Staff AAA
RADIUS is not an ISP AAA Option
RADIUS TACACS+ Kerberos
What to Configure?
Simple Staff Authentication and Failsafe
Staff Authentication
Staff Accountability & Audit
Checkpoint with Authentication and Accounting
Limit Authority – Authorize Commands
Set Privileges
Checkpoint with default Authorization
Note on Privilege Levels and Authorization
One Time Password – Checking the ID
What is One Time Password
DoS the AAA Infrastructure
How to protect the AAA Servers?
Source Routing
ICMP Unreachable Overload
ICMP Unreachable Rate-Limiting
Tip: scheduler allocate
Introducing a New Router to the Network
Secure Template Sources
Input Hold Queue
What Ports Are open on the Router?
Receive ACL - Overview
Receive Adjacencies
Receive ACL Command
Receive ACL
Receive Path ACL
Packet Flow
Receive ACL – Traffic Flow
rACL Processing
rACL – Required Entries
rACL – Building Your ACL
Filtering Fragments
rACL – Iterative Deployment
Classification ACL Example
rACL – Iterative Deployment
rACL – Sample Entries
Use Detailed Logging
Core Dumps
Routing Protocol Security
Overview and Why to Prefix Filter? (Threats)
How to Prefix Filter?
Where to Prefix Filter?
Prefix Filter on Customers
Egress Filter to Peers
Ingress Filter from Peers
Protocol Authentication (MD5)
BGP BCPs that help add Resistance
Routing Protocol Security
Malicious Route Injection Perceive Threat
Malicious Route Injection Reality – an Example
Garbage in – Garbage Out: What is it?
Garbage in – Garbage Out: Results
Garbage in – Garbage Out: Impact
Garbage in – Garbage Out: What to do?
Malicious Route Injection Attack Methods
Malicious Route Injection Impact
What is a prefix hijack?
Malicious Route Injection What can ISPs Do?
What can ISPs Do? Containment Egress Prefix Filters
Malicious Route Injection What can ISPs Do?
How to Prefix Filter? Ingress and Egress Route Filtering
Ingress and Egress Route Filtering
Two Filtering Techniques
Ideal Customer Ingress/Egress Route Filtering ….
BGP Peering Fundamental
Guarded Trust
Where to Prefix Filter?
What to Prefix Filter? Documenting Special Use Addresses (DUSA) and Bogons
Documenting Special Use Addresses (DUSA)
Bogons
Ingress Prefix Filter Template
Prefix Filters on Customers
BGP with Customer Infers Multihoming
Receiving Customer Prefixes
Excuses – Why providers are not prefix filtering customers.
What if you do not filter your customer?
Prefixes to Peers
Egress Filter to ISP Peers - Issues
Policy Questions
Ingress Prefix Filtering from Peers
Ingress Routes from Peers or Upstream
Receiving Prefixes from Upstream & Peers (ideal case)
Receiving Prefixes — Cisco IOS
Net Police Route Filtering
Net Police Filter Technique #1
Technique #1 Net Police Prefix List
Net Police Prefix List Deployment Issues
Technique #2 Net Police Prefix List Alternative
Net Police Filter – Technique #3
Technique #3 Net Police Prefix List
Net Police Filter – Technique #3
Bottom Line
Secure Routing Route Authentication
Plain-text neighbor authentication
MD-5 Neighbor Authentication: Originating Router
Peer Authentication
OSPF Peer Authentication
OSPF and ISIS Authentication Example
BGP Peer Authentication
BGP MD5's Problem
BGP BCPs That Help Build Security Resistance
BGP Maximum Prefix Tracking
Avoid Default Routes
Network with Default Route – Pointing to Upstream A
Network with Default Route – But not Pointing to Upstream
Network with No Default Route
Default Route and ISP Security - Guidance
Default to a Sink-Hole Router/Network