Infrastructure Security
The Internet is considered a "critical infrastructure".
Filtering routing information and filtering traffic (IP layer) are complementary.
DNS is a core protocol.
Your backbone: a large firewall, or a transit network.
Data-center vs. core-infrastructure-based detection:
  Data-center: in-line ("complete packet")
  Infrastructure/distributed: NetFlow ("header only")
  Find the right mix of both.
Scalability: sampled NetFlow (high probability of missing single packets) vs. one in-line device (mirrored traffic) per larger POP.
ACLs (Access Control Lists)
Always (try to) use compiled ACLs: avoid log[-input], source-port matching, output ACLs, etc.
Where to filter: edge, core, transit, peerings?
What to filter: protocols, source/destination IP/ports, header, payload?
Who should filter: tier-1, tier-2/3 providers (with broadband home users), enterprises?
In which direction: to and/or from the end users (i.e., protect the Internet from the users and/or vice versa)?
uRPF (unicast Reverse Path Forwarding)
Strict uRPF for single-homed customers (the route to the source IP points back to the ingress interface).
Loose uRPF for multi-homed customers (a route/network prefix covering the source is present in the routing table).
Loose uRPF doesn't protect from customer spoofing.
Adapt the strict/loose policy depending on your customers' setup.
Statistics show that uRPF is not really deployed (neither loose nor strict).
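The two slides above describe edge ingress filtering as a combination of a uRPF check and an ACL. The following Python model is an added example, not code from the slides: the FIB, the per-interface uRPF policy, the ACL and the packets are all constructed. It applies strict or loose uRPF per ingress interface and then an ordered, first-match ACL, using only header fields (source, destination, protocol, destination port, ingress interface), which is exactly what a "header only" NetFlow record or a compiled ACL has to work with. It also models the common router behaviour in which a default route does not satisfy a uRPF check unless explicitly allowed (an assumption of this model; check your platform's documentation).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed FIB: prefix -> interface the route points out of.
FIB = {
    ip_network("0.0.0.0/0"): "transit0",        # default route via upstream
    ip_network("198.51.100.0/24"): "cust1",     # single-homed customer
    ip_network("203.0.113.0/24"): "cust2",      # multi-homed customer
    ip_network("192.0.2.0/24"): "peer0",        # a peer's prefix
    ip_network("198.18.0.1/32"): "lo0",         # router's own management address
}

# Constructed per-interface uRPF policy, following the slide's advice:
# strict on single-homed customers, loose on multi-homed ones.
URPF_MODE = {"cust1": "strict", "cust2": "loose", "peer0": "loose", "transit0": "off"}

# Constructed edge ingress ACL: (action, src_net, dst_net, proto, dport).
# First match wins; an implicit deny follows the last entry.
# No source-port or logging matches, so it stays "compilable".
ACL_IN = [
    ("deny", "10.0.0.0/8", "0.0.0.0/0", "any", None),          # RFC 1918 source
    ("deny", "0.0.0.0/0", "198.18.0.1/32", "udp", 161),        # SNMP to the router itself
    ("permit", "0.0.0.0/0", "0.0.0.0/0", "any", None),
]


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str
    dport: int
    ingress: str


def lookup(addr):
    """Longest-prefix match in the FIB; returns (prefix, interface) or None."""
    addr = ip_address(addr)
    best = None
    for prefix, iface in FIB.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_ok(src, ingress):
    """Strict: the best route to src must point back out of the ingress interface.
    Loose: any non-default route covering src is enough (so a customer can still
    spoof any address the router has a route for, as the slide warns)."""
    mode = URPF_MODE.get(ingress, "off")
    if mode == "off":
        return True
    match = lookup(src)
    if match is None or match[0].prefixlen == 0:   # default route does not count
        return False
    prefix, iface = match
    return iface == ingress if mode == "strict" else True


def acl_action(pkt, acl):
    """Evaluate an ordered ACL with first-match semantics and implicit deny."""
    for action, s, d, proto, dport in acl:
        if (ip_address(pkt.src) in ip_network(s)
                and ip_address(pkt.dst) in ip_network(d)
                and proto in ("any", pkt.proto)
                and (dport is None or dport == pkt.dport)):
            return action
    return "deny"


def ingress_filter(pkt):
    """uRPF first (cheap, route-table based), then the ACL; returns the verdict."""
    if not urpf_ok(pkt.src, pkt.ingress):
        return "drop:urpf"
    if acl_action(pkt, ACL_IN) == "deny":
        return "drop:acl"
    return "forward"


if __name__ == "__main__":
    # Constructed sample traffic, one line per case the slides discuss.
    samples = [
        Pkt("198.51.100.7", "192.0.2.9", "tcp", 80, "cust1"),   # legitimate, strict passes
        Pkt("203.0.113.5", "192.0.2.9", "tcp", 80, "cust1"),    # spoofed on strict iface
        Pkt("198.51.100.7", "192.0.2.9", "tcp", 80, "cust2"),   # spoofed on loose iface: passes
        Pkt("100.64.5.5", "192.0.2.9", "tcp", 80, "cust2"),     # only default route: fails
        Pkt("10.1.2.3", "192.0.2.9", "tcp", 80, "transit0"),    # uRPF off, ACL catches it
        Pkt("203.0.113.5", "198.18.0.1", "udp", 161, "cust2"),  # SNMP at the router
    ]
    for p in samples:
        print(f"{p.ingress:8} {p.src:>14} -> {p.dst:<12} {p.proto}/{p.dport}: {ingress_filter(p)}")
```

The third sample is the point of the slide's caveat: on the loose-mode interface a customer sourcing packets from another customer's prefix passes uRPF, because loose mode only asks whether some route exists. Only strict mode (or an explicit ACL on that interface) catches it.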
Other ("edge"-only) features
NBAR (Network Based Application Recognition): used with custom Cisco PDLMs (Packet Description Language Modules) to identify P2P traffic in quite a few university networks.
TCP Intercept: usually done by the enterprise.
DNS (Domain Name System)
Quite a few attacks recently.
DNS "abuse" due to bad network/system setups and broken clients.
IP anycast helps but makes debugging more difficult (which server is actually producing the error?).
ROUTER CONFIGURATIONS
Routers can play an important role in assuring high levels of overall network security. This section describes some general principles that need to be followed regarding the deployment and configuration of routers. The reader is referred to an extremely useful publication by the National Security Agency System and Network Attack Center (SNAC): Router Security Configuration Guide.
Protecting the Router Itself
Just as with any other network and systems equipment, before a router can protect the traffic that it carries, it must first protect itself. Some key steps to be carried out are described in the following subsections.
Physical Security
All the physical security measures apply to the physical protection of a router, whether it is a backbone-network router, an access router, or a customer-premises router.
OS or NOS Vulnerabilities
The discussion earlier in this chapter on vulnerabilities in OSs or NOSs applies to routers, and steps must be taken to defend against attacks that take advantage of these vulnerabilities. For example, it is a good practice to list what features the network needs and use the resulting feature list to select the appropriate version of the OS, realizing that the very latest version of any OS tends not to be as robust in general due to its limited exposure.
Configuration Hardening A router is similar to many computers in that it has many services enabled by default. Many of these services are unnecessary and may be used by an attacker for information gathering or for exploitation. All unnecessary services should be disabled. In addition, updates to configuration should be minimized and strictly controlled.
Router Configurations
Router configurations are critical not only because they tell the router how to process data correctly over the network but also because they determine how it processes data in the face of hostile attacks (whether malicious or unintentional). Thus, the design and implementation life cycle of router configuration files needs to be very carefully managed. The configuration design of routers typically proceeds after the network design is completed or in the later phases of network design. However, the management of configuration files, including the security-related aspects, can be treated as a separate entity.
Design and Development
Base routing protocol requirements on network security requirements. Different network security requirements dictate different routing protocol needs and different routing protocol security features. Identify secret-key arrangements and cryptographic algorithms for use in the VPNs to be supported. Design ACLs based on lists of services (e.g., TFTP, SMTP, etc.) to be permitted or denied on different interfaces or connections. The lists come from user requirements.
Deployment and Administration
Assign appropriate privilege levels to administrative personnel as part of access control. Different administrative personnel are authorized to perform different functions that incur different levels of security risks. Follow well-documented methods and procedures for the installation and updating of router configurations to minimize unintentional problems that can result in security risks. Follow secure cryptographic key-management processes to minimize disclosure of secret-key information. Employ constant monitoring and detailed analysis of potential attacks. Audit trails are key to the detection of attacks and planning of future defenses. Apply robust attack recovery procedures to minimize the cost due to successful attacks.