Staff AAA - PowerPoint PPT Presentation

About This Presentation
Title:

Staff AAA

Description:

Staff AAA Radius is not an ISP AAA Option RADIUS TACACS+ Kerberos What to Configure? Simple Staff Authentication and Failsafe Simple Staff Authentication and Failsafe ... – PowerPoint PPT presentation

Slides: 140
Provided by: wang151
Tags: aaa | cisco | route | staff


Transcript and Presenter's Notes

Title: Staff AAA


1
Staff AAA
2
Radius is not an ISP AAA Option
3
RADIUS TACACS+ Kerberos
4
What to Configure?
5
Simple Staff Authentication and Failsafe
6
Simple Staff Authentication and Failsafe
7
Simple Staff Authentication and Failsafe
8
Staff Authentication
9
Staff Accountability Audit
10
Checkpoint with Authentication and Accounting
11
Limit Authority Authorize Commands
12
Set Privileges
13
Checkpoint with default Authorization
14
Note on Privilege Levels and Authorization
15
One Time Password Checking the ID
16
What is One Time Password
17
DoS the AAA Infrastructure
18
How to protect the AAA Servers?
19
Source Routing
20
ICMP Unreachable Overload
21
ICMP Unreachable Overload
22
ICMP Unreachable Overload
23
ICMP Unreachable Rate-Limiting
24
Tip scheduler allocate
25
Introducing a New Router to the Network
26
Introducing a New Router to the Network
27
Secure Template Sources
28
Input Hold Queue
29
Input Hold Queue
30
Input Hold Queue
31
What Ports Are open on the Router?
32
What Ports Are open on the Router?
33
What Ports Are open on the Router?
34
Receive ACL - Overview
35
Receive Adjacencies
36
Receive ACL Command
37
Receive ACL
38
Receive Path ACL
39
Packet Flow
40
Receive ACL Traffic Flow
41
rACL Processing
42
rACL Required Entries
43
rACL Required Entries
44
rACL Building Your ACL
45
Filtering Fragments
46
rACL Iterative Deployment
47
Classification ACL Example
48
rACL Iterative Deployment
49
rACL Iterative Deployment
50
rACL Iterative Deployment
51
rACL Sample Entries
52
rACL Sample Entries
53
rACL Sample Entries
54
Use Detailed Logging
55
Core Dumps
56
Core Dumps
57
Routing Protocol Security
  • Why to Prefix Filter and Overview? (Threats)
  • How to Prefix Filter?
  • Where to Prefix Filter?
  • Prefix Filter on Customers
  • Egress Filter to Peers
  • Ingress Filter from Peers
  • Protocol Authentication (MD5)
  • BGP BCPs that help add Resistance

58
Routing Protocol Security
59
Malicious Route Injection Perceive Threat
60
Malicious Route Injection Reality an Example
61
Garbage in Garbage Out What is it?
62
Garbage in Garbage Out Results
63
Garbage in Garbage Out Impact
64
Garbage in Garbage Out What to do?
65
Malicious Route Injection Attack Methods
66
Malicious Route Injection Impact
67
What is a prefix hijack?
68
Malicious Route Injection What can ISPs Do?
69
Malicious Route Injection What can ISPs Do?
70
Malicious Route Injection What can ISPs Do?
71
What can ISPs Do? Containment Egress Prefix Filters
72
What can ISPs Do? Containment Egress Prefix Filters
73
What can ISPs Do? Containment Egress Prefix Filters
74
Malicious Route Injection What can ISPs Do?
75
How to Prefix Filter? Ingress and Egress Route Filtering
76
Ingress and Egress Route Filtering
77
Ingress and Egress Route Filtering
78
Ingress and Egress Route Filtering
79
Ingress and Egress Route Filtering
80
Two Filtering Techniques
81
Ideal Customer Ingress/Egress Route Filtering
82
BGP Peering Fundamental
83
Guarded Trust
84
Where to Prefix Filter?
85
Where to Prefix Filter?
86
What to Prefix Filter?
  • Documenting Special Use Addresses (DUSA) and Bogons

87
Documenting Special Use Addresses (DUSA)
88
Documenting Special Use Addresses (DUSA)
89
Documenting Special Use Addresses (DUSA)
90
Bogons
91
Ingress Prefix Filter Template
92
Ingress Prefix Filter Template
93
Prefix Filters on Customers
94
BGP with Customer Infers Multihoming
95
Receiving Customer Prefixes
96
Receiving Customer Prefixes
97
Excuses Why providers are not prefix filtering customers.
98
What if you do not filter your customer?
99
What if you do not filter your customer?
100
Prefixes to Peers
101
Prefixes to Peers
102
Egress Filter to ISP Peers - Issues
103
Policy Questions
104
Ingress Prefix Filtering from Peers
105
Ingress Routes from Peers or Upstream
106
Receiving Prefixes from Upstream Peers (ideal case)
107
Receiving Prefixes Cisco IOS
108
Net Police Route Filtering
109
Net Police Route Filtering
110
Net Police Filter Technique 1
111
Technique 1 Net Police Prefix List
112
Net Police Prefix List Deployment Issues
113
Technique 2 Net Police Prefix List Alternative
114
Technique 2 Net Police Prefix List Alternative
115
Net Police Filter Technique 3
116
Technique 3 Net Police Prefix List
117
Net Police Filter Technique 3
118
Bottom Line
119
Secure Routing Route Authentication
120
Plain-text neighbor authentication
121
MD-5 Neighbor Authentication Originating Router
122
MD-5 Neighbor Authentication Originating Router
123
Peer Authentication
124
Peer Authentication
125
OSPF Peer Authentication
126
OSPF and ISIS Authentication Example
127
BGP Peer Authentication
128
BGP Peer Authentication
129
BGP MD5s Problem
130
BGP BCPs That Help Build Security Resistance
131
BGP Maximum Prefix Tracking
132
BGP Maximum Prefix Tracking
133
BGP Maximum Prefix Tracking
134
Avoid Default Routes
135
Network with Default Route Pointing to Upstream A
136
Network with Default Route But not Pointing to Upstream
137
Network with No Default Route
138
Default Route and ISP Security - Guidance
139
Default to a Sink-Hole Router/Network