Routing and router security in an operator environment
|
|
- Suzan Millicent Reeves
- 5 years ago
- Views:
Transcription
1 DD2495 p Routing and router security in an operator environment Olof Hagsand KTH CSC 1
2 Router lab objectives A network operator (eg ISP) needs to secure itself, its customers and its neighbors from attacks. Most attacks are originated in end-hosts. Most notably windows PCs. The attacks are usually against single hosts or servers. These attacks often use bandwidth and are normally not a problem for the operators themselves, since most operators have wire-speed routers. It is difficult to generate that large amount of bandwidth. But an operator may want to protect its customers Attacks can also be set against the infra-structure itself. Such as towards the control-plane of the router. Effects of such attacks may be disastrous Operators also do not want to originate attacks Attacks may be based in its own customers 2
3 Attack traffic Arbor Networks, (2009) 3
4 Routing failures by mistake AS7007 incident (1997) One router in AS7007 defragmented all Internet routes into /24 and announced all routes with itself as origin AS9121 incident (2004) > /24 routes announced upstreams Youtube incident (2008) Instead of blocking, announce all youtube prefixes to the Internet (next slide) 4
5 5
6 TCP attacks Since BGP uses TCP for peering, BGP is sensitive to TCP attacks. RST injection causes peering to terminate SYN floods may cause denial-of service due to overload TCP sequence prediction attack Guessing next sequence can be used to inject false data Protect peering physically, TTLs, Authentication: MD5, IPSEC. 6
7 Indirect attacks Since the BGP peering runs on the same link as the data, an overloaded link may bring the BGP pering down. Examples where this has happened: SQL Slammer Nimda Large-scale DOS attacks One can also send large number of packets to the control-plane (see next slide) Packets directed at the route processor eg terminating traffic (destined to router) Packets of novel functionality handled by RP only (eg IPv6) You need to filter traffic to the RP rate-limit and identify which traffic the router requires e.g.: ssh/bgp/is-is Set firewall-filters for terminating traffic In juniper this is done by filtering to interface 'lo' 7
8 Fast path, slow path Control Processor CPU Memory Routing Table Slow path Line Card Line Card Fast path Line Card Line Card Fast path If line cards can determine outgoing port Slow path Control processor must determine outgoing port 8
9 Route filtering Route filtering: examine all imported/exported routes and place policies on which routes are imported and announced. Typically at the edges of a network: towards customers or peers. Never run your internal routing protocol on interfaces where there may be external nodes So that the IGP may not be compromised by false routes Egress filtering dont give transit by mistake Ingress filtering Check validity of received routes Check with registries (eg RIPE) (But these are not always updated) Combine with traffic/packet filters (ACLs) Only accept packets with source addresses matching the announced prefixes 9
10 Securing routing information within BGP But suppose a BGP router has been taken over by an attacker How do you protect against falsified BGP information? BGP relies on mutual and 'transitive' trust Attack forms: Blackholing (malicious) Announce prefix to attack traffic and then drop it Redirection Traffic to a destination is redirected to another (incorrect) destination Subversion Force the traffic to pass through a specifc link to eavesdrop or modify data, but reaches the original destination Instability Successive adverisement, withdrawals => trigger route flap damping Practical BGP: pages Beware of BGP attacks 10
11 Attack method: prefix hijacking Announce false updates Claim reachability of a prefix it does not have Claim it owns (originates) a prefix it does not own Multiple Origin AS (MOAS) Prefix hijacking is limited by the connectivity and locality of the compromised router 11
12 Example: prefix hijacking A claims reachability to AS6 and ownership of prefixes of AS6, but cannot affect routers in AS4 and AS6 (and AS5 and AS3 to a certain degree) AS1 AS2 A AS3 AS4 AS5 AS6 12
13 AS graph and peering relations Tier 1: Full Internet connectivity AS1 AS2 Transit NSPs ISPs AS3 Peer AS4 AS5 Customer Stubs/ Customers AS6 AS7 AS8 AS9 13
