Control Plane Protection

Control Plane Protection
Preventing "accidentally on purpose". We're really talking about making sure routers do what we expect: making sure the routing decision stays under our control, not under an attacker's or a careless neighbour's.

Layer 2 Attacks
ARP injection. MAC address flooding.
http://packetpushers.net/do-we-really-need-layer-2-security/

ARP Injection
What is ARP injection? How can it be used?
http://www.cisco.com/en/us/prod/collateral/switches/ps5718/ps708/white_paper_c11_603839.html
Unless you control the switch, the only protection is to protect the communications themselves (authenticate and encrypt end to end), because anything on the segment can be redirected.

What is ARP injection?
ARP injection is where an attacker on a shared layer 2 segment sends forged (usually unsolicited) ARP replies so that one or more routers or hosts learn the attacker's MAC address for somebody else's IP address. ARP has no authentication: whoever answers last owns the cache entry.

How does it work? (diagram slides)

ARP injection: what can it be used for?
Traffic interception (the attacker sits between a host and its gateway). Disrupting traffic flows (point the gateway's IP at a dead MAC). Switch flooding.

Defenses?
Dynamic ARP Inspection (DAI): the switch checks every ARP packet arriving on an untrusted port against the DHCP snooping binding table and drops the ones that don't match. Your whole layer two domain is on DHCP, right? Otherwise you need ARP ACLs for the static hosts :(

MAC address flooding
What is it? How can it be used?
http://www.cisco.com/en/us/prod/collateral/switches/ps5718/ps708/white_paper_c11_603836.html
Defence: MAC address limits on switch ports (port security).

What is MAC address flooding?
Switches have a maximum number of MAC addresses they can store in the forwarding (CAM) table, in the tens of thousands normally. So the attacker sends frames from more source addresses than the table can hold. Once it is full the switch can no longer learn where hosts are, so it floods unknown-destination traffic out all ports: it turns into a hub, and the attacker sees everyone's traffic.

Network Flooding (diagram slides). Success.

Switches
STP. VTP. VLAN hopping. Native VLAN.
http://www.nsa.gov/ia/_files/switches/switch-guide-version1_01.pdf

STP
What is STP? Potential attacks.

What is STP?
Allows a network of switches to automatically remove loops from a layer two network by electing a root bridge and blocking redundant links, so it also decides which path traffic takes through the network.
http://www.secpoint.com/what-is-a-spanning-tree-protocol-attack.html
http://www.alliedtelesis.com/solutions/diagram-27
An attacker that sends BPDUs claiming a better (lower) bridge ID becomes the root and pulls traffic through itself, so STP can be used for intercepting traffic or disrupting traffic flow. Also sending a lot of BPDUs can cause STP to never converge. Ports that face end hosts should not accept BPDUs at all (BPDU guard).

VTP
Cisco proprietary protocol for distributing VLAN configuration. A switch that joins the domain with a higher configuration revision number overwrites everyone's VLAN database. Never allow it to the outside world. Just disable it (vtp mode transparent, or vtp mode off where supported).

VLAN hopping
Gaining access to a VLAN that was unintended. Harder than some people think.
http://packetlife.net/blog/2010/feb/22/experimenting-vlan-hopping/
Potential to exploit DTP: a port left in dynamic mode will negotiate a trunk with whatever is plugged in, and a trunk carries every VLAN. Turn negotiation off on every non-trunk port:
switchport mode access
switchport nonegotiate

Native VLAN
What is a native VLAN? When a port is a trunk, the native VLAN defines the behaviour of untagged frames: they are placed in the native VLAN, which is what double-tagging attacks rely on. Don't run management or customer traffic over VLAN 1. Force the native VLAN to use tagged frames (a global command on Catalyst switches), and also change it to an unused VLAN number:
vlan dot1q tag native
switchport trunk native vlan 999
On unused ports change the access VLAN to a dead VLAN and shut the port:
switchport access vlan 2
shutdown
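As an added example (not from the original slides), here is the access-switch side of everything above on a Catalyst running IOS: DHCP snooping with Dynamic ARP Inspection plus an ARP ACL for one static server, port security against MAC flooding, DTP off and BPDU guard on user ports, native VLAN tagged and moved, unused ports parked, VTP disabled. Interface names, VLAN numbers and the static host's address 192.0.2.10 / 0011.2233.4455 are assumptions.

```cisco
! Added example, not from the original slides. Interface names, VLANs and the
! static host 192.0.2.10 / 0011.2233.4455 are assumptions.
!
! --- DHCP snooping builds the binding table that DAI checks ARP against
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
ip arp inspection vlan 10,20
!
! --- A server that never uses DHCP: allow-list its IP/MAC pair explicitly
arp access-list STATIC-HOSTS
 permit ip host 192.0.2.10 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! --- Uplink towards the router / DHCP server: trusted for both features,
!     trunk with a tagged, non-default native VLAN and no DTP
interface GigabitEthernet1/0/48
 description Uplink
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- User ports: access only, no trunk negotiation, at most two MACs,
!     and a BPDU from a user port shuts it (rogue root bridge defence)
interface range GigabitEthernet1/0/1 - 40
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 5
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Unused ports: dead VLAN, administratively down
interface range GigabitEthernet1/0/41 - 47
 switchport mode access
 switchport access vlan 2
 shutdown
!
! --- Tag native VLAN frames on every trunk; never take VLANs from VTP
vlan dot1q tag native
vtp mode transparent
```

To confirm it is doing something: `show ip arp inspection statistics vlan 10` counts dropped ARPs per VLAN, `show port-security interface GigabitEthernet1/0/1` shows the MAC limit and violation count, and `show interfaces trunk` should list 999 as the native VLAN on the uplink. With `violation restrict` the port stays up and logs instead of err-disabling, which is the safer first deployment on ports you can't walk to.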

Layer 3 Protection
ICMP. Open protocols.

ICMP and friends
Source routing, redirects, router advertisements, unreachables, proxy-ARP, gratuitous ARP, mask-reply.

Source routing
Source routing (the loose and strict source route IP options) allows the sender of the packet to choose the hops it takes. Don't allow random packets to choose their own routing and ignore our policy: no ip source-route (global).

Redirects
A Cisco router won't act on received ICMP redirects anyway (hosts do), so no ip redirects (interface) only disables sending them. But don't send them: a redirect tells the sender which other router is on the segment, which is a leak of topology information.

Router Advertisements
Used for advertising routers to a local subnet. For IPv4 (ICMP router discovery, IRDP) it is abandoned; perhaps if you have a large layer two domain, filter it at the edges. For IPv6, router advertisements are how hosts find their default gateway, and they are enabled automatically on any interface with an IPv6 address :( On interfaces that don't serve hosts:
ipv6 nd ra suppress all

Unreachables
no ip unreachables (interface). Rate limiting is now the default (ip icmp rate-limit unreachable, one per 500 ms). Caveat: "fragmentation needed" (type 3, code 4) is an unreachable too, so disabling them on a transit interface breaks path MTU discovery for everyone behind it. Rely on the rate limit there, and disable unreachables where you deliberately discard traffic, such as Null0.
http://www.ciscopress.com/articles/article.asp?p=345618&seqnum=5
http://www.cisco.com/en/us/docs/ios/12_4t/12_4t2/hticmpun.html

proxy-arp
Please tell me no one is still using this! no ip proxy-arp (interface).

Gratuitous ARP
ip arp gratuitous none (global). Disables accepting ARP packets we didn't ask for: an unsolicited (gratuitous) ARP is exactly what ARP injection uses to overwrite a cache entry.
http://www.cisco.com/en/us/docs/ios-xml/ios/ipaddr/command/ip_arp_gratuitous_through_ip_dhcp_ping_packets.html#guid-C730F25E-343A-4C4A-9E8C-2662B09EA5C4
http://www.cisco.com/en/us/docs/ios-xml/ios/ipaddr/command/ip_arp_gratuitous_through_ip_dhcp_ping_packets.html#guid-7a4211cf-8bfa-4a12-A9F7-1F8552D3CFED

mask-reply
no ip mask-reply (interface, and the default) disables replying to ICMP address-mask requests that ask for the subnet mask.

Echo Request / Reply
Don't disable it.
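The layer 3 / ICMP settings above, applied to one Cisco IOS router, as an added example that is not part of the original slides. Interface names and addresses are assumptions; the point is which commands are global and which are per interface, and where unreachables are kept on purpose.

```cisco
! Added example, not from the original slides. Interface names and addresses
! are assumptions.
!
! --- Global: never honour source routing, never accept unsolicited ARP
no ip source-route
ip arp gratuitous none
! Unreachables are already rate limited to one per 500 ms; make it explicit
ip icmp rate-limit unreachable 500
!
! --- Transit / customer facing interface
interface GigabitEthernet0/0
 description Transit to upstream
 ip address 192.0.2.2 255.255.255.252
 no ip redirects
 no ip proxy-arp
 no ip mask-reply
 no ip directed-broadcast
 ! ip unreachables stays ON here: "fragmentation needed" is what makes
 ! path MTU discovery work for everyone behind this router
 ipv6 address 2001:db8:0:1::2/64
 ipv6 nd ra suppress all
 no ipv6 redirects
!
! --- Blackhole interface: nobody needs to be told why those packets died
interface Null0
 no ip unreachables
```

Sanity check after applying it: the router must still answer `ping`, `show ip interface GigabitEthernet0/0` should report "ICMP redirects are never sent", "Proxy ARP is disabled" and "ICMP unreachables are always sent", and `show ipv6 interface GigabitEthernet0/0` should show "ND RAs are suppressed (all)".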

OSPF
Make it passive by default (passive-interface default) and enable it only on internal links that need an adjacency; a customer or exchange facing interface must never form one. Always use authentication: MD5 (ip ospf message-digest-key), or the HMAC-SHA key chains on IOS releases that support RFC 5709.
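An OSPF process configured the way the slide describes, as an added example (not the original slides' configuration). The router ID, interface names, subnet and the key are assumptions.

```cisco
! Added example, not from the original slides. Router ID, interfaces, subnet
! and key are assumptions.
router ospf 1
 router-id 198.51.100.1
 ! No interface speaks OSPF unless it is explicitly un-passived below
 passive-interface default
 no passive-interface GigabitEthernet0/1
 ! Every neighbour in area 0 must present a valid MD5 keyed digest
 area 0 authentication message-digest
 network 198.51.100.0 0.0.0.255 area 0
!
interface GigabitEthernet0/1
 description Internal core link: adjacency allowed
 ip ospf message-digest-key 1 md5 Internal-Ospf-K3y
!
interface GigabitEthernet0/0
 description Transit: passive by default, no hellos sent or accepted here
```

Check with `show ip ospf interface GigabitEthernet0/0` (it should say the interface is passive, so no hellos leave it) and `show ip ospf neighbor` (only the core link should have a FULL neighbour). A neighbour without the key shows up in `debug ip ospf adj` as a mismatched authentication type or key, never as an adjacency.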

eBGP Security
MD5 authentication. The TTL hack (GTSM). Prefix filters for inbound routes. Prefix filters for outbound routes.
http://www.cisco.com/en/us/docs/ios/iproute_bgp/configuration/guide/irg_external_sp.html

MD5 Passwords
Without one you trust everyone who can reach TCP port 179 on the router. The TCP MD5 signature option (RFC 2385) prevents connections being made without the shared secret, and also means packets whose signature doesn't verify (spoofed or corrupted) will be dropped. But the MD5 sum needs to be verified for every segment, so a flood of bogus segments still costs CPU.

TTL Protection
Has anyone heard of this? It's pretty neat.
http://www.cisco.com/web/about/security/intelligence/protecting_bgp.html#7

TTL Protection
Most eBGP sessions are between directly connected routers, so the packets are never forwarded and the TTL is never decremented. First idea: set the TTL to one on our packets. They can't be routed past the neighbour, so our replies should never get back to a remote attacker.

TTL Protection
But that doesn't save us from accepting those initial SYN packets, and calculating the MD5 sum for each of them :(

TTL Protection
So instead send with the TTL set to 255 :) and check on receipt: if the TTL is less than 254 (255 minus the one hop we allow), drop it. A remote attacker can't make a packet arrive with TTL 255, because every router in between decrements it. This is GTSM, RFC 5082. Must be hard to configure!

TTL Protection: configuration.
router bgp <AS>
 neighbor <neighbour> ttl-security hops 1
Obviously needs to be done at both ends, and only on eBGP. ttl-security can't be combined with neighbor ebgp-multihop on the same neighbour; for a genuinely multi-hop peer set hops to the real distance instead. Check with show ip bgp neighbors <neighbour> and look for: Minimum incoming TTL 254, Outgoing TTL 255.

Prefix Filters
They really need some thinking about before applying them: decide the policy first (what each kind of neighbour is allowed to send you and to receive from you), then write the lists.

Prefix Filters
RFC 1918 address space? RFC 1122, 3927, 5736, 5737, 2544, 6333, 3068 and 6598? None of these should ever be accepted from, or announced to, a neighbour:
RFC 1122   0.0.0.0/8, 127.0.0.0/8                        "this" network, loopback
RFC 1112   240.0.0.0/4                                     reserved (former class E)
RFC 1918   10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16       private space
RFC 2544   198.18.0.0/15                                   network interconnection device (benchmark) testing
RFC 3068   192.88.99.0/24                                  6to4 relay anycast (deprecated by RFC 7526)
RFC 3927   169.254.0.0/16                                  IPv4 link-local
RFC 5737   192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24   documentation / test networks
RFC 6333   192.0.0.0/29                                    DS-Lite
RFC 6598   100.64.0.0/10                                   shared address space (CGN)
RFC 6890   192.0.0.0/24                                    IETF protocol assignments (replaces RFC 5736)

Prefix Filters: bogon filtering
https://www.team-cymru.org/services/bogons/

Prefix Filters
Your own prefixes? Never accept your own address space from anyone. For a downstream customer, only accept their assigned prefix. For upstream providers you'll need to accept routes for customers that are multihoming (they can legitimately arrive via the provider), but you still drop your own aggregates.

Prefix Filters
Customer filtering: accept only what's assigned. Peer filtering: get a prefix list from them, but still block bogons and your own space. Provider filtering: unlikely they would give you a prefix list, and it would be too long anyway; still filter bogons and your own space. Note that peers may advertise other peers' routes, thus providing a limited form of transit as well, so check what your peers advertise.
ftp://ftp-eng.cisco.com/cons/isp/security/ingress-prefix-filter-templates/t-ip-prefix-filter-ingress-loose-check-vcurrent.txt

Max Prefixes
Should you accept 1,000,000 routes from everyone? Even customers? Is there one good number? No: set neighbor <neighbour> maximum-prefix per neighbour type (a customer gets a little more than they are assigned, a peer a little more than their normal announcement, transit a little more than the full table), with a warning threshold so you notice growth before the session drops.

Communities + Route maps
Setting communities on BGP routes is a great policy enforcement tool: tag each route with where it came from as it arrives, and every other policy matches the tag instead of the prefix. Reduces the need to statically configure prefix lists at every peering point. Makes outbound prefix selection a breeze. If it's fast and easy it will be better maintained. Use route maps to apply policy to incoming and outgoing routes.
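The whole eBGP section in one configuration, as an added example (not from the original slides): MD5 on each session, GTSM, a bogon and own-space filter, a customer prefix list, maximum-prefix per neighbour type, and communities set at ingress and matched at egress so transit routes never leak to another transit. AS numbers, addresses and secrets are assumptions; the RFC 5737 documentation ranges stand in for real allocations (198.51.100.0/24 ours, 203.0.113.0/24 the customer's, 192.0.2.0/30 the transit link) and are therefore deliberately left out of the bogon list here.

```cisco
! Added example, not from the original slides. AS 64500 is us, AS 64501 a
! directly connected customer, AS 64502 our transit provider. Addresses and
! secrets are assumptions; documentation ranges stand in for real space and
! are NOT in the BOGONS list for that reason.
ip bgp-community new-format
!
! --- Never accepted from anyone (RFC 1122, 1112, 1918, 2544, 3068, 3927,
!     6333, 6598, 6890, plus multicast and class E as 224.0.0.0/3)
ip prefix-list BOGONS seq 5 permit 0.0.0.0/8 le 32
ip prefix-list BOGONS seq 10 permit 10.0.0.0/8 le 32
ip prefix-list BOGONS seq 15 permit 100.64.0.0/10 le 32
ip prefix-list BOGONS seq 20 permit 127.0.0.0/8 le 32
ip prefix-list BOGONS seq 25 permit 169.254.0.0/16 le 32
ip prefix-list BOGONS seq 30 permit 172.16.0.0/12 le 32
ip prefix-list BOGONS seq 35 permit 192.0.0.0/24 le 32
ip prefix-list BOGONS seq 40 permit 192.88.99.0/24 le 32
ip prefix-list BOGONS seq 45 permit 192.168.0.0/16 le 32
ip prefix-list BOGONS seq 50 permit 198.18.0.0/15 le 32
ip prefix-list BOGONS seq 55 permit 224.0.0.0/3 le 32
! --- Our own space: never accepted from anyone either
ip prefix-list OUR-SPACE seq 5 permit 198.51.100.0/24 le 32
! --- Customer AS 64501 may send exactly the prefix we assigned, nothing longer
ip prefix-list CUST-64501-IN seq 5 permit 203.0.113.0/24
! --- What the world is allowed to hear from us, and what the customer gets
ip prefix-list OUR-ANNOUNCE seq 5 permit 198.51.100.0/24
ip prefix-list OUR-ANNOUNCE seq 10 permit 203.0.113.0/24
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
! --- Communities: 64500:100 = learnt from a customer, 64500:200 = from transit
ip community-list standard FROM-CUSTOMER permit 64500:100
!
route-map CUST-64501-IN permit 10
 match ip address prefix-list CUST-64501-IN
 set community 64500:100
 set local-preference 200
! implicit deny: anything else the customer announces is dropped
!
route-map TRANSIT-IN deny 10
 match ip address prefix-list BOGONS OUR-SPACE
route-map TRANSIT-IN permit 20
 set community 64500:200
 set local-preference 100
!
route-map TRANSIT-OUT permit 10
 match community FROM-CUSTOMER
route-map TRANSIT-OUT permit 20
 match ip address prefix-list OUR-ANNOUNCE
! implicit deny: routes tagged 64500:200 never reach another transit
!
! Anchor for our aggregate so the network statement has a route to announce
ip route 198.51.100.0 255.255.255.0 Null0
!
router bgp 64500
 bgp log-neighbor-changes
 network 198.51.100.0 mask 255.255.255.0
 !
 neighbor 198.51.100.250 remote-as 64501
 neighbor 198.51.100.250 description Customer AS64501 (directly connected)
 neighbor 198.51.100.250 password cust-shared-secret
 neighbor 198.51.100.250 ttl-security hops 1
 neighbor 198.51.100.250 route-map CUST-64501-IN in
 neighbor 198.51.100.250 default-originate
 neighbor 198.51.100.250 prefix-list DEFAULT-ONLY out
 neighbor 198.51.100.250 maximum-prefix 10 80
 !
 neighbor 192.0.2.1 remote-as 64502
 neighbor 192.0.2.1 description Transit AS64502 (directly connected)
 neighbor 192.0.2.1 password transit-shared-secret
 neighbor 192.0.2.1 ttl-security hops 1
 neighbor 192.0.2.1 route-map TRANSIT-IN in
 neighbor 192.0.2.1 route-map TRANSIT-OUT out
 neighbor 192.0.2.1 maximum-prefix 900000 90
```

Policy changes only apply to routes already received after `clear ip bgp 192.0.2.1 soft in`. Verify with `show ip bgp neighbors 192.0.2.1 | include TTL` (Minimum incoming TTL 254, Outgoing TTL 255), `show ip bgp community 64500:100` (only the customer's prefix should be there), and `show ip bgp neighbors 192.0.2.1 advertised-routes` (only OUR-ANNOUNCE prefixes, never anything tagged 64500:200). The customer session deliberately gets a default plus nothing else, so the customer can't use you to learn other people's more specifics.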

Internet Exchange Security
Layer 2 issues: ARP injection, MAC attacks (flooding). Layer 3 issues: non-policy routing.
http://conference.apnic.net/__data/assets/pdf_file/0018/50706/apnic34-mike-jager-securing-ixp-connectivity_1346119861.pdf
https://www.ams-ix.net/config-guide

Layer 2 Issues
We've talked about this already, but this is where you are most in danger of it happening. I've never heard about anyone being attacked, so don't be too nervous.

Non-Policy Routing? What's that?
When another organisation ignores the routing policy you advertise and makes up their own, typically with static routes that push traffic through you. Examples?

Free outbound transit
Easy: just add a static route for a destination and point it at another member's router on the exchange. This isn't a how-to. Of course you'll want to test it before putting the route in.

Free outbound
Layout: two ASes, both connected to the same exchange.

Free outbound
AS10 notices that its outbound traffic to its upstream is busy. Doesn't want to pay for more bandwidth!

Free outbound
They notice that a lot of the traffic is going to AS30. They also notice that AS30 is connected directly to AS20.

Free outbound
So a less than ethical admin adds a static route for 10.30.0.0/16 (AS30's space) pointing at AS20's router that is attached to the exchange, even though AS20 never announced that prefix to AS10.

Free outbound
Now their traffic bound for AS30 goes via AS20, over AS20's hopefully well provisioned exchange port. Now the link between AS20 and AS30 is busy: who pays for the upgrade? Or perhaps AS20's exchange port gets busy, so they pay for an upgrade.

Free inbound transit
Bit more difficult to do. Again, this isn't a how-to. (diagram slide)

Free inbound
So advertise more specifics via the lower cost path, and everyone prefers them over the aggregate you send your transit. Perhaps you wouldn't want to advertise your whole address space de-aggregated.

Free inbound
Is this the only way to do it? Nope, you could just advertise a single subnet, or use AS-path prepending on the paths you want traffic to avoid. You could use this on peers as well.

Free symmetric traffic
This is the most valuable type of stealing bandwidth, so the most specific and difficult. Still, this is not a how-to.

Free symmetric transit
So here we have AS10 connected to two exchanges, along with AS20.

Free symmetric transit
AS10 has an expensive transit service between its two POPs. But it's getting too busy, what to do? An unethical admin notices that AS20 is connected to both exchanges as well.

Free symmetric transit
So after a bit of testing they add static routes for two subnets (one POP's space at each exchange) to send traffic via AS20.

Free symmetric transit
Problem solved, for someone. Other ways to achieve that? Advertise those sub-subnets to AS20 at each exchange?

Defences?
Prefix lists (only accept what a peer should send). ACLs (only forward traffic from the exchange to destinations you announced there). A separate exchange router, recommended. Or a separate VRF.

Exchange Router
A dedicated exchange router carries no default route, only what you announce to the exchange plus what peers announce to you. A static route for 0.0.0.0/0 to Null0 then drops all the traffic for which there is no known route, so a peer who statics traffic at you for a destination you never announced to them gets it dropped instead of forwarded to your transit.

VRF Lite
Combined with uRPF it's a way to secure your peering interface. It creates a separate forwarding instance that allows you to select which routes are reachable from the exchange interface, so the global table (and your transit) simply doesn't exist from there. Be warned, it makes configurations difficult.
https://supportforums.cisco.com/thread/201655
http://routing-bits.com/2010/09/13/vrf-lite-route-leaking/
http://packetlife.net/blog/2010/mar/29/inter-vrf-routing-vrf-lite/
http://blog.ipexpert.com/2010/12/01/vrf-route-leaking/
http://www.experts-exchange.com/hardware/networking_hardware/routers/q_28010516.html
http://packetlife.net/blog/2009/apr/30/intro-vrf-lite/
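An exchange-facing interface in its own VRF, as an added example (not from the original slides): the VRF only ever contains the prefixes we announce to the exchange and the prefixes peers announce to us, a Null0 default in the VRF discards everything else, and loose uRPF on the port drops sources nobody announced there. Names, addresses and AS numbers are assumptions; 203.0.113.0/24 stands in for the exchange LAN, 198.51.100.0/24 for our space and 192.0.2.0/24 for a peer's. The import/export maps under ip vrf are a BGP feature of newer IOS releases (12.2(33)SRB and 15.x); on older code the same leak is done with static routes as in the links above.

```cisco
! Added example, not from the original slides. Names, addresses and AS numbers
! are assumptions; documentation ranges stand in for real allocations.
ip vrf IXP
 rd 64500:1
 ! Only OUR-ANNOUNCE enters the IXP VRF from the global table, and only
 ! peer-learnt routes go back (newer-IOS BGP feature; else use static leaks)
 import ipv4 unicast map GLOBAL-TO-IXP
 export ipv4 unicast map IXP-TO-GLOBAL
!
ip prefix-list OUR-ANNOUNCE seq 5 permit 198.51.100.0/24
ip prefix-list PEER-64510-IN seq 5 permit 192.0.2.0/24 le 24
!
route-map GLOBAL-TO-IXP permit 10
 match ip address prefix-list OUR-ANNOUNCE
route-map IXP-TO-GLOBAL permit 10
 match ip address prefix-list PEER-64510-IN
!
! Anything a peer sends us for a destination we never announced has nowhere
! to go in this VRF: discard it rather than hand it to our transit
ip route vrf IXP 0.0.0.0 0.0.0.0 Null0
!
interface GigabitEthernet0/2
 description IXP peering port (lives only in the IXP VRF)
 ip vrf forwarding IXP
 ip address 203.0.113.10 255.255.255.0
 ! Loose uRPF against the IXP VRF: the source must match a real route.
 ! A route to Null0 fails the check, so the default above does not help
 ! a source that no peer (or we) announced here.
 ip verify unicast source reachable-via any
 no ip redirects
 no ip proxy-arp
 no ip unreachables
!
router bgp 64500
 address-family ipv4 vrf IXP
  neighbor 203.0.113.20 remote-as 64510
  neighbor 203.0.113.20 description IXP peer AS64510
  neighbor 203.0.113.20 password ixp-shared-secret
  neighbor 203.0.113.20 ttl-security hops 1
  neighbor 203.0.113.20 prefix-list PEER-64510-IN in
  neighbor 203.0.113.20 prefix-list OUR-ANNOUNCE out
  neighbor 203.0.113.20 maximum-prefix 100 80
  neighbor 203.0.113.20 activate
```

`show ip route vrf IXP` should contain nothing but the connected exchange LAN, the imported 198.51.100.0/24, the peer's 192.0.2.0/24 and the Null0 default; if your full table shows up there, the import map is matching too much. `show ip interface GigabitEthernet0/2 | include verif` confirms uRPF is on, and `show ip bgp vpnv4 vrf IXP summary` shows the peer. Strict uRPF (reachable-via rx) is what the slide has in mind and works here only because the VRF holds just peer routes, but it will drop a peer's traffic from any prefix they send traffic from without announcing it to you, so start with loose and tighten once you know your peers.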

Mike Jager Exchange security testing

v4 vs v6 Security
Is there a difference in the control plane? Actually there are some slight differences.

What's different?
There's no ARP any more. Now there's neighbour discovery (ICMPv6 over link-local multicast), which is just as unauthenticated: a spoofed neighbour advertisement does what ARP injection did.

What's different?
They insist on making our lives easier: SLAAC via ND (router solicitation and router advertisement). Source routing is still available (routing header type 0), although RFC 5095 deprecated it; it is disabled by default on Cisco boxes, yay.

What's different?
I can't hear wh..<bzzt> No more fragmentation on routers: in IPv6 only the sender fragments.

What's different?
But that means ICMPv6 is important now and can't just be filtered: neighbour discovery (v6 ARP), SLAAC, and Packet Too Big messages, which are what path MTU discovery relies on now that routers won't fragment. Also, by the way, TTL has been renamed Hop Limit, and the function changed with it: instead of being related to time spent in transit it is a hop count. Which is what everyone implemented anyway.

What's different?
The maximum packet size allowable is now 2**32-1 bytes with the jumbogram option (RFC 2675), that's over 4 GiB, instead of 65535. Can't wait to see what some operating systems make of that.

What's different?
Privacy is harder to find with SLAAC: the EUI-64 interface identifier embeds the MAC address, so a host is trackable across networks. But minimum allocations are /64, so the OS can use temporary addresses (RFC 4941 privacy extensions).

What's different?
The addresses are HEAPS longer, making management harder.

What's different?
Tunnelling? We got tunnelling. 6to4 (automatic), Teredo (automatic), 6in4 (configured). 6to4 and 6in4 carry IPv6 directly in IPv4 protocol 41; Teredo wraps it in UDP (port 3544) precisely so it works from behind NAT. Perhaps a user installs some torrenting software, and they now have an IPv6 path straight through your IPv4-only firewall, inside your organisation.
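A border ACL that stops the automatic tunnels above from leaving the network, as an added example (not from the original slides). The interface name is an assumption and 203.0.113.0/24 stands in for our own IPv4 space; because the permit is limited to our own space, the same ACL also stops spoofed-source packets leaving.

```cisco
! Added example, not from the original slides. Interface name is an
! assumption; 203.0.113.0/24 stands in for our own IPv4 space.
ip access-list extended OUTBOUND-EDGE
 remark 6to4 and 6in4: IPv6 carried directly in IPv4 protocol 41
 deny   41 any any log
 remark Teredo: IPv6 in UDP towards the Teredo server/relay port
 deny   udp any any eq 3544 log
 remark 6to4 relay anycast (RFC 3068, deprecated): nothing legitimate goes there
 deny   ip any 192.88.99.0 0.0.0.255 log
 remark Only our own addresses may leave; everything else is spoofed or leaked
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Transit to upstream
 ip access-group OUTBOUND-EDGE out
```

`show ip access-lists OUTBOUND-EDGE` gives per-line hit counts, so the protocol 41 and UDP 3544 lines double as a detector for hosts that have quietly brought up tunnels. If you run a legitimate configured 6in4 tunnel from a known endpoint, add a `permit 41 host <your-endpoint> host <tunnel-broker>` line above the deny; the log keyword on the denies is cheap here but should be rate limited (ip access-list logging interval) on a busy border.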

What's different?
Implementations are new, so there will be new bugs. Juniper was forwarding traffic to link-local addresses?!