www.glcnetworks.com
Best Current Practice (BCP) 38: Ingress Filtering for Security
GLC Webinar, 17 Mar 2022
Achmad Mardiansyah
achmad@glcnetworks.com
GLC Networks, Indonesia
Agenda
● Introduction
● Review prerequisite knowledge
● Network attack
● BCP 38
● Live practice
● Q & A
Introduction
What is GLC?
● Garda Lintas Cakrawala (www.glcnetworks.com)
● Based in Bandung, Indonesia
● Areas: Training, IT Consulting
● Certified partner for: Mikrotik, Ubiquiti, Linux Foundation
● Product: GLC radius manager
● Regular event
Trainer Introduction
● Name: Achmad Mardiansyah
● Base: Bandung, Indonesia
● Linux user since 1999, Mikrotik user since 2007, UBNT 2011
● Mikrotik Certified Trainer (MTCNA/RE/WE/UME/INE/TCE/IPv6)
● Mikrotik/Linux Certified Consultant
● Website contributor: achmadjournal.com, mikrotik.tips, asysadmin.tips
● More info: http://au.linkedin.com/in/achmadmardiansyah
Past experience
● 2020-2022 (Congo DRC, PNG, Malaysia): network support, RADIUS/billing integration
● 2019, Congo (DRC): build a wireless ISP from the ground up
● 2018, Malaysia: network revamp, develop billing solution and integration, set up dynamic routing
● 2017, Libya (North Africa): remote wireless migration for a new wireless ISP
● 2016, United Kingdom: workshop for wireless ISP, migrating a bridged to a routed network
● 2015, Kalimantan: wireless support
● See our website for more details
About GLC webinar?
● First webinar: January 1, 2010 (title: tahun baru bersama solaris - new year with Solaris OS)
● A sharing event with various topics: Linux, networking, wireless, database, programming, etc.
● Regular schedule
● Irregular schedule: as needed
● Checking schedule: http://www.glcnetworks.com/schedule
● You are invited to be a presenter
○ No need to be an expert
○ This is a forum for sharing: knowledge, experiences, information
Please introduce yourself
● Your name
● Your company/university?
● Your networking experience?
● Your mikrotik experience?
● Your expectation from this course?
Prerequisite
● This presentation requires some prerequisite knowledge
● We assume you already know:
○ Computer network
○ Mikrotik RouterOS
Review prerequisite knowledge
7 OSI layer & protocol
● The OSI layer model is a conceptual model from ISO (International Standard Organization) for the OSI (Open System Interconnection) project
● When you send a message with a courier, you need to add more information for the message to arrive at its destination (this process is called encapsulation)
● What is a protocol?
○ A set of rules for communication
○ Available on each layer
● Communication consists of a series of encapsulations
○ SDU: service data unit (before PDU)
○ PDU: protocol data unit (after header is added)
Layered model (TCP/IP vs ISO) and encapsulation
Layer 4 header
Layer 3 header
Layer 2 header, ethernet
Layer 2 header, 802.11
Did you notice?
● There is a big overhead in the encapsulation process
● More encapsulation means less payload?
Layer 2 vs Layer 3 addressing
Layer 2
● Burned-in address
● Adjacent communication
● Consists of 48 bits, written in hex format (1 hex digit = 4 bits)
● Unique for every physical port
● First 6 hex digits -> represent the manufacturer
Layer 3
● Logical address
● End-to-end communication
● IPv4 is 32 bits long
● 2 versions: IPv4 (our focus) and IPv6
● Consists of a network part & a host part
● Can be a class-based IP address (without subnet)
● Now it is a classless IP address -> VLSM (variable length subnet mask)
● CIDR (classless inter-domain routing)
IP spec (RFC 791)
● Defined a long time ago (what, 1981?)
● Defines what the IP header looks like
● Still used up to now
● New version -> IPv6
What does the layer 3 address look like?
● An IPv4 address is 32 bits long
● Written in binary -> always think in binary
● Displayed to humans in decimal, every 8 bits (octet)
● Has 2 parts: network part and host part
● Like a phone number 0812 XXXXXXXX -> hierarchical
● All devices in the network will have the same network part
● First and last address cannot be used (for network id and broadcast id)
Variable-Length Subnet Masking (VLSM)
● Variable-Length Subnet Masking (VLSM)
● Can divide an IP address block into subnets of different sizes using / (slash) notation
● Solves the inefficiency of classful IP addressing (fixed length). No more class A, B, C
● RFC: 1878 (1995)
● Basis for CIDR
● Example: 23.45.0.0/17
○ 23.45.0.0/25
○ 23.45.0.128/25
Classless Inter-Domain Routing (CIDR)
● Provides a new and more flexible way to specify network addresses in routers (using slash notation)
● Allows flexible allocation of Internet Protocol (IP) addresses
● CIDR lets a routing table entry represent an aggregation of networks that exist in the forward path
● Each IP address has a network prefix that identifies its network
● RFC: 1519
Router vs Routing
● Router is a network device that is used to forward
packets, based on layer 3 information (layer 3 header)
● Routing is the process of selecting a path for traffic in a
network, or between or across multiple networks
Network design: physical connection (physical topology)
● Router connects layer 2 segments
● Router works on layer 3
● Meaning, each layer 2 segment has a network ID
[Figure: physical topology with routers R1, R2, R3 and R4, ISP1, ISP2 and the internet]
Network design: logical connection (logical topology)
[Figure: logical topology. Routers R1, R2 and R3 on 192.168.0.0/26 (192.168.0.1/26, 192.168.0.2/26, 192.168.0.3/26), with the segments 192.168.1.0/24 (192.168.1.1/24, 192.168.1.9/24), 192.168.2.0/24 (192.168.2.2/24, 192.168.2.9/24) and 192.168.3.0/24 (192.168.3.3/24, 192.168.3.9/24)]
Routing table:
● A table on the router that is used to forward packets
● Available on every device (router and host)
● Entries are executed sequentially
destination               gateway
192.168.0.0/26            direct
192.168.1.0/24            direct
192.168.2.0/24            192.168.0.2
192.168.3.0/24            192.168.0.3
192.168.16.3/32           192.168.0.2
0.0.0.0/0 (default gw)    192.168.0.3
Forwarding packets using routing table
● It works like a firewall: match and action
● When a packet arrives, the routing table is used to forward it
● You should think in binary to understand how it works
destination (network bits in binary)                      gateway
192.168.16.3/32   11000000 10101000 00001000 00000011     192.168.0.2
192.168.0.0/26    11000000 10101000 00000000 00           direct
192.168.1.0/24    11000000 10101000 00000001              direct
192.168.2.0/24    11000000 10101000 00000010              192.168.0.2
192.168.3.0/24    11000000 10101000 00000011              192.168.0.3
0.0.0.0/0         (no match)                              192.168.0.3
A packet arrived at R1… (example)
Destination IP address of the packet is 192.168.2.6, which gateway do we use?
A: 192.168.2.6 = (11000000 10101000 00000010 00000110)
[Table: the routing table with binary prefixes from the slide "Forwarding packets using routing table"]
Where does the routing table lookup happen?
Administrative distance (analogy)
city      distance
CITY 1    100 km
CITY 2    120 km
CITY 2    90 km
CITY 3    500 km
CITY 4    250 km

destination      gateway        distance
10.10.10.0/24    192.168.0.1    10
10.10.20.0/24    192.168.0.2    12
10.10.20.0/24    192.168.0.3    9
10.10.30.0/24    192.168.0.3    50
10.10.40.0/24    192.168.0.4    25
Administrative distance
● Distance is considered when the prefix length is the same
● Lowest distance wins
● Administrative distance policy depends on the vendor
● Table on the right shows an example of administrative distance on a Cisco router
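The lookup from the slides "Forwarding packets using routing table" and "Administrative distance", as an added example in Python (not part of the original slides). The route lists are copied from the slides; the function names `select_route` and `to_bits` are illustrative, and treating routes without a distance column as distance 0 is an assumption.

```python
import ipaddress

# Routing table from the forwarding slides: (destination, gateway).
R1_ROUTES = [
    ("192.168.16.3/32", "192.168.0.2"),
    ("192.168.0.0/26", "direct"),
    ("192.168.1.0/24", "direct"),
    ("192.168.2.0/24", "192.168.0.2"),
    ("192.168.3.0/24", "192.168.0.3"),
    ("0.0.0.0/0", "192.168.0.3"),
]

# Routes from the administrative-distance slide: (destination, gateway, distance).
AD_ROUTES = [
    ("10.10.10.0/24", "192.168.0.1", 10),
    ("10.10.20.0/24", "192.168.0.2", 12),
    ("10.10.20.0/24", "192.168.0.3", 9),
    ("10.10.30.0/24", "192.168.0.3", 50),
    ("10.10.40.0/24", "192.168.0.4", 25),
]


def to_bits(addr):
    """Dotted binary form of an IPv4 address, as written on the slides."""
    return " ".join(f"{octet:08b}" for octet in ipaddress.IPv4Address(addr).packed)


def select_route(dst, routes):
    """Return (prefix, gateway, distance) of the route used for dst, or None."""
    dst_ip = ipaddress.IPv4Address(dst)
    candidates = []
    for entry in routes:
        prefix, gateway = entry[0], entry[1]
        # Assumption: a route listed without a distance gets distance 0.
        distance = entry[2] if len(entry) > 2 else 0
        net = ipaddress.IPv4Network(prefix)
        if dst_ip in net:  # the first prefixlen bits of dst equal the prefix
            candidates.append((net, gateway, distance))
    if not candidates:
        return None  # no matching entry and no default route
    # Longest prefix wins; distance only breaks ties between equal prefix lengths.
    net, gateway, distance = min(candidates, key=lambda c: (-c[0].prefixlen, c[2]))
    return str(net), gateway, distance


if __name__ == "__main__":
    print("192.168.2.6 =", to_bits("192.168.2.6"))
    for dst in ("192.168.2.6", "192.168.0.40", "192.168.0.70", "8.8.8.8"):
        print(dst, "->", select_route(dst, R1_ROUTES))
    print("10.10.20.5 ->", select_route("10.10.20.5", AD_ROUTES))
```

Sorting the table by prefix length, as the binary table on the slide does, makes a sequential first-match scan give the same answer as this longest-prefix selection.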
Static routing
[Figure: same topology and routing table as on the slide "Network design: logical connection (logical topology)"]
● Entries in the routing table are created manually
● The admin must manage the routing table on all routers
● The admin has full control over the routing table
Dynamic routing
[Figure: same topology and routing table as on the slide "Network design: logical connection (logical topology)"]
● Routers talk to each other using a routing protocol (RIP, OSPF, BGP)
● Entries in the routing table are created automatically
● The admin must have good knowledge of the routing protocol
Autonomous system (AS)
● A collection of routers and networks under one administration that applies a single routing policy
● An AS is identified by a number (Autonomous System Number - ASN), given by an RIR (Regional Internet Registry: APNIC, ARIN, RIPE, etc.)
[Figure: autonomous systems AS1, AS2, AS3 and AS4]
Addressing, IANA, RIR
● The internet is based on the IP (Internet Protocol) addressing scheme -> RFC791
● Addressing has to be unique
● IANA (Internet Assigned Numbers Authority) regulates IP address allocation
● IANA delegates (some of its authority) to RIRs (Regional Internet Registries)
● RIR delegates to country’s
● Every organisation must have an IP address block to join the internet and build a routing scheme among its equipment
Asymmetric routing
● Currently, routing is done one-way only (outbound)
● The forwarding process on a router is based on the destination IP address
● There is no guarantee that the incoming path is similar to the outgoing path
● We can only control outbound traffic
[Figure: the R1, R2, R3 topology with the segments 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24]
Private IP, public IP and NAT
Public IP
● Public IP is used globally (internet)
● Must be unique
● Usually borrowed from ISP (via ADSL, GPON, GSM, 4G, etc)
Private IP (RFC1918)
● Private IP is used privately (internal organisation)
● Duplicated in many organisations
Network attack
BCP 38
Best Current Practice (BCP)?
● IETF creates RFCs (requests for comments), which contain the rules of how communication works
● BCP is a collection of RFCs for best current practices on various topics
BCP 38
● Implemented in RFC 2827 and RFC 3704 (for ISP)
BCP 38 on Mikrotik
Reverse-path filtering (RFC3704)
● Disables/enables source validation.
○ no - No source validation.
○ strict - applies Strict Reverse Path. Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded.
○ loose - applies Loose Reverse Path. Each incoming packet's source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.
● Recommendation: use strict mode to prevent IP spoofing from DDoS attacks.
● For asymmetric routing, complex routing, and VRRP cases, loose mode is recommended.
[Figure: R1 between the LAN 12.1.1.0/24 (labels .1, .10, .99) and the internet, with three packets: dst y.y.y.y / src 12.1.1.99; dst 12.1.1.10 / src x.x.x.x; dst x.x.x.x / src 12.1.1.10]
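The strict and loose checks described above, simulated over a small FIB as an added example in Python (not part of the original slides and not MikroTik's code). Only the 12.1.1.0/24 LAN comes from the slide's diagram; the interface names, the other prefixes and the sample packets are constructed, and the FIB is modelled as a flat list with a single best path per source.

```python
import ipaddress

# FIB entries are (prefix, outgoing interface). Only 12.1.1.0/24 is taken from
# the slide; interface names and all other prefixes are constructed.
EDGE_FIB = [
    ("12.1.1.0/24", "ether2-lan"),
    ("0.0.0.0/0", "ether1-wan"),
]
# Two upstreams: 198.51.100.0/24 is reached via isp1, everything else via isp2.
MULTIHOMED_FIB = [
    ("12.1.1.0/24", "ether3-lan"),
    ("198.51.100.0/24", "ether1-isp1"),
    ("0.0.0.0/0", "ether2-isp2"),
]
# An edge router that carries no default route.
NO_DEFAULT_FIB = [
    ("12.1.1.0/24", "ether2-lan"),
    ("198.51.100.0/24", "ether1-wan"),
]

MODES = ("no", "strict", "loose")


def best_reverse_path(fib, src):
    """Interface the router itself would use to reach src, or None if unrouted."""
    src_ip = ipaddress.IPv4Address(src)
    matches = []
    for prefix, ifname in fib:
        net = ipaddress.IPv4Network(prefix)
        if src_ip in net:
            matches.append((net.prefixlen, ifname))
    if not matches:
        return None
    return max(matches)[1]  # longest prefix wins


def rp_filter(fib, mode, in_interface, src):
    """True if a packet from src arriving on in_interface passes source validation."""
    if mode == "no":
        return True
    reverse_if = best_reverse_path(fib, src)
    if mode == "loose":
        # Source must be reachable via any interface.
        return reverse_if is not None
    if mode == "strict":
        # Arrival interface must be the best reverse path to the source.
        return reverse_if == in_interface
    raise ValueError(f"unknown mode: {mode}")


def verdicts(fib, in_interface, src):
    """Verdict for one packet under each mode."""
    return {m: "accept" if rp_filter(fib, m, in_interface, src) else "drop"
            for m in MODES}


if __name__ == "__main__":
    cases = [  # constructed sample packets
        ("LAN host, own address", EDGE_FIB, "ether2-lan", "12.1.1.10"),
        ("LAN host, source outside the LAN", EDGE_FIB, "ether2-lan", "203.0.113.7"),
        ("WAN packet claiming a LAN source", EDGE_FIB, "ether1-wan", "12.1.1.99"),
        ("asymmetric return path", MULTIHOMED_FIB, "ether2-isp2", "198.51.100.5"),
        ("unrouted source, no default route", NO_DEFAULT_FIB, "ether1-wan", "203.0.113.7"),
    ]
    for label, fib, iface, src in cases:
        print(f"{label:36} in={iface:12} src={src:14} {verdicts(fib, iface, src)}")
```

With a default route in the FIB every source is reachable, so loose mode accepts all three `EDGE_FIB` packets and only strict mode drops the two whose source does not belong on the arrival interface. On RouterOS the mode itself is the `rp-filter` property under `/ip settings`.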
TCP syncookies
● Send out syncookies when the SYN backlog queue of a socket overflows.
● This is to protect against the common 'SYN flood attack'.
Live practice
● SSH client
● SSH parameters
○ SSH address
○ SSH port
○ SSH username
○ SSH password
QnA
Any questions?
Interested? Just come to our training...
● Topics are arranged in a systematic and logical way
● You will learn from an experienced teacher
● Not only learning the materials, but also sharing experiences, best practices, and networking
End of slides
● Thank you for your attention
● Please submit your feedback: http://bit.ly/glcfeedback
● Find our further events on our website: https://www.glcnetworks.com
● Like our Facebook page: https://www.facebook.com/glcnetworks
● Slide: https://www.slideshare.net/glcnetworks/
● Discord (bahasa indonesia): https://discord.gg/6MZ3KUHHBX
● Recording (YouTube): https://www.youtube.com/c/GLCNetworks
● Stay tuned to our schedule
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 

Best Current Practice (BCP) 38 Ingress Filtering for Security

  • 1. www.glcnetworks.com Best Current Practice (BCP) 38: Ingress Filtering for Security GLC Webinar, 17 Mar 2022 Achmad Mardiansyah achmad@glcnetworks.com GLC Networks, Indonesia
  • 2. www.glcnetworks.com Agenda ● Introduction ● Review prerequisite knowledge ● Network attack ● BCP 38 ● Live practice ● Q & A 2
  • 4. www.glcnetworks.com What is GLC? ● Garda Lintas Cakrawala (www.glcnetworks.com) ● Based in Bandung, Indonesia ● Areas: Training, IT Consulting ● Certified partner for: Mikrotik, Ubiquity, Linux foundation ● Product: GLC radius manager ● Regular event 4
  • 5. www.glcnetworks.com Trainer Introduction ● Name: Achmad Mardiansyah ● Base: bandung, Indonesia ● Linux user since 1999, mikrotik user since 2007, UBNT 2011 ● Mikrotik Certified Trainer (MTCNA/RE/WE/UME/INE/TCE/IPv6) ● Mikrotik/Linux Certified Consultant ● Website contributor: achmadjournal.com, mikrotik.tips, asysadmin.tips ● More info: http://au.linkedin.com/in/achmadmardiansyah 5
  • 6. www.glcnetworks.com Past experience ● 2020-2022 (Congo DRC, PNG, Malaysia): network support, radius/billing integration ● 2019, Congo (DRC): build a wireless ISP from ground-up ● 2018, Malaysia: network revamp, develop billing solution and integration, setup dynamic routing ● 2017, Libya (north africa): remote wireless migration for a new Wireless ISP ● 2016, United Kingdom: workshop for wireless ISP, migrating a bridged to routed network ● 2015, Kalimantan, wireless support ● See our website for more details 6
  • 7. www.glcnetworks.com About GLC webinar? ● First webinar: january 1, 2010 (title: tahun baru bersama solaris - new year with solaris OS) ● As a sharing event with various topics: linux, networking, wireless, database, programming, etc ● Regular schedule ● Irregular schedule: as needed ● Checking schedule: http://www.glcnetworks.com/schedule ● You are invited to be a presenter ○ No need to be an expert ○ This is a forum for sharing: knowledge, experiences, information 7
  • 8. www.glcnetworks.com Please introduce yourself ● Your name ● Your company/university? ● Your networking experience? ● Your mikrotik experience? ● Your expectation from this course? 8
  • 9. www.glcnetworks.com Prerequisite ● This presentation requires some prerequisite knowledge ● We assume you already know: ○ Computer network ○ Mikrotik RouterOS 9
  • 11. www.glcnetworks.com 7 OSI layer & protocol ● The OSI layer model is a conceptual model from ISO (International Standard Organization) for the OSI (Open System Interconnection) project ● When you send a message with a courier, you need to add more info to get your message delivered to the destination (this process is called encapsulation) ● What is a protocol? ○ A set of rules for communication ○ Available on each layer ● Communication consists of a series of encapsulations ○ SDU: service data unit (before PDU) ○ PDU: protocol data unit (after header is added) 11
  • 12. www.glcnetworks.com Layered model (TCP/IP vs ISO) and encapsulation 12 / datagram
  • 17. www.glcnetworks.com Did you notice? ● There is a big overhead on encapsulation process ● More encapsulation means less payload? 17
  • 18. www.glcnetworks.com Layer 2 vs Layer 3 addressing
    Layer 2: ● Burned-in address ● Adjacent communication ● Consists of 48 binary bits, written in HEX format. 1 HEX digit = 4 bits ● Unique for every physical port ● First 6 HEX digits -> represent the manufacturer
    Layer 3: ● Logical address ● End-to-end communication ● IPv4 is 32 bits long ● 2 versions: IPv4 (our focus) and IPv6 ● Consists of network part & host part ● Can be a class-based IP address (without subnet) ● Now it is a classless IP address -> VLSM (variable length subnet mask) ● CIDR (classless inter domain routing)
  • 19. www.glcnetworks.com IP spec (RFC 791) ● Defined a long time ago (what, 1981?) ● Defines what the IP header looks like ● Still used up to now ● New version -> IPv6 19
  • 20. www.glcnetworks.com What does the layer 3 address look like? ● IPv4 address is 32 bits long ● Written in binary -> always think in binary ● Displayed to humans in decimal, every 8 bits (octet) ● Has 2 parts: network part and host part ● Like a phone number 0812 XXXXXXXX -> hierarchical ● All devices in the network will have the same network part ● First and last address cannot be used (for network id and broadcast id) 20 Network part host part
  • 21. www.glcnetworks.com Variable-Length Subnet Masking (VLSM) ● Variable-Length Subnet Masking (VLSM) ● Can divide an IP address block into subnets of different sizes using / (slash) notation ● Solves the inefficiency of classful IP addressing (fixed length). No more class A, B, C ● RFC: 1878 (1895) ● Basis for CIDR ● Example: 23.45.0.0/17 ○ 23.45.0.0/25 ○ 23.45.0.128/25 21
  • 22. www.glcnetworks.com Classless Inter-Domain Routing (CIDR) ● Provides a new and more flexible way to specify network addresses in routers (using slash as notation) ● Allows flexible allocation of Internet Protocol (IP) addresses ● CIDR lets a routing table entry represent an aggregation of networks that exist in the forward path ● Each IP address has a network prefix that identifies its network ● RFC: 1519 22
  • 23. www.glcnetworks.com Router vs Routing ● Router is a network device that is used to forward packets, based on layer 3 information (layer 3 header) ● Routing is the process of selecting a path for traffic in a network, or between or across multiple networks 23 Physical router Router icon
  • 24. www.glcnetworks.com Network design: physical connection (physical topology) ● Router connects layer 2 segments ● Router works on layer 3 ● Meaning, each layer 2 segment has a network ID 24 R1 R2 R3 R4 ISP2 ISP1 internet
  • 25. www.glcnetworks.com Network design: logical connection (logical topology)
    Diagram labels: 192.168.0.0/26 R1 192.168.0.1/26 192.168.0.3/26 192.168.0.2/26 R3 R2 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 192.168.3.3/24 192.168.3.9/24 192.168.2.9/24 192.168.2.2/24 192.168.1.1/24 192.168.1.9/24
    destination                gateway
    192.168.0.0/26             direct
    192.168.1.0/24             direct
    192.168.2.0/24             192.168.0.2
    192.168.3.0/24             192.168.0.3
    192.168.16.3/32            192.168.0.2
    0.0.0.0/0 (default gw)     192.168.0.3
    Routing table: ● A table at the router that is used to forward packets ● Available on every device (router and host) ● Entries are executed sequentially
  • 26. www.glcnetworks.com Forwarding packets using routing table ● It works like a firewall: match and action ● When a packet arrives, the routing table is used to forward it ● You should think in binary to understand how it works
    destination        binary                                 gateway
    192.168.16.3/32    11000000 10101000 00001000 00000011    192.168.0.2
    192.168.0.0/26     11000000 10101000 00000000 00          direct
    192.168.1.0/24     11000000 10101000 00000001             direct
    192.168.2.0/24     11000000 10101000 00000010             192.168.0.2
    192.168.3.0/24     11000000 10101000 00000011             192.168.0.3
    0.0.0.0/0          (no match)                             192.168.0.3
  • 27. www.glcnetworks.com A packet arrived at R1… (example) The destination IP address of the packet is 192.168.2.6; which gateway do we use? A: 192.168.2.6 = 11000000 10101000 00000010 00000110
    destination        binary                                 gateway
    192.168.16.3/32    11000000 10101000 00001000 00000011    192.168.0.2
    192.168.0.0/26     11000000 10101000 00000000 00          direct
    192.168.1.0/24     11000000 10101000 00000001             direct
    192.168.2.0/24     11000000 10101000 00000010             192.168.0.2
    192.168.3.0/24     11000000 10101000 00000011             192.168.0.3
    0.0.0.0/0          (no match)                             192.168.0.3
  • 29. www.glcnetworks.com Administrative distance (analogy)
    CITY 1  100 km    10.10.10.0/24  192.168.0.1  10
    CITY 2  120 km    10.10.20.0/24  192.168.0.2  12
    CITY 2   90 km    10.10.20.0/24  192.168.0.3   9
    CITY 3  500 km    10.10.30.0/24  192.168.0.3  50
    CITY 4  250 km    10.10.40.0/24  192.168.0.4  25
  • 30. www.glcnetworks.com Administrative distance ● Distance is considered when the prefix length is the same ● Lowest distance wins ● Administrative distance policy depends on the vendor ● Table on the right shows an example of administrative distance on a Cisco router 30
  • 31. www.glcnetworks.com Static routing
    Diagram labels: 192.168.0.0/26 R1 192.168.0.1/26 192.168.0.3/26 192.168.0.2/26 R3 R2 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 192.168.3.3/24 192.168.3.9/24 192.168.2.9/24 192.168.2.2/24 192.168.1.1/24 192.168.1.9/24
    destination                gateway
    192.168.0.0/26             direct
    192.168.1.0/24             direct
    192.168.2.0/24             192.168.0.2
    192.168.3.0/24             192.168.0.3
    192.168.16.3/32            192.168.0.2
    0.0.0.0/0 (default gw)     192.168.0.3
    ● Entries in the routing table are created manually ● Admin must manage the routing table in all routers ● Admin has full control of the routing table
  • 32. www.glcnetworks.com Dynamic routing
    Diagram labels: 192.168.0.0/26 R1 192.168.0.1/26 192.168.0.3/26 192.168.0.2/26 R3 R2 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 192.168.3.3/24 192.168.3.9/24 192.168.2.9/24 192.168.2.2/24 192.168.1.1/24 192.168.1.9/24
    destination                gateway
    192.168.0.0/26             direct
    192.168.1.0/24             direct
    192.168.2.0/24             192.168.0.2
    192.168.3.0/24             192.168.0.3
    192.168.16.3/32            192.168.0.2
    0.0.0.0/0 (default gw)     192.168.0.3
    ● Routers talk to each other using a routing protocol (RIP, OSPF, BGP) ● Entries in the routing table are created automatically ● Admin must have good knowledge of the routing protocol
  • 33. www.glcnetworks.com Autonomous system (AS) ● A collection of routers and networks under one administration that applies a single routing policy ● An AS is identified by a number (Autonomous System Number - ASN), given by an RIR (Regional Internet Registry: APNIC, ARIN, RIPE, etc) 33 AS1 AS4 AS3 AS2
  • 34. www.glcnetworks.com Addressing, IANA, RIR ● The Internet is based on the IP (internet protocol) addressing scheme -> RFC791 ● Addressing has to be unique ● IANA (Internet Assigned Number Authority) regulates IP address allocation ● IANA delegates (some of its authority) to RIR (Regional Internet Registry) ● RIR delegates to country’s ● Every organisation must have an IP address block to join the internet and build a routing scheme among their equipment 34
  • 35. www.glcnetworks.com Asymmetric routing ● Currently, routing is done one-way only (outbound) ● Forwarding process on router is based on destination IP address ● There is no guarantee incoming path is similar to outgoing path ● We can only control outbound traffic 35 R1 192.168.0.1/26 192.168.0.3/26 R3 R2 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 192.168.3.3/24 192.168.3.9/24 192.168.2.9/24 192.168.2.2/24 192.168.1.1/24 192.168.1.9/24
  • 36. www.glcnetworks.com Private IP, public IP and NAT
    Public IP: ● Public IP is used globally (internet) ● Must be unique ● Usually borrowed from ISP (via ADSL, GPON, GSM, 4G, etc)
    Private IP (RFC1918): ● Private IP is used privately (internal organisation) ● Duplicated in many organisations
  • 40. www.glcnetworks.com Best Current Practice (BCP)? ● IETF creates RFCs (requests for comments), which contain the rules of how communication works ● BCP is a collection of RFCs for best current practices on various topics 40
  • 41. www.glcnetworks.com BCP 38 ● Implemented in RFC 2827 and RFC 3704 (for ISP) 41
  • 43. www.glcnetworks.com Reverse-path filtering (RFC3704) ● Disables/enables source validation. ○ no - No source validation. ○ strict - applies Strict Reverse Path. Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded. ○ loose - applies Loose Reverse Path. Each incoming packet's source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail. ● Recommendation: use strict mode to prevent the IP spoofing used in DDoS attacks. ● For asymmetric routing, complex routing, and VRRP cases, loose mode is recommended. 43 Diagram labels: R1 12.1.1.0/24 .1 .10 internet dst: y.y.y.y src: 12.1.1.99 dst: 12.1.1.10 src: x.x.x.x dst: x.x.x.x src: 12.1.1.10 .99
  • 44. www.glcnetworks.com TCP syncookies ● Send out syncookies when the SYN backlog queue of a socket overflows. ● This protects against the common 'SYN flood attack'. 44
  • 45. www.glcnetworks.com Live practice ● SSH client ● SSH parameters ○ SSH address ○ SSH port ○ SSH username ○ SSH password 45
  • 47. www.glcnetworks.com Interested? Just come to our training... ● Topics are arranged in systematic and logical way ● You will learn from experienced teacher ● Not only learn the materials, but also sharing experiences, best-practices, and networking 47
  • 48. www.glcnetworks.com End of slides ● Thank you for your attention ● Please submit your feedback: http://bit.ly/glcfeedback ● Find our further events on our website: https://www.glcnetworks.com ● Like our facebook page: https://www.facebook.com/glcnetworks ● Slide: https://www.slideshare.net/glcnetworks/ ● Discord (bahasa indonesia): https://discord.gg/6MZ3KUHHBX ● Recording (youtube): https://www.youtube.com/c/GLCNetworks ● Stay tuned to our schedule 48
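
The routing-table lookup from slides 26-27 and the strict/loose source validation from slide 43, worked through in Python as an added example (not part of the original slides and not RouterOS code). The interface names `ether1` and `ether2` and the sample packets are assumptions; the slides list only destination and gateway.

```python
import ipaddress

# R1's routing table from the slides. Interface names (ether1 = backbone,
# ether2 = LAN 192.168.1.0/24) are assumptions added for this example.
FIB = [
    ("192.168.16.3/32", "192.168.0.2", "ether1"),
    ("192.168.0.0/26",  "direct",      "ether1"),
    ("192.168.1.0/24",  "direct",      "ether2"),
    ("192.168.2.0/24",  "192.168.0.2", "ether1"),
    ("192.168.3.0/24",  "192.168.0.3", "ether1"),
    ("0.0.0.0/0",       "192.168.0.3", "ether1"),
]

def lookup(addr, fib=FIB):
    """Longest-prefix match: return (prefix, gateway, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, gateway, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return None if best is None else (str(best[0]), best[1], best[2])

def rp_filter(src, in_iface, mode, fib=FIB):
    """Source validation as slide 43 defines it. True means accept."""
    if mode == "no":
        return True
    route = lookup(src, fib)          # reverse lookup: route back to the source
    if route is None:
        return False                  # source unreachable: fails strict and loose
    if mode == "loose":
        return True                   # any route, even the default, is enough
    if mode == "strict":
        return route[2] == in_iface   # must arrive on the best reverse path
    raise ValueError(f"unknown mode: {mode}")

# Constructed sample packets: (source address, arrival interface, note)
PACKETS = [
    ("192.168.1.9", "ether2", "LAN host, genuine source"),
    ("203.0.113.7", "ether2", "LAN host with a forged outside source"),
    ("192.168.1.9", "ether1", "LAN address arriving from the backbone"),
]

if __name__ == "__main__":
    print("192.168.2.6 ->", lookup("192.168.2.6"))
    for src, iface, note in PACKETS:
        verdicts = {m: rp_filter(src, iface, m) for m in ("strict", "loose")}
        print(f"{src:<12} in={iface} {verdicts}  # {note}")
```

With the default route installed, loose mode accepts every source address, so only strict mode drops the forged packet arriving on `ether2`.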