Register your product to gain access to bonus material or receive a coupon.
This eBook includes the following formats, accessible from your Account page after purchase:
EPUB The open industry format known for its reflowable content and usability on supported mobile devices.
PDF The popular standard, used most often with the free Acrobat® Reader® software.
This eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.
Router Security Strategies: Securing IP Network Traffic Planes provides a compre-hensive approach to understand and implement IP traffic plane separation and protection on IP routers. This book details the distinct traffic planes of IP networks and the advanced techniques necessary to operationally secure them. This includes the data, control, management, and services planes that provide the infrastructure for IP networking.
The first section provides a brief overview of the essential components of the Internet Protocol and IP networking. At the end of this section, you will understand the fundamental principles of defense in depth and breadth security as applied to IP traffic planes. Techniques to secure the IP data plane, IP control plane, IP management plane, and IP services plane are covered in detail in the second section.
The final section provides case studies from both the enterprise network and the service provider network perspectives. In this way, the individual IP traffic plane security techniques reviewed in the second section of the book are brought together to help you create an integrated, comprehensive defense in depth and breadth security architecture.
“Understanding and securing IP traffic planes are critical to the overall security posture of the IP infrastructure. The techniques detailed in this book provide protection and instrumentation enabling operators to understand and defend against attacks. As the vulnerability economy continues to mature, it is critical for both vendors and network providers to collaboratively deliver these protections to the IP infrastructure.”
–Russell Smoak, Director, Technical Services, Security Intelligence Engineering, Cisco
Gregg Schudel, CCIE® No. 9591, joined Cisco in 2000 as a consulting system engineer supporting the U.S. service provider organization. Gregg focuses on IP core network security architectures and technology for interexchange carriers and web services providers.
David J. Smith, CCIE No. 1986, joined Cisco in 1995 and is a consulting system engineer supporting the service provider organization. David focuses on IP core and edge architectures including IP routing, MPLS technologies, QoS, infrastructure security, and network telemetry.
This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
Foreword xix
Introduction xx
Part I
IP Network and Traffic Plane Security Fundamentals 3
Chapter 1
Internet Protocol Operations Fundamentals 5
IP Network Concepts 5
Enterprise Networks 7
Service Provider Networks 9
IP Protocol Operations 11
IP Traffic Concepts 19
Transit IP Packets 20
Receive-Adjacency IP Packets 21
Exception IP and Non-IP Packets 22
Exception IP Packets 22
Non-IP Packets 23
IP Traffic Planes 24
Data Plane 25
Control Plane 27
Management Plane 29
Services Plane 30
IP Router Packet Processing Concepts 32
Process Switching 36
Fast Switching 39
Cisco Express Forwarding 44
Forwarding Information Base 44
Adjacency Table 45
CEF Operation 46
General IP Router Architecture Types 50
Centralized CPU-Based Architectures 50
Centralized ASIC-Based Architectures 52
Distributed CPU-Based Architectures 54
Distributed ASIC-Based Architectures 56
Summary 62
Review Questions 62
Further Reading 63
Chapter 2
Threat Models for IP Networks 65
Threats Against IP Network Infrastructures 65
Resource Exhaustion Attacks 66
Direct Attacks 67
Transit Attacks 70
Reflection Attacks 74
Spoofing Attacks 75
Transport Protocol Attacks 76
UDP Protocol Attacks 78
TCP Protocol Attacks 78
Routing Protocol Threats 81
Other IP Control Plane Threats 83
Unauthorized Access Attacks 85