14 Netsec lab topology Tier1 Core: X.0/24 Customers: 10.X.0.0/16 Tier 1: Full Internet connectivity AS /0/ /27 RTX1.2 1/0/0 1/0/1 NSPs ISPs 1/0/1 1/0/0 RTX2 RTX4 2/0/0 2/0/0 1/0/0 1/0/1 RTX3 1/0/1 1/0/0 AS650(X-1)1 AS650X1 AS650(X+1)1 Customers X3 14
15 Juniper routers : J
16 The CLI See intro material in the IP routing course The first lab (static) contains a CLI tutorial The reference manual contains common commands Two major modes: Operational mode: Monitor and troubleshoot, network connectivity, hardware Configure mode: Configuration of interfaces, routing protocols, authentication, logging, etc. Completion and query As you would expect, <TAB> and <?> Line editing Emacs operations: <ctrl-b>, <ctrl-f>, <ctrl-a>, <ctrl-e>, <ctrl-p>, <ctrl-n>,... On-line help: help reference help topic 16
17 Firewall configuration Applies to interfaces: in and out Identifies packets, instead of routes Filters on lo are for local traffic eth- 1/0/0 All filters have an implicit deny rule! RE lo eth- 1/0/1 Example: interfaces eth 1/0/0 { unit 0 { family inet { filter { input rule1; output rule2; firewall { filter rule1 { term allow { from { source address { /16; /8; then accept; term reject{ then { log; discard; 17
18 Firewall conditions and actions destination-address source-address address destination-port source-port protocol dscp icmp-code packet-length interface-group fragmentation-offset fragment-flags first-fragment is-fragment ip-options accept: Accept the packet and send it to its destination discard: Silent discard reject: Drop and send an ICMP error message to the source. alert: Log an alert for the packet. count: Count the packets sample: Sample traffic log/syslog: packet header is logged. output-queue: Assign the packet to an output-queue loss-priority: Set packet loss priority (PLP) policer: apply a policer (next slide) tcp-flags tcp-established tcp-initial 18
19 Policers If a policer is associated to an interface, it rate-limits the traffic to adhere to a token bucket specifying average bandwidth and maximum burst size. When the threshold is exceeded, the traffic is either discarded, its loss-priority is set, or it is placed in a specific output queue. Typic use: Apply to lo0 to protect RE Example: firewall { policer p500k { if-exceeding{ bandwidth-limit 500k; burst-size-limit 50k; then{ discard; Actions: discard, forwarding-class loss-priority 19
20 Support ticket 1 One of your customers, Media Solutions LDT, is using your network for a local office. Their access router is RTX3. They have recently been experiencing network slowdowns and problems connecting over SSH. From time to time their downlink has been full. They suspect they might be under a DDoS attack and asks you to try to mitigate the attack. 20
21 SP1: Comments A customer is overwhelmed with traffic. You need to filter traffic using firewall rules Which traffic do you drop? You have to observe traffic and from trace create drop filters. Assistants can provide dumps for you Where does attack traffic come from? Hint: identify illegal traffic Where do you apply the filters? Think about what parts of the network you want to protect 21
22 Support ticket 2 You have recently been contacted by the transit provider you are connected to (e.g the operator that provides the link to RTX1). There have been complaints about a large amount of packets with invalid source addresses originating in your network. You are asked to solve this problem. 22
23 SP2: Comments The Transit provider receives traffic with illegal source addresses Extend (or add new) firewall rules For traffic transmitted from your network, which source addresses are legal / illegal? Where do illegal source addresses come from? Where do you apply filters? 23
24 Support ticket 3 There have recently been several attacks on our routers. These have been both in the form of distributed DoS attacks and aimed attacks at various protocols on the routers, such as TCP reset attacks. To prevent new attacks we need to protect the routers. You have been given the task of designing and implementing a filter for the router engines (located on the loopback interface of a Juniper Router). 24
25 SP3: Comments Routers are under attack To protect the router engine (main CPU) Add input firewall filters on loopback Identify which traffic (eg protocols) you know the routers need: routing, ssh,... Identify which sub-networks you want to access the routers from for control and management Create firewall rules on lo that drops everything else. Also: rate-limit access traffic (but not routing) 25
