Saturday, November 04, 2017

Risk Management - Quantitative risk assessment

The name kind of give away the type of assessment we talk about "Quantitative" according to google translate:

relating to, measuring, or measured by the quantity of something rather than its quality.

Well although it is most likely not always going to be the case were you can place a $ value to a risk, with Quantitative  risk assessment that is the goal, and it can be achieved for assets are tangible (server, safe, storage...) or intangible ( patent, software...)

Step 1

Determine the Asset you wish to protect and from what is the threat is risking the asset.

Step 2

AV - determine the asset value in $ value

EF - assess the Exposure factor or how bad would the asset be impacted in case threat exploit happened and the value is in %

SLE = AV * EF , that is single loss expectancy or in other words the $ value of single incident

ARO - Annual rate of Occurrence basically it is a counter of how many times we expect that incident to happen in 1 year, and it can be a whole number or a fraction for example if we know that a major earthquake in our are can happen 1 every 100 years then the ARO would be 1/100 = 0.01

ALE = SLE * ARO , Annual loss expectancy is taking the single loss $ value times the annual rate and we are getting the $ value of our risk per year.

Now that is not the whole deal as once we have the $ value of our risk we want to see if we can reduce it or alternatively we need to accept it if the reduction cost is for example more expensive.

Step 3

So the next step is to identify the risk mitigation / reduction tools (safe guards) and once we understand them we need to go back and recalculate ALE after implementing our safe guards.

ALE1 ( before implementing safe guards)
ALE2 ( After implementing safe guards) or Residual Risk
SafeGuards - FW, IPS/IDS, Fence, fire system

ALE1 - ALE2 - SafeGuards = Risk Mitigation Value

Risk Value with negative value would be tricky as there is no clear return on investment for placing counter measures. so your other options are:

Accept the risk by executive decision that must be documented.
Sharing the risk for example by buying an insurance policy.
Avoid the risk not always you can but if possible, avoiding an act or usage may eliminate the risk



Note: ignore the risk is never a valid option!

Monday, October 30, 2017

Awesome Neil Anderson Cisco CCNA Lab Guide

I was honored to be approached earlier today by Mr. Neil Anderson fellow CCIE :-) that have his very cool and highly popular site www.flackbox.com, Neil have done some grate work building a new elaborate and ready to use CCNA Lab guide that I am more then happy to share his link over my blog: http://www.flackbox.com/cisco-ccna-lab-guide

I have taken a quick look and it for the CCNA Candidate it would be a grate guide to get to know his way around the Cisco Networking Practical work, in addition Neil have made it for you all that easy by keeping it all within the Virtual environment of GNS3 so you would not have to lift your ass of the seat even (Like I did back in the days ~20y ago) 

So for all the CCNA to be (and I would add to the once that are as well) highly recommended


Good Luck

Thursday, October 19, 2017

Domain 1 Security and Risk Management - Part 1

First Domain of the CISSP hold 12 Sections and discuss aspects of Risk Management Concepts, Tools, Laws, Standards, around People Process and Technology.  here are some short highlights from my notes:

Understand and apply concepts of confidentiality, integrity, and availability 

CIA (Confidentiality / Integrity / Availability ) if I would to say them in my own words I would say that  Confidentiality is the way to assure asset is kept secret from any unauthorized system and / or person. 
  • How To Protect: most common is the use of encryption taking data and encrypting is done by multiple different techniques.
Integrity is the assurance that asset you have was not handled in any way shape or form by an unauthorized system and / or person.
  • How To Protect: That is more complex however can be done by introducing multiple mechanisms like together refereed to as the AAA (Triple AAA from networking or 5 A from ISC2 world) Identification Authentication Authorization Audit Accounting 
Availability making sure asset is obtainable (I had to look for other word :-)) when needed
  • How To Protect: In a high level that is by assuring service / asset health and stability 

Now often the CIA is refereed to as CIA triad 


Note: the word asset was mentioned multiple times to assure we get use to the terminology.
Asset: can be "data / person / company / resource / service..." or anything you can put a value to it and is worth protecting.
Google Definition: a useful or valuable thing, person, or quality.

What is AAA in the CISSP world?