Software Vulnerabilities 87
Malicious Network Reconnaissance 88
Threats Against Layer 2 Network Infrastructures 89
CAM Table Overflow Attacks 89
MAC Spoofing Attacks 90
VLAN Hopping Attacks 92
Private VLAN Attacks 93
STP Attacks 94
VTP Attacks 95
Threats Against IP VPN Network Infrastructures 96
MPLS VPN Threat Models 96
Threats Against the Customer Edge 98
Threats Against the Provider Edge 99
Threats Against the Provider Core 101
Threats Against the Inter-Provider Edge 103
Carrier Supporting Carrier Threats 103
Inter-AS VPN Threats 105
IPsec VPN Threat Models 108
Summary 111
Review Questions 112
Further Reading 113
Chapter 3
IP Network Traffic Plane Security Concepts 117
Principles of Defense in Depth and Breadth 117
Understanding Defense in Depth and Breadth Concepts 118
What Needs to Be Protected? 119
What Are Defensive Layers? 119
What Is the Operational Envelope of the Network? 122
What Is Your Organization’s Operational Model? 123
IP Network Traffic Planes: Defense in Depth and Breadth 123
Data Plane 124
Control Plane 124
Management Plane 125
Services Plane 126
Network Interface Types 127
Physical Interfaces 128
Logical Interfaces 131
Network Edge Security Concepts 133
Internet Edge 133
MPLS VPN Edge 136
Network Core Security Concepts 138
IP Core 139
MPLS VPN Core 140
Summary 141
Review Questions 141
Further Reading 142
Part II
Security Techniques for Protecting IP Traffic Planes 145
Chapter 4
IP Data Plane Security 147
Interface ACL Techniques 147
Unicast RPF Techniques 156
Strict uRPF 157
Loose uRPF 161
VRF Mode uRPF 163
Feasible uRPF 167
Flexible Packet Matching 168
QoS Techniques 170
Queuing 170
IP QoS Packet Coloring (Marking) 171
Rate Limiting 173
IP Options Techniques 174
Disable IP Source Routing 175
IP Options Selective Drop 175
ACL Support for Filtering IP Options 177
Control Plane Policing 178
ICMP Data Plane Mitigation Techniques 178
Disabling IP Directed Broadcasts 181
IP Sanity Checks 182
BGP Policy Enforcement Using QPPB 183
IP Routing Techniques 187
IP Network Core Infrastructure Hiding 187
IS-IS Advertise-Passive-Only 187
IP Network Edge External Link Protection 189
Protection Using More Specific IP Prefixes 190
Protection Using BGP Communities 191
Protection Using ACLs with Discontiguous Network Masks 192
Remotely Triggered Black Hole Filtering 193
IP Transport and Application Layer Techniques 200
TCP Intercept 200
Network Address Translation 201
IOS Firewall 203
IOS Intrusion Prevention System 205
Traffic Scrubbing 206
Deep Packet Inspection 207
Layer 2 Ethernet Security Techniques 208
Port Security 208
MAC Address—Based Traffic Blocking 209
Disable Auto Trunking 210
VLAN ACLs 211
IP Source Guard 212
Private VLANs 212
Traffic Storm Control 213
Unknown Unicast Flood Blocking 214
Summary 214
Review Questions 214
Further Reading 215
Chapter 5
IP Control Plane Security 219
Disabling Unused Control Plane Services 220
ICMP Techniques 220
Selective Packet Discard 222
SPD State Check 223
SPD Input Queue Check 226
SPD Monitoring and Tuning 226
IP Receive ACLs 230
IP Receive ACL Deployment Techniques 232
Activating an IP Receive ACL 233
IP Receive ACL Configuration Guidelines 234
IP Receive ACL Feature Support 241
Control Plane Policing 241
CoPP Configuration Guidelines 243
Defining CoPP Policies 243
Tuning CoPP Policies 252
Platform-Specific CoPP Implementation Details 260
Cisco 12000 CoPP Implementation 260
Cisco Catalyst 6500/Cisco 7600 CoPP Implementation 264
Neighbor Authentication 269
MD5 Authentication 270
Generalized TTL Security Mechanism 273
Protocol-Specific ACL Filters 277
BGP Security Techniques 279
BGP Prefix Filters 280
IP Prefix Limits 282
AS Path Limits 283
BGP Graceful Restart 283
Layer 2 Ethernet Control Plane Security 285
VTP Authentication 285
DHCP Snooping 286
Dynamic ARP Inspection 289
Sticky ARP 291
Spanning Tree Protocol 292
Summary 294
Review Questions 294
Further Reading 295
Chapter 6
IP Management Plane Security 299
Management Interfaces 300
