Extreme Exploits. Advanced Defenses Against Hardcore Hacks
Authors: Oppleman V. Friedrichs O. Watson B.
Published year: 2005
Pages: 26-29/120

Part II: Defending Your Perimeter and Critical Internet Infrastructure

Chapter List

Chapter 4: Reliable Connectivity
Chapter 5: Securing the Perimeter
Chapter 6: Redefining the DMZ: Securing Critical Systems
Chapter 7: Intrusion Detection and Prevention
Chapter 8: E-mail Gateways, Filtering, and Redundancy
Chapter 9: Data Leaks: Exploiting Egress
Chapter 10: Sinkholes and Backscatter
Chapter 11: Securing Wireless Networks

Chapter 4: Reliable Connectivity

Overview

So, do you think that just because the "circuit" between you and your ISP rarely goes down, you have reliable connectivity? What happens when your border router fails? What happens when your firewall goes down? What happens when routing fails? What happens when all of the above still appear to be operational but your packets don't go anywhere? Could it be that your border router inappropriately responds to directed traffic and that you are under a denial-of-service attack? If any of these questions suddenly makes your blood run cold, read on.

In this chapter, we cover these questions and other risks that can severely impact reliable Internet connectivity for your organization, and we present techniques to mitigate those risks.

  • Components of Reliable Connectivity: Components that affect reliable connectivity.

  • Exposing Weaknesses in Connectivity: How attackers and hardware/software failures can take you down.

  • Border Router Security: Mitigating the risk of attack as well as hardware and/or software failure.

  • Internet Gateways and Multihoming: Utilizing multiple Internet gateways with BGP multihoming to mitigate the risk of gateway failures and denial-of-service attacks.

  • Backup of Critical Device Configurations: Backing up router, switch, and firewall configurations to enable rapid disaster recovery.

  • Bandwidth Utilization: Monitoring and managing bandwidth at your Internet gateways.

  • Redundant and Spare Equipment: Deploying redundant hardware and developing a hardware spare inventory plan to enable rapid disaster recovery.

  • Geographic Distribution of Critical Systems: Deploying systems running critical applications in geographically diverse locations on your network, and using anycast.

Components of Reliable Connectivity

As noted in the introduction, reliable connectivity consists of much more than a reliable circuit from an ISP. Depending on your network and Internet gateway architecture, the following general categories may impact your connectivity to the Internet:

  • Device configuration backups

  • ISP/organizational routing configuration and policy

  • Limited bandwidth

  • Geographical/topological diversity of critical application servers (DNS, e-mail, and so on)

  • Layer-2 switches interconnecting gateway equipment

  • Spare router, switch, and/or interface cards

Exposing Weaknesses in Connectivity

This section provides a summary of components that may contribute to unreliable connectivity given certain conditions (see Table 4-1). These unreliable conditions may be exploited by attackers, or they may just happen by accident. Either way, failure of these components creates a denial of service (DoS) against your network. Typically, a DoS is an event in which protocols are exploited to create availability problems by overloading, confusing, or crashing the routing and systems infrastructure within a network. However, a failure of an Internet circuit, border router, firewall, or critical DNS and e-mail systems can create a DoS event as well. If these components fail, and you have no redundancy, you will experience denial of service to some degree.

Table 4-1: Network Components and Conditions Leading to Unreliable Connectivity

| Component | Condition | Effect |
|---|---|---|
| Border router | No or minimal access control lists | Directed SYN-flood may crash router or severely degrade service |
| Internet gateway | Single router, single ISP | Hardware/software failure, or ISP outage causes complete outage (DoS) |
| Multihomed routing (multiple circuits and/or ISPs) | Improper routing configuration or routing policy | Lack of redundancy through Internet gateways |
| Circuit bandwidth | Limited or unmonitored bandwidth | Packet loss, latency, severely degraded service |
| Critical DNS/mail servers | Physically located on a common LAN segment | Failure of circuit, border router, and possibly firewall may cause complete failure of these servers |
| Spare router/switch chassis and interface cards | Hardware fails, and you do not have replacements for critical elements | Potentially complete outage while you await shipping or purchase of new equipment |
