This chapter deals with Cisco IOS Network Foundation Protection (NFP) as a framework for infrastructure protection, all its components, and commonly used countermeasures as found in Cisco IOS devices. More precisely, this chapter differentiates the security measures to be implemented on the three conceptual planes of Cisco IOS devices: the control plane, the data plane, and the management plane. This chapter also discusses using Cisco Configuration Professional (CCP) to implement security controls on Cisco IOS routers.
Threats Against the Network Infrastructure

• Cisco Network Foundation Protection (NFP) provides an umbrella strategy for infrastructure protection by encompassing Cisco IOS security features.

Table 3-1 Common Issues for Network Infrastructure

Vulnerabilities | Threats | Impact
Design errors | Trust exploitation attacks | Exposed management credentials
Protocol weaknesses | Login, authentication, and password attacks | High route processor CPU utilization (near 100 percent)
Software vulnerabilities | Routing protocol exploits | Loss of protocol keepalives and routing updates
Misconfiguration | Spoofing | Route flaps and major network transitions
Multiple categories of vulnerabilities | Denial of service attacks | Slow or unresponsive management sessions
Multiple categories of vulnerabilities | Confidentiality and ... | Indiscriminate packet drops
Some Components of Cisco NFP

Plane | Feature | Benefit
Control plane | Control Plane Policing (CoPP) | Filter or rate limit control plane traffic with no regard to physical interface
Control plane | Control Plane Protection (CPPr) | Extend CoPP with granular traffic classification
Control plane | Routing protocol authentication | Integrity of routing and forwarding
Control plane | Cisco AutoSecure | Automate device hardening
Management plane | NTP, syslog, SNMP, SSH | Secure management and reporting
Management plane | CLI views | Obtain the benefits of role-based access control (RBAC) for command line
Management plane | Authentication, authorization, and accounting (AAA) | A comprehensive framework for RBAC
Data plane | Access control lists | Traffic filtering consistent across security device platforms
Data plane | Layer 2 controls (private VLANs, STP guards, others) | Protect the switching infrastructure
Data plane | Zone-based firewall, Cisco IOS | Deployment flexibility in Cisco IOS
Some of Cisco NFP in a Network
Control Plane Security

[Figure: Control plane security. At process level, the control plane (routing protocols, slow data path) and the management plane (management process) sit above the CEF and non-CEF forwarding paths for incoming and outgoing packets on GE0/1. Callouts: CoPP treats the CPU as an interface, so filters and rate limits can be applied to it. CPPr, an extension of CoPP, subdivides CPU-bound traffic into three queues that can be controlled individually.]

Goal of CoPP: Treat the CPU as an Interface

• Control Plane Policing (CoPP) is a Cisco IOS feature that lets users manage the flow of traffic handled by the route processor of their network devices.
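As an added example (not configuration from the original slides), the following Cisco IOS policy shows what "treating the CPU as an interface" looks like in practice: CPU-bound traffic is classified with ACLs, each class is rate limited, and the policy is attached to the control plane; the final stanza uses the CPPr host subinterface to restrict which interface may carry management sessions. ACL names, the 10.1.1.0/24 management subnet, the police rates and GigabitEthernet0/1 are constructed values.

```cisco
! Added example, not from the original slides. Addresses, rates and names are constructed.
!
! Classify CPU-bound traffic with ACLs
ip access-list extended COPP-ROUTING
 permit ospf any any
 permit tcp any eq bgp any
 permit tcp any any eq bgp
ip access-list extended COPP-MANAGEMENT
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
 permit udp 10.1.1.0 0.0.0.255 any eq snmp
 permit udp any eq ntp any eq ntp
ip access-list extended COPP-UNDESIRABLE
 permit tcp any any eq 23
 permit udp any any eq 69
!
class-map match-all COPP-ROUTING
 match access-group name COPP-ROUTING
class-map match-all COPP-MANAGEMENT
 match access-group name COPP-MANAGEMENT
class-map match-all COPP-UNDESIRABLE
 match access-group name COPP-UNDESIRABLE
!
! Rate limit per class: routing is never dropped, undesirable traffic always is,
! and everything unclassified gets a small safety budget
policy-map COPP-POLICY
 class COPP-ROUTING
  police 1000000 conform-action transmit exceed-action transmit
 class COPP-MANAGEMENT
  police 500000 conform-action transmit exceed-action drop
 class COPP-UNDESIRABLE
  police 8000 conform-action drop exceed-action drop
 class class-default
  police 100000 conform-action transmit exceed-action drop
!
! CoPP: apply the policy to the aggregate control plane (the "CPU interface")
control-plane
 service-policy input COPP-POLICY
!
! CPPr: on the host subinterface, only GigabitEthernet0/1 may carry SSH and SNMP
! sessions to the device (Management Plane Protection)
control-plane host
 management-interface GigabitEthernet0/1 allow ssh snmp
!
! Verify with: show policy-map control-plane
!              show management-interface
```

Watch the class-default counters after deployment: drops there mean legitimate control-plane traffic you did not classify, and the ACLs should be extended before the rates are tightened.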
Cisco AutoSecure

Cisco AutoSecure allows two modes of operation:

• Interactive mode: Prompts users to select their own configuration of router services and other security-related features
• Noninteractive mode: Configures security-related features of the router based on a set of Cisco defaults

Cisco AutoSecure protects the router functional planes by doing the following:

• Disabling often unnecessary and potentially insecure global services
• Enabling certain services that help further secure often necessary global services
• Disabling often unnecessary and potentially insecure interface services, which can be configured on a per-interface level
• Securing administrative access to the router
Cisco AutoSecure Protection for All Three Planes

Plane | Action
Control plane | Disables often unnecessary and potentially insecure global services (finger, HTTP, Cisco Discovery Protocol, and so on)
Management plane | Secures administrative access to the router (password existence and minimum length, AAA, SSH, and others)
Data plane | Disables often unnecessary and potentially insecure interface services
Secure Management and Reporting

[Figure: A protected management network (behind a firewall) holding the SNMP server, syslog server, and configuration and content management systems, with out-of-band (OOB) configuration of all devices through console ports and a Cisco terminal server, and private VLANs. The system administrator reaches devices over encrypted in-band network management (VPN) through a Cisco IOS Firewall providing stateful packet filtering and IPsec termination.]
Role-Based Access Control

Deploying AAA

[Figure: Deploying AAA, showing a perimeter router and a remote client.]
Data Plane Security

Among the laundry list of ways to protect the data plane, some that we will see in this book include:

• Access control lists
• Private VLANs
• Firewalling
Access Control List Filtering

The following are the most common reasons to use ACLs:

• Block unwanted traffic or users
• Reduce the chance of DoS attacks for internal devices
• Mitigate spoofing attacks
• Provide bandwidth control
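As an added example (not from the original slides), the following ingress ACL on an Internet-facing interface covers the first three reasons above: it rejects spoofed sources, drops unwanted management traffic from outside, and admits only replies to inside-initiated sessions plus published services. The 192.0.2.0/24 public block, the server addresses and GigabitEthernet0/0 are constructed values.

```cisco
! Added example, not from the original slides. 192.0.2.0/24, the server
! addresses and the interface name are constructed.
ip access-list extended OUTSIDE-IN
 remark Mitigate spoofing: our own prefix must never arrive from the outside
 deny   ip 192.0.2.0 0.0.0.255 any log
 remark Private and loopback sources are not routable on the Internet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark Block unwanted traffic: no Telnet or SSH to anything from outside
 deny   tcp any any eq 23
 deny   tcp any any eq 22 log
 remark Reduce DoS exposure: only replies to sessions opened from inside
 permit tcp any 192.0.2.0 0.0.0.255 established
 remark Published services only; everything else is denied and logged
 permit tcp any host 192.0.2.10 eq 443
 permit udp any host 192.0.2.53 eq domain
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Internet uplink (constructed)
 ip access-group OUTSIDE-IN in
!
! Verify hit counts with: show ip access-lists OUTSIDE-IN
```

The logged deny entries are the detection value of this ACL: a steady hit count on the anti-spoofing line indicates traffic forged with internal source addresses arriving on the outside interface.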
Layer 2 Data Plane Protection

Data plane protection mechanisms depend on feature availability for specific devices. In a switching infrastructure, the following integrated security capabilities provide data plane security on Cisco Catalyst switches:

• Port security prevents MAC flooding attacks
• DHCP snooping prevents client attacks on the DHCP server and switch
• Dynamic ARP Inspection (DAI) adds security to ARP by using the DHCP snooping table to minimize the impact of ARP poisoning and spoofing attacks
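As an added example (not from the original slides), the following Catalyst configuration enables the three controls listed above together, showing the dependency between them: DHCP snooping builds the binding table, DAI validates ARP against it, and port security caps the MAC addresses per access port. VLAN 10, the interface numbers and the rate limits are constructed values.

```cisco
! Added example, not from the original slides. VLAN, interfaces and limits are constructed.
!
! DHCP snooping builds the IP-to-MAC binding table that DAI consults
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Uplink toward the legitimate DHCP server: trusted for both features
interface GigabitEthernet0/1
 description Uplink to distribution and DHCP server (constructed)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! User-facing ports: untrusted, rate limited, and bound to at most two MACs
interface range GigabitEthernet0/2 - 24
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verify with: show ip dhcp snooping binding
!              show ip arp inspection statistics vlan 10
!              show port-security interface GigabitEthernet0/2
```

The violation mode restrict keeps the port up while counting and logging offending frames, which is usually preferable to shutdown on user ports where an err-disabled port becomes a help-desk ticket.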
Cisco Configuration Professional
CCP Initial Configuration

[Figure: Default configuration, with addresses 10.10.10.1 and 10.10.10.2. Labels: DHCP Server by Default; Manual IP Address Needed.]
Command to Provision a Deployed Device with CCP Support

Feature | Requirement | Configuration
Secure Access | SSH and HTTPS |
    Router(config)# ip http secure-server
    Router(config)# ip http authentication local
    Router(config)# line vty 0 4
    Router(config-line)# login local
    Router(config-line)# transport input ssh
    Router(config-line)# transport output ssh
Nonsecure Access | Telnet and HTTP (clear text) |
    Router(config)# ip http server
    Router(config)# ip http authentication local
    Router(config)# line vty 0 4
    Router(config-line)# login local
Using CCP to Harden Cisco IOS Devices

[Figure: Cisco Configuration Professional screen at Configure > Security > Security Audit, offering two options.
Security Audit: Cisco CP will run a series of predefined checklists to assess your router's security configuration. Once finished, Cisco CP will present you with a list of recommended actions, which you may choose to apply. Or, you may directly perform one-step router lock-down by using the below option. (Button: Perform security audit)
One-step lockdown: One-step lockdown configures the router with a set of defined security features with recommended settings. Clicking the below button will deliver the configurations to the router.]