Security in inter-domain routing
DD2491 p2 2011 Security in inter-domain routing Olof Hagsand KTH CSC 1 Literature Practical BGP pages Chapter 9 See reading instructions Beware of BGP Attacks (Nordström, Dovrolis) Examples of attacks
More informationAn Operational Perspective on BGP Security. Geoff Huston February 2005
An Operational Perspective on BGP Security Geoff Huston February 2005 Disclaimer This is not a description of the approach taken by any particular service provider in securing their network. It is intended
More informationRouter Lab Reference
KTHNOC Router Lab Reference Juniper version Table of Contents 1 Introduction...3 2 Reference: Workstation...3 2.1 Configuring network access...3 2.2 Connecting to your router...4 3 Reference: Basic commands...4
More informationMPLS/RSVP/BGP lab KTH CSC. Juniper version. Group Nr. Name1. Name2. Name3. Name4. Name5. Grade. Instructor s Signature
KTH CSC MPLS/RSVP/BGP lab Juniper version Group Nr Name1 Name2 Name3 Name4 Name5 Grade Instructor s Signature Table of Contents 1Goals...3 2 Preparations...3 3 Initial configuration...5 4 RSVP-signalled
More informationLARGE SCALE IP ROUTING
Building ISP Networks Xantaro Page 1 / 18 TABLE OF CONTENTS 1. LAB ACCESS 4 1.1 Accessing the Jumphost... 4 1.2 Access to your routers... 4 1.3 Local Network Topology... 5 1.4 Global Network Topology...
More informationR&E ROUTING SECURITY BEST PRACTICES. Grover Browning Karl Newell
R&E ROUTING SECURITY BEST PRACTICES Grover Browning Karl Newell RFC 7454 BGP Operations & Security Feb, 2015 https://tools.ietf.org/html/rfc7454 [ 2 ] Agenda Background / Community Development Overview
More informationExamination. ANSWERS IP routning på Internet och andra sammansatta nät, DD2491 IP routing in the Internet and other complex networks, DD2491
Examination ANSWERS IP routning på Internet och andra sammansatta nät, DD2491 IP routing in the Internet and other complex networks, DD2491 Date: October 21st 2008 10:00 13:00 a) No help material is allowed
More informationOur Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II
Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2016 www.cs.cmu.edu/~prs/15-441-f16 Yes: Creating a secure channel for communication (Part I) Protecting
More informationIntroduction to routing
DD2490 p4 2010 Introduction to routing Olof Hagsand KTH/CSC Network example: KTH Intranet Levels of abstraction The Internet is huge Necessary to divide the routing problem into sub-problems. There are
More informationConfiguring Firewall Filters (J-Web Procedure)
Configuring Firewall Filters (J-Web Procedure) You configure firewall filters on EX Series switches to control traffic that enters ports on the switch or enters and exits VLANs on the network and Layer
More informationExample: Conditionally Generating Static Routes
1 of 5 9/30/2012 5:46 PM Example: Conditionally Generating Static Routes Understanding Conditionally Generated Routes Example: Configuring a Conditional Default Route Policy Understanding Conditionally
More informationLecture 4: Intradomain Routing. CS 598: Advanced Internetworking Matthew Caesar February 1, 2011
Lecture 4: Intradomain Routing CS 598: Advanced Internetworking Matthew Caesar February 1, 011 1 Robert. How can routers find paths? Robert s local DNS server 10.1.8.7 A 10.1.0.0/16 10.1.0.1 Routing Table
More informationRouting Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security
Routing Security DDoS and Route Hijacks Merike Kaeo CEO, Double Shot Security merike@doubleshotsecurity.com DISCUSSION POINTS Understanding The Growing Complexity DDoS Attack Trends Packet Filters and
More informationLecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015
Lecture 6 Internet Security: How the Internet works and some basic vulnerabilities Thursday 19/11/2015 Agenda Internet Infrastructure: Review Basic Security Problems Security Issues in Routing Internet
More informationGARR customer triggered blackholing
GARR customer triggered blackholing Silvia d Ambrosio, Nino Ciurleo Introduction From discussions with the GARR working group on "contrast to DDoS", we understood the importance of a collaboration between
More informationExamination. IP routning på Internet och andra sammansatta nät, DD2491 IP routing in the Internet and other complex networks, DD2491
