Router Security Strategies: Securing IP Network Traffic Planes
Router Security Strategies: Securing IP Network Traffic Planes provides a comprehensive
approach to understanding and implementing IP traffic plane separation and protection
on IP routers. This book details the distinct traffic planes of IP networks
and the advanced techniques necessary to operationally secure them. These are
the data, control, management, and services planes that provide the infrastructure
for IP networking.
The first section provides a brief overview of the essential components of
the Internet Protocol and IP networking. At the end of this section, you will
understand the fundamental principles of defense in depth and breadth security
as applied to IP traffic planes. Techniques to secure the IP data plane, IP
control plane, IP management plane, and IP services plane are covered in detail
in the second section.
The final section provides case studies from both the enterprise network and
the service provider network perspectives. In this way, the individual IP traffic
plane security techniques reviewed in the second section of the book are brought
together to help you create an integrated, comprehensive defense in depth and
breadth security architecture.
Understanding and securing IP traffic planes are critical to the overall
security posture of the IP infrastructure. The techniques detailed in this book
provide protection and instrumentation enabling operators to understand and
defend against attacks. As the vulnerability economy continues to mature, it
is critical for both vendors and network providers to collaboratively deliver
these protections to the IP infrastructure.
-- Russell Smoak, Director, Technical Services, Security Intelligence Engineering,
Cisco
- Understand the operation of IP networks and routers
- Learn about the many threat models facing IP networks, Layer 2 Ethernet switching environments, and IPsec and MPLS VPN services
- Learn how to segment and protect each IP traffic plane by applying defense in depth and breadth principles
- Use security techniques such as ACLs, rate limiting, IP Options filtering, uRPF, QoS, RTBH, QPPB, and many others to protect the data plane of IP and switched Ethernet networks
- Secure the IP control plane with rACL, CoPP, GTSM, MD5, BGP and ICMP techniques and Layer 2 switched Ethernet-specific techniques
- Protect the IP management plane with password management, SNMP, SSH, NTP, AAA, as well as other VPN management, out-of-band management, and remote access management techniques
- Secure the IP services plane using recoloring, IP fragmentation control, MPLS label control, and other traffic classification and process control techniques
This security book is part of the Cisco Press® Networking Technology Series.
Security titles from Cisco Press help networking professionals secure critical
data and resources, prevent and mitigate network attacks, and build end-to-end
self-defending networks.
Table of Contents
Foreword xix
Introduction xx
Part I
IP Network and Traffic Plane Security Fundamentals 3
Chapter 1
Internet Protocol Operations Fundamentals 5
IP Network Concepts 5
Enterprise Networks 7
Service Provider Networks 9
IP Protocol Operations 11
IP Traffic Concepts 19
Transit IP Packets 20
Receive-Adjacency IP Packets 21
Exception IP and Non-IP Packets 22
Exception IP Packets 22
Non-IP Packets 23
IP Traffic Planes 24
Data Plane 25
Control Plane 27
Management Plane 29
Services Plane 30
IP Router Packet Processing Concepts 32
Process Switching 36
Fast Switching 39
Cisco Express Forwarding 44
Forwarding Information Base 44
Adjacency Table 45
CEF Operation 46
General IP Router Architecture Types 50
Centralized CPU-Based Architectures 50
Centralized ASIC-Based Architectures 52
Distributed CPU-Based Architectures 54
Distributed ASIC-Based Architectures 56
Summary 62
Review Questions 62
Further Reading 63
Chapter 2
Threat Models for IP Networks 65
Threats Against IP Network Infrastructures 65
Resource Exhaustion Attacks 66
Direct Attacks 67
Transit Attacks 70
Reflection Attacks 74
Spoofing Attacks 75
Transport Protocol Attacks 76
UDP Protocol Attacks 78
TCP Protocol Attacks 78
