The document discusses several approaches for securing multicast networks and traffic. It begins by outlining main security issues like unauthorized access, modification of traffic, and denial of service attacks. It then describes techniques for securing the edge of the multicast network, including filtering PIM messages, preventing RP mapping, using multicast boundaries, and passive interfaces. Additional methods covered include filtering multicast groups, using access control lists (ACLs) on trusted senders and receivers, and securing the rendezvous point (RP).
This document provides an overview and analysis of nation-state malware targeting telecommunications networks, specifically focusing on the Regin malware. It discusses the technical capabilities and architecture of Regin, analyzing how it infiltrates networks and implants modules. The document also explores other attack vectors such as SS7 and potential vulnerabilities in GPRS/IPX networks that malware could exploit. Dynamic demonstrations are provided of instrumenting Regin and simulating its attacks on networks and systems.
GRX is the global private network where telecom network operators exchange GPRS roaming traffic of their users. It’s also used for all M2M networks where roaming is used, and that is the case from some company’s truck fleet management system down to intelligence GPS location spybug tracking system.
GPRS has been there from 2.5G GSM networks to the upcoming LTE Advanced networks, and is now quite widespread technology, along with its attacks. GRX has had a structuring role in the global telecom world at a time where IP dominance was beginning to be acknowledged. Now it has expanded to a lightweight structure using both IP technologies and ITU-originated protocols.
In this presentation, we’ll see how this infrastructure is protected and how it can be attacked. We’ll discover the issues with specific telco equipment inside GRX, namely GGSN and SGSN but also now PDN Gateways in LTE and LTE Advanced “Evolved Packet Core”. We will see the implications of this with GTP protocol, DNS infrastructure, AAA servers and core network technologies such as MPLS, IPsec VPNs and their associated routing protocols. These network elements were rarely evaluated for security, and during our engagements with vulnerability analysis, we’ve seen several vulnerabilities that we will be showing in this speech.
We will demo some of the attacks on a simulated “PS Domain” network, that it the IP part of the Telecom Core Network that transports customers’ traffic, and investigate its relationships with legacy SS7, SIGTRAN IP backbones, M2M private corporate VPNs and telecom billing systems. We will also seem how automation enable us to succeed at attacks which are hard to perform and will show how a “sentinel” attack was able to compromise a telecom Core Network during one penetration test.
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisP1Security
HLR and HSS are the most important Telecom Equipment in an Operator Core
Network.
We are going to see that this so-called “Critical Infrastructure” is not
as robust as you could think, by exploring the some weaknesses of the
HLR/HSS equipment.
Plan:
* Virtualization of HLR/HSS, for instrumentation purposes
* HLR/HSS system analysis
* SS7/Diameter network fuzzing
* HLR/HSS binaries reverse
Securing network switches at the layer 2 level is important to prevent various attacks. The document outlines steps to secure administrative access to switches, protect the management port, turn off unused services and interfaces, and use features like DHCP snooping, dynamic ARP inspection (DAI), port security, and VLANs to mitigate attacks like VLAN hopping, STP manipulation, DHCP spoofing, ARP spoofing, CAM table overflows, and MAC address spoofing. Following configuration best practices and securing switches at layer 2 helps strengthen network security.
This document summarizes a chapter on network security from a CCNA certification study guide. It discusses types of security attacks and how to mitigate them using appliances like IDS and firewalls. It also covers using access control lists (ACLs) to filter network traffic by source/destination IP addresses, protocols, and port numbers. Standard ACLs filter by source IP only, while extended ACLs can filter additional fields. Named ACLs provide descriptive names. The document provides examples of creating and applying standard, extended, and named ACLs to network interfaces to control network access.
Preventing Traffic with Spoofed Source IP address
Presented by
Md. Abdullah Al Naser
Sr. Systems Specialist
MetroNet Bangladesh Ltd
Founder, Founder, mn -LAB
info@mn-lab.net
The document summarizes information about detecting BGP hijacks in 2014. It provides background on BGP, how prefixes are announced and removed, and examples of prefix hijacks. It describes how a hijacker redirected cryptocurrency miners to earn an estimated $83,000 from February to May 2014. It also outlines active and passive countermeasures networks can take to detect and mitigate against BGP hijacks.
This document provides an overview and analysis of nation-state malware targeting telecommunications networks, specifically focusing on the Regin malware. It discusses the technical capabilities and architecture of Regin, analyzing how it infiltrates networks and implants modules. The document also explores other attack vectors such as SS7 and potential vulnerabilities in GPRS/IPX networks that malware could exploit. Dynamic demonstrations are provided of instrumenting Regin and simulating its attacks on networks and systems.
GRX is the global private network where telecom network operators exchange GPRS roaming traffic of their users. It’s also used for all M2M networks where roaming is used, and that is the case from some company’s truck fleet management system down to intelligence GPS location spybug tracking system.
GPRS has been there from 2.5G GSM networks to the upcoming LTE Advanced networks, and is now quite widespread technology, along with its attacks. GRX has had a structuring role in the global telecom world at a time where IP dominance was beginning to be acknowledged. Now it has expanded to a lightweight structure using both IP technologies and ITU-originated protocols.
In this presentation, we’ll see how this infrastructure is protected and how it can be attacked. We’ll discover the issues with specific telco equipment inside GRX, namely GGSN and SGSN but also now PDN Gateways in LTE and LTE Advanced “Evolved Packet Core”. We will see the implications of this with GTP protocol, DNS infrastructure, AAA servers and core network technologies such as MPLS, IPsec VPNs and their associated routing protocols. These network elements were rarely evaluated for security, and during our engagements with vulnerability analysis, we’ve seen several vulnerabilities that we will be showing in this speech.
We will demo some of the attacks on a simulated “PS Domain” network, that it the IP part of the Telecom Core Network that transports customers’ traffic, and investigate its relationships with legacy SS7, SIGTRAN IP backbones, M2M private corporate VPNs and telecom billing systems. We will also seem how automation enable us to succeed at attacks which are hard to perform and will show how a “sentinel” attack was able to compromise a telecom Core Network during one penetration test.
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisP1Security
HLR and HSS are the most important Telecom Equipment in an Operator Core
Network.
