CCNA Security Portable Command Guide: Network Foundation Protection

Date: Oct 25, 2012


This chapter lists some common threats against network infrastructures and goes on to discuss the Cisco Network Foundation Protection Framework, Control Plane Security, Management Plane Security, and Data Plane Security.

The chapter covers the following topics:

Threats Against the Network Infrastructure

Cisco Network Foundation Protection Framework

Control Plane Security

Management Plane Security

Data Plane Security

Threats Against the Network Infrastructure

Common vulnerabilities and threats against a network infrastructure include the following:

Vulnerabilities

  • Design errors
  • Protocol weaknesses
  • Software vulnerabilities
  • Device misconfiguration

Threats

  • Trust exploitation
  • Login, authentication, and password attacks
  • Routing protocol exploits
  • Spoofing
  • Denial of service (DoS)
  • Confidentiality and integrity attacks

The impact of those threats and vulnerabilities includes the following:

Impact

  • Exposed management credentials
  • High CPU usage
  • Loss of protocol keepalives and updates
  • Route flaps and major network transitions
  • Slow or unresponsive management sessions
  • Indiscriminate packet drops

Cisco Network Foundation Protection Framework

The Cisco Network Foundation Protection (NFP) framework provides an umbrella strategy for infrastructure protection forming the foundation for continuous service delivery.

NFP logically divides a router and Catalyst switches into three functional areas:

Control plane

Provides the ability to route data correctly. Traffic consists of device-generated packets required for the operation of the network itself, such as Address Resolution Protocol (ARP) message exchanges or Open Shortest Path First (OSPF) protocol routing advertisements.

Management plane

Provides the ability to manage network elements. Traffic is generated either by network devices or network management stations using tools such as Telnet, Secure Shell (SSH), Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP), Network Time Protocol (NTP), or Simple Network Management Protocol (SNMP).

Data plane (forwarding plane)

Provides the ability to forward data. Typically consists of user-generated packets being forwarded to another end station. Most traffic travels through the router via the data plane. Data plane packets are typically processed in fast-switching cache.

Figure 4-1 provides a conceptual view of the NFP framework.

Figure 4-1. NFP Planes

Each of these planes must be protected to provide network availability and ensure continuous service delivery. The Cisco NFP framework provides the tools and techniques to secure each of these planes.

Control Plane Security

Control plane security can be implemented using the following features:

Cisco AutoSecure

Cisco AutoSecure provides a one-step device lockdown feature to protect the control plane and the management and data planes. It is a script that is initiated from the command-line interface (CLI) to configure the security posture of routers and disables nonessential system processes and services. It first makes recommendations to address security vulnerabilities and then modifies the router configuration.

Routing protocol authentication

Neighbor authentication prevents a router from accepting fraudulent routing updates. Most routing protocols support neighbor authentication.
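As an added example (not from the book), the following Cisco IOS configuration enables neighbor authentication for OSPF (per-interface MD5 key, authentication enforced for the whole area) and for EIGRP (key chain referenced on the interface). Interface names, process and AS numbers, networks and the key strings are constructed placeholders.

```cisco
! Added example, not from the book: routing protocol neighbor authentication.
! Interface names, process/AS numbers, prefixes and key strings are placeholders.
!
! --- OSPF: key configured per interface, message-digest authentication
!     required for every adjacency in area 0 ---
interface GigabitEthernet0/1
 ip ospf message-digest-key 1 md5 EXAMPLE-OSPF-KEY-CHANGE-ME
!
router ospf 1
 area 0 authentication message-digest
!
! --- EIGRP: key chain defined once, referenced on each neighbor-facing interface ---
key chain EIGRP-KEYS
 key 1
  key-string EXAMPLE-EIGRP-KEY-CHANGE-ME
!
interface GigabitEthernet0/2
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
router eigrp 100
 network 10.0.0.0 0.255.255.255
!
! Hide key strings in the displayed configuration
service password-encryption
!
! Verification (exec mode):
! show ip ospf interface GigabitEthernet0/1   -> "Message digest authentication enabled"
! show ip ospf neighbor                        -> only authenticated neighbors reach FULL
! show ip eigrp neighbors
```

A router whose key does not match simply never forms an adjacency, so a fraudulent update source cannot inject routes; the rejected hello packets are the thing to look for in the logs when a legitimate neighbor unexpectedly drops.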

CoPP

Control Plane Policing (CoPP) is used on higher-end Cisco devices with route processors. It is a Cisco IOS feature that lets administrators control the flow of traffic handled by the route processor of their network devices.

Control Plane Policing

CoPP is designed to prevent unnecessary traffic from overwhelming the route processor. The CoPP feature treats the control plane as a separate entity with its own ingress (input) and egress (output) ports. Because the CoPP feature treats the control plane as a separate entity, a set of rules can be established and associated with the ingress and egress ports of the control plane.

CoPP consists of the following features:

CoPP

Control Plane Policing lets users configure a QoS filter that manages the traffic flow of control plane packets. This protects the control plane against reconnaissance and DoS attacks.

CPPr

Control Plane Protection is an extension of CoPP that allows finer policing granularity. For example, CPPr can filter and rate-limit the packets that are going to the control plane of the router and discard malicious packets, error packets, or both.

Control Plane Logging

The Control Plane Logging feature enables logging of the packets that CoPP or CPPr drop or permit. It provides the logging mechanism that is needed to deploy, monitor, and troubleshoot CoPP features efficiently.

Management Plane Security

Management plane security can be implemented using the following features:

Login and password policy

Restrict device accessibility. Limit the accessible ports and restrict the “who” and “how” methods of access.

Role-based access control

Ensure access is only granted to authenticated users, groups, and services. Role-based access control (RBAC) and authentication, authorization, and accounting (AAA) services provide mechanisms to effectively authenticate access.

Authorize actions

Restrict the actions and views that are permitted by any particular user, group, or service.

Secure management access and reporting

Log and account for all access. Record who accessed the device, what occurred, and when it occurred.

Ensure the confidentiality of data

Protect locally stored sensitive data from being viewed or copied. Use management protocols with strong authentication to mitigate confidentiality attacks aimed at exposing passwords and device configurations.

Present legal notification

Display legal notice developed with legal counsel.
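As an added example (not from the book), the following configuration implements the management plane features just listed on a Cisco IOS router: a password and login policy, SSH-only access limited to a management subnet, AAA with TACACS+ and local fallback, command accounting, a login banner, and off-box logging. Host names, addresses, user names, secrets and the banner wording are constructed placeholders.

```cisco
! Added example, not from the book: management plane hardening.
! Host names, addresses, user names, secrets and banner text are placeholders.
!
! SSH prerequisites
hostname R1
ip domain-name example.test
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!
! Login and password policy: minimum length, hashed secrets, brute-force throttling
security passwords min-length 12
service password-encryption
enable secret EXAMPLE-ENABLE-SECRET
username admin privilege 15 secret EXAMPLE-ADMIN-SECRET
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
!
! AAA: authenticate and authorize against the ACS (TACACS+) group first,
! fall back to the local database; account for sessions and privileged commands
aaa new-model
tacacs server ACS1
 address ipv4 10.1.1.10
 key EXAMPLE-TACACS-KEY
aaa group server tacacs+ ACS-GROUP
 server name ACS1
aaa authentication login MGMT-AUTH group ACS-GROUP local
aaa authorization exec MGMT-AUTHZ group ACS-GROUP local
aaa accounting exec default start-stop group ACS-GROUP
aaa accounting commands 15 default start-stop group ACS-GROUP
!
! The "who" and "how": only the management subnet, only SSH, idle sessions expire
ip access-list standard MGMT-HOSTS
 permit 10.1.1.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 5 0
 login authentication MGMT-AUTH
 authorization exec MGMT-AUTHZ
line con 0
 exec-timeout 5 0
 login authentication MGMT-AUTH
!
! Legal notification presented before the login prompt
banner login ^C
PLACEHOLDER BANNER: authorized use only. Replace with text approved by legal counsel.
^C
!
! Reporting: timestamped syslog to the management station and a config change log
service timestamps log datetime msec localtime show-timezone
logging host 10.1.1.20
logging trap informational
archive
 log config
  logging enable
  hidekeys
```

The order matters in two places: generate the RSA key only after `hostname` and `ip domain-name` are set, and configure the TACACS+ server and the named method lists before referencing them on the lines, so that a partially applied configuration never leaves the vty lines without a working authentication method.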

Role-Based Access Control

RBAC restricts user access based on the role of the user. Roles are created for job or task functions and assigned access permissions to specific assets. Users are then assigned to roles and acquire the permissions that are defined for the role.

In Cisco IOS, the role-based CLI access feature implements RBAC for router management access. The feature creates different “views” that define which commands are accepted and what configuration information is visible. For scalability, users, permissions, and roles are usually created and maintained in a central repository server. This makes the access control policy available to multiple devices using it.

The central repository server can be a AAA server such as the Cisco Secure Access Control System (ACS) to provide AAA services to a network for management purposes.
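As an added example (not from the book), the following configuration creates two role-based CLI views on a Cisco IOS router, a read-only helpdesk role and an operator role that may touch interfaces but not AAA or user accounts, and binds local users to them. In a scaled deployment the view name would normally be returned by the AAA server rather than set in a local `username` command; the view names, user names and secrets are constructed placeholders.

```cisco
! Added example, not from the book: role-based CLI views.
! View names, user names and secrets are constructed placeholders.
!
! Views require AAA and an enable secret; they are created from the root view
! (exec: "enable view", then supply the enable secret).
aaa new-model
enable secret EXAMPLE-ENABLE-SECRET
!
! Helpdesk role: may look at interface state and the routing table, and ping
parser view HELPDESK
 secret EXAMPLE-HELPDESK-SECRET
 commands exec include show ip interface brief
 commands exec include show ip route
 commands exec include ping
!
! Operator role: all show commands, plus interface configuration only
parser view NETOPS
 secret EXAMPLE-NETOPS-SECRET
 commands exec include all show
 commands exec include configure terminal
 commands configure include interface
 commands interface include all ip
 commands interface include shutdown
!
! Bind local users to their roles
username helpdesk1 view HELPDESK secret EXAMPLE-HELPDESK-PASS
username netops1 view NETOPS secret EXAMPLE-NETOPS-PASS
!
! Verification (from the root view):
! show parser view            -> lists HELPDESK and NETOPS
! enable view HELPDESK        -> then "?" shows only the permitted commands
```

Every command not explicitly included in a view is invisible to that view, so a user assigned to HELPDESK cannot even see `configure terminal`, which is the property that makes views a useful least-privilege control for management access.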

Secure Management and Reporting

The management network is a very attractive target to hackers. For this reason, the management module has been built with several technologies designed to mitigate such risks.

The information flow between management hosts and the managed devices can be out-of-band (OOB) (information flows within a network on which no production traffic resides) or in-band (information flows across the enterprise production network, the Internet, or both).

Data Plane Security

Data plane security can be implemented using the following features:

Access control lists

Access control lists (ACLs) perform packet filtering to control which packets move through the network and where.

Antispoofing

ACLs can be used as an antispoofing mechanism that discards traffic that has an invalid source address.

Layer 2 security features

Cisco Catalyst switches have integrated features to help secure the Layer 2 infrastructure.

ACLs

ACLs are used to secure the data plane in a variety of ways, including the following:

Block unwanted traffic or users

ACLs can filter incoming or outgoing packets on an interface, controlling access based on source addresses, destination addresses, or user authentication.

Reduce the chance of DoS attacks

ACLs can be used to specify whether traffic from hosts, networks, or users can access the network. The TCP intercept feature can also be configured to prevent servers from being flooded with requests for a connection.

Mitigate spoofing attacks

ACLs enable security practitioners to implement recommended practices to mitigate spoofing attacks.

Provide bandwidth control

ACLs on a slow link can prevent excess traffic from consuming the available bandwidth.

Classify traffic to protect other planes

ACLs can be applied on vty lines (management plane).
ACLs can control routing updates being sent, received, or redistributed (control plane).

Antispoofing

Implementing IETF Best Current Practice 38 (BCP38, published as RFC 2827) ingress traffic filtering renders the use of invalid source IP addresses ineffective; attacks must then be initiated from valid, reachable IP addresses, which can be traced back to the originator of the attack.

Features such as Unicast Reverse Path Forwarding (uRPF) can be used to complement the antispoofing strategy.
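As an added example (not from the book), the following configuration applies RFC 2827 / BCP38 filtering on an edge router in both directions, inbound from the ISP (drop packets claiming our own or non-routable source addresses) and outbound toward the ISP (let only our own prefix leave), and complements it with uRPF in strict mode on the stub LAN and loose mode on the uplink. The prefixes and interface names are constructed placeholders; 192.0.2.0/24 and 203.0.113.0/30 are documentation prefixes standing in for the internal and uplink networks.

```cisco
! Added example, not from the book: BCP38 / RFC 2827 antispoofing ACLs plus uRPF.
! 192.0.2.0/24 (internal LAN) and 203.0.113.2/30 (uplink) are placeholder prefixes.
!
! uRPF requires CEF
ip cef
!
! Inbound from the ISP: packets whose source claims to be inside our network,
! RFC 1918 space, loopback, unspecified or multicast cannot be legitimate
ip access-list extended ANTISPOOF-IN
 deny   ip 192.0.2.0 0.0.0.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 permit ip any any
!
! Outbound toward the ISP: only our own prefix may leave (BCP38 proper)
ip access-list extended ANTISPOOF-OUT
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Uplink to ISP
 ip address 203.0.113.2 255.255.255.252
 ip access-group ANTISPOOF-IN in
 ip access-group ANTISPOOF-OUT out
 ! Loose mode: drop only sources for which no route exists at all
 ! (safe where return paths may be asymmetric)
 ip verify unicast source reachable-via any
!
interface GigabitEthernet0/1
 description Internal LAN (single-homed stub)
 ip address 192.0.2.1 255.255.255.0
 ! Strict mode: the packet must arrive on the interface the route to its
 ! source points at, so a host cannot forge an address from another segment
 ip verify unicast source reachable-via rx
!
! Verification
! show ip interface GigabitEthernet0/1 | include verify
! show ip access-lists ANTISPOOF-OUT      -> hit counters on the "deny ... log" line
! show ip traffic | include RPF           -> packets dropped by uRPF
```

The logged `deny` on the outbound ACL is the detection value of this configuration: any hit means a host inside the network is emitting packets with a source address it does not own, which is worth an investigation regardless of whether the packet was dropped.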

Layer 2 Data Plane Protection

The following are Layer 2 security tools integrated into the Cisco Catalyst switches:

Port security

Prevents MAC address spoofing and MAC address flooding attacks

DHCP snooping

Prevents client attacks on the Dynamic Host Configuration Protocol (DHCP) server and switch

Dynamic ARP inspection (DAI)

Adds security to ARP by using the DHCP snooping table to minimize the impact of ARP poisoning and spoofing attacks

IP source guard

Prevents IP address spoofing by using the DHCP snooping table
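As an added example (not from the book), the following configuration enables the four Layer 2 tools above on a Catalyst access switch: DHCP snooping with a single trusted uplink, Dynamic ARP Inspection validated against the snooping binding table, port security on the access ports, and IP Source Guard built on top of both. VLAN numbers, interface names, rate limits and the MAC count are constructed placeholders.

```cisco
! Added example, not from the book: Layer 2 data plane protection on an access switch.
! VLAN numbers, interface names, rates and MAC counts are constructed placeholders.
!
! DHCP snooping: builds the binding table (MAC, IP, VLAN, port) that DAI and
! IP Source Guard rely on; only the uplink is allowed to send server replies
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
!
! DAI: every ARP packet on VLAN 10 is checked against the binding table, and
! the frame headers must agree with the ARP payload
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet1/0/24
 description Uplink toward distribution and the DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range GigabitEthernet1/0/1 - 23
 description User access ports
 switchport mode access
 switchport access vlan 10
 ! Port security: at most two learned MACs, kept across reloads (sticky);
 ! "restrict" drops offending frames and raises a log/SNMP trap without
 ! err-disabling the port
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ! Untrusted for DHCP and ARP, with per-port rate limits (packets per second)
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ! IP Source Guard: forward only packets whose source IP and MAC match a
 ! binding learned on this port
 ip verify source port-security
!
! Verification
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
! show ip verify source
! show port-security interface GigabitEthernet1/0/1
```

The dependency order is the point: DHCP snooping must be enabled and populated before DAI and IP Source Guard will pass legitimate traffic, so on a switch with hosts that already hold leases, enable snooping first and confirm `show ip dhcp snooping binding` lists them before turning on the other two features, or those hosts lose connectivity until they renew.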

800 East 96th Street, Indianapolis, Indiana 46240
