1 / 15

Implications of Securing Router Infrastructure NANOG 31 May 24, 2004 Ryan McDowell

Implications of Securing Router Infrastructure NANOG 31 May 24, 2004 Ryan McDowell ryanm@sprint.net. Control Plane Packet Filters. Receive Access-List (rACL) on Cisco Input filter on Lo0 on Juniper Deployed in 2002 Deny IP fragments Permit SSH, SNMP, DNS, TACACS, NTP, etc

kurt
Download Presentation

Implications of Securing Router Infrastructure NANOG 31 May 24, 2004 Ryan McDowell

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Implications of Securing Router Infrastructure NANOG 31 May 24, 2004 Ryan McDowell ryanm@sprint.net

  2. Control Plane Packet Filters • Receive Access-List (rACL) on Cisco • Input filter on Lo0 on Juniper • Deployed in 2002 • Deny IP fragments • Permit SSH, SNMP, DNS, TACACS, NTP, etc • secured by src/dst pairs • Permit BGP, IGMP, PIM • Permit subset of ICMP • Permit UDP >= 1024 • do not break traceroute to the router • Deny everything else • and count it…

  3. Control Plane Packet Filters • How we deployed Cisco rACLs: 1. Build the access-list 2. Replace all deny statements with permit 3. Deploy on several routers 4. If you get matches where you shouldn’t, change to permit/log and see what it is 5. Repeat until no more unexpected matches • Constantly improve • Add src/dst pairs, reduce src/dst ranges, etc

  4. Control Plane Packet Filters • Good IP addressing strategy needed • Made routers harder to kill • Really helps with the magic packet attacks • Few operational implications • “Sprint’s routers are broken because I cannot ping your router with a 1501/4471 byte (fragmented) packet.” • Change control can be difficult • Routers still vulnerable to attacks against TCP/179, ICMP, IP options, UDP, etc

  5. Limit Reachability To Control Plane IP Addresses • Most attacks target IPs on routers obtained from a traceroute • Let’s remove the ability to reach SprintLink-Customer /30 networks from the big dangerous Internet

  6. Best route to 192.0.2.4/30 is null0 Advertise 192.0.2.0/24 via eBGP Static route to 192.0.2.6/32 added if needed Do not redistribute connected routes into BGP or igp. Run next-hop self Route 192.0.2.0/24 to Null0 .5 192.0.2.4/30 .6

  7. Packets from 192.0.2.4/30 will pass uRPF check (i.e. ICMP Type 3 Code 4) 192.0.2.4/30 is no longer reachable from ISP A 192.0.2.4/30 is still reachable from ISP B .5 192.0.2.4/30 .6

  8. Limit Reachability To Control Plane IP Addresses • Does not add 100% security • But makes it a little harder for the attacker • 25% of customers required the use of their point-to-point address • Took over a year to implement • Implications • Traceroute through the router not impacted • Any packets to the routers breaks • PING • Folks LOVE to PING our routers… • Traceroute

  9. Limit Reachability To Control Plane IP Addresses • Do the same thing in the core • “advertise-passive-only” in Cisco • IS-IS export policy in Juniper

  10. Do not redistribute connected routes into BGP or igp. Run IS-IS “advertise passive-only” Can’t reach 192.0.2.4/30 Can reach 192.0.2.6/31 Can’t reach 192.0.2.4/31 .4 192.0.2.4/31 Route 192.0.2.0/24 to Null0 .5 .6 192.0.2.6/31 .7

  11. Limit Reachability To Control Plane IP Addresses • RFC1918 loop backs for management (SNMP, SSH, iBGP, etc….) • Rate limiting rACL • CoPP (Control Plane Policing) on Cisco • Apply BTSH/GTSH to rACL • Ignore IP-Options • Forward packets as if there are no options set • Similar to “no ip source-route” on Cisco

  12. What does all this mean? • Don’t plan on sending any packets destined to the router. • But this is already happening with the MPLS-ization of networks. • More secure infrastructure • Not perfect, but better than where most of us are now • Can be done without ingress filtering which is hard

  13. References http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s22/ft_ipacl.pdf http://www.juniper.net/solutions/literature/app_note/350013.pdf

More Related