Routing Protocol Threats 81
Other IP Control Plane Threats 83
Unauthorized Access Attacks 85
Software Vulnerabilities 87
Malicious Network Reconnaissance 88
Threats Against Layer 2 Network Infrastructures 89
CAM Table Overflow Attacks 89
MAC Spoofing Attacks 90
VLAN Hopping Attacks 92
Private VLAN Attacks 93
STP Attacks 94
VTP Attacks 95
Threats Against IP VPN Network Infrastructures 96
MPLS VPN Threat Models 96
Threats Against the Customer Edge 98
Threats Against the Provider Edge 99
Threats Against the Provider Core 101
Threats Against the Inter-Provider Edge 103
Carrier Supporting Carrier Threats 103
Inter-AS VPN Threats 105
IPsec VPN Threat Models 108
Summary 111
Review Questions 112
Further Reading 113
Chapter 3
IP Network Traffic Plane Security Concepts 117
Principles of Defense in Depth and Breadth 117
Understanding Defense in Depth and Breadth Concepts 118
What Needs to Be Protected? 119
What Are Defensive Layers? 119
What Is the Operational Envelope of the Network? 122
What Is Your Organization's Operational Model? 123
IP Network Traffic Planes: Defense in Depth and Breadth 123
Data Plane 124
Control Plane 124
Management Plane 125
Services Plane 126
Network Interface Types 127
Physical Interfaces 128
Logical Interfaces 131
Network Edge Security Concepts 133
Internet Edge 133
MPLS VPN Edge 136
Network Core Security Concepts 138
IP Core 139
MPLS VPN Core 140
Summary 141
Review Questions 141
Further Reading 142
Part II
Security Techniques for Protecting IP Traffic Planes 145
Chapter 4
IP Data Plane Security 147
Interface ACL Techniques 147
Unicast RPF Techniques 156
Strict uRPF 157
Loose uRPF 161
VRF Mode uRPF 163
Feasible uRPF 167
Flexible Packet Matching 168
QoS Techniques 170
Queuing 170
IP QoS Packet Coloring (Marking) 171
Rate Limiting 173
IP Options Techniques 174
Disable IP Source Routing 175
IP Options Selective Drop 175
ACL Support for Filtering IP Options 177
Control Plane Policing 178
ICMP Data Plane Mitigation Techniques 178
Disabling IP Directed Broadcasts 181
IP Sanity Checks 182
BGP Policy Enforcement Using QPPB 183
IP Routing Techniques 187
IP Network Core Infrastructure Hiding 187
IS-IS Advertise-Passive-Only 187
IP Network Edge External Link Protection 189
Protection Using More Specific IP Prefixes 190
Protection Using BGP Communities 191
Protection Using ACLs with Discontiguous Network Masks 192
Remotely Triggered Black Hole Filtering 193
IP Transport and Application Layer Techniques 200
TCP Intercept 200
Network Address Translation 201
IOS Firewall 203
IOS Intrusion Prevention System 205
Traffic Scrubbing 206
Deep Packet Inspection 207
Layer 2 Ethernet Security Techniques 208
Port Security 208
MAC Address-Based Traffic Blocking 209
Disable Auto Trunking 210
VLAN ACLs 211
IP Source Guard 212
Private VLANs 212
Traffic Storm Control 213
Unknown Unicast Flood Blocking 214
Summary 214
Review Questions 214
Further Reading 215
Chapter 5
IP Control Plane Security 219
Disabling Unused Control Plane Services 220
ICMP Techniques 220
Selective Packet Discard 222
SPD State Check 223
SPD Input Queue Check 226
SPD Monitoring and Tuning 226
IP Receive ACLs 230
IP Receive ACL Deployment Techniques 232
Activating an IP Receive ACL 233
IP Receive ACL Configuration Guidelines 234
IP Receive ACL Feature Support 241
Control Plane Policing 241
CoPP Configuration Guidelines 243
Defining CoPP Policies 243
Tuning CoPP Policies 252
Platform-Specific CoPP Implementation Details 260
Cisco 12000 CoPP Implementation 260
Cisco Catalyst 6500/Cisco 7600 CoPP Implementation 264
Neighbor Authentication 269
MD5 Authentication 270
Generalized TTL Security Mechanism 273
Protocol-Specific ACL Filters 277
BGP Security Techniques 279
BGP Prefix Filters 280
IP Prefix Limits 282
AS Path Limits 283
BGP Graceful Restart 283
Layer 2 Ethernet Control Plane Security 285
VTP Authentication 285
DHCP Snooping 286
Dynamic ARP Inspection 289
Sticky ARP 291
Spanning Tree Protocol 292
Summary 294
Review Questions 294
Further Reading 295
Chapter 6
IP Management Plane Security 299
Management Interfaces 300
Password Security 303
SNMP Security 306
Remote Terminal Access Security 309
Disabling Unused Management Plane Services 311
