Implications of Securing Router Infrastructure
NANOG 31, May 24, 2004
Ryan McDowell

Presentation transcript:


Control Plane Packet Filters

Receive Access-List (rACL) on Cisco; input filter on Lo0 on Juniper. Deployed in 2002.
- Deny IP fragments
- Permit SSH, SNMP, DNS, TACACS, NTP, etc., secured by src/dst pairs
- Permit BGP, IGMP, PIM
- Permit a subset of ICMP
- Permit UDP >= 1024 so as not to break traceroute to the router
- Deny everything else and count it...


Control Plane Packet Filters

How we deployed Cisco rACLs:
1. Build the access-list
2. Replace all deny statements with permit
3. Deploy on several routers
4. If you get matches where you shouldn't, change to permit/log and see what it is
5. Repeat until no more unexpected matches
Constantly improve:
- Add src/dst pairs, reduce src/dst ranges, etc.
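As an added illustration (not code from the talk), this Python model applies the rACL policy from the previous slide to constructed packets and walks the staged rollout above: with enforcement off every deny becomes permit+log so the unexpected matches can be inspected, with enforcement on they are dropped and counted. The loopback, management network, BGP peer, port numbers and the ICMP subset are assumed values.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed values, not from the talk: router loopback, management network, BGP peer.
ROUTER_LO0 = ip_address("192.0.2.1")
MGMT_NET = ip_network("198.51.100.0/24")
BGP_PEERS = {ip_address("203.0.113.9")}
MGMT_TCP = {22, 49}          # SSH, TACACS+
MGMT_UDP = {53, 123, 161}    # DNS, NTP, SNMP
ICMP_ALLOWED = {(0, 0), (3, 4), (8, 0), (11, 0)}  # echo reply, frag needed, echo, TTL exceeded
@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp", "igmp", "pim"
    dport: int = 0
    fragment: bool = False
    icmp: tuple = (0, 0)       # (type, code) when proto == "icmp"
def racl_action(p: Packet) -> str:
    """Evaluate the slide's rules in order; returns 'permit' or 'deny:<reason>'."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    if p.fragment:
        return "deny:fragment"
    if src in MGMT_NET and dst == ROUTER_LO0:          # management src/dst pair
        if p.proto == "tcp" and p.dport in MGMT_TCP:
            return "permit"
        if p.proto == "udp" and p.dport in MGMT_UDP:
            return "permit"
    if p.proto == "tcp" and p.dport == 179 and src in BGP_PEERS:
        return "permit"
    if p.proto in ("igmp", "pim"):
        return "permit"
    if p.proto == "icmp" and p.icmp in ICMP_ALLOWED:
        return "permit"
    if p.proto == "udp" and p.dport >= 1024:            # keeps traceroute to the router alive
        return "permit"
    return "deny:default"
def staged_deploy(packets, enforce: bool):
    """Rollout steps 2-5: with enforce=False every deny becomes permit+log so the
    unexpected matches can be inspected; with enforce=True it is dropped and counted."""
    matches, verdicts = Counter(), []
    for p in packets:
        verdict = racl_action(p)
        if verdict != "permit":
            matches[(verdict, p.proto, p.dport)] += 1
            verdict = "deny" if enforce else "permit+log"
        verdicts.append(verdict)
    return verdicts, matches
```

The match counter is what you study between iterations: a repeated (deny, proto, port) tuple from a legitimate source is a missing src/dst pair, anything else stays denied.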

Control Plane Packet Filters

- Good IP addressing strategy needed
- Made routers harder to kill
- Really helps with the "magic packet" attacks
- Few operational implications
  - "Sprint's routers are broken because I cannot ping your router with a 1501/4471 byte (fragmented) packet."
- Change control can be difficult
- Routers still vulnerable to attacks against TCP/179, ICMP, IP options, UDP, etc.

Limit Reachability To Control Plane IP Addresses

- Most attacks target IPs on routers obtained from a traceroute
- Let's remove the ability to reach SprintLink-Customer /30 networks from the big dangerous Internet

[Diagram: Route /24 to Null, with a customer /30 inside the /24]
- Advertise the /24 via eBGP
- Best route to the /30 is null0
- Do not redistribute connected routes into BGP or the IGP
- Run next-hop-self
- Static route to a /32 added if needed

[Diagram, continued]
- Packets from the /30 will pass the uRPF check (i.e. ICMP Type 3 Code 4)
- The /30 is no longer reachable from ISP A
- The /30 is still reachable from ISP B

Limit Reachability To Control Plane IP Addresses

- Does not add 100% security
  - But makes it a little harder for the attacker
- 25% of customers required the use of their point-to-point address
- Took over a year to implement
- Implications
  - Traceroute through the router not impacted
  - Any packets to the routers break
    - PING
      - Folks LOVE to PING our routers...
    - Traceroute

Limit Reachability To Control Plane IP Addresses

Do the same thing in the core:
- "advertise-passive-only" in Cisco
- IS-IS export policy in Juniper

[Diagram: Route /24 to Null in the core, with /30 and /31 link networks inside the /24]
- Do not redistribute connected routes into BGP or the IGP
- Run IS-IS "advertise passive-only"
- Can't reach the /30
- Can't reach the /31
- Can reach / [prefix missing from transcript]
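Added example, not part of the talk: a small longest-prefix-match model of the route-/24-to-null design from the preceding slides. The /24 link block, the /30, the /32 and the router names are assumed; it shows why a /30 address is unreachable from the Internet (ISP A) yet still reachable across the link itself, why packets sourced from it still pass a loose uRPF check at ISP A, and what the optional static /32 restores.

```python
from ipaddress import ip_address, ip_network

# Assumed prefixes, not from the talk: the provider's /24 of customer link space,
# one /30 carved from it (.9 provider side, .10 customer side), and the customer end.
LINK_BLOCK = ip_network("203.0.113.0/24")
P2P = ip_network("203.0.113.8/30")
CUSTOMER_END = ip_network("203.0.113.10/32")
DEFAULT = ip_network("0.0.0.0/0")

def lookup(fib, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None when nothing covers dst."""
    addr, best = ip_address(dst), None
    for prefix, nh in fib:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    return best[1] if best else None

def build_fibs(static_32=False):
    """Peering router (faces ISP A), customer-facing router and the customer's router.
    The /30 is connected only on the customer-facing router and is never redistributed,
    so everywhere else the best route for a /30 address is the /24 pointing at null0."""
    peering = [(LINK_BLOCK, "null0")]
    cust_facing = [(LINK_BLOCK, "null0"), (P2P, "connected")]
    customer = [(P2P, "connected"), (DEFAULT, "cust-facing")]
    if static_32:   # "static route to /32 added if needed", carried in the IGP
        peering.append((CUSTOMER_END, "cust-facing"))
    return {"peering": peering, "cust-facing": cust_facing, "customer": customer}

def delivered(fibs, entry, dst):
    """Follow next hops from the entry router; True only when a router hands the packet
    to a connected link, False when it hits null0 or has no route."""
    router = entry
    for _ in range(len(fibs) + 1):          # bound the walk; no loops expected here
        nh = lookup(fibs[router], dst)
        if nh == "connected":
            return True
        if nh not in fibs:                  # None, "null0" or an unknown hop
            return False
        router = nh
    return False

# What ISP A learned over eBGP: only the /24 aggregate, never the /30.
ISP_A_FIB = [(LINK_BLOCK, "peering")]

def urpf_ok(fib, src):
    """Loose uRPF on ISP A's side: the source must be covered by a non-null route."""
    return lookup(fib, src) not in (None, "null0")
```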

Limit Reachability To Control Plane IP Addresses

- RFC 1918 loopbacks for management (SNMP, SSH, iBGP, etc.)
- Rate-limiting rACL
  - CoPP (Control Plane Policing) on Cisco
- Apply BTSH/GTSH to the rACL
- Ignore IP options
  - Forward packets as if there are no options set
  - Similar to "no ip source-route" on Cisco

What does all this mean?

- Don't plan on sending any packets destined to the router.
  - But this is already happening with the MPLS-ization of networks.
- More secure infrastructure
  - Not perfect, but better than where most of us are now
  - Can be done without ingress filtering, which is hard

References

newft/120limit/120s/120s22/ft_ipacl.pdf