城域网安全实践--广州电信.ppt

* * * * * * * * 进一步思考 问题2：Guard部署在哪里合适，在MPLS 网络里如何牵引流量？ 在出口上部署还是在汇接路由器上部署？ 设备投资。 城域网内业务标签转发。 …………… * 进一步思考 问题3：如何提高网络设备本身的抗攻击能力？ Cisco设备的Control Plane Policy ……………… * 进一步思考 问题4：能否在省内、集团内统一要求在所有SR上进行源地址校验？ 运维与业务部门需要协调…… * 进一步思考 问题5：能否建立一套机制，在发生网络安全事件后可以在省内产生联动、协助、配合？ 例如建立一个邮件组； …………… * 谢谢！ * 替换原16、17 * * * * * * * * * * Analysis and filtering capabilities of the Guard The Guard uses traffic behavior analysis to determine whether sending sources are malicious or legitimate. To start with, the Guard creates a traffic behavior profile of what normal traffic behavior looks like. This traffic behavior profile, also known as a baseline, includes the following behavior parameters: 1. Packet RATES measured in packets-per-second (e.g. TCP SYN Packets measured in PPS) 2. Packet RATIOS (e.g. the ratio of SYN packets to FIN packets) 3. Number of open TCP CONNECTIONS (e.g. number of simultaneous TCP connections opened by a single source) These traffic behaviors are analyzed from the following perspectives: 1. By destination host address 2. By destination subnet 3. By source host address 4. By source subnet This traffic behavior analysis is also referred to as the Anomaly Recognition process. The Anomaly Recognition process is used by the Guard for two things: 1. To determine if all traffic destined to a target should be subject to one of the various Anti-Spoofing mechanisms to prevent spoofed sources from sending their packets 2. After Anti-Spoofing has been applied, to determine if the remaining sources (those that are not using spoofed source IP addresses) are behaving in an anomalous fashion. If yes, then counter-measures can be applied that will subject those anomalous sources to: a. a TCP Proxy mechanism to distinguish valid connections from invalid connections originating from the same source IP b. an automatically deployed drop filter that drops all traffic from the anomalous source for a set amount of time In general, the Gua