DNS plays an important role in a network. It is therefore important for the information in a DNS
table to be protected from unauthorized modification.
Write your paper on protecting the information in a DNS table.
Solution
The DNS protocol relies on the User Datagram Protocol (UDP) for most of its operations. UDP is
a connectionless protocol and, as such, its source addresses can easily be spoofed. Many attacks
against DNS rely on spoofing to succeed.
Several security controls can be implemented to limit spoofing. These controls are described in
the following sections.
Unicast Reverse Path Forwarding
Unicast Reverse Path Forwarding (Unicast RPF) is a feature that can reduce the effectiveness of
packets with spoofed source addresses. A network device using Unicast RPF evaluates the
source of each IP packet against its local routing table in order to determine source address
validity. While it can detect and filter some spoofed traffic, Unicast RPF does not provide
complete protection against spoofing because spoofed and valid packets with the same source
address may arrive on the same interface.
Unicast RPF operates in two modes: strict and loose. In strict mode, the Unicast RPF feature uses
the local routing table to determine whether the source address of a packet is reachable through the
interface on which the packet was received. If it is reachable, the packet is permitted; if it is
not, the packet is dropped. Strict mode Unicast RPF is best deployed on network boundaries
where traffic asymmetry is not prevalent.
Strict mode Unicast RPF is enabled on Cisco IOS devices with the interface configuration
command ip verify unicast source reachable-via rx; the earlier form of this command was ip
verify unicast reverse-path. On Cisco PIX, ASA, and FWSM firewalls, strict mode Unicast RPF is
enabled with the ip verify reverse-path interface <interface-name> configuration command.
In loose mode Unicast RPF, if the source address of a packet is reachable through any interface
of the Unicast RPF-enabled device, the packet is permitted. If the source address of the IP packet
is not present in the routing table, the packet is dropped. Loose mode Unicast RPF can be
enabled on Cisco IOS devices with the ip verify unicast source reachable-via any interface
configuration command; loose mode Unicast RPF is not available on Cisco PIX, ASA, or FWSM
firewalls.
More information about Unicast RPF is available in the Applied Intelligence Understanding
Unicast Reverse Path Forwarding white paper.
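The strict and loose checks above can be modeled directly against a routing table. The following is an added example, not code from the original answer or from Cisco: it uses a constructed routing table with placeholder interface names and documentation address ranges, performs a longest-prefix match for each packet's source address, and applies the strict rule (the best route must point back out the ingress interface) or the loose rule (any route suffices). The allow_default parameter is an assumption that mirrors the effect of the allow-default keyword, under which the default route does not count as a route for Unicast RPF purposes unless explicitly allowed.

```python
import ipaddress

# Constructed routing table (FIB) for illustration: prefix -> egress interface.
# Interface names and prefixes are placeholders, not taken from any real device.
ROUTING_TABLE = {
    "0.0.0.0/0": "Gi0/0",        # default route toward the upstream provider
    "10.10.0.0/16": "Gi0/1",     # internal campus aggregate
    "10.10.5.0/24": "Gi0/2",     # a more specific internal subnet
    "192.0.2.0/24": "Gi0/3",     # DNS server segment (TEST-NET-1 documentation range)
}


def lookup(table, src, allow_default=False):
    """Longest-prefix match of src against table.

    Returns the egress interface of the best route, or None when there is no
    route. The default route only counts when allow_default is True, which
    mirrors the allow-default keyword of the IOS command (assumed behaviour).
    """
    addr = ipaddress.ip_address(src)
    best_net, best_iface = None, None
    for prefix, iface in table.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue  # default route is not a valid reverse path unless allowed
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def urpf_permits(table, src, ingress, mode="strict", allow_default=False):
    """Decide whether Unicast RPF lets a packet through.

    strict: the best route for src must point back out the ingress interface.
    loose:  any route for src (other than an excluded default) is enough.
    """
    egress = lookup(table, src, allow_default)
    if egress is None:
        return False          # no route at all: dropped in both modes
    if mode == "loose":
        return True
    if mode == "strict":
        return egress == ingress
    raise ValueError(f"unknown mode {mode!r}")


def evaluate(table, packets, mode, allow_default=False):
    """Return [(src, ingress, 'permit'|'drop'), ...] for a list of (src, ingress)."""
    return [
        (src, ingress,
         "permit" if urpf_permits(table, src, ingress, mode, allow_default) else "drop")
        for src, ingress in packets
    ]


# Constructed sample packets: (source address, interface the packet arrived on).
SAMPLE_PACKETS = [
    ("10.10.5.7", "Gi0/2"),     # legitimate host on its own subnet
    ("10.10.5.7", "Gi0/0"),     # same address arriving from the Internet side: spoofed
    ("10.10.7.9", "Gi0/1"),     # host in the campus aggregate
    ("203.0.113.5", "Gi0/0"),   # Internet source, matched only by the default route
    ("172.16.0.1", "Gi0/1"),    # address with no route at all
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(f"--- {mode} mode, default route ignored ---")
        for src, ingress, decision in evaluate(ROUTING_TABLE, SAMPLE_PACKETS, mode):
            print(f"{src:>14} via {ingress}: {decision}")
```

Running it shows the limitation the text describes: the spoofed 10.10.5.7 arriving on Gi0/0 is caught only in strict mode, and an address covered solely by the default route is dropped in both modes until allow_default is set, after which strict mode still accepts it only on the default route's own interface.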
IP Source Guard
IP source guard is a Layer 2 security feature that builds upon Unicast RPF and DHCP snooping
to filter spoofed traffic on individual switch ports. DHCP snooping, which is a prerequisite of IP
source guard, inspects DHCP traffic within a VLAN to understand which IP addresses have been
assigned to which network devices on which physical switch port. Once this information has
been gathered and stored in the DHCP snooping bindings table, IP source guard is able to
leverage it to filter IP packets received by a network device. If a packet is received with a source
address that does not match the DHCP snooping bindings table, the packet is dropped.
Implementing IP source guard in the access layer of a network can effectively eliminate the
origination of spoofed IP traffic. However, because it depends on DHCP-assigned addresses to
remain manageable, IP source guard cannot be deployed on internal-to-external network
boundaries.
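The filtering decision IP source guard makes per port can be modeled from a DHCP snooping bindings table. The following is an added example, not code from the original answer or from Cisco: it builds a bindings table from constructed DHCP ACK messages (placeholder ports, VLANs, documentation-range MAC and IP addresses), then checks each non-DHCP packet received on an untrusted access port against the addresses bound to that port. The optional check_mac flag is an assumption that stands in for the variant of IP source guard that also verifies the source MAC; lease release and expiry are not modeled.

```python
from collections import defaultdict


def build_bindings(dhcp_acks):
    """Populate a DHCP snooping bindings table from observed DHCP ACK messages.

    Each ack is a dict with keys port, vlan, mac, ip. The table maps
    (port, vlan) to {leased_ip: client_mac}. A DHCP RELEASE or lease expiry
    would remove an entry; that is not modeled here.
    """
    bindings = defaultdict(dict)
    for ack in dhcp_acks:
        bindings[(ack["port"], ack["vlan"])][ack["ip"]] = ack["mac"]
    return bindings


def ip_source_guard_permits(bindings, port, vlan, src_ip, src_mac=None, check_mac=False):
    """Filter a non-DHCP IP packet received on an untrusted access port.

    The source IP must be bound to this port/VLAN. With check_mac, the source
    MAC must also match the client the address was leased to (assumed to
    correspond to IP source guard with MAC verification enabled). A port with
    no binding at all permits nothing but DHCP until a lease is learned.
    """
    port_bindings = bindings.get((port, vlan), {})
    if src_ip not in port_bindings:
        return False
    if check_mac and port_bindings[src_ip] != src_mac:
        return False
    return True


def audit(bindings, packets, check_mac=False):
    """Return [(description, 'permit'|'drop'), ...] for constructed packets."""
    return [
        (desc, "permit" if ip_source_guard_permits(bindings, port, vlan, ip, mac, check_mac) else "drop")
        for port, vlan, ip, mac, desc in packets
    ]


# Constructed DHCP ACKs seen by DHCP snooping on untrusted access ports.
# MACs use the IANA documentation range 00:00:5e:00:53:xx.
SAMPLE_ACKS = [
    {"port": "Gi1/0/1", "vlan": 10, "mac": "00:00:5e:00:53:01", "ip": "10.10.5.7"},
    {"port": "Gi1/0/2", "vlan": 10, "mac": "00:00:5e:00:53:02", "ip": "10.10.5.8"},
]

# Constructed packets: (port, vlan, src_ip, src_mac, description).
SAMPLE_PACKETS = [
    ("Gi1/0/1", 10, "10.10.5.7", "00:00:5e:00:53:01", "own leased address"),
    ("Gi1/0/1", 10, "10.10.5.8", "00:00:5e:00:53:01", "neighbour's leased address"),
    ("Gi1/0/1", 10, "192.0.2.53", "00:00:5e:00:53:01", "DNS server's address"),
    ("Gi1/0/3", 10, "10.10.5.9", "00:00:5e:00:53:03", "port with no binding"),
    ("Gi1/0/1", 10, "10.10.5.7", "00:00:5e:00:53:02", "bound IP, wrong MAC"),
]

if __name__ == "__main__":
    table = build_bindings(SAMPLE_ACKS)
    for check_mac in (False, True):
        print(f"--- IP source guard, check_mac={check_mac} ---")
        for desc, decision in audit(table, SAMPLE_PACKETS, check_mac):
            print(f"{desc:>28}: {decision}")
```

The run illustrates why this control belongs on access ports: a host can only source the address DHCP leased to its own port, so forging a neighbour's address or a DNS server's address is dropped at the first switch, while the "bound IP, wrong MAC" case shows the extra ground the MAC check covers.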