We are going to see that this so-called “Critical Infrastructure” is not
as robust as you could think, by exploring the some weaknesses of the
HLR/HSS equipment.
Plan:
* Virtualization of HLR/HSS, for instrumentation purposes
* HLR/HSS system analysis
* SS7/Diameter network fuzzing
* HLR/HSS binaries reverse
Securing network switches at the layer 2 level is important to prevent various attacks. The document outlines steps to secure administrative access to switches, protect the management port, turn off unused services and interfaces, and use features like DHCP snooping, dynamic ARP inspection (DAI), port security, and VLANs to mitigate attacks like VLAN hopping, STP manipulation, DHCP spoofing, ARP spoofing, CAM table overflows, and MAC address spoofing. Following configuration best practices and securing switches at layer 2 helps strengthen network security.
This document summarizes a chapter on network security from a CCNA certification study guide. It discusses types of security attacks and how to mitigate them using appliances like IDS and firewalls. It also covers using access control lists (ACLs) to filter network traffic by source/destination IP addresses, protocols, and port numbers. Standard ACLs filter by source IP only, while extended ACLs can filter additional fields. Named ACLs provide descriptive names. The document provides examples of creating and applying standard, extended, and named ACLs to network interfaces to control network access.
Preventing Traffic with Spoofed Source IP address
Presented by
Md. Abdullah Al Naser
Sr. Systems Specialist
MetroNet Bangladesh Ltd
Founder, Founder, mn -LAB
info@mn-lab.net
The document summarizes information about detecting BGP hijacks in 2014. It provides background on BGP, how prefixes are announced and removed, and examples of prefix hijacks. It describes how a hijacker redirected cryptocurrency miners to earn an estimated $83,000 from February to May 2014. It also outlines active and passive countermeasures networks can take to detect and mitigate against BGP hijacks.
Over 91% percent malware uses DNS(As Cisco 2016 Annual Cyber security report).Nearly all the cryptominer stuffs uses DNS based C&C(As Cisco 2016 Annual Cyber security report)
RPZ allows a recursive server to control the behavior of responses to queries.Administrator to overlay custom information on
top of the global DNS to provide alternate responses to queries.
RPZ data is supplied as a DNS zone, and can be
loaded from a file or retrieved over the network by AXFR/IXFR.It works like firewall on cloud.DNS RPZ will block DNS resolution, machines connecting to the C&C via IP add
Our presentation to UKNOF in September 2020
In two very long nights of maintenance we acheived:
- Full table BGP on VyOS converge time in seconds
- Routing on MikroTiks converges near-instantly
- BCP38 (customers cannot spoof source address)
- IRR filtering* (only accept where route/route6 object)
- RPKI (will not accept invalid routes from P/T)
- Templated configuration (repeatable, automated) Single source of truth (the docs become the config)
Cohesive Networks Support Docs: VNS3 Setup for JuniperCohesive Networks
VNS3 Setup Guides for Popular Security Appliances (IPsec Configuration Instructions)
Learn how to set up VNS3 with SSG IPsec devices to get the most out of your VNS3 virtual network device.
SELTA develops and markets solutions Telco Operators and Service Providers Access Networks. With its technological innovations, SELTA supports operators in the modernization of network infrastructures which are increasingly service delivery oriented with a growing demand for bandwidth
The document discusses various reconnaissance and access attacks against Cisco networks, as well as countermeasures. It covers passive sniffing, port scans, ping sweeps, password attacks, trust exploitation, IP spoofing, DHCP/ARP attacks, and DoS/DDoS attacks. Defenses include switched networks, encryption, firewall rules, DHCP snooping, dynamic ARP inspection, rate limiting, and storm control.
This document provides recommendations for securing Cisco routers by tightening access controls and permissions. It recommends:
1. Creating a written router security policy that defines who can access and configure the router.
2. Commenting and organizing offline copies of router configurations and keeping them in sync with the live configurations.
3. Implementing access lists that only allow necessary protocols, ports, and IP addresses and deny all others.
4. Running the latest available IOS version and regularly testing router security.
This chapter discusses network security concepts like types of attacks, mitigation techniques, and access control lists. Standard access lists filter based on source IP addresses while extended lists can filter on additional attributes like destination IP, protocol, and port numbers. Access lists are applied to router interfaces to permit or deny traffic and are evaluated sequentially from top to bottom. They help control access to router VTY lines and filter inbound or outbound traffic.
The document discusses various network attacks such as unauthorized port access, DHCP spoofing, DHCP starvation, ARP spoofing, IP spoofing, CAM table overflows, VLAN hopping, spanning tree attacks, broadcast storms, routing protocol attacks, and SYN floods. It also provides recommendations to mitigate each attack such as configuring port security, DHCP snooping, dynamic ARP inspection, IP source guard, storm control, BPDU guard, root guard, authentication for routing protocols, and firewalls/IDS systems.
How to prevent ssh-tunneling using Palo Alto Networks NGFWYudi Arijanto
SSH tunneling is jus like secure vpn in which you can tunneling your application traffic through ssh protocol. From network security point of view, firewall admin can only see ssh tunneling running on port 22 in traditional firewall (port based control). Using NGFW, we can decrypt ssh protocol, and once ssh tunneling detected, we can block it right away.
Professional drones are now actively used across various industries to perform daily critical operations. In this awareness session, Nils Rodday will perform a live hack which exploits vulnerabilities of the professional drone and effectively compromises the security of the system to take over control. His session will also discuss practical fixes and approaches for remediating these issues.
(Source: RSA USA 2016-San Francisco)
The document discusses the configuration of network devices for a network topology. It includes:
1) A list of equipment used including Cisco switches and routers.
2) Diagrams of the Layer 2 and Layer 3 topologies, showing VLANs, routing protocols, and IP addressing.
3) Requirements and configuration sections detailing configurations for routing protocols like BGP, OSPF, EIGRP, services like NTP, and security features like NAT and CBAC.
The configurations provided implement an IBGP setup between routers, NTP synchronization, NAT for internal to external addressing, and CBAC to control external access to internal resources. Packet flows and debugging outputs validate the working of these configurations.