Password Security 303
SNMP Security 306
Remote Terminal Access Security 309
Disabling Unused Management Plane Services 311
Disabling Idle User Sessions 315
System Banners 316
Secure IOS File Systems 319
Role-Based CLI Access 320
Management Plane Protection 324
Authentication, Authorization, and Accounting 326
AutoSecure 329
Network Telemetry and Security 330
Management VPN for MPLS VPNs 335
Summary 341
Review Questions 342
Further Reading 343
Chapter 7
IP Services Plane Security 347
Services Plane Overview 347
Quality of Service 350
QoS Mechanisms 351
Classification 353
Marking 353
Policing 354
Queuing 354
MQC 355
Packet Recoloring Example 356
Traffic Management Example 358
Securing QoS Services 361
MPLS VPN Services 362
MPLS VPN Overview 363
Customer Edge Security 364
Provider Edge Security 365
Infrastructure ACL 366
IP Receive ACL 366
Control Plane Policing 367
VRF Prefix Limits 367
IP Fragmentation and Reassembly 368
Provider Core Security 370
Disable IP TTL to MPLS TTL Propagation at the Network Edge 370
IP Fragmentation 371
Router Alert Label 371
Network SLAs 372
Inter-Provider Edge Security 372
Carrier Supporting Carrier Security 373
Inter-AS VPN Security 374
IPsec VPN Services 376
IPsec VPN Overview 376
IKE 377
IPsec 378
Securing IPsec VPN Services 386
IKE Security 386
Fragmentation 387
IPsec VPN Access Control 391
QoS 393
Other IPsec Security-Related Features 394
Other Services 394
SSL VPN Services 395
VoIP Services 396
Video Services 397
Summary 399
Review Questions 399
Further Reading 400
Part III
Case Studies 403
Chapter 8
Enterprise Network Case Studies 405
Case Study 1: IPsec VPN and Internet Access 406
Network Topology and Requirements 407
Router Configuration 409
Data Plane 418
Control Plane 420
Management Plane 422
Services Plane 424
Case Study 2: MPLS VPN 426
Network Topology and Requirements 426
Router Configuration 428
Data Plane 435
Control Plane 437
Management Plane 438
Services Plane 440
Summary 441
Further Reading 441
Chapter 9
Service Provider Network Case Studies 443
Case Study 1: IPsec VPN and Internet Access 444
Network Topology and Requirements 445
Router Configuration 448
Data Plane 455
Control Plane 458
Management Plane 460
Services Plane 463
Case Study 2: MPLS VPN 463
Network Topology and Requirements 464
Router Configuration 467
Data Plane 474
Control Plane 474
Management Plane 477
Services Plane 481
Summary 483
Further Reading 483
Part IV
Appendixes 485
Appendix A
Answers to Chapter Review Questions 487
Appendix B
IP Protocol Headers 497
IP Version 4 Header 499
TCP Header 510
UDP Header 518
ICMP Header 521
ICMP Echo Request/Echo Reply Query Message Headers 525
ICMP Time to Live Exceeded in Transit Error Message Header 529
ICMP Destination Unreachable, Fragmentation Needed and Don’t Fragment was
Set Error Message Header 533
Other ICMP Destination Unreachable Error Message Headers 539
Ethernet/802.1Q Header 543
IEEE 802.3 Ethernet Frame Header Format 543
IEEE 802.1Q VLAN Header Format 547
MPLS Protocol Header 551
Further Reading 554
Appendix C
Cisco IOS to IOS XR Security Transition 557
Data Plane Security Commands 558
Control Plane Security Commands 562
Management Plane Security Commands 578
Services Plane Security Commands 592
Further Reading 595
Appendix D
Security Incident Handling 597
Six Phases of Incident Response 597
Preparation 598
Understand the Threats 598
Deploy Defense in Depth and Breadth Security Strategies 598
Establish Well-Defined Incident Response Procedures 599
Establish an Incident Response Team 600
Identification 600
Classification 600
Traceback 601
Reaction 601
Post-Mortem Analysis 602
Cisco Product Security 602
Cisco Security Vulnerability Policy 603
Cisco Computer and Network Security 603
Cisco Safety and Security 603
Cisco IPS Signature Pack Updates and Archives 603
Cisco Security Center 603
Cisco IntelliShield Alert Manager Service 603
Cisco Software Center 604
Industry Security Organizations 604
Regional Network Operators Groups 605
Further Reading 606
Index
608