INTERNET SERVICE PROVIDER SECURITY BEST PRACTICES, SESSION 1

Agenda
- A Brief Review
- Management Plane / Device Security
- Control Plane
- Data Plane
- Summary / Next Steps
A BRIEF REVIEW

Denial of Service and ISPs
- DoS can target an ISP, an ISP's customer, or the core of the Internet
- Attacks are part of everyday operations, can be of high severity, and increasingly have a profit motivation
- Proper preparation can dramatically reduce the effects of DoS attacks
Goal: Secure the Internet
- ISPs compete, but in security ISPs need to cooperate
- The security of the Internet is a concern for all
- Only a secure Internet will be sellable in the long term

What Do ISPs Need to Do?
- Protect themselves
- Help protect their customers from the Internet
- Protect the Internet from their customers
How to Do It?
- Work with operations groups, standards organisations, and vendors on new solutions
- Implement Best Common Practices (BCPs):
  - ISP infrastructure security
  - ISP network security
  - ISP services security

The Three Planes
(Figure: the packet path through a router. Ingress packets enter the data plane on the line card's forwarding/feature ASIC cluster; forwarded packets leave "ToFab" toward other line cards. Packets that need software handling are punted from the ASICs into the RAW queue(s), also called the CPU queue(s) or punt queue(s), and from there go either to the line-card CPU or, via the receive path, to the route processor (GRP or PRP). The control plane and management plane run on the RP; the data plane is the forwarding hardware.)
What Is a Punt?
Packets that need to be sent to the RP:
- Packets addressed to the network device itself (receive adjacencies)
- Broadcast and multicast packets
- Logged packets (ACLs or unicast RPF with logging enabled)
- Packets with IP options set
- Packets which cannot be immediately forwarded to a destination and require ARP or ICMP generation:
  - Packets blocked by ACLs
  - Packets with an unknown destination
  - Packets with an expired TTL
  - Destinations lacking a next-hop adjacency

MANAGEMENT PLANE / DEVICE SECURITY
2003, 2004 Cisco Systems, Inc. All rights reserved.
Disable Unneeded Services
- Global commands:
    no service finger
    no service udp-small-servers
    no service tcp-small-servers
    no ip http server
- Interface commands (apply on every interface):
    no ip redirects
    no ip directed-broadcast
    no ip proxy-arp

Cisco Discovery Protocol
- CDP can be used to learn information about neighboring devices that are running CDP: IP address, software version
- CDP is configured per interface
- Disable CDP where it isn't needed, in particular on public-facing interfaces
Source Routing / IP Options
- IP has a provision that allows the source host to specify the route through the Internet
- ISPs should turn this off unless it is specifically required:
    no ip source-route
- Packets with IP options can be dropped, or the options can be ignored (12.0(23)S / 12.3(4)T):
    ip options drop
    ip options ignore

ICMP Unreachable Overload
- Packets that cannot be forwarded are punted for ICMP Unreachable generation
- Risk: a high number of unreachables overloading the CPU
    no ip unreachables
- All routers with any static route to Null0 should configure "no ip unreachables" on interface Null0
- If unreachables are needed, use ICMP Unreachable rate limiting:
    ip icmp rate-limit unreachable [DF] <1-4294967295 milliseconds>
    no ip icmp rate-limit unreachable [df]
- The default is one unreachable every 500 milliseconds
What Ports Are Open on the Router?
- It may be useful to see what sockets/ports are open on the router
- show ip sockets shows some of the UDP ports opened:

  IOSRouter#show ip sockets
  Proto  Remote           Port  Local            Port  In  Out  Stat  TTY  OutputIF
  17     192.190.224.195  162   204.178.123.178  2168  0   0    0     0
  17     --listen--             204.178.123.178  67    0   0    9     0
  17     0.0.0.0          123   204.178.123.178  123   0   0    1     0
  17     0.0.0.0          0     204.178.123.178  161   0   0    1     0

- Two steps are required for TCP ports:
    show tcp brief all
    show tcp tcb

  GSR-1#sh tcp bri all
  TCB       Local Address     Foreign Address   (state)
  52F6D218  60.20.1.2.11002   60.20.1.1.179     ESTAB
  52F7065C  50.20.1.1.179     50.20.1.2.11007   ESTAB
  52F6CD8C  *.*               *.*               LISTEN
  537D0944  *.179             60.20.1.1.*       LISTEN
  537CE2C4  *.179             50.20.1.2.*       LISTEN
Network Time Protocol
- Synchronize time across all devices, so that when a security event occurs the data will have consistent timestamps
- From an external time source: upstream ISP, Internet, GPS, atomic clock
- From an internal time source: a router can act as a stratum 1 time source
    ntp source loopback0
    ntp server 10.223.1.1 source loopback0
    ntp authenticate
    ntp authentication-key <number> md5 <value>
- Note that "ntp authenticate" only rejects unauthenticated servers once the key number is also listed with "ntp trusted-key <number>" and referenced on the "ntp server" line with "key <number>"

Configuring Syslog on a Router
- Syslog data is invaluable for attack forensics and for day-to-day events and debugging
- To log messages to a syslog server host, use the logging global configuration command:
    logging <host>
    logging trap <level>
- To log to the internal buffer:
    logging buffered <size>
- Ensure timestamps and sequence numbers (e.g. "service timestamps log datetime msec" rather than the uptime default):
    service timestamps log
    service sequence-numbers
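The sequence numbers and timestamps turned on above are only useful if something checks them. The script below is an added example (not part of the original deck) that walks a stored IOS syslog feed, reports gaps in the sequence numbers (messages lost between router and collector), timestamps that run backwards (a stepped clock or missing NTP), and repeated login failures per source as reported by the IOS Login Enhancements messages. It assumes the line format produced by "service sequence-numbers" together with "service timestamps log datetime msec year"; the sample log is constructed.

```python
"""Audit an IOS syslog feed for lost or reordered messages and brute-force
login attempts.

Added example, not part of the original deck. It assumes the router sends
"service sequence-numbers" plus "service timestamps log datetime msec year",
so that each line looks like (format assumed; the sample is constructed):

    000123: Mar 12 2004 10:15:42.117: %SYS-5-CONFIG_I: Configured from console by bill on vty0 (192.168.1.10)
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<seq>\d+):\s+"                                               # sequence number
    r"(?P<ts>[*.]?\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d{3}):\s+"  # datetime msec year ('*'/'.' = clock not authoritative)
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s+"
    r"(?P<text>.*)$"
)
LOGIN_SRC_RE = re.compile(r"\[Source: ([0-9.]+)\]")

# Constructed sample: two failed SSH logins from one source, a config change,
# a BGP MD5 mismatch, a missing sequence range (124-125) and a timestamp that
# runs backwards (127 is older than 126).
SAMPLE_LOG = """\
000121: Mar 12 2004 10:15:40.002: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.9.9.9] [localport: 22] [Reason: Login Authentication Failed] at 10:15:40 UTC Fri Mar 12 2004
000122: Mar 12 2004 10:15:41.310: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.9.9.9] [localport: 22] [Reason: Login Authentication Failed] at 10:15:41 UTC Fri Mar 12 2004
000123: Mar 12 2004 10:15:42.117: %SYS-5-CONFIG_I: Configured from console by bill on vty0 (192.168.1.10)
000126: Mar 12 2004 10:15:44.900: %TCP-6-BADAUTH: Invalid MD5 digest from 10.1.2.1:11004 to 10.1.2.2:179
000127: Mar 12 2004 10:15:43.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface POS5/0, changed state to down
"""


def parse_line(line):
    """Return the fields of one IOS syslog line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["seq"] = int(d["seq"])
    d["sev"] = int(d["sev"])
    ts = " ".join(d["ts"].lstrip("*.").split())      # collapse the day padding ("Mar  1")
    d["ts"] = datetime.strptime(ts, "%b %d %Y %H:%M:%S.%f")
    return d


def audit(log_text):
    """Walk the feed in stored order and report anomalies."""
    events = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    gaps, out_of_order, login_failures = [], [], {}
    prev = None
    for e in events:
        if prev is not None:
            if e["seq"] != prev["seq"] + 1:                # messages lost between router and collector
                gaps.append((prev["seq"], e["seq"]))
            if e["ts"] < prev["ts"]:                       # clock stepped, or NTP not in place
                out_of_order.append(e["seq"])
        if e["mnemonic"] == "LOGIN_FAILED":                # IOS Login Enhancements message
            m = LOGIN_SRC_RE.search(e["text"])
            src = m.group(1) if m else "unknown"
            login_failures[src] = login_failures.get(src, 0) + 1
        prev = e
    return {"parsed": len(events), "gaps": gaps,
            "out_of_order": out_of_order, "login_failures": login_failures}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The sequence gap is the check worth automating: UDP syslog gives no other signal that messages were dropped on the way to the collector, and a burst of LOGIN_FAILED from one source is the pattern the "login delay" feature on a later slide is meant to slow down.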
Config Change Notification and Logging
- Allows the tracking of configuration changes entered on a per-session and per-user basis by implementing a configuration log
- Tracks each configuration command that is applied, who applied the command, the parser return code for that command, and the time that the command was applied
- Adds a notification mechanism that sends asynchronous notifications to registered applications whenever the configuration log changes
- Available in 12.3(4)T on the 1700, 2600, 3600, 3700, 7200, 7500 and AS5xxx
  http://www.cisco.com/en/us/partner/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d1e81.html
- See also the Contextual Configuration Diff utility:
  http://www.cisco.com/en/us/partner/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d1dc2.html

SNMP
- Version 1 sends cleartext community strings and has no policy reference
- Version 2 addresses some of the known security weaknesses of SNMPv1
- Version 3 provides authentication and encryption; recommended, but not widely deployed, so confirm NMS application support
- See NMS-2051 for additional detail
- RFC 2570, Introduction to Version 3 of the Internet-standard Network Management Framework
SNMP v1/v2 Authentication and Authorization
- A line ACL can filter SNMP access
- SNMP filtering: RO (read only), RW (read write), view (MIB restriction)
    access-list 4 permit 172.16.2.100
    snmp-server community <string> RO 4
    snmp-server community <string> view <MIB view>

New Features: CPU and Memory Threshold Notification
- CPU Threshold Notification, 12.0(26)S and 12.3(4)T: generates an SNMP trap message when a predefined threshold of CPU usage is crossed
  http://www.cisco.com/en/us/partner/products/sw/iosswrel/ps1829/products_feature_guide09186a00801b3a4a.html
- Memory Threshold Notification, 12.0(26)S and 12.2(18)S: if available free processor or I/O memory falls below the specified thresholds, the router logs an event. Network operations staff can investigate, and if necessary take action, before router performance is impacted or free memory becomes so low that the router is in danger of crashing.
  http://www.cisco.com/en/us/partner/products/sw/iosswrel/ps1838/products_feature_guide09186a00801b1bee.html
NetFlow
- Initially designed as a switching path, but now the primary network accounting technology in the industry
- NetFlow is the emerging standard traffic engineering / capacity planning technology
- NetFlow is the primary network anomaly-detection technology
- See SEC-2008 and NMS-2032 for details

Access to the Router
- Console
- Telnet
- SSH (encrypted access)
- Local passwords, with usernames defined on the router
- External AAA: TACACS+, RADIUS, Kerberos
- One-Time Passwords (OTP)
Use Enable Secret
- service password-encryption (type 7) is reversible:
    service password-encryption
    !
    hostname Router
    !
    enable password 7 14181C0E2A2B182A2824
- The enable secret password is hashed via MD5 (type 5):
    !
    hostname Router
    !
    enable secret 5 $1$hM3l$.s/DgJ4TeKdDkTVCJpIBw1

VTY Security
- Access to VTYs should be controlled
- An ACL is used to filter incoming connections; logging can be used to provide more information (add the log keyword to the deny entry to record rejected attempts)
    access-list 3 permit 192.168.1.0 0.0.0.255
    access-list 3 deny any
    line vty 0 4
     access-class 3 in
     transport input ssh
     transport output none
SSH
- Replaces telnet for a protected command and control communication channel
- Privacy and integrity provided through the use of strong cryptographic algorithms
- Supports TACACS+, RADIUS and local authentication
- Secure Copy (SCP) available in new SSH-enabled code
- Restrict access to SSH via the "transport input ssh" line command
- SSHv2 now in IOS (12.3(4)T / 12.1(19)E)

Banners: Login Banner
- This is a legal requirement in some jurisdictions; check with your legal group
    banner login ^
    Authorised access only
    This system is the property of Galactic Internet
    Disconnect IMMEDIATELY if you are not an authorised user!
    Contact noc@isp.net 555-1212 for help.
    ^
Banners: Exec Banner
- Used to remind staff of specific conditions:
    banner exec ^
    PLEASE NOTE - THIS ROUTER SHOULD NOT HAVE A DEFAULT ROUTE!
    It is used to connect paying peers. These customers should
    not be able to default to us. The config for this router is NON-STANDARD.
    Contact Network Engineering 555-1212 for more info.
    ^

New Feature: IOS Login Enhancements
- Password retry delay adds new flexibility to lock out unwanted attempts to access the device
- Introduces a delay between successive failed login attempts to alleviate dictionary attacks
- New global command: login delay
- Generation of syslog messages for login detection (login on-failure log, login on-success log)
- Available in 12.3(4)T
  http://www.cisco.com/en/us/partner/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d1cb3.html
Cisco IOS TACACS+ Login Authentication
    service password-encryption            ! encrypts passwords with the reversible type 7 encryption
    !
    hostname Router
    !
    aaa new-model
    aaa authentication login neteng group tacacs+ enable   ! list neteng: TACACS+, then the enable secret
    aaa authentication login tech group tacacs+ local      ! list tech: TACACS+, then the local user and password
    aaa authentication enable default group tacacs+ enable
    enable secret 5 $1$hM3l$.s/DgJ4TeKdDk                  ! the enable secret overrides the type 7 encryption
    !
    username bill secret 5 $1$A4Um$1NkLTeSwxYynxIHD6zlfc1  ! local users defined with the secret (MD5) command
    !
    tacacs-server host 172.16.1.4       ! the IP address of the TACACS+ server
    tacacs-server key <key>             ! the shared key for communicating with the TACACS+ server
    !
    line con 0
     login authentication neteng        ! uses list neteng: TACACS+, then the enable password
    line aux 0
     login authentication neteng
    line vty 0 4
     login authentication tech          ! uses list tech: TACACS+, then a local user/password
    !
    end
One-Time Passwords
- May be used with TACACS+ or RADIUS
- The same password will never be reused by an authorized administrator
- Key cards: CryptoCard token server included with Cisco Secure ACS
- Support for Security Dynamics and Secure Computing token servers in Cisco Secure ACS

Limit Authority: Authorize Commands
- Differentiate staff authority on the router: help desk, operations, second-level/third-level support
- Use privilege levels (0-15), for example:
  - System administrator, level 2: show, debug, ping
  - Network engineer, level 15: all commands
Set Privileges
- Set the level of privilege for each user class:
    privilege configure level 5 interface
    privilege interface level 5 shutdown
    privilege exec level 5 show ip route
    privilege exec level 5 configure terminal
    privilege exec level 5 show running-config
- Initially difficult to deploy, but the long-term benefit outweighs the short-term pain
- Other options are TACACS+-based authorization or

New Feature: Role-Based CLI Access
- Role-Based CLI, aka CLI Views, defines CLI access based on administrative roles
- Security: enhances the security of the device by defining the set of CLI commands that are accessible to a particular user
- Availability: avoids unintentional execution of CLI commands by unauthorized personnel
- Operational efficiency: prohibits users from viewing CLI commands that are inaccessible to them, greatly improving usability
  http://www.cisco.com/en/us/partner/products/sw/iosswrel/ps5207/products_feature_guide09186a00801ee18d.html
Complete AAA Config
    aaa new-model
    aaa authentication login default tacacs+ local enable
    aaa authentication enable default tacacs+ local enable
    aaa authorization exec default tacacs+ local
    aaa authorization commands 1 default tacacs+ local
    aaa authorization commands 15 default tacacs+ local
    aaa accounting exec start-stop tacacs+
    ip tacacs source-interface Loopback0
    tacacs-server host 10.1.1.1          ! try 10.1.1.1 first
    tacacs-server host 10.2.1.1          ! if no reply, use 10.2.1.1
    tacacs-server key CKr3t#
    line vty 0 4
     access-class 3 in
    username bill secret 5 $1$A4Um$1NkLTeSwxYynxIHD6zlfc1

New IOS Command: AutoSecure
- A new CLI command that automates the configuration of security features and disables certain features enabled by default that could be exploited as security holes:
    Router#auto secure [management | forwarding] [no-interact]
- Implements a number of best practices to help secure the router
- Released in 12.3(1) mainline and 12.3T
- Full details in the 12.3 mainline release documentation:
  http://www.cisco.com/en/us/partner/products/sw/iosswrel/ps5187/products_feature_guide09186a008017d101.html
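The management-plane slides so far add up to a baseline: unneeded services off, source routing off, enable secret instead of enable password, syslog timestamps and sequence numbers, AAA, NTP authentication, no redirects/directed-broadcast/proxy-ARP on interfaces, no unreachables on Null0, and SSH-only VTYs behind an access-class. The script below is an added example (not Cisco's) that audits a saved "show running-config" against that list and reports what is missing or should be removed. It assumes the one-space section indentation of IOS output; because some IOS versions do not print default settings, a "missing" finding for a default must be confirmed on the box. The sample config is constructed and deliberately deficient.

```python
"""Check a saved IOS running-config against the device-hardening baseline
collected on the preceding slides.

Added example, not Cisco's. Assumes "show running-config" output, where
section members are indented by one space. IOS prints the defaults for
many of these commands only on some versions, so a "missing" finding for
a default must be confirmed on the box. The sample config is constructed."""
import re

GLOBAL_REQUIRED = [
    "no service finger", "no service udp-small-servers", "no service tcp-small-servers",
    "no ip http server", "no ip source-route", "service password-encryption",
    "service timestamps log datetime msec", "service sequence-numbers",
    "aaa new-model", "ntp authenticate",
]
GLOBAL_FORBIDDEN = [
    re.compile(r"^enable password "),                     # type 7, reversible: use enable secret
    re.compile(r"^ip http server$"),
    re.compile(r"^snmp-server community \S+ RW(\s|$)"),  # writable community
]
INTERFACE_REQUIRED = ["no ip redirects", "no ip directed-broadcast", "no ip proxy-arp"]

SAMPLE_CONFIG = """\
version 12.3
service timestamps log datetime msec
service password-encryption
!
hostname edge1
!
enable password 7 14181C0E2A2B182A2824
!
aaa new-model
!
no ip source-route
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface POS5/0
 ip address 10.1.1.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
!
interface Null0
 no ip unreachables
!
ip http server
snmp-server community public RW
!
line vty 0 4
 access-class 3 in
 transport input telnet ssh
!
end
"""


def parse_config(text):
    """Split the config into top-level statements and the indented body of each."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            top.append(current)
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return top, sections


def has(statements, wanted):
    """Exact match, or match with extra trailing keywords (e.g. '... msec localtime')."""
    return any(s == wanted or s.startswith(wanted + " ") for s in statements)


def audit(text):
    """Return a list of findings; an empty list means the baseline is met."""
    top, sections = parse_config(text)
    findings = []
    for stmt in GLOBAL_REQUIRED:
        if not has(top, stmt):
            findings.append(f"global: missing '{stmt}'")
    if not any(s.startswith("enable secret ") for s in top):
        findings.append("global: missing 'enable secret'")
    for stmt in top:
        if any(p.match(stmt) for p in GLOBAL_FORBIDDEN):
            findings.append(f"global: remove '{stmt}'")
    for header, body in sections.items():
        if header.startswith("interface "):
            name = header.split(None, 1)[1].lower()
            if name.startswith("loopback"):            # no forwarding behaviour to harden
                continue
            required = ["no ip unreachables"] if name.startswith("null") else INTERFACE_REQUIRED
            for stmt in required:
                if not has(body, stmt):
                    findings.append(f"{header}: missing '{stmt}'")
        elif header.startswith("line vty"):
            if not has(body, "transport input ssh"):  # 'transport input telnet ssh' still allows telnet
                findings.append(f"{header}: missing 'transport input ssh'")
            if not any(s.startswith("access-class ") and s.endswith(" in") for s in body):
                findings.append(f"{header}: missing inbound 'access-class'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against a config pulled by the same mechanism the AAA accounting logs (for example a nightly rancid or SCP copy) it gives the "audit to ensure compliance" step from the summary slide a concrete form; the forbidden-pattern list is the place to add the type 7 "password 7" lines on usernames and lines as well.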
Input Hold Queue
- A queue that stores packets destined for the router
- The input hold queue is important for initial BGP convergence (when you are sending the full table)
- DoS/DDoS attacks against the router can fill the input hold queue, knocking out legitimate packets
- The input hold queue is physically on the route processor (RP on the 7500, GRP on the 12000)
- The default is 75; recommend 1500 (check memory before applying, looking for 20 MB free). This improves BGP convergence with the Internet routing table
- Applied to all interfaces:
    interface XXXXXX
     hold-queue 1500 in
Input Hold Queue
  12008-e10-2#sh inter pos 5/0
  POS5/0 is up, line protocol is up.
  ...
  Output queue 0/40, 0 drops; input queue 97/1500, 54 drops
  5 minute input rate 76502000 bits/sec, 31139 packets/sec
  5 minute output rate 72517000 bits/sec, 26560 packets/sec
  ...

Selective Packet Discard (SPD)
- When a link goes into a saturated state you will drop packets; the problem is that you will drop any type of packet, including your routing protocols
- Selective Packet Discard (SPD) will attempt to drop non-routing packets instead of routing packets when the link is overloaded
Selective Packet Discard (SPD)
- Input hold queue (default 75)
- SPD headroom (default 100; increased to 1000 in 12.0(22)S)
- SPD extended headroom (default 10)

  Queue depth   Region                    Traffic still accepted
  0 .. 75       interface input queue     normal IP, BGP, IS-IS, OSPF, HDLC
  75 .. 175     SPD headroom              BGP, IS-IS, OSPF, HDLC
  175 .. 185    SPD extended headroom     IS-IS, OSPF, HDLC

Monitoring SPD Queues
- You have a problem when you see the number of priority packet drops increase (counter H) or the fast flushes increase (counter D):

  GSR-2#sh interface pos 0/0 switching
  POS0/0 Link to GSR#1
      Throttle count        A
      Drops           RP    B      SP     C
      SPD Flushes     Fast  D      SSE    E
      SPD Aggress     Fast  F
      SPD Priority    Inputs G     Drops  H
  (the letters mark the counter positions in the output)
Monitoring SPD Modes
- SPD has three drop modes:
  - NORMAL: below threshold
  - RANDOM: the min threshold has been reached
  - MAX: the max threshold has been reached
- There is a problem when the current mode is MAX

  GSR-2#sh ip spd
  Current mode: normal.
  Queue min/max thresholds: 73/100, Headroom: 1000, Extended Headroom: 100
  IP normal queue: 0, priority queue: 0.
  SPD special drop mode: aggressively drop bad packets

Infrastructure Security
(Figure: devices outside the network sending telnet and SNMP toward the core.)
- Why should outside devices be talking to your core?
- Infrastructure ACLs (iACL)
- Receive ACLs (rACL)
- Control Plane Policing (CoPP)
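The two monitoring slides above say what to watch for (drop counters rising, the queue filling, SPD in MAX mode) but leave the comparison to the operator. The script below is an added example (not Cisco's) that takes two successive "show interfaces" snapshots plus the current "show ip spd" output and produces alerts for new input-queue drops, a queue past a fill threshold, interfaces still at the default hold-queue of 75, and SPD in MAX mode. The snapshots are constructed using the line layout of the deck's own show output.

```python
"""Flag input-hold-queue pressure and SPD distress from two successive
snapshots of "show interfaces" and the current "show ip spd" output.

Added example, not Cisco's; the snapshots are constructed with the line
layout of the deck's own show output."""
import re

IF_RE = re.compile(r"^(?P<name>\S+) is (up|down|administratively down), line protocol is (up|down)")
INQ_RE = re.compile(r"input queue (?P<depth>\d+)/(?P<max>\d+), (?P<drops>\d+) drops")
SPD_MODE_RE = re.compile(r"Current mode: (\w+)")

BEFORE = """\
POS5/0 is up, line protocol is up
  Hardware is Packet over SONET
  Output queue 0/40, 0 drops; input queue 3/1500, 50 drops
  5 minute input rate 61000000 bits/sec, 24000 packets/sec
GigabitEthernet3/0 is up, line protocol is up
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
"""
AFTER = """\
POS5/0 is up, line protocol is up
  Hardware is Packet over SONET
  Output queue 0/40, 0 drops; input queue 97/1500, 54 drops
  5 minute input rate 76502000 bits/sec, 31139 packets/sec
GigabitEthernet3/0 is up, line protocol is up
  Output queue 0/40, 0 drops; input queue 60/75, 0 drops
"""
SPD = """\
Current mode: max.
Queue min/max thresholds: 73/100, Headroom: 1000, Extended Headroom: 100
IP normal queue: 0, priority queue: 0.
SPD special drop mode: aggressively drop bad packets
"""


def parse_show_interfaces(text):
    """Map interface name -> {depth, max, drops} of its input hold queue."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = IF_RE.match(line)
        if m:
            cur = m.group("name")
            ifaces[cur] = {}
            continue
        m = INQ_RE.search(line)
        if m and cur is not None:
            ifaces[cur] = {k: int(v) for k, v in m.groupdict().items()}
    return ifaces


def spd_mode(text):
    """'normal', 'random' or 'max' from show ip spd, or None if absent."""
    m = SPD_MODE_RE.search(text)
    return m.group(1).lower() if m else None


def assess(before_text, after_text, spd_text, fill_warn=0.5, recommended=1500):
    """Alerts that a polling script would raise between two samples."""
    before = parse_show_interfaces(before_text)
    alerts = []
    for name, now in parse_show_interfaces(after_text).items():
        if "depth" not in now:
            continue
        new_drops = now["drops"] - before.get(name, {}).get("drops", 0)   # counters only grow
        if new_drops > 0:
            alerts.append(f"{name}: {new_drops} new input queue drops")
        if now["depth"] / now["max"] >= fill_warn:
            pct = now["depth"] * 100 // now["max"]
            alerts.append(f"{name}: input queue {now['depth']}/{now['max']} ({pct}% full)")
        if now["max"] < recommended:
            alerts.append(f"{name}: hold-queue {now['max']} below recommended {recommended}")
    if spd_mode(spd_text) == "max":
        alerts.append("SPD in MAX drop mode")
    return alerts


if __name__ == "__main__":
    print("\n".join(assess(BEFORE, AFTER, SPD)))
```

Deltas rather than absolute counters are the point: the 54 drops on POS5/0 in the deck's output are only interesting if they were not 54 an hour ago.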
Infrastructure ACLs
- Basic premise: filter traffic destined TO your core routers. Do your core routers really need to process all kinds of garbage?
- Develop a list of the required protocols that are sourced from outside your AS and access core routers, for example eBGP peering, GRE, IPsec; use a classification ACL as required
- Identify the core address block(s): this is the protected address space. Summarization is critical, giving simpler and shorter ACLs
- The infrastructure ACL permits only the required protocols and denies ALL others to infrastructure space
- The ACL should also provide anti-spoof filtering:
  - Deny your own space from external sources
  - Deny RFC 1918 space
  - Deny multicast source addresses (224/4)
  - RFC 3330 defines special-use IPv4 addressing
Infrastructure ACLs
- The infrastructure ACL must permit transit traffic: traffic passing through the routers must be allowed via "permit ip any any"
- The ACL is applied inbound on ingress interfaces
- Fragments destined to the core can be filtered via the fragments keyword. Fragments pose a security risk: a non-initial fragment carries no layer 4 header, so by default an ACL entry that specifies ports cannot match it on those ports, and it may slip through a port-based filter. Fragments to the core are likely not needed:
    access-list 101 deny ip any core_cidr_block fragments

Infrastructure ACL in Action
(Figure: edge routers R1, R2 and R4 apply the ACL inbound on their external interfaces; R3 and R5 are internal, CR1 and CR2 are core routers, and CR1 has an eBGP peer. A packet with source 127.0.0.1 to any destination is dropped at the edge; a packet with a valid source destined to any router Rx is dropped; a packet from the eBGP peer destined to CR1 is permitted; a packet with a valid source destined outside the AS, e.g. to a customer, is permitted as transit traffic.)
Example: Infrastructure ACL
    ! Deny our internal space as a source of external packets
    access-list 101 deny ip our_cidr_block any
    ! Deny source addresses of 0.0.0.0 and 127/8
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    ! Deny RFC 1918 space from entering the AS
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    ! The only protocol that requires infrastructure access is eBGP;
    ! we have defined both the source and the destination addresses
    access-list 101 permit tcp host peera host peerb eq 179
    access-list 101 permit tcp host peera eq 179 host peerb
    ! Deny all other access to infrastructure
    access-list 101 deny ip any core_cidr_block
    ! Permit all data plane traffic
    access-list 101 permit ip any any
(The wildcard for 172.16.0.0/12 is 0.15.255.255; the wildcard 0.0.15.255 would cover only 172.16.0.0/20.)
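To check that an infrastructure ACL does what the "in action" figure claims before it goes on a border router, it helps to evaluate it offline against representative packets. The script below is an added example (not Cisco's): a first-match evaluator for the subset of extended-ACL syntax the deck uses (ip/tcp, host, contiguous wildcard masks, any, eq port), run against the ACL above. The deck's placeholders get constructed values: our_cidr_block is 192.0.2.0/24, core_cidr_block (loopbacks and link addresses) is 192.0.2.0/26, and the eBGP session runs between peera 198.51.100.1 and peerb 192.0.2.2.

```python
"""First-match evaluation of the infrastructure ACL above against the
packets of the "Infrastructure ACL in Action" figure.

Added example, not Cisco's. Handles the subset of extended-ACL syntax the
deck uses (ip/tcp, host, contiguous wildcard masks, any, eq <port>).
The deck's placeholders are given constructed values below."""
import ipaddress

OUR_BLOCK = "192.0.2.0/24"                     # constructed value for our_cidr_block
CORE_BLOCK = "192.0.2.0/26"                    # constructed value for core_cidr_block
PEER_A, PEER_B = "198.51.100.1", "192.0.2.2"   # constructed peera / peerb


def wildcard(cidr):
    """CIDR -> 'network wildcard' as IOS ACLs write it."""
    net = ipaddress.ip_network(cidr)
    return f"{net.network_address} {net.hostmask}"


IACL = f"""\
! Deny our internal space as a source of external packets
access-list 101 deny ip {wildcard(OUR_BLOCK)} any
! Deny source addresses of 0.0.0.0 and 127/8
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
! Deny RFC 1918 space from entering the AS
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
! Only eBGP needs to reach infrastructure, and only between the known peer addresses
access-list 101 permit tcp host {PEER_A} host {PEER_B} eq 179
access-list 101 permit tcp host {PEER_A} eq 179 host {PEER_B}
! Deny all other access to infrastructure
access-list 101 deny ip any {wildcard(CORE_BLOCK)}
! Permit all data plane traffic
access-list 101 permit ip any any
"""


def _addr(tok, i):
    """Parse one address spec starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    hostbits = int(ipaddress.ip_address(tok[i + 1])).bit_length()   # contiguous wildcard only
    return ipaddress.ip_network(f"{tok[i]}/{32 - hostbits}", strict=False), i + 2


def _port(tok, i):
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """-> [(action, proto, src_net, sport, dst_net, dport, text)] in order."""
    entries = []
    for line in text.splitlines():
        line = line.split("!")[0].strip()
        if not line:
            continue
        tok = line.split()
        action, proto = tok[2], tok[3]
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        entries.append((action, proto, src, sport, dst, dport, line))
    return entries


def evaluate(entries, src, dst, proto="ip", sport=None, dport=None):
    """Return (action, matching ACE); the implicit deny ends every IOS ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, eproto, esrc, esport, edst, edport, line in entries:
        if eproto != "ip" and eproto != proto:
            continue
        if s not in esrc or d not in edst:
            continue
        if esport is not None and esport != sport:
            continue
        if edport is not None and edport != dport:
            continue
        return action, line
    return "deny", "implicit deny"


if __name__ == "__main__":
    acl = parse_acl(IACL)
    for pkt in [("127.0.0.1", "203.0.113.5", "ip", None, None),
                (PEER_A, PEER_B, "tcp", 40000, 179),
                ("198.51.100.77", "192.0.2.1", "tcp", 40000, 23),
                ("198.51.100.77", "192.0.2.200", "tcp", 40000, 80)]:
        print(pkt, "->", evaluate(acl, *pkt))
```

The test worth keeping is the last one in the main block: a packet to an address inside our allocation but outside the summarized core block is transit traffic and must reach "permit ip any any", which is exactly why the slide insists that the core block be summarized separately from customer space.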
Receive ACLs (7500/GSR)
- Excessive traffic destined to the RP can lead to high CPU and DoS
- Receive ACLs filter traffic destined to the RP via receive adjacencies
- rACLs explicitly permit or deny traffic destined to the GRP
- rACLs do NOT affect transit traffic
- Traffic is filtered on the ingress line card, prior to RP processing
- rACLs enforce security policy by filtering who/what can access the router

Receive Adjacencies
- CEF entries for traffic destined to the router: real interfaces, loopbacks
  12000-1#sh ip cef
  Prefix              Next Hop        Interface
  10.1.2.0/24         172.16.1.216    GigabitEthernet3/0
  10.1.3.0/24         172.16.1.216    GigabitEthernet3/0
  172.16.1.196/32     receive
  (172.16.1.196 is an interface IP address)
- Packets whose next hop is "receive" are sent to the RP for processing
Receive ACL Command
- Introduced in 12.0(21)S2 / 12.0(22)S:
    ip receive access-list [number]
- Standard, extended or compiled ACL
- As with other ACL types, show access-list provides ACE hit counts
- Only affects IP protocols; IS-IS permit statements are not required
- The log keyword can be used for more detail

Receive ACL: Traffic Flow
(Figure: "[no] ip receive access-list <num>" on a GSR. Packets entering a line-card interface are switched either through the router, out another line card without touching the receive ACL, or to the router, in which case they pass the receive ACL on the ingress line card before reaching the GRP.)
rACL: Building Your ACL
- Develop a list of the required protocols: OSPF, BGP, SSH, etc., e.g.
    access-list 110 permit tcp src_ip host loopback eq 22
- Develop the address requirements: determine the interface on the router. Many interfaces? Loopback or real?
- Deployment is an iterative process: start with relatively open lists and tighten as needed

rACL: Summary
- Advantages: a single point of protection for receive adjacencies
- Limitations:
  - Platform support: only the 7500 and GSR
  - Binary decision: can only permit or deny packets. Some types of traffic can be either good or bad; it would be nice to have rate-limiting capabilities
Control Plane Policing (CoPP)
- CoPP leverages the Modular QoS CLI (MQC) for QoS policy definition: a consistent approach on all boxes
- Dedicated control-plane interface: a single point of application
- Highly flexible: permit, deny, rate limit
- Extensible protection: changes to MQC (e.g. ACL keywords) are applicable to CoPP

Protecting the Control Plane
(Figure: incoming packets go through the CEF/FIB lookup; locally switched packets go to the output packet buffer, processor-switched packets enter the control plane, which handles management (SNMP, Telnet, SSH, SSL), ICMP, IPv6 and routing updates. Control Plane Policing is applied on input to the control plane to alleviate DoS attacks; "silent mode" on output from the control plane prevents reconnaissance. Infrastructure Security, 3/04, for Cisco internal use only.)
Configuring CoPP
- The CoPP policy is applied to the control plane itself:
    Router(config)# control-plane
    Router(config-cp)# service-policy input control-plane-policy
- Three-step process:
  1. Define classes of traffic (create class-maps)
  2. Define the actual QoS policy, the application of rate limiting to the traffic classes (create policy-maps)
  3. Apply the CoPP policy to the control-plane interface

Sample CoPP Configuration
    ! Traffic to be rate-limited: SSH and SNMP from the management hosts
    Router(config)# access-list 140 permit tcp host 10.1.1.1 any eq 22
    Router(config)# access-list 140 permit udp host 10.1.1.2 any eq snmp
    ! Define a class-map for this traffic
    Router(config)# class-map mgmt-class
    Router(config-cmap)# match access-group 140
    Router(config-cmap)# exit
    ! Define the policy for this class map: up to 80 kbps is transmitted, the rest dropped
    Router(config)# policy-map control-plane-policy
    Router(config-pmap)# class mgmt-class
    Router(config-pmap-c)# police 80000 conform-action transmit exceed-action drop
    Router(config-pmap-c)# exit
    Router(config-pmap)# exit
    ! Apply the policy to the control plane
    Router(config)# control-plane
    Router(config-cp)# service-policy input control-plane-policy
    Router(config-cp)# exit
Deploying CoPP
- What rate of TCP/179 traffic is normal or acceptable?
- rACLs are relatively simple to deploy: permit BGP/OSPF/SNMP/etc., deny all else
- To get the most value from CoPP, detailed planning is required, depending on how you plan to deploy it: bps vs. pps, in vs. out
- Easy answer: mimic rACL behavior, with the same limitations as rACLs
- Recommendations:
  - Develop multiple classes of control plane traffic, e.g. critical, important, normal, undesirable, default
  - Use ACLs to define the traffic for each
  - Depending on the class defined, apply the appropriate policy: critical, no rate limit; important, a high rate limit; and so on
  - Flexible class definition allows extension of the model: fragments, TOS, ARP(!)
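The class model recommended above is easier to reason about when the policer is simulated against traffic you can describe. The script below is an added example (not Cisco's) that stands in for the class-map ACLs with a small classifier, gives each class a single-rate token-bucket policer in bits per second as the police command does, and runs a constructed stream through it: legitimate BGP from a configured peer, an SSH burst from the NOC, a TCP/179 flood from a non-peer, telnet probes and pings. The peer and management addresses are constructed.

```python
"""Class-based control-plane policing simulated over a constructed stream
of punted packets: the critical / important / normal / undesirable / default
model recommended above, with an ACL-style classifier and one single-rate
token-bucket policer per class.

Added example, not Cisco's. Rates are bits per second as in the police
command; the peer and management addresses are constructed."""
import ipaddress


class TokenBucket:
    """Single-rate policer: rate in bits/s, burst in bytes; tokens are bytes."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate, self.burst = rate_bps, burst_bytes
        self.tokens, self.last = float(burst_bytes), 0.0

    def conform(self, t, size_bytes):
        self.tokens = min(self.burst, self.tokens + max(0.0, t - self.last) * self.rate / 8)
        self.last = t
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return True
        return False


BGP_PEERS = {ipaddress.ip_address("10.1.2.1")}      # configured eBGP neighbors (constructed)
MGMT = ipaddress.ip_network("192.168.1.0/24")       # NOC hosts allowed SSH/SNMP (constructed)


def classify(pkt):
    """Stand-in for the class-map ACLs; first match wins, as in the policy-map."""
    if pkt["proto"] == "tcp" and pkt["dport"] == 179 and pkt["src"] in BGP_PEERS:
        return "critical"
    if pkt["src"] in MGMT and (pkt["proto"], pkt["dport"]) in {("tcp", 22), ("udp", 161)}:
        return "important"
    if pkt["proto"] == "tcp" and pkt["dport"] in (23, 179):   # telnet, or BGP from a non-peer
        return "undesirable"
    if pkt["proto"] == "icmp":
        return "normal"
    return "default"


def build_policy():
    return {
        "critical": None,                          # no rate limit
        "important": TokenBucket(80_000, 4_000),   # 80 kbps, as in the sample policy-map
        "normal": TokenBucket(16_000, 2_000),
        "undesirable": TokenBucket(0, 0),          # police to zero: every packet exceeds
        "default": TokenBucket(8_000, 1_000),
    }


def police(stream):
    """Return {class: (conformed, exceeded)} for a time-ordered packet stream."""
    policy, stats = build_policy(), {}
    for pkt in stream:
        cls = classify(pkt)
        bucket = policy[cls]
        ok = True if bucket is None else bucket.conform(pkt["t"], pkt["size"])
        c, e = stats.get(cls, (0, 0))
        stats[cls] = (c + 1, e) if ok else (c, e + 1)
    return {cls: stats.get(cls, (0, 0)) for cls in policy}


def sample_stream():
    """Constructed traffic: BGP from the peer, an SSH burst, a TCP/179 flood from a non-peer, telnet probes, pings."""
    def mk(t, src, proto, dport, size):
        return {"t": t, "src": ipaddress.ip_address(src), "proto": proto, "dport": dport, "size": size}
    pkts = [mk(i * 0.05, "10.1.2.1", "tcp", 179, 500) for i in range(20)]
    pkts += [mk(0.0, "192.168.1.10", "tcp", 22, 1000) for _ in range(10)]   # 10 kB at once against a 4 kB burst
    pkts.append(mk(1.0, "192.168.1.10", "tcp", 22, 1000))                   # a second later the bucket has refilled
    pkts += [mk(i * 0.01, "203.0.113.9", "tcp", 179, 64) for i in range(50)]
    pkts += [mk(0.3 + i * 0.1, "203.0.113.9", "tcp", 23, 64) for i in range(5)]
    pkts += [mk(0.2 + i * 0.1, "198.51.100.7", "icmp", None, 100) for i in range(3)]
    return sorted(pkts, key=lambda p: p["t"])


if __name__ == "__main__":
    for cls, (ok, dropped) in police(sample_stream()).items():
        print(f"{cls:12s} conformed={ok:3d} exceeded={dropped:3d}")
```

Two design choices carry over to the real policy-map: the BGP flood from a non-peer lands in "undesirable" only because the "critical" class matched on the configured peer address first, so the order of classes is part of the security policy; and policing "undesirable" to zero instead of dropping it with an ACL keeps the conform/exceed counters visible in show policy-map control-plane, which is the only diagnostic the next slide says you have.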
Deploying CoPP: Challenges
- Every network is going to have a different rate for all kinds of traffic; only time and experience will help
- Show commands can help with ACL hits and rate information
- Currently no log keyword, which makes it hard to diagnose the required traffic
- Real-world hardware vs. software performance implications (GSR, Sup720)
- Deployment whitepaper:
  http://www.cisco.com/en/us/products/sw/iosswrel/ps1838/products_white_paper09186a0080211f39.shtml

CoPP: Release Info / Availability
- Supported in 12.3(4)T
- Supported in 12.2(18)S
- 12.0S: work in progress
- Support is being added in hardware in the Sup720: the control-plane policy is pushed down to the hardware forwarding engine(s), and the application of the CoPP policy (policing/dropping) is performed in hardware
CONTROL PLANE

Routing Protocol Security
- Routing protocols can be attacked, accidentally or intentionally:
  - Denial of service
  - Smoke screens
  - False information
  - Rerouting of packets
- Protect the routing protocol with prefix filtering and routing protocol authentication
What to Prefix Filter?
- Bogons: IANA has reserved several blocks of IPv4 that have yet to be allocated to an RIR
  http://www.iana.org/assignments/ipv4-address-space
- Special-Use IPv4 Addresses: Special Use Addresses (SUA) are reserved for special use :-)
  Defined in RFC 3330: ftp://ftp.isi.edu/in-notes/rfc3330.txt
  Examples: 127.0.0.1, 192.0.2.0/24
- These blocks of IPv4 addresses should never be advertised into the global Internet route table
- Filters should be applied on the AS border for all inbound and outbound advertisements

Where to Prefix Filter?
(Figure: AS 100 with neighbouring ASes 200, 300, 400 and 500 and routers A, B, C, D, E, M, N, W and X. Ingress filters on the customer-facing routers filter the customer's prefixes; ingress filters on the peering routers filter prefixes coming from the Internet; egress filters control the prefixes announced to the Internet; customer links are filtered both in and out.)
How to Prefix Filter? Ingress and Egress Route Filtering
- Two flavors of route filtering: distribute lists (widely used) and prefix lists (increasingly used). Both work fine; it is an engineering preference
- Two filtering techniques: explicit permit (permit, then deny any) and explicit deny (deny, then permit any)

Extended ACL for a BGP Distribute List
    access-list 150 deny ip host 0.0.0.0 any
    access-list 150 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
    access-list 150 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
    access-list 150 deny ip 169.254.0.0 0.0.255.255 255.255.0.0 0.0.255.255
    access-list 150 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
    access-list 150 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
    access-list 150 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
    access-list 150 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
    access-list 150 permit ip any any
(In a BGP distribute list the source field of an extended ACL matches the prefix and the destination field matches its mask, so "10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255" matches any prefix inside 10/8 with a mask of /8 or longer.)
Prefix List for BGP
    ip prefix-list rfc1918-dsua deny 0.0.0.0/8 le 32
    ip prefix-list rfc1918-dsua deny 10.0.0.0/8 le 32
    ip prefix-list rfc1918-dsua deny 127.0.0.0/8 le 32
    ip prefix-list rfc1918-dsua deny 169.254.0.0/16 le 32
    ip prefix-list rfc1918-dsua deny 172.16.0.0/12 le 32
    ip prefix-list rfc1918-dsua deny 192.0.2.0/24 le 32
    ip prefix-list rfc1918-dsua deny 192.168.0.0/16 le 32
    ip prefix-list rfc1918-dsua deny 224.0.0.0/3 le 32
    ip prefix-list rfc1918-dsua permit 0.0.0.0/0 le 32

BGP Route Filtering
    router bgp 200
     no synchronization
     bgp dampening
     neighbor 10.220.4.1 remote-as 210
     neighbor 10.220.4.1 version 4
     neighbor 10.220.4.1 distribute-list 150 in
     neighbor 10.220.4.1 distribute-list 150 out
     neighbor 10.222.8.1 remote-as 220
     neighbor 10.222.8.1 version 4
     neighbor 10.222.8.1 prefix-list rfc1918-dsua in
     neighbor 10.222.8.1 prefix-list rfc1918-dsua out
     no auto-summary
Prefix Filter All Routes from Customers!
- ISPs should only accept prefixes which have been assigned or allocated to their downstream peer/customer
- Example: the customer has the 10.50.0.0/20 block. The customer should only announce this block upstream, and you should only accept this prefix from them
- Explicitly permit prefixes from other ISPs (i.e. a multihomed customer)
(Figure: prefix filters on both ends of the customer-ISP link and of the ISP-peer link.)

Prefix Filter All Routes to Peers!
- What do you send to the Internet? Your prefixes, and the more-specific prefixes of customers who are multihoming
- What do you not send to the Internet? Special-use addresses and bogons; assume garbage will leak into your iBGP
- Lower prefix boundary: unless absolutely necessary, do not allow anything in the /25 to /32 range
- The egress filter list can grow to be very large: more-specifics for customers, specific blocks from other ISPs
Prefix Filter All Routes from Peers!
- Ingress routes from peers and/or the upstream ISP are the nets of the Internet
- Ideally the peering policy should be specific so that exact filters can be put in place, but the dynamic nature of peering makes it hard to maintain specific route filters
- Don't accept RFC 1918 etc. prefixes
- Don't accept your own prefix
- Don't accept default (unless you need it)
- Don't accept prefixes longer than /24

Secure Routing: Route Authentication
- Configure routing authentication: the sender signs its route updates and the receiver verifies the signature, which certifies the authenticity of the neighbor and the integrity of the route updates
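Prefix-list semantics (exact match unless ge/le widen the length range, implicit deny at the end) are what make the three filters on these slides work, and they are easy to get subtly wrong. The script below is an added example (not Cisco's) that evaluates IOS prefix-list entries with those semantics, runs the rfc1918-dsua list from the earlier slide, builds the peer-facing list this slide describes (no default, none of our own space, no bogons, nothing longer than /24), and shows a customer list that accepts exactly the customer's allocation. The announcements and the prefixes of "our" AS are constructed.

```python
"""Evaluate IOS prefix-list entries (deny/permit prefix [ge n] [le m]) with
the semantics the rfc1918-dsua list relies on, then build the peer-facing
list described on this slide and a customer list that accepts exactly the
customer's allocation.

Added example, not Cisco's; the announcements and "our" prefixes are constructed."""
import ipaddress

RFC1918_DSUA = """\
ip prefix-list rfc1918-dsua deny 0.0.0.0/8 le 32
ip prefix-list rfc1918-dsua deny 10.0.0.0/8 le 32
ip prefix-list rfc1918-dsua deny 127.0.0.0/8 le 32
ip prefix-list rfc1918-dsua deny 169.254.0.0/16 le 32
ip prefix-list rfc1918-dsua deny 172.16.0.0/12 le 32
ip prefix-list rfc1918-dsua deny 192.0.2.0/24 le 32
ip prefix-list rfc1918-dsua deny 192.168.0.0/16 le 32
ip prefix-list rfc1918-dsua deny 224.0.0.0/3 le 32
ip prefix-list rfc1918-dsua permit 0.0.0.0/0 le 32
"""


def parse_prefix_list(text):
    """-> [(name, action, network, ge, le)] in configuration order."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[:2] != ["ip", "prefix-list"]:
            continue
        ge = le = None
        for key, val in zip(tok[5::2], tok[6::2]):
            if key == "ge":
                ge = int(val)
            elif key == "le":
                le = int(val)
        entries.append((tok[2], tok[3], ipaddress.ip_network(tok[4]), ge, le))
    return entries


def matches(entry, route):
    """IOS rule: no ge/le = exact length; ge n = n..32; le m = prefixlen..m; both = n..m."""
    _, _, prefix, ge, le = entry
    lo = prefix.prefixlen if ge is None else ge
    hi = le if le is not None else (32 if ge is not None else prefix.prefixlen)
    return route.subnet_of(prefix) and lo <= route.prefixlen <= hi


def evaluate(entries, route):
    """First matching entry decides; an IOS prefix list ends with an implicit deny."""
    route = ipaddress.ip_network(route)
    for entry in entries:
        if matches(entry, route):
            return entry[1]
    return "deny"


def peer_inbound_list(our_prefixes, name="peer-in"):
    """Ingress list for a peer or upstream: no default, none of our space, no bogons, nothing longer than /24."""
    lines = [f"ip prefix-list {name} deny 0.0.0.0/0"]                       # exact match: the default route only
    lines += [f"ip prefix-list {name} deny {p} le 32" for p in our_prefixes]  # our space and any more-specific of it
    lines += [ln.replace("rfc1918-dsua", name) for ln in RFC1918_DSUA.splitlines() if " deny " in ln]
    lines.append(f"ip prefix-list {name} permit 0.0.0.0/0 le 24")           # everything else, /0../24 only
    return "\n".join(lines)


if __name__ == "__main__":
    peer = parse_prefix_list(peer_inbound_list(["203.0.113.0/24"]))
    for announced in ["0.0.0.0/0", "203.0.113.128/25", "198.51.100.0/24", "198.51.100.0/25", "10.50.0.0/20"]:
        print(f"{announced:18s} {evaluate(peer, announced)}")
    customer = parse_prefix_list("ip prefix-list cust-a permit 10.50.0.0/20")
    print("customer /21 more-specific:", evaluate(customer, "10.50.0.0/21"))
```

The two entries that differ only by ge/le are the ones to read carefully: "deny 0.0.0.0/0" with no modifier blocks only the default route, while "permit 0.0.0.0/0 le 24" at the end is what enforces the /24 boundary, because anything longer falls through to the implicit deny.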
Route Authentication
- Authenticates routing update packets; a shared key is included in the routing updates
- Plain text: protects against accidental problems only
- Message Digest 5 (MD5): protects against accidental and intentional problems
- Often not implemented: "never seen an attack", "my peer doesn't use it"
- Multiple keys are supported, with key lifetimes based on time of day; the first valid key is used
- Supported for BGP, IS-IS, OSPF, RIPv2 and EIGRP; the syntax differs depending on the routing protocol
OSPF and IS-IS Authentication Example
    ! OSPF (MD5)
    interface ethernet1
     ip address 10.1.1.1 255.255.255.0
     ip ospf message-digest-key 100 md5 qa*>hh3!
    router ospf 1
     network 10.1.1.0 0.0.0.255 area 0
     area 0 authentication message-digest

    ! IS-IS (note: "isis password" is a cleartext interface password, not MD5)
    interface ethernet0
     ip address 10.1.1.1 255.255.255.0
     ip router isis
     isis password pe#$rt@s level-2

BGP Route Authentication
    router bgp 200
     no synchronization
     neighbor 10.1.2.1 remote-as 300
     neighbor 10.1.2.1 description Link to Excalabur
     neighbor 10.1.2.1 send-community
     neighbor 10.1.2.1 version 4
     neighbor 10.1.2.1 soft-reconfiguration inbound
     neighbor 10.1.2.1 route-map Community1 out
     neighbor 10.1.2.1 password 7 iuhg9287dhsa7swk
BGP Route Authentication
- Works per neighbor or for an entire peer-group
- Two routers with a password mismatch:
    %TCP-6-BADAUTH: Invalid MD5 digest from [peer's IP address]:11004 to [local router's IP address]:179
- One router has a password and the other does not:
    %TCP-6-BADAUTH: No MD5 digest from [peer's IP address]:11003 to [local router's IP address]:179

DATA PLANE
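The "neighbor ... password" command enables the TCP MD5 signature option of RFC 2385, and the two syslog messages above are the receiver's two failure cases. The script below is an added example (not Cisco's) that computes the option's digest for a constructed BGP KEEPALIVE segment and verifies it as a receiver would: a matching password gives OK, a different password gives the "Invalid MD5 digest" case, and a missing option gives the "No MD5 digest" case. The field order (pseudo-header, fixed TCP header with checksum zero and no option bytes, payload, password) is RFC 2385's; the addresses and sequence numbers are constructed.

```python
"""Compute and verify the TCP MD5 signature option (RFC 2385) that
"neighbor ... password" enables on a BGP session, reproducing offline the
two %TCP-6-BADAUTH conditions above.

Added example, not Cisco's; the segment is a constructed BGP KEEPALIVE.
Per RFC 2385 the digest covers, in order: the TCP pseudo-header (source
address, destination address, zero, protocol 6, segment length), the 20-byte
TCP header with checksum zero and without its option bytes, the payload, and
the configured password."""
import hashlib
import hmac
import ipaddress
import struct

BGP_KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"   # marker, length 19, type 4 (KEEPALIVE)


def tcp_md5_digest(src_ip, dst_ip, sport, dport, seq, ack, flags, window, urgent,
                   payload, password, data_offset_words=10):
    """data_offset_words is the header length on the wire in 32-bit words:
    5 for the fixed header plus 5 for the 18-byte MD5 option padded to 20."""
    seg_len = data_offset_words * 4 + len(payload)
    pseudo = (ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, seg_len))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                          data_offset_words << 4, flags, window, 0, urgent)   # checksum field = 0
    return hashlib.md5(pseudo + tcp_hdr + payload + password.encode()).digest()


def check_segment(received_digest, password, **segment):
    """Receiver side: mirror the two syslog messages the deck shows."""
    if received_digest is None:
        return "No MD5 digest"            # the peer has no password configured
    expected = tcp_md5_digest(password=password, **segment)
    if not hmac.compare_digest(received_digest, expected):
        return "Invalid MD5 digest"       # passwords differ, or the segment was altered in flight
    return "OK"


if __name__ == "__main__":
    seg = dict(src_ip="10.1.2.1", dst_ip="10.1.2.2", sport=11004, dport=179, seq=1000, ack=2000,
               flags=0x18, window=16384, urgent=0, payload=BGP_KEEPALIVE)
    sent = tcp_md5_digest(password="s3cret", **seg)
    print("option digest:", sent.hex())
    for pw, option in [("s3cret", sent), ("wr0ng", sent), ("s3cret", None)]:
        print(f"{pw:7s} -> {check_segment(option, pw, **seg)}")
```

Because the sequence number and segment length are inside the digest, a spoofed RST or a replayed segment with a different sequence number fails the check even with the right password, which is the protection the "intentional problems" bullet on the previous slide refers to. The construction is MD5 with the key appended rather than an HMAC; it is what IOS of this era implements, and it has since been superseded by TCP-AO (RFC 5925).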
RFC 2827 / BCP 38 Ingress Packet Filtering
- Your customers should not be sending any IP packets out to the Internet with a source address other than the addresses you have allocated to them!
  ftp://ftp.isi.edu/in-notes/rfc2827.txt

BCP 38 Packet Filtering Principles
- Filter as close to the edge as possible
- Filter as precisely as possible
- Filter both source and destination where possible
Techniques for BCP 38 Filtering
- Static ACLs on the edge of the network
- Unicast RPF strict mode
- Cable source verify (DHCP)
- Dynamic ACLs with AAA profiles
- IP Source Guard

Static BCP 38 Ingress Packet Filtering
- ISP's customer allocation block: 96.0.0.0/19
- BCP 38 filter = allow only source addresses from the customer's 96.0.X.X/24, applied inbound on that customer's interface (each customer interface gets its own ACL):
    ! customer on 96.0.20.0/24
    access-list 101 permit ip 96.0.20.0 0.0.0.255 any
    ! customer on 96.0.18.0/24
    access-list 102 permit ip 96.0.18.0 0.0.0.255 any
(Figure: customers on 96.0.18.0/24, 96.0.19.0/24, 96.0.20.0/24 and 96.0.21.0/24 attached to the ISP edge, each with its ACL applied inbound, and the ISP connected onward to the Internet.)
Unicast Reverse Path Forwarding (uRPF)
- CEF is required
- The IP packet source address is checked to ensure that the route back to the source is valid
- Two flavors of uRPF:
  - Strict mode for BCP 38 / RFC 2827 filters on the customer ingress edge
  - Loose mode for the ISP-to-ISP edge and for remotely triggered black hole filtering (see SEC-2008 for additional detail)
- Care is required in multihomed situations

uRPF Strict Mode
- A simple and scalable implementation of BCP 38: how do you manage BCP 38 ACLs for over 10,000 leased-line customers?
- One command that automatically configures BCP 38 filtering, that the line engineer who first brings up the customer interface can configure without needing to create ACLs or touch the routing protocols, and whose filter is automatically updated: use uRPF!
Strict uRPF Check (Unicast Reverse Path Forwarding)
    router(config-if)# ip verify unicast reverse-path
  or:
    router(config-if)# ip verify unicast source reachable-via rx
- A packet with source S arrives on i/f 1 and the FIB is consulted for S. If the FIB says S -> i/f 1, the same interface the packet arrived on, forward; if it says S -> i/f 2, another interface, drop.

Loose uRPF Check (Unicast Reverse Path Forwarding)
    router(config-if)# ip verify unicast source reachable-via any
- A packet with source S arrives on i/f 1. If the FIB has a route to S via any interface, forward; if S is not in the FIB, or the route points to null0, drop.
Deploying uRPF
- Single-homed customers: uRPF provides a simple, easy way to deploy BCP 38 filtering, with a simple config for many customers
- Dual-homed customers: asymmetric routing. You must tweak routing, using BGP weight and local_pref to ensure a consistent best path; uRPF can be used with dual-homed customers with proper engineering

Unicast RPF Verification
- Commands:
    show ip traffic | include RPF
    show ip interface ethernet 0/1/1 | include RPF
    debug ip cef drops rpf <ACL>

  Router# show ip traffic
  IP statistics:
    Rcvd:  1471590 total, 887368 local destination
    Drop:  3 encapsulation failed, 0 unresolved, 0 no adjacency
           0 no route, 0 unicast RPF, 0 forced drop
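The strict and loose checks on the previous slides, and the dual-homed caveat above, come down to one FIB lookup and two comparisons. The script below is an added example (not Cisco's) that makes those decisions against a small constructed FIB: a default route toward the upstream, two single-homed customer /24s, the customer aggregate pointing to Null0, and a dual-homed customer whose best path is on only one of its two links. It also models the allow-default keyword: without it uRPF ignores a default route, so the default entry counts only when allow_default is set.

```python
"""Strict and loose uRPF decisions against a small CEF/FIB table, including
the dual-homed (asymmetric) case from the deployment slide and the
allow-default behaviour.

Added example, not Cisco's; the FIB and packets are constructed. Without
the allow-default keyword uRPF ignores a default route, so the default
entry below only counts when allow_default is set."""
import ipaddress

FIB = [  # (prefix, outgoing interface); Null0 marks a discard route
    ("0.0.0.0/0", "POS5/0"),            # default toward the upstream
    ("96.0.0.0/19", "Null0"),           # the customer aggregate itself is discarded
    ("96.0.20.0/24", "Serial1/0"),      # single-homed customer A
    ("96.0.18.0/24", "Serial1/1"),      # single-homed customer B
    ("203.0.113.0/24", "Serial1/0"),    # dual-homed customer C: best path via Serial1/0 only
]
_FIB = [(ipaddress.ip_network(p), i) for p, i in FIB]


def lookup(src, allow_default=False):
    """Longest-prefix match for the source address, or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, iface in _FIB:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None or (best[0].prefixlen == 0 and not allow_default):
        return None
    return best


def urpf(src, in_iface, mode="strict", allow_default=False):
    """strict = 'ip verify unicast source reachable-via rx', loose = '... reachable-via any'.
    Returns (verdict, reason)."""
    hit = lookup(src, allow_default)
    if hit is None:
        return "drop", "no route to source"
    net, iface = hit
    if iface == "Null0":                               # source-based black hole: drops in both modes
        return "drop", f"route {net} points to Null0"
    if mode == "strict" and iface != in_iface:         # the BCP 38 check on a customer interface
        return "drop", f"best path to {net} is via {iface}, not {in_iface}"
    return "forward", f"{net} via {iface}"


if __name__ == "__main__":
    cases = [("96.0.20.5", "Serial1/0", "strict"), ("96.0.18.5", "Serial1/0", "strict"),
             ("96.0.25.1", "Serial1/0", "strict"), ("203.0.113.9", "Serial1/1", "strict"),
             ("203.0.113.9", "Serial1/1", "loose"), ("198.51.100.1", "POS5/0", "loose")]
    for src, ifc, mode in cases:
        print(f"{mode:6s} {src:14s} in {ifc:9s} -> {urpf(src, ifc, mode)}")
```

The dual-homed case is the one the deployment slide warns about: customer C's legitimate packets arriving on Serial1/1 are dropped by strict mode because the FIB's best path is Serial1/0, which is why the slide says to fix the routing (weight, local_pref) so that the best path matches the interface the traffic uses, or to fall back to loose mode on that link. The Null0 case shows why loose mode is enough for remotely triggered black-holing: a source covered by a discard route is dropped even where no interface check applies.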
SUMMARY / NEXT STEPS

Summary / Next Steps
- Protecting your infrastructure is your #1 priority
- Proper router configuration is the critical first step in increasing security:
  - Develop a baseline configuration for your various platforms
  - Audit to ensure compliance with the standard
  - Develop procedures for introducing new routers into the network
- Once a solid foundation has been deployed, advanced DoS mitigation techniques can be deployed
THANK YOU!
Q & A

Tools: SNMP
  Open source SNMP command-line tools, library, trap generator, agent, etc. available from http://www.net-snmp.org/
  Open source SNMP visualization, storage, and graphing tools developed by Tobi Oetiker:
    MRTG, the Multi Router Traffic Grapher: http://people.ee.ethz.ch/~oetiker/webtools/mrtg/
    RRDTool, the Round Robin Database Tool: http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/
  Commercial systems such as HP OpenView, Micromuse NetCool, IBM Tivoli, CA Unicenter
  Several open source systems: Big Brother (http://bb4.com/), Big Sister (http://bigsister.graeff.com/), Nagios (http://www.nagios.org/), and others
Tools: NetFlow
  OSU FlowTools: open source NetFlow collection and retrieval tools developed and maintained by Mark Fullmer, available from http://www.splintered.net/sw/flow-tools/
  FlowScan: open source NetFlow graphing/visualization tools developed and maintained by Dave Plonka, available from http://net.doit.wisc.edu/~plonka/flowscan/
  Arbor Networks Peakflow products: NetFlow-based traffic characterization and anomaly detection, http://www.arbornetworks.com/products_sp.php

Tools: Syslog
  LogAnalysis.org has references to numerous logging and analysis tools in its Library: http://loganalysis.org/
  Syslog-ng from BalaBit adds a lot of useful functionality: http://www.balabit.com/products/syslog_ng/
SP Security Reference Material
  ISP Essentials: ftp://ftp-eng.cisco.com/cons/
  SP Security Information (whitepapers and bootcamp):
    ftp://ftp-eng.cisco.com/cons/isp/security/
    ftp://ftp-eng.cisco.com/cons/isp/security/cpn-summit-2004/
  NANOG Security Curriculum: http://nanog.org/ispsecurity.html

Cisco Security Reference Material
  Cisco Security Reference Information: http://www.cisco.com/warp/public/707/ref.html
  Improving Security on Cisco Routers: http://www.cisco.com/warp/public/707/21.html
  Cisco Product Security Advisories and Notices: http://www.cisco.com/warp/public/707/advisory.html
Cisco Feature Reference Material
  Infrastructure / Transit ACL Reference:
    http://www.cisco.com/warp/public/707/iacl.html
    http://www.cisco.com/warp/public/707/tacl.html
  rACL Command Reference: http://www.cisco.com/en/us/products/sw/iosswrel/ps1829/products_feature_guide09186a00800a8531.html
  Control Plane Policing Deployment Whitepaper: http://www.cisco.com/en/us/products/sw/iosswrel/ps1838/products_white_paper09186a0080211f39.shtml
  Access Lists and IP Fragments: http://www.cisco.com/warp/public/105/acl_wp.html

Cisco Feature Reference Material
  Understanding Selective Packet Discard (SPD): http://www.cisco.com/en/us/partner/products/hw/routers/ps167/products_tech_note09186a008012fb87.shtml
  Cisco NetFlow Page: http://www.cisco.com/warp/public/732/tech/nmp/netflow/
  Cisco SNMP Page: http://www.cisco.com/en/us/tech/tk648/tk362/tk605/tech_protocol_home.html
  SNMP Object Navigator: http://www.cisco.com/pcgi-bin/support/mibbrowser/unity.pl
External Reference Material
  Secure Cisco IOS Template: http://www.cymru.com/documents/secure-iostemplate.html
  Secure BGP Template: http://www.cymru.com/documents/secure-bgptemplate.html
  Bogon List: http://www.cymru.com/documents/bogon-list.html
  Dave Dittrich's DDoS Page: http://staff.washington.edu/dittrich/misc/ddos/

External Reference Material
  BCP-38 (RFC-2827), Network Ingress Filtering: Defeating Denial of Service Attacks which Employ IP Source Address Spoofing: ftp://ftp.isi.edu/in-notes/rfc2827.txt
  RFC-3330, Special-Use IPv4 Addresses: ftp://ftp.isi.edu/in-notes/rfc3330.txt
Associated Sessions
  SEC-2004 Responding to Security Incidents
  SEC-2008 Service Provider Responses to Denial of Service Attacks
  NMS-2032 NetFlow for Accounting, Analysis and Attack
  NMS-2051 Securely Managing Your Network and SNMPv3

Recommended Reading
  Cisco ISP Essentials, ISBN 1-58705-041-2
  Network Security Principles and Practices, ISBN 1-58705-025-0
  Inside Cisco IOS Software Architecture, ISBN 1-57870-181-3
  Available on-site at the Cisco Company Store
Complete Your Online Session Evaluation!
  WHAT: Complete an online session evaluation and your name will be entered into a daily drawing
  WHY: Win fabulous prizes! Give us your feedback!
  WHERE: Go to the Internet stations located throughout the Convention Center
  HOW: Winners will be posted on the onsite Networkers Website; four winners per day