Implications of Securing - PowerPoint PPT Presentation

Description:

Implications of Securing Router Infrastructure. NANOG 31, May 24, 2004. Ryan McDowell, ryanm_at_sprint.net. Control Plane Packet Filters: Receive Access-List (rACL) on Cisco ...

Slides: 16
Provided by: Spri89

Transcript and Presenter's Notes



1
  • Implications of Securing
  • Router Infrastructure
  • NANOG 31
  • May 24, 2004
  • Ryan McDowell
  • ryanm_at_sprint.net

2
Control Plane Packet Filters
  • Receive Access-List (rACL) on Cisco
  • Input filter on Lo0 on Juniper
  • Deployed in 2002
  • Deny IP fragments
  • Permit SSH, SNMP, DNS, TACACS, NTP, etc.
      • secured by src/dst pairs
  • Permit BGP, IGMP, PIM
  • Permit subset of ICMP
  • Permit UDP gt 1024
      • do not break traceroute to the router
  • Deny everything else
      • and count it

5
Control Plane Packet Filters
  • How we deployed Cisco rACLs
      • 1. Build the access-list
      • 2. Replace all deny statements with permit
      • 3. Deploy on several routers
      • 4. If you get matches where you shouldn't,
        change to permit/log and see what it is
      • 5. Repeat until no more unexpected matches
  • Constantly improve
      • Add src/dst pairs, reduce src/dst ranges, etc.
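
The audit-first rollout in steps 1 to 5 above, modelled as an added Python example (not code from the presentation, Sprint or Cisco): a first-match filter with per-entry counters, run over constructed packets with the deny entries in count-only mode. The rule names, addresses and the `run`/`deny_hits` helpers are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    action: str                 # "permit" or "deny", as designed in step 1
    proto: str = "any"
    src: str = "0.0.0.0/0"
    ports: tuple = (0, 65535)   # inclusive destination-port range
    frag: bool = False          # True: match only IP fragments
    hits: int = 0
    def matches(self, p):
        return ((not self.frag or p.get("frag", False))
                and self.proto in ("any", p["proto"])
                and ip_address(p["src"]) in ip_network(self.src)
                and self.ports[0] <= p.get("dport", 0) <= self.ports[1])

def build_policy():
    return [  # slide 2 in miniature; every address is a constructed sample
        Rule("deny-fragments", "deny", frag=True),
        Rule("ssh-from-noc", "permit", "tcp", "198.51.100.0/24", (22, 22)),
        Rule("icmp", "permit", "icmp"),  # the ICMP type subset is not modelled
        Rule("udp-gt-1024", "permit", "udp", ports=(1025, 65535)),
        Rule("deny-rest", "deny"),
    ]

PACKETS = [  # constructed traffic addressed to the router itself
    {"proto": "tcp", "src": "198.51.100.7", "dport": 22},
    {"proto": "udp", "src": "192.0.2.50", "dport": 33434},  # traceroute probe
    {"proto": "icmp", "src": "192.0.2.50", "frag": True},   # oversized ping
    {"proto": "udp", "src": "198.51.100.9", "dport": 161},  # unlisted SNMP poller
]

def run(rules, packets, audit):  # first match wins; audit=True is step 2
    dropped = []
    for p in packets:
        rule = next(r for r in rules if r.matches(p))
        rule.hits += 1
        if rule.action == "deny" and not audit:
            dropped.append(p)
    return dropped

def deny_hits(rules):  # step 4: deny entries that took hits, to be reviewed
    return {r.name: r.hits for r in rules if r.action == "deny" and r.hits}

if __name__ == "__main__":
    acl = build_policy()
    print(run(acl, PACKETS, audit=True), deny_hits(acl))
```

In this sample the hit on `deny-rest` is an SNMP poller missing from the permit list; adding its src/dst pair and rerunning leaves only the fragment counter, which is the intended deny.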

6
Control Plane Packet Filters
  • Good IP addressing strategy needed
  • Made routers harder to kill
      • Really helps with the magic packet attacks
  • Few operational implications
      • "Sprint's routers are broken because I cannot
        ping your router with a 1501/4471 byte
        (fragmented) packet."
  • Change control can be difficult
  • Routers still vulnerable to attacks against
    TCP/179, ICMP, IP options, UDP, etc.

7
Limit Reachability To Control Plane IP Addresses
  • Most attacks target IPs on routers obtained from
    a traceroute
  • Let's remove the ability to reach
    SprintLink-Customer /30 networks from the big
    dangerous Internet

8
[Diagram: link 192.0.2.4/30 with endpoints .5 and .6; label "Route 192.0.2.0/24 to Null0"]

9
[Diagram: link 192.0.2.4/30 with endpoints .5 and .6]

10
Limit Reachability To Control Plane IP Addresses
  • Does not add 100% security
      • But makes it a little harder for the attacker
  • 25 of customers required the use of their
    point-to-point address
  • Took over a year to implement
  • Implications
      • Traceroute through the router not impacted
      • Any packets to the routers breaks
          • PING
              • Folks LOVE to PING our routers
          • Traceroute

11
Limit Reachability To Control Plane IP Addresses
  • Do the same thing in the core
  • advertise-passive-only in Cisco
  • IS-IS export policy in Juniper

12
[Diagram: links 192.0.2.4/31 (endpoints .4 and .5) and 192.0.2.6/31 (endpoints .6 and .7); label "Route 192.0.2.0/24 to Null0"]

13
Limit Reachability To Control Plane IP Addresses
  • RFC1918 loop backs for management (SNMP, SSH,
    iBGP, etc.)
  • Rate limiting rACL
  • CoPP (Control Plane Policing) on Cisco
  • Apply BTSH/GTSH to rACL
  • Ignore IP-Options
  • Forward packets as if there are no options set
  • Similar to no ip source-route on Cisco

14
What does all this mean?
  • Don't plan on sending any packets destined to the
    router.
  • But this is already happening with the
    MPLS-ization of networks.
  • More secure infrastructure
  • Not perfect, but better than where most of us are
    now
  • Can be done without ingress filtering which is
    hard

15
  • References
  • http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s22/ft_ipacl.pdf
  • http://www.juniper.net/solutions/literature/app_note/350013.pdf