Identification - Process of providing Identity available to the next stage of authentication in the world I am from Identification and Authentication are part of the same process as without one the other can't exist however for the sake of CISSP lets keep open mind.
Authentication - Once you received the Identifier we need to be able to authenticate and make sure that this is indeed the account and there are different authentication methods like password, pin code, bio (finger print)...
Authorization - After we have passed Authentication then we need to be able to provide limit access to resources according to our job requirement providing to much may impact confidentiality and integrity and providing to little may impact availability  
Audit - auditing is a very important function and again from my networking world it was part of accounting, the audit function is to provide monitoring and ability to go back and look who did what and when, very important part in troubleshooting and fundamental part of ability to be able  prove non-repudiation  
Accounting - The ability to prove a subject identity and track his activities if needed to later be presented in court of law.

Alignment of security function to business strategy, goals, mission, and objectives  

First maybe lets define what is Governance - according to google dictionary it is the action of governing, meaning ?! if you own a company or if you are one of the C-level function in a company it would be expected of you to govern and lead the company in the path to success, and part of it would be taking responsibility to providing company policies, goals, mission statements.





Elements to remember with related to Governance:
  1. Corporate Executive Must be committed to the Security Plan - Due Care!
  2. Corporate Executive are to define the mission statement and company policy.
  3. CISO / CSO should not be subject to company politics and avoid and possible conflict of interest
  4. Company Executive have the responsibility highest responsibility to the company security and in case they where care less they also may be subject to personal legal actions against them.
  5. Security Plan is subject to Due Diligence, always be responsive to the needed changes

Organizational processes 

Like with life when you get to a cross road there is higher risk as a cross road increase complexity and evolve cars moving on the same road in different directions, introducing proper mechanism like rules signs, light.. will reduce the risk, same is with Organizational Changes when purchasing new company / systems or god forbid when laying of personal the Organization need to be ready to face the implications

  • make sure there is a well elaborated and sorted plan
  • make sure all personal and / or systems are informed and ready for the change
  • prepare a backup / restoration / rollback (you name it) plan
  • make sure you have a way to monitor and measure the change and identify and negative impact

Organizational roles and responsibilities 

Roles and responsibilities are highly important, to do your job well especially in large organization you need to know what are your duties what is expected from you and how can you assist to the goals of your organization.

Key Roles To Know and remember:

Data Owner - as the name suggest it is the data highest authority for making sure data security is in order and normally will be senior manager, the Data owner is responsible for classifying also the data security level.

Data Custodian - this is  for whom that is being given the task of practically making sure data security is addressed as classified and according to the guidelines, normally would be IT / IS.

Auditor - is responsible for the monitor and making sure security policy's are being followed implemented and issue periodic reporting to be review by senior management. in case auditor discover and report issues the senior management must address.

Senior Manager- have the top responsibility and liability for organization security however the implementation of security is a function that is delegated to Security professionals

User - Any user in the organization have his role in keeping the corporate security policy by following the provided policies and procedures.

Due Care/Due Diligence

Due Care

It is the action of "caring" about the possible of system / person other might do harm to an asset!
  •  Data Owner (normally Organization Executive) is obligated to Due Care
Law: the conduct that a reasonable man or woman will exercise in a particular situation, in looking out for the safety of others. If one uses due care then an injured party cannot prove negligence. This is one of those nebulous standards by which negligence is tested. Each juror has to determine what a "reasonable" man or woman would do.  reference 

Due Diligence

It is an action performed in iterative and repeatable manner with steps taken for verifying / monitoring and applying actions in order to preserve company policy and standards.
  • Data Owner is obligated to make sure a due diligence is conducted on normal basis 
  • Data Custodian are normally performing the due diligence in practice.
Google Translate: reasonable steps taken by a person in order to satisfy a legal requirement, especially in buying or selling something.


To be continue...

Saturday, October 14, 2017

What is about to change in CISSP from Apr 2018

Change have arrived and like with other professional certification there is almost a standard time before certification gets its update, with most anywhere it is between 3 - 4 years, CISSP is no different and since last update was on 2015 the change is arriving here as well.

