Extreme Exploits: Advanced Defenses Against Hardcore Hacks (Hacking Exposed)
| | ||
| | ||
| | ||
| Step | Description |
|---|---|
| Enforce border router security. | Apply strong access control lists, disable dangerous/unused services, and run a stable network operation system, using unicast RPF when applicable . |
| Multihome your network. | Utilize different ISPs to multihome when possible. If utilizing a single ISP, request that your circuits home to different aggregation routers in the ISP's network, if possible. |
| Secure BGP peering sessions. | Utilize MD5 passwords (hashes) and/or the BGP TTL hack to secure BGP sessions from attack and spoofing. |
| Monitor bandwidth utilization. | Monitor your bandwidth utilization, set thresholds that meet your business requirements, and upgrade before reliability becomes a problem. |
| Geographically distribute critical servers (and anycast). | Place critical applications/systems in topologically diverse locations, or utilize third-party outsource providers that have geographically diverse systems. Larger wide area networks may employ anycast. |
| Back up network device configurations. | Develop a backup plan/schedule, and copy configuration files of all routers, switches, and firewalls to a secure location for backup with other critical data. Additionally, encrypt stored configuration files (including passwords). |
| Develop hardware sparing plan. | Develop a sparing plan, purchase and stock the spares , and/or contract with your vendor to provide rapid parts replacement. |
Recommended Reading
-
National Security Agency's router and switch security hardening guidelines (http://www.nsa.gov/snac/)
-
BGP Security Risks and Countermeasures (http://www.nanog.org/mtg-0206/ppt/BGP-Risk-Assesment-v.5.pdf)
-
RFC 1546, Host Anycasting
-
RFC 1918, Address Allocation for Private Internets
-
Path MTU Discovery (http://www.netheaven.com/pmtu.html)
-
RFC 2196, Site Security Handbook
-
RFC 2827, Ingress Filtering Guidelines
| | ||
| | ||
| | ||