Network Security Notes: Configuring Route Filtering


Posted: 21 Dec 2011 08:08 PM PST


Following my previous post, Understanding Route Filtering, this post goes into more detail on route filtering, this time covering its configuration.



Route filters work by regulating which networks a router will advertise out of an interface to another router, or which networks a router will accept on an interface from another router. Administrators can use route filtering to ensure that only certain routes are announced from a specific routing process or interface. This lets administrators configure their routers to block malicious routing attempts by intruders.

You can configure route filtering in one of two ways:

* Inbound route filtering: The router can be configured to permit or deny routes advertised by a neighbor from being installed into the routing process.

* Outbound route filtering: The route filter can be configured to permit or deny routes from being advertised by the local routing process, preventing neighboring routers from learning them.

I. Configuring Inbound Route Filters:

The steps for configuring inbound route filters are as follows:

1. Use the access-list global configuration command to configure an access list that permits or denies the specific routes being filtered.

2. Under the routing protocol process, use the following command:

distribute-list access-list-number in [interface-name]


For example, I want to configure an inbound route filter on Router-B (Router-B is the name of my router). The following steps are needed:

1. Create an access list with the access-list command:

Router-B#config t
.......
Router-B(config)#access-list 120 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255

In this access-list command:
- Access-list number is 120
- Permission: permit
- Source Network: 192.168.1.0/24
- Destination Network: 172.16.1.0/24

2. Apply the inbound route filter under the routing protocol process:

Router-B(config)#router rip
Router-B(config-router)#network 192.168.1.0
Router-B(config-router)#network 172.16.1.0
Router-B(config-router)#distribute-list 120 in Serial 0/0

With the commands above, the inbound route filter on Router-B has:
- Protocol: RIP version 1
- Network: 192.168.1.0 and 172.16.1.0
- Access-list: applied access-list 120 as already configured on step 1
- Interface: Serial 0/0

After configuring the two steps above, Router-B will permit only inbound traffic from network 192.168.1.0/24 to destination network 172.16.1.0/24 via interface Serial 0/0.

II. Configuring Outbound Route Filters:

The steps to configure outbound route filters are described here:

1. Use the access-list global configuration command to configure an access list that permits or denies the specific routes being filtered.

2. Under the routing protocol process, use the following command:

distribute-list access-list-number out [interface-name | routing-process | autonomous-system-number]


For example, I want to configure an outbound route filter on Router-B (Router-B is the name of my router). The following steps are needed:

1. Create an access list with the access-list command:

Router-B#config t
.......
Router-B(config)#access-list 110 deny ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255

In this access-list command:
- Access-list number is 110
- Permission: deny
- Source Network: 192.168.10.0/24
- Destination Network: 172.16.10.0/24

2. Apply the outbound route filter under the routing protocol process:

Router-B(config)#router rip
Router-B(config-router)#network 192.168.10.0
Router-B(config-router)#network 172.16.10.0
Router-B(config-router)#distribute-list 110 out Serial 0/0

With the commands above, the outbound route filter on Router-B has:
- Protocol: RIP version 1
- Network: 192.168.10.0 and 172.16.10.0
- Access-list: applied access-list 110 as already configured on step 1
- Interface: Serial 0/0

After configuring the two steps above, Router-B will deny only outbound traffic from network 192.168.10.0/24 to destination network 172.16.10.0/24 via interface Serial 0/0.
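Two details of the inbound and outbound procedures above are easy to get wrong, and both are worth checking in a configuration before it goes on a router. First, the number given to distribute-list must be an access list that actually exists; a distribute-list pointing at an undefined list does not filter what you intended. Second, every IOS access list ends with an implicit deny, so a list that contains only deny entries (like access-list 110 in the outbound example) matches nothing explicitly and the implicit deny drops every route the distribute-list evaluates. Keep in mind as well that, as the opening paragraph says, a distribute-list decides which networks are accepted or advertised; it does not filter forwarded data packets. The following Python script is an added example written for this page, not code from the original post or from Cisco: it parses an IOS-style snippet (constructed here, based on the examples above plus a deliberately dangling reference to an access-list 130), evaluates the two address fields of each entry with IOS wildcard-mask semantics the way the post reads them (first match wins, implicit deny), and reports the two pitfalls.

```python
"""Audit distribute-list / access-list pairs in an IOS-style config (added example)."""
import re

# Constructed sample config for this example (not from the original post).
# It contains the post's two access lists, the inbound filter, an outbound
# filter that references an access list which is never defined (130), and
# the deny-only list 110 applied outbound.
SAMPLE_CONFIG = """
access-list 120 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 deny ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255
router rip
 network 192.168.1.0
 network 172.16.1.0
 distribute-list 120 in Serial 0/0
 distribute-list 130 out Serial 0/0
 distribute-list 110 out Serial 0/1
"""

ACL_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$"
)
DL_RE = re.compile(r"^distribute-list\s+(\d+)\s+(in|out)(?:\s+(\S.*))?$")


def ip_to_int(dotted):
    """Convert a dotted-quad string to a 32-bit integer."""
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(addr, net, wild):
    """IOS wildcard mask: a 1 bit means 'do not care about this bit'."""
    care = ~ip_to_int(wild) & 0xFFFFFFFF
    return ((ip_to_int(addr) ^ ip_to_int(net)) & care) == 0


def parse_config(text):
    """Return ({acl_number: [entries]}, [(acl_number, direction, target)])."""
    acls, dls = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            num, action, src, src_w, dst, dst_w = m.groups()
            acls.setdefault(num, []).append((action, src, src_w, dst, dst_w))
            continue
        m = DL_RE.match(line)
        if m:
            num, direction, target = m.groups()
            dls.append((num, direction, target or "all"))
    return acls, dls


def acl_decision(entries, src, dst):
    """First matching entry wins; the list ends with an implicit deny."""
    for action, s, sw, d, dw in entries:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"


def audit(text):
    """Flag distribute-lists that reference undefined or deny-only access lists."""
    acls, dls = parse_config(text)
    findings = []
    for num, direction, target in dls:
        where = f"distribute-list {num} {direction} {target}"
        if num not in acls:
            findings.append(f"{where}: access-list {num} is not defined")
        elif not any(entry[0] == "permit" for entry in acls[num]):
            findings.append(
                f"{where}: access-list {num} has no permit entry, "
                "so the implicit deny filters every route"
            )
    return findings


if __name__ == "__main__":
    acls, _ = parse_config(SAMPLE_CONFIG)
    print("120 for 192.168.1.77 -> 172.16.1.9:", acl_decision(acls["120"], "192.168.1.77", "172.16.1.9"))
    print("120 for 192.168.2.1  -> 172.16.1.9:", acl_decision(acls["120"], "192.168.2.1", "172.16.1.9"))
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Running the script against the sample prints one permit, one deny (the implicit deny after no entry matched) and two findings: the undefined access-list 130 and the deny-only access-list 110. Adding a closing entry such as `access-list 110 permit ip any any` is what lets a deny-based outbound filter block only the intended route and pass the rest.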

Any questions or comments, please leave them below. Thanks!


Chinese hack on U.S. Chamber went undetected for 6 months

Posted: 21 Dec 2011 08:32 AM PST


Chinese hackers lurked in the U.S. Chamber of Commerce network for six months without being detected, enjoying unrestricted access although it is unknown what information they exploited, according to a published report.

Mozilla launches Firefox 9, speeds up JavaScript

Posted: 21 Dec 2011 08:30 AM PST


Mozilla on Tuesday shipped Firefox 9, claiming that the new browser processes JavaScript up to 36% faster than its predecessor.

Chinese hackers breached U.S. Chamber of Commerce, report says

Posted: 21 Dec 2011 08:30 AM PST


Chinese hackers broke into computers at the U.S. Chamber of Commerce and had access to everything on its systems including information on about 3 million of its members, according to a report in today's Wall Street Journal.

LibreOffice backers want community to join 'bug hunt'

Posted: 21 Dec 2011 08:19 AM PST


The organization behind LibreOffice is hoping community members will help it uncover problems with an upcoming release of the open-source office suite via an international "bug hunt" next week.

Will Kim Jong Un be for cyberwarfare what his dad was for nukes?

Posted: 21 Dec 2011 05:22 AM PST


Security experts have differing views on what the death of Kim Jong Il will mean for the future of cyberattacks.

Security minefield: 'Bring your own device' will bedevil IT security in 2012

Posted: 21 Dec 2011 02:00 AM PST


The rapid adoption of the newest mobile devices -- especially the Apple iPhone and iPad and the Google Android-based equivalents -- will be a huge disruptive force in enterprise security next year. Not only will there be pressure to decide how to protect and manage these devices, which are growing as malware targets, the complexity of this task is magnified many times over because companies are allowing employees to use their own personal smartphones and tablets for business purposes -- what's sometimes called "bring your own device" (BYOD).

Twitter to open source Android security tech

Posted: 20 Dec 2011 12:25 AM PST


Twitter plans to open source some of the Android security products built by the developers behind Whisper Systems, which Twitter acquired last month.

Lady Gaga Twitter, Facebook pages recover from iPad 2 scam hacks

Posted: 19 Dec 2011 09:30 PM PST


Lady Gaga's Twitter and Facebook pages were hacked on Monday, tricking some of her millions of followers to a scam website looking to suck up victims' personal information.

Lady Gaga's Twitter and Facebook Accounts Hacked, Fans Duped by 'Free iPad 2' Scam

Posted: 20 Dec 2011 08:34 AM PST


Over 100,000 Lady Gaga fans were hit by the pervasive "click here to win a free iPad 2!" scam Monday after hackers infiltrated the pop star's Twitter and Facebook accounts.