For the people that wish to see the official existing and new outline

I have decided to write this post as the new out line is more of a list of Domain and Sections within the domain without hint or indication to what was modified actually and I could not find anyone else that done that comparison, I had to take the task and do the comparison, please be advised that I have done it for my own "pleasure" so apologies if I missed something :-)

Lets start with the obvious change:

CISSP - Before Apr 2018 CISSP - from Apr 2018
1. Security and Risk Management 16% 15%
2. Asset Security 10% 10%
3. Security Engineering 12% 13%
4. Communications and Network Security 12% 14%
5. Identity and Access Management 13% 13%
6. Security Assessment and Testing 11% 12%
7. Security Operations 16% 13%
8. Software Development Security 10% 10%

So as you can see from the table above there are not mind blowing ground up changes , we are still in 8 Domain format, there are small variations in the ratio between the domains and since we have 250 Questions still questions have the same wight 1% eq 2.5 questions so if you look at that this way and take an example Domain 1 was reduced in 2 - 3 questions for the favor of Domain 3 that Ratio was increased by 1%. I would see that as a very minor diff.

Now if you look into each Domain in more details then

Domain 1 Security and Risk Management - originally with 12 Sections and still is with 12 Sections however 
  • Section 1.2 was reduced to 5 sub areas from 6 by merging Due Care and Due Diligence into one section, does it mean we need to know less about them ?! I think not
  • Section 1.4 Similarly Computer Crime (The law Term) was changed to Cyber Crime and was merged with Data Breachs
  • Section 1.9 Again 12 sub areas where trimmed by merging content to 11 sections
Domain 2 Asset Security - Seem to be unchanged for the most part small change to Section 2.5.4 instead of cryptography it was modified to Data protection methods I would think it is a more global look of what is available to Data protection other then the focus on Crypto

Domain 3 Security Engineering 
  • Section 3.5 was appended with IOT, I would say kind of expected change with all the buzz around it (no offense intended).
  • Section 3.11.7 Water Issues was modified to Environment Issues, as well seem to be kind of obvious to change as focus only on Water hazards kind of ...
Domain 4 Communication and Network Security 
  • Section 4.1.7 Cryptography used to maintain communication security - removed
  • Section 4.2.6 Physical devices - removed
  • Section 4.4 Prevent and Mitigate network Attack was removed
Domain 5 IAM 
  • Section 5.3 as was was removed and new 5.3 is equivalent to Old Section 5.4 and in addition it seem to be segmented to 3 sub areas Cloud, On-Premise and Federated.
  • Section 5.6 Prevent and Mitigate access control - removed
  • Section 5.7 Manage the Identity - removed
Domain 6 Security Assessment and Testing
  • Section 6.1 was extended with 3 sub areas of Internal , External Third Party
  • Section 6.5 was getting the same workout Section 6.1 received  
Domain 7 Security Operations
  • Section 7.16 Address personnel safety and security concerns was extended and received 4 sub areas Travel , Security training and awareness, Emergency management , Duress

Domain 8 Software Development Security 
  • Section 8.2 was trimmed from 5 sub areas to 3
    • Security weaknesses and vulnerabilities at the source-code level - removed
    • Security or API -removed
  • Section 8.3 Acceptance testing - removed
  • New Section 8.5 Define and apply secure coding guidelines and standards with 3 sub areas
    • Security weaknesses and vulnerabilities at the source-code level
    • Security of application programming interfaces
    • Secure coding practices

So overall if looking on the changes there are not fundamental but I think they are the necessary to be made if looking into the industry, so good luck to me and who ever is going to take the challenge :-)

Wednesday, August 23, 2017

Do not be scared from WCCP

I would like to try with you (my readers) explanation in a format of Q&A , hopefully that will make it easier to understand as WCCP is not that hard.

Q:What is WCCP (web cache communication protocol)?

A:To make it simple WCCP is a protocol running between a router and a network appliance for allowing safer and smarter redirection of traffic.

Q:When you say network appliance what do you mean?

A: In WCCPv1 the protocol was used only for redirection of web traffic (and only TCP port 80) so it was clearly very limited for web application (hence the name), however since WCCPv2 the usage and capability expended and WAN optimization devices (WAAS, Riverbed SteelHead etc.) Security Appliances (Cisco WSA, Bluecoat WAF etc.) are using WCCP to receive traffic for optimization or content security handling.

Q: What are the main components of WCCP?

A: That is an Excellent Question :-) , well

  • Redirector - The Router or group of routers
  • Web Cache - That is the misleading part as is called a web cache but as mention above the network appliance can be also appliance that is performing MAPI or CIFS optimization, note that also the web cache function can be a cluster of Web Cache Engines that get traffic based on assignment method (lets elaborate on that later...)
Q: What are the responsibilities of the Redirector and Web Cache?