Examination IP routning på Internet och andra sammansatta nät, DD2491 IP routing in the Internet and other complex networks, DD2491 Date: October 21st 2008 10:00 13:00 a) No help material is allowed You
More informationA Survey of BGP Security: Issues and Solutions
A Survey of BGP Security: Issues and Solutions Butler, Farley, McDaniel, Rexford Kyle Super CIS 800/003 October 3, 2011 Outline Introduction/Motivation Sources of BGP Insecurity BGP Security Today BGP
More informationConfiguring attack detection and prevention 1
Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack
More informationInterdomain routing CSCI 466: Networks Keith Vertanen Fall 2011
Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011 Overview Business relationships between ASes Interdomain routing using BGP Advertisements Routing policy Integration with intradomain routing
More informationA Survey of BGP Security Review
A Survey of BGP Security Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka November 16, 2011 1 Introduction to the topic and the reason for the topic being interesting Border
More informationNetwork Security. Thierry Sans
Network Security Thierry Sans HTTP SMTP DNS BGP The Protocol Stack Application TCP UDP Transport IPv4 IPv6 ICMP Network ARP Link Ethernet WiFi The attacker is capable of confidentiality integrity availability
More informationHP High-End Firewalls
HP High-End Firewalls Attack Protection Configuration Guide Part number: 5998-2650 Software version: F1000-A-EI&F1000-S-EI: R3721 F5000: F3210 F1000-E: F3171 Firewall module: F3171 Document version: 6PW101-20120719
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 18: Network Attacks Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Network attacks denial-of-service (DoS) attacks SYN
More informationConfiguring Control Plane Policing
21 CHAPTER This chapter describes how to configure control plane policing (CoPP) on the NX-OS device. This chapter includes the following sections: Information About CoPP, page 21-1 Guidelines and Limitations,
More informationLecture outline. Internet Routing Security Issues. Previous lecture: Effect of MinRouteAdver Timer. Recap of previous lecture
Lecture outline Internet Routing Security Issues Z. Morley Mao Lecture 3 Jan 14, 2003 Recap of last lecture, any questions? Existing routing security mechanisms - SBGP General threats to routing protocols
More informationAccess Control List Enhancements on the Cisco Series Router
Access Control List Enhancements on the Cisco 12000 Series Router Part Number, May 30, 2008 The Cisco 12000 series router filters IP packets using access control lists (ACLs) as a fundamental security
More informationNetwork Configuration Example
Network Configuration Example Configuring Active Flow Monitoring Version 9 Modified: 2017-01-18 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All
More informationBGP Security. Kevin s Attic for Security Research
Kevin s Attic for Security Research kevinkoo001@gmail.com Table 1. BGP Operation (1): Concept & Topology 2. BGP Operation (2): Message Exchange, Format and Path Decision Algorithm 3. Potential Attacks
More informationFlashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities
Flashback.. Internet design goals Security Part One: Attacks and Countermeasures 15-441 With slides from: Debabrata Dash,Nick Feamster, Vyas Sekar 15-411: F08 security 1 1. Interconnection 2. Failure resilience
More informationOur Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities
Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2014 www.cs.cmu.edu/~prs/15-441-f14 Yes: Creating a secure channel for communication (Part I) Protecting
More informationDDoS Mitigation & Case Study Ministry of Finance
DDoS Mitigation Service @Belnet & Case Study Ministry of Finance Julien Dandoy, FODFin Technical Architect Grégory Degueldre, Belnet Network Architect Agenda DDoS : Definition and types DDoS Mitigation
More informationTDC 375 Network Protocols TDC 563 P&T for Data Networks
TDC 375 Network Protocols TDC 563 P&T for Data Networks Routing Threats TDC 375/563 Spring 2013/14 John Kristoff DePaul University 1 One of two critical systems Routing (BGP) and naming (DNS) are by far
More informationConfiguring attack detection and prevention 1
Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack
More informationConfiguring Advanced BGP
