Network Security 5.4 - 5.5 - Network Security
Routing Security
BGP - Border Gateway Protocol
conditions
Topology Condition
Preference Condition
Export Condition
BGP is insecure
main problem: no validation of announcements
allowing traffic hijacking
man-in-the-middle
DoS
Types of Attacks / Faults
Prefix hijacking
subprefix hijacking
unannounced prefix hijacking
IP prefix: Assignment and Hijacking
origin hijacking
path hijacking
route leakage
Countermeasures
filter routes based on prefix
limit rate of announcements
Securing BGP
Origin Authentication (RPKI - Resource Public Key Infrastructure)
periodic sync with trust-anchor
protect against prefix hijacks
slowly gaining traction
Path Validation (BGPsec)
real-time signature validation
protects against false paths
builds on the RPKI
Secure Forwarding (Data Plane)
Control plane
BGP is a routing protocol to compute routes
Data plane
Routers forward data packets
attacks
Drop, delay, modify, inject packets
while still sending the routing announcements
VLAN Security
Introduction
Before VLAN
one cable per subnet
moving hosts meant physical rewiring
adding a new subnet meant adding new wires and switches
bandwidth not shared between subnets
After VLAN
the wires are virtual now
complete remote reconfiguration of networks
bandwidth on a wire can now be shared between subnets
802.1Q Overview
Layer 2 extension
Header
TPID - Tag Protocol Identifier (16 bit)
PCP - Priority Code Point (3 bit)
DEI - Drop Eligible Indicator (1 bit)
VID - VLAN Identifier (12 bit)
modes of Operation
Untagged (Access)
Tagged (Trunk)
Mixed (General)
possible Attacks
Switch spoofing
Double Tagging
Attack Mitigation
Get your config right
Disable automatic trunk negotiation
Explicitly set all non-trunk ports as access ports
do not use VLAN 1
Set the Port-VID on trunk ports to an unused VLAN
Explicitly tag all packets on a trunk port with the Port-VID
use PCP to allow mission critical systems to communicate while under a flooding (DoS) attack
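The header layout above (TPID, PCP, DEI, VID) and the double-tagging attack and mitigations, as an added example that is not part of the original notes: a small parser that walks stacked 802.1Q tags in a constructed Ethernet frame and reports what a defender would flag on an access or trunk port (tagged frames on an access port, two stacked tags, an outer tag equal to the port's Port-VID, untagged frames on a trunk, VLAN 1 in use). The MAC addresses, the port modes and the audit messages are assumptions made for the example.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100  # Tag Protocol Identifier (16 bit) of an IEEE 802.1Q tag

@dataclass
class VlanTag:
    pcp: int  # Priority Code Point (3 bit)
    dei: int  # Drop Eligible Indicator (1 bit)
    vid: int  # VLAN Identifier (12 bit)

def parse_vlan_tags(frame: bytes):
    """Return (stacked 802.1Q tags in outer-to-inner order, EtherType that follows them)."""
    offset, tags = 12, []  # skip the destination and source MAC addresses
    while offset + 2 <= len(frame):
        (tpid,) = struct.unpack_from("!H", frame, offset)
        if tpid != TPID_8021Q:
            return tags, tpid  # first non-tag EtherType ends the tag stack
        if offset + 4 > len(frame):
            break
        (tci,) = struct.unpack_from("!H", frame, offset + 2)  # Tag Control Information
        tags.append(VlanTag(pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF))
        offset += 4
    raise ValueError("truncated frame")

def build_frame(tags, ethertype=0x0800):
    """Constructed sample frame: two made-up MACs, the given tags outer-to-inner, then an EtherType."""
    frame = bytes.fromhex("0200000000aa" "0200000000bb")  # constructed, locally administered MACs
    for t in tags:
        frame += struct.pack("!HH", TPID_8021Q, (t.pcp << 13) | (t.dei << 12) | (t.vid & 0x0FFF))
    return frame + struct.pack("!H", ethertype)

def audit_frame(frame, port_mode, port_vid):
    """Findings for a frame received on a port ('access' or 'trunk') whose Port-VID is port_vid."""
    tags, _ = parse_vlan_tags(frame)
    findings = []
    if len(tags) > 1:  # the double-tagging pattern: outer tag for this hop, inner tag for the target VLAN
        findings.append(f"double tagged: outer VID {tags[0].vid}, inner VID {tags[1].vid}")
    if port_mode == "access" and tags:  # hosts on access ports are expected to send untagged frames
        findings.append("tagged frame on access port")
    if port_mode == "trunk" and not tags:  # mitigation: tag everything on a trunk explicitly
        findings.append("untagged frame on trunk: native VLAN in use")
    if tags and tags[0].vid == port_vid:  # mitigation: Port-VID on trunks should be an unused VLAN
        findings.append(f"outer VID equals Port-VID {port_vid}: a switch strips that tag before forwarding")
    if any(t.vid == 1 for t in tags):  # mitigation: do not use VLAN 1
        findings.append("VLAN 1 in use")
    return findings
```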
other VLAN Techniques
MAC VLAN
use MAC address of the connected system to assign a VLAN
problems
MAC addresses can be spoofed
only system is authenticated, not the user
when deploying new hardware the MAC address has to be added to the configuration of every switch
solution
use IEEE 802.1X authentication
Protocol VLAN
use the protocol type in upper layer to assign VLAN
helps to create different administrative domains
prevents conflicts in upper layer protocols
Private VLAN
each port can only talk to specific ports
separation into 2 VLANs for one subnet
Primary VLAN
IEEE 802.1Q VLAN
Secondary VLAN
a group of systems belonging to the VLAN
reduces the broadcast domain within a single subnet
use cases
network segregation
assign hosts to a VLAN without changing their IP address
secure hosting
allows server to talk only to the firewall
secure VDI
terminals are only allowed to talk to the server
backup network
hosts are only allowed to talk to their backup system
VXLAN
create overlay networks