Presentation - Cisco Knowledge Network

More documents

Recommendations

Info

Remote Triggered Black Holes (RTBH)Route Injected Black Hole• Network device begins sendingtraffic that is out of policy• Black/Sink Hole traffic by protocol,flow, SGT, or IP• Static RPL based config to assignblack hole nexthop• Routes Injected via BGP Flow Specpropagated to entire network• Black/Sink Hole could be initiated bya number of security devices ormanually by administrator• Traffic can be dropped at first L3network device or routed to sinkhole across network for inspectionBlack Holes injectedby network securitydevicesTraffic routed to centrallocation for loggingInfected or Attackingmachine’s traffic droppedwith Remote TriggeredBlack Hole at first routedhop© 2012 Cisco and/or its affiliates. All rights reserved. 14
• Implementing blackholing requires two stages forconfiguration before CSCtb78915 and CSCtr79451• Creation of a static dummy /32 (IPv4) or /128 (IPv6) pointingtowards Null0• A routing policy that sets the next-hop towards the dummyaddress• Implementing blackholing requires one stage forconfiguration after CSCtb78915 and CSCtr79451• A routing policy to set next-hop to ‘discard’ for both RPL andRoute-map© 2012 Cisco and/or its affiliates. All rights reserved. 15
Page 1 and 2: Routing SecurityAn Holistic Overvie
Page 3 and 4: • Objectives of this talk:• Pre
Page 5 and 6: © 2012 Cisco and/or its affiliates
Page 7 and 8: Biggest Bandwidth• Largest monito
Page 9 and 10: ThreatsAttack on device control pla
Page 13: Utilizing routing technology in the
Page 17 and 18: Active/Active FirewallPre-2010 Oper
Page 19 and 20: Sink Hole RoutingIPS/IDS Enhancemen
Page 21 and 22: Hardening the infrastructureOlder S
Page 23 and 24: CoPP Enhancements for Routing• At
Page 25 and 26: • Main function is to forwards fo
Page 27 and 28: • LPTS has HW policers on line ca
Page 29 and 30: Enhanced Router Authentication / Co
Page 31 and 32: Securing Inter-AS VPN Confidentiali
Page 33 and 34: Distribution Automation of Security
Page 37 and 38: Malformed BGP UpdatesInvalidAttribu
Page 39 and 40: • Comes into play after attribute
Page 43 and 44: 20Source: NANOG 46: Tom Daly et al.
Page 45 and 46: BeforeAfter© 2012 Cisco and/or its
Page 47 and 48: • http://www.networkworld.com/new
Page 49 and 50: • The goal of the RPKI is to cryp
Page 51 and 52: • Each AS publishes a cryptograph
Page 53 and 54: CA ToolsetPublicationpoint (can beh
Page 55 and 56: EBGP updateRouterCheck and markorig
Page 57 and 58: The “One Behind” Attack• AS65
Page 59 and 60: The “Shorter Prefix” Problem•
Page 61 and 62: Future• Start Here• AS65000 adv
Page 63 and 64: Advertisement vs. Path Validation
Page 65 and 66:
• What are Bogons?A bogon is a bo
Page 67 and 68:
• Multi-Instance / Multi-AS BGP
Page 69 and 70:
© 2012 Cisco and/or its affiliates
show all

Presentation - Cisco Knowledge Network

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?