Saturday, July 10, 2010

IPX Vol 1 - Lab 12 - Security

Lab 12 deals with security in a very broad manner: securing BGP, the IGPs and interfaces, logging, SNMP, NTP, anti-spoofing, management-plane security, and disabling unnecessary services.

Let's break it down...

12.1 - Accepting a limited number of BGP prefixes from a neighbor
#neighbor 1.2.3.4 maximum-prefix 125000
By default the session is torn down when the limit is exceeded; add warning-only to only log, or restart <minutes> to bring the session back automatically. A threshold percentage after the count (default 75) sets when the warning is logged.

12.2 - Securing BGP with an ACL. On the destination router, create an extended ACL that permits the neighbor/source to open a TCP connection to port 179 on the destination router, permits TCP traffic from the neighbor sourced from port 179 (the case where the destination router opened the session itself), then denies any other TCP traffic to port 179, and finally permits tcp any any and ip any any. Apply it inbound on the interface facing the peer.
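As an added illustration (not from the original post or the workbook), the following models the ACL from 12.2 and evaluates it the way IOS does: top down, first match wins, implicit deny at the end. The addresses are assumptions made for the example (10.0.12.2 as the local router, 10.0.12.1 as the BGP peer), and the equivalent IOS lines appear as comments beside each entry.

```python
# Added example, not from the original post: a small model of the extended ACL
# described in 12.2, evaluated top down with first match wins and an implicit
# deny at the end. Addresses are assumptions: 10.0.12.2 is the local
# ("destination") router and 10.0.12.1 is its BGP neighbor.
from ipaddress import ip_address, ip_network

LOCAL = "10.0.12.2/32"     # assumed local router address
NEIGHBOR = "10.0.12.1/32"  # assumed BGP peer address
ANY = "0.0.0.0/0"

# (action, protocol, source net, source port, destination net, destination port)
# None for a port means "any port". IOS equivalents are in the comments.
BGP_IN = [
    # permit tcp host 10.0.12.1 host 10.0.12.2 eq 179  -> peer opens the session to us
    ("permit", "tcp", NEIGHBOR, None, LOCAL, 179),
    # permit tcp host 10.0.12.1 eq 179 host 10.0.12.2  -> we opened it, peer answers from 179
    ("permit", "tcp", NEIGHBOR, 179, LOCAL, None),
    # deny tcp any any eq 179                           -> nobody else reaches our BGP port
    ("deny", "tcp", ANY, None, ANY, 179),
    # permit tcp any any
    ("permit", "tcp", ANY, None, ANY, None),
    # permit ip any any
    ("permit", "ip", ANY, None, ANY, None),
]


def acl_action(acl, proto, src, sport, dst, dport):
    """Return 'permit' or 'deny' for one packet: the first matching entry wins."""
    for action, aproto, snet, sp, dnet, dp in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if ip_address(src) not in ip_network(snet):
            continue
        if ip_address(dst) not in ip_network(dnet):
            continue
        if aproto != "ip":  # ports are only matched on tcp/udp entries
            if sp is not None and sp != sport:
                continue
            if dp is not None and dp != dport:
                continue
        return action
    return "deny"  # implicit deny at the end of every IOS ACL


def bgp_acl_demo():
    """Constructed packets arriving inbound on the peer-facing interface."""
    return {
        "peer opens session": acl_action(BGP_IN, "tcp", "10.0.12.1", 40123, "10.0.12.2", 179),
        "peer answers our open": acl_action(BGP_IN, "tcp", "10.0.12.1", 179, "10.0.12.2", 51000),
        "stranger to port 179": acl_action(BGP_IN, "tcp", "192.0.2.9", 40000, "10.0.12.2", 179),
        "peer to ssh port": acl_action(BGP_IN, "tcp", "10.0.12.1", 40000, "10.0.12.2", 22),
        "ntp from anywhere": acl_action(BGP_IN, "udp", "192.0.2.9", 123, "10.0.12.2", 123),
    }


if __name__ == "__main__":
    for name, verdict in bgp_acl_demo().items():
        print(f"{name:24s} {verdict}")
```

Note what the last two cases show: this ACL only protects port 179. Anything else still gets through on the permit tcp any any / permit ip any any lines, and a packet that merely claims the peer's source address is accepted, which is why anti-spoofing (12.6) is a separate task. On the router the list would be applied with ip access-group <name> in on the peer-facing interface.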

12.3 - (a) Advertise a default route to a neighbor: #neighbor 1.2.3.4 default-originate (this is the per-neighbor form; default-information originate is the address-family level command used with redistribution).
Then restrict that neighbor to the default route only with a prefix-list that permits 0.0.0.0/0 and nothing else (the implicit deny at the end of the list drops everything else), applied with neighbor 1.2.3.4 prefix-list <name> out.

(b) The RFC 1918 prefix-list should look like:
#ip prefix-list RFC1918 permit 10.0.0.0/8 le 32
#ip prefix-list RFC1918 permit 192.168.0.0/16 le 32
#ip prefix-list RFC1918 permit 172.16.0.0/12 le 32

Don't forget the le 32: without it each line matches only the exact /8, /16 or /12, while the more specific subnets of each of these ranges are still RFC 1918 space.
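To make the le 32 point concrete, here is an added example (mine, not from the post or the workbook) that evaluates IOS-style prefix-list entries with their ge/le windows and runs the page's RFC 1918 list both with and without the le 32 qualifier. The list names and the test prefixes are constructed for the illustration.

```python
# Added example, not from the original post: an evaluator for IOS-style
# prefix-list entries, used to show what "le 32" changes on the RFC 1918 list.
# List names and test prefixes are constructed for the illustration.
from ipaddress import ip_network


def parse_entry(line):
    """'permit 10.0.0.0/8 le 32' -> ('permit', IPv4Network, ge, le)."""
    parts = line.split()
    action, net = parts[0], ip_network(parts[1])
    ge = le = None
    for key, val in zip(parts[2::2], parts[3::2]):
        if key == "ge":
            ge = int(val)
        elif key == "le":
            le = int(val)
    return action, net, ge, le


def entry_matches(entry, prefix):
    """IOS semantics: the first L bits must agree with the entry network (L = its
    mask length) and the route's mask length must fall in the ge/le window.
    No ge/le: exactly L.  le only: L..le.  ge only: ge..32.  Both: ge..le."""
    _, net, ge, le = entry
    p = ip_network(prefix)
    bits = net.prefixlen
    if p.prefixlen < bits:
        return False
    shift = 32 - bits
    if (int(p.network_address) >> shift) != (int(net.network_address) >> shift):
        return False
    lo = ge if ge is not None else bits
    hi = le if le is not None else (32 if ge is not None else bits)
    return lo <= p.prefixlen <= hi


def prefix_list_permits(lines, prefix):
    """Walk the list in order; first match wins; implicit deny at the end."""
    for line in lines:
        entry = parse_entry(line)
        if entry_matches(entry, prefix):
            return entry[0] == "permit"
    return False


# The page's list, with and without the "le 32" qualifier.
RFC1918_LE32 = [
    "permit 10.0.0.0/8 le 32",
    "permit 192.168.0.0/16 le 32",
    "permit 172.16.0.0/12 le 32",
]
RFC1918_EXACT = [line.replace(" le 32", "") for line in RFC1918_LE32]


def compare(prefix):
    """Return (permitted with le 32, permitted without le 32) for one prefix."""
    return (prefix_list_permits(RFC1918_LE32, prefix),
            prefix_list_permits(RFC1918_EXACT, prefix))


if __name__ == "__main__":
    for pfx in ["10.0.0.0/8", "10.1.0.0/16", "172.31.5.0/24",
                "172.32.0.0/16", "192.168.1.1/32"]:
        with_le, exact = compare(pfx)
        print(f"{pfx:16s} le 32: {with_le!s:5s}  exact only: {exact}")
```

Only 10.0.0.0/8 itself is caught by the list without le 32; 10.1.0.0/16 and a /32 host route out of 192.168.0.0/16 slip past it, while 172.32.0.0/16 is (correctly) outside the /12 in both versions.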

(c) ORF (BGP outbound route filtering) pushes your inbound prefix-list to the upstream neighbor so that the filtering happens on its side before the updates are sent, instead of you receiving all the BGP prefixes and then filtering locally. Saves bandwidth and CPU on both ends. The local side sends the filter (the list it pushes is the one applied with neighbor 1.2.3.4 prefix-list <name> in), and the neighbor must be configured with capability orf prefix-list receive (or both).
#neighbor 1.2.3.4 capability orf prefix-list send

12.4 and 12.5 are OSPF and EIGRP authentication. For EIGRP everything except the global key chain is done on the interface (ip authentication mode eigrp <AS> md5 and ip authentication key-chain eigrp <AS> <chain>), while OSPF area authentication is enabled under the process for the area (area <id> authentication [message-digest]) and the key is then configured on each interface in that area.

12.6 - Anti-Spoofing

(a) To prevent spoofing, configure strict uRPF under the interface. The packet passes only if the best route back to its source leaves via the interface it arrived on; allow-default lets a default route count as that return path, otherwise sources matched only by the default are dropped.
#ip verify unicast source reachable-via rx allow-default

(b) In loose mode (reachable-via any instead of rx) the router accepts the packet as long as some route to the source exists, and drops it if the route for the source points to a null interface. Configured the same way as (a) but with any, plus static routes for the blackholed sources pointing to Null0.
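The following is an added example of my own (not from the post or the workbook) that models the uRPF decision for (a) and (b) on one interface: strict mode (reachable-via rx), loose mode (reachable-via any), the allow-default keyword, and routes pointing to Null0. The routing table, interface names and source addresses are constructed for the illustration.

```python
# Added example, not from the original post: a model of the uRPF decision on one
# interface, covering strict mode (reachable-via rx), loose mode (reachable-via
# any), allow-default, and blackhole routes to Null0. The RIB, interface names
# and source addresses below are constructed for the illustration.
from ipaddress import ip_address, ip_network

# Constructed RIB: (prefix, outgoing interface). The Null0 entry is the kind of
# static blackhole route that 12.6(b) pairs with loose-mode uRPF.
RIB = [
    ("0.0.0.0/0", "Serial0/0"),          # default towards the upstream
    ("10.1.0.0/16", "FastEthernet0/0"),  # internal network A
    ("10.2.0.0/16", "FastEthernet0/1"),  # internal network B
    ("192.0.2.0/24", "Null0"),           # blackholed source range
]


def best_route(rib, addr):
    """Longest-prefix match, as the FIB lookup that uRPF relies on."""
    a = ip_address(addr)
    best = None
    for prefix, iface in rib:
        net = ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_passes(rib, ingress, src, mode="rx", allow_default=False):
    """Models: ip verify unicast source reachable-via {rx|any} [allow-default]."""
    route = best_route(rib, src)
    if route is None:
        return False                 # no route to the source at all
    net, iface = route
    if net.prefixlen == 0 and not allow_default:
        return False                 # only the default matches: fails without allow-default
    if iface == "Null0":
        return False                 # both modes drop sources routed to Null0
    if mode == "rx":
        return iface == ingress      # strict: best path must leave via the ingress interface
    return True                      # loose ("any"): any real route is enough


def urpf_demo():
    """Constructed packets, keyed by a description of the case."""
    return {
        "strict, 10.1.5.5 in on Fa0/0": urpf_passes(RIB, "FastEthernet0/0", "10.1.5.5"),
        "strict, 10.1.5.5 in on Fa0/1 (spoofed)": urpf_passes(RIB, "FastEthernet0/1", "10.1.5.5"),
        "loose, 10.1.5.5 in on Fa0/1": urpf_passes(RIB, "FastEthernet0/1", "10.1.5.5", mode="any"),
        "strict, 203.0.113.9 on S0/0, no allow-default": urpf_passes(RIB, "Serial0/0", "203.0.113.9"),
        "strict, 203.0.113.9 on S0/0, allow-default": urpf_passes(RIB, "Serial0/0", "203.0.113.9", allow_default=True),
        "strict, 203.0.113.9 on Fa0/0, allow-default": urpf_passes(RIB, "FastEthernet0/0", "203.0.113.9", allow_default=True),
        "loose, blackholed 192.0.2.7, allow-default": urpf_passes(RIB, "Serial0/0", "192.0.2.7", mode="any", allow_default=True),
    }


if __name__ == "__main__":
    for case, ok in urpf_demo().items():
        print(f"{case:48s} {'pass' if ok else 'drop'}")
```

The last two strict cases show why allow-default matters on an edge router: an Internet source arriving on the upstream link only passes the strict check if the default route is allowed to count, and it still fails when that same source shows up on an inside interface. The final case shows that loose mode with allow-default is almost a no-op except for exactly what (b) wants: sources you have routed to Null0 are dropped.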

(c) Using an ACL to block spoofing: create a standard ACL that denies packets sourced from your internal subnets/hosts (followed by a permit any), then apply it inbound on the external ingress interface.

(d) redundant

(e) Configure IP accounting of access-list violations on the interface; the offending sources are then visible with show ip accounting access-violations.
#interface s0/1.26
#ip accounting access-violations

12.7 - Logging - straightforward with the exception of core dumps. Remember the keyword "exception" to configure the core dump file name, the transfer protocol, and the IP address of the dump server (exception core-file, exception protocol, exception dump).

12.8 - Interactive Access

(d) SSH server - don't forget to configure a hostname and domain-name (the RSA key is named after them), then crypto key generate rsa, and AAA or a local username for login on the vty lines if necessary. On the vty lines, transport input ssh keeps Telnet off.

This section was long and there are definitely some things I knew at one point but have forgotten. Good to review and to deep dive via Narbik's books.