INTERNET SERVICE PROVIDER ASSOCIATION OF INDIA
News Heading: Synopsis of Network Security Workshop

Post Date: 2009-07-19

BGP Best Practices

 Avoid default routes: ISPs with full BGP feeds should avoid defaults.
 DoS/DDoS attacks use spoofed addresses from the unallocated IPv4 space.

See http://www.iana.org/assignments/ipv4-address-space for the latest macro allocation.

Infrastructure Security

BCP 38 Ingress Packet Filtering
>> Must be applied both inbound and outbound
>> uRPF (unicast Reverse Path Forwarding)
 Strict mode uRPF for single-homed customers
 Loose mode uRPF for multihomed customers
 A single-homed customer should be configured with strict mode
>> CEF (Cisco)
BCP 84 – guidance on creating filter rules.

Re-coloring at the edge: IP precedence?
Using IP routing as a security tool?

We can use Null0 (black hole) / an analysis device / rate limiting
Black hole
Remote Triggered Black Hole (RTBH) filtering
Sprint, nLayer and Hurricane are implementing RTBH techniques

Can be a computer with Zebra (interface

Trigger router config –
Sink hole routers / networks

Monitoring scan rates –
RIR filtering –

Dark IP – IP addresses not in use.

NSP-SEC –

Synopsis of Network Security Workshop - 17 July 2009

Network Telemetry –

SNMPv3 provides authentication and encryption.

> Both a pull model for statistical polling and a push model for trap generation based upon events
> http://www.net-snmp.org/ – Net-SNMP toolset
> Graph CRC errors using MRTG
> PPS (packets per second) graph using MRTG
> MRTG can graph email traffic, i.e. spam mails, using SpamAssassin
> DNS queries per second using MRTG
> QPS (queries per second) can be graphed using MRTG

SNMP: RRD tools
 Cacti, Cricket, Big Sister etc. are open source SNMP tools using RRDtool
 Nagios, Big Sister, Big Brother

Commercial tools:
RMON: Remote Monitoring

Syslog:
Keep all the logs on a central server
SPAN / mirror port for using

NetFlow for billing
 It is a traffic analysis tool
 Flows defined by –
 Source IP address
 Destination IP address
 Source port
 Destination port
 L3 protocol type
 TOS (Type of Service)
 Flags
 Packets (number of packets)

NetFlow tools
NfSen
nfdump

Advantages of using NetFlow
Service provider:

Peering arrangements
SLA VPN
Usage-based billing
DoS / worm detection
Traffic engineering
Troubleshooting

Enterprise:

Internet access
Associated cost of IT
Policy compliance monitoring

http://net.doit.wisc.edu/


Synopsis of Network Security Workshop - 18 July 2009

 Analysis of MPLS/VPN security
 Ideally the MPLS core and the Internet core should be separate
 Different ways to provide Internet access –
1. Internet in the global routing table using LSPs between PEs
2. Traditional way: the core routers and border gateway routers are reachable from the Internet, so there is a chance of attacks

If we use MPLS:
> The core router CPU utilization is low because it is not carrying any routing info.
> The core will be secure because it is not reachable from the Internet
> PE routers are reachable (bidirectional)
> P routers are not reachable

2. Scenario (Internet in VRF)
> All the routers will carry full or partial routing info.
> All the routers are prone to attacks
> It can be used in small networks
> We need to secure the PE interface

3. IPsec
> Purpose of IPsec
1. Encryption
2. Direct authentication of CEs
3. Integrity of traffic
4. Replay detection

Opt 1: Static IPsec
Opt 2: Dynamic crypto map
Opt 3:
Opt 4:

MPLS doesn't provide:
 Protection against misconfiguration of the core
 Protection against attacks from within the core
 Encryption
 Customer network security

Labels give L3 intelligence with Frame Relay switching speed

It is possible to use the same link (local loop) to provide VPN service and Internet service by using sub-interfaces and separate VRs for each service

We learned how to configure MPLS VPN

Four important steps are
1. Configuration of MP-BGP
2. Configuration of VRF
3. Configuration of RD & RT

We learned how to check the VRF details using show vrf commands

Evening Session:

We can monitor security threats by comparing against baseline data

Using Nagios
 DNS can be checked using
 SSH can be checked using Nagios
 We can write our own plugins
 We can monitor VRF & MPLS links for customers using Nagios

Anycast:
 IPv4 anycast can be used as a security technique
 It is not a protocol, it is a configuration methodology
 DNS infrastructure uses anycast
 Same IP address on the same interface
 Anycast can be used in building either local server clusters or global networks
 F-root is a local anycast server cluster

Best practices for anycast
 Use two separate overlapping clouds
 Anycast works with both TCP & UDP
 For troubleshooting we can use TXT records on anycast DNS servers
 Anycast can be used for collecting flow traffic & SNMP traffic
 Anycast is useful to distribute load on DNS servers and email servers

Protecting the backbone point-to-point

Reacting to Attacks

There are a lot of tools:
 ACLs
 Control plane policy
 Firewalls
 IDS/IPS
 BGP triggers
 Packet scrubbing

Synopsis of Network Security Workshop - 19 July 2009

Tracing back spoofed IPv4 addresses

Important
• Apply ACLs & monitor the logs
• We can query the NetFlow table
• IP Source Tracker

• If we put an ACL in place to stop the attack, the CPU utilization will increase
• So we can put filters in place for some time & remove them afterward
• The log collection system should be configured properly

By configuring NetFlow we can get a lot of real-time data to analyse using

# show ip cache flow
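The NetFlow flow key from the day-1 notes (source/destination IP, ports, protocol, TOS, flags, packets) and the "query the NetFlow table" traceback above, as an added Python example that is not part of the workshop notes. The record layout, the sample records and the bogon list are constructed for the example; real exports come from nfdump or `show ip cache flow`, not this format.

```python
# Added example (not from the workshop notes): constructed NetFlow-style records
# keyed by the flow tuple above, with DoS detection and spoofed-source traceback.
import ipaddress
from collections import defaultdict

# Constructed sample records (my own layout, not nfdump output):
# ingress_if src dst sport dport proto tos flags packets
RECORDS = """\
Gi0/1 203.0.113.10 198.51.100.53 40001 53 17 0 0 12
Gi0/1 203.0.113.10 198.51.100.53 40001 53 17 0 0 8
Gi0/0 10.9.1.1 198.51.100.80 1001 80 6 0 2 1
Gi0/0 10.9.1.2 198.51.100.80 1002 80 6 0 2 1
Gi0/2 10.9.2.7 198.51.100.80 1004 80 6 0 2 1
Gi0/1 203.0.113.20 198.51.100.80 5000 80 6 0 24 40
"""
# Constructed stand-in for the IANA unallocated-space list the notes point to.
BOGONS = [ipaddress.ip_network("10.0.0.0/8")]
SYN = 0x02  # TCP flags value of a SYN-only (half-open) flow
FIELDS = ("ingress", "src", "dst", "sport", "dport", "proto", "tos", "flags", "packets")

def parse(text):
    rows = []
    for line in text.strip().splitlines():
        vals = line.split()
        rows.append(dict(zip(FIELDS, vals[:3] + [int(v) for v in vals[3:]])))
    return rows

def aggregate(rows):
    """Sum packets per flow key: the seven fields from the notes, packets excluded."""
    totals = defaultdict(int)
    for r in rows:
        totals[(r["src"], r["dst"], r["sport"], r["dport"],
                r["proto"], r["tos"], r["flags"])] += r["packets"]
    return dict(totals)

def syn_flood_targets(rows, min_sources=3):
    """Destinations receiving SYN-only TCP flows from many distinct sources."""
    srcs = defaultdict(set)
    for r in rows:
        if r["proto"] == 6 and r["flags"] == SYN and r["packets"] <= 2:
            srcs[(r["dst"], r["dport"])].add(r["src"])
    return {dst: len(s) for dst, s in srcs.items() if len(s) >= min_sources}

def traceback_spoofed(rows):
    """Ingress interfaces carrying sources from unallocated space, for traceback."""
    hits = defaultdict(set)
    for r in rows:
        if any(ipaddress.ip_address(r["src"]) in net for net in BOGONS):
            hits[r["ingress"]].add(r["src"])
    return {port: sorted(ips) for port, ips in hits.items()}
```

The ingress interfaces returned by `traceback_spoofed` are where a temporary ACL or a source-based black hole would be applied, following the "apply filters for some time and remove them afterward" advice above.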

We studied the case study of how Cisco handled the SQL Slammer attacks
1. Preparation phase:
We require people, processes, procedures, lines of communication and tools to handle events in 24/7/365 business operations.

2. Identification phase:
Using NetFlow telemetry

3. Classification:
Classifying the scope of the attack depends on the network architecture.

4. Traceback:
Instrumentation plus knowledge of the network

5. Reaction:
Apply the ACLs at all Internet POPs
Apply the ACLs to all the switch ports down to the end-user and access level

6. Post-mortem phase:
Learn how to handle this type of attack

An ISP can put a clause in the contract with the Internet customer that if the customer uses the link for abuse we can disconnect them, and in case of an emergency / severe attack we can shut down the attacks.

Wireless Security

1. Open access
2. Basic security – WEP (40-bit or 128-bit static encryption)
3. Enhanced security – WPA, 802.1X, TKIP encryption, mutual authentication, dynamic keys

• We can educate the vendors about new security threats & new techniques to overcome them.
• For public Wi-Fi spots it is difficult to implement WEP keys & other authentication techniques

VLAN-Based Security for Modern Service-Provision Networks

• The traditional method of putting in a stateful inspection box & a packet firewall is not much use
• Dividing segments into DMZ zone, outside zone and LAN zone is not much use
• The attacks can come from inside, so creating a DMZ zone is not much use
• The VLAN-based method of putting servers inside our network is a secure method
• Put the customers in different VLANs in the IDC
• We can use NetFlow or the router with the above technique

DoS Attacks
• To prevent DoS, the first technique is the DoS attack
• DDoS is DoS
• Now DoS attacks are driven by money
• We can't ignore DoS
• Windows Vista enables IPv6 by default
• Worms & DoS are closely related
• Worms enable botnets – DoS
• The worms enter using some loopholes like unpatched OS, USB drives, email attachments
• The second phase is propagation – it will spread itself within the LAN, mostly using port 135
• The third phase is payload – install a rootkit, give control to the other guy (hacker)
• Worms generally infect end stations
• BCP 38 is a new standard ..
• Six phases of incident reporting

Layer 2 Security:
• The lower layer makes the higher layers prone to security attacks
• A trunk port can access all the VLAN traffic
• Standards are 802.1Q and ISL
• Dynamic Trunking Protocol does not work on routers

Various attacks –

VLAN hopping attacks
• A switch can decapsulate only one layer
• Attacker can send a VLAN
• Native VLAN & management VLAN should not be the default
• Disable unused ports & put them in an unused VLAN
• Do not use VLAN 1 for anything
• DTP & STP should be off on user interfaces
• On the native VLAN use tags

MAC Attacks
• CAM means Content Addressable Memory
• macof tool – included in dsniff
• It attacks Cisco devices based on table size
• Once the CAM table is full the switch will work as a hub

Countermeasures for MAC attacks
• Enable switch port security
• We can set how many MAC addresses per port the switch will learn
• The restrict mode causes high CPU utilization

DHCP Attacks

DHCP starvation attacks
• The same client will request an unlimited number of IP addresses using different MAC addresses
• CM: We can limit the number of MAC addresses per port on the switch

Rogue DHCP attacks
• A rogue DHCP server can give the wrong gateway, DNS IP address & IP address to the client
• CM: We can use DHCP snooping on Cisco devices
• Reduce the DHCP lease time

ARP Attacks

Tools for attacks:
dsniff & Ettercap are ARP attack tools

• Ettercap is a second-generation tool; it can run on Windows and Linux
• The attack will poison the ARP tables
• CM: Dynamic ARP Inspection (DAI) & DHCP snooping
• CM: Check the DHCP binding info & check the ARP table
• ARPwatch is a free tool to track MAC & IP addresses

Spoofing Attacks:
• MAC spoofing attack (attacker sends a wrong source MAC address)
• IP spoofing attack (attacker sends an incorrect source IP address)
• Countermeasures: We can use IP Source Guard – it verifies each packet; IP Source Guard checks against its binding table
• How to configure IP Source Guard:

DHCP snooping needs to be enabled
For enabling IP Source Guard with MAC checking, option 82 should be enabled
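How the DHCP snooping binding table ties the three countermeasures together (rogue DHCP, DAI and IP Source Guard, plus the per-port MAC limit against starvation), as an added Python model that is not from the workshop notes and is not switch configuration; port names, MACs and addresses are constructed:

```python
# Added example (not from the workshop notes): a Python model of a DHCP snooping
# binding table and the DAI and IP Source Guard checks that consult it.
from collections import defaultdict

class SnoopingSwitch:
    """Trusted ports face the real DHCP server; all others are access ports."""
    def __init__(self, trusted_ports, max_macs_per_port=1):
        self.trusted = set(trusted_ports)
        self.max_macs = max_macs_per_port
        self.bindings = {}                 # (port, mac) -> ip, learned from DHCP ACKs
        self.macs_on_port = defaultdict(set)

    def dhcp_server_reply(self, server_port, client_port, client_mac, ip):
        """DHCP OFFER/ACK seen on server_port for a client on client_port.
        Replies arriving on untrusted ports are dropped (rogue DHCP server)."""
        if server_port not in self.trusted:
            return False
        # Port security: cap the MACs an access port may present (starvation CM)
        seen = self.macs_on_port[client_port]
        if client_mac not in seen and len(seen) >= self.max_macs:
            return False
        seen.add(client_mac)
        self.bindings[(client_port, client_mac)] = ip
        return True

    def _bound(self, port, mac, ip):
        # Trusted (uplink/server) ports are not inspected; access ports must match
        return port in self.trusted or self.bindings.get((port, mac)) == ip

    def arp_allowed(self, port, sender_mac, sender_ip):
        """Dynamic ARP Inspection: the ARP sender MAC/IP must match a binding."""
        return self._bound(port, sender_mac, sender_ip)

    def ip_allowed(self, port, src_mac, src_ip):
        """IP Source Guard: source IP (and MAC, as with option 82) must match."""
        return self._bound(port, src_mac, src_ip)
```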

Reacting with BGP:

RTBH can be source-based
ACLs can face issues with a dynamic attack profile
Best practice is using ACLs & RTBH

TIDP – Threat Information Distribution Protocol –
• Cisco proprietary

Packet Scrubbing:

One of the mitigation techniques
Divert the packets to scrubbers in the same way as the RTBH technique: instead of using Null0 we direct the traffic to a scrubber device.
DDoS can be prevented using a Cisco Guard device or any other IDS/IPS


* CM – Countermeasures
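The strict and loose uRPF modes from the BCP 38 notes and the source-based RTBH drop mentioned here, as an added Python model that is not router configuration and not from the workshop; the FIB, interface names and packet list are constructed, and a Null0 route stands in for what the trigger router would announce:

```python
# Added example (not from the workshop notes): strict/loose uRPF lookups against
# a constructed FIB; a Null0 route stands in for a source-based RTBH trigger.
import ipaddress

NULL0 = "Null0"

# Constructed FIB (prefix -> outgoing interface). No default route, per the notes.
#  203.0.113.0/24   single-homed customer on Gi0/1
#  198.51.100.0/24  multihomed customer: best route Gi0/2, second link on Gi0/3
#  192.0.2.0/24     prefix learned from upstream on Gi0/0
#  192.0.2.66/32    attack source announced by the trigger router -> Null0
FIB = {"203.0.113.0/24": "Gi0/1", "198.51.100.0/24": "Gi0/2",
       "192.0.2.0/24": "Gi0/0", "192.0.2.66/32": NULL0}

def lookup(fib, ip):
    """Longest-prefix match; returns the outgoing interface, or None if no route."""
    addr, best = ipaddress.ip_address(ip), None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_permits(fib, src_ip, ingress, mode):
    """Strict: the route back to the source must leave via the ingress interface.
    Loose: any route will do. Both drop sources with no route or a Null0 route,
    which is how a source-based RTBH announcement takes effect at every edge."""
    iface = lookup(fib, src_ip)
    if iface is None or iface == NULL0:
        return False
    return iface == ingress if mode == "strict" else True

def filter_ingress(fib, packets, mode):
    """Return the (ingress, src) packets that pass uRPF in the given mode."""
    return [(ingress, src) for ingress, src in packets
            if urpf_permits(fib, src, ingress, mode)]

# Constructed packets: (ingress interface, source IP)
PACKETS = [
    ("Gi0/1", "203.0.113.10"),  # genuine single-homed customer traffic
    ("Gi0/1", "198.51.100.5"),  # spoofed by the single-homed customer: only strict drops it
    ("Gi0/3", "198.51.100.5"),  # multihomed customer via its second link: strict wrongly drops it
    ("Gi0/0", "192.0.2.66"),    # black-holed source: dropped in both modes
    ("Gi0/0", "100.64.0.1"),    # no route (unallocated/bogon space): dropped in both modes
]
```

Running `filter_ingress` in both modes shows why the notes pair strict mode with single-homed customers and loose mode with multihomed ones: loose mode passes the spoofed 198.51.100.5 on Gi0/1, while strict mode drops the legitimate multihomed packet on Gi0/3.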

Copyright 2008 INTERNET SERVICE PROVIDERS ASSOCIATION OF INDIA