White Paper for the Cisco ASA 5585-X Adaptive Security Appliance
Cisco and Public Sector Cyberdefense
Detection in the WAN
While it is important to recognize and prioritize good traffic, it is also necessary to recognize and drop suspicious traffic.
Unicast Reverse Path Forwarding (uRPF) offers a dynamic technique for enabling ingress traffic filtering, discarding packets with invalid source IP addresses based on a reverse-path look-up. uRPF is a highly attractive alternative to traditional ACLs, which typically demand significant management overhead and have a greater effect on device performance. uRPF is typically deployed as an edge technology in order to be most effective, minimizing the valid IP address space range and enforcing the discard of anomalous packets as close to their origin as possible.
The key function of uRPF is to verify that the path of an incoming packet is consistent with the local packet forwarding information. This is achieved by performing a reverse path look-up (hence the feature's name) using the source IP address of an incoming packet in order to determine the current path (adjacency) to that IP address. The validity of this path determines whether uRPF will pass or drop the packet. If the path is valid, the packet will be passed. If the path is not valid, the packet will be silently discarded (unless an ACL exemption is configured).
uRPF is a useful defense against an IP Source Spoofing attack, wherein a packet from the Internet is specially crafted to have a source address within the range of the local Intranet.
A key use of uRPF, independent of its deployment mode, is to enable source-based remote triggered black hole (SRTBH) filtering. SRTBH is a highly effective, dynamic, and efficient rapid-reaction tool for mitigating DDoS attacks. RTBH uses routing protocol updates to manipulate route tables at the network edge, or anywhere else in the network, to specifically drop undesirable traffic before it enters the service provider network.
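The reverse-path check and the SRTBH interaction described above, as an added example (not Cisco's code and not taken from this paper): a small model of a forwarding table with a longest-prefix look-up, a uRPF decision in strict and loose mode with an ACL exemption, and a constructed Null0 route that stands in for the black-hole entry an SRTBH trigger would install.

```python
# Added example (not Cisco's code): a minimal model of the uRPF check,
# with strict and loose modes, an ACL exemption, and a Null0 route that
# shows how source-based RTBH makes loose uRPF drop a flagged source.
import ipaddress

# Constructed sample forwarding table: prefix -> outgoing interface.
# "Null0" is the discard interface an RTBH trigger would install.
FIB = {
    "10.0.0.0/8":      "inside",
    "192.0.2.0/24":    "outside",
    "198.51.100.0/24": "outside",
    "203.0.113.77/32": "Null0",   # SRTBH: attack source black-holed
}

def lookup(addr):
    """Longest-prefix match; returns the egress interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_check(src, ingress, mode="strict", exempt=()):
    """Return True if a packet with source `src` arriving on `ingress` passes uRPF."""
    if any(ipaddress.ip_address(src) in ipaddress.ip_network(p) for p in exempt):
        return True            # ACL exemption configured: bypass the check
    reverse = lookup(src)
    if reverse is None or reverse == "Null0":
        return False           # no route back, or source is black-holed
    if mode == "loose":
        return True            # loose mode: any valid route suffices
    return reverse == ingress  # strict mode: must match the arrival interface

def demo():
    """Decisions for a set of constructed packets arriving from the Internet."""
    return {
        "legit_outside":  urpf_check("192.0.2.10", "outside"),
        "spoofed_inside": urpf_check("10.1.2.3", "outside"),   # intranet source
        "spoofed_loose":  urpf_check("10.1.2.3", "outside", "loose"),
        "unrouted":       urpf_check("100.64.1.1", "outside", "loose"),
        "blackholed":     urpf_check("203.0.113.77", "outside", "loose"),
        "exempted":       urpf_check("10.1.2.3", "outside", exempt=("10.1.2.0/24",)),
    }

if __name__ == "__main__":
    for name, passed in demo().items():
        print(f"{name:15} {'pass' if passed else 'drop'}")
```

Note that the spoofed intranet source is dropped only in strict mode, while the black-holed source is dropped in either mode, which is why the text says SRTBH works independently of the uRPF deployment mode.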
Most of the other detection technologies discussed previously, such as NetFlow, ERSPAN, and DDoS detection and protection, are supported on Cisco WAN platforms to provide a comprehensive, integrated threat detection solution.
Figure 9 Cisco Integrated Services Router Series