CHAPTER 6 This chapter describes how to configure advanced features of the Border Gateway Protocol (BGP) on the Cisco NX-OS switch. This chapter includes the following sections: Information About Advanced
More informationASA Access Control. Section 3
[ 39 ] CCNP Security Firewall 642-617 Quick Reference Section 3 ASA Access Control Now that you have connectivity to the ASA and have configured basic networking settings on the ASA, you can start to look
More informationConfiguring Flood Protection
Configuring Flood Protection NOTE: Control Plane flood protection is located on the Firewall Settings > Advanced Settings page. TIP: You must click Accept to activate any settings you select. The Firewall
More informationImplementing Access Lists and Prefix Lists
An access control list (ACL) consists of one or more access control entries (ACE) that collectively define the network traffic profile. This profile can then be referenced by Cisco IOS XR softwarefeatures
More informationJunos Security. Chapter 4: Security Policies Juniper Networks, Inc. All rights reserved. Worldwide Education Services
Junos Security Chapter 4: Security Policies 2012 Juniper Networks, Inc. All rights reserved. www.juniper.net Worldwide Education Services Chapter Objectives After successfully completing this chapter,
More informationConfiguring QoS CHAPTER
CHAPTER 34 This chapter describes how to use different methods to configure quality of service (QoS) on the Catalyst 3750 Metro switch. With QoS, you can provide preferential treatment to certain types
More informationSecurity+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks
Security+ Guide to Network Security Fundamentals, Fourth Edition Network Attacks Denial of service Attacks Introduction: What is DoS? DoS attack is an attempt (malicious or selfish) by an attacker to cause
More informationChapter 7. Denial of Service Attacks
Chapter 7 Denial of Service Attacks DoS attack: An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU),
More informationDDoS Testing with XM-2G. Step by Step Guide
DDoS Testing with XM-G Step by Step Guide DDoS DEFINED Distributed Denial of Service (DDoS) Multiple compromised systems usually infected with a Trojan are used to target a single system causing a Denial
More informationAttack Prevention Technology White Paper
Attack Prevention Technology White Paper Keywords: Attack prevention, denial of service Abstract: This document introduces the common network attacks and the corresponding prevention measures, and describes
More informationHP High-End Firewalls
HP High-End Firewalls Attack Protection Configuration Guide Part number: 5998-2630 Software version: F1000-E/Firewall module: R3166 F5000-A5: R3206 Document version: 6PW101-20120706 Legal and notice information
More informationDistributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013
Distributed Systems 27. Firewalls and Virtual Private Networks Paul Krzyzanowski Rutgers University Fall 2013 November 25, 2013 2013 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive
More informationCISCO NETWORK FOUNDATION PROTECTION: PROTECTING THE CISCO CATALYST SERIES PLATFORM
CISCO NETWORK FOUNDATION PROTECTION: PROTECTING THE CISCO CATALYST SERIES PLATFORM SECURITY TECHNOLOGY GROUP JANUARY 2005 1 Agenda Introduction Configuring Control Plane Protection Deployment Guide Summary
More informationOperation Manual IPv4 Routing H3C S3610&S5510 Series Ethernet Switches. Table of Contents
Table of Contents Table of Contents Chapter 1 Static Routing Configuration... 1-1 1.1 Introduction... 1-1 1.1.1 Static Route... 1-1 1.1.2 Default Route... 1-1 1.1.3 Application Environment of Static Routing...
More informationChapter 8 roadmap. Network Security
Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 8.4 Securing e-mail 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7 Securing
More informationIPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management IPv6 zone-based firewalls support the Protection of Distributed Denial of Service Attacks and the Firewall
More informationSecurity Issues of BGP in Complex Peering and Transit Networks
Technical Report IDE-0904 Security Issues of BGP in Complex Peering and Transit Networks Presented By: Supervised By: Muhammad Adnan Khalid Qamar Nazir Olga Torstensson Master of Computer network engineering
More informationThe information in this document is based on Cisco IOS Software Release 15.4 version.
