Examining the Cisco Network Foundation Protection Strategy
Network Platform Security with Routers
© 2008 Cisco Systems, Inc. All rights reserved. SNRS v3.0—2-1
What Has Changed in the World of Security?
A secure infrastructure is now assumed.
The Internet has changed from an environment of trust to one of distrust.
– No packet can be trusted.
– All packets earn trust through network device inspection.
– It is no longer enough to forward traffic. Packets often need to be marked and classified.
Availability requirements have increased.
Securing the Router Plane-by-Plane
Continuous service delivery requires a methodical approach to protecting router planes.
Cisco Network Foundation Protection covers three planes:
– Data plane: ability to forward data
– Control plane: ability to route
– Management plane: ability to manage
Service delivery: network availability and performance
Cisco Network Foundation Protection
Protects infrastructure and enables continuous service delivery
Data Plane
– Detects traffic anomalies and responds to attacks in real time
– Technologies: NetFlow, IP source tracker, ACLs, uRPF, RTBH, FPM, QoS
Control Plane
– Defense-in-depth protection for the routing control plane
– Technologies: Receive ACLs, control plane policing, routing protection
Management Plane
– Secure and continuous management of Cisco IOS network infrastructure
– Technologies: CPU and memory thresholding, dual export syslog
[Figure: Customer, Service Provider Core, and Internet segments, with the data plane tools applied at each edge (NetFlow, IP source tracker, ACLs, uRPF, RTBH, QoS tools, encryption) and Control Plane and Management Plane Protection across the core]
Cisco Network Foundation Protection Services and Benefits

Plane              Cisco IOS Service             Benefit
Data plane         NetFlow                       Provides macro-level, anomaly-based DDoS detection
                   IP source tracker             Identifies the source interface from which an attack is coming
                   ACL                           Protects edge routers from malicious traffic
                   uRPF                          Mitigates problems from malformed or spoofed IP source addresses
                   RTBH                          Drops packets based on source IP address
                   QoS tools                     Protects against flooding attacks
Control plane      Receive ACLs                  Controls the type of traffic that can be forwarded to the processor
                   Control plane policing        Provides QoS control for packets destined to the control plane of the routers
                   Routing protection            MD5 neighbor authentication protection; redistribution protection; overload protection
Management plane   CPU and memory thresholding   Protects CPU and memory resources against DoS attacks
                   Dual export syslog            Exports syslog to dual collectors
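As an added example that is not part of the course material, the following Cisco IOS configuration applies one control from each plane of the table above: an ingress ACL and strict uRPF on the data plane, control plane policing (CoPP) on the control plane, and CPU/memory thresholding with dual syslog export on the management plane. The interface name, customer prefix and management/collector addresses (RFC 5737 documentation ranges) are constructed assumptions.

```cisco
! Constructed example: interface names and addresses (RFC 5737 ranges) are assumptions
! --- Data plane: ingress ACL plus strict uRPF on the customer-facing edge
ip access-list extended EDGE-IN
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.252
 ip access-group EDGE-IN in
! strict uRPF: the source must be reachable back through this same interface
 ip verify unicast source reachable-via rx
!
! --- Control plane: CoPP rate-limits traffic punted to the route processor
ip access-list extended COPP-MGMT
 permit tcp host 192.0.2.10 any eq 22
 permit udp host 192.0.2.10 any eq snmp
ip access-list extended COPP-ROUTING
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit ospf any any
!
class-map match-all CM-MGMT
 match access-group name COPP-MGMT
class-map match-all CM-ROUTING
 match access-group name COPP-ROUTING
!
policy-map PM-COPP
 class CM-ROUTING
  police 256000 conform-action transmit exceed-action transmit
 class CM-MGMT
  police 64000 conform-action transmit exceed-action drop
 class class-default
  police 32000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input PM-COPP
!
! --- Management plane: CPU/memory thresholds and dual syslog export
process cpu threshold type total rising 80 interval 5 falling 20 interval 5
memory free low-watermark processor 20000
logging host 192.0.2.10
logging host 192.0.2.11
logging trap informational
```

Once applied, show policy-map control-plane reports per-class conform and exceed counters for the CoPP policy, and show ip interface GigabitEthernet0/1 reports the uRPF drop count, which is where a defender looks first when spoofed traffic or a control-plane flood is suspected.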
Cisco AutoSecure
router#
auto secure [management | forwarding] [no-interact | full] [ntp | login | ssh | firewall | tcp-intercept]
Launches Cisco AutoSecure.
If you enter the full parameter, you are presented with the following main steps:
– Identify outside interfaces
– Secure the management plane
– Create a security banner
– Configure passwords, AAA, and SSH
– Secure the interface settings
– Secure the forwarding plane
Supported Platforms
– Cisco 800 Series Routers
– Cisco 1800 Series Integrated Services Routers
– Cisco 2800 Series Integrated Services Routers
– Cisco 3800 Series Integrated Services Routers
– Cisco Catalyst 6500 Series Switches
– Cisco 7200 Series Routers
– Cisco 7600 Series Routers
Summary
– The features of Cisco Network Foundation Protection provide a strategy for infrastructure protection.
– Cisco Network Foundation Protection controls the risk incurred from interconnected global networks.
– Cisco AutoSecure allows you to choose which router components to secure.
– Cisco integrated services routers support the Cisco Network Foundation Protection feature set for device-level protection.