The document discusses securing the management, control, and data planes of a network. It describes: 1. Securing the management plane through strong passwords, encrypted protocols like SSH, user authentication using AAA, role-based access control, logging, and network time protocol. 2. Securing the control plane using control plane policing and protection to minimize CPU load and protect against denial of service attacks. 3. Securing the data plane using access control lists, antispoofing features, port security, DHCP snooping, dynamic ARP inspection, and IP source guard to filter traffic and prevent spoofing and man-in-the-middle attacks.

1. SECURING MANAGEMENT, CONTROL
& DATA PLANE
Security | www.netprotocolxpert.in

2. Management Plane
• The management plane performs management functions for a network and coordinates functions
among all the planes (management, control, data). The management plane also is used to
manage a device through its connection to the network.
• Examples of protocols processed in the management plane are Simple Network Management
Protocol (SNMP), Telnet, HTTP, Secure HTTP (HTTPS), and SSH. These management protocols are
used for monitoring and for CLI access. Restricting access to devices to internal sources (trusted
networks) is critical.
• There are many methods you can manage a device “VTY, AUX, and Console” lines and ports and
you should do your best to keep access through it more secure as you can among some procedures
such as :-

3. • Strong passwords
• Make passwords very difficult to break, An attacker can break a password in several ways,
including a dictionary and/or a brute force attack. In addition to this, you should use the
encrypted password “enable secret” instead of plain text password “enable password”; Enable
secrets are hashed using the MD5 algorithm. Also, work on enforcing password policy,
including features such as maximum number of login attempts and minimum password
length.
• Encrypted management protocols
• Undoubtedly, accessing devices through “Telnet or HTTP” is not secure anymore as the
password sent in plain text, so encrypted communications should be used, such as Secure
Shell (SSH) or HypertextTransfer Protocol Secure (HTTPS).
• User authentication and AAA
• AAA stands for Authentication, Authorization and Accounting.
In large networks it isn’t logic to depend on the local user database for authenticating users.
The goal of AAA is to identify who users are before giving them any kind of access to the network, and
once they are identified, only give them access to the part they are authorized to use, see, or manage.
Cisco provides many ways to implement AAA services for Cisco devices, such as ACS server, TACACS
server, or RADIUS server and we will cover this point in more details at our next sessions.

4. • Role-based access control (RBAC)
• With RBAC, we can create a role (like a group) and assign that role to the users who will be
acting in that role. With the role comes the permissions and access. Ways to implement RBACs
include using Access Control Server (ACS) and CLI parser views.
• Logging
• Logging is a way to create an audit trail, Logging may be done in many different
ways, logging includes not only what administrators have changed or done, but also system
events that are generated by the router or switch because of some problem that has occurred
or some threshold that has been reached. This logging information may be sent to a syslog
server. SNMP one of the most important protocols can be used here.
• Network Time Protocol (NTP)
• NTP is a protocol which is used widely in networking industry to synchronize the clocks of
network infrastructure devices (Servers, Routers, Switches, Computers) over a network, This
becomes very important to correlate logs between devices in case there is ever a breach and
you need to reconstruct (or prove in a court of law) what occurred.

5. 1. How to enable SSH to access a router or switch
• To enable SSH on a router or switch, the following items need to be in place:
• Hostname other than the default name of router.
• Domain name.
• Generating a public/private key pair, used behind the scenes by SSH.
• Requiring user login via the vty lines, instead of just a password. Local authentication or
authentication using anACS server are both options.
• Having at least one user account to log in with, either locally on the router, or on anACS server.

6. 2. User Authentication with AAA
• There are two models to implement AAA server:-
1. Self-ContainedAAA
• AAA services in this model is a self-contained in the router. It is also known as local authentication.
1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using the local database and the user is
authorized to access the network based on information in the local database.

7. 2. Server-Based AAA
• Uses an external database server to authenticate the username/Password.
1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using a remote AAA server.
4. The user is authorized to access the network based on information on the remote AAA Server.
• There are many names and access methods associated with the central server, including calling it an
authentication server, AAA server, ACS server,TACACS server, or RADIUS server.
• The following list describes a few of these centralized server types:
1. Cisco Secure ACS Solution Engine: It’s a server appliance with the Access Control Server (ACS) software
preinstalled, Cisco ACS uses the two distinct protocols for AAA services RADIUS &TACACS+.
2. Cisco Secure ACS for Windows Server: This software package may be used for user and administrator
authentication, AAA services on the router contact an external Cisco Secure ACS (running on a Microsoft
Windows system).

8. Securing Control Plane
• Control plane packets are network device–generated or received packets that are used for
the creation and operation of the network itself.
• From the perspective of the network device, control plane packets always have a receive
destination IP address and are handled by the CPU in the network device route processor.
Some examples of control plane functions include routing protocols (for example, BGP,
OSPF, EIGRP), as well as protocols like Internet Control Message Protocol (ICMP) and the
Resource Reservation Protocol (RSVP).
• So, The fateful issue to protect the control plane is minimizing the amount of CPU load as
much as we can.