Contents Introduction Prerequisites Requirements Components Used Background Information Configure Network Diagram Relevant Configuration Verify Test case 1 Test case 2 Test case 3 Troubleshoot Introduction
More informationTable of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1
Table of Contents 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1 i 1 Intrusion Detection Statistics Overview Intrusion detection is an important network
More informationCSC 574 Computer and Network Security. TCP/IP Security
CSC 574 Computer and Network Security TCP/IP Security Alexandros Kapravelos kapravelos@ncsu.edu (Derived from slides by Will Enck and Micah Sherr) Network Stack, yet again Application Transport Network
More informationJunos Enterprise Switching
Junos Enterprise Switching Chapter 6: Device Security and Firewall Filters 2011 Juniper Networks, Inc. All rights reserved. www.juniper.net Worldwide Education Services Chapter Objectives After successfully
More informationinternet technologies and standards
Institute of Telecommunications Warsaw University of Technology internet technologies and standards Piotr Gajowniczek BGP (Border Gateway Protocol) structure of the Internet Tier 1 ISP Tier 1 ISP Google
More informationBGP FlowSpec Route-reflector Support
The BGP (Border Gateway Protocol) Flowspec (Flow Specification) Route Reflector feature enables service providers to control traffic flows in their network. This helps in filtering traffic and helps in
More informationConfiguring QoS. Finding Feature Information. Prerequisites for QoS
Finding Feature Information, page 1 Prerequisites for QoS, page 1 Restrictions for QoS, page 3 Information About QoS, page 4 How to Configure QoS, page 28 Monitoring Standard QoS, page 80 Configuration
More informationVendor: Alcatel-Lucent. Exam Code: 4A Exam Name: Alcatel-Lucent Border Gateway Protocol. Version: Demo
Vendor: Alcatel-Lucent Exam Code: 4A0-102 Exam Name: Alcatel-Lucent Border Gateway Protocol Version: Demo QUESTION 1 Upon the successful establishment of a TCP session between peers, what type of BGP message
More informationBGP Origin Validation
BGP Origin Validation ISP Workshops These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/) Last updated
More informationIntroduction. Keith Barker, CCIE #6783. YouTube - Keith6783.
Understanding, Implementing and troubleshooting BGP 01 Introduction http:// Instructor Introduction Keith Barker, CCIE #6783 CCIE Routing and Switching 2001 CCIE Security 2003 kbarker@ine.com YouTube -
More informationLayer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers
Layer 4: UDP, TCP, and others based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers Concepts application set transport set High-level, "Application Set" protocols deal only with how handled
More informationLab 4. Firewall Filters and Class of Service. Overview. Introduction to JUNOS Software & Routing Essentials
Lab 4 Firewall Filters and Class of Service Overview This lab demonstrates configuration and monitoring of Firewall Filters and Class of Service on JUNOS devices. In this lab, you use the Command Line
More informationCisco CCIE Security Written.
Cisco 400-251 CCIE Security Written http://killexams.com/pass4sure/exam-detail/400-251 QUESTION: 193 Which two of the following ICMP types and code should be allowed in a firewall to enable traceroute?
More informationInternetwork Expert s CCNA Security Bootcamp. Common Security Threats
Internetwork Expert s CCNA Security Bootcamp Common Security Threats http:// Today s s Network Security Challenge The goal of the network is to provide high availability and easy access to data to meet
More informationInternet Infrastructure
Internet Infrastructure Internet Infrastructure Local and inter-domain routing TCP/IP for routing and messaging BGP for routing announcements Domain Name System Find IP address from symbolic name (www.cc.gatech.edu)
More informationPreventing Traffic with Spoofed Source IP Addresses in MikroTik
Preventing Traffic with Spoofed Source IP Addresses in MikroTik Presented by Md. Abdullah Al Naser Sr. Systems Specialist MetroNet Bangladesh Ltd Founder, mn-lab info@mn-lab.net The routing system of the
More informationEnterprise QoS. Tim Chung Network Architect Google Corporate Network Operations March 3rd, 2010
Enterprise QoS Tim Chung Network Architect Google Corporate Network Operations March 3rd, 2010 Agenda Challenges Solutions Operations Best Practices Note: This talk pertains to Google enterprise network
More informationConfiguring QoS. Understanding QoS CHAPTER