Full table BGP on VyOS converge time in seconds
Routing on MikroTiks converges near-instantly
BCP38 (customers cannot spoof source address)
IRR filtering (only accept where route/route6 object)
RPKI (will not accept invalid routes from P/T)
Templated configuration (repeatable, automated)
Single source of truth (the docs become the config)
VyOS SaltStack YAML Netbox BGP OSPF FRR RPKI IRR XDP
bgpq3 UTRS RTBH NetFlow
RIPE NCC Update 2019-10-02
PLNOG15: VidMon - monitoring video signal quality in Service Provider IP netw...PROIDEA
This document discusses Cisco's Vidmon solution for monitoring video quality in IP networks. It provides an overview of the challenges of transmitting video over IP, including QoS, monitoring and fault localization. It then describes how Vidmon can help operators actively monitor video streams, locate issues, and improve customer satisfaction. Benefits of deploying Vidmon in Vectra's network include faster fault identification, better problem diagnosis, cost savings, improved visibility of signal quality issues, and proactive monitoring.
The document discusses using open source tools pfSense and FRR to improve the security and reliability of Internet Service Provider (ISP) networks in Bangladesh. Case studies show how pfSense implemented as a firewall and router can block malware and threats based on intelligence feeds. This provides a better user experience than MikroTik routers by filtering attacks and bad actors at the core network level. The solution is low cost and easy for ISPs to implement and maintain.
The TK-90 HF transceiver provides reliable communications through powerful 100W transmission, 300 memory channels, and compatibility with remote control and optional voice recording accessories. It features a compact, rugged design suited for mobile or base station use along with enhanced audio quality, programmable function keys, and data connectivity options.
This presentation by Westermo’s Technical Lead Engineers Dakota Diehl and Benjamin Campbell, is an integral part of the Westermo webinar held on April 30th 2020, covering how to simplify your network management using Westermo software tools WeConnect and WeConfig.
Watch the webinar session here: https://www.westermo.com/news-and-events/webinars/simplify-your-network-management-using-software-tools
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.Sumutiu Marius
This document discusses layer 2 security attacks on Ethernet switches and their mitigation. It begins with an overview of layer 2 attacks and caveats. It then discusses specific MAC address attacks like CAM overflow attacks, which can be used to flood a switch's CAM table and cause traffic to flood on a VLAN. The document recommends port security features on switches to mitigate MAC flooding attacks by limiting the number of MAC addresses that can be learned or used on a particular port.
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...Jiunn-Jer Sun
Agenda
• IEC 62443 IACS standard
• Scope and why
• DHCP protocol and how it works
• DHCP’s Vulnerabilities
• Types of Cyber Attacks to DHCP
• Defense by network security DHCP Snooping
• Korenix products with advanced security features
The document discusses various hacking techniques for Cisco networks, including reconnaissance attacks like port scanning and sniffing, active attacks like password cracking and trust exploitation, and external attacks like IP spoofing and denial of service. It then covers defenses like authentication, encryption, access control lists, rate limiting, DHCP snooping, and storm control to mitigate risks from these hacking methods.
The document provides instructions for configuring multicast routing on ACI. It includes 9 steps: 1) enable multicast on the tenant, 2) create a multicast bridge domain, 3) create an IGMP policy, 4) create additional IGMP policies, 5) create an L3 interface policy for border leafs, 6) create an IGMP policy for border leafs, 7) create a PIM policy for border leafs, 8) configure an RP, and 9) verify the multicast configuration. The document also provides CLI commands for troubleshooting multicast routing and lists some limitations.
Over 91% percent malware uses DNS(As Cisco 2016 Annual Cyber security report).Nearly all the cryptominer stuffs uses DNS based C&C(As Cisco 2016 Annual Cyber security report)
RPZ allows a recursive server to control the behavior of responses to queries.Administrator to overlay custom information on
top of the global DNS to provide alternate responses to queries.
RPZ data is supplied as a DNS zone, and can be
loaded from a file or retrieved over the network by AXFR/IXFR.It works like firewall on cloud.DNS RPZ will block DNS resolution, machines connecting to the C&C via IP add
Our presentation to UKNOF in September 2020
In two very long nights of maintenance we acheived:
- Full table BGP on VyOS converge time in seconds
- Routing on MikroTiks converges near-instantly
- BCP38 (customers cannot spoof source address)
- IRR filtering* (only accept where route/route6 object)
- RPKI (will not accept invalid routes from P/T)
- Templated configuration (repeatable, automated) Single source of truth (the docs become the config)
Cohesive Networks Support Docs: VNS3 Setup for JuniperCohesive Networks
VNS3 Setup Guides for Popular Security Appliances (IPsec Configuration Instructions)
Learn how to set up VNS3 with SSG IPsec devices to get the most out of your VNS3 virtual network device.
SELTA develops and markets solutions Telco Operators and Service Providers Access Networks. With its technological innovations, SELTA supports operators in the modernization of network infrastructures which are increasingly service delivery oriented with a growing demand for bandwidth
The document discusses various reconnaissance and access attacks against Cisco networks, as well as countermeasures. It covers passive sniffing, port scans, ping sweeps, password attacks, trust exploitation, IP spoofing, DHCP/ARP attacks, and DoS/DDoS attacks. Defenses include switched networks, encryption, firewall rules, DHCP snooping, dynamic ARP inspection, rate limiting, and storm control.
This document provides recommendations for securing Cisco routers by tightening access controls and permissions. It recommends:
1. Creating a written router security policy that defines who can access and configure the router.
2. Commenting and organizing offline copies of router configurations and keeping them in sync with the live configurations.
3. Implementing access lists that only allow necessary protocols, ports, and IP addresses and deny all others.
4. Running the latest available IOS version and regularly testing router security.
This chapter discusses network security concepts like types of attacks, mitigation techniques, and access control lists. Standard access lists filter based on source IP addresses while extended lists can filter on additional attributes like destination IP, protocol, and port numbers. Access lists are applied to router interfaces to permit or deny traffic and are evaluated sequentially from top to bottom. They help control access to router VTY lines and filter inbound or outbound traffic.
