigation techniques through time
ACLs / firewall filters → RTBH → BGP flowspec

The BGP way
• Well-established model of trust
• Stable and robust – powers the Internet
• Remote-triggered black-hole routing (RTBH)
• BGP flow specification – "My name is Wall, Fire Wall"

Who are you, BGP Flowspec?
• Defined in RFC 5575
• Layer 3/4 firewall filters (IP prefixes, IP protocol, TCP/UDP ports, ICMP) distributed in BGP, on both an intra-domain and an inter-domain basis
• Match
  – source/destination prefix
  – source/destination port
  – ICMP type/code
  – packet size
  – DSCP
  – TCP flags
  – fragment type
  – etc.
• Actions
  – accept
  – discard
  – rate-limit
  – sample
  – redirect
  – etc.

A firewall filter over BGP???
• Propagates wherever BGP flowspec is enabled – currently supported by Juniper
• To the very ends of the network
• To peering networks
  – Downstream
  – Upstream

Ideas!
• Apply at a single point and let it propagate to my borders
• Sounds like attacks are now mitigated closer to the source!!! – YES!!!!
• Seems that it is more granular than RTBH – YES!!!!
• Can we automate this?? Can we go from RFC to tool? – We have already done this!!!

Can you remind me why we need BGP flowspec?
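Before the comparison, it helps to see what a flowspec rule actually looks like on the wire. The "Who are you, BGP Flowspec?" slide lists the match components and actions, and the RTBH comparison that follows notes that flowspec travels in its own NLRI. The Python below is an added example for this page, not code from the deck or from the FoD/flowspy project: it encodes one rule as RFC 5575 specifies it, the NLRI with its type-ordered components and the traffic-rate extended community that expresses discard (rate 0) or rate-limit. The prefix 192.0.2.0/24 and the AS numbers are constructed sample values; TCP-flags and fragment components, which use the bitmask operator, are left out.

```python
"""BGP flowspec rule on the wire (RFC 5575).

Added example for this page, not code from the FoD/flowspy project: builds the
flowspec NLRI bytes for a rule and the traffic-rate extended community that
carries its action, i.e. what the dedicated router advertises after "Click Apply".
"""
import ipaddress
import struct

# RFC 5575 section 4 component types; each appears at most once, in ascending order.
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
ICMP_TYPE, ICMP_CODE, PKT_LEN, DSCP = 7, 8, 10, 11   # 9 (TCP flags) and 12 (fragment) use the bitmask operator, not shown

# numeric operator comparison bits: (lt, gt, eq)
OPS = {"==": (0, 0, 1), "<": (1, 0, 0), ">": (0, 1, 0), "<=": (1, 0, 1), ">=": (0, 1, 1)}


def prefix_component(ctype, prefix):
    """Type 1/2: <type><prefix length in bits><minimal number of prefix bytes>.
    IPv4Network is strict by default, so 192.0.2.5/24 is rejected instead of
    silently becoming 192.0.2.0/24."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def numeric_component(ctype, terms):
    """Types 3-8, 10, 11: <type> followed by one (operator byte, value) pair per term.

    Operator byte (section 4.2.1.1): e a len len 0 lt gt eq.
    terms is a list of (op, value, and_prev). Consecutive terms are OR-ed unless
    and_prev sets the 'a' bit, which is how a range such as 1024 <= port <= 65535
    is written. The last term carries the end-of-list bit."""
    out = bytes([ctype])
    for i, (op, value, and_prev) in enumerate(terms):
        if value < 0x100:
            ln, fmt = 0, ">B"
        elif value < 0x10000:
            ln, fmt = 1, ">H"
        else:
            ln, fmt = 2, ">I"
        lt, gt, eq = OPS[op]
        end = 1 if i == len(terms) - 1 else 0
        opbyte = (end << 7) | (int(and_prev) << 6) | (ln << 4) | (lt << 2) | (gt << 1) | eq
        out += bytes([opbyte]) + struct.pack(fmt, value)
    return out


def encode_nlri(components):
    """Flowspec NLRI = length + components (section 4.1). The length is one byte
    below 240 and two bytes 0xFnnn up to 4095."""
    body = b"".join(enc for _, enc in sorted(components, key=lambda c: c[0]))
    if len(body) < 240:
        return bytes([len(body)]) + body
    if len(body) < 0x1000:
        return struct.pack(">H", 0xF000 | len(body)) + body
    raise ValueError("flowspec NLRI longer than 4095 bytes")


def traffic_rate(asn, bytes_per_second):
    """Extended community type 0x80, sub-type 0x06 (section 7): 2-octet AS and a
    float32 rate in bytes per second. Rate 0 means discard; anything else is rate-limit."""
    return struct.pack(">BBHf", 0x80, 0x06, asn, float(bytes_per_second))


def udp53_discard_rule():
    """Worked rule: drop UDP/53 towards 192.0.2.0/24 (constructed sample prefix)."""
    components = [
        (DST_PREFIX, prefix_component(DST_PREFIX, "192.0.2.0/24")),
        (IP_PROTO, numeric_component(IP_PROTO, [("==", 17, False)])),
        (DST_PORT, numeric_component(DST_PORT, [("==", 53, False)])),
    ]
    return encode_nlri(components), traffic_rate(0, 0)


if __name__ == "__main__":
    nlri, action = udp53_discard_rule()
    print("NLRI         ", nlri.hex())
    print("traffic-rate ", action.hex())
```

The ordering rule in encode_nlri matters: RFC 5575 routers treat components out of type order as a malformed NLRI, and the strict prefix parsing is the first place a "destination validated against customer's IP space" check can fail safely.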
Compared with ACLs:
• Distributed across the network
• Closer to the source
• Fine-grained, even on core/backbone networks
• Multidomain: easy propagation towards the upstream via BGP
• Easy automation & integration

Compared with BGP RTBH:
• Flowspec is an enhancement of RTBH
• Does not affect all traffic to the victim
• Less coarse
• More actions
• Separate NLRI

Firewall on Demand – from RFC to tool
NEED FOR BETTER TOOLS TO MITIGATE TRANSIENT ATTACKS
• DEVELOPED BY: GRNET
• GRANULARITY: per-flow level
• ACTION: drop, rate-limit, redirect
• SPEED: 1-2 orders of magnitude quicker
• EFFICIENCY: closer to the source, multi-domain
• AUTOMATION: integration with other systems
• MANAGEABILITY: status tracking, web interface

GRNET setup
[Diagram: GÉANT and GRNET routers with ACLs and flowspec; FoD advertises flowspec rules; victim inside GRNET]

How does it work?
• The customer's NOC logs in to the web tool and describes flows and actions
• The destination is validated against the customer's IP space
• A dedicated router is configured (over NETCONF) to advertise the route via BGP flowspec
• Dynamic firewall filters are implemented on all routers
• The attack is mitigated upon entrance
• End of attack: removal via the tool, or auto-expire
[Diagram: client NOCs → FoD web UI → NETCONF → dedicated router → iBGP to the NREN's routers → eBGP to upstream / IX]

Have you tried it in production?
• GRNET network, in production since 2011
• 3 years, 21 Tbytes, 100 rules, 40 users, 20 peers

Time to go multidomain
fod.geant.net

FoD recipe
• 1 central FoD instance
• BGP flowspec enabled in GÉANT routers
• 3 flavours
  – NREN without BGP flowspec-capable equipment
  – NREN with BGP flowspec-capable equipment that uses a local FoD
  – NREN with BGP flowspec-capable equipment that uses GÉANT's FoD

Phase 1 tests
[Diagram: attacker behind CARNet, victim in GRNET; flowspec on CARNet, GÉANT and GRNET routers; FoD]
Click Apply … 6 seconds later…

FoD Application Architecture
OPEN SOURCE
• https://code.grnet.gr/projects/flowspy
• http://flowspy.readthedocs.org
[Diagram: Shibboleth/eduGAIN → User Interface (Django MVC) with long polling (Gevent) → Job Queue (Celery/Beanstalk) and Caching Layer (Memcached) → Network Config to XML proxy (nxpy) → Python NETCONF client (ncclient) → NETCONF → router → eBGP / iBGP]

Under the hood
• Django application – 1.4 – Debian Wheezy system packages
• Application server – Gunicorn
• HTTP server – Apache proxy module
• Database – MySQL
• Caching – Memcached
• Job scheduler – Celeryd
• Queue – Beanstalkd
• Network client – ncclient (NETCONF)

Installation and monitoring
• Extensively tested on Debian Wheezy – using system packages
• Done in ~30 minutes
• Monitored components
  – Host checks
  – Service checks
    • Apache (check_http)
    • Gunicorn (check_mk)
    • Celeryd (check_mk)

Joining FoD
• Shibboleth attributes:
  – email (maps to HTTP_EMAIL)
  – persistent-nameid or persistent-id or targeted-id (all map to HTTP_REMOTE_USER)
• A valid institution/peer with active subnets

Support
• GRNET will actively support FoD
• Same codebase
• Small changes between the single-domain and multidomain flavours – Shibboleth vs. eduGAIN
• Full installation documentation of the multidomain flavour will be provided by the end of November 2014

http://www.grnet.gr
Thank you
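The "How does it work?" slide and the architecture slide together describe the path from a NOC user's request to a NETCONF push: describe the flow, validate the destination against the customer's IP space, generate router configuration, advertise it, and expire it later. The following Python is an added example for this page, not code from the deck or from the FoD/flowspy project (which renders Junos XML through nxpy and pushes it with ncclient). It shows the intake and authorisation step that a security engineer cares most about, the rule rendered as a Junos routing-options flow route text stanza, and the auto-expire timestamp the job queue would act on. The peer registry, subnets, rule names and the 7-day maximum lifetime are constructed assumptions; the rate-limit unit follows RFC 5575's traffic-rate (bytes per second) and should be confirmed against the router platform.

```python
"""FoD-style rule intake: validate against the peer's address space, render Junos config.

Added example for this page; not code from the FoD/flowspy project. Peer names,
subnets, rule names and MAX_LIFETIME are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# constructed sample registry: peer -> networks it is allowed to protect
PEER_NETWORKS = {
    "example-nren": [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")],
}
L4_PROTOCOLS = {"tcp", "udp"}
PROTOCOLS = L4_PROTOCOLS | {"icmp"}
MAX_LIFETIME = timedelta(days=7)   # assumption: rules auto-expire unless renewed in the tool


class RuleError(ValueError):
    """Rejected request; the message is safe to show back to the NOC user."""


@dataclass
class FlowRequest:
    peer: str
    destination: str                          # victim prefix; must lie inside the peer's space
    source: Optional[str] = None              # attacker prefix; may be anywhere
    protocol: Optional[str] = None            # tcp | udp | icmp
    destination_port: Optional[str] = None    # "53" or "1024-65535"
    source_port: Optional[str] = None
    action: str = "discard"                   # discard | rate-limit | accept
    rate_limit: Optional[int] = None          # bytes per second (RFC 5575 traffic-rate; confirm on platform)
    lifetime: timedelta = timedelta(hours=24)


def _check_port(spec: str) -> None:
    lo, _, hi = spec.partition("-")
    try:
        lo_i, hi_i = int(lo), int(hi or lo)
    except ValueError as e:
        raise RuleError(f"bad port specification {spec!r}") from e
    if not 0 <= lo_i <= hi_i <= 65535:
        raise RuleError(f"bad port specification {spec!r}")


def validate(req: FlowRequest) -> FlowRequest:
    """Authorisation and sanity checks. The essential one: a peer may only act on
    destinations inside its own registered prefixes, so a careless or compromised
    NOC account cannot black-hole somebody else's traffic."""
    allowed = PEER_NETWORKS.get(req.peer)
    if not allowed:
        raise RuleError(f"unknown peer {req.peer!r}")
    try:
        dst = ipaddress.ip_network(req.destination)     # strict: host bits must be zero
        src = ipaddress.ip_network(req.source) if req.source else None
    except ValueError as e:
        raise RuleError(f"bad prefix: {e}") from e
    if not any(dst.version == n.version and dst.subnet_of(n) for n in allowed):
        raise RuleError(f"{dst} is not inside {req.peer}'s address space")
    if src is not None and src.version != dst.version:
        raise RuleError("source and destination must be the same address family")
    if req.protocol is not None and req.protocol not in PROTOCOLS:
        raise RuleError(f"unsupported protocol {req.protocol!r}")
    for spec in (req.destination_port, req.source_port):
        if spec is not None:
            if req.protocol not in L4_PROTOCOLS:
                raise RuleError("ports require protocol tcp or udp")
            _check_port(spec)
    if req.action == "rate-limit":
        if not req.rate_limit or req.rate_limit <= 0:
            raise RuleError("rate-limit needs a positive rate")
    elif req.action not in ("discard", "accept"):
        raise RuleError(f"unsupported action {req.action!r}")
    if not timedelta(0) < req.lifetime <= MAX_LIFETIME:
        raise RuleError(f"lifetime must be between 0 and {MAX_LIFETIME}")
    return req


def is_accepted(req: FlowRequest) -> bool:
    try:
        validate(req)
        return True
    except RuleError:
        return False


def render_junos(req: FlowRequest, name: str) -> str:
    """Junos 'routing-options flow route' text stanza for a validated request.
    Expiry is tracked by the tool, which later deletes the route; the router knows nothing of it."""
    match = [f"destination {req.destination};"]
    if req.source:
        match.append(f"source {req.source};")
    if req.protocol:
        match.append(f"protocol {req.protocol};")
    if req.destination_port:
        match.append(f"destination-port {req.destination_port};")
    if req.source_port:
        match.append(f"source-port {req.source_port};")
    then = f"rate-limit {req.rate_limit};" if req.action == "rate-limit" else f"{req.action};"
    lines = ["routing-options {", "    flow {", f"        route {name} {{", "            match {"]
    lines += [f"                {m}" for m in match]
    lines += ["            }", "            then {", f"                {then}", "            }",
              "        }", "    }", "}"]
    return "\n".join(lines)


def submit(req: FlowRequest, name: str, now: Optional[datetime] = None):
    """Validate, render, and compute the auto-expire time for the job queue."""
    validate(req)
    now = now or datetime.now(timezone.utc)
    return render_junos(req, name), now + req.lifetime


if __name__ == "__main__":
    cfg, expires = submit(FlowRequest(peer="example-nren", destination="192.0.2.10/32",
                                      source="203.0.113.0/24", protocol="udp", destination_port="53"), "fod-1")
    print(cfg)
    print("expires", expires.isoformat())
```

In the real deployment the rendered stanza is what goes to the dedicated router over NETCONF, and the same validation must run server-side on every request and every renewal, never only in the browser.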