intERLab

Staff AAA
RADIUS is not an ISP AAA Option
RADIUS TACACS+ Kerberos
What to Configure?
Simple Staff Authentication and Failsafe
Staff Authentication
Staff Accountability & Audit
Checkpoint with Authentication and Accounting
Limit Authority – Authorize Commands
Set Privileges
Checkpoint with Default Authorization
Note on Privilege Levels and Authorization
One Time Password – Checking the ID
What is a One Time Password?
DoS the AAA Infrastructure
How to protect the AAA Servers?
Source Routing
ICMP Unreachable Overload
ICMP Unreachable Rate-Limiting
Tip: scheduler allocate
Introducing a New Router to the Network
Secure Template Sources
Input Hold Queue
What Ports Are Open on the Router?
Receive ACL - Overview
Receive Adjacencies
Receive ACL Command
Receive ACL
Receive Path ACL
Packet Flow
Receive ACL – Traffic Flow
rACL Processing
rACL – Required Entries
rACL – Building Your ACL
Filtering Fragments
rACL – Iterative Deployment
Classification ACL Example
rACL – Iterative Deployment
rACL – Sample Entries
Use Detailed Logging
Core Dumps
Routing Protocol Security
 Why Prefix Filter? Overview of the Threats
 How to Prefix Filter?
 Where to Prefix Filter?
 Prefix Filter on Customers
 Egress Filter to Peers
 Ingress Filter from Peers
 Protocol Authentication (MD5)
 BGP BCPs that help add Resistance
Routing Protocol Security
Malicious Route Injection
Perceived Threat
Malicious Route Injection
Reality – an Example
Garbage In – Garbage Out: What is it?
Garbage In – Garbage Out: Results
Garbage In – Garbage Out: Impact
Garbage In – Garbage Out: What to do?
Malicious Route Injection: Attack Methods
Malicious Route Injection: Impact
What is a prefix hijack?
Malicious Route Injection: What can ISPs Do?
What can ISPs Do? Containment Egress Prefix Filters
How to Prefix Filter?
Ingress and Egress Route Filtering
Two Filtering Techniques
Ideal Customer Ingress/Egress Route Filtering
BGP Peering Fundamental
Guarded Trust
Where to Prefix Filter?
What to Prefix Filter?
 Documenting Special Use Addresses (DUSA) and Bogons
Documenting Special Use Addresses (DUSA)
Bogons
Ingress Prefix Filter Template
Prefix Filters on Customers
BGP with a Customer Implies Multihoming
Receiving Customer Prefixes
Excuses – Why Providers Are Not Prefix Filtering Customers
What if You Do Not Filter Your Customer?
Prefixes to Peers
Egress Filter to ISP Peers Issues
Policy Questions
Ingress Prefix Filtering from Peers
Ingress Routes from Peers or Upstream
Receiving Prefixes from Upstream & Peers (Ideal Case)
Receiving Prefixes — Cisco IOS
Net Police Route Filtering
Net Police Filter Technique #1
Technique #1: Net Police Prefix List
Net Police Prefix List
Deployment Issues
Technique #2: Net Police Prefix List Alternative
Net Police Filter – Technique #3
Technique #3: Net Police Prefix List
Net Police Filter – Technique #3
Bottom Line
Secure Routing
Route Authentication
Plain-text neighbor authentication
MD5 Neighbor Authentication: Originating Router
Peer Authentication
OSPF Peer Authentication
OSPF and IS-IS Authentication Example
BGP Peer Authentication
BGP MD5’s Problem
BGP BCPs That Help Build Security Resistance
BGP Maximum Prefix Tracking
Avoid Default Routes
Network with Default Route – Pointing to Upstream A
Network with Default Route – But Not Pointing to Upstream
Network with No Default Route
Default Route and ISP Security – Guidance
Default to a Sink-Hole Router/Network