29 CHAPTER This chapter describes how to configure quality of service (QoS) by using automatic QoS (auto-qos) commands or by using standard QoS commands on the Catalyst 3750 switch. With QoS, you can provide
More informationCSc 466/566. Computer Security. 18 : Network Security Introduction
1/81 CSc 466/566 Computer Security 18 : Network Security Introduction Version: 2012/05/03 13:57:28 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian Collberg
More informationModular Policy Framework. Class Maps SECTION 4. Advanced Configuration
[ 59 ] Section 4: We have now covered the basic configuration and delved into AAA services on the ASA. In this section, we cover some of the more advanced features of the ASA that break it away from a
More informationConfiguring QoS CHAPTER
CHAPTER 37 This chapter describes how to configure quality of service (QoS) by using automatic QoS (auto-qos) commands or by using standard QoS commands on the Catalyst 3750-E or 3560-E switch. With QoS,
More informationIBGP scaling: Route reflectors and confederations
DD2491 p2 2009/2010 IBGP scaling: Route reflectors and confederations Olof Hagsand KTH /CSC 1 Literature Route Reflectors Practical BGP pages 135 153 RFC 4456 Confederations Practical BGP pages 153 160
More informationExamination IP routning inom enkla datornät, DD2490 IP routing in simple networks, DD2490 KTH/CSC. Date: 20 May :00 19:00 SOLUTIONS
Examination IP routning inom enkla datornät, DD2490 IP routing in simple networks, DD2490 KTH/CSC Date: 20 May 2009 14:00 19:00 SOLUTIONS a) No help material is allowed - You are not allowed to use books
More informationSections Describing Standard Software Features
27 CHAPTER This chapter describes how to configure quality of service (QoS) by using automatic-qos (auto-qos) commands or by using standard QoS commands. With QoS, you can give preferential treatment to
More informationConfiguring Control Plane Policing
This chapter contains the following sections: Information About CoPP Information About CoPP, on page 1 Control Plane Protection, on page 2 CoPP Policy Templates, on page 4 CoPP Class Maps, on page 8 Packets
More informationHP Load Balancing Module
HP Load Balancing Module Security Configuration Guide Part number: 5998-2686 Document version: 6PW101-20120217 Legal and notice information Copyright 2012 Hewlett-Packard Development Company, L.P. No part
More informationActual4Test. Actual4test - actual test exam dumps-pass for IT exams
Actual4Test http://www.actual4test.com Actual4test - actual test exam dumps-pass for IT exams Exam : JN0-102 Title : Juniper Networks Certified Internet Associate, Junos (JNCIA-Junos) Vendor : Juniper
More informationDistributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015
Distributed Systems 29. Firewalls Paul Krzyzanowski Rutgers University Fall 2015 2013-2015 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive data & systems not accessible Integrity:
More informationCCNA Course Access Control Lists
CCNA Course Access Control Lists Access Control Lists (ACL) Traffic Filtering Permit or deny packets moving through router Permit or deny (VTY) access to or from a router Traffic Identifying for special
More informationSections Describing Standard Software Features
30 CHAPTER This chapter describes how to configure quality of service (QoS) by using automatic-qos (auto-qos) commands or by using standard QoS commands. With QoS, you can give preferential treatment to
More informationQ&As. CCIE Routing and Switching Written. Pass Cisco Exam with 100% Guarantee
350-001 Q&As CCIE Routing and Switching Written Pass Cisco 350-001 Exam with 100% Guarantee Free Download Real Questions & Answers PDF and VCE file from: 100% Passing Guarantee 100% Money Back Assurance
More informationRPKI in practice. Sebastian Wiesinger DE-CIX Technical Meeting June 2017
RPKI in practice Sebastian Wiesinger sebastian.wiesinger@noris.net DE-CIX Technical Meeting June 2017 Generate ROAs Generate ROAs for your prefixes RIPE NCC makes this very easy Available at the LIR portal
More informationHow to Create an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports or TTL Values,
Creating an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports or TTL Values This module describes how to use an IP access list to filter IP packets that contain certain IP Options, TCP
More informationPrerequisites for Creating an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports
Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports This module describes how to use an IP access list to filter IP packets that contain certain IP Options, TCP flags, noncontiguous
