
Router Security Strategies - Securing IP Network Traffic Planes


DOCUMENT INFORMATION

Basic information

Format
Pages: 673
Size: 5,09 MB

Contents

Cisco Press
800 East 96th Street
Indianapolis, Indiana 46240 USA

Router Security Strategies: Securing IP Network Traffic Planes
Gregg Schudel, CCIE No. 9591
David J. Smith, CCIE No. 1986

Copyright © 2008 Cisco Systems, Inc. Cisco Press logo is a trademark of Cisco Systems, Inc.

Published by: Cisco Press, 800 East 96th Street, Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America
First Printing December 2007

Library of Congress Cataloging-in-Publication Data:
Schudel, Gregg.
Router security strategies : securing IP network traffic planes / Gregg Schudel, David J. Smith.
p. cm.
ISBN 978-1-58705-336-8 (pbk.)
1. Routers (Computer networks)—Security measures. 2. Computer networks—Security measures. 3. TCP/IP (Computer network protocol)—Security measures. I. Smith, David J., CCIE. II. Title.
TK5105.543.S38 2007
005.8—dc22
2007042606

ISBN-13: 978-1-58705-336-8
ISBN-10: 1-58705-336-5

Warning and Disclaimer

This book is designed to provide information about strategies for securing IP network traffic planes. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

The opinions expressed in this book belong to the authors and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance.

Corporate and Government Sales

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact: U.S. Corporate and Government Sales, 1-800-382-3419, corpsales@pearsontechgroup.com. For sales outside the United States please contact: International Sales, international@pearsoned.com.

Publisher: Paul Boger
Associate Publisher: Dave Dusthimer
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Jeff Brady
Executive Editor: Brett Bartow
Managing Editor: Patrick Kanouse
Development Editor: Eric Stewart
Project Editor: San Dee Phillips/Jennifer Gallant
Copy Editor: Bill McManus
Technical Editors: Marcelo Silva, Vaughn Suazo
Editorial Assistant: Vanessa Evans
Book Designer: Louisa Adair
Composition: ICC Macmillan Inc.
Indexer: WordWise Publishing Services, LLC
Proofreader: Molly Proue

About the Authors

Gregg Schudel, CCIE No. 9591 (Security), joined Cisco in 2000 as a consulting system engineer supporting the U.S. Service Provider Organization. Gregg focuses on IP core network and services security architectures and technology for inter-exchange carriers, web services providers, and mobile providers. Gregg is also part of a team of Corporate and Field resources focused on driving Cisco Service Provider Security Strategy. Prior to joining Cisco, Gregg worked for many years with BBN Technologies, where he supported network security research and development, most notably in conjunction with DARPA and other federal agencies involved in security research. Gregg holds an MS in engineering from George Washington University, and a BS in engineering from Florida Institute of Technology. Gregg can be contacted through e-mail at gschudel@cisco.com.

David J. Smith, CCIE No. 1986 (Routing and Switching), joined Cisco in 1995 and is a consulting system engineer supporting the Service Provider Organization. Since 1999 David has focused on service provider IP core and edge architectures, including IP routing, MPLS technologies, QoS, infrastructure security, and network telemetry. Between 1995 and 1999, David supported enterprise customers designing campus and global WANs. Prior to joining Cisco, David worked at Bellcore developing systems software and experimental ATM switches. David holds an MS in information networking from Carnegie Mellon University, and a BS in computer engineering from Lehigh University. David can be contacted through e-mail at dasmith@cisco.com.

About the Technical Reviewers

Marcelo I. Silva, M.S., is a technical marketing engineer for the Service Provider Technology Group (SPTG) at Cisco. Marcelo is a 19-year veteran of the technology field with experiences in academia and the high-tech industry. Prior to Cisco, Marcelo was an independent systems consultant and full-time lecturer at the University of Maryland, Baltimore County. His career at Cisco began in 2000, working directly with large U.S. service provider customers designing IP/MPLS core and edge networks. Marcelo’s primary responsibility at Cisco today as a technical marketing engineer (TME) requires him to travel the world advising service provider customers on the deployment of Cisco’s high-end routers: Cisco 12000 Series (GSR) and Cisco CRS-1 Carrier Routing System. Marcelo has an MS in information systems from the University of Maryland, and lives in Waterloo, Belgium with his wife Adriana and son Gabriel.

