Professional Documents
Culture Documents
I. Foundation Topics
II. Using Network Foundation Protection to Secure Networks
1. How to harden the network to maintain the control, data, and management planes to
keep the network healthy.
4. Interdependence
1. A failure of the control plane could result a lack of routing updates which would
result in some traffic not being able to be forwarded by the data plane. A failure in
the management plane could result in an attacker gaining access to maliciously
configure a router causing a failure in both control and data planes.
5. Implementing NFP
1. Secure measures that can be used for secure each plane:
Table 4-2 Components of a Threat Control and Mitigation Strategy
Plane
Security Measures
Protection Objectives
Management
Plane
Control Plane
-Control Plane Policing (CoPP) -The control plane tools can be implemented to
and Control Plane Protection
limit the damage an attacker can attempt to
(CPPr)
implement directly at the router's IP address (traffic
addressed directly to the router, which the router
must spend CPU resources to process).
-Authenticated routing protocol -Routing protocol updates should be authenticated
updates
to remove the possibility of an attacker
manipulating routing tables by putting a rogue
router running the same routing protocol on your
network. The attacker could be doing
reconnaissance to learn the routes, or the attacker
could be attempting to manipulate the resulting data
plane by changing the routing on the network.
Data plane
-IOS IPS, Zone-Based Firewall -Firewall filtering and services can also control
exactly what traffic is flowing through your
network. An example is using an IOS Zone-Based
Firewall to implement policy about the data plane
and what is allowed
Control plane policing. You can configure this as a filter for any traffic destined to an
IP address on the router itself. For example, you can specify that management traffic,
such as SSH/HTTPS/SSL and so on, can be rate-limited (policed) down to a specific
level. This way, if an attack occurs that involves an excessive amount of this traffic,
the excess traffic above the threshold set could simply be ignored and not have to be
processed directly by the CPU. Another way to think of this is as applying quality of
service (QoS) to the valid management traffic and policing to the bogus management
traffic.
This is applied to a logical control plane interface (not directly to any Layer 3
interface) so that the policy can be applied globally to the router.
CPPr
Control plane protection. This allows for a more detailed classification of traffic
(more than CoPP) that is going to use the CPU for handling. The three specific
subcategories that can be classified are traffic to one of the physical or logical
interfaces of the router, certain data plane traffic that requires CPU intervention
before forwarding (such as IP options), and Cisco Express Forwarding (CEF)
exceptions (traffic related to network operations, such as keepalives or packets with
Time-To-Live (TTL) mechanisms that are expiring) that have to involve the CPU.
The benefit of CPPr is that you can rate-limit and filter this type of traffic with a
more fine-toothed comb than CoPP.
This is also applied to a logical control plane interface, so that regardless of the
logical or physical interface the packets come in on, the router processor can still
have the protection.
Routing
protocol
authentication
There are many types of ACLs and many ways to apply them for filtering. Note that an
ACL can be used as a classification mechanism used in other features, such as an IOS
firewall, identifying traffic for control plane protection, identifying who is allowed to
connect to a vty line, where SNMP is allowed, and so on. In the discussion of
protecting the data plane, we focus primarily on ACLs applied directly to interfaces for
the purpose of filtering.
IOS firewall
support
The firewall features on an IOS router have grown over the years. The older
technology for implementing a firewall on IOS routers was called context-based access
control (CBAC). CBAC has been replaced with the more current Zone-Based Firewall
on IOS.
IOS IPS
TCP
Intercept
This tool allows the router to look at the number of half-formed sessions that are in
place and intervene on behalf of the destination device. This can protect a destination
device from a SYN-flood attack that is occurring on your network. The Zone-Based
Firewall on an IOS router includes this feature.
Unicast
Unicast Reverse Path Forwarding (uRPF) can mitigate spoofed IP packets. When this
Reverse Path feature is enabled on an interface, as packets enter that interface the router spends an
Forwarding extra moment considering the source address of the packet. It then considers its own
routing table, and if the routing table does not agree that the interface that just received
this packet is also the best egress interface to use for forwarding to the source address
of the packet, it then denies the packet.
This is a good way to limit IP spoofing.
1-3
4-5
6-8
9-10
1. Which of the following is not a core element addressed by NFP (network foundation
protection)?
a. Management plane
b. Control plane
c. Data plane
d. Executive plane
2. If you add authentication to your routing protocol so that only trusted authorized
routers share information, which plane in the NFP are you securing?
a. Management plane
b. Control plane
c. Data plane
d. Executive plane
3. If you use authentication and authorization services to control which administrators
can access which networked devices and control what they are allowed to do, which
primary plane of NFP are you protecting?
a. Management plane
b. Control plane
c. Data plane
d. Executive plane
4. Which of the following is not a best practice to protect the management plane?
(Choose all that apply.)
