Lecture CCNA security partner - Chapter 3: Network Foundation Protection and Cisco Configuration Professional



Document information

This chapter deals with Cisco IOS Network Foundation Protection (NFP) as a framework for infrastructure protection, all its components, and commonly used countermeasures as found in Cisco IOS devices. More precisely, this chapter differentiates the security measures to be implemented on the three conceptual planes of Cisco IOS devices: the control plane, the data plane, and the management plane. This chapter also discusses using Cisco Configuration Professional (CCP) to implement security controls on Cisco IOS routers.

Network Foundation Protection and Cisco Configuration Professional
© 2012 Cisco and/or its affiliates. All rights reserved.

Threats Against the Network Infrastructure
• Cisco Network Foundation Protection (NFP) provides an umbrella strategy for infrastructure protection by encompassing Cisco IOS security features

Cisco NFP Framework

Some Components of Cisco NFP

Some of Cisco NFP in a Network

Control Plane Security
Goal of CoPP: Treat the CPU as an Interface
• Control Plane Policing (CoPP) is a Cisco IOS feature that lets administrators manage the flow of traffic handled by the route processor of their network devices

Cisco AutoSecure
Cisco AutoSecure allows two modes of operation:
• Interactive mode: Prompts users to select their own configuration of router services and other security-related features
• Noninteractive mode: Configures security-related features of the router based on a set of Cisco defaults
Cisco AutoSecure protects the router functional planes by doing the following:
• Disabling often unnecessary and potentially insecure global services
• Enabling certain services that help further secure often necessary global services
• Disabling often unnecessary and potentially insecure interface services, which can be configured on a per-interface level
• Securing administrative access to the router
• Enabling appropriate security-related logging

Cisco AutoSecure Protection for All Three Planes

Secure Management and Reporting

Role-Based Access Control

Deploying AAA
• AAA servers are typically used as a central repository of authentication credentials (the users: "who is trying to access the device?"), authorization rules (what users are allowed to do), and accounting logs (what users actually did)

Data Plane Security
Among the many ways to protect the data plane, some that this book covers include:
• Access control lists
• Private VLANs
• Firewalling
• Intrusion Prevention System (IPS)

Access Control List Filtering
The following are the most common reasons to use ACLs:
• Block unwanted traffic or users
• Reduce the chance of DoS attacks against internal devices
• Mitigate spoofing attacks
• Provide bandwidth control
• Classify traffic to protect other planes

Antispoofing

Layer 2 Data Plane Protection
Data plane protection mechanisms depend on feature availability for specific devices. In a switching infrastructure, these integrated Cisco Catalyst security capabilities provide data plane security on the switches:
• Port security prevents MAC flooding attacks
• DHCP snooping prevents client attacks on the DHCP server and switch
• Dynamic ARP Inspection (DAI) adds security to ARP by using the DHCP snooping binding table to minimize the impact of ARP poisoning and spoofing attacks
• IP Source Guard prevents IP address spoofing by using the DHCP snooping binding table

Cisco Configuration Professional

CCP Initial Configuration

Command to Provision a Deployed Device with CCP Support

Using CCP to Harden Cisco IOS Devices

Security Audit Tools
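The AutoSecure, Deploying AAA and "Command to Provision a Deployed Device with CCP Support" slides all touch the management plane, so one configuration serves the three. This is an added example, not the output of `auto secure` and not text from the slides: it hand-applies the kind of global and per-interface service changes AutoSecure makes, adds AAA with a local fallback, and finishes with the HTTPS and privilege-15 login that CCP needs to manage the router. The hostname, domain, TACACS+ server 10.1.1.10, management subnet 10.1.1.0/24, account names and secrets are all assumptions.

```cisco
! Added example (not from the slides, not generated by AutoSecure).
! --- Global services of the kind AutoSecure disables or enables ---
no service pad
no service finger
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no ip identd
no ip source-route
no cdp run
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
logging buffered 16384
logging console critical
login block-for 120 attempts 3 within 60
login on-failure log
!
! --- Per-interface services AutoSecure turns off on each interface ---
! Caveat: "no ip unreachables" also suppresses fragmentation-needed messages,
! which can break path MTU discovery through this router; decide per interface.
interface GigabitEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
!
! --- Administrative access: SSH only, AAA against TACACS+ with local fallback ---
hostname R1
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
enable secret Str0ng-Enable-S3cret
! Local account (assumed name) used if the TACACS+ server is unreachable and by CCP
username ccpadmin privilege 15 secret Str0ng-Admin-S3cret
aaa new-model
tacacs server TAC1
 address ipv4 10.1.1.10
 key TacacsSharedKey
aaa group server tacacs+ TAC-GROUP
 server name TAC1
! who: authentication / what they may do: authorization / what they did: accounting
aaa authentication login default group TAC-GROUP local
aaa authorization exec default group TAC-GROUP local
aaa accounting exec default start-stop group TAC-GROUP
aaa accounting commands 15 default start-stop group TAC-GROUP
!
access-list 10 remark Hosts allowed to manage the router
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny   any log
line vty 0 4
 access-class 10 in
 transport input ssh
 exec-timeout 10 0
!
! --- What CCP needs: HTTPS (plain HTTP stays off) and a privilege-15 login ---
no ip http server
ip http secure-server
ip http authentication aaa
ip http access-class 10
```

Two checks are worth doing after applying this: log in over SSH from a second session before closing the one you configured from (a wrong `aaa authentication login` line locks you out), and confirm with `show ip http server status` that only the secure server is listening. If AAA is not yet in use, CCP's own provisioning uses `ip http authentication local` together with the privilege-15 username instead of the `aaa` method.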
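The Antispoofing slide and the "Mitigate spoofing attacks" bullet under ACL filtering are usually implemented together on the edge router: an ingress ACL that drops packets whose source address cannot legitimately arrive on that interface, an egress ACL that only lets the site's own addresses out, and unicast RPF as a routing-table-driven backstop. The following is an added example, not configuration from the slides; the interface name, the uplink address 198.51.100.2/30 and the site's public block 203.0.113.0/24 are assumptions.

```cisco
! Added example (not from the slides). Assumed: GigabitEthernet0/0 is the single
! Internet uplink and 203.0.113.0/24 is the site's own public address block.
ip cef
!
ip access-list extended ANTISPOOF-IN
 remark Packets from the Internet must never claim our own addresses
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark Private, loopback, link-local, unspecified and multicast sources (RFC 1918 / RFC 6890)
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 permit ip any any
!
ip access-list extended ANTISPOOF-OUT
 remark Only our own addresses may leave: stops this site from sourcing spoofed floods
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Internet uplink
 ip address 198.51.100.2 255.255.255.252
 ip access-group ANTISPOOF-IN in
 ip access-group ANTISPOOF-OUT out
 ! Strict uRPF: drop packets whose source is not routed back out this interface.
 ! allow-default is required here because Internet sources are only reachable
 ! via the default route; without it strict mode would drop all inbound traffic.
 ip verify unicast source reachable-via rx allow-default
```

Two caveats a practitioner should keep in mind. First, every `log` keyword punts the matching packet to the CPU, so during a spoofed flood the ACL itself becomes a control-plane load; keep `log` only while validating the policy, or protect the CPU with CoPP. Second, strict uRPF (`reachable-via rx`) is only safe where routing is symmetric; on a multi-homed edge use loose mode (`reachable-via any`) instead, or legitimate traffic arriving on the "wrong" uplink will be dropped. `show ip interface GigabitEthernet0/0` reports the uRPF drop counter, and `show access-lists` the per-entry hit counts.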
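The four Catalyst features on the Layer 2 Data Plane Protection slide depend on one another: DHCP snooping builds the binding table, and both DAI and IP Source Guard consult that table, so they must be enabled in that order and the trusted/untrusted port split must be right or the switch will block the DHCP server itself. The following is an added example, not configuration from the slides; VLAN 10 as the user VLAN, GigabitEthernet0/1 as the uplink toward the DHCP server and GigabitEthernet0/2 - 24 as access ports are assumptions.

```cisco
! Added example (not from the slides). Assumed: VLAN 10 is the user VLAN,
! Gi0/1 is the uplink toward the DHCP server, Gi0/2 - 24 are user access ports.
!
! 1. DHCP snooping: builds the IP/MAC/port binding table the other features rely on
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is off because many non-Cisco DHCP servers reject it
no ip dhcp snooping information option
!
! 2. Dynamic ARP Inspection: ARP replies must match a snooping binding
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Ports that get err-disabled by rate limits recover on their own after 5 minutes
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! 3. The only trusted port: DHCP offers and unchecked ARP may arrive here
interface GigabitEthernet0/1
 description Uplink toward distribution and the DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! 4. User ports: untrusted, rate-limited, MAC-limited, source-IP checked
interface range GigabitEthernet0/2 - 24
 description User access ports
 switchport mode access
 switchport access vlan 10
 ! Port security: stops MAC flooding by capping learned addresses per port
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ! Cap DHCP and ARP packet rates from the client side
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ! IP Source Guard: only source IPs present in the snooping binding table may send
 ip verify source
 spanning-tree portfast
 spanning-tree bpduguard enable
```

Verify with `show ip dhcp snooping binding` (a host that got its lease before snooping was enabled has no binding and will be blocked by IP Source Guard until it renews), `show ip arp inspection statistics vlan 10` for dropped ARP, `show port-security interface GigabitEthernet0/2` for violation counts, and `show ip verify source` for the active filters. Hosts with static addresses need an explicit `ip source binding` entry or they will be cut off.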

Posted: 30/01/2020, 11:51

Table of contents

  • Slide 1

  • Threats Against the Network Infrastructure

  • Cisco NFP Framework

  • Some Components of Cisco NFP

  • Some of Cisco NFP in a Network

  • Control Plane Security

  • Cisco AutoSecure

  • Cisco AutoSecure Protection for All Three Planes

  • Secure Management and Reporting

  • Role-Based Access Control

  • Deploying AAA

  • Data Plane Security

  • Access Control List Filtering

  • Antispoofing

  • Layer 2 Data Plane Protection

  • Cisco Configuration Professional

  • CCP Initial Configuration

  • Command to Provision a Deployed Device with CCP Support

  • Using CCP to Harden Cisco IOS Devices

  • Slide 20
