Staff AAA
Radius is not an ISP AAA Option
RADIUS TACACS+ Kerberos
What to Configure?
Simple Staff Authentication and Failsafe
Staff Authentication
Staff Accountability & Audit
Checkpoint with Authentication and Accounting
Limit Authority – Authorize Commands
Set Privileges
Checkpoint with default Authorization
Note on Privilege Levels and Authorization
One Time Password – Checking the ID
What is One Time Password
DoS the AAA Infrastructure
How to protect the AAA Servers?
Source Routing
ICMP Unreachable Overload
ICMP Unreachable Rate-Limiting
Tip: scheduler allocate
Introducing a New Router to the Network
Secure Template Sources
Input Hold Queue
What Ports Are open on the Router?
Receive ACL - Overview
Receive Adjacencies
Receive ACL Command
Receive ACL
Receive Path ACL
Packet Flow
Receive ACL – Traffic Flow
rACL Processing
rACL – Required Entries
rACL – Required Entries
rACL – Building Your ACL
Filtering Fragments
rACL – Iterative Deployment
Classification ACL Example
rACL – Sample Entries
Use Detailed Logging
Core Dumps
Routing Protocol Security
Why to Prefix Filter and Overview? (Threats)
How to Prefix Filter?
Where to Prefix Filter?
Prefix Filter on Customers
Egress Filter to Peers
Ingress Filter from Peers
Protocol Authentication (MD5)
BGP BCPs that help add Resistance
Routing Protocol Security
Malicious Route Injection: Perceived Threat
Malicious Route Injection: Reality – an Example
Garbage in – Garbage Out: What is it?
Garbage in – Garbage Out: Results
Garbage in – Garbage Out: Impact
Garbage in – Garbage Out: What to do?
Malicious Route Injection: Attack Methods
Malicious Route Injection: Impact
What is a prefix hijack?
Malicious Route Injection: What can ISPs Do?
What can ISPs Do? Containment: Egress Prefix Filters
Malicious Route Injection: What can ISPs Do?
How to Prefix Filter? Ingress and Egress Route Filtering
Ingress and Egress Route Filtering
Two Filtering Techniques
Ideal Customer Ingress/Egress Route Filtering …
BGP Peering Fundamental
Guarded Trust
Where to Prefix Filter?
What to Prefix Filter? Documenting Special Use Addresses (DUSA) and Bogons
Documenting Special Use Addresses (DUSA)
Bogons
Ingress Prefix Filter Template
Prefix Filters on Customers
BGP with Customer Infers Multihoming
Receiving Customer Prefixes
Excuses – Why providers are not prefix filtering customers.
What if you do not filter your customer?
Prefixes to Peers
Egress Filter to ISP Peers - Issues
Policy Questions
Ingress Prefix Filtering from Peers
Ingress Routes from Peers or Upstream
Receiving Prefixes from Upstream & Peers (ideal case)
Receiving Prefixes — Cisco IOS
Net Police Route Filtering
Net Police Filter Technique #1
Technique #1 Net Police Prefix List
Net Police Prefix List Deployment Issues
Technique #2 Net Police Prefix List Alternative
Net Police Filter – Technique #3
Technique #3 Net Police Prefix List
Bottom Line
Secure Routing: Route Authentication
Plain-text neighbor authentication
MD-5 Neighbor Authentication: Originating Router
Peer Authentication
OSPF Peer Authentication
OSPF and ISIS Authentication Example
BGP Peer Authentication
BGP MD5’s Problem
BGP BCPs That Help Build Security Resistance
BGP Maximum Prefix Tracking
Avoid Default Routes
Network with Default Route – Pointing to Upstream A
Network with Default Route – But not Pointing to Upstream
Network with No Default Route
Default Route and ISP Security - Guidance
Default to a Sink-Hole Router/Network