a. HTTP
b. Telnet
c. HTTPS
d. SSH
5. Which of the following is a way to implement role-based access control related to
the management plane? (Choose all that apply.)
a. Views
b. AAA services
c. Access lists
d. IPS
6. What do CoPP and CPPr have in common? (Choose all that apply.)
a. They both focus on data plane protection
b. They both focus on management plane protection
c. They both focus on control plane protection
d. They both can identify traffic destined for the router that will likely require
direct CPU resources to be used by the router
7. Which type of attack can you mitigate by authenticating a routing protocol? (Choose
all that apply.)
a. Man-in-the-middle attack
b. Denial-of-service attack
c. Reconnaissance attack
d. Spoofing attack
8. What is a significant difference between CoPP and CPPr?
a. One works at Layer 3, and the other works at Layer 2
b. CPPr can classify and act on more-specific traffic than CoPP
c. CoPP can classify and act on more-specific traffic than CPPr
d. One protects the data plane and the other protects the management plane
Page
Number
List
52
Table 4-2
53
List
55
Table 4-3
57
Table 4-4
58
List
59
List
59
Interface
Select the interface that is used to reach the configured server from the
drop-down list of available interfaces.
Authentication
Key
Enter a number for the authentication key used between the ASA device and the
NTP server.
Trusted
Select this option to confirm that this authentication key is trusted. For
authentication to function correctly, this box must be checked.
Key Value
Re-Enter Key
Value
Table 4-4 Cisco AnyConnect Profile Editor Certificate Enrollment Fields and Values
Field
Value
Certificate Enrollment
Checked = enabled.
Unchecked = disabled. (For our example, this option is selected.)
Certificate Expiration
Threshold
Enter the FQDN of the ASA, followed by the name of the connection profile
set up only for enrollment. The two values
should be separated by a slash. (In our configuration for this
task, we have entered ccnp.vpn.lab/enrollment.) When the AnyConnect client sees a connection attempt to this host and connection profile,
the SCEP process begins.
CA URL
As you saw earlier, SCEP has two modes available for client authentication. Check this box if you are using pre-shared key authentication and want your clients to enter a password when
prompted during the certificate request phase.
Thumbprint
If you have chosen to use message digest authentication (Manual mode) rather than pre-shared keys, you can enter the
thumbprint generated by the client here. (For our example, we
have chosen pre-shared key authentication, so this field is left
blank [default].)
Certificate Contents
Name (CN)
Certificate Contents
Department (OU)
Enter the department of the connecting user for entry into the
certificate. For our example, we entered Support.
Certificate Contents
Company (O)
Enter the company of the user for entry into the certificate. For
our example, we entered LAB.
Certificate Contents
State (ST)
Enter the state of the user for entry into the certificate.
Certificate Contents
Country (UK)
Enter the country of the user for entry into the certificate. For
our example, we entered UK.
Certificate Contents
Email (EA)
Enter the users email address for entry into the certificate.
Certificate Contents
Domain (DC)
Certificate Contents
Surname (SN)
Certificate Contents
GivenName (GN)
Enter the users first name for entry into the certificate.
Certificate Contents
UnstructName (N)
Use this field to enter any other name the user may be known
by (for example, a nickname) for entry into the certificate.
Certificate Contents
Initials (I)
Certificate Contents
Qualifier (GEN)
Use this field to enter the generation of the user (for example,
Jr.) for entry into the certificate.
Certificate Contents
Qualifier (DN)
Enter a qualifier (version) for the entire DN string for entry into
the certificate.
Certificate Contents
City (L)
Enter the city where the user resides for entry into the certificate.
Certificate Contents
Title (T)
Enter the users title (for example, Mr, Mrs, Miss, Dr) for entry
into the certificate.
Certificate Contents
CA Domain
Use this field to enter the domain of the CA server. (For example, our entry would be vpn.lab.)
Certificate Contents
Key Size
Select the key size you require to be used for client key generation used with the certificate file (for example, 512, 1024,
2048).
Display Get Certificate Check this box to enable the display of the Get Certificate butButton
ton to users if you want to enable them to manually request a
certificate. However, if using an automatic process with a dedicated VPN tunnel, it is generally recommended not to enable
this function because the Get Certificate button will become
available to users as their certificate approaches its validity date
or becomes valid, allowing them to request a certificate directly
outside of a VPN tunnel.
Data plane
The firewall features on an IOS router have grown over the years. The
older technology for implementing a firewall on IOS routers was called
context-based access control (CBAC). CBAC has been replaced with the
more current Zone-Based Firewall on the IOS.
IOS IPS
TCP Intercept
This tool allows the router to look at the number of half-formed sessions
that are in place and intervene on behalf of the destination device. This
can protect against a destination device from a SYN-flood attack that is
occurring on your network. The Zone-Based Firewall on an IOS router
includes this feature.
Unicast
Reverse Path
Forwarding
management plane control plane data plane NFP Unicast Reverse Path Forwarding -