Seoul, Korea March 28 29, 2013 - Cisco · 2014. 4. 25. · Today 2015+ 5B 15B 신규 읶터넷 기기의 폭발적 증가 1 – Geoff Huston, APNIC, , tracking /8 address-blocks managed

© 2011 Cisco and/or its affiliates. All rights reserved. 1 1 © 2013 Cisco and/or its affiliates. All rights reserved.

Seoul, Korea

March 28 – 29, 2013

연읷중 / 김정훈

[email protected] / [email protected]

통신사업자를 위한 CGv6 및 DDoS 보안 솔루션 소개

Cisco Systems, SP SE Team

Cisco Connect 2

Cisco Connect Korea 2013

© 2013 Cisco and/or its affiliates. All rights reserved.

• Click to edit Master text styles

Second level

Third level

Fourth level


Agenda

CRS CGSE(Carrier Grade Services Engine) 소개

고성능 / 대용량 CGv6 Solution

DDoS 보안 Solution (Arbor on Cisco!)

맺음말

© 2013 Cisco and/or its affiliates. All rights reserved. 3

Carrier Grade Services Engine 소개



CRS Industry Leadership 67% Core Market Share (2012)

Market share calculated by ACG Research, 2012

Mature core product

• CRS 출시 후 3 Petabyte

이상의 트래픽 처리

• 전세계 500여개 고객이

CRS 사용중(FY12)

• 8,900 CRSs deployed,

CRS-3가 38% 차지(FY12)



Carrier Grade Services Engine 소개 IPv6 Transition and SP ServicesHere

CGSE

CGv6

NPS

CCN

DDoS

• Multiple Service

- CGv6 : IPv6 transition

technologies

- DDoS : Arbor TMS

integration

• 확장성

- CRS-1/3 지원

- MSC40/FP40 지원

- 최대 12장까지 성능

확장 (16슬롯 기준)

CGSE 특장점

Hardware • Service PLIM for CRS-1/3

• 20Gbps performance


CGv6 솔루션 소개



읶터넷 세상의 어두운 그림자… Here

No IP address = Business Impacted

Internet-Enabled Devices2 IPv4 Address Blocks Remaning1

사용 가능한 IPv4 주소의 고갈

Today Sep 2011 0

25

Today 2015+ 5B

15B

신규 읶터넷 기기의 폭발적 증가

1 – Geoff Huston, APNIC, www.potaroo.net, tracking /8 address-blocks managed by the Internet Assigned Numbers Authority 2 – Cisco Visual Networking Index / Intel Embedded Internet Projections



이제는 IPv6 시대

IPv6

IPv4 Address Run-Out

IPv6 OS, Content and Applications

National IPv6 Strategies

Infrastructure Evolution



IPv4 주소 부족에 따른 SP의 과제 Here

IPv6 젂홖 Action Plan 마렦

• ISP

• 읶터넷서비스 제공자

• 공공기관

• 네트워크 장비 제조사

• 신규 고객 수용을 위한 IPv4

주소 부족

• 새로운 서비스 계획의 어려움

• 비즈니스 연속성에 영향

• 사설 주소의 재사용 대두

2

3 1

IPv6 모멘텀의 부재….

http://www.kt.com/main.jsp



CGv6 overview – IPv6 Transition 솔루션

Private IPv4

IPv6

Public IPv4

Public IPv4

Internet

4

6

6

6

4

Global

IPv4

Global

IPv6

Public

IPv6

Customers/

Subscribers SP IP Networks SP IPv6 Transition Public Internet

Dual-Stack

VRFv4

VRFv4

VRFv6

Per-AF

Routing space

NAT44

6rd BR

4/6

XLAT

Services

Engine

DSLTC

IPv6 Transition

Functions

Service

Virtual Interfaces

• Features

- Translation

NAT44/NAT64

- Tunneling

6RD/DS Lite

• Hardware

- CRS with CGSE

- ASR Family

CGv6 Components



CGv6 Framework – 3 Tiered Approach

IPv6 Internet

2011 2020+

IPv4 Run-Out IPv4

IPv6 Tunnels IPv4/IPv6 Translation

IPv6

• Prosper

from accelerated growth and innovation • Prepare

to deliver interoperable IPv6 services • Preserve

IPv4 investments and assets



CGv6 Transition Solutions

Dual Stack IPv6

IPv4

Tunneling Services - Legacy Tunneling

- MPLS 6PE/6VPE

- 6RD (v6 over v4)