A: It seems like we are on the same page as you have some grate questions
  • Redirector Jobs
    • Listen for Web Cache Registration/s
    • Intercept trafic according to configuration
    • Redirect to the relevant Cache Engine according to the calculated assignment (again, we will elaborate later) in case there are multiple
      • There are 2 redirection methods (L2/GRE) 
    • Maintain state by simply exchange control messages
  • Web Cache Jobs
    • Register to a Redirector list (one or more)
    • Maintain state by simply exchange control messages
    • Receive traffic from Redirector handle and send it to its destination
Q: What do you mean by "Maintain State"?

A: When redirector want to redirect traffic first he need to know to who he can send the traffic and if the web cache is active and ready to receive the traffic, and from the other end the web cache want to know who is going to send him traffic and tell him what he allowed to send (if he want to limit him)
That state is maintained with messages that are exchanged    

Web Cache - send HERE_I_AM
Redirector - react with I_SEE_YOU

pic1: in the following you can see and example of packet capture between Redirector to Web Cache Engine


Q: You mention also something about redirection method (GRE/L2)?

A: I see you keep tracking , so yes! there are 2 Redirection methods L2 and GRE

GRE - as it sounds the router will create a GRE tunnel it will use to send traffic over to the Web Cache, the Web Cache return traffic can be L2 or Generic GRE (WAAS implementation)

L2 - simply mean traffic that need to be redirected the router will re-write the MAC destination to the Web Cache MAC address.

Show command over the router, you can see that Service ID 61 there is 1 Web Cache 1 Router Assignment HASH and redirection is GRE:


C881-K9-IL1#sh ip wccp summary
WCCP version 2 enabled, 2 services

Service     Clients   Routers   Assign      Redirect   Bypass    
-------     -------   -------   ------      --------   ------    
Default routing table (Router Id: 172.24.190.113):
61          1         1         HASH        GRE        GRE       
62          0         0         HASH/MASK   GRE/L2     GRE/L2    

C881-K9-IL1#



Q: What is HASH and MASK ?

A: The WCCP was intended to provide a scalable and robust way of redirection traffic allowing high amount of traffic to load share between multiple Cache Engines and the Algorithm used to perform load sharing is either by HASH (default in most routers) or MASK (default mostly in L3 Switches)

Q: Almost forgot , what is service ID 61 62...?

A: As you remember the WCCP started to allow only TCP port 80 redirection however as there requirement modified there was a need to make it more flexible by allowing what is called dynamic service groups, the service group can define  ports and redirection assignments based on source / destination... 

Q: Why do I need 2 or more groups?

A: Some of the Cache Engines like WAAS are doing what is called transparent proxy , that mean that traffic sent from Client to Origin (Web Server) will keep the IP SRC/DST, so if traffic will be redirected only when sent from Client to Origin the return traffic will not be intercepted and it will be an asymmetric TCP connection that will be eventuality terminated as although the session is transparent TCP ports and seq/ack are not and both Client and Server will see that they are not actually talking to each other both directions, so now you will ask me so why not just set the same Service to intercept both direction, that is a good question and the answer is each Service Group has an assignment that determine to which Web Cache to Send the traffic , if you set the same HASH to both sides your traffic may return to the Wrong Web Cache so in order for traffic to return to the same Cache Engine you need to have the flip side of the Assignment 

Sample Configuration:


ip wccp source-interface Loopback0
ip wccp 61
ip wccp 62
!
!
interface Loopback0
ip address 20.255.255.4 255.255.255.255
!
interface GigabitEthernet1
description DIRECT_WAN
ip address 20.200.0.2 255.255.255.252
ip wccp 62 redirect in
!
interface GigabitEthernet4
description "SITE_LAN"
ip address 20.2.0.1 255.255.255.0
ip wccp 61 redirect in
!
interface GigabitEthernet6
description “WAAS Segment”
ip address 20.100.0.1 255.255.255.252
 Note: That Cisco have a default preconfigured behavior for SID 61 and 62 
61 : hash is based on source IP

62 : hash is based on destination IP


OK Folks hope that provide some clarity and understanding, WCCP is really not very scary and very useful protocol :-)

