Posts Tagged ‘tcp’

Securing MP-EBGP VPNv4 for Inter-AS MPLS VPN

February 21, 2009

1. Securing Inter-AS interfaces

  • Permit only BGP traffic, because all other traffic that traverses between the ASBRs is MPLS-labelled, not plain IPv4.
  • Apply the ACL inbound and outbound, and log the denied traffic for further investigation.

interface FastEthernet0/0
ip address
ip access-group ASBR-IN in
ip access-group ASBR-OUT out
ip access-list extended ASBR-IN
permit tcp any any eq bgp
permit tcp any eq bgp any
deny ip any any log
ip access-list extended ASBR-OUT
permit tcp any eq bgp any
permit tcp any any eq bgp
deny ip any any log

  • See the example below of the IPv4 and labelled traffic that traverses between the ASBR routers. Note that the only IPv4 traffic is the BGP session; the remaining traffic is telnet or ICMP that has been labelled.


2. Securing MP-EBGP Peering Session

  • Use BGP MD5 Authentication to ensure that the BGP peer is the legitimate neighbor.

neighbor password 7 011A08105E19071C

  • Use BGP TTL-Security with a hop count of 1, because the BGP peering session between ASBRs usually runs over a back-to-back (directly connected) interface.

neighbor ttl-security hops 1

  • The ASBRs do not exchange any IPv4 traffic other than the BGP session itself, so turn off the IPv4 BGP address family:

no bgp default ipv4-unicast

  • Use BGP dampening to protect the ASBR CPU from frequently flapping routes.

bgp dampening

  • Filter the Route-Targets. Allow only the Route-Targets that need to extend across the AS boundary. Disable the BGP default RT filter so that VPNv4 routes are installed in the BGP VPNv4 table even when the Route-Target is not configured on the ASBR.

router bgp 100
no bgp default route-target filter
address-family vpnv4
neighbor route-map ASBR in
exit address-family
route-map ASBR permit 10
match extcommunity 101
ip extcommunity-list 101 permit RT:200:123+
ip extcommunity-list 101 permit RT:200:222+

  • Set the BGP maximum-prefix filter.

neighbor maximum-prefix 100 80

3. General Router Security

  • AAA Authentication
  • SSH Access for Management
  • Access-Class for Line VTY access
  • Read-Only SNMP with ACL
  • Use NTP, and disable NTP on interfaces where it is not needed
  • Enable CoPP if necessary
  • Specific and strict ACL for the inter-AS interface
  • Enable security services
    1. Service password-encryption
    2. Service timestamps for debug and logging
    3. Logging buffered
  • Disable small services
    1. Disable udp-small-servers (echo, discard)
    2. Disable tcp-small-servers
    3. Disable finger service
    4. Disable pad service
    5. Disable unused bootp service
    6. Disable cdp
    7. Disable icmp unreachables on all interfaces, including null0
    8. Disable ip source-route options
    9. Disable proxy-arp per interface
    10. Disable directed-broadcast per interface
    11. Disable icmp mask-reply per interface
    12. Disable http service
    13. Disable ident service

Controlling TCP-Half (Embryonic) Connection on Cisco PIX Firewall

June 6, 2008

One way to prevent or minimize the risk of a DoS/DDoS (Distributed Denial of Service) attack is to limit the TCP half-open connections from the outside to the inside or DMZ network. (Network administrators usually put the public servers, such as web, FTP and mail servers, in the DMZ network.)

A TCP half-open connection is a TCP connection whose three-way handshake has not yet completed. One DoS/DDoS method is to flood the target with TCP SYN packets. The objective of this attack is to fill up the target's TCP connection slots so that legitimate connections can no longer be made.

If your network uses a Cisco PIX Firewall, you can reduce the risk of this attack by controlling the TCP half-open (embryonic) connections: add an option to your static NAT configuration, as in the example below:

static (dmz,outside) netmask tcp 0 1000

1000 is the limit on the TCP half-open connections that can exist between the outside network and the server in the DMZ network ( is the local and is the global IP address).

In this scenario, at least two things can happen:

  • If the TCP half-closed timeout is reached and the ACK never arrives, the PIX Firewall drops the TCP half-open connection. You can set the TCP half-closed timeout with the command “timeout half-closed hh[:mm[:ss]]”. The default is 10 minutes.

  • If the TCP SYN packet coming from the outside network carried a spoofed IP address belonging to a live host, the real host that owns that address will reply to the PIX Firewall with a TCP RST, and the half-open connection is dropped.
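The three outcomes described above (a per-server embryonic limit, ageing out of half-open entries on timeout, and an RST from the real owner of a spoofed address) as an added Python model of the firewall's connection table; this is example code, not the PIX implementation. The limit of 3, the 600 s timeout and all addresses are constructed values.

```python
# Constructed packet events as seen by a stateful firewall in front of a DMZ
# server: (time in seconds, source, destination, TCP flag of interest).
EVENTS = [
    (0.0, "203.0.113.10", "192.0.2.80", "SYN"),
    (0.1, "203.0.113.11", "192.0.2.80", "SYN"),
    (0.2, "203.0.113.12", "192.0.2.80", "SYN"),
    (0.3, "203.0.113.13", "192.0.2.80", "SYN"),    # 4th half-open: over the limit of 3
    (0.5, "203.0.113.10", "192.0.2.80", "ACK"),    # handshake completes, slot freed
    (0.6, "203.0.113.11", "192.0.2.80", "RST"),    # real owner of a spoofed source replies
    (700.0, "203.0.113.14", "192.0.2.80", "SYN"),  # .12 has aged out after 600 s
]

class EmbryonicTracker:
    """Tracks half-open (embryonic) TCP connections per protected server."""

    def __init__(self, emb_limit, half_closed_timeout=600.0):
        self.emb_limit = emb_limit          # like the 1000 in the static command
        self.timeout = half_closed_timeout  # like "timeout half-closed", default 10 min
        self.half_open = {}                 # (src, dst) -> time the SYN was seen
        self.dropped_syn = []               # SYNs refused because the limit was reached
        self.timed_out = []                 # half-open entries removed by the timeout

    def _expire(self, now):
        for key, seen in list(self.half_open.items()):
            if now - seen >= self.timeout:
                del self.half_open[key]
                self.timed_out.append(key)

    def count_for(self, dst):
        return sum(1 for (_, d) in self.half_open if d == dst)

    def handle(self, now, src, dst, flag):
        self._expire(now)
        key = (src, dst)
        if flag == "SYN":
            if self.count_for(dst) >= self.emb_limit:
                self.dropped_syn.append(key)
                return "drop"
            self.half_open[key] = now
            return "half-open"
        if flag in ("ACK", "RST") and key in self.half_open:
            del self.half_open[key]         # completed or reset: no longer embryonic
            return "established" if flag == "ACK" else "reset"
        return "ignore"

def run(events, emb_limit=3, timeout=600.0):
    """Feed events through the tracker; returns per-event decisions and the tracker."""
    tracker = EmbryonicTracker(emb_limit, timeout)
    return [tracker.handle(*e) for e in events], tracker
```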
Categories: Network Security