9. Some of the packets and traffic which handled by the CPU:
• Receive adjacency traffic: This indication is for any IP address that requires direct handling
by the Cisco device CPU which is refereed by the term receive in the show ip cef command-
line interface (CLI) output.
• Access control list (ACL) logging: The log and log-input options apply to an ACL entries and
cause packets that match the ACL entry to be logged.
• Unicast Reverse Path Forwarding (uRPF): Security feature works by enabling a router to verify
the reachability of the source address in packets being forwarded.
• IP options: Any IP packets with options included must be processed by the CPU.
• Fragmentation: Any IP packet that requires fragmentation must be passed to the CPU for
processing.

10. • Time-To-Live (TTL) expiry: Packets that have aTTL value less than or equal to 1.
• Traffic requiring an ARP request: Destinations for which an ARP entry does not exist require
processing by the CPU.
• Non-IP traffic: All non-IP traffic is processed by the CPU.
• Through the use of control plane policing (CoPP) and control plane protection (CPPr) we can
secure the control plane.

11. Control Plane Policing(CoPP):
• It’s a feature designed to allow users to manage the flow of traffic handled by the router
processor of their network devices.
• Control plane policing can be performed through the use of granular classification ACLs and
the use of the show policymap control-plane command to display it.
Benefits of Control Plane Policing
• Configuring the Control Plane Policing feature on your Cisco router or switch provides the
following benefits:
• Protection against DoS attacks at infrastructure routers and switches.
• QoS control for packets that are destined to the control plane of Cisco routers or switches.
• Ease of configuration for control plane policies.
• Better platform reliability and availability

12. • In below example we are about permit only the BGP and OSPF and discard any ip packet has a
ttl less than 2 to reach the Cisco device CPU.

13. Control Plane Protection(CPPr):
• The Control Plane Protection feature is an extension of the policing functionality provided by
the existing Control-plane Policing feature.The Control-plane Policing feature allows Quality
of Service (QoS) policing of aggregate control-plane traffic destined to the route processor.
• Additionally , the CPPr feature provides the following:
• Port-filtering feature: Enables the policing and dropping of packets that are sent to closed or non-
listeningTCP or UDP ports.
• Queue-thresholding feature: Limits the number of packets for a specified protocol that are allowed in
the control-plane IP input queue.
• For more details about this technique, you can refer to below link.
http://www.cisco.com/c/en/us/about/security-center/understanding-cppr.html

14. Securing Data Plane
• Data plane is the name of the router/switch part which responsible to handle traffic that is
being forwarded through the network (sometimes called transit traffic), so it sometimes data
plane called as a forwarding plane.
• Data Plane is taking charge of Forward traffic to the next hop along the path to the selected
destination network according to control plane logic.
• Actually, the routers/switches use what the control plane built to dispose of incoming and
outgoing frames and packets.
• A failure of some component in the data plane results in the customer’s traffic not being able
to be forwarded. Other times, based on policy, you might want to deny specific types of traffic
that is traversing the data plane.

16. Securing the Data plane
• NowWe are about cover the methods available for implementing policy related to traffic
allowed through (transit traffic) network devices . As mentioned, For the data plane, this
discussion concerns traffic that is going through your network device.
• There are some ways to control and protect data plane-
• Access Control list (ACL) used for filtering
ACLs are used to secure the data plane in a variety of ways such as Block unwanted traffic or
users, reduce the chance of DoS attacks, mitigate spoofing attacks and Provide bandwidth control.
• Antispoofing
IP spoofing is a technique of generating IP packets with a source address that belongs to someone
else, Features such as Unicast Reverse Path Forwarding (uRPF) can be used to complement the
antispoofing strategy.

17. • Port security
To prevent MAC address spoofing and MAC address flooding attacks which occur when a
switch has no more room in its tables for dynamically learned MAC addresses, there is the
possibility of the switch not knowing the destination Layer 2 address (for the user’s frames)
and forwarding a frame to all devices in the sameVLAN.This might give the attacker the
opportunity to eavesdrop.
• DHCP Snooping
Which enable switch to listen in on DHCP traffic and stop any malicious DHCP packets.
DHCP servers are often used in man in the middle or denial of service attacks for malicious
purposes.

18. • Dynamic ARP inspection (DAI)
It can protect against Address Resolution Protocol (ARP ) spoofing, ARP poisoning (which
is advertising incorrect IP-to-MAC address mapping information), and resulting Layer 2
man-in-the-middle attacks.
DAI is a security feature that validates ARP packets in a network. DAI intercepts, logs, and
discards ARP packets with invalid IP-t o-MAC address bindings.
DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings
stored in a trusted database “DHCP snooping binding database”.
• IP source Guard
This feature helps to prevent IP spoofing, which is when an attacker claims the IP address
of a server or device on your network. By pretending to be that device, the attacker could
potentially direct sensitive data towards a port he’s connected to.
Also, source guard relies on a switch’s knowledge of DHCP-assigned host
addresses “DHCP snooping binding database” in order to validate and restrict spoofed
source addresses.