CCIE Pursuit Blog

January 19, 2008

Internetwork Expert Volume II: Lab 4 – Section 8

Section 8 – Security – 4 Points

8.1 Traffic Filtering

You need to filter five different types of traffic inbound from bb1 on r6.

ip access-list

“Permit ICMP echo requests and replies”

Does this mean allow ANY hosts to ping inbound on interface s0/0?  Or just bb1?  I chose any.

r6(config-ext-nacl)#permit icmp any any ?
  —output truncated—
  echo                         Echo (ping)
  echo-reply                   Echo reply

Then I hit this:

“Permit DNS lookups and zone transfers.”

No clue.

The IE solution guide has a good write-up about this.  Basically:

DNS Zone Transfers: TCP port 53
DNS Lookups: UDP port 53

I’ll need to find out where to find information like this in the DOC as I don’t think that I’m going to memorize a bunch of ports before the exam.

“Permit any TCP and UDP sessions initiated from behind r6 to return.”

Crap.  This sounds like reflexive ACL.  Something that I’ve managed not to study.  😦

In the real lab, I would just skip this task.  This is an especially dangerous task because if you screw it up, you could mess up other tasks (i.e. IGP and EGP) that you’ve already successfully completed.  In this case, you’ll need to open up BGP as well as RIP. 

permit (reflexive)

Task 8.1 (IE Forum)
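For reference, here is one complete form of the 8.1 filter as an added example (not the page's own config and not the IE solution guide's): the ACL names, the interface Serial0/0, and the assumption that bb1 is both the BGP peer and a RIP neighbor on that link are mine.

```ios
! Outbound ACL: every TCP/UDP session r6 (or hosts behind it) opens toward bb1
! creates a temporary entry in the reflexive ACL named RETURN.
ip access-list extended TO-BB1
 permit tcp any any reflect RETURN
 permit udp any any reflect RETURN
 permit ip any any
!
! Inbound ACL from bb1: the five items from the task plus the routing
! protocols the earlier sections depend on (implicit deny ip any any at the end).
ip access-list extended FROM-BB1
 permit icmp any any echo
 permit icmp any any echo-reply
 permit tcp any any eq domain          ! DNS zone transfers (TCP 53)
 permit udp any any eq domain          ! DNS lookups (UDP 53)
 permit tcp any any eq bgp             ! BGP session initiated by bb1
 permit tcp any eq bgp any             ! BGP session initiated by r6
 permit udp any any eq rip             ! RIP updates (UDP 520, incl. 224.0.0.9)
 evaluate RETURN                       ! return traffic for sessions opened from behind r6
!
interface Serial0/0
 ip access-group TO-BB1 out
 ip access-group FROM-BB1 in
```

`show access-lists RETURN` lists the temporary entries created by outbound sessions, and `show ip access-lists FROM-BB1` shows hit counts so you can confirm BGP and RIP are still matching permits rather than the implicit deny.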

8.2 Spoof Detection

“…configure r4 to drop packets without a verifiable source address on the connection to bb3.”

I had no clue on this task, but I decided to see if I could find something in the command list containing any or all of the words “verifiable source address”.  I found this:

ip verify unicast source reachable-via

Use the ip verify unicast source reachable-via interface command to mitigate problems caused by malformed or forged (spoofed) IP source addresses that pass through a router. Malformed or forged source addresses can indicate DoS attacks on the basis of source IP address spoofing.

Note: It is very important for CEF to be configured globally in the router. Unicast RPF will not work without CEF.

Note: Unicast RPF is an input function and is applied on the interface of a router only in the ingress direction.

r4(config)#ip cef
r4(config)#int fa0/1
r4(config-if)#ip verify unicast source reachable-via ?
  any  Source is reachable via any interface
  rx   Source is reachable via interface on which packet was received

rx: Examines incoming packets to determine whether the source address is in the Forwarding Information Base (FIB) and permits the packet only if the source is reachable through the interface on which the packet was received (sometimes referred to as strict mode).

any: Examines incoming packets to determine whether the source address is in the FIB and permits the packet if the source is reachable through any interface (sometimes referred to as loose mode).

rx sounds like the better choice.

r4(config-if)#ip verify unicast source reachable-via rx

I got this right.  The IE solution guide shows that there is also a legacy command available:

r4(config-if)#ip verify unicast reverse-path

Verification of verification  🙂

r4#sh ip int fa0/1 | i verif
  IP verify source reachable-via RX
  0 verification drops
  0 suppressed verification drops