Vaughn Suazo, CCIE No. 5109 (Routing and Switching, Security), is a consulting systems engineer for Wireline Emerging Providers at Cisco. Vaughn is a 17-year veteran of the technology field with experience in server technologies, LAN/WAN networking, and network security. His career at Cisco began in 1999, working directly with service provider customers on technology areas such as core and edge IP network architectures, MPLS applications, network security, and IP services. Vaughn’s primary responsibility at Cisco today is as a consulting systems engineer (CSE) for service provider customers, specializing in service provider security and data center technologies and solutions. Vaughn lives in Oklahoma City, Oklahoma with his wife Terri and two children, and enjoys golfing in his leisure time.

Dedications

To my best friend and beautiful wife, Carol, for her love and encouragement, and for allowing me to commit precious time away from our family to write this book. To my awesome boys, Alex and Gary, for their patience and understanding, and for their energy and enthusiasm that keeps me motivated. Thanks to my co-author, David Smith, for gratefully accepting my challenge, and for bringing his knowledge and experience to this project.
—Gregg

I dedicate this book to my loving wife, Vickie, and my wonderful children, Harry, Devon, and Edward, who have made my dreams come true. Thank you for all of your support and inspiration during the writing of this book. I also dedicate this book to my mother and late father, whose sacrifices have afforded my brothers and me great opportunities. Finally, to my co-author, Gregg Schudel, for considering me for this special project. It was an opportunity of a lifetime and I am forever grateful.
—David

Acknowledgments

This book benefited from the efforts of all Cisco engineers who share our dedication and passion for understanding and furthering IP network security. Among them, there are a few to whom we are particularly grateful. To Barry Greene, for his constant innovations, tireless leadership, and dedication to SP security. Without his efforts, many of these IP traffic plane security concepts would not have been developed. Also, to Michael Behringer, for his constant encouragement, and for always providing sound advice on our many technical questions. And to Roland Dobbins, Ryan McDowell, Jason Bos, Rajiv Raghunarayan, Darrel Lewis, Paul Quinn, Sean Donelan, and Dave Lapin, for always making themselves available to consult on the most detailed of questions. We gratefully thank our extraordinary technical reviewers, Marcelo Silva and Vaughn Suazo, for their thorough critiques and feedback. Thanks also to John Stuppi and Ilker Temir for providing their invaluable reviews as well as to Russell Smoak for his leadership. We also thank Dan Hamilton, Don Heidrich, Chris Metz, Vaughn Suazo, and Andrew Whitaker for reviewing our original proposal and providing valuable suggestions. We also give special thanks to John Stewart, Cisco Systems Vice President and Chief Security Officer, for taking time from his very busy schedule to write the foreword of our book, as well as for his unique leadership in the areas of both security and network operations. We would like to thank our managers, Jerry Marsh and Jim Steinhardt, for their tremendous support throughout this project. Finally, special thanks go to Cisco Press and our production team: Brett Bartow (Executive Editor), Eric Stewart (Development Editor), San Dee Phillips (Senior Project Editor), Jennifer Gallant (Project Editor), and Bill McManus (Copy Editor). Thanks also to Andrew Cupp (Development Editor) for the valuable editorial assistance. Thank you for working with us to make this book a reality.

Contents at a Glance

Foreword xix
Introduction xx
Part I IP Network and Traffic Plane Security Fundamentals 3
Chapter 1 Internet Protocol Operations Fundamentals 5
Chapter 2 Threat Models for IP Networks 65
Chapter 3 IP Network Traffic Plane Security Concepts 117
Part II Security Techniques for Protecting IP Traffic Planes 145
Chapter 4 IP Data Plane Security 147
Chapter 5 IP Control Plane Security 219
Chapter 6 IP Management Plane Security 299
Chapter 7 IP Services Plane Security 347
Part III Case Studies 403
Chapter 8 Enterprise Network Case Studies 405
Chapter 9 Service Provider Network Case Studies 443
Part IV Appendixes 485
Appendix A Answers to Chapter Review Questions 487
Appendix B IP Protocol Headers 497
Appendix C Cisco IOS to IOS XR Security Transition 557
Appendix D Security Incident Handling 597
Index 608

