Category Archives: CCIE Security

BCP38 – RFC2827 Network Ingress Filtering: Defeat DoS with Forged Source Addresses


This Best Current Practice document describes a common-sense approach to preventing Denial of Service (DoS) attacks that use forged (spoofed) source IP addresses. Note that the document does not give advice on preventing DoS attacks that carry valid source addresses. The techniques it describes are also valuable because they ensure that ingress traffic can be traced back to a legitimate and unique source address.

Of particular concern is the case where the attacker spoofs addresses belonging to another legitimate organization. This can result in that organization's legitimate traffic being filtered, or worse, in a false accusation of wrongdoing against it. The other organization's systems will also receive the SYN/ACK replies (backscatter) that the attacked hosts send in response to the forged SYNs.

Remember that flood-type attacks sourced from unreachable addresses are also dangerous: the attacked device reserves resources (for example half-open TCP connection state) in an attempt to respond to the incoming traffic, and because the replies never complete those resources can be exhausted.

The Best Current Practice recommends an ingress filter, applied at the provider's edge facing the customer, that accepts only traffic sourced from the legitimate network or networks that exist behind the filtering device.

The document also makes clear that certain special services can be affected by such filters. Mobile IP is the cited example: a mobile node on a foreign network that sends packets with its home address as the source (triangle routing) would have them dropped at the foreign network's edge, which is why the RFC points to reverse tunneling (the mobile node tunnels its traffic back to its home agent) as the way to make Mobile IP coexist with ingress filtering.
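The following Cisco IOS configuration is an added example of the BCP38 ingress filter on a provider edge router; it is not from RFC 2827 or from the original post. The customer allocation (203.0.113.0/24), the link numbering (192.0.2.0/30), the interface and the ACL name are all assumptions for illustration. It shows the check in two forms: an explicit ACL, and strict unicast RPF, which derives the same check from the routing table.

```cisco
! Provider edge router, customer-facing interface.
! Assumptions for this example: the customer has been allocated
! 203.0.113.0/24 and the link itself is numbered 192.0.2.0/30
! (both RFC 5737 documentation ranges); interface and ACL names are made up.
!
! Option 1: an explicit ingress ACL. Only packets whose source address
! belongs to the customer's allocation (or the link itself) are accepted;
! any other source cannot legitimately originate behind this interface.
ip access-list extended BCP38-CUSTOMER-IN
 remark Sources the customer may legitimately use
 permit ip 203.0.113.0 0.0.0.255 any
 permit ip 192.0.2.0 0.0.0.3 any
 remark Everything else is a forged source. Log while validating, then
 remark remove the log keyword: logging every drop is CPU-expensive on a busy link.
 deny   ip any any log
!
interface GigabitEthernet0/1
 description Customer access link
 ip address 192.0.2.1 255.255.255.252
 ip access-group BCP38-CUSTOMER-IN in
!
! Option 2: the same check taken from the routing table instead of a
! hand-maintained ACL. Strict unicast RPF accepts a packet only when the
! best route back to its source address points out the interface the
! packet arrived on, so it follows prefix changes automatically. Requires CEF.
ip cef
interface GigabitEthernet0/1
 ip verify unicast source reachable-via rx
!
! Caveat: if the customer is multihomed and return traffic may take another
! path, strict mode drops legitimate packets. Loose mode rejects only
! sources with no route at all, which still stops unroutable sources but
! no longer proves the packet belongs behind this interface:
! interface GigabitEthernet0/1
!  ip verify unicast source reachable-via any
```

The two options can coexist; the ACL documents exactly which prefixes were granted, while uRPF catches a prefix that someone later forgets to add or remove. To confirm the filter is doing work, check the hit counters with `show ip access-lists BCP38-CUSTOMER-IN`, confirm uRPF is active with `show ip interface GigabitEthernet0/1 | include verify`, and watch the unicast RPF drop counter in `show ip traffic`. Both options enforce the Mobile IP caveat above: a triangle-routed packet sourced from a home address outside 203.0.113.0/24 is dropped here, so such a mobile node must use reverse tunneling.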

If you want to read the full document (RFC 2827, published as BCP 38) as you prepare for the written exam, it is located here.

The Group Encrypted Transport (GET) VPN


GET VPN is a clever way of providing any-to-any encrypted connectivity without building tunnels: every group member encrypts with a shared group key, so an administrator no longer needs to construct and maintain the cumbersome, tedious mesh of point-to-point VPN tunnels. Another valuable feature is header preservation: the original IP header is copied to the outer header of the encrypted packet, so encrypted traffic follows the existing routing of the core, including multicast replication, and there is no need for GRE tunnels to carry multicast. The same property is also the main caveat: because the addresses in the outer header are the protected inner addresses, GET VPN traffic cannot cross a NAT device between group members.

GET VPN relies on a protocol called the Group Domain of Interpretation (GDOI), standardized in RFC 3547 (later revised as RFC 6407). You can think of it as an extension of ISAKMP: an ISAKMP Phase 1 SA protects a group registration exchange, and the per-peer IKE Phase 2 negotiation is replaced by keys that the Key Server distributes to the group. Key Servers (KS) provide this keying material to Group Members (GMs). Note that by design the Key Server does not participate in the encryption domain; it does not encrypt data traffic. Its job is to authenticate the GMs and distribute the IPsec Security Associations (SAs), that is the traffic encryption keys and the policy that says which traffic to protect, together with the key encryption key used to push rekeys.

So the Key Server (or Servers, for redundancy) is an essential ingredient of GET VPN. It stores the IPsec policies that group members use to encrypt unicast and multicast traffic to one another, and it can hold multiple policies for multiple groups, which adds to the flexibility of the solution. GET VPN can also be used in conjunction with Dynamic Multipoint VPN (DMVPN).