The document discusses various network attacks such as unauthorized port access, DHCP spoofing, DHCP starvation, ARP spoofing, IP spoofing, CAM table overflows, VLAN hopping, spanning tree attacks, broadcast storms, routing protocol attacks, and SYN floods. It also provides recommendations to mitigate each attack such as configuring port security, DHCP snooping, dynamic ARP inspection, IP source guard, storm control, BPDU guard, root guard, authentication for routing protocols, and firewalls/IDS systems.
How to prevent ssh-tunneling using Palo Alto Networks NGFWYudi Arijanto
SSH tunneling is jus like secure vpn in which you can tunneling your application traffic through ssh protocol. From network security point of view, firewall admin can only see ssh tunneling running on port 22 in traditional firewall (port based control). Using NGFW, we can decrypt ssh protocol, and once ssh tunneling detected, we can block it right away.
Professional drones are now actively used across various industries to perform daily critical operations. In this awareness session, Nils Rodday will perform a live hack which exploits vulnerabilities of the professional drone and effectively compromises the security of the system to take over control. His session will also discuss practical fixes and approaches for remediating these issues.
(Source: RSA USA 2016-San Francisco)
The document discusses the configuration of network devices for a network topology. It includes:
1) A list of equipment used including Cisco switches and routers.
2) Diagrams of the Layer 2 and Layer 3 topologies, showing VLANs, routing protocols, and IP addressing.
3) Requirements and configuration sections detailing configurations for routing protocols like BGP, OSPF, EIGRP, services like NTP, and security features like NAT and CBAC.
The configurations provided implement an IBGP setup between routers, NTP synchronization, NAT for internal to external addressing, and CBAC to control external access to internal resources. Packet flows and debugging outputs validate the working of these configurations.
Full table BGP on VyOS converge time in seconds
Routing on MikroTiks converges near-instantly
BCP38 (customers cannot spoof source address)
IRR filtering (only accept where route/route6 object)
RPKI (will not accept invalid routes from P/T)
Templated configuration (repeatable, automated)
Single source of truth (the docs become the config)
VyOS SaltStack YAML Netbox BGP OSPF FRR RPKI IRR XDP
bgpq3 UTRS RTBH NetFlow
RIPE NCC Update 2019-10-02
PLNOG15: VidMon - monitoring video signal quality in Service Provider IP netw...PROIDEA
This document discusses Cisco's Vidmon solution for monitoring video quality in IP networks. It provides an overview of the challenges of transmitting video over IP, including QoS, monitoring and fault localization. It then describes how Vidmon can help operators actively monitor video streams, locate issues, and improve customer satisfaction. Benefits of deploying Vidmon in Vectra's network include faster fault identification, better problem diagnosis, cost savings, improved visibility of signal quality issues, and proactive monitoring.
The document discusses using open source tools pfSense and FRR to improve the security and reliability of Internet Service Provider (ISP) networks in Bangladesh. Case studies show how pfSense implemented as a firewall and router can block malware and threats based on intelligence feeds. This provides a better user experience than MikroTik routers by filtering attacks and bad actors at the core network level. The solution is low cost and easy for ISPs to implement and maintain.
The TK-90 HF transceiver provides reliable communications through powerful 100W transmission, 300 memory channels, and compatibility with remote control and optional voice recording accessories. It features a compact, rugged design suited for mobile or base station use along with enhanced audio quality, programmable function keys, and data connectivity options.
This presentation by Westermo’s Technical Lead Engineers Dakota Diehl and Benjamin Campbell, is an integral part of the Westermo webinar held on April 30th 2020, covering how to simplify your network management using Westermo software tools WeConnect and WeConfig.
Watch the webinar session here: https://www.westermo.com/news-and-events/webinars/simplify-your-network-management-using-software-tools
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.Sumutiu Marius
This document discusses layer 2 security attacks on Ethernet switches and their mitigation. It begins with an overview of layer 2 attacks and caveats. It then discusses specific MAC address attacks like CAM overflow attacks, which can be used to flood a switch's CAM table and cause traffic to flood on a VLAN. The document recommends port security features on switches to mitigate MAC flooding attacks by limiting the number of MAC addresses that can be learned or used on a particular port.
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...Jiunn-Jer Sun
Agenda
• IEC 62443 IACS standard
• Scope and why
• DHCP protocol and how it works
• DHCP’s Vulnerabilities
• Types of Cyber Attacks to DHCP
• Defense by network security DHCP Snooping
• Korenix products with advanced security features
The document discusses various hacking techniques for Cisco networks, including reconnaissance attacks like port scanning and sniffing, active attacks like password cracking and trust exploitation, and external attacks like IP spoofing and denial of service. It then covers defenses like authentication, encryption, access control lists, rate limiting, DHCP snooping, and storm control to mitigate risks from these hacking methods.
The document provides instructions for configuring multicast routing on ACI. It includes 9 steps: 1) enable multicast on the tenant, 2) create a multicast bridge domain, 3) create an IGMP policy, 4) create additional IGMP policies, 5) create an L3 interface policy for border leafs, 6) create an IGMP policy for border leafs, 7) create a PIM policy for border leafs, 8) configure an RP, and 9) verify the multicast configuration. The document also provides CLI commands for troubleshooting multicast routing and lists some limitations.
This document discusses participant access control in IP multicasting. It begins with an overview of existing IP multicast protocols like IGMP and PIM-SM. It then discusses the need for access control to prevent attacks from unauthorized senders and receivers. The remainder of the document proposes an access control architecture that uses AAA protocols to authenticate participants and control their access through extensions to IGMP and the use of protocols like PANA and IKEv2.
Catalyst Smart Operations : Simplify Your NetworkCisco Russia
This document discusses several Cisco Catalyst Smart Operations technologies including Auto Secure, Interface Templates, Easy VSS, and AutoConf. Auto Secure simplifies security configuration with one command to enable DHCP snooping, ARP inspection, and port security globally and per port. Interface Templates provide predefined configurations that can be applied to interfaces with one command. AutoConf automates the application of Interface Templates to simplify network configuration.
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecCisco Russia
The document discusses using BGP FlowSpec to provide network security for an internet service provider. It begins with an introduction to BGP FlowSpec, describing its components and how rules are distributed using BGP. It then covers using BGP FlowSpec for different DDoS mitigation scenarios, including stateless amplification attacks, stateless L3/L4 attacks, and stateful attacks targeting application resources. Configuration and other use cases are also briefly mentioned.
