Presentation is loading. Please wait.

Presentation is loading. Please wait.

Edge Protection 111. The Old World: Network Edge Core routers individually secured Every router accessible from outside “outside” Core telnet snmp.

Published byCody Baldwin Modified over 9 years ago

Similar presentations

Presentation on theme: "Edge Protection 111. The Old World: Network Edge Core routers individually secured Every router accessible from outside “outside” Core telnet snmp."— Presentation transcript:

1 Edge Protection 111

2 The Old World: Network Edge Core routers individually secured Every router accessible from outside “outside” Core telnet snmp

3 “outside” Core The New World: Network Edge Core routers individually secured PLUS Infrastructure protection Routers generally NOT accessible from outside telnet snmp

4 Infrastructure ACLs Basic premise: filter traffic destined TO your core routers –Do your core routers really need to process all kinds of garbage? Develop list of required protocols that are sourced from outside your AS and access core routers –Example: eBGP peering, GRE, IPSec, etc. –Use classification ACL as required Identify core address block(s) –This is the protected address space –Summarization is critical  simpler and shorter ACLs

5 Infrastructure ACLs Infrastructure ACL will permit only required protocols and deny ALL others to infrastructure space ACLs now need to be IPv4 and IPv6! ACL should also provide anti-spoof filtering –Deny your space from external sources –Deny RFC1918 space –Deny multicast sources addresses (224/4) –RFC3330 defines special use IPv4 addressing

6 Digression: IP Fragments Fragmented Packets can cause problems... –Fragmented packets can be used as an attack vector to bypass ACLs –Fragments can increase the effectiveness of some attacks by making the recipient consume more resources (CPU and memory) due to fragmentation reassembly Reality Check – Routers & Switches should not be receiving fragments! –In today’s networks, management & control plane traffic should not be fragmenting. –If it does, it means something is BROKE or someone is attacking you. Recommendation – Filter all fragments to the management & control plane … logging to monitor for errors and attacks.

7 Infrastructure ACLs Infrastructure ACL must permit transit traffic –Traffic passing through routers must be allowed via permit IP any any iACL is applied inbound on ingress interfaces Fragments destined to the core can be filtered via the iACL

8 SRC: 127.0.0.1 DST: Any SRC: Valid DST: Rx (Any R) SRC: eBGP Peer DST: CR1 eBGP SRC: Valid DST: External to AS (e.g. Customer) ACL “in” Infrastructure ACL in Action PR1PR2 R1 CR1 R4 R2 R3 R5 CR2

9 Iterative Deployment Typically a very limited subset of protocols needs access to infrastructure equipment Even fewer are sourced from outside your AS Identify required protocols via classification ACL Deploy and test your iACLs

10 Step 1: Classification Traffic destined to the core must be classified NetFlow can be used to classify traffic –Need to export and review Classification ACL can be used to identify required protocols –Series of permit statements that provide insight into required protocols –Initially, many protocols can be permitted, only required ones permitted in next step –ACL Logging can be used for additional detail; hits to ACL entry with logging might increase CPU utilization: impact varies by vendor/platform Regardless of method, unexpected results should be carefully analyzed  do not permit protocols that you can’t explain!

11 Step 2: Begin to Filter Permit protocols identified in step 1 to infrastructure only address blocks Deny all other to addresses blocks –Watch access control entry (ACE) counters –ACL logging can help identify protocols that have been denied but are needed Last line: permit anything else  permit transit traffic The iACL now provides basic protection and can be used to ensure that the correct suite of protocols has been permitted

12 Steps 3 & 4: Restrict Source Addresses Step 3: –ACL is providing basic protection –Required protocols permitted, all other denied –Identify source addresses and permit only those sources for requires protocols –e.g., external BGP peers, tunnel end points Step 4: –Increase security: deploy destination address filters if possible

13 Infrastructure ACLs Edge “shield” in place Not perfect, but a very effective first round of defense –Can you apply iACLs everywhere? –What about packets that you cannot filter with iACLs? –Hardware limitations Next step: secure the control/management planes per box “outside” telnet snmp Core

Download ppt "Edge Protection 111. The Old World: Network Edge Core routers individually secured Every router accessible from outside “outside” Core telnet snmp."

Similar presentations

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.1 Firewalls.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.1 Firewalls.
Access Control Lists. Types Standard Extended Standard ACLs Use only the packets source address for comparison 1-99.

Access Control Lists. Types Standard Extended Standard ACLs Use only the packets source address for comparison 1-99.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
Chapter 9: Access Control Lists

Chapter 9: Access Control Lists
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Introducing ACLs.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Introducing ACLs.
© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.

© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.
IPv6 Transition : Why a new security mechanisms model is necessary?

IPv6 Transition : Why a new security mechanisms model is necessary?
© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 4 – Implementing Firewall Technologies.

© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 4 – Implementing Firewall Technologies.
1 Access Lists. 2 Introduction ACL (access list)  a list of conditions that categorize packets. Rules:  Sequential order.  Until a match is made. 

1 Access Lists. 2 Introduction ACL (access list)  a list of conditions that categorize packets. Rules:  Sequential order.  Until a match is made. 
Standard, Extended and Named ACL.  In this lesson, you will learn: ◦ Purpose of ACLs  Its application to an enterprise network ◦ How ACLs are used to.

Standard, Extended and Named ACL.  In this lesson, you will learn: ◦ Purpose of ACLs  Its application to an enterprise network ◦ How ACLs are used to.
Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Base on RFC 2827 Lector Kirill Motul.

Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Base on RFC 2827 Lector Kirill Motul.
1 Pertemuan 05 Firewall Matakuliah: H0451/Praktikum Jaringan Komputer Tahun: 2006 Versi: 1/0.

1 Pertemuan 05 Firewall Matakuliah: H0451/Praktikum Jaringan Komputer Tahun: 2006 Versi: 1/0.
Effective Uses of Packet- Filtering Devices. Filtering Based on Source Address: The Cisco Standard ACL 1.One of the things that packet-filtering technology.

Effective Uses of Packet- Filtering Devices. Filtering Based on Source Address: The Cisco Standard ACL 1.One of the things that packet-filtering technology.
Access Control Key concepts: Controlling the data flow within a network ACL (access control lists)

Access Control Key concepts: Controlling the data flow within a network ACL (access control lists)
Using Routing and Tunnelling to Combat DoS Attacks Adam Greenhalgh, Mark Handley, Felipe Huici Dept. of Computer Science University College London

Using Routing and Tunnelling to Combat DoS Attacks Adam Greenhalgh, Mark Handley, Felipe Huici Dept. of Computer Science University College London
TCOM 515 Lecture 6.

TCOM 515 Lecture 6.

Similar presentations

Ads by Google