4.1 Key Terms
Management plane = The management plane refers to traffic and technologies involved in being able to manage the network and its devices. This could include management sessions with SSH, HTTPS, and so on, and could also include information-gathering tools such as SNMP or NetFlow.
Control plane = The logic systems in a device that are responsible for the routing or switching decisions (control). Routing protocols are a prime example.
Data plane = The logic systems in a device that are responsible for the actual movement (post-decision) of information. End users sending traffic to their servers is one example of traffic on the data plane.
NFP = Network Foundation Protection. The concept of breaking down the network into functional components (control plane, management plane, and data plane) and then providing protection for each of those components.
uRPF = Unicast Reverse Path Forwarding. Comparing the entry point of a packet's source address against the routing table and making sure the ingress interface matches what the egress interface would be to reach the source of the packet. If the interface does not match, the router assumes the source address is bogus (spoofed) and can drop the packet.
4.2 Things to Remember
4.2.1 Components of a Threat Control and Mitigation Strategy
Plane > Security Measures > Protection Objectives

Management plane >
+ Authentication, authorization, accounting (AAA)
+ Authenticated Network Time Protocol (NTP)
+ Secure Shell (SSH)
+ Secure Sockets Layer/Transport Layer Security (SSL/TLS)
+ Protected syslog
+ Simple Network Management Protocol Version 3 (SNMPv3)
+ Parser views
> Authenticate and authorize any administrators. Protect time synchronization by using authenticated NTP. Use only encrypted remote-access protocols, such as SSH for the CLI and SSL/TLS for GUI tools, and use secure versions of SNMP. If plaintext tools are used (such as syslog or Telnet), they should be protected by encryption protocols such as IPsec or should be used out of band (a separate network just for management traffic). A parser "view" is a way to limit what a specific individual, based on his role, can do on the router.

Control plane >
+ Control plane policing (CoPP) and control plane protection (CPPr)
+ Authenticated routing protocol updates
> The control plane tools limit the damage an attacker can do with traffic sent directly to the router's IP address (traffic addressed to the router itself, which the router must spend CPU resources to process). Routing protocol updates should be authenticated to remove the possibility of an attacker manipulating routing tables by putting a rogue router running the same routing protocol on your network. The attacker could be doing reconnaissance to learn the routes, or the attacker could be attempting to manipulate the resulting data plane by changing the routing on the network.

Data plane >
+ Access control lists (ACLs)
+ Layer 2 controls, such as private VLANs and Spanning Tree Protocol (STP) guards
+ IOS IPS, Zone-Based Firewall
> ACLs, when applied as filters on interfaces, can control which traffic (transit traffic) is allowed on the data plane. At Layer 2, by protecting the infrastructure there, you can prevent a rogue switch from becoming the root of your spanning tree, which would affect the data plane at Layer 2. Firewall filtering and services can also control exactly what traffic is flowing through your network. An example is using an IOS Zone-Based Firewall to implement policy about the data plane and what is allowed.
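The data-plane row above says that an ACL applied as an interface filter decides which transit traffic is allowed. The following Python example, added to these notes and not taken from Cisco IOS or any device configuration, evaluates a Cisco-style extended ACL the way an inbound interface filter does: lines are checked in order, the first match decides, and anything unmatched hits the implicit deny at the end. Wildcard masks are matched with the real Cisco semantics (a 0 bit must match, a 1 bit is "don't care"). The ACL name TRANSIT_IN, the addresses, and the packets are all constructed for the example.

```python
# Added example: a small evaluator that applies a Cisco-style extended ACL to
# packets the way an inbound interface filter does (first match wins, implicit
# deny at the end). The ACL lines, addresses and packets are constructed for
# this example; none of it comes from a real device.
import ipaddress

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask semantics: a 0 bit in the wildcard must match,
    a 1 bit is "don't care" (0.0.0.0 = exact host, 255.255.255.255 = any)."""
    care = 0xFFFFFFFF ^ ip_int(wildcard)
    return (ip_int(addr) & care) == (ip_int(base) & care)

# Constructed ACL, one tuple per line:
# (action, protocol, src, src_wildcard, dst, dst_wildcard, dst_port or None).
# Think of it as "ip access-group TRANSIT_IN in" on the outside interface.
TRANSIT_IN = [
    ("deny",   "ip",  "10.0.0.0", "0.255.255.255",   "0.0.0.0",      "255.255.255.255", None),  # anti-spoof: RFC 1918 source
    ("permit", "tcp", "0.0.0.0",  "255.255.255.255", "203.0.113.10", "0.0.0.0",         443),   # public web server, HTTPS
    ("permit", "tcp", "0.0.0.0",  "255.255.255.255", "203.0.113.10", "0.0.0.0",         80),    # public web server, HTTP
    ("permit", "udp", "0.0.0.0",  "255.255.255.255", "203.0.113.53", "0.0.0.0",         53),    # public DNS server
]

def evaluate(acl, packet):
    """Return (verdict, line_number); line_number is None when the implicit deny applied."""
    for number, (action, proto, src, src_wc, dst, dst_wc, dport) in enumerate(acl, start=1):
        if proto != "ip" and proto != packet["proto"]:
            continue
        if not wildcard_match(packet["src"], src, src_wc):
            continue
        if not wildcard_match(packet["dst"], dst, dst_wc):
            continue
        if dport is not None and packet.get("dport") != dport:
            continue
        return action, number          # first matching line decides
    return "deny", None                # implicit deny at the end of every Cisco ACL

def filter_transit(acl, packets):
    """Apply the ACL to a batch of packets. Returns the per-packet verdicts and
    per-line hit counts (the counters an operator reads with show access-lists)."""
    verdicts = []
    hits = {n: 0 for n in range(1, len(acl) + 1)}
    hits["implicit-deny"] = 0
    for pkt in packets:
        action, line = evaluate(acl, pkt)
        verdicts.append(action)
        hits[line if line is not None else "implicit-deny"] += 1
    return verdicts, hits

# Constructed transit traffic arriving on the outside interface.
PACKETS = [
    {"proto": "tcp",  "src": "198.51.100.5", "dst": "203.0.113.10", "dport": 443},
    {"proto": "tcp",  "src": "10.1.2.3",     "dst": "203.0.113.10", "dport": 443},  # private source from outside: spoofed
    {"proto": "tcp",  "src": "198.51.100.5", "dst": "203.0.113.10", "dport": 22},   # SSH to the web server: not permitted
    {"proto": "udp",  "src": "198.51.100.9", "dst": "203.0.113.53", "dport": 53},
    {"proto": "icmp", "src": "198.51.100.9", "dst": "203.0.113.10", "dport": None},
]

if __name__ == "__main__":
    verdicts, hits = filter_transit(TRANSIT_IN, PACKETS)
    for pkt, verdict in zip(PACKETS, verdicts):
        print(f"{pkt['proto']:4} {pkt['src']:>14} -> {pkt['dst']}:{pkt['dport']}  {verdict}")
    print("hit counts:", hits)
```

Two things worth noticing when running it: the spoofed packet is dropped by line 1 even though line 2 would have permitted it, because order decides, and the SSH and ICMP packets are dropped without matching any line at all, which is the implicit deny doing the filtering work that the explicit lines never mention.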
4.2.2 Protecting the Data Plane
Feature > Explanation

ACLs used for filtering > There are many types of ACLs and many ways to apply them for filtering. Note that an ACL can also be used as a classification mechanism in other features, such as an IOS firewall, identifying traffic for control plane protection, identifying who is allowed to connect to a vty line, where SNMP is allowed, and so on. In the discussion of protecting the data plane, we focus primarily on ACLs applied directly to interfaces for the purpose of filtering.

IOS firewall support > The firewall features on an IOS router have grown over the years. The older technology for implementing a firewall on IOS routers was called context-based access control (CBAC). CBAC has been replaced with the more current Zone-Based Firewall on the IOS.

IOS IPS > IOS IPS is a software implementation of an intrusion prevention system (IPS) that is overlaid on top of the existing routing platform to provide additional security. IOS IPS uses signature matches to look for malicious traffic. When an alert goes off because of a signature match, the router can prevent the packet from being forwarded, thus preventing the attack from reaching the final destination.

TCP Intercept > This tool allows the router to look at the number of half-formed sessions that are in place and intervene on behalf of the destination device. This can protect a destination device from a SYN-flood attack that is occurring on your network. The Zone-Based Firewall on an IOS router includes this feature.

Unicast Reverse Path Forwarding > Unicast Reverse Path Forwarding (uRPF) can mitigate spoofed IP packets. When this feature is enabled on an interface, as packets enter that interface the router spends an extra moment considering the source address of the packet. It then consults its own routing table, and if the routing table does not agree that the interface that just received this packet is also the best egress interface to use for forwarding to the source address of the packet, it denies the packet. This is a good way to limit IP spoofing.
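The uRPF entry above (and the key term in section 4.1) describes the check in words: look up the packet's source address, and drop the packet if the best route back to that source does not leave through the interface the packet arrived on. The Python example below, added to these notes and not taken from IOS, simulates that check over a constructed routing table so the longest-prefix lookup and the interface comparison are visible step by step. It goes a little beyond the notes in two ways: it also models the loose mode (any route back to the source is enough) and the IOS rule that a default route does not satisfy the check unless allow-default is configured. The route table, interface names and packets are constructed for the example.

```python
# Added example: a simulation of the uRPF check described in the notes above.
# The routing table, interface names and packets are constructed for this
# example and do not come from any real router.
import ipaddress

# Constructed routing table as (prefix, egress interface). The router picks the
# longest (most specific) matching prefix, exactly as the forwarding lookup would.
ROUTES = [
    ("0.0.0.0/0",    "Gi0/0"),   # default route toward the ISP
    ("10.1.0.0/16",  "Gi0/1"),   # internal campus summary
    ("10.1.5.0/24",  "Gi0/2"),   # a more specific internal subnet
    ("192.0.2.0/24", "Gi0/1"),
]

def lookup(address, routes=ROUTES):
    """Longest-prefix match for an address.
    Returns (egress interface, matched_default_route); (None, False) if no route."""
    addr = ipaddress.ip_address(address)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    if best_net is None:
        return None, False
    return best_iface, best_net.prefixlen == 0

def urpf_check(src, ingress, mode="strict", allow_default=False, routes=ROUTES):
    """Return True if a packet with source `src` arriving on `ingress` passes.

    strict (reachable-via rx): the best route back to the source must leave
        through the very interface the packet came in on.
    loose  (reachable-via any): any route back to the source is enough; the
        relaxed form used where routing is asymmetric.
    The default route only counts when allow_default is set, mirroring the
    IOS allow-default keyword; otherwise a source known only through the
    default route is treated as unverifiable and dropped.
    """
    iface, via_default = lookup(src, routes)
    if iface is None or (via_default and not allow_default):
        return False
    if mode == "loose":
        return True
    return iface == ingress

# Constructed packets as (source address, ingress interface).
PACKETS = [
    ("10.1.5.20",    "Gi0/2"),   # legitimate: route back to 10.1.5.0/24 is via Gi0/2
    ("10.1.5.20",    "Gi0/0"),   # internal source arriving from the ISP side: spoofed
    ("198.51.100.7", "Gi0/0"),   # external source, reachable only via the default route
    ("10.9.9.9",     "Gi0/1"),   # unknown internal-looking source on the campus link
]

def audit(packets, **options):
    """Apply urpf_check to each packet; returns a list of (src, ingress, verdict)."""
    return [(src, ingress, "pass" if urpf_check(src, ingress, **options) else "drop")
            for src, ingress in packets]

if __name__ == "__main__":
    for label, opts in [("strict", {}),
                        ("strict + allow-default", {"allow_default": True}),
                        ("loose + allow-default", {"mode": "loose", "allow_default": True})]:
        print(label)
        for row in audit(PACKETS, **opts):
            print("  ", *row)
```

Running it shows why the check is usually placed on the edge (ISP-facing) interface: the spoofed internal address arriving from the outside is dropped in strict mode, while a legitimate external source is only accepted once the default route is allowed to count, and the loose mode accepts anything with some route back to it, which is weaker but survives asymmetric routing.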