– Chapter 4 – Secure Routing - PowerPoint PPT Presentation

Slides: 19
Provided by: sceUhclE

Transcript and Presenter's Notes



1
Chapter 4 Secure Routing
  • Build security into the design of routing
  • router authentication
  • route authentication
  • control directed broadcast
  • black hole filtering
  • URPF
  • Path integrity
  • 2 Case studies

2
Design issues of secure routing
  • Route filtering
  • When designing a private network, it is important
    to ensure that route filtering is used to
    filter out any bogus or undesired routes coming
    into the private net.
  • Examples: special addresses (p.82)
  • It is equally important to ensure that the only
    networks advertised by the private network are
    those desired.
  • To ensure that IP address blocks belonging to a
    private network are not allowed to be advertised
    back into the network from outside.
  • net police filtering (aka. prefix filtering)
    next

3
Design issues of secure routing
  • Prefix Filtering
  • No routes with prefixes more specific than /20
    (or up to /24) are allowed to come in.
  • To ensure that an attack cannot be staged on a
    large ISP's router by increasing the size of its
    routing tables
  • Routes more specific than /20 are often not
    needed by large ISPs, so those routes can be
    filtered out to keep its routing table from
    getting out of control.
  • Example: p.93 (incoming route filtering in a BGP
    router)
  • Another example: next

4
Prefix Filtering Example http://www.netkit.org/software/netkit_labs/bgp/lab-bgp-3-prefix-filtering/netkit-lab-bgp-3-prefix-filtering.pdf
5
Prefix Filtering Example http://www.netkit.org/software/netkit_labs/bgp/lab-bgp-3-prefix-filtering/netkit-lab-bgp-3-prefix-filtering.pdf
  • ! only 195.11.14.0/24 is announced to neighbor
    193.10.11.2
  • ! all, with the exception of 200.1.1.0/24, is
    accepted from 193.10.11.2
  • router bgp 1
  • network 195.11.14.0/24
  • network 195.11.15.0/24
  • neighbor 193.10.11.2 remote-as 2
  • neighbor 193.10.11.2 description Router 2 of AS2
  • neighbor 193.10.11.2 prefix-list partialOut out
  • neighbor 193.10.11.2 prefix-list partialIn in
  • !
  • ip prefix-list partialOut permit 195.11.14.0/24
  • !
  • ip prefix-list partialIn deny 200.1.1.0/24
  • ip prefix-list partialIn permit any
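
Added example (not part of the original slides): a Python model of the filtering rules from slides 2, 3 and 5, covering special addresses, own blocks advertised back in, over-specific prefixes, and the outbound allow-list. The prefixes come from the configuration above; the SPECIAL list, the /24 cut-off and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed policy for AS 1, reusing the prefixes from the configuration above.
# SPECIAL is an assumed list of commonly filtered special-use ranges.
SPECIAL = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]
OWN_BLOCKS = [ipaddress.ip_network(n)
              for n in ("195.11.14.0/24", "195.11.15.0/24")]
ADVERTISE = {ipaddress.ip_network("195.11.14.0/24")}  # same intent as partialOut
MAX_PREFIX_LEN = 24  # the slides allow a cut-off of /20 or up to /24


def check_inbound(prefix):
    """Return 'permit' or a 'deny: ...' reason for a route learned from a peer."""
    net = ipaddress.ip_network(prefix)
    if any(net.subnet_of(s) for s in SPECIAL):
        return "deny: special address"
    if any(net.subnet_of(o) for o in OWN_BLOCKS):
        return "deny: own block advertised back in"
    if net.prefixlen > MAX_PREFIX_LEN:
        return "deny: more specific than /%d" % MAX_PREFIX_LEN
    return "permit"


def check_outbound(prefix):
    """Only explicitly listed networks may be announced to the peer."""
    net = ipaddress.ip_network(prefix)
    return "permit" if net in ADVERTISE else "deny: not in advertise list"


if __name__ == "__main__":
    for p in ("10.1.0.0/16", "195.11.14.0/24", "200.1.1.128/25", "200.1.0.0/16"):
        print("in ", p, "->", check_inbound(p))
    for p in ("195.11.14.0/24", "195.11.15.0/24"):
        print("out", p, "->", check_outbound(p))
```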

6
Design issues of secure routing
  • network convergence
  • depends on many factors
  • complexity of the net architecture
  • redundancy in the network
  • route calculation algorithms and configuration
  • loops in the network
  • Fast convergence is desirable.
  • Problems with a slow-converging network
  • can mean a considerable loss of revenue and/or
    productivity
  • may be subject to DoS attacks, because it takes
    longer to recover from network-disrupting attacks
    and thus aggravates problems

7
Design issues of secure routing
  • static routes
  • discussed earlier (example 3-1)
  • can be used to hard code information in the
    routing tables such that this info is unaffected
    by a network attack or propagated impact from
    other parts of the network
  • Disadvantage? scalability

8
Authentication of Router and Routes
  • Rationale of authenticating routers and routes
  • As part of an attack, the attacker may configure
    his machine or router to share incorrect routing
    information with the attacked router (AR).
  • Impacts?
  • Incorrect routing, disabled router, traffic
    redirection
  • Flood of routing table
  • e.g., A rogue router may act as a BGP speaker
    and neighbor, and advertise lots of specific
    routes into a core router's routing table.
  • Impacts?
  • slow or disabled router

9
Authentication of Router and Routes
  • Solutions?
  • Router authentication: Routers must authenticate
    each other before sharing information.
  • Password-based authentication - Drawback?
  • MD5-HMAC - Implications?
  • Route authentication: Integrity of the exchanged
    routing information must be verified.
  • Hashing-based methods, such as MD5-HMAC, can be
    used to authenticate routes.
  • Figure 4-1
  • Examples 4-1, 4-2, 4-3
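
Added example (not part of the original slides and not the wire format of any real routing protocol): a Python sketch of hash-based route authentication, where the sender appends an MD5-HMAC tag computed with a shared key and the receiver rejects updates that were altered, signed with a different key, or replayed. The packet layout, the sequence number and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # size of an MD5-HMAC tag in bytes


def sign_update(key, seq, routes):
    """Build seq (4 bytes) + newline-separated routes + MD5-HMAC tag."""
    body = struct.pack("!I", seq) + "\n".join(routes).encode()
    return body + hmac.new(key, body, hashlib.md5).digest()


class Receiver:
    """Accepts an update only if the tag verifies and the sequence advances."""

    def __init__(self, key):
        self.key = key
        self.last_seq = 0

    def accept(self, packet):
        if len(packet) < 4 + TAG_LEN:
            return None                      # too short to be valid
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.md5).digest()
        if not hmac.compare_digest(tag, expected):
            return None                      # wrong key or modified in transit
        (seq,) = struct.unpack("!I", body[:4])
        if seq <= self.last_seq:
            return None                      # replay of an old update
        self.last_seq = seq
        return body[4:].decode().split("\n")


if __name__ == "__main__":
    key = b"constructed-shared-key"          # constructed sample key
    rx = Receiver(key)
    update = sign_update(key, 1, ["195.11.14.0/24"])
    print("genuine :", rx.accept(update))
    print("replayed:", rx.accept(update))
    print("rogue   :", rx.accept(sign_update(b"guess", 2, ["10.0.0.0/8"])))
```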

10
Control/disable directed broadcast
  • Directed broadcast allows packets to be
    broadcast to all the machines on the subnet
    directly attached to a router.
  • May be used by attackers to start attacks
  • e.g., smurf attack
  • A type of DoS attack
  • Figure 21-3
  • An attacker sends a ping echo request to the
    broadcast address on a network, causing all the
    machines in that segment to send echo replies to
    the attacked router. → impact: packet flood

11
Black Hole Filtering
  • Purpose: to filter out undesired traffic, by
    directing specific routes to a null interface
  • An alternative to ACL
  • Advantage: no access list processing → saves
    processing time
  • Disadvantage: Null routing is based on the
    packet's destination IP address only, while ACL
    can work on source address, destination address,
    and layer 4 info as well.
  • A weaker form of route filtering
  • Example 4-5: interface null0

12
URPF
  • Unicast Reverse Path Forwarding
  • Purpose: to thwart attempts to send packets with
    spoofed source IP addresses
  • A mechanism configured on a router to disable
    outgoing packets with source IP addresses not in
    the range belonging to its site
  • Advantage: a more efficient and effective
    outgoing packet filtering mechanism than ACL
  • Requirement: CEF (Cisco Express Forwarding) must
    be enabled on that router, because URPF looks at
    the FIB (forwarding information base) rather than
    the routing table.
  • Example: Figure 4-2

13
URPF (cont.)
  • Constraint: cannot be deployed on a router that
    has asymmetric routes set up.
  • In asymmetric routing, more than one interface is
    used (by a router or firewall) to route packets
    of a private network. → The interface through
    which the router sends return traffic for a
    packet may not be the same interface on which the
    original packet was received.
  • In general, URPF is deployed on the edge of a
    network. → allowing the antispoofing capabilities
    to be effective to the entire network
  • Example 4-6: ip verify unicast reverse-path
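
Added example (not part of the original slides, and a model rather than router code): the reverse-path check in Python, showing a spoofed source being dropped and a legitimate packet being dropped when routing is asymmetric. The FIB entries, interface names and function names are constructed for illustration.

```python
import ipaddress


def build_fib(routes):
    """Sort (prefix, interface) pairs so the longest prefix is tried first."""
    return sorted(((ipaddress.ip_network(p), i) for p, i in routes),
                  key=lambda r: r[0].prefixlen, reverse=True)


def lookup(fib, addr):
    """Longest-prefix match: the interface the router would send to addr."""
    ip = ipaddress.ip_address(addr)
    for net, iface in fib:
        if ip in net:
            return iface
    return None


def urpf_pass(fib, src, in_iface):
    """Pass only if the best route back to src leaves via the arrival interface."""
    return lookup(fib, src) == in_iface


# Constructed FIB of an edge router with one site-facing and two ISP-facing links.
FIB = build_fib([
    ("195.11.14.0/24", "inside"),   # the site's own block
    ("200.1.1.0/24", "isp_a"),      # best path to this remote network
    ("0.0.0.0/0", "isp_b"),         # default route
])

# (source address, arrival interface, comment) - constructed sample packets
PACKETS = [
    ("195.11.14.7", "inside", "site host, genuine source"),
    ("200.1.1.9", "inside", "site host spoofing a remote source"),
    ("200.1.1.9", "isp_a", "remote host, symmetric path"),
    ("200.1.1.9", "isp_b", "remote host, asymmetric return path"),
]


def verdicts():
    return [urpf_pass(FIB, src, iface) for src, iface, _ in PACKETS]


if __name__ == "__main__":
    for (src, iface, note), ok in zip(PACKETS, verdicts()):
        print("%-12s on %-6s %-40s %s" % (src, iface, note, "pass" if ok else "DROP"))
```

The last packet is genuine traffic, yet it fails the check because the router's own best route to 200.1.1.0/24 points at a different interface; this is the asymmetric-routing constraint from the slide.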

14
Path Integrity
  • Rule of thumb: Routing should be performed based
    on the optimum paths calculated by the underlying
    routing protocols. → However, the routing
    protocols may be affected by ICMP redirects and
    IP source routing when making such calculations.
  • ICMP redirects allow a router to inform another
    router on its local segment not to use a certain
    hop in its path to a certain host → because
    including the hop will result in a path that's not
    optimal
  • ICMP redirects are enabled by default on Cisco
    routers.
  • Should be disabled unless absolutely necessary
  • IP source routing: next

15
Path Integrity (cont.)
  • IP source routing: an IP feature allowing a user
    to set a field in the IP packet to specify the
    desired path
  • May be used by attackers to subvert the workings
    of normal routing protocols
  • Example: An attacker can specify a router (A)
    that is attached to both a private and the public
    network as an intermediate point in the source
    path to reach a private address (e.g., 10.1.1.1).
  • All intermediate routers, with IP source routing
    enabled, will forward the packet to router A. →
    causing DoS attack
  • Advice: disable IP source routing on the router

16
Case study 1: Securing the BGP Routing Protocol
  • an exterior gateway protocol
  • Example techniques
  • Enable BGP peer authentication
  • Filter incoming routes
  • Filter outgoing routes
  • Use the network statement to advertise the
    network block
  • Disable BGP multihop feature (that is, do not
    allow peering between routers not directly
    connected to each other)
  • Control TCP port 179 → using the firewall or ACLs
    to do the filtering
  • Disable BGP version negotiation (instead,
    hard-code the version info)
  • Use police filters and null routes
  • Set up route dampening values → to prevent
    flapping routes
  • Use the maximum-prefix command
  • Logging changes in neighbor status

17
Case Study 2: Securing the OSPF routing protocols
  • an interior gateway protocol
  • Example techniques
  • Router authentication
  • Nonbroadcast neighbor configuration
  • Using stub areas
  • Using loopback interfaces as the router IDs
  • Tweaking SPF timers
  • Route filtering

18
Summary
  • Security of routers and routes is critical for
    the security of the whole network.
  • The net administrator should configure his
    routers and routes, not only to protect the
    private network, but also to help to protect the
    whole Internet.
  • Next: security of LAN switching