IN BROADBAND
Presented by Atul Kumar Singh, DGM (Project), Broadband Network Circle

Agenda
1. Introduction to BSNL Broadband Network
2. Regulatory Issues of Broadband
3. Cyber Threats/ Crimes Cases/ Issues
4. Cyber Security - International Perspective
5. Cyber Security - Readiness of BSNL
6. Conclusion

Introduction to BSNL Broadband Network

[Figure: NIB Access Method. Access paths into the NIB and the Internet: PSTN dial-up via RAS, ISDN via NT/TA, ADSL broadband via BRAS/BNG, the CDMA/WLL access network and LAN-connected PCs, with indicated rates of 33 Kbps, 64/128 Kbps, >256 Kbps, 64 Kbps and 100 Mbps.]

[Figure: Internet Services in BSNL. The NIB-II MPLS backbone (P and PE routers) connects the external Internet cloud, reached through the IGW/IXP, to the customer groups served by their respective access networks: NIB-1 NRAS customers, Project 2.1 customers, Project 2.2 BRAS broadband customers, Multiplay BNG/CPE customers, Internet Leased Line customers, GPRS customers (GSM access network, MSC), CDMA/WLL customers (PDSN) and Wi-Fi/ Wi-Max/ Ku-Band/ BDLC customers.]

[Figure: Network diagram of NIB-II. ADSL terminals connect to DSLAMs, which uplink over FE to Tier-2 LAN switches; these aggregate over GigE into the aggregation switch and the Broadband RAS, which connects over GigE to the Tier-1 core router.]

[Figures: Multiplay Network Architecture for A1 & A2 cities (NOC, DRNOC, RPOP), for A3 & A4 cities, for B1 & (B2+BNG) cities, and for other cities. Data Networks, BSNL.]
Abbreviations used in the Multiplay architecture diagrams:
- BNG: Broadband Network Gateway
- RPR: Resilient Packet Ring
- OCLAN: Other Cities Local Area Network
- DSLAM: Digital Subscriber Line Access Multiplexer
- GE: Gigabit Ethernet
- FE: Fast Ethernet
- L3PE: Layer 3 Provider Edge Router

[Figure: Typical subscriber connectivity.]

[Figure: Connectivity at Gateway/ NIXI/ Peering locations (Noida, Kolkata, Chennai, Bangalore, Mumbai). At each location a PE router connects to the IGW router towards the bandwidth provider (STM-1 and STM-16 links) and to the IXP router towards NIXI and peering networks such as Yahoo/ Google (GigE links); Chennai has a 10 GigE link.]

[Figure: Typical connectivity at Core. P routers interconnect the BNG/ BRAS nodes, co-located and non co-located access equipment, NRAS, NIB-1 and Internet Leased Line (ILL) PE routers over STM-16 and GigE links.]

Regulatory Issues related to Broadband

[Figure: Regulatory Framework - High Court/ Supreme Court, TDSAT, DoT, TRAI, Ministry of I & B, DIT.]
[Figure: Internet Security Framework - NIA/ MHA, MoD, CERT-In, NTRO, C-DoT, Ministry of IT, other agencies & State Police, DoT, BSNL.]

TRAI Regulation 2006 (11 of 2006) on Quality of Service of Broadband Service
These Regulations apply to all Internet Service Providers, Basic Service Providers, Unified Access Service Providers and Cellular Mobile Telecom Service Providers providing Broadband Service. They came into force with effect from 1st January, 2007.

Quality of Service (QoS) Parameters
The service providers shall meet the following benchmarks for the Quality of Service parameters for Broadband:
- Service provisioning/ Activation Time: 100% of cases in <=15 working days
- Fault Repair/ Restoration Time: by next working day >90%, and within 3 working days 99%
- Billing Performance: 100% of billing complaints resolved within 4 weeks
- Response time to the customer for assistance (call centres): 60% within 60 sec and 80% within 90 sec
- Bandwidth Utilization/ Throughput: <80% during peak hours
- Service availability/ uptime: 98%
- Packet loss: <1%
- Network Latency: 120 msec to 800 msec
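As an added illustration, not part of the original presentation and not a BSNL or TRAI tool, the following Python computes one quarter's measured values for five of the benchmarks above from constructed records and checks each against its benchmark. It assumes working days are Monday to Friday and reads ">90%" as strictly greater than 90; both are assumptions of this example, as are the sample records.

```python
from datetime import date, timedelta

# Benchmarks taken from the TRAI QoS regulation as listed on this page.
# Each entry is (comparison, value): ">" where the regulation says ">90%",
# ">=" where it gives a plain percentage.
BENCHMARKS = {
    "provisioning_within_15_wd_pct": (">=", 100.0),
    "fault_next_wd_pct": (">", 90.0),
    "fault_within_3_wd_pct": (">=", 99.0),
    "call_within_60s_pct": (">=", 60.0),
    "call_within_90s_pct": (">=", 80.0),
}


def working_days_between(start, end):
    """Working days elapsed after `start` up to and including `end`.
    Assumption of this example: working days are Monday to Friday only."""
    if end < start:
        raise ValueError("end precedes start")
    count, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            count += 1
    return count


def pct(hits, total):
    return 100.0 * hits / total if total else 100.0


def fault_repair_metrics(tickets):
    """tickets: [(reported_on, restored_on)] as dates."""
    gaps = [working_days_between(r, s) for r, s in tickets]
    return {
        "fault_next_wd_pct": pct(sum(g <= 1 for g in gaps), len(gaps)),
        "fault_within_3_wd_pct": pct(sum(g <= 3 for g in gaps), len(gaps)),
    }


def provisioning_metrics(orders):
    """orders: [(ordered_on, activated_on)] as dates."""
    gaps = [working_days_between(o, a) for o, a in orders]
    return {"provisioning_within_15_wd_pct": pct(sum(g <= 15 for g in gaps), len(gaps))}


def call_centre_metrics(answer_seconds):
    n = len(answer_seconds)
    return {
        "call_within_60s_pct": pct(sum(t <= 60 for t in answer_seconds), n),
        "call_within_90s_pct": pct(sum(t <= 90 for t in answer_seconds), n),
    }


def evaluate(metrics):
    """Compare measured values with the benchmarks.
    Returns {parameter: (measured, benchmark, met)}."""
    result = {}
    for key, (op, target) in BENCHMARKS.items():
        measured = metrics[key]
        met = measured > target if op == ">" else measured >= target
        result[key] = (measured, target, met)
    return result


# Constructed sample data for one quarter (not real BSNL figures).
SAMPLE_TICKETS = [
    (date(2010, 3, 1), date(2010, 3, 2)),    # next working day
    (date(2010, 3, 5), date(2010, 3, 8)),    # Friday to Monday: still 1 working day
    (date(2010, 3, 1), date(2010, 3, 1)),    # same day
    (date(2010, 3, 2), date(2010, 3, 4)),    # 2 working days: misses "next day"
    (date(2010, 3, 9), date(2010, 3, 10)),
    (date(2010, 3, 12), date(2010, 3, 15)),
    (date(2010, 3, 15), date(2010, 3, 16)),
    (date(2010, 3, 17), date(2010, 3, 17)),
    (date(2010, 3, 18), date(2010, 3, 19)),
    (date(2010, 3, 19), date(2010, 3, 22)),
]
SAMPLE_ORDERS = [
    (date(2010, 3, 1), date(2010, 3, 10)),   # 7 working days
    (date(2010, 3, 1), date(2010, 3, 22)),   # exactly 15 working days
    (date(2010, 3, 1), date(2010, 3, 23)),   # 16 working days: breach
    (date(2010, 3, 3), date(2010, 3, 4)),
]
SAMPLE_ANSWER_SECONDS = [12, 45, 58, 61, 75, 88, 95, 120, 30, 10]


def quarterly_report(tickets=SAMPLE_TICKETS, orders=SAMPLE_ORDERS,
                     answers=SAMPLE_ANSWER_SECONDS):
    metrics = {}
    metrics.update(fault_repair_metrics(tickets))
    metrics.update(provisioning_metrics(orders))
    metrics.update(call_centre_metrics(answers))
    return evaluate(metrics)


if __name__ == "__main__":
    for k, (measured, target, met) in quarterly_report().items():
        print(f"{k:32s} {measured:6.1f}%  benchmark {target:5.1f}%  "
              f"{'MET' if met else 'NOT MET'}")
```

On the sample data the fault-repair figure comes out at exactly 90%, which fails the ">90%" benchmark while the 3-working-day figure passes; the comparison operator therefore has to be carried per parameter rather than assumed.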
TRAI's Reporting Requirement
The service providers shall submit the Performance Monitoring Reports on the QoS benchmarks for all the parameters, in the format to be prescribed by the Authority, on a quarterly basis (quarters ending 31st March, 30th June, 30th September and 31st December), but not later than 6 weeks from the end of the quarter. The Authority may review from time to time the periodicity and the format of such report.

Regulatory requirement for number of plans
It is noticed that broadband plans are being treated as part of Fixed Wire line Services, whereas broadband is a separate service provided over the wire line. Broadband service will not be counted in the Wire line service segment, so that there is a uniform policy in the allocation of Unique Numbers to the plans issued by the Corporate Office.

CYBER CRIMES/ THREATS

Cyber crimes
- Illegal Access (hacking)
- Data Espionage (key-loggers, hardware or software based)
- Illegal Interception (the WEP encryption used in Wi-Fi is already broken)
- Data Interference
- Content Related Offences: Child Pornography & Sexual abuse of children, Hate Speech, Religious Offences, Illegal Gambling, SPAM
Cyber crimes (contd.)
- Copyright & Trademark offences/ violations
- Computer related frauds (manipulation of digital documents, phishing, identity theft etc.)
- Misuse of Devices (e.g. rent-a-Botnet)
- Combined Attacks (Cyber terrorism)
[Charts: Internet Crime reported in Year-2008; Cyber Crime Cases Reported; What is Cyber crime?; Statistics of Defaced Indian Web Sites.]

CYBER THREATS - Cases
2009-10 attacks overview
Cases covered: Conficker, Slowloris & Sockstress, Mydoom.EA, Twitter, Google.

Conficker attack
Conficker: Zero-Minute Attack
[Figure: a single malware host propagating to many victims.]
Main propagation vector: TCP Port 445 (RPC)
[Figure: Conficker Malware Spread.]

Low Rate Denial-of-Service Attacks
Introduction
Typical DoS/DDoS attacks:
- High rate network/ application flooding
- Single packet attacks (vulnerability exploitation)
A new trend: Low rate flood attacks
- Exploit software weaknesses that allow attackers to misuse Web applications or TCP stack resources
- Service denial to legitimate users
- Go undetected by threshold-based tools
Recent attacks:
- Slowloris (July 2009)
- Sockstress (September 2009)

Slowloris
[Figure: Attacker and Apache Web Server. A request completed with CRLF/CRLF receives an HTTP reply; the attacker then sends "HTTP GET / CRLF" lines that never reach the terminating CRLF/CRLF, and the server keeps each of these pending GET requests open.]
- Service misuse attack
- Server overload due to pending GET requests
- Minimal traffic exchange
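The following Python is an added example, not taken from the presentation or from any vendor. It replays a constructed connection trace and picks out connections that are still inside the header phase after their time budget, which is how a server-side guard separates a Slowloris client from a slow but genuine one. The budget follows the shape of Apache's mod_reqtimeout directive RequestReadTimeout header=20-40,MinRate=500 (a base timeout, a per-byte extension and a hard cap); the numeric values, the trace format and the addresses are assumptions of this example.

```python
from collections import defaultdict

# Budget for finishing the request headers: 20 s to begin with, each 500 bytes
# received buys one more second, never more than 40 s in total. These values
# are assumptions of this example (same shape as mod_reqtimeout's header=20-40,MinRate=500).
HEADER_BASE_S = 20.0
HEADER_MAX_S = 40.0
MIN_RATE_BPS = 500
HEADER_END = b"\r\n\r\n"   # the blank line that terminates HTTP/1.x headers


class Conn:
    def __init__(self, src, opened):
        self.src, self.opened = src, opened
        self.buf = b""
        self.last_seen = opened

    @property
    def headers_complete(self):
        return HEADER_END in self.buf

    def deadline(self):
        """Instant by which the headers must be complete for this connection."""
        extra = len(self.buf) / MIN_RATE_BPS
        return self.opened + min(HEADER_MAX_S, HEADER_BASE_S + extra)


def build_connections(events):
    """events: [(t_seconds, conn_id, src_ip, bytes_received)] in time order."""
    conns = {}
    for t, cid, src, data in events:
        c = conns.get(cid)
        if c is None:
            c = conns[cid] = Conn(src, t)
        c.buf += data
        c.last_seen = t
    return conns


def stalled(conns, now):
    """Connections still in the header phase past their deadline at `now`."""
    return sorted(cid for cid, c in conns.items()
                  if not c.headers_complete and now > c.deadline())


def suspect_sources(conns, now, min_stalled=2):
    """Source IPs holding several stalled connections open at once."""
    per_src = defaultdict(int)
    for cid in stalled(conns, now):
        per_src[conns[cid].src] += 1
    return sorted(src for src, n in per_src.items() if n >= min_stalled)


def constructed_events():
    """Constructed trace: one normal client (c1), one client keeping three
    connections in the header phase by sending a header line every 10 s
    (c2-c4), and one slow but recently opened connection (c5)."""
    ev = [(0.0, "c1", "198.51.100.10",
           b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n")]
    for cid in ("c2", "c3", "c4"):
        ev.append((0.0, cid, "203.0.113.7",
                   b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"))
        for t in (10.0, 20.0, 30.0, 40.0, 50.0):
            ev.append((t, cid, "203.0.113.7", b"X-a: b\r\n"))
    ev.append((55.0, "c5", "198.51.100.22", b"GET /index.html HTTP/1.1\r\n"))
    return sorted(ev, key=lambda e: e[0])


if __name__ == "__main__":
    conns = build_connections(constructed_events())
    print("stalled at t=60:", stalled(conns, 60.0))
    print("suspect sources:", suspect_sources(conns, 60.0))
```

Note what a pure per-packet threshold would miss: the stalled client sends eight bytes every ten seconds, so its traffic rate is negligible; the signal is the elapsed time with incomplete headers, and c5, which opened only five seconds earlier, is correctly left alone.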
Low rate DoS attack: a single client can reach complete denial of service within a few minutes.

Sockstress
On September 8th Microsoft and Cisco released a patch against the Sockstress tool, which was rated as critical. Sockstress includes a set of tools, each of which exploits a different weakness of the TCP/IP stack. The Sockstress tool uses various techniques to create local resource consumption, which crashes a service or the entire machine - essentially a denial of service attack. So far it is reported that this affects all systems running any service utilizing TCP, including Windows, Mac, Linux and BSD.

Mydoom.EA (also known as the July 2009 Cyber Attacks)

Spreading the Bot Malware: spam
[Figure: an advertiser/ spammer sends messages carrying the malware code to many victims.]
Activating the Bot malware
[Figure: each infected victim contacts the Command & Control server.]

Mydoom.EA: 1st Strike
[Figure: the attacker issues BOT commands to the C&C server, which directs the bots (infected hosts) at public web servers on the Internet alongside legitimate users.]
Bot characteristics:
- ~20,000 zombie computers
- Diversified attacks: HTTP page flood, SYN flood with packet anomalies, UDP flood, ICMP flood
- Destinations in the US and S. Korea
- ~1-2 Gbps inbound traffic (200K-500K PPS)

Mydoom.EA: 2nd Strike
[Figure: same botnet structure as for the 1st strike.]
Bot characteristics:
- ~50,000 zombie computers
- Diversified attacks: HTTP page flood, SYN flood with packet anomalies, UDP flood, ICMP flood
- Destinations in the US and S. Korea
- ~6-7 Gbps inbound traffic (>2 million PPS)

Mydoom.EA: Time Flow
- 1st Strike (July 5th, 2009): targets in the US - Government, Media & eCommerce
- 2nd Strike (July 7th, 2009): targets in the US and S. Korea, over 25 sites
- 3rd Strike (July 8th ~ 9th, 2009): targets in the US and S. Korea, over 45 sites
- 4th Attack (July 9th ~ 10th, 2009): targets in the US and S. Korea, over 60 sites

Mydoom.EA: USA Targets
[Figure: Botnet Attack.]
July 2009 Cyber Attacks

Why is Mydoom.EA so challenging?
- Dynamic attack tool: generates diversified attacks
- Both spoofed (DDoS) and non-spoofed (HTTP flood) attacks
- Highly distributed attack
- HTTP page flood targets the home page of victim sites
- High attack rate

July 2009 Cyber Attacks: fighting back

Attack Vector                                    Probable Solution
Bot malware spread                               IPS or Network Behavior Analysis
Bot Command & Control messages                   IPS
Application flooding - HTTP page flood attack    Network Behavior Analysis
Network flooding - SYN/UDP/ICMP flood attack     DoS Protection

No single protection tool can handle today's cyber threats.

Twitter Attacks - Emerging Threats
Cyxymu DDoS (Aug 2009)
- Attack: distributed SYN floods and UDP floods
- Result: Twitter suffered hours of downtime; all victims had poor QoS for days

Google Attacks
Operation Aurora: Google hacked

Google / Twitter Attacks 2009
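As an added example, not part of the original slides and not any vendor's product, here is a small behaviour-based detector of the kind the "fighting back" table above prescribes for the Mydoom.EA floods. It learns per-second SYN and HTTP request baselines from a quiet minute of constructed traffic, then flags later seconds whose counts exceed the mean plus three standard deviations, reporting the distinct-source count (the tell-tale of a spoofed SYN flood) and the share of requests for the home page (the tell-tale of the HTTP page flood). The traffic, the address pools, the three-sigma rule and the record format are assumptions of this example.

```python
import ipaddress
import statistics
from collections import defaultdict

BASELINE_END = 60      # seconds 0-59 of the constructed trace are learnt as normal
K_SIGMA = 3.0          # alert when a per-second count exceeds mean + K_SIGMA * sigma
# Detected vector mapped to the control this page names for it.
CONTROL = {"syn": "DoS Protection (SYN cookies, rate limit)",
           "http": "Network Behavior Analysis"}


def constructed_traffic():
    """Records are (second, src_ip, kind, uri): kind 'syn' is a TCP SYN towards
    port 80, 'http' is a completed GET. Entirely constructed data."""
    recs = []
    legit = [f"198.51.100.{i}" for i in range(1, 21)]
    for t in range(BASELINE_END):                       # quiet minute
        for i in range(4 + t % 3):
            recs.append((t, legit[i], "syn", None))
        for i in range(9 + t % 3):
            recs.append((t, legit[i], "http", "/" if i % 3 == 0 else f"/page{i}.html"))
    bot0 = int(ipaddress.IPv4Address("10.0.0.0"))      # assumed bot address pool
    for t in range(BASELINE_END, BASELINE_END + 5):    # five seconds of floods
        for i in range(800):                           # SYN flood, every source distinct
            recs.append((t, str(ipaddress.IPv4Address(bot0 + t * 1000 + i)), "syn", None))
        for i in range(300):                           # HTTP page flood on the home page
            recs.append((t, str(ipaddress.IPv4Address(bot0 + 100000 + i % 150)), "http", "/"))
    return recs


def per_second(recs):
    """{(second, kind): [(src, uri), ...]}"""
    buckets = defaultdict(list)
    for t, src, kind, uri in recs:
        buckets[(t, kind)].append((src, uri))
    return buckets


def learn_baseline(buckets, until=BASELINE_END):
    """Per-kind mean and population std dev of the per-second counts."""
    base = {}
    for kind in CONTROL:
        counts = [len(buckets.get((t, kind), ())) for t in range(until)]
        base[kind] = (statistics.mean(counts), statistics.pstdev(counts))
    return base


def detect(buckets, base, start=BASELINE_END):
    """Behaviour-based alerts for every second >= start."""
    alerts = []
    seconds = sorted({t for t, _ in buckets if t >= start})
    for t in seconds:
        for kind, (mean, sd) in base.items():
            rows = buckets.get((t, kind), [])
            threshold = mean + K_SIGMA * max(sd, 1.0)   # floor keeps slack on a flat baseline
            if len(rows) <= threshold:
                continue
            alert = {"t": t, "kind": kind, "count": len(rows),
                     "threshold": round(threshold, 2), "control": CONTROL[kind],
                     "distinct_src": len({src for src, _ in rows})}
            if kind == "http":
                alert["home_share"] = sum(uri == "/" for _, uri in rows) / len(rows)
            alerts.append(alert)
    return alerts


def run_demo():
    buckets = per_second(constructed_traffic())
    return detect(buckets, learn_baseline(buckets))


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

The two attributes attached to each alert are what decide the response: a SYN count whose distinct-source count equals the packet count is spoofed and belongs to the DoS-protection tier (SYN cookies, rate limiting), whereas completed GETs concentrated on "/" come from real TCP sessions and need the behavioural tier, which is exactly the split the table makes.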
Hackers' Change in Motivation (2001 to 2009)
Motivations seen over the period: vandalism and publicity, hacktivism, financially motivated attacks.
- 2003: Blaster (attacking the Microsoft web site)
- 2007: Srizbi (Botnet)
- 2007: Rustock (Botnet)
- 2009: Kracken (Botnet)
- July 2009: Cyber Attacks on the US & Korea

How to prevent Cyber crime
Technical prevention:
- At ISP level
- At User/ Customer level

Network & Data Center security: Solutions
[Figure: layered defences between the Internet and the servers: Access Router, DoS Protection, IPS, NBA, Firewall and Anti Trojan/ phishing in front of the Web Servers and Application Servers.]
- DoS Protection: SYN Cookies, Rate Limit, Signatures, Behaviour Analysis
- IPS: Signatures, Stateful Inspection, Rate Limit
- NBA: Source Behaviour, Service Patterns

How to Mitigate/ Prevent Cyber Threats/ Crimes

How to prevent Cyber crime - at user level
- Update the OS
- Updated Antivirus protection
- Anti-spam and Trojan protection
- Safe Internet banking
- Good legal policies
How to prevent Cyber crime - in Organisations
Using the computer at the workplace: between efficiency and privacy
- Include the Policy on how to use the Internet at the workplace as part of the labour contract
- Train the employees on usage of the Internet and software
- Train the employees on how they should treat confidential information and the essential passwords

Cyber Security - International Perspective

Cyber Security
We are on the Information Super Highway without seatbelts on.
Cyber Security is one of the most critical concerns of the information age.
Connecting the World Responsibly: it forms the cornerstone of a healthy, connected world.
ITU Initiative
Mission: Cyber security for All
Global Cybersecurity Agenda (GCA): a framework for international cooperation & response, launched on 7th March 2007. GCA focuses on building partnership and collaboration between all relevant parties in the fight against cyber threats. Dr. Arias, President of Costa Rica, is the patron of GCA. With its 191 Member States and more than 700 Sector Members, ITU has enough reach to cater to the cyber security needs of the world.

GCA is built on 5 Strategic Pillars/ Work Areas with 7 main Strategic Goals:
1. Legal Measures - ITU Toolkit for cyber crime legislation (http://www.itu.int/ITU-D/cyb/cubersecurity/legistation.html)
2. Technical and Procedural Measures - by ITU's Standardization Sector (ITU-T). The latest ones are:
   - H.323 Security Standards for use by H.3 series IP multimedia systems (like VoIP, video conferencing etc.)
   - J.170 Security Standards for two-way IP services on Cable TV networks
   - X.1205 Overview of Cybersecurity, which provides a definition and taxonomy of security threats
   - M.1078 for IMT-2000 Networks (3G & Mobile Broadband)
3. Organizational Structures - Member States to establish CIRTs (Computer Incident Response Teams); India has CERT
4. Capacity Building - to develop a sustainable and proactive culture of Cybersecurity; CIIP (Critical Information Infrastructure Protection) Self-Assessment Tool
5. International Cooperation - a High Level Expert Group (HLEG), comprising high level experts from governments, industry, relevant regional/ international organizations, research institutes, academic institutions and individual experts appointed by ITU, for further developing the GCA. Related initiatives: IMPACT, the IMPACT Center for Policy and International Cooperation, the ITU Cybersecurity Gateway and Child Online Protection (COP, Nov 2008).

IMPACT (International Multilateral Partnership Against Cyber Threats) is a public-private initiative dedicated to enhancing the global community's capacity to prevent, defend against and respond to cyber threats. In Nov 2008 ITU became a member of the IMPACT Advisory Board. Its HQ in Cyberjaya, Malaysia is also the GRC's main centre.
IMPACT - GRC
As part of ITU's collaboration with the International Multilateral Partnership Against Cyber Threats, the Global Response Centre (GRC) plays a pivotal role in putting technical measures in place to combat new and evolving cyber threats. Two prime highlights of the GRC are:
- NEWS: Network Early Warning System
- ESCAPE: Electronically Secure Collaboration Application Platform for Experts

Cyber Security - Australia
- 17.7 million incidents reported in 2008; 650 million Aus $ in monetary terms
- CIRT established in 1993, the 2nd after the US; based in the University of Queensland, Brisbane
- Have a Trusted Infrastructure Sharing network
- Have a Critical Infrastructure Advisory Council
- International gateway consolidation
- ISP Code & Practices
- Contributing towards cyber crime legislation for other countries
- They have a Dept. of Broadband and Digital Economy
- http://www.staysmartonline.gov.au
- E-Security awareness week, 5th to 12th June

Cyber Security - India
- 1.1 billion subs as on July 2009
- More than 2 million domains in India
- Growth of about 11 million GSM users every month
- CERT-In formed on 27th Oct 2009 under the Ministry of IT
- ISO 27001 Best Practices for Cybersecurity
- http://www.cert-in.org.in/securepc/index.html
Cyber Security - Readiness of BSNL

Security Measures by BSNL
- Security Hardware/ Software
- Security policy: Physical Security Policy, Network Security Policy, Secrecy of Information
- Security Advisory: advisory to BSNL personnel, advisory to BSNL customers
- Security Drill done with CERT-In and others

Security Hardware/ Software in NIB
- Firewalls
- Load Balancers (Firewall & Server)
- Network Application Switch
- Host Based Intrusion Detection System (HIDS)
- Network IDS (NIDS)
- Antivirus Solution
- Antispam solution
- Security Management Solution: Symantec Enterprise Security Architecture (SESA), Symantec Incident Manager (SIM), Symantec Correlation Manager, Symantec Event Collector for Checkpoint, Symantec Event Relay for IBM

Physical Security Policy
- Lock and Key
- Room Biometrics Access
- Recording of sensitive areas
- Remote observation
- Room Access policy
- Maintaining of Log Register

Network Security Policy
- Access Policy: privilege level of access, password management
- Access/ Filter Lists: for access to equipment, for Internet traffic
- Limit simultaneous access users
- Encryption of user/ password etc.

Secrecy of Information
- Network resource information like equipment H/W & S/W, IP address policy etc.
- Information on security policy
- Information on security measures
- Information about access policy
- Information about password policy

Security Advisory to Node BSNL Personnel
- Physical access to equipment: only authorised persons, log register etc.
- Password management: alphanumeric; don't use name, DOB etc.
- Update PC software, patches etc.; beware when installing freeware patches
- Educate about antivirus, antispam etc.

Security Advisory to Customers/ Users
- Password management
- Misuse of E-mail/ Internet
- PC security

PC Security Guidelines
- Virus protection
- Passwords
- Disable vulnerable services
- Firewalls
- Disable File/ Print sharing
- Keep OS security patches updated - important for Windows users
- Disconnect the Internet cable from the PC when not in use
Efforts made along with CERT-In
A Network Security Drill was conducted at the Noida Data Center of NIB-II Project-3 on 18th March 2010. Vodafone, DMRC, CRIS, SBI, Airtel, CBEC, IAF, PNB, NTPC, IDBI, ONGC and Tata Communications participated in the drill. Kingfisher, ICICI, NSE, MTNL, Power Grid, Bank of India and the Income Tax Department could not participate in the drill. BSNL scored 65% marks. It helped in improving security settings in the Data Center firewall etc.

Efforts made along with CERT-In (contd.)
Along with CERT-In, BBNW Circle tested our ADSL modems in their lab with respect to the security of our broadband customers, and they issued the following suggestions for security:
- Disable web management, telnet, ICMP and SSH services on the WAN port of ADSL/ VOIP routers right at the time of installation.
- Only the device's web management port should be enabled from the LAN; disable telnet, SSH or any file uploading/ downloading services on the LAN port.
- Check for and remove file uploading/ downloading utilities such as wget, ftp etc.
- Upgrade the firmware of the modems/ routers and educate users to do the same.
- Create a unique user name and/ or password for web management specific to each customer and deliver it to him/ her in a confidential manner.
- Provide usage details to the users in the monthly bill.
CERT-In has created a Crisis Management Group for countering cyber attacks and cyber terrorism; BSNL is part of that team.
CERT-In publishes open proxy servers on its website http://www.cert-in.org.in/knowledgebase/whitepapers/openproxy.htm and we have to take the necessary action related to our network.
Security Advisories/ Vulnerabilities issued by CERT-In are regularly published on the BBNW website http://dnw.bsnl.co.in.
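Added example (not code from BSNL, CERT-In or any modem vendor): a Python audit that reads an iptables-save style INPUT chain, as found on Linux-based ADSL routers, and reports which items of the CERT-In checklist above it violates, by evaluating each management service as a new connection arriving on the WAN and on the LAN side. The interface names ppp0 (WAN) and br0 (LAN), both rulesets and the port-to-service mapping are assumptions of this example; the hardened set is one configuration that passes the checklist, not a vendor default.

```python
import shlex

WAN_IF, LAN_IF = "ppp0", "br0"   # assumed CPE interface names; adjust per model

# CERT-In checklist from this page as (interface, proto, port, expected, label).
CHECKLIST = [
    (WAN_IF, "tcp", 80,    "blocked", "web management reachable from WAN"),
    (WAN_IF, "tcp", 443,   "blocked", "web management (HTTPS) reachable from WAN"),
    (WAN_IF, "tcp", 23,    "blocked", "telnet reachable from WAN"),
    (WAN_IF, "tcp", 22,    "blocked", "SSH reachable from WAN"),
    (WAN_IF, "icmp", None, "blocked", "ICMP answered on WAN"),
    (LAN_IF, "tcp", 80,    "allowed", "web management not reachable from LAN"),
    (LAN_IF, "tcp", 23,    "blocked", "telnet reachable from LAN"),
    (LAN_IF, "tcp", 22,    "blocked", "SSH reachable from LAN"),
    (LAN_IF, "tcp", 21,    "blocked", "ftp (file transfer) reachable from LAN"),
]


def parse_rules(text):
    """Minimal reader for the iptables-save subset used here. Returns the INPUT
    policy and the INPUT rules as dicts {iface, proto, dport, state, target}."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "*#" or line == "COMMIT":
            continue
        tok = shlex.split(line)
        if line.startswith(":"):                 # ":INPUT DROP [0:0]"
            if tok[0] == ":INPUT":
                policy = tok[1]
            continue
        if tok[0] == "-P" and tok[1] == "INPUT":
            policy = tok[2]
            continue
        if tok[0] != "-A" or tok[1] != "INPUT":
            continue
        rule = {"iface": None, "proto": None, "dport": None, "state": None, "target": None}
        i = 2
        while i + 1 < len(tok):
            opt, val = tok[i], tok[i + 1]
            if opt == "-i":
                rule["iface"] = val
            elif opt == "-p":
                rule["proto"] = val
            elif opt == "--dport":
                rule["dport"] = int(val)
            elif opt == "--state":
                rule["state"] = val
            elif opt == "-j":
                rule["target"] = val
            # other options (-m, -s, ...) are skipped together with their argument
            i += 2
        rules.append(rule)
    return policy, rules


def verdict(policy, rules, iface, proto, port):
    """First matching INPUT rule wins for a NEW connection; else the policy applies."""
    for r in rules:
        if r["iface"] not in (None, iface):
            continue
        if r["proto"] not in (None, proto):
            continue
        if r["dport"] is not None and r["dport"] != port:
            continue
        if r["state"] is not None and "NEW" not in r["state"].split(","):
            continue                              # ESTABLISHED,RELATED never admits a new flow
        return "allowed" if r["target"] == "ACCEPT" else "blocked"
    return "allowed" if policy == "ACCEPT" else "blocked"


def audit(ruleset_text):
    """Return the checklist labels that the ruleset violates."""
    policy, rules = parse_rules(ruleset_text)
    return [label for iface, proto, port, expected, label in CHECKLIST
            if verdict(policy, rules, iface, proto, port) != expected]


# Constructed rulesets: a factory-default style set and a hardened one.
WEAK_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i ppp0 -p tcp -m tcp --dport 80 -j DROP
COMMIT
"""

HARDENED_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i br0 -p icmp -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    print("weak ruleset violations:", audit(WEAK_RULES))
    print("hardened ruleset violations:", audit(HARDENED_RULES))
```

The weak set shows the usual shape of a factory default: one explicit drop for HTTP on the WAN while the chain policy stays ACCEPT, so telnet, SSH, HTTPS and ICMP remain exposed and the LAN side admits everything. The hardened set inverts the policy to DROP and whitelists only the LAN management port and LAN-side DNS/ DHCP/ ICMP, which is the stance the checklist asks for.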
Bharat Sanchar Nigam Limited
Lawful Interception & Monitoring Requirement
As per the ISP Licensing Policy, the security requirement has two stages:
1. Traffic interception
   - The complete traffic of the network is to be provided for monitoring
   - The data is analysed by the respective security agencies as per their requirement
2. CDR Analysis
   - CDR analysis based on IP address, time & date to trace the user information
   - The CDRs of each project are available with its respective billing system
   - The user information is provided through the Billing/ provisioning system

License clause 1.10.10.1 Monitoring facilities.
(a) At each International Gateway location and/ or ISP node with a router/ switch having an outbound capacity of 2 Mbps or more (ALL BSNL NODES FALL UNDER THIS):
(i) Every international gateway location and/ or ISP node with a router/ switch having a capacity of 2 Mbps or more shall be equipped with a monitoring Centre at the cost of the ISP. A suitable, appropriate monitoring system is to be set up by ISPs carrying Internet telephony traffic through their Internet gateways and/ or ISP nodes at their own cost.
(ii) Office space of 10 feet x 10 feet with adequate uninterrupted power supply and air-conditioning
(iii) One local exclusive telephone line
(iv) Cost of maintenance of the equipment and infrastructure

LIM points in the BSNL network:
1. Narrow-Band: LIM at PE (NIB-1; Project-2.1 of NIB-II)
2. Broadband: Project-2.2 (LIM at T-1/ BRAS); Multiplay (LIM at BNG)
3. Internet Leased Line: LIM at PE (NIB-1 equipment; Project-1)

Present LIM Connectivity
DoT has authorized C-DOT as the coordinating agency for installation of Monitoring Equipment. C-DOT has installed LIM equipment at 8 locations: Jammu, Chandigarh, Noida, Jalandhar, Kolkata, Hyderabad, Jaipur & Guwahati.

Present LIM Connectivity contd.
Latest development from June 2010: DoT and MHA are very serious on this issue. DoT called a review meeting with BSNL in June 2010 to review LIM solution deployment in BSNL, and the third review meeting will be held on 20th Aug 2010. BSNL is finalising plans to deploy the LIM solution as per the requirement of the Security agencies at 5 Gateway locations and 9 States in Phase-1.

[Figure: Typical Network Architecture of BSNL Internet Gateways at Bangalore/ Chennai/ Mumbai/ Noida/ Kolkata - Core 1 and Core 2 routers, IGW-PE, IGW (2* STM-16 to the IBP) and IXP (to peers); link capacities shown: 40 GE (4*10GE), 20 GE (2*10 GE), 30 GE (3*10 GE), 20 GE. Tapping at these points: total 5 taps required, total 10 10GE ports required.]

Gateway Bandwidth Traffic Details (as on 14-07-2010)

SN  Name of IGW node  Connected STMs/ BW (Gbps)  Connected BW for NIXI & Others (Gbps)  Peak Traffic (Gbps)
                                                                                        Incoming  Outgoing  Total
1   Bangalore         64 / 9.9                   0                                      9.3       2.6       11.9
2   Chennai           80 / 12.4                  2                                      14.2      5.3       19.5
3   Kolkata           48 / 7.4                   0                                      6.4       0         6.4
4   Mumbai            169 / 26.2                 6                                      31.8      7.7       39.5
5   New Delhi         16 / 2.5                   1                                      1.1       4.1       5.2
    Total             377 / 58.4                 9                                      62.8      19.7      82.5

Planned LIM deployment in Circles
BSNL is planning to deploy the LIM solution along with the MPLS Core Routers. Phase-1 will cover 9 Circles (West Bengal, Orissa, Jharkhand, Chhattisgarh, Jharkhand, Bihar, North East, Jammu & Kashmir and Andhra Pradesh). The plan is still under finalization.
Login details of users
- The details of all Narrowband/ Broadband/ messaging users are provided as per requirement
- Logging details are kept for 1 year in the archive and 6 months on the system
- They are provided on the basis of the minimum information of IP address, time and date of the user

Call Data Record Analysis
For cases related to identification of a user based on IP address, date and time.
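The CDR analysis step above, as an added Python example that is not BSNL's billing or provisioning system: constructed RADIUS-style accounting records (user, framed IP, start, stop) are searched for the subscriber who held a given IP address at a given instant. It normalises the requesting agency's timestamp to UTC and rejects one that carries no offset (a request quoting IST without saying so is the classic way to name the wrong subscriber), treats the session stop as exclusive so a dynamically reused address is never attributed to two users, and states whether a record of that age should still be on the system (6 months) or in the archive (1 year) per the retention given above. The sample records, the 30-day month and the documentation address range are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Retention as stated on this page: 6 months on the system, 1 year in the archive.
# A month is approximated as 30 days here (assumption of this example).
ON_SYSTEM = timedelta(days=6 * 30)
IN_ARCHIVE = timedelta(days=365)

# Constructed accounting records (username, framed IP, start, stop) in UTC.
# A stop of None means the session is still open; 192.0.2.0/24 is documentation space.
SESSIONS = [
    ("alice", "192.0.2.5", "2010-07-14T08:00:00+00:00", "2010-07-14T09:30:00+00:00"),
    ("bob",   "192.0.2.5", "2010-07-14T09:35:00+00:00", "2010-07-14T12:00:00+00:00"),
    ("carol", "192.0.2.6", "2010-07-14T08:10:00+00:00", None),
    ("dave",  "192.0.2.7", "2010-07-13T23:50:00+00:00", "2010-07-14T00:20:00+00:00"),
]


def parse_ts(text):
    """ISO-8601 with an explicit UTC offset, normalised to UTC.
    A timestamp without an offset is rejected rather than guessed."""
    ts = datetime.fromisoformat(text)
    if ts.tzinfo is None:
        raise ValueError(f"timestamp {text!r} carries no UTC offset")
    return ts.astimezone(timezone.utc)


def users_for(ip, when_text, sessions=SESSIONS):
    """Usernames whose session held `ip` at the instant `when_text`.
    Start is inclusive and stop exclusive, so an address handed from one
    subscriber to the next is never attributed to both."""
    when = parse_ts(when_text)
    hits = []
    for user, addr, start, stop in sessions:
        if addr != ip:
            continue
        started = parse_ts(start)
        ended = parse_ts(stop) if stop else None
        if started <= when and (ended is None or when < ended):
            hits.append(user)
    return hits


def retention_tier(event_text, now_text):
    """Where a record of that age should still exist: 'system', 'archive' or None."""
    age = parse_ts(now_text) - parse_ts(event_text)
    if age <= ON_SYSTEM:
        return "system"
    if age <= IN_ARCHIVE:
        return "archive"
    return None


def lookup(ip, when_text, now_text):
    """Complete answer for one request: the users found and where the log should be."""
    return {"ip": ip, "utc": parse_ts(when_text).isoformat(),
            "users": users_for(ip, when_text),
            "retention": retention_tier(when_text, now_text)}


if __name__ == "__main__":
    now = "2010-10-01T00:00:00+00:00"
    # A request quoting Indian Standard Time (UTC+05:30): 15:15 IST is 09:45 UTC.
    print(lookup("192.0.2.5", "2010-07-14T15:15:00+05:30", now))
    # Inside the five-minute gap between alice and bob: nobody held the address.
    print(lookup("192.0.2.5", "2010-07-14T09:32:00+00:00", now))
    # An open session still matches.
    print(lookup("192.0.2.6", "2010-07-15T03:00:00+00:00", now))
```

The two results that matter most in practice are the empty ones: an instant falling between two leases, or exactly on a stop boundary, returns no user rather than the nearest one, and a request whose timestamp lacks an offset fails loudly instead of silently being read as UTC.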
Process for handling Cyber Crime related cases coming through Security/ Police Agencies
1. BSNL has designated nodal offices for taking such requests from these security/ police agencies in each SSA.
2. All SSA nodal officers are required to get the user details from the BBNW nodal officer, DGM (BB), Multiplay NOC, BBNW Circle, Bangalore, and reply back.
3. For Central Agencies like NIA, IB, CBI, CERT, TERM, NTRO, DRI and Delhi Police, DGM (Project), BBNW Circle, New Delhi is the direct nodal officer for such cases.

India is also getting ready to deal with Cyber Crime.

Conclusions
- Security measures can never ensure 100% security.
- Security measures/ methods/ equipment need constant improvement.