The document discusses router and routing protocol attacks. It provides an overview of common routing protocols like RIP, OSPF, BGP and discusses their vulnerabilities. Specific attacks against these protocols are described like route injection attacks, spoofing, denial of service attacks. The document emphasizes the need for routing protocol security best practices like authentication, access control and monitoring to prevent such attacks.
PLNOG14: Czy można żyć bez systemu ochrony przed atakami DDoS - Marek JanikPROIDEA
Marek Janik - Huawei
Language: Polish
W trakcie sesji postaram sie zaprezentować sposoby ochrony sieci przed atakami DDoS, zarówno ogólno dostępnych, specjalizowanych oraz jako forma usługi od operatora lub dedykowanej firmy. Po prezentacji będzie można samemu ocenić czy „jakieś” i „jakie” rozwiązanie AntiDDoS jest potrzebne ze względu na prowadzona działalność w Internecie.
Zarejestruj się na kolejną edycję PLNOG już dzisiaj: krakow.plnog.pl
The document discusses security considerations for network design across layers 2-4. It covers topics like VLANs, STP, ARP, DHCP, wireless access, subnetting, NAT, ICMP, routing protocols, router hardening, asymmetric routing, and DoS attacks and mitigations at the network and transport layers. It provides details on potential issues and recommended defenses for many common protocols and network design elements.
TakeDownCon Rocket City: Bending and Twisting Networks by Paul CogginEC-Council
This document provides technical summaries of various network attacks and exploitation techniques. It begins with an overview of the author's background and experience in network security. It then summarizes several methods, including exploiting SNMP configurations, manipulating routing tables through policy routing, using GRE and ERSPAN tunnels to enable remote packet capture, exploiting DLSw to tunnel traffic covertly, and exploiting lawful intercept functions to duplicate traffic. The goal is to educate about various risks while maintaining an instructional tone.
The document provides an overview of the CCNA certification and covers topics like internetworking, IP addressing, routing protocols, Cisco IOS, and more. It begins with an introduction to computer networks and protocols. Then it discusses the OSI reference model, IP addressing fundamentals, routing protocols like RIP, IGRP, EIGRP and OSPF, Cisco IOS configuration, and IP routing. The document serves as a study guide for CCNA exam topics at a high level.
The document discusses various types of firewall technologies used to control access between trusted and untrusted networks. It describes packet filtering, session filtering, application-level gateways, and circuit-level proxies. Packet filtering makes decisions on individual packets while session filtering tracks connection state. Application gateways understand specific protocols while circuit proxies operate at the transport layer. The document also covers network address translation, encryption, spoofing attacks, and fragmentation attacks against firewalls.
A firewall is a choke point that controls and monitors network traffic between networks of differing trust levels. It imposes restrictions on network services by only allowing authorized traffic and auditing access. Firewalls can be characterized by the protocol level they control, including packet filtering, circuit gateways, and application gateways. A dynamic packet filter combines these approaches and captures the semantics of network connections.
This chapter discusses network security concepts like types of attacks, mitigation techniques, and access control lists. Standard access lists filter based on source IP addresses while extended lists can filter on additional attributes like destination address, protocol, and port numbers. Access lists are applied to router interfaces to permit or deny traffic and help implement security policies. The document provides examples of how to configure standard and extended access lists on Cisco routers to control network access.
This document provides an overview of routing protocols and network security concepts. It discusses distance vector protocols like RIP, path vector protocols like BGP, and link state protocols like OSPF. It covers routing attacks such as source routing, spoofing, and man-in-the-middle attacks. It also discusses secure routing requirements and authentication methods used in protocols.
The presentation introduces the group's network and firewall architecture, including a public DMZ, private DMZ, and internal network. It discusses packet filtering and configuring iptables rules to allow certain traffic to the public DMZ servers while blocking other traffic. It also covers tweaks to prevent common attacks like IP spoofing, IP smurfing, SYN flooding and ping flooding through techniques like disabling IP spoofing and source routing, enabling SYN cookies, and rate limiting ICMP echo requests.
Giai phap bao mat - so sanh switch bao mat cua HDN va switch cua CiscoTran Thanh Song
1. The document compares the security features of HDN switches and Cisco switches. HDN switches contain integrated security capabilities like detecting and blocking malware packets without port blocking.
2. HDN switches automatically detect anomalies and generate alerts. They support monitoring via VNM and include logging. In comparison, Cisco uses separate security appliances like CSA and Cisco Prime LMS.
3. HDN switches are managed through the VNM management tool while Cisco uses its own management systems.
This document discusses firewall technologies and how they work to secure networks. It begins by defining what a firewall is and its purpose of controlling access between trusted and untrusted networks. It then explains different types of firewalls including packet filtering, stateful inspection, proxies, and how each works. The document also covers topics like filtering, spoofing, fragmentation attacks, and how firewalls can help prevent these threats while noting limitations.
This document summarizes a presentation given at Defcon 16 about performing an Internet-scale man-in-the-middle attack by hijacking BGP routes. The attack works by originating a route for the target's IP space and setting the AS path to include the ASes along the normal route to the target. Return traffic is then sent back along this engineered path, allowing the attacker to intercept and manipulate traffic without detection. Proper adjustment of TTL values is also described to anonymize the hijacking router and outbound networks. A live demo is said to be part of the presentation agenda.
VoIP security involves threats like denial of service attacks, eavesdropping, and quality of service issues. Best practices include using firewalls with application layer gateways or session border controllers, encrypting media and signaling, prioritizing bandwidth for VoIP, and restricting access to call managers through physical and logical security measures. NIST recommends logically separate networks, endpoint encryption, and avoiding vulnerabilities in softphones and wireless networks without encryption.
PLNOG16: Bezpieczeństwo w sieci operatora, Sebastian PasternackiPROIDEA
The document discusses network security training that includes an exercise on responding to threats and mitigating distributed denial-of-service (DDoS) attacks, as well as configuring security tools like Control Plane Policing (CoPP) and remote triggered black hole (RTBH) routing.