Disabling Idle User Sessions 315
System Banners 316
Secure IOS File Systems 319
Role-Based CLI Access 320
Management Plane Protection 324
Authentication, Authorization, and Accounting 326
AutoSecure 329
Network Telemetry and Security 330
Management VPN for MPLS VPNs 335
Summary 341
Review Questions 342
Further Reading 343
Chapter 7
IP Services Plane Security 347
Services Plane Overview 347
Quality of Service 350
QoS Mechanisms 351
Classification 353
Marking 353
Policing 354
Queuing 354
MQC 355
Packet Recoloring Example 356
Traffic Management Example 358
Securing QoS Services 361
MPLS VPN Services 362
MPLS VPN Overview 363
Customer Edge Security 364
Provider Edge Security 365
Infrastructure ACL 366
IP Receive ACL 366
Control Plane Policing 367
VRF Prefix Limits 367
IP Fragmentation and Reassembly 368
Provider Core Security 370
Disable IP TTL to MPLS TTL Propagation at the Network Edge 370
IP Fragmentation 371
Router Alert Label 371
Network SLAs 372
Inter-Provider Edge Security 372
Carrier Supporting Carrier Security 373
Inter-AS VPN Security 374
IPsec VPN Services 376
IPsec VPN Overview 376
IKE 377
IPsec 378
Securing IPsec VPN Services 386
IKE Security 386
Fragmentation 387
IPsec VPN Access Control 391
QoS 393
Other IPsec Security-Related Features 394
Other Services 394
SSL VPN Services 395
VoIP Services 396
Video Services 397
Summary 399
Review Questions 399
Further Reading 400
Part III
Case Studies 403
Chapter 8
Enterprise Network Case Studies 405
Case Study 1: IPsec VPN and Internet Access 406
Network Topology and Requirements 407
Router Configuration 409
Data Plane 418
Control Plane 420
Management Plane 422
Services Plane 424
Case Study 2: MPLS VPN 426
Network Topology and Requirements 426
Router Configuration 428
Data Plane 435
Control Plane 437
Management Plane 438
Services Plane 440
Summary 441
Further Reading 441
Chapter 9
Service Provider Network Case Studies 443
Case Study 1: IPsec VPN and Internet Access 444
Network Topology and Requirements 445
Router Configuration 448
Data Plane 455
Control Plane 458
Management Plane 460
Services Plane 463
Case Study 2: MPLS VPN 463
Network Topology and Requirements 464
Router Configuration 467
Data Plane 474
Control Plane 474
Management Plane 477
Services Plane 481
Summary 483
Further Reading 483
Part IV
Appendixes 485
Appendix A
Answers to Chapter Review Questions 487
Appendix B
IP Protocol Headers 497
IP Version 4 Header 499
TCP Header 510
UDP Header 518
ICMP Header 521
ICMP Echo Request/Echo Reply Query Message Headers 525
ICMP Time to Live Exceeded in Transit Error Message Header 529
ICMP Destination Unreachable, Fragmentation Needed and Don't Fragment was Set Error Message Header 533
Other ICMP Destination Unreachable Error Message Headers 539
Ethernet/802.1Q Header 543
IEEE 802.3 Ethernet Frame Header Format 543
IEEE 802.1Q VLAN Header Format 547
MPLS Protocol Header 551
Further Reading 554
Appendix C
Cisco IOS to IOS XR Security Transition 557
Data Plane Security Commands 558
Control Plane Security Commands 562
Management Plane Security Commands 578
Services Plane Security Commands 592
Further Reading 595
Appendix D
Security Incident Handling 597
Six Phases of Incident Response 597
Preparation 598
Understand the Threats 598
Deploy Defense in Depth and Breadth Security Strategies 598
Establish Well-Defined Incident Response Procedures 599
Establish an Incident Response Team 600
Identification 600
Classification 600
Traceback 601
Reaction 601
Post-Mortem Analysis 602
Cisco Product Security 602
Cisco Security Vulnerability Policy 603
Cisco Computer and Network Security 603
Cisco Safety and Security 603
Cisco IPS Signature Pack Updates and Archives 603
Cisco Security Center 603
Cisco IntelliShield Alert Manager Service 603
Cisco Software Center 604
Industry Security Organizations 604
Regional Network Operators Groups 605
Further Reading 606
Index
About the Authors
Gregg Schudel, CCIE® No. 9591, joined Cisco in 2000 as a consulting system
engineer supporting the U.S. service provider organization. Gregg focuses on
IP core network security architectures and technology for interexchange carriers
and web services providers.
