Staff AAA. Radius is not an ISP AAA Option RADIUS TACACS+ Kerberos

Staff AAA

Radius is not an ISP AAA Option

RADIUS TACACS+ Kerberos

What to Configure?

Simple Staff Authentication and Failsafe



Staff Authentication

Staff Accountability & Audit

Checkpoint with Authentication and Accounting

Limit Authority – Authorize Commands

Set Privileges

Checkpoint with default Authorization

Note on Privilege Levels and Authorization

One Time Password – Checking the ID

What is One Time Password

DoS the AAA Infrastructure

How to protect the AAA Servers?

Source Routing

ICMP Unreachable Overload



ICMP Unreachable Rate-Limiting

Tip: scheduler allocate

Introducing a New Router tothe Network

Introducing a New Router tothe Network

Secure Template Sources

Input Hold Queue

Input Hold Queue

Input Hold Queue

What Ports Are open on the Router?



Receive ACL - Overview

Receive Adjacencies

Receive ACL Command

Receive ACL

Receive Path ACL

Packet Flow

Receive ACL – Traffic Flow

rACL Processing

rACL – Required Entries

rACL – Required Entries

rACL – Building Your ACL

Filtering Fragments

rACL – Iterative Deployment

Classification ACL Example




rACL – Sample Entries



Use Detailed Logging

Core Dumps

Core Dumps

Routing Protocol Security Why to Prefix Filter and Overview? (Threats) How to Prefix Filter? Where to Prefix Filter? Prefix Filter on Customers Egress Filter to Peers Ingress Filter from Peers Protocol Authentication (MD5) BGP BCPs that help add Resistance

Routing Protocol Security

Malicious Route InjectionPerceive Threat

Malicious Route InjectionReality – an Example

Garbage in – Garbage Out: What is it?

Garbage in – Garbage Out: Results

Garbage in – Garbage Out: Impact

Garbage in – Garbage Out: What to do?

Malicious Route InjectionAttack Methods

Malicious Route InjectionImpact

What is a prefix hijack?

Malicious Route InjectionWhat can ISPs Do?



What can ISPs Do?Containment Egress Prefix Filters




How to Prefix Filter?Ingress and Egress Route Filtering

Ingress and Egress Route Filtering




Two Filtering Techniques

Ideal Customer Ingress/Egress Route Filtering ….

BGP Peering Fundamental

Guarded Trust

Where to Prefix Filter?

Where to Prefix Filter?

What to Prefix Filter? Documenting Special Use Addresses (DUSA) and Bo

gons

Documenting Special Use Addresses (DUSA)



Bogons

Ingress Prefix Filter Template

Ingress Prefix Filter Template

Prefix Filters on Customers

BGP with Customer Infers Multihoming

Receiving Customer Prefixes

Receiving Customer Prefixes

Excuses – Why providers are not prefix filtering customers.

What if you do not filter your customer?

What if you do not filter your customer?

Prefixes to Peers

Prefixes to Peers

Egress Filter to ISP Peers - Issues

Policy Questions

Ingress Prefix Filtering fromPeers

Ingress Routes from Peers or Upstream

Receiving Prefixes from Upstream & Peers (ideal case)

Receiving Prefixes — Cisco IOS

Net Police Route Filtering

Net Police Route Filtering

Net Police Filter Technique #1

Technique #1 Net Police Prefix List

Net Police Prefix List Deployment Issues

Technique #2 Net Police Prefix List Alternative

Technique #2 Net Police Prefix List Alternative

Net Police Filter – Technique #3

Technique #3 Net Police Prefix List

Net Police Filter – Technique #3

Bottom Line

Secure RoutingRoute Authentication

Plain-text neighbor authentication

MD-5 Neighbor Authentication: Originating Router

MD-5 Neighbor Authentication: Originating Router

Peer Authentication

Peer Authentication

OSPF Peer Authentication

OSPF and ISIS Authentication Example

BGP Peer Authentication

BGP Peer Authentication

BGP MD5’s Problem

BGP BCPs That Help Build Security Resistance

BGP Maximum Prefix Tracking



Avoid Default Routes

Network with Default Route – Pointing to Upstream A

Network with Default Route – But not Pointing to Upstream

Network with No Default Route

Default Route and ISP Security - Guidance

Default to a Sink-Hole Router/Network

Documents

Staff AAA. Radius is not an ISP AAA Option RADIUS TACACS+ Kerberos