Similar to PLNOG 9: Piotr Wojciechowski - Multicast Security (20)
This presentation by Professor Alex Robson, Deputy Chair of Australia’s Productivity Commission, was made during the discussion “Competition and Regulation in Professions and Occupations” held at the 77th meeting of the OECD Working Party No. 2 on Competition and Regulation on 10 June 2024. More papers and presentations on the topic can be found at oe.cd/crps.
This presentation was uploaded with the author’s consent.
This presentation by Thibault Schrepel, Associate Professor of Law at Vrije Universiteit Amsterdam University, was made during the discussion “Artificial Intelligence, Data and Competition” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/aicomp.
This presentation was uploaded with the author’s consent.
This presentation by OECD, OECD Secretariat, was made during the discussion “Competition and Regulation in Professions and Occupations” held at the 77th meeting of the OECD Working Party No. 2 on Competition and Regulation on 10 June 2024. More papers and presentations on the topic can be found at oe.cd/crps.
This presentation was uploaded with the author’s consent.
Carrer goals.pptx and their importance in real lifeartemacademy2
Career goals serve as a roadmap for individuals, guiding them toward achieving long-term professional aspirations and personal fulfillment. Establishing clear career goals enables professionals to focus their efforts on developing specific skills, gaining relevant experience, and making strategic decisions that align with their desired career trajectory. By setting both short-term and long-term objectives, individuals can systematically track their progress, make necessary adjustments, and stay motivated. Short-term goals often include acquiring new qualifications, mastering particular competencies, or securing a specific role, while long-term goals might encompass reaching executive positions, becoming industry experts, or launching entrepreneurial ventures.
Moreover, having well-defined career goals fosters a sense of purpose and direction, enhancing job satisfaction and overall productivity. It encourages continuous learning and adaptation, as professionals remain attuned to industry trends and evolving job market demands. Career goals also facilitate better time management and resource allocation, as individuals prioritize tasks and opportunities that advance their professional growth. In addition, articulating career goals can aid in networking and mentorship, as it allows individuals to communicate their aspirations clearly to potential mentors, colleagues, and employers, thereby opening doors to valuable guidance and support. Ultimately, career goals are integral to personal and professional development, driving individuals toward sustained success and fulfillment in their chosen fields.
Collapsing Narratives: Exploring Non-Linearity • a micro report by Rosie WellsRosie Wells
Insight: In a landscape where traditional narrative structures are giving way to fragmented and non-linear forms of storytelling, there lies immense potential for creativity and exploration.
'Collapsing Narratives: Exploring Non-Linearity' is a micro report from Rosie Wells.
Rosie Wells is an Arts & Cultural Strategist uniquely positioned at the intersection of grassroots and mainstream storytelling.
Their work is focused on developing meaningful and lasting connections that can drive social change.
Please download this presentation to enjoy the hyperlinks!
XP 2024 presentation: A New Look to Leadershipsamililja
Presentation slides from XP2024 conference, Bolzano IT. The slides describe a new view to leadership and combines it with anthro-complexity (aka cynefin).
Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...SkillCertProExams
• For a full set of 760+ questions. Go to
https://skillcertpro.com/product/databricks-certified-data-engineer-associate-exam-questions/
• SkillCertPro offers detailed explanations to each question which helps to understand the concepts better.
• It is recommended to score above 85% in SkillCertPro exams before attempting a real exam.
• SkillCertPro updates exam questions every 2 weeks.
• You will get life time access and life time free updates
• SkillCertPro assures 100% pass guarantee in first attempt.
This presentation by OECD, OECD Secretariat, was made during the discussion “Artificial Intelligence, Data and Competition” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/aicomp.
This presentation was uploaded with the author’s consent.
This presentation by Juraj Čorba, Chair of OECD Working Party on Artificial Intelligence Governance (AIGO), was made during the discussion “Artificial Intelligence, Data and Competition” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/aicomp.
This presentation was uploaded with the author’s consent.
Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend...Suzanne Lagerweij
This is a workshop about communication and collaboration. We will experience how we can analyze the reasons for resistance to change (exercise 1) and practice how to improve our conversation style and be more in control and effective in the way we communicate (exercise 2).
This session will use Dave Gray’s Empathy Mapping, Argyris’ Ladder of Inference and The Four Rs from Agile Conversations (Squirrel and Fredrick).
Abstract:
Let’s talk about powerful conversations! We all know how to lead a constructive conversation, right? Then why is it so difficult to have those conversations with people at work, especially those in powerful positions that show resistance to change?
Learning to control and direct conversations takes understanding and practice.
We can combine our innate empathy with our analytical skills to gain a deeper understanding of complex situations at work. Join this session to learn how to prepare for difficult conversations and how to improve our agile conversations in order to be more influential without power. We will use Dave Gray’s Empathy Mapping, Argyris’ Ladder of Inference and The Four Rs from Agile Conversations (Squirrel and Fredrick).
In the session you will experience how preparing and reflecting on your conversation can help you be more influential at work. You will learn how to communicate more effectively with the people needed to achieve positive change. You will leave with a self-revised version of a difficult conversation and a practical model to use when you get back to work.
Come learn more on how to become a real influencer!
This presentation by OECD, OECD Secretariat, was made during the discussion “Pro-competitive Industrial Policy” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/pcip.
This presentation was uploaded with the author’s consent.
2. ABOUT ME
¢ Senior Network Engineer MSO at VeriFone Inc.
¢ Previously Network Solutions Architect at one of top
polish IT integrators
¢ CCIE #25543 (Routing & Switching)
¢ Blogger – http://ccieplayground.wordpress.com
¢ Administrator of CCIE.PL board
— The biggest Cisco community in Europe
— Over 6100 users
— 3 admin, 7 moderators
— 48 polish CCIEs as members, 20 of them actively posting
— About 150 new topics per month
— About 1000 posts per month
— English section available!
3. AGENDA
¢ Main security issues
¢ Securing the edge of multicast network
¢ Trusted and secure sender/receiver
¢ Dense Mode Fallback problems
¢ Tunneled multicasts
¢ Admission control
5. MAIN SECURITY ISSUES
¢ Why to control?
— Access control – permit specified sources/destinations
— Policies
— Admission – can we transport multicast?
¢ Where to deploy security?
— Local router/switch
— policy-server
6. MAIN SECURITY ISSUES
¢ What we have to protect?
