Firewall on Demand multidomain: a top-down approach

http://www.grnet.gr
Firewall on Demand
A multidomain approach
Leonidas Poulopoulos, Yannis Mitsos – GRNET NOC
Firewall on Demand workshop
TF-MSP meeting, 27-28 November 2014
Network threats
[Chart: incidents per category per year, 2013 vs. 2014. Categories: GRNET Cloud IaaS; GRNET Rapid Anomaly Detection Python tool (rady); Volumetric; Packets (WP-pingback)]
Consequences
• Performance degradation
– GÉANT Backbone
– NRENs
• Outages
• Services malfunction
• Resources
– Human
– Equipment
Mitigation techniques through time
• ACLs, firewall filters
• RTBH
• BGP flowspec
The BGP way
• Well established model of trust
• Stable and robust
– Powers the internet
• Remote triggered black-hole routing
• BGP flow specification
– “My name is Wall, Fire Wall”
Who are you, BGP Flowspec?
• BGP Flowspec is defined in RFC 5575
• Layer 4 (TCP and UDP) firewall filters to be distributed in BGP on both an intra-domain and inter-domain basis
• Match
– source/dest prefix
– source/dest port
– ICMP type/code
– packet size
– DSCP
– TCP flag
– fragment type
– etc.
• Actions
– accept
– discard
– rate-limit
– sample
– redirect
– etc.
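The match components above are carried in a dedicated BGP NLRI whose byte layout RFC 5575 specifies in section 4. The block below is an added example, not code from GRNET's FoD or flowspy, and encodes the NLRI for the kind of rule a NOC would typically request: a destination prefix (type 1), IP protocol (type 3) and destination port (type 5), including a port range built from two chained operator bytes. Component type numbers and operator bits are those of RFC 5575; the prefixes and ports are constructed sample values.

```python
"""Encode a BGP flowspec NLRI (RFC 5575 section 4).

Added example, not FoD/flowspy code. Only the component types needed for
"prefix + protocol + port" rules are implemented; the encoding of the
other types follows the same two patterns (prefix-style or numeric-operator
style).
"""
import ipaddress

# Component type numbers (RFC 5575 section 4). Components must appear in
# the NLRI in ascending type order, which encode_nlri() enforces.
DEST_PREFIX = 1
SRC_PREFIX = 2
IP_PROTOCOL = 3
DEST_PORT = 5
SRC_PORT = 6

# Numeric operator byte: e(nd-of-list) a(nd) len len 0 lt gt eq
OP_END_OF_LIST = 0x80
OP_AND = 0x40
OP_LT = 0x04
OP_GT = 0x02
OP_EQ = 0x01


def encode_prefix(component_type, prefix):
    """Type 1/2 component: type, prefix length in bits, then only as many
    address bytes as the prefix length needs."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([component_type, net.prefixlen]) + net.network_address.packed[:nbytes]


def _value_width(value):
    """Return (len code for the operator byte, value width in bytes):
    00 = 1 byte, 01 = 2 bytes, 10 = 4 bytes, 11 = 8 bytes."""
    for code, width in ((0, 1), (1, 2), (2, 4), (3, 8)):
        if value < 1 << (8 * width):
            return code, width
    raise ValueError("value does not fit in 8 bytes")


def encode_numeric(component_type, terms):
    """Type 3/5/6 component: a list of (operator flags, value) terms.

    Consecutive terms are ORed unless the term carries OP_AND; the last
    term gets the end-of-list bit. Each value is written in the minimum
    width and the width is recorded in the operator byte."""
    out = bytearray([component_type])
    last = len(terms) - 1
    for i, (flags, value) in enumerate(terms):
        len_code, width = _value_width(value)
        op = flags | (len_code << 4)
        if i == last:
            op |= OP_END_OF_LIST
        out.append(op)
        out += value.to_bytes(width, "big")
    return bytes(out)


def encode_nlri(components):
    """Concatenate components (sorted by type) and prepend the NLRI length:
    one byte if the body is shorter than 240 bytes, otherwise two bytes
    with the high nibble set to 0xF."""
    body = b"".join(sorted(components, key=lambda c: c[0]))
    if len(body) < 240:
        return bytes([len(body)]) + body
    return (0xF000 | len(body)).to_bytes(2, "big") + body


def drop_tcp_port_nlri(prefix, port):
    """NLRI for "traffic to <prefix>, TCP, destination port == <port>"."""
    return encode_nlri([
        encode_prefix(DEST_PREFIX, prefix),
        encode_numeric(IP_PROTOCOL, [(OP_EQ, 6)]),          # 6 = TCP
        encode_numeric(DEST_PORT, [(OP_EQ, port)]),
    ])


if __name__ == "__main__":
    # Constructed sample: drop TCP/80 towards 10.0.0.0/24
    print(drop_tcp_port_nlri("10.0.0.0/24", 80).hex())
    # Port range 1024..2047: ">= 1024" AND "<= 2047"
    print(encode_numeric(DEST_PORT, [(OP_GT | OP_EQ, 1024),
                                     (OP_AND | OP_LT | OP_EQ, 2047)]).hex())
```

The action (discard, rate-limit, redirect) is not part of the NLRI: RFC 5575 carries it in extended communities attached to the route, which is why a flowspec rule and its action can be changed independently.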
A firewall filter over BGP???
• Propagates wherever BGP flow spec is enabled
– Currently supported by Juniper
• To the very ends of the network
• To peering networks
– Downstream
– Upstream
Ideas!
• Apply to a single point and let it propagate to my borders
• Sounds like attacks are now mitigated closer to source!!!
– YES!!!!
• Seems that it is more granular than RTBH
– YES!!!!
• Can we automate this?? Can we go from RFC to tool?
– Have already done this!!!
Can you remind me why we need BGP flowspec?
Flowspec vs. ACLs
• Distributed across the network
• Closer to the source
• Fine-grained even on core/backbone networks
• Multidomain: easy propagation towards the upstream via BGP
• Easy automation & integration
Flowspec vs. BGP RTBH
• Flowspec is an enhancement of RTBH
• Does not affect all traffic to the victim
• Less coarse
• More actions
• Separate NLRI
Firewall on Demand – from RFC to tool
NEED FOR BETTER TOOLS TO MITIGATE TRANSIENT ATTACKS
DEVELOPED BY: GRNET
GRANULARITY: Per-flow level
ACTION: Drop, rate-limit, redirect
SPEED: 1-2 orders of magnitude quicker
EFFICIENCY: closer to the source, multi-domain
AUTOMATION: integration with other systems
MANAGEABILITY: status track, web interface
GRNET setup
[Diagram: GRNET setup. The Victim sits inside GRNET, with GEANT upstream; FoD feeds Flowspec rules to the GRNET routers, and ACL and Flowspec labels mark where filtering is applied]
How does it work?
• Customer’s NOC logs in to the web tool and describes flows and actions
• Destination validated against customer’s IP space
• A dedicated router is configured to advertise the route via BGP flowspec
• Dynamic firewall filters are implemented on all routers
• Attack is mitigated upon entrance
• End of attack: removal via the tool, or auto-expire
[Diagram: FoD inside the NREN; Clients reach it over the Web; NETCONF to the dedicated router; iBGP within the NREN; eBGP towards the IX and UPSTREAM]
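The two steps that matter most for safety in this workflow are the validation of the requested destination against the customer's own address space (so one institution cannot filter another's traffic) and the expiry that withdraws a rule when nobody cleans up. The block below is an added example, not FoD/flowspy code, that models a rule request, performs that validation, renders the rule as a Junos "routing-options flow" stanza of the kind pushed to the router over NETCONF, and lists rules whose expiry has passed. The customer name, the prefix table and the one-day default lifetime are constructed sample data.

```python
"""Added example (not FoD/flowspy code): validation, config rendering and
auto-expire for a flowspec rule request."""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample data: the subnets each institution/peer may protect.
CUSTOMER_PREFIXES = {
    "example-univ": ["192.0.2.0/24", "198.51.100.0/25"],
}

# Actions exposed to the customer NOC; "redirect" is left out here because
# it needs a routing-instance target that this example does not model.
ALLOWED_ACTIONS = {"discard", "accept", "rate-limit", "sample"}

DEFAULT_TTL = timedelta(days=1)   # assumed default lifetime of a rule


def _default_expiry():
    return datetime.now(timezone.utc) + DEFAULT_TTL


@dataclass
class FlowRule:
    name: str
    customer: str
    destination: str                         # host or prefix under the customer's space
    action: str = "discard"
    protocol: Optional[str] = None           # e.g. "tcp", "udp"
    destination_port: Optional[int] = None
    source: Optional[str] = None
    rate_limit_bytes_per_second: Optional[int] = None   # Junos rate-limit unit
    expires: datetime = field(default_factory=_default_expiry)


def validate_destination(customer, destination):
    """True only if the destination lies inside one of the customer's subnets."""
    target = ipaddress.ip_network(destination, strict=False)
    for allowed in CUSTOMER_PREFIXES.get(customer, []):
        allowed_net = ipaddress.ip_network(allowed)
        if target.version == allowed_net.version and target.subnet_of(allowed_net):
            return True
    return False


def render_junos_flow_route(rule):
    """Render a validated rule as a Junos 'routing-options flow route' stanza."""
    if not validate_destination(rule.customer, rule.destination):
        raise ValueError(f"{rule.destination} is outside the address space of {rule.customer}")
    if rule.action not in ALLOWED_ACTIONS:
        raise ValueError(f"unsupported action {rule.action!r}")
    if rule.action == "rate-limit" and not rule.rate_limit_bytes_per_second:
        raise ValueError("rate-limit needs a rate")

    match = [f"destination {ipaddress.ip_network(rule.destination, strict=False)};"]
    if rule.source:
        match.append(f"source {ipaddress.ip_network(rule.source, strict=False)};")
    if rule.protocol:
        match.append(f"protocol {rule.protocol};")
    if rule.destination_port is not None:
        match.append(f"destination-port {rule.destination_port};")
    then = (f"rate-limit {rule.rate_limit_bytes_per_second};"
            if rule.action == "rate-limit" else f"{rule.action};")

    lines = ["routing-options {", "    flow {", f"        route {rule.name} {{",
             "            match {"]
    lines += [f"                {m}" for m in match]
    lines += ["            }", "            then {", f"                {then}",
              "            }", "        }", "    }", "}"]
    return "\n".join(lines)


def expired_rules(rules: List[FlowRule], now=None):
    """Rules whose lifetime has ended; the auto-expire step withdraws these."""
    now = now or datetime.now(timezone.utc)
    return [r for r in rules if r.expires <= now]


if __name__ == "__main__":
    # Constructed sample request: drop TCP/80 towards one host of the customer
    rule = FlowRule(name="block_http", customer="example-univ",
                    destination="192.0.2.10", protocol="tcp", destination_port=80)
    print(render_junos_flow_route(rule))
    print("expired:", expired_rules([rule]))
```

Because validation runs before anything is rendered, a request for an address outside the customer's registered subnets never reaches the router, and the same check should be repeated at removal time so that a peer can only withdraw its own rules.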
Have you tried it in production?
• GRNET network in production since 2011
• 3 years, 21 Tbytes, 100 rules, 40 users, 20 peers
Time to go multidomain
fod.geant.net
FoD recipe
• 1 central FoD instance
• BGP flowspec enabled in GÉANT routers
• 3 flavors
– NREN without BGP flowspec supporting equipment
– NREN with BGP flowspec equipment that uses local FoD
– NREN with BGP flowspec equipment that uses GEANT’s FoD
Phase 1 tests
[Diagram: Attacker at CARNet, Victim at GRNET, GÉANT in between; Flowspec enabled in all three networks; FoD at GRNET]
Click Apply
6 seconds later…
FoD Application Architecture
• Open source
– https://code.grnet.gr/projects/flowspy
– http://flowspy.readthedocs.org
• Authentication: Shibboleth/eduGAIN
• User Interface: Django MVC, long polling (Gevent)
• Job Queue (Celery/Beanstalk)
• Caching Layer (Memcached)
• Network Config to XML proxy (nxpy)
• Python NETCONF client (ncclient)
• NETCONF to the router; eBGP and iBGP towards the network
Under the hood
• Django application
– 1.4 – Debian Wheezy system packages
• Application server
– Gunicorn
• HTTP server
– Apache Proxy module
• Database
– MySQL
• Caching
– Memcached
• Job scheduler
– Celeryd
• Queue
– Beanstalkd
• Network client
– Ncclient - NETCONF
Installation and monitoring
• Extensively tested on Debian Wheezy
– Using system packages
• Done in ~ 30 mins
• Monitored components
– Host checks
– Service checks
• Apache (check_http)
• Gunicorn (check_mk)
• Celeryd (check_mk)
Joining FoD
• Shibboleth attributes:
– email (maps to HTTP_EMAIL)
– persistent-nameid or persistent-id or targeted-id (all map to HTTP_REMOTE_USER)
• A valid institution/peer with active subnets
Support
• GRNET will actively support FoD
• Same codebase
• Small changes in single and multidomain
– Shibboleth vs. eduGAIN
• Full installation documentation of the multidomain flavor will be provided by the end of Nov 2014
Thank you