After a security incident, a network security engineer discovers that a portion of the company's sensitive external traffic has been redirected through a secondary
ISP that is not normally used.
Which of the following would BEST secure the routes while allowing the network to function in the event of a single provider failure?
Implementing an inbound BGP prefix list helps control which routes are accepted from BGP peers, providing a way to manage and secure routing information from unauthorized advertisements. This measure can help in preventing traffic redirection through unauthorized ISPs, thus enhancing network security. Furthermore, an inbound BGP prefix list allows for managing routing while maintaining redundancy and failover capabilities in the event of a single provider failure. Disabling BGP or using OSPF and static routes does not offer the same level of control and flexibility as BGP with a prefix list.
An inbound BGP prefix list is a list of IP prefixes (routes) that are allowed to be received and accepted by a BGP speaker. By implementing an inbound BGP prefix list, the network security engineer can control which routes are accepted by the company's BGP speaker, and can block any routes that are not authorized. This can help to prevent external traffic from being redirected through unauthorized ISPs or other routes. Disabling BGP and implementing a single static route for each internal network would not be effective, as it would not allow the network to function in the event of a single provider failure. Implementing a BGP route reflector would not address the issue of external traffic being redirected through an unauthorized ISP. Disabling BGP and implementing OSPF (Open Shortest Path First) would not be effective, as OSPF is a routing protocol that is used within a single autonomous system, and would not address the issue of external traffic being redirected through an unauthorized ISP.
A secondary ISP is not necessarily an unauthorized ISP.
Its says ISP that is not normally used.
Defenses against BGP hijacks include IP prefix filtering, meaning IP address announcements are sent and accepted only from a small set of well-defined autonomous systems, and monitoring Internet traffic to identify signs of abnormal traffic flows.
Trust only those you know Source: Verifying each answer against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)
B. Implement a BGP route reflector. BGP (Border Gateway Protocol) is a routing protocol used to exchange routing and reachability information between autonomous systems (ASs) on the Internet. It is possible to configure BGP to ensure that traffic is only routed through specific ISPs or network paths, and a BGP route reflector can be used to centralize the distribution of routing information within an AS. This can help secure the routes used by the company's external traffic, while also allowing the network to continue functioning in the event of a single provider failure. Disabling BGP and implementing a single static route for each internal network or an OSPF (Open Shortest Path First) protocol could be effective in some cases, but a BGP route reflector would be the most effective option for securing the routes while allowing the network to function in the event of a single provider failure.
Prefix filtering all day https://www.catchpoint.com/bgp-monitoring/bgp-hijacking
Answer is B. Implementing an inbound BGP prefix list (option C) may help filter incoming routes, but it may not address the issue of securing the routes and allowing the network to function in the event of a single provider failure.
A route reflector is a BGP feature that helps to distribute routing information across the network more efficiently. By implementing a BGP route reflector, the network can maintain multiple routes to different destinations, including backup routes, which can be used in the event of a single provider failure. Option C, implementing an inbound BGP prefix list, is a useful security measure but does not address the issue of securing routes in the event of a provider failure.
The term securing routes can have multiple meanings. I think I'm changing my answer to C
the correct answer is C
C is the correct answer. It will filter the routes and provides security
Implementing an inbound BGP prefix list (Option C) is the best approach to secure routes and ensure the network can function correctly with multiple ISPs. This method allows the network security engineer to control which prefixes are accepted from BGP peers, preventing unauthorized route advertisements and securing the routing infrastructure while maintaining redundancy and failover capabilities.
Ans. B The Border Gateway Protocol (BGP) is a protocol used to exchange routing information across autonomous systems on the internet. The question describes a situation where traffic is being redirected through an unexpected route, which could be a sign of a BGP hijacking attack. Option B, "Implement a BGP route reflector", is the best solution. A BGP route reflector helps to control the propagation of routes in a network. It allows a router to advertise (or "reflect") BGP routes to other routers in the same autonomous system. This can help to ensure that traffic follows the expected paths, even in the event of a single provider failure. The other options are less suitable. Disabling BGP and implementing static routes or OSPF (Options A and D) would not provide the same level of control over route propagation and could lead to other issues. Implementing an inbound BGP prefix list (Option C) could help to filter incoming routes but would not necessarily prevent the redirection of outgoing traffic.
B. Implement a BGP route reflector. Explanation: BGP Route Reflector (B): A BGP route reflector is used in BGP (Border Gateway Protocol) to reduce the number of BGP peer connections and simplify the BGP topology. In the context of securing routes and maintaining functionality in the event of a single provider failure, a BGP route reflector helps by reflecting BGP routes between multiple routers. This enhances redundancy and resilience in the network.
Implement a BGP route reflector (Option B): A BGP route reflector is used in BGP deployments to simplify the management of BGP route advertisements. It helps in controlling the distribution of BGP routing information and improving the scalability of the BGP network. Using a route reflector architecture can enhance the resilience of the network, allowing it to function even if one provider fails. Implement an inbound BGP prefix list (Option C): BGP prefix lists are used to filter routes. While this can help control the routes that are accepted from external BGP peers, it doesn't inherently provide redundancy or failover capabilities in the event of a single provider failure.
nbound BGP Prefix List: Implementing an inbound BGP prefix list allows you to filter and control the routes that are accepted from external BGP peers. By specifying a prefix list, you can control which routes are allowed into your network. This helps in securing the routes and prevents the acceptance of unauthorized or unexpected routes.
The question is focused on securing the routes while allowing the network to function in the event of a single provider failure. In this context, implementing an inbound BGP prefix list alone may not address the redundancy and failover requirements associated with the dynamic nature of BGP and the potential failure of a single ISP. The most effective solution for maintaining network functionality in the face of a single provider failure, while securing BGP routes, often involves implementing BGP route reflectors or using other BGP mechanisms for redundancy and failover.
Changing Answer to C.
B. Implementing a BGP route reflector would be the best option to secure the routes while allowing the network to function in the event of a single provider failure. A route reflector is a BGP routing protocol component that helps distribute routing information within a single autonomous system (AS). It receives routing information from other routers in the AS and propagates it to other routers in the AS. By using a route reflector, the network engineer can ensure that routes are distributed evenly and redundantly across multiple ISP links while maintaining control over which routes are used. Additionally, it simplifies the configuration of BGP by eliminating the need for a full mesh of BGP peerings between all routers.
I agree that C - Prefix Filtering is the right way to do it but the questions lean heavily on the word BEST. The BEST way to secure the routes is A - disable BGP and use static routes. That would definitely prevent a hijack from occurring.
You are missing the key phrase "event of a single provider failure". Static routes mean you would lose connectivity until you changed them if the ISP changes something on their node. https://www.noction.com/blog/bgp-hijacking