Note: there are some excellent info in Cisco and also some limitation with platforms but I wanted to make sure first that there is clarity to the fundamentals

https://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/waas/v501/configuration/guide/cnfg/traffic.html 

 

Tuesday, August 22, 2017

DNS Proxy with Juniper SRX

It is often when you come across deployments where branch users need reach an internal resource that is also mapped for external users via DNS however the problem start when user inside the corp is resolving that address over the public DNS he will get response of the public address of that resource and in order for him to reach that address packet will need to go out form the internal trust zone to outside and back in , this is what is called a DNS Split Horizon problem!

to fix that you can either use some static host configuration that is very unscaleable or use a DNS proxy and Internal forwarders, for that there are 2 main methods (with Juniper SRX):

Method 1 

Split DNS configuration where all DNS traffic is default to 8.8.8.8 with the exception of sguez.net that is using 198.168.1.200 (Internal DNS)
root@SRXv01# show system services dns | display set 
set system services dns dns-proxy interface ge-0/0/1.0
set system services dns dns-proxy default-domain * forwarders 8.8.8.8
set system services dns dns-proxy default-domain sguez.net forwarders 198.168.1.200


[edit]
root@SRXv01#
Important part when configuring dns-proxy over SRX is to enable the dns system service  

root@SRXv01# show security zones security-zone trust host-inbound-traffic | display set
set security zones security-zone trust host-inbound-traffic system-services dns

[edit]
root@SRXv01#

Method 2


Split DNS configuration where all DNS traffic is default to 8.8.8.8 with the exception of sguez.net that is using 198.168.1.200 (Internal DNS) and for external resolve via (external DNS) based on request source (clients IP's):

root@SRXv01# show system services dns dns-proxy | display set 
set system services dns dns-proxy interface ge-0/0/1.0
set system services dns dns-proxy view internal match-clients 192.168.0.0/16
set system services dns dns-proxy view internal domain sguez.net forwarders 192.168.1.200
set system services dns dns-proxy view external match-clients 172.24.190.114/28
set system services dns dns-proxy view external domain sguez.net forwarders 192.168.1.201

[edit]
root@SRXv01#

Also with that configuration do not forget the enable for dns system services

root@SRXv01# show security zones security-zone trust host-inbound-traffic | display set
set security zones security-zone trust host-inbound-traffic system-services dns

[edit]
root@SRXv01#

Verification for both:


Clear Cache:
root@SRXv01# run clear system services dns-proxy cache
Show Cache:
root@SRXv01# run show system services dns-proxy cache 
Clear Statistics:
root@SRXv01# run clear system services dns-proxy statistics 
Show Statistics: 
root@SRXv01# run show system services dns-proxy statistics  

Further Reference:


Tuesday, November 26, 2013

VRF Maximum Routes

 

Maximum routes under customer vrf, if the service provider had unlimited resources he would not have needed that!
however normally resources are limited and expensive, and Service provider would like to make money from his available resources. maximum routes configured under VRF provide a mean of controlling PE local resource and abuse avoidance from the CE side.

 

I have vrf called DC_EXTRANET, you can see that I have 16 routes, I have configured
10 maximum routes under that vrf however I did not want to be aggressive so I have set the

 

warning only option.
See that immediately I get a notice that I have more routes then the maximum, however no action
is taken other then alerting and sending a syslog.
!
PE_ashdod_otherisp.n(config-vrf)# maximum routes 10 warning-only 
% The current number of routes in the routing table is equal to, or exceeds the configured warning limit
PE_ashdod_otherisp.n(config-vrf)#
*Nov 26 20:39:41.175: %IPRT-3-ROUTELIMITWARNING: IP routing table limit warning - DC_EXTRANET
PE_ashdod_otherisp.n(config-vrf)#do sh ip rou vrf DC_EXTRANET
Routing Table: DC_EXTRANET
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override
Gateway of last resort is not set
      50.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
B        50.0.0.0/30 [200/0] via 20.255.10.10, 00:09:31
B        50.0.100.0/24 [200/0] via 20.255.10.10, 00:09:31
B        50.255.255.1/32 [200/0] via 20.255.10.10, 00:09:31
      60.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
B        60.0.0.0/30 [200/0] via 7.7.7.7, 00:00:04
B        60.0.100.0/24 [200/0] via 7.7.7.7, 00:00:04
B        60.0.101.0/24 [200/0] via 7.7.7.7, 00:00:04
B        60.0.102.0/24 [200/0] via 7.7.7.7, 00:00:04
B        60.0.103.0/24 [200/0] via 7.7.7.7, 00:00:04
B        60.255.255.1/32 [200/0] via 7.7.7.7, 00:00:04
      70.0.0.0/8 is variably subnetted, 7 subnets, 3 masks
C        70.0.0.0/30 is directly connected, FastEthernet2/0
L        70.0.0.1/32 is directly connected, FastEthernet2/0
B        70.0.100.0/24 [20/0] via 70.0.0.2, 00:20:22
B        70.0.101.0/24 [20/0] via 70.0.0.2, 00:20:22
B        70.0.102.0/24 [20/0] via 70.0.0.2, 00:20:22
B        70.0.103.0/24 [20/0] via 70.0.0.2, 00:20:22
B        70.255.255.1/32 [20/0] via 70.0.0.2, 00:20:22
PE_ashdod_otherisp.n(config-vrf)#