— Content and services
— Device control-plane
— Data plane protection – saturation of network links
¢ How we can protect?
— Packet filtering
— Registration filtering
— State creation
— Encryption
7. MAIN SECURITY ISSUES
¢ Threat overview
— Threats against confidentiality
¢ Must multicast applications does not encrypt data – traffic can
be eavesdropped
— Threats against traffic integrity
¢ Without application-level security or network-based security
multicast traffic is open to being modified in transit
— Threats against network integrity
¢ Unauthorized senders, receivers, or compromised network
elements can access the multicast network, send and receive
traffic without authorization or overload network resources.
— Threats against availability
¢ There are a number of denial of service attack possibilities that
can make resources unavailable to legitimate users
8. MAIN SECURITY ISSUES
¢ Threats from the sender side
— Layer 2 attacks – not multicast specific but still
dangerous
— Masquerading – sender can pretend to be another
sender (ie. Source IP Spoofing)
— Theft of service – without proper control it is possible to
use the multicast service illegitimately from the sender
side
9. MAIN SECURITY ISSUES
¢ Threats from the sender side
— Attacks with multicast traffic
¢ Network saturation
¢ Multicast state attack – to many states created on router
¢ Attempt to become PIM DF on LAN segment
¢ Fake RP announcement to disrupt PIM-SM/BiDir service –
spoofing AutoRP or BSR
¢ Unauthorized sender
¢ Attacks against control-plane using multicast traffic (ie. OSPF
multicast traffic)
10. MAIN SECURITY ISSUES
¢ Threats from the receiver side
— Similar attacks as for sender side
— Layer2 attacks
— Masquerading and thief of data
— Attack vector usually an IGMP
11. MAIN SECURITY ISSUES
¢ Threats against a Rendezvous Point and BSR
— PIM-SM RP and PIM-BSRs are critical points in
multicast network
— Vulnerable to all forms of attacks described before
— Additionally:
¢ PIM Unicast attacks with source IP Spoofing
¢ DoS attacks by sending PIM Register and PIM Register-stop
messages
13. SECURING MULTICAST EDGE
¢ Multicast PIM Control Packets:
— Hello, Join/Prune, Assert etc.
— All messages are link-local (TTL=1)
— Destination All-PIM-Routers (224.0.0.13)
— Attack must originate on the same subnet
¢ Unicast PIM Control Packets:
— Register, Register-Stop, C-RP-Advertisement
— Attacks can originate from anywhere
14. SECURING MULTICAST EDGE
FILTERING PIM MESSAGES
¢ Filter all PIM packets from untrusted sources
— Router must receive PIM Hellos to establish relation
— PIM packets can be filtered
— It’s not spoofing-proof
15. SECURING MULTICAST EDGE
FILTERING PIM MESSAGES
¢ Filter all PIM packets from untrusted sources
interface
Ethernet0/0
ip
address
10.0.12.1
255.255.255.0
ip
pim
neighbor-‐filter
PIM-‐FILTER
!
ip
access-‐list
standard
PIM-‐FILTER
permit
10.0.0.1
16. SECURING MULTICAST EDGE
PREVENT RP MAPPING
¢ RP Announce Filter
— Configure it on Mapping Agent
— Specify which IP addresses are accepted as RP
Candidates for which groups.
ip
pim
rp-‐announce-‐filter
rp-‐list
RP
group-‐list
MGROUPS
!
ip
access-‐list
standard
MGROUPS
permit
224.0.0.0
15.255.255.255
ip
access-‐list
standard
RP
permit
10.0.0.2
permit
10.0.0.3
For what groups MA
should accept C-RP
List of allowed C-RP’s
17. SECURING MULTICAST EDGE
MULTICAST NETWORK BOUNDARY
¢ Multicast boundary
— Administratively scoped boundary on an interface in
order to filter source traffic coming into the interface
— Prevent mroute states from being created on the
interface
— Enables reuse of the same multicast group address in
different administrative domains
— Filter data and control plane traffic including IGMP,
PIM, and Auto-RP messages. PIM Register messages are
sent using unicast and will not be filtered.
19. SECURING MULTICAST EDGE
MULTICAST NETWORK BOUNDARY
¢ BSR Border
— BSR message filtering applied to interface
— Protects from both sending and receiving BSR messages
— Does not set up multicast boundary
20. SECURING MULTICAST EDGE
PIM PASSIVE
¢ PIM Passive Interface
— No PIM messages are sent or received
— Router does not join to 224.0.0.13
— No AutoRP or BSR messages are sent
— Unicast PIM Packets unaffected
— Configure only on non-redundant segments!
interface
Ethernet0/0
ip
address
10.0.12.1
255.255.255.0
ip
pim
passive
21. SECURING MULTICAST EDGE
MULTICAST GROUP FILTERING
¢ Multicast groups filtering
— New and nice way to filter all multicast traffic for
particular groups
— Introduced in IOS 12.2(33)SXI, 12.2(33)SRE, 15.0(1)M;
IOS XR 2.6
— Disables multicast protocol actions and traffic
forwarding for unauthorized groups or channels for all
interfaces on the router
— No IGMP/MLD cache entries, PIM, MRIB/MFIB state
are ever created for these group ranges and all data
packets are immediately dropped
22. SECURING MULTICAST EDGE
MULTICAST GROUP FILTERING
¢ Multicast groups filtering
— VRF aware
— Access-list that defines the multicast groups or channels
to be permitted or denied globally
¢ Standard ACL for groups
¢ Extended ACL for (S,G)
— AutoRP have to be explicitly permitted, otherwise it
would be filtered
ip
multicast
group-‐range
1
!
access-‐list
1
permit
224.0.1.39
0.0.0.0
access-‐list
1
permit
224.0.1.40
0.0.0.0
access-‐list
1
permit
239.0.0.0
0.255.255.255
24. TRUSTED AND SECURE SENDER/RECEIVER
ACL ON THE EDGE
¢ Many multicast security issues originating at the
sender can be mitigated with appropriate unicast
security mechanisms
— Source address spoofing protection (uRPF and ACL with
IP Source Guard for the access layer)
— Infrastructure ACL
interface
GigabitEthernet0/0
ip
access-‐group
permit_mcast
ip
access-‐list
extended
permit_mcast
permit
10.0.0.0
0.0.0.255
239.0.0.0
0.127.255.255
deny
ip
any
224.0.0.0
15.255.255.255
log
permit
ip
any
any
25. TRUSTED AND SECURE SENDER/RECEIVER
ACL ON THE EDGE
¢ Advantages of ACLs:
— Done in hardware on most platforms
— Filters before multicast routing occurs so no states are
created if denied
— Best for ingress filtering
— Search documentation for best practice examples
26. TRUSTED AND SECURE SENDER/RECEIVER
ACL ON THE EDGE
ip
access-‐list
extended
igmp-‐control
…
deny
igmp
any
any
pim
!