More informationKTH/CSC, PIM-SM lab, rev: 1.13 KTH/CSC. PIM-SM lab. Juniper version. Group Nr. Name1. Name2. Name3. Name4. Name5. Grade. Instructor s Signature
KTH/CSC PIM-SM lab Juniper version Group Nr Name1 Name2 Name3 Name4 Name5 Grade Instructor s Signature KTH/CSC, PIM-SM lab, rev: 1.12 Table of Contents 1 Goals...3 2 Preparations...3 3 Install the multicast
More informationMultihoming with BGP and NAT
Eliminating ISP as a single point of failure www.noction.com Table of Contents Introduction 1. R-NAT Configuration 1.1 NAT Configuration 5. ISPs Routers Configuration 3 15 7 7 5.1 ISP-A Configuration 5.2
More informationPASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year
PASS4TEST \ http://www.pass4test.com We offer free update service for one year Exam : JN0-643 Title : Enterprise Routing and Switching, Professional (JNCIP- ENT) Vendor : Juniper Version : DEMO Get Latest
More informationTopics for This Week
Topics for This Week Routing Protocols in the Internet OSPF, BGP More on IP Fragmentation and Reassembly ICMP Readings Sections 5.6.4-5.6.5 1 Hierarchical Routing aggregate routers into regions, autonomous
More informationNetwork Security - ISA 656 Routing Security
Network Security - ISA 656 Angelos Stavrou December 4, 2007 What is? What is Routing Security? History of Routing Security Why So Little Work? How is it Different? The Enemy s Goal? Bad guys play games
More informationSecuring BGP Networks using Consistent Check Algorithm
Securing BGP Networks using Consistent Check Algorithm C. K. Man, K.Y. Wong, and K. H. Yeung Abstract The Border Gateway Protocol (BGP) is the critical routing protocol in the Internet infrastructure.
More informationImplementing LPTS. Prerequisites for Implementing LPTS. Information About Implementing LPTS
Local Packet Transport Services (LPTS) maintains tables describing all packet flows destined for the secure domain router (SDR), making sure that packets are delivered to their intended destinations. For
More informationnetwork security cs642 computer security adam everspaugh
network security cs642 computer security adam everspaugh ace@cs.wisc.edu today Reminder: HW3 due in one week: April 18, 2016 CIDR addressing Border Gateway Protocol Network reconnaissance via nmap Idle
More informationControl Plane Policing
The feature allows you to configure a quality of service (QoS) filter that manages the traffic flow of control plane packets to protect the control plane of Cisco IOS XE routers and switches against reconnaissance
More informationEverything you need to know about IPv6 security I can manage in 30min. IPv6 Day Copenhagen November 2017
Welcome to Everything you need to know about IPv6 security I can manage in 30min IPv6 Day Copenhagen November 2017 Henrik Lund Kramshøj hlk@zencurity.dk Slides are available as PDF, kramshoej@github c
More informationInterdomain Routing Reading: Sections K&R EE122: Intro to Communication Networks Fall 2007 (WF 4:00-5:30 in Cory 277)
Interdomain Routing Reading: Sections K&R 4.6.3 EE122: Intro to Communication Networks Fall 2007 (WF 4:00-5:30 in Cory 277) Guest Lecture by Brighten Godfrey Instructor: Vern Paxson TAs: Lisa Fowler, Daniel
More informationExcessive ARP Punt Protection was supported.
Local Packet Transport Services (LPTS) maintains tables describing all packet flows destined for the secure domain router (SDR), making sure that packets are delivered to their intended destinations. For
More informationAuthors: Mark Handley, Vern Paxson, Christian Kreibich
Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics Authors: Mark Handley, Vern Paxson, Christian Kreibich Exploitable Ambiguities NIDS does not have full range
More informationCisco.Actualtests v by.DD.70q
Cisco.Actualtests.642-775.v2012-09-17.by.DD.70q Number: Cisco 642-775 Passing Score: 800 Time Limit: 120 min File Version: Version: 4.1 http://www.gratisexam.com/ Maintaining Cisco Service Provider Routing
More informationIPv6 Security Safe, Secure, and Supported.
IPv6 Security Safe, Secure, and Supported. Andy Davidson Hurricane Electric and LONAP adavidson@he.net Twitter: @andyd MENOG 9 Muscat, Oman, Tuesday 4 th October 2011 Don t Panic! IPv6 is not inherently
More informationJuniper JN Enterprise Routing and Switching Support Professional (JNCSP-ENT)
Juniper JN0-694 Enterprise Routing and Switching Support Professional (JNCSP-ENT) http://killexams.com/exam-detail/jn0-694 D. An OSPF adjacency is flapping. Answer: C, D QUESTION: 44 You use static routes
More information