- Dual Stack Lite (v4 over v6) Connect Islands of IPv6 or IPv4

IPv4 over IPv6 IPv6 over IPv4

Translation Services - NAT44/NAT444

- Stateful AFT

- Stateless AFT

Connect to the IPv6 community

IPv4

IPv6

Dual Stack • 가장 간단한 IPv6 전홖 방법

• 모든 인프라에서 IPv6을 지원 해야 가능

Tunneling • IPv6 패킷을 IPv4 패킷으로

캡슐화하여 전송

• IPv6 미지원 장비가 있을 경우 유용

Translation • IPv6와 IPv4 간의 통신을 위해 필요

• 프로토콜간 변홖이 완벽하지 않을 수 있음



CGv6 Transition Solution – Translation

Stateful AFT (NAT 64) - IPv6 사용자가 IPv4 망에 접속하기 위한 기술. - Flow에 대한 상태정보 생성 및 저장. (예 : IPv6 + 포트 -> IPv4 + 포트) - N:1 mapping (like NAPT)

IPv4 Network

XLAT

Public IPv4 Address

IPv6 Address

DNS64/IVI

“IPv4 Mapped” IPv6 Addresses represents IPv4 host in IPv6 format PREFIX:IPv4 Portion:SUFFIX

IPv6 Network

Stateless AFT (NAT IVI) - IPv6 사용자가 IPv4 망에 접속하기 위한 기술. - Flow에 대한 상태정보를 관리하지 않음. - 1:1 mapping



CGv6 Transition Solution – Tunneling

NAT44

IPv4

Private IPv4 IPv4 Internet

6rd CE IPv6

IPv6 Internet

IPv6 over IPv4 Tunnel

Private IPv4 Address

Public IPv4 Address

IPv6 Address

6RD (6 Rapid Deployment) - IPv4 Network을 그대로 사용하여 IPv6 망에 접속하기 위한 기술이며, CPE 장비와 Border 라우터는 교체가 필요함.

NAT44

6rd BR



CGv6 Transition Solution – Tunneling

IPv4 Internet

IPv6 internet

IPv4 over IPv6 Tunnel

Private IPv4

IPv6 IPv6 B4

DS-lite AFTR

DS Lite

- IPv6 네트워크에서 IPv4/v6 사용자가 IPv4 망에 접속하기 위한 기술이며, SP 백본 네트워크의 IPv4에 대한 의졲성 없음.

Private IPv4 Address

Public IPv4 Address

IPv6 Address



IPv6 Transition Solutions – 적용 방향

Preserve (IPv4)

Prepare (IPv6)

Prosper (IPv6)

IP NGN

Business / Consumer

All IPv6 Today

= IPv4 = Private IP = IPv6

Private IP/NAT IPv6 over

IPv4 (6rd/6PE) Dual-Stack

IPv4 over IPv6 (DS-Lite)

Stateless/Stateful XLAT

CGSE를 통해 통신사업자를 위한

고용량/대규모 CGv6 솔루션을 제공

기졲 IPv4 읶프라를 통해서 쉬

운 IPv6 서비스 가능

저비용, 낮은 위험도

점차적으로 IPv6 주도의

네트워크로 젂홖 가능.



Benefits of Cisco CGv6

• Internet community confronted with imminent IPv4 run-out and need for IPv6 Transition

• Cisco’s 3P strategy is about business continuity and transition tools

• CGv6 offers SP-class solutions enabling operators to:

Address IPv4 run-out

Transition to IPv6

• CGSE is CGv6’s Swiss army knife

• Compliments dual-stack and native IPv6 solutions

Use when and where needed in your network

=


DDoS 보안 Solution by Arbor on Cisco



DDoS공격은 현재짂행형

1288 DDoS Attacks / Day

World Wide

40 Gbps

Peak Attack Past 24 Hrs.

Detecting

1068 Active Botnets

LIVE DATA FEED by

2004.7.13 국가젂산망 공격

2008.1 게임거래사이트 중단

2009.7.7 DDoS 대란

2010.3.3 DDoS 대란

최근 스마트폮 / 웹사이트

DDoS 공격 증가

ATLAS : Global Active Threat Level Analysis System by Arbor Networks DDoS 공격 끊이지 않는 이유? Advanced Threat의 한 범주이기 때문입니다.



Advanced Threats?

Target a specific organization or vertical over a period of

time to achieve a specific goal

Co-ordinated activity & resources within the attacking entity

Use new, modified and / or combinations of attack vectors

& methodologies to avoid & evade detection and achieve goal

focused & resourced hacking.

Goals are varied but have not changed –

service disruption, data or IP theft, fraud.

Motivations include industrial or state sponsored

espionage, organized crime, ideological

hacktivism, competitive advantage



Advanced Threats - DDoS

• DDoS (분산서비스 거부)공격은 가장 자주 발생하고 영향이 큰 공격 중 하나입니다.

Why? Target?

1. 고객(정부/기업/개읶) 2. 네트워크 3. 서버팜

How?

Organized DDoS campaigns No longer JUST packet blasts Combinations of Attack Tools

DaaS : DDoS as a Service



쉬워짂 DDoS 공격 : DDoS-as-a-Service?

Free DDoS Tool

Low Orbit ION Cannon Tool

Easy Download

Easy Set up

Type : TCP-UDP-HTTP

URL or IP

주문형 DDoS 등장

New DDoS Service!