 

 

now I would like to show you what will happen from RIB/FIB and BGP when I am activating the maximum prefix’s in aggressive mode:

 

Prior to modifying the maximum value, on the CE you can see that I am getting BGP updates:
CE_ashdod_DC_SERVICES#  show ip bgp     
BGP table version is 160, local router ID is 70.255.255.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 50.0.0.0/30      70.0.0.1                               0 9002 33462 ?
*> 50.0.100.0/24    70.0.0.1                               0 9002 33462 ?
*> 50.255.255.1/32  70.0.0.1                               0 9002 33462 ?
*> 60.0.0.0/30      70.0.0.1                               0 9002 9001 33462 ?
*> 60.0.100.0/24    70.0.0.1                               0 9002 9001 33462 ?
*> 60.0.101.0/24    70.0.0.1                               0 9002 9001 33462 ?
*> 60.0.102.0/24    70.0.0.1                               0 9002 9001 33462 ?
*> 60.0.103.0/24    70.0.0.1                               0 9002 9001 33462 ?
*> 60.255.255.1/32  70.0.0.1                               0 9002 9001 33462 ?
Now maximum routes is set to 10 and Threshold before sending warning to 100% notice
immediately RIB and FIB will be updated accordingly however BGP is not effected meaning that
this is locally significant and will not cause a lot of noise due to a local problem / over utilizing allowed
resources.
PE_ashdod_otherisp.n(config-vrf)# maximum routes 10 100 
% The current number of routes in the routing table is equal to, or exceeds the configured warning limit
% The routing table is being reloaded to enforce (or allow) the new route limit.
PE_ashdod_otherisp.n(config-vrf)#
*Nov 26 20:57:08.359: %IPRT-3-ROUTELIMITWARNING: IP routing table limit warning - DC_EXTRANET
*Nov 26 20:57:08.363: %IPRT-3-ROUTELIMITEXCEEDED: IP routing table limit exceeded - DC_EXTRANET
PE_ashdod_otherisp.n(config-vrf)#
PE_ashdod_otherisp.n(config-vrf)#
PE_ashdod_otherisp.n(config-vrf)#do sh ip rou vrf DC_EXTRANET       
Routing Table: DC_EXTRANET
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override
Gateway of last resort is not set
      50.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
B        50.0.0.0/30 [200/0] via 20.255.10.10, 00:00:15
B        50.0.100.0/24 [200/0] via 20.255.10.10, 00:00:15
B        50.255.255.1/32 [200/0] via 20.255.10.10, 00:00:15
      60.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
B        60.0.0.0/30 [200/0] via 7.7.7.7, 00:00:15
B        60.0.100.0/24 [200/0] via 7.7.7.7, 00:00:15
B        60.0.101.0/24 [200/0] via 7.7.7.7, 00:00:15
B        60.0.102.0/24 [200/0] via 7.7.7.7, 00:00:15
B        60.0.103.0/24 [200/0] via 7.7.7.7, 00:00:15
      70.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        70.0.0.0/30 is directly connected, FastEthernet2/0
L        70.0.0.1/32 is directly connected, FastEthernet2/0
PE_ashdod_otherisp.n(config-vrf)#
CE_ashdod_DC_SERVICES#  show ip bgp 
BGP table version is 184, local router ID is 70.255.255.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 50.0.0.0/30      70.0.0.1                               0 9002 33462 ?
*> 50.0.100.0/24    70.0.0.1                               0 9002 33462 ?
*> 50.255.255.1/32  70.0.0.1                               0 9002 33462 ?
*> 60.0.0.0/30      70.0.0.1                               0 9002 9001 33462 ?
*> 60.0.100.0/24    70.0.0.1                               0 9002 9001 33462 ?
*> 60.0.101.0/24    70.0.0.1                               0 9002 9001 33462 ?
*> 60.0.102.0/24    70.0.0.1                               0 9002 9001 33462 ?
*> 60.0.103.0/24    70.0.0.1                               0 9002 9001 33462 ?
*> 60.255.255.1/32  70.0.0.1                               0 9002 9001 33462 ?

