Section 8 – Security – 4 Points
8.1 Traffic Filtering
You need to filter five different types of traffic on inbound from bb1 on r6.
“Permit ICMP echo requests and replies”
Does this mean allow ANY hosts to ping inbound on interface s0/0? Or just bb1? I chose any.
r6(config-ext-nacl)#permit icmp any any ?
echo Echo (ping)
echo-reply Echo reply
Then I hit this:
“Permit DNS lookups and zone transfers.”
The IE solution guide has a good write up about this. Basically:
DNS Zone Transfers: TCP port 53
DNS Lookups: UDP port 53
I’ll need to find out where to find information like this in the DOC as I don’t think that I’m going to memorize a bunch of ports before the exam.
“Permit any TCP and UDP sessions initiated from behind r6 to return.”
Crap. This sounds like reflexive ACL. Something that I’ve managed not to study. 😦
In the real lab, I would just skip this task. This is an especially dangerous task because if you screw it up, you could mess up other tasks (i.e. IGP and EGP) that you’ve already successfully completed. In this case, you’ll need to open up BGP as well as RIP.
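For reference, here is how the whole 8.1 filter could be built as a named inbound ACL with a reflexive list for the return traffic. This is an added example, not the post's own config or the IE solution; it assumes the bb1 link is Serial0/0 (as in the post), that "DNS lookups" means queries arriving from the bb1 side for a name server behind r6, and the ACL names are made up. It also opens BGP and RIP explicitly, because traffic the router itself originates is never evaluated by an outbound ACL and so never gets a reflexive entry.

```cisco
! Added example, not from the post or the IE workbook. Assumes the bb1 link is
! Serial0/0 and that DNS lookups/zone transfers are inbound to a server behind r6.
! ACL names are made up.
!
! Outbound: record TCP/UDP sessions that hosts behind r6 open toward bb1.
ip access-list extended BB1-OUT
 remark reflexive entries are created from these two lines
 permit tcp any any reflect RETURN-TRAFFIC
 permit udp any any reflect RETURN-TRAFFIC
 permit ip any any
!
! Inbound: the five permitted types, then the dynamic entries, then the implicit deny.
ip access-list extended BB1-IN
 remark ICMP echo requests and replies
 permit icmp any any echo
 permit icmp any any echo-reply
 remark DNS zone transfers (TCP 53) and lookups (UDP 53)
 permit tcp any any eq domain
 permit udp any any eq domain
 remark keep the already-working BGP peering and RIP updates alive
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit udp any any eq rip
 remark return traffic for sessions initiated from behind r6
 evaluate RETURN-TRAFFIC
!
! How long an idle reflexive entry lives (seconds); default is 300.
ip reflexive-list timeout 120
!
interface Serial0/0
 ip access-group BB1-IN in
 ip access-group BB1-OUT out
```

After applying it, `show ip access-lists RETURN-TRAFFIC` lists the temporary entries created by sessions going out, and `show ip access-lists BB1-IN` shows hit counts per line, so a collapsed BGP or RIP adjacency can be traced to a missing permit rather than to the reflexive part.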
8.2 Spoof Detection
“…configure r4 to drop packets without a verifiable source address on the connection to bb3.”
I had no clue on this task, but I decided to see if I could find something in the command list containing any or all of the words “verifiable source address”. I found this:
Use the ip verify unicast source reachable-via interface command to mitigate problems caused by malformed or forged (spoofed) IP source addresses that pass through a router. Malformed or forged source addresses can indicate DoS attacks on the basis of source IP address spoofing.
Note: It is very important for CEF to be configured globally in the router. Unicast RPF will not work without CEF.
Note: Unicast RPF is an input function and is applied on the interface of a router only in the ingress direction.
r4(config-if)#ip verify unicast source reachable-via ?
any Source is reachable via any interface
rx Source is reachable via interface on which packet was received
reachable-via rx (strict mode): Examines incoming packets to determine whether the source address is in the Forwarding Information Base (FIB) and permits the packet only if the source is reachable through the interface on which the packet was received.
reachable-via any (loose mode): Examines incoming packets to determine whether the source address is in the FIB and permits the packet if the source is reachable through any interface.
rx sounds like the better choice.
r4(config-if)#ip verify unicast source reachable-via rx
I got this right. The IE solution guide shows that there is also a legacy command available:
r4(config-if)#ip verify unicast reverse-path
Verification of verification 🙂
r4#sh ip int fa0/1 | i verif
IP verify source reachable-via RX
0 verification drops
0 suppressed verification drops
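To tie the pieces together, here is the 8.2 task with the CEF prerequisite made explicit and the optional exemption ACL that feeds the "suppressed verification drops" counter shown above. This is an added example, not the post's or the IE solution's config; it assumes fa0/1 is the link to bb3 (as in the post's show command), and ACL 100 and the host address in it are constructed placeholders.

```cisco
! Added example, not from the post or the IE workbook. Assumes fa0/1 is the
! link to bb3; ACL 100 and the 192.0.2.10 host are constructed placeholders.
!
! uRPF looks the source up in the CEF FIB, so CEF must be enabled globally first.
ip cef
!
! Optional exemption list: a packet that FAILS the RPF check is then matched
! against this ACL. A permit forwards it anyway and counts it as a
! "suppressed verification drop"; a deny drops it. Logging both shows what
! the check is catching while the task is being verified.
access-list 100 permit ip host 192.0.2.10 any log
access-list 100 deny ip any any log
!
interface FastEthernet0/1
 description link to bb3
 ip verify unicast source reachable-via rx 100
!
! Strict mode (rx) requires the route back to the source to point out THIS
! interface. If routing toward bb3 is asymmetric, legitimate return traffic
! would be dropped; use "reachable-via any" (loose mode) on such a link instead.
```

`show ip cef <source-address>` shows which interface the FIB would use to reach a given source, which is exactly the question strict mode asks per packet, and `show ip interface fa0/1 | include verif` (as in the post) then shows whether the drop and suppressed-drop counters are moving.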