© 2011 Cisco and/or its affiliates. All rights reserved. © 2013 Cisco and/or its affiliates. All rights reserved.
Seoul, Korea
March 28 – 29, 2013
연일중 / 김정훈
[email protected] / [email protected]
Introduction to CGv6 and DDoS Security Solutions for Telecom Service Providers
Cisco Systems, SP SE Team
Cisco Connect Korea 2013
Agenda
Introduction to the CRS CGSE (Carrier Grade Services Engine)
High-performance / high-capacity CGv6 solution
DDoS security solution (Arbor on Cisco!)
Closing remarks
Introduction to the Carrier Grade Services Engine
CRS Industry Leadership 67% Core Market Share (2012)
Market share calculated by ACG Research, 2012
Mature core product
• Over 3 petabytes of traffic processed since the CRS launch
• Over 500 customers worldwide using CRS (FY12)
• 8,900 CRSs deployed, CRS-3 accounting for 38% (FY12)
Introduction to the Carrier Grade Services Engine: IPv6 Transition and SP Services
CGSE
CGv6
NPS
CCN
DDoS
CGSE key strengths
• Multiple services
- CGv6: IPv6 transition technologies
- DDoS: Arbor TMS integration
• Scalability
- Supports CRS-1/3
- Supports MSC40/FP40
- Performance scales up to 12 cards (in a 16-slot chassis)
• Hardware
- Service PLIM for CRS-1/3
- 20 Gbps performance
Introduction to the CGv6 Solution
The dark shadow over the Internet world…
No IP address = Business Impacted
[Chart] IPv4 Address Blocks Remaining¹: 25 today, falling to 0 by Sep 2011. Exhaustion of available IPv4 addresses.
[Chart] Internet-Enabled Devices²: 5B today, rising to 15B by 2015+. Explosive growth of new Internet devices.
1 – Geoff Huston, APNIC, www.potaroo.net, tracking /8 address blocks managed by the Internet Assigned Numbers Authority
2 – Cisco Visual Networking Index / Intel Embedded Internet Projections
Now is the IPv6 era
IPv6
IPv4 Address Run-Out
IPv6 OS, Content and Applications
National IPv6 Strategies
Infrastructure Evolution
SP challenges arising from the IPv4 address shortage
Prepare an IPv6 transition action plan
• ISPs
• Internet service providers
• Public institutions
• Network equipment manufacturers
• IPv4 address shortage for accommodating new customers
• Difficulty planning new services
• Impact on business continuity
• Rise of private address reuse
Absence of IPv6 momentum…
CGv6 overview – IPv6 Transition Solution
[Diagram] Customers/Subscribers (Private IPv4, IPv6, Public IPv4) → SP IP Networks (Dual-Stack; VRFv4 / VRFv4 / VRFv6, per-AF routing space) → SP IPv6 Transition (Services Engine: NAT44, 6rd BR, 4/6 XLAT, DSLTC; IPv6 transition functions, service virtual interfaces) → Public Internet (Global IPv4, Global IPv6, Public IPv6)
CGv6 Components
• Features
- Translation: NAT44/NAT64
- Tunneling: 6RD/DS Lite
• Hardware
- CRS with CGSE
- ASR Family
CGv6 Framework – 3 Tiered Approach
[Diagram] IPv4 run-out (2011) → IPv6 Internet (2020+): IPv4 → IPv6 tunnels → IPv4/IPv6 translation → IPv6
• Preserve IPv4 investments and assets
• Prepare to deliver interoperable IPv6 services
• Prosper from accelerated growth and innovation
CGv6 Transition Solutions
Dual Stack (IPv4 + IPv6)
• The simplest IPv6 transition method
• Possible only when every part of the infrastructure supports IPv6
Tunneling Services – connect islands of IPv6 or IPv4 (IPv4 over IPv6, IPv6 over IPv4)
- Legacy tunneling
- MPLS 6PE/6VPE
- 6RD (v6 over v4)
- Dual Stack Lite (v4 over v6)
• Encapsulates IPv6 packets in IPv4 packets for transport
• Useful when some equipment does not support IPv6
Translation Services – connect to the IPv6 community (IPv4 ↔ IPv6)
- NAT44/NAT444
- Stateful AFT
- Stateless AFT
• Needed for communication between IPv6 and IPv4
• Translation between the protocols may not be perfect
CGv6 Transition Solution – Translation
Stateful AFT (NAT64)
- Technology that lets IPv6 users reach the IPv4 network.
- Creates and stores state information per flow (e.g. IPv6 + port -> IPv4 + port).
- N:1 mapping (like NAPT)
[Diagram] IPv6 network (IPv6 address) → XLAT with DNS64/IVI → IPv4 network (public IPv4 address)
"IPv4-mapped" IPv6 addresses represent an IPv4 host in IPv6 format: PREFIX:IPv4 portion:SUFFIX
Stateless AFT (NAT IVI)
- Technology that lets IPv6 users reach the IPv4 network.
- Does not maintain per-flow state.
- 1:1 mapping
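The PREFIX:IPv4:SUFFIX embedding and the stateful N:1 binding table described above, as an added Python example that is not part of the original deck. The 64:ff9b::/96 well-known prefix (RFC 6052), the sample addresses and the port-allocation policy are assumptions, since the slide names no specific prefix or allocation scheme.

```python
import ipaddress

# Well-known NAT64 prefix from RFC 6052. An assumption for this example:
# the slide only speaks of PREFIX:IPv4:SUFFIX without naming a prefix.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_v6(prefix: ipaddress.IPv6Network, v4: str) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 prefix.

    This is what DNS64 or a stateless XLAT (IVI) does to represent an IPv4
    host as an "IPv4-mapped" IPv6 address: a 1:1 mapping, no state needed.
    """
    if prefix.prefixlen != 96:
        raise ValueError("example only handles /96 prefixes")
    embedded = int(prefix.network_address) | int(ipaddress.IPv4Address(v4))
    return str(ipaddress.IPv6Address(embedded))


def extract_v4(prefix: ipaddress.IPv6Network, v6: str) -> str:
    """Reverse direction: recover the IPv4 host from a prefix-embedded address."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        raise ValueError(f"{v6} does not carry prefix {prefix}")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF))


class StatefulNat64:
    """Minimal N:1 binding table as in stateful AFT: many IPv6 sources share
    one public IPv4 address and are told apart by the translated port."""

    def __init__(self, public_v4: str, first_port: int = 1024, last_port: int = 65535):
        self.public_v4 = public_v4
        self.next_port = first_port
        self.last_port = last_port
        self.bindings = {}  # (IPv6 src, src port) -> (public IPv4, translated port)

    def translate(self, src_v6: str, src_port: int) -> tuple:
        """Return (public IPv4, port) for a flow, allocating a binding on first sight."""
        key = (src_v6, src_port)
        if key not in self.bindings:
            if self.next_port > self.last_port:
                # Port-pool exhaustion: the resource a stateless 1:1 mapping never runs out of.
                raise RuntimeError("public port pool exhausted")
            self.bindings[key] = (self.public_v4, self.next_port)
            self.next_port += 1
        return self.bindings[key]
```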
CGv6 Transition Solution – Tunneling
[Diagram] Private IPv4 → 6rd CE → IPv6 over IPv4 tunnel across the IPv4 Internet → 6rd BR → IPv6 Internet (labels: NAT44, private IPv4 address, public IPv4 address, IPv6 address)
6RD (IPv6 Rapid Deployment)
- Technology for reaching the IPv6 network while using the existing IPv4 network as-is; the CPE devices and the border router must be replaced.
CGv6 Transition Solution – Tunneling
[Diagram] Private IPv4 → B4 (IPv6) → IPv4 over IPv6 tunnel across the IPv6 Internet → DS-Lite AFTR → IPv4 Internet (labels: private IPv4 address, public IPv4 address, IPv6 address)
DS Lite
- Technology that lets IPv4/v6 users on an IPv6 network reach the IPv4 network; the SP backbone network has no dependency on IPv4.
IPv6 Transition Solutions – direction of application
[Diagram] Preserve (IPv4) → Prepare (IPv6) → Prosper (IPv6), across IP NGN and Business / Consumer, toward All IPv6 Today. Legend: IPv4, Private IP, IPv6. Techniques: Private IP/NAT, IPv6 over IPv4 (6rd/6PE), Dual-Stack, IPv4 over IPv6 (DS-Lite), Stateless/Stateful XLAT.
CGSE provides a high-capacity, large-scale CGv6 solution for telecom service providers
- Easy IPv6 services over the existing IPv4 infrastructure
- Low cost, low risk
- Gradual transition to an IPv6-led network is possible.
Benefits of Cisco CGv6
• The Internet community is confronted with imminent IPv4 run-out and the need for IPv6 transition
• Cisco's 3P strategy is about business continuity and transition tools
• CGv6 offers SP-class solutions enabling operators to:
- Address IPv4 run-out
- Transition to IPv6
• CGSE is CGv6's Swiss army knife
• Complements dual-stack and native IPv6 solutions
- Use when and where needed in your network
DDoS Security Solution by Arbor on Cisco
DDoS attacks are happening right now
LIVE DATA FEED by ATLAS: 1288 DDoS attacks / day worldwide; 40 Gbps peak attack in the past 24 hrs; detecting 1068 active botnets
- 2004.7.13 attack on the national computer network
- 2008.1 game trading site outage
- 2009.7.7 DDoS crisis
- 2010.3.3 DDoS crisis
- Recent rise in DDoS attacks on smartphones / websites
ATLAS: Global Active Threat Level Analysis System by Arbor Networks
Why do DDoS attacks never stop? Because they are one category of Advanced Threats.
Advanced Threats?
Target a specific organization or vertical over a period of time to achieve a specific goal.
Co-ordinated activity & resources within the attacking entity.
Use new, modified and/or combinations of attack vectors & methodologies to avoid & evade detection and achieve the goal: focused & resourced hacking.
Goals are varied but have not changed: service disruption, data or IP theft, fraud.
Motivations include industrial or state-sponsored espionage, organized crime, ideological hacktivism, competitive advantage.
Advanced Threats - DDoS
• DDoS (Distributed Denial of Service) attacks are among the most frequent and most damaging attacks.
Why? Target?
1. Customers (government / enterprises / individuals) 2. Network 3. Server farms
How?
Organized DDoS campaigns; no longer JUST packet blasts; combinations of attack tools
DaaS: DDoS as a Service
DDoS attacks made easy: DDoS-as-a-Service?
Free DDoS tool: Low Orbit Ion Cannon
- Easy download, easy setup
- Type: TCP-UDP-HTTP
- URL or IP
Emergence of on-demand DDoS
New DDoS service!
- 80,000 ~ 120,000 bots (zombie hosts)
- 10~100 Gbps
- SYN / TCP / ICMP / UDP / HTTP / NEWSYN
- $200 per day / 3 min free trial
The evolution of DDoS attacks
Have you experienced a multi-vector attack?
Damage from DDoS attacks
SONY DDoS: damage from the DDoS attack
- Victim: losses due to service disruption
- Collateral damage
- The company estimated the damage at $170M; the market estimated it at $1B
Telecom service provider: other customers harmed as a result of the attack
- Hurts others around the target of attack
- Very hard to minimize
- Others do not care
Telecom service providers can become direct or indirect victims
Responding to DDoS attacks
Built on Global Network Visibility & Security Intelligence
Managed Service: Router & Switch, Bandwidth, Server & System, Service, Information
A shift in perspective: infrastructure protection and revenue generation
Availability Protection: stop inbound DDoS attacks as well as botnets
Security Intelligence: visibility and intelligence to monitor and identify misuse of critical applications and sensitive systems
Network Situational Awareness: risk profiling of threats and alerts, with intelligence to understand the context of the activity that created the alert
Infra Protection: Router & Switch, Bandwidth, Server & System, Service, Information
The dilemma of countermeasures: when does a DDoS occur?
- Frequent attack types are easy to block
- Am I the victim?
- Security: DDoS/IDS/IPS; Network: ACL, blackhole; ACL, IDS/IPS, FW…
- No information about new attack types
- Collateral damage?
- Block, or expand bandwidth?
- Requires a lot of time / manpower
Enterprise vs. telecom service provider: hours to days
- Service outage, financial loss, blocking requests
- Compensation claims, customer churn
- Demands for reports + press + agencies/organizations
Anti-DDoS Service against Advanced Threat DDoS attacks
A proactive and easy way to respond to DDoS attacks is needed
ARBOR on CISCO!
SECURITY, INTERNET MANAGEMENT / Routing & Switching, Security
TRUSTED ADVISOR ON TREND: CP & TMS DDoS Mitigation, ASERT, ATLAS; CRS-1/3 CGSE
INDUSTRY LEADING SOLUTION: 90% of Tier 1 ISPs are customers; 107 countries
PRIVILEGED RELATIONSHIP: lots of ISP customers all over the world
Collaboration with the No.1 network & security companies in the world
Why Arbor?
Intelligence, expertise
One-stop report; customized portal for managed service
ATLAS: worldwide attack monitoring
ASERT: expert analysis team
ATF: real-time pattern updates
AIF: real-time analysis and blocking service
Global presence
Cisco Design Evolution: distributed DDoS mitigation vs. the appliance form factor
Flexibility: distributed architecture stops attacks at the point of entry and saves network resources; multiple deployment choices (L3 VPN, GRE tunnels, IP)
Unprecedented scale: up to 120 Gbps of mitigation capacity with a CRS; inside the fabric, so no huge trunk between network & appliance
Monetization: Anti-DDoS as a managed service by Arbor; increase revenues, foster customer loyalty, differentiate from competition
Case Study: Internet Clean Pipe service
DDoS mitigation service for enterprise customers (banking, financial, government & online content) who require critical delivery services over the Internet
Upgraded service with CRS CGSE & Arbor: upgraded bandwidth & mitigation location
- Reuse existing Arbor CP & TMS
- 'Cloud Signaling Coalition' to protect together with remote peers
- Upgraded quality of experience
Manual mitigation service (virtual DDoS system): during a DDoS attack the customer logs into the portal and checks / blocks the DDoS directly
One-stop DDoS protection: the customer requests blocking in one stop and tracks progress in real time through the portal & report tool
“…Any threats to traffic flow and network availability will have a significant impact to our customers’ businesses. CSC will help us protect our customers and earn their loyalty. Network security is an evolving challenge and a responsibility best fulfilled when shared by peers.”
StarHub’s CTO
Closing remarks
[Diagram] DDoS Protection Service, IPv6 Readiness, Invest, Protection
Carrier Grade Services Engine
• Carrier-grade IPv6 transitions
• Demand engineering traffic optimization
• Arbor DDoS protection
• High-performance threat defense
Carrier Routing System
• Industry leading capacity
• Scalability + Agility
• IP + Optical
• Elastic core
Thank you.