Archive for Network Security

Securing MP-EBGP VPNv4 for Inter-AS MPLS VPN

February 21, 2009 · Filed under Network Security, Service Provider · Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

1. Securing Inter-AS interfaces

  • Permit only BGP traffic because the other traffic that traverse between ASBRs is IP Labelled traffic.
  • Apply inbound and outbound. Logging the denied traffic for further investigation

interface FastEthernet0/0
ip address 172.16.0.2 255.255.255.252
ip access-group ASBR-IN in
ip access-group ASBR-OUT out
!
ip access-list extended ASBR-IN
permit tcp any any eq bgp
permit tcp any eq bgp any
deny ip any any log
!
ip access-list extended ASBR-OUT
permit tcp any eq bgp any
permit tcp any any eq bgp
deny ip any any log
!

  • See the example of IPv4 and IP Labelled traffic that traverse beetwen ASBR routers below. Note that IPv4 is only BGP communication, and the remaining traffic is telnet or icmp traffic that has been labelled.

interas-mpls-ethereal

2. Securing MP-EBGP Peering Session

  • Use BGP MD5 Authentication to ensure that the BGP peer is the legitimate neighbor.

neighbor 172.16.0.1 password 7 011A08105E19071C

  • Use BGP TTL-Security with number of hop is 1. The BGP peering session between ASBRs usually using the back-to-back interface.

neighbor 172.16.0.1 ttl-security hops 1

  • Both ASBR did not communicating ini IPv4 (except BGP communication), so we must turn-off the IPv4 BGP Address-family

no bgp default ipv4-unicast

  • Use BGP Dampening to secure the ASBR CPU from frequently flapped routes

bgp dampening

  • Filter the Route-Target. Only allows Route-Target that need to extend across the AS. Disable BGP default RT filter to allow VPNv4 routes installed in the BGP VPNv4 table even the Route-Target is not configured on the ASBR.

Router BGP 100
no bgp default route-target filter
!
address-family vpnv4
neighbor 172.16.0.2 route-map ASBR in
exit address-family
!
route-map ASBR permit 10
match extcommunity 101
!
ip extcommunity-list 101 permit RT:200:123+
ip extcommunity-list 101 permit RT:200:222+

  • Set the BGP maximum-prefix filter.

neighbor 172.16.0.2 maximum-prefix 100 80

3. General Router Security

  • AAA Authentication
  • SSH Access for Management
  • Access-Class for Line VTY access
  • Read-Only SNMP with ACL
  • using NTP and disabling ntp on not appropriate interfaces
  • Enable CoPP if necessary
  • Specific and strict ACL for inter-AS interface
  • Enable Security Services
  1. Service Password-Encryption
  2. Service Timestamp for Debug and Logging
  3. Logging buffered
  • Disable small Services
  1. Disable udp-small-services (echo, discard)
  2. Disable tcp-small-service
  3. Disable finger-service
  4. Disable pad-service
  5. Disable unused bootp service
  6. Disable cdp
  7. Disable icmp unreachables on all interfaces including null0
  8. Disable ip source-route options
  9. Disable proxy-arp per interfaces
  10. Disable directed-broadcast per interfaces
  11. Disable icmp mask-reply per interfaces
  12. Disable http-service
  13. Disable ident-service

Comments (3) »

Securing MPLS LDP

November 25, 2008 · Filed under Network Security, Service Provider · Tagged , ,

To secure LDP communication between LSRs peer (PE to P), we can use MD5 authentication. Below is the simple configuration for MPLS LDP authentication:

Router(config)#mpls ldp neighbor direct_peer_ip password p@55w0rd

Verification:

Router#sh mpls ldp nei peer_ip_address detail
Peer LDP Ident: peer_ip_address:0; Local LDP Ident local_ip_address:0
TCP connection: peer_ip_address.12780 - local_ip_address.646; MD5 on
Password: not required, neighbor, in use
State: Oper; Msgs sent/rcvd: 3/4; Downstream; Last TIB rev sent 0
Up time: 00:00:55; UID: 4; Peer Id 0;
LDP discovery sources:

ldp-md51

Leave a comment »

« Previous entries
Next Page »