No
PIMv1
deny
igmp
any
any
dvmrp
!
No
DVMRP
packets
deny
igmp
any
any
host-‐query
!
Do
not
use
this
command
with
redundant
routers.
!
In
that
case
this
packet
type
is
required
permit
igmp
any
host
224.0.0.22
!
IGMPv3
membership
reports
permit
igmp
any
any
14
!
Mtrace
responses
permit
igmp
any
any
15
!
Mtrace
queries
permit
igmp
any
224.0.0.0
15.255.255.255
host-‐query
!
IGMPv1/v2/v3
queries
permit
igmp
any
224.0.0.0
15.255.255.255
host-‐report
!
IGMPv1/v2
reports
permit
igmp
any
224.0.0.0
15.255.255.255
7
!
IGMPv2
leave
messages
deny
igmp
any
any
!
Implicitly
deny
unicast
IGMP
here!
…
permit
ip
any
any
!
Permit
other
packets
interface
ethernet
0
ip
access-‐group
igmp-‐control
in
27. TRUSTED AND SECURE SENDER/RECEIVER
ACL ON THE EDGE
¢ IGMP Filtering
— Controls entries into IGMP cache
— Extended ACL – you know how to do it!
28. TRUSTED AND SECURE SENDER/RECEIVER
SOURCE CONTROL
¢ Rendezvous Point gives a single point of control for all sources
in the network for any group range in ASM and PIM-SM
networks
¢ (S,G) is not created on RP but still is on FHR
¢ It’s control-plane – possibility to DDoS RP.
¢ Works best with other edge filtering methods
29. TRUSTED AND SECURE SENDER/RECEIVER
SECURING RECEIVER
¢ Control IGMP on receiver side
— IGMP is enabled by default if multicasts are enabled
— IGMP carries protocols – PIMv1, Mrinfo, DVMRP, Mtrace
— Unicast IGMP should always be filtered – those are used
in special situations like unidirectional links
— If single IGMP querier is present on non-redundant
segment then IGMP queries should be dropped
30. TRUSTED AND SECURE SENDER/RECEIVER
SECURING RECEIVER
¢ Restrict which multicast sources receiver can join
— For ASM filter basing on destination address
— For SSM using IGMPv3 filter basing on source and
destination address
32. DENSE MODE FALLBACK PROBLEMS
¢ Dense Mode Fallback occurs when RP information
is lost
— PIM determines whether a multicast group operates in
PIM-DM or PIM sparse-dense mode based solely on the
existence of RP information in the group-to-RP mapping
cache
¢ It’s event, when PIM mode falling back from sparse
mode to dense mode
— Dense mode flooding occurs
33. DENSE MODE FALLBACK PROBLEMS
¢ Dense Mode Fallback Prevention provides a method
for:
— Preventing Dense Mode Fallback
— Blocking multicast traffic for groups not specifically
configured (there is no RP for the group)
¢ By default Dense Mode Fallback is enabled
— Except when all interfaces are configured in PIM Sparse
Mode (not PIM Sparse-Dense Mode)
34. DENSE MODE FALLBACK PROBLEMS
ip
multicast-‐routing
ip
pim
send-‐rp-‐announce
ethernet
0
scope
16
group-‐list
1
ip
pim
rp-‐address
10.8.0.20
1
no
ip
pim
dm-‐fallback
!
interface
ethernet
0/0
ip
pim
sparse-‐dense-‐mode
36. ADMISSION CONTROL
¢ Control-plane protection
¢ Resource allocation
¢ Bandwidth protection from congestion
¢ Content-based policies
¢ Subscriber-based policies
37. ADMISSION CONTROL
¢ Limiting number of multicast routes in mroute
table
— No new entries created after reaching limit
— Syslog warning beyond threshold point
— vrf-aware
39. ADMISSION CONTROL
¢ Limiting mroute
state for PIM
and IGMP per
interface
¢ Egress
admission
control
¢ Ingress
admission
control
40. ADMISSION CONTROL
¢ Limit the number of IGMP groups joined both globally
and per interface
ip
igmp
limit
100
¢ Exceptions can be defined by ACL
ip
igmp
limit
100
except
MCAST-‐GRP
!
ip
access-‐list
extended
MCAST-‐GRP
permit
ip
any
host
239.255.255.254
deny
ip
any
any
43. TUNNELLED MULTICAST
¢ IPSec point-to-point tunnel interfaces since late 12.3T
permits to encrypt multicast traffic
¢ Multicast for GET VPN since 12.4(6)T
— Including control-plane security
¢ Manual key distribution or RFC3547 GDOI (Group
Domain of Interpretation)
44. TUNNELLED MULTICAST
¢ GDOI Implementation
— Group members register
with the key server –
IPsec policy and keys that
are necessary for encrypt
and decrypt IP Multicast
packets are distributed
— Group members exchange
IP Multicast packets that
are encrypted using IPSec
— As needed, the key server
pushes a rekey message to
the group members
46. TUNNELLED MULTICAST
¢ GDOI – few facts:
— It’s not IKE!
— Uses UDP port 848
— Not negotiated – server push keys and policies
— No keepalives
47. TUNNELLED MULTICAST
¢ Secure PIM control traffic
— Encrypt and Authenticate PIM Packets
— Crypt map for 224.0.0.13 (PIM Control Messages) except
of PIM Register which is unicast – require additional
protection
— Hop-by-hop encryption
— Not all combinations of hash+security+encryption works
for multicast traffic!
— Recommended mode is transport with manual keys