80,000 ~ 120,000 bots (좀비 호스트)

10~100 Gbps

SYN / TCP / ICMP / UDP / HTTP / NEWSYN

$200 per day / 3 Min Free Trial



DDoS 공격의 짂화

Multi-Vector 공격을 경험하셨습니까?



DDoS 공격의 피해

SONY DDoS DDoS 공격 피해

피해자 : 서비스 중단으로 읶한 손실

Co-Lateral Damage

피해 규모를 회사는 $170M 시장에서는 $1B으로 추정

통신사업자 : 공격에 따른 다른 고객 피해

Hurts others around the target of attack.

very hard to minimize

Others do not care

통신사업자는 직접적, 혹은 간접적읶 피해자가 될 수 있습니다



DDoS공격에 대한 대처

Built on Global Network Visibility & Security Intelligence



Managed Service

Router & Switch

Bandwidth

Server & System

Service

Information

관점의 젂홖 : 읶프라 보호와 수익창출

Availability Protection:

Stop inbound DDoS attacks

as well as botnets

Security Intelligence:

Visibility and intelligence to

monitor and identify misuse

of critical applications and

sensitive systems

Network Situational

Awareness: Risk profiling

of threats and alerts with

intelligence to understand

the context of the activity

that created the alert

Infra Protection

Router & Switch

Bandwidth

Server & System

Service

Information



대처방법의 딜레마 DDoS, 언제 발생하는가?

빈번한 공격은 쉽게 차단

내가 피해자?

Security DDoS/IDS/IPS

Network ACL, Blackhole

ACL, IDS/IPS, FW…

신종공격에 대한 정보 부재

Co-Lateral Damage?

차단 or BW확장?

많은 시간 / 읶력 필요

기업 통신사업자

Hrs~

Days

서비스 중단 금젂적 손실 차단요청

손해배상 이탈

보고서 요구 +언론+기관/단체

Anti-DDoS Service

Advanced Threat DDoS Attack

DDoS 공격에 대한 능동적이고 손쉬운 대처방법 필요



ARBOR on CISCO!

SECURITY INTERNET MANAGEMENT

Routing & Switching Security

TRUSTED ADVISOR ON TREND

CP & TMS DDoS Mitigation ASERT ATLAS

CRS-1/3 CGSE

INDUSTRY LEADING SOLUTION

90% Tier 1 ISP customers

107 Countries

PRIVILEGED RELATIONSHIP

Lots of ISP

customers

All of the World

Collaboration with No.1 Network & Security in the world



Why Arbor?

Intelligence Expertise

One-Stop Report

Customized Portal

for Managed Service

ATLAS 젂세계 공격 감시

ASERT 젂문 분석팀

ATF 실시간

패턴업데이트 AIF

실시간 분석 차단서비스

Global Presence



Cisco Design Evolution 분산형 DDoS Mitigation

Appliance 형태

Flexibility

Unprecedented Scale

Monetization

Distributed architecture stops attacks at point of entry, saves network resources

Multiple deployment choices L3 VPN, GRE tunnels, IP

Up to 120 Gbps of mitigation capacity with a CRS

Inside Fabric No Huge trunk between Network & Appliance

Anti-DDoS as a Managed Service by Arbor

Increase revenues, foster customer loyalty, differentiate from competition



Case Study : Internet Clean Pipe service

DDoS Mitigation Service for Enterprise Customer Banking, Financial, Government & Online Contents

who require critical delivery services over the Internet

Upgrade service by CRS CGSE & Arbor Upgraded bandwidth & Mitigation location

Reuse exist Arbor CP & TMS

'Cloud Signaling' Coalition’ to protect within remote peers

Upgrade Quality of Experience

Manual Mitigation Service (Virtual DDoS system)

DDoS 공격시 Portal에 접속하여 직접 DDoS 확인 / 차단

One-Stop DDoS Protection

고객이 one-stop으로 차단요청 Portal & Report Tool을 통해 짂행상황 실시간 확인



“…Any threats to traffic flow and network availability will have a significant impact to our customers’ businesses. CSC will help us protect our customers and earn their loyalty. Network security is an evolving challenge and a responsibility best fulfilled when shared by peers.”

StarHub’s CTO



맺음말

DDoS

Protection

Service

IPv6

Readiness

Invest

Protection

Carrier Grade Service Engine

• Carrier-grade IPv6 transitions

• Demand engineering traffic optimization

• Arbor DDoS Protection

• High-performance threat defense

Carrier Routing System

• Industry Leading Capacity

• Scalable + Aqility

• IP + Optical

• Elastic Core


Thank you.

Documents

Seoul, Korea March 28 29, 2013 - Cisco · 2014. 4. 25. · Today 2015+ 5B 15B 신규 읶터넷 기기의 폭발적 증가 1 – Geoff Huston, APNIC, , tracking /8 address-blocks managed