1. Staff AAA

2. Radius is not an ISP AAA Option

3. RADIUS TACACS+ Kerberos

4. What to Configure?

5. Simple Staff Authentication and Failsafe

8. Staff Authentication

9. Staff Accountability & Audit

10. Checkpoint with Authentication and Accounting

11. Limit Authority – Authorize Commands

12. Set Privileges

13. Checkpoint with default Authorization

14. Note on Privilege Levels and Authorization

15. One Time Password – Checking the ID

16. What is One Time Password

17. DoS the AAA Infrastructure

18. How to protect the AAA Servers?

19. Source Routing

20. ICMP Unreachable Overload

23. ICMP Unreachable Rate-Limiting

24. Tip: scheduler allocate

25. Introducing a New Router to the Network

27. Secure Template Sources

28. Input Hold Queue

31. What Ports Are open on the Router?

34. Receive ACL - Overview

35. Receive Adjacencies

36. Receive ACL Command

37. Receive ACL

38. Receive Path ACL

39. Packet Flow

40. Receive ACL – Traffic Flow

41. rACL Processing

42. rACL – Required Entries

44. rACL – Building Your ACL

45. Filtering Fragments

46. rACL – Iterative Deployment

47. Classification ACL Example

48. rACL – Iterative Deployment

51. rACL – Sample Entries

54. Use Detailed Logging

55. Core Dumps

57. Routing Protocol Security  Why to Prefix Filter and Overview? (Threats)  How to Prefix Filter?  Where to Prefix Filter?  Prefix Filter on Customers  Egress Filter to Peers  Ingress Filter from Peers  Protocol Authentication (MD5)  BGP BCPs that help add Resistance

58. Routing Protocol Security

59. Malicious Route Injection Perceive Threat

60. Malicious Route Injection Reality – an Example

61. Garbage in – Garbage Out: What is it?

62. Garbage in – Garbage Out: Results

63. Garbage in – Garbage Out: Impact

64. Garbage in – Garbage Out: What to do?

65. Malicious Route Injection Attack Methods

66. Malicious Route Injection Impact

67. What is a prefix hijack?

68. Malicious Route Injection What can ISPs Do?

71. What can ISPs Do? Containment Egress Prefix Filters

74. Malicious Route Injection What can ISPs Do?

75. How to Prefix Filter? Ingress and Egress Route Filtering

76. Ingress and Egress Route Filtering

80. Two Filtering Techniques

81. Ideal Customer Ingress/Egress Route Filtering ….

82. BGP Peering Fundamental

83. Guarded Trust

84. Where to Prefix Filter?

86. What to Prefix Filter? Documenting Special Use Addresses (DUSA) and Bogons

87. Documenting Special Use Addresses (DUSA)

90. Bogons

91. Ingress Prefix Filter Template

93. Prefix Filters on Customers

94. BGP with Customer Infers Multihoming

95. Receiving Customer Prefixes

97. Excuses – Why providers are not prefix filtering customers.

98. What if you do not filter your customer?

100. Prefixes to Peers

102. Egress Filter to ISP Peers - Issues

103. Policy Questions

104. Ingress Prefix Filtering from Peers

105. Ingress Routes from Peers or Upstream

106. Receiving Prefixes from Upstream & Peers (ideal case)

107. Receiving Prefixes — Cisco IOS

108. Net Police Route Filtering

110. Net Police Filter Technique #1

111. Technique #1 Net Police Prefix List

112. Net Police Prefix List Deployment Issues

113. Technique #2 Net Police Prefix List Alternative

115. Net Police Filter – Technique #3

116. Technique #3 Net Police Prefix List

117. Net Police Filter – Technique #3

118. Bottom Line

119. Secure Routing Route Authentication

120. Plain-text neighbor authentication

121. MD-5 Neighbor Authentication: Originating Router

123. Peer Authentication

125. OSPF Peer Authentication

126. OSPF and ISIS Authentication Example

127. BGP Peer Authentication

129. BGP MD5 ’ s Problem

130. BGP BCPs That Help Build Security Resistance

131. BGP Maximum Prefix Tracking

134. Avoid Default Routes

135. Network with Default Route – Pointing to Upstream A

136. Network with Default Route – But not Pointing to Upstream

137. Network with No Default Route

138. Default Route and ISP Security - Guidance

139. Default to a Sink-Hole Router/Network