Contents

Foreword xix
Introduction xx
Part I IP Network and Traffic Plane Security Fundamentals 3
Chapter 1 Internet Protocol Operations Fundamentals 5
  IP Network Concepts 5
    Enterprise Networks 7
    Service Provider Networks 9
  IP Protocol Operations 11
  IP Traffic Concepts 19
    Transit IP Packets 20
    Receive-Adjacency IP Packets 21
    Exception IP and Non-IP Packets 22
      Exception IP Packets 22
      Non-IP Packets 23
  IP Traffic Planes 24
    Data Plane 25
    Control Plane 27
    Management Plane 29
    Services Plane 30
  IP Router Packet Processing Concepts 32
    Process Switching 36
    Fast Switching 39
    Cisco Express Forwarding 44
      Forwarding Information Base 44
      Adjacency Table 45
      CEF Operation 46
  General IP Router Architecture Types 50
    Centralized CPU-Based Architectures 50
    Centralized ASIC-Based Architectures 52
    Distributed CPU-Based Architectures 54
    Distributed ASIC-Based Architectures 56
  Summary 62
  Review Questions 62
  Further Reading 63
[...]
...
    Limits 367
    IP Fragmentation and Reassembly 368
  Provider Core Security 370
    Disable IP TTL to MPLS TTL Propagation at the Network Edge 370
    IP Fragmentation 371
    Router Alert Label 371
    Network SLAs 372
  Inter-Provider Edge Security 372
    Carrier Supporting Carrier Security
    Inter-AS VPN Security 374
  IPsec VPN Services 376
    IPsec VPN Overview 376
      IKE 377
      IPsec 378
    Securing IPsec VPN Services 386
      IKE Security...

[Figure: OSI reference model layers (7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical) with peer-to-peer communications between the source node, intermediate nodes, and the destination node]

...traffic planes.

IP Network Concepts

Internet Protocol (IP) and IP/Multiprotocol Label Switching (IP/MPLS) packet-based networks capable of supporting converged network services are rapidly replacing purpose-built networks based on time-division multiplexing (TDM), Frame Relay, Asynchronous Transfer Mode (ATM), and other legacy technologies. Service providers worldwide are deploying IP/MPLS core networks...

...principles provides an effective security strategy.

Who Should Read This Book?

This book was written for network engineers, and network operations and security staff of organizations who deploy and/or maintain IP and IP/MPLS networks. The primary audience includes those engineers who are engaged in day-to-day design, engineering, and operations of IP networks. Subscribers of a service based on IP or IP/MPLS...

...essential for IP network security. IP networks provide any-to-any and end-to-end connectivity by nature. In its simplest form, a router provides destination-based forwarding of IP packets. If a router has a destination prefix in its forwarding table, it will forward the packet toward its final destination. Hence, routing (and more specifically, what prefixes are in the forwarding table of the router) is one...

...overlooked, components of IP network security. For example, using a default route often has significant implications for network security. The ubiquitous nature of IP, along with its any-to-any, end-to-end operational characteristics, provides inherent flexibility and scalability at unprecedented levels. This is at the same time both a positive and a negative aspect of IP networking. On the...

...characteristics provide the basis for securing IP traffic planes in enterprise networks, as you will learn in more detail in later sections. In addition, a detailed case study on securing IP traffic planes in enterprise networks is provided in Chapter 8, “Enterprise Network Case Study.”

[Figure 1-1 Conceptual Enterprise Network Architecture: Remote/Branch Office, Network Management, Data Center]

...learn why IP traffic planes must be protected and from what types of attacks.
• Chapter 3, “IP Network Traffic Plane Security Concepts”: Provides a broad overview of each IP traffic plane, and how defense in depth and breadth strategies are used to provide robust network security.

Part II, “Security Techniques for Protecting IP Traffic Planes,” provides the in-depth, working details that serious networking...

...overview of security incident handling techniques, and a list of common security incident handling organizations.

PART I IP Network and Traffic Plane Security Fundamentals

Chapter 1 Internet Protocol Operations Fundamentals
Chapter 2 Threat Models for IP Networks
Chapter 3 IP Network Traffic Plane Security Concepts

In this chapter, you will learn about the following:
• IP networking concepts
• IP protocol...

...with less network-centric backgrounds who wish to understand the issues and requirements of IP network traffic plane separation and security. This book also provides great insight into the technical interworkings and operations of IP routers that both senior and less-experienced network professionals can benefit from.

How This Book Is Organized

For those readers who are new to IP network security...

Posted: 25/03/2014, 12:04