David J. Smith, CCIE No. 1986, joined Cisco in 1995 and is a consulting system
engineer supporting the service provider organization. David focuses on IP core
and edge architectures including IP routing, MPLS technologies, QoS, infrastructure
security, and network telemetry.
Customer Reviews: 2
Mar 25, 2008, Rik Guyler, Solutions Architect from Dayton, Ohio USA
Excellent coverage of the intended subject matter
We finally have a book that pulls several different IOS security strategies together. So many references prior to this one touch on these topics sporadically but I have yet to find a better resource that covers all the bases as does this one.
The things I like about this book:
So many authors tend to try to spread their subject matter out too wide and take too broad of an approach when writing about network security. Schudel and Smith didn't do that. Instead they focused on specific areas and worked diligently to stay on target. It was very refreshing to read a book that actually didn't wander off on tangential subjects on a regular basis.
As for actual subject matter, I was very pleased to find a book that discussed the various planes within Cisco IOS. In my opinion Cisco has not been very good about documenting this subject and so this book has cleared up several knowledge gaps I had prior to reading it. All of the bits of information I've heard or read about in the past were pulled together in a clear and concise manner. It was also pleasing to see just the right amount of configuration shows rather than pages and pages of them.
I also was very happy that this book was not full of fluff. The authors used just enough background info to convey their message but did not go overboard in non-essential detail. As with any technical reference I prefer thorough and correct information but many times there is just too much description that just gets in the way.
Some reviewers stated that the authors repeated themselves within this book. For me this was not a negative. There are certain topics that I very much need repeated in order to retain it thoroughly and so this was not a problem for me. The repetitious content was neither significant nor time consuming so I consider it to be a positive rather than a negative.
The things I do not like about this book:
This is trivial but I would have much preferred a hardback book rather than a paperback. This is a personal preference of course but hardbacks tend to last longer for me.
Mar 23, 2008, Afaq Muhammad Khan from Santa Clara, CA, USA
That's just yet another great title from Cisco Press!
This book does a great job of logically dividing the overall router security into each logical context by way of describing the router's planes. I also found the very elaborate and diverse Further Reading towards the end of each chapter very useful. I particularly liked the idea of overall structure and quality of contents in the book which relate to both a casual and an advanced reader!
The book is structured into four Parts:
Part I focuses on laying the foundation for the rest of the book. It achieves this purpose by talking about the Enterprise and SP network fundamentals. This also includes day-in-the-life-of-a-packet through various router switching mechanisms. Chapter 2 re-hashes the network security/threat models but does a nice job of dividing it into various aspects of architectures including various IP VPNs scenarios.
For an advanced reader, this should serve as a nice refresher!
Part II introduces you to the real meat of router security, i.e., securing the router planes in both IP and MPLS networks. The authors do a good job of describing the details of each component. Chapters in this section contain working details and IOS configuration snippets to enhance the understanding of various concepts discussed. An advanced user will find all the details given here very useful, and prefer to read them cover to cover.
Part III walks you through various case studies to further the concepts explained in the prior chapters. I particularly like the idea of covering both Enterprise and SP case studies. It provides use cases, application examples, and best practices guidelines for the key concepts discussed in the whole book.
In Part IV, I very much like the idea of not just copying and pasting the headers as-is, but rather adding the security implications of each and putting them into context. Cisco IOS to IOS-XR Security transition is also useful, although mostly to an SP audience.
This book discusses security as in Router planes for both IP and MPLS VPNs Security. A few times you can notice that authors are repeating themselves.
Overall, I strongly recommend this book to all network security engineers as MPLS (due to its inherent advantages and applications) is gaining momentum not only in the service provider space but also in the enterprise market segment.