Additional scenario:

maximum prefix’s are at 14

 

Routing Table: DC_EXTRANET
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override
Gateway of last resort is not set
      50.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
B        50.0.0.0/30 [200/0] via 20.255.10.10, 00:01:23
B        50.0.100.0/24 [200/0] via 20.255.10.10, 00:01:23
B        50.255.255.1/32 [200/0] via 20.255.10.10, 00:01:23
      60.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
B        60.0.0.0/30 [200/0] via 7.7.7.7, 00:00:20
B        60.0.100.0/24 [200/0] via 7.7.7.7, 00:00:20
B        60.0.101.0/24 [200/0] via 7.7.7.7, 00:00:20
B        60.0.102.0/24 [200/0] via 7.7.7.7, 00:00:20
B        60.0.103.0/24 [200/0] via 7.7.7.7, 00:00:20
B        60.255.255.1/32 [200/0] via 7.7.7.7, 00:00:20
      70.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
C        70.0.0.0/30 is directly connected, FastEthernet2/0
L        70.0.0.1/32 is directly connected, FastEthernet2/0
B        70.0.100.0/24 [20/0] via 70.0.0.2, 00:01:23
B        70.0.101.0/24 [20/0] via 70.0.0.2, 00:01:23
B        70.0.102.0/24 [20/0] via 70.0.0.2, 00:01:23

 

I send withdraw  for 70.0.101.0/24 from the CE router, now I have one more spot (14 –1) available, however the router does not re-evaluate the table and insert the next available, think of what if it did! (the CE could have abuse the router causing him to always re-evaluate what need to be inserted/removed to/from RIB/FIB!!), re-evaluation happen when you modify maximum routes value or when you re-send (withdraw and update) the un-used  routes  :

 

PE_ashdod_otherisp.n(config)#do sh ip rou vrf DC_EXTRANET
Routing Table: DC_EXTRANET
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override
Gateway of last resort is not set
      50.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
B        50.0.0.0/30 [200/0] via 20.255.10.10, 00:01:30
B        50.0.100.0/24 [200/0] via 20.255.10.10, 00:01:30
B        50.255.255.1/32 [200/0] via 20.255.10.10, 00:01:30
      60.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
B        60.0.0.0/30 [200/0] via 7.7.7.7, 00:00:27
B        60.0.100.0/24 [200/0] via 7.7.7.7, 00:00:27
B        60.0.101.0/24 [200/0] via 7.7.7.7, 00:00:27
B        60.0.102.0/24 [200/0] via 7.7.7.7, 00:00:27
B        60.0.103.0/24 [200/0] via 7.7.7.7, 00:00:27
B        60.255.255.1/32 [200/0] via 7.7.7.7, 00:00:27
      70.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
C        70.0.0.0/30 is directly connected, FastEthernet2/0
L        70.0.0.1/32 is directly connected, FastEthernet2/0
B        70.0.100.0/24 [20/0] via 70.0.0.2, 00:01:30
B        70.0.102.0/24 [20/0] via 70.0.0.2, 00:01:30
PE_ashdod_otherisp.n(config)#

 

However if you do not care about abuse from CE side you can use the below command, that will re-evaluate once crossing certain threshold, but I think that if you do not care about the abuse (do not limit the amount of prefix’s):

PE_ashdod_otherisp.n(config-vrf)# maximum routes 14 100 reinstall ?  
  <1-100>  Threshold value (%) at which to reinstall routes back to VRF

Risk Management - Quantitative risk assessment

The name kind of give away the type of assessment we talk about "Quantitative" according to google translate: relating to, meas...