This chapter deals with Cisco IOS Network Foundation Protection (NFP) as a framework for infrastructure protection, all its components, and commonly used countermeasures as found in Cisco IOS devices. More precisely, this chapter differentiates the security measures to be implemented on the three conceptual planes of Cisco IOS devices: the control plane, the data plane, and the management plane. This chapter also discusses using Cisco Configuration Professional (CCP) to implement security controls on Cisco IOS routers.
© 2012 Cisco and/or its affiliates. All rights reserved.
Threats Against the Network Infrastructure

• Cisco Network Foundation Protection (NFP) provides an umbrella strategy for infrastructure protection by encompassing Cisco IOS security features.

Table 3-1 Common Issues for Network Infrastructure (table only partially recoverable from the slide; the visible entries are: multiple categories of attacks; denial of service attacks; slow or unresponsive management sessions)
Cisco NFP Framework

Figure 3-1 Device Planes (figure: the management plane carries management sessions, the control plane carries the exchange of routing information, and the data plane carries incoming IP traffic)
Some Components of Cisco NFP

(table only partially recoverable from the slide; the visible entries are: traffic classification; role-based access control (RBAC) for the command line; authentication, authorization, and accounting (AAA), described as a comprehensive framework for RBAC; security device platforms; Layer 2 controls such as STP guards and others)
Some of Cisco NFP in a Network

(figure: applied to all devices, secure management and reporting; on the switching layer, Layer 2 controls and ACL filtering; on the routing layer, routing protocol authentication; on the control plane, CoPP and rate limiting)
Control Plane Security

(figure: control plane protocols are handled either in the data path or at process level; the goal of CoPP is to treat the CPU as an interface, such as GigabitEthernet0/1 is)

• Control Plane Policing (CoPP) is a Cisco IOS feature designed to allow users to manage the flow of traffic that is handled by the route processor of their network devices. CoPP treats the CPU as an interface, so a single MQC policy attached to the control plane classifies and polices everything that is punted to the route processor.
• Control Plane Protection (CPPr) extends CoPP by subdividing CPU-bound traffic into three queues (the host, transit, and CEF-exception subinterfaces) that can be policed individually.
Cisco AutoSecure

Cisco AutoSecure allows two modes of operation:
• Interactive mode: Prompts users to select their own configuration of router services and other security-related features
• Noninteractive mode: Configures security-related features of the router based on a set of Cisco defaults

Cisco AutoSecure protects the router functional planes by doing the following:
• Disabling often unnecessary and potentially insecure global services
• Enabling certain services that help further secure often necessary global services
• Disabling often unnecessary and potentially insecure interface services, which can be configured on a per-interface level
• Securing administrative access to the router
• Enabling appropriate security logging
Cisco AutoSecure Protection for All Three Planes

Plane | What AutoSecure does
Control plane | Disables often unnecessary and potentially insecure global services (finger, HTTP, Cisco Discovery Protocol, and so on)
Management plane | Secures administrative access to the router (password existence and minimum length, AAA, SSH, and others)
Data plane | Disables often unnecessary and potentially insecure interface services, which can be configured on a per-interface level (IP redirects, IP proxy ARP, and others)
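As an added example (not from the original slides), here is the manual equivalent of the per-plane protections AutoSecure applies, laid out so that each setting can be reviewed and kept under change control rather than accepted as a bundle. The hostname R1, domain example.com, the interface name and all secrets are assumed values.

```cisco
! Added example (not from the original slides): the manual equivalent of what
! AutoSecure applies on each plane. Assumed values: hostname R1, domain
! example.com, interface GigabitEthernet0/0, and placeholder secrets.
!
! --- Control plane: global services that are rarely needed and often abused
no service finger
no ip finger
no service pad
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no ip http server
no ip identd
no ip source-route
no cdp run
service tcp-keepalives-in
service tcp-keepalives-out
service password-encryption
!
! --- Management plane: credentials, SSH, login protection, banner
hostname R1
ip domain-name example.com
security passwords min-length 10
enable secret Enabl3-Secret
username admin privilege 15 secret Adm1n-Secret
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
banner motd ^Authorized access only. Activity is monitored and logged.^
line con 0
 exec-timeout 5 0
 login local
line aux 0
 no exec
 transport input none
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
!
! --- Security logging
service timestamps log datetime msec localtime show-timezone
logging buffered 16384 informational
logging console critical
!
! --- Data plane: per-interface services AutoSecure turns off
interface GigabitEthernet0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
```

Two of these lines deserve a conscious decision rather than a default: `no cdp run` removes the discovery protocol that Cisco IP phones and some management tools rely on (disable CDP per interface on untrusted edges instead if that applies), and `no ip unreachables` also suppresses the "fragmentation needed" message that path MTU discovery depends on. This is exactly why running AutoSecure in interactive mode, or reviewing its output before applying it, is preferable to the noninteractive defaults on a production router.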
Secure Management and Reporting

(figure: a protected management network behind a firewall hosts the SNMP server, the syslog server, the configuration management server, and the administrator host (SSH if possible); devices are reached either out of band (OOB) through console ports and private VLANs, or in band over an encrypted management session (VPN) terminated at the firewall)
Role-Based Access Control

(figure not recoverable from the slide)
Deploying AAA

(figure: a client authenticates through the perimeter device to an AAA server)

• AAA servers are typically used as a central repository of authentication credentials (the users, answering the question "who is trying to access the device?"), authorization rules (the "what" users can accomplish), and accounting logs (the "what users did" part of the equation).
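The three preceding slides (secure management and reporting, role-based access control, and AAA) describe pieces of one management-plane design, so the added example below configures them together on a single router. It is not configuration from the original slides. It assumes a TACACS+ server at 10.0.0.10, a combined syslog/NTP server at 10.0.0.20, a management subnet of 10.0.0.0/24, and uses placeholder keys and passwords throughout.

```cisco
! Added example (not from the original slides): management-plane configuration
! combining the AAA server, a role-based CLI view, and secure reporting.
! Assumed values: TACACS+ 10.0.0.10, syslog/NTP 10.0.0.20, management subnet
! 10.0.0.0/24; all keys and passwords are placeholders.
!
! --- AAA: central authentication, authorization and accounting, with a local
! fallback that only applies when the TACACS+ server cannot be reached
aaa new-model
tacacs server TAC1
 address ipv4 10.0.0.10
 key Tac4cs-Shared-Key
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
username admin privilege 15 secret Adm1n-Local-Secret
enable secret Enabl3-Secret
!
! --- Role-based CLI: a read-only OPERATOR view. Views require aaa new-model
! and must be created from the root view (enter it with 'enable view' first).
parser view OPERATOR
 secret Op3rator-View-Secret
 commands exec include show version
 commands exec include show ip interface brief
 commands exec include show ip route
 commands exec include show logging
 commands exec include ping
username operator view OPERATOR secret Op3rator-Login
!
! --- Trustworthy timestamps: authenticated NTP and timestamps on every log line
ntp authentication-key 1 md5 Ntp-Shared-Key
ntp authenticate
ntp trusted-key 1
ntp server 10.0.0.20 key 1
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
!
! --- Reporting: keep a local buffer and ship to the syslog server on the
! protected management network
logging buffered 32768 informational
logging host 10.0.0.20
logging trap informational
!
! --- SNMPv3 with authentication and privacy, read-only, reachable only from
! the management subnet
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
snmp-server view NMS-VIEW iso included
snmp-server group NMS-RO v3 priv read NMS-VIEW access MGMT-HOSTS
snmp-server user nmsuser NMS-RO v3 auth sha Snmp-Auth-Pass priv aes 128 Snmp-Priv-Pass
!
! --- Management sessions: SSH only, from the management subnet only
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
```

Two checks before closing the session that applied this: `show aaa servers` and `test aaa group tacacs+ admin <password> legacy` confirm the server actually answers, and a second SSH login as the operator account (`show parser view` inside it) confirms the view restricts what it should. Command authorization in particular will lock out anyone whose TACACS+ policy does not explicitly permit the commands, so keep the original session open until the new one works.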
Data Plane Security

Among the laundry list of ways to protect the data plane, some that we will see in this book include:
• Access control lists
• Private VLANs
• Firewalling
• Intrusion Prevention System (IPS)
Access Control List Filtering

The following are the most common reasons to use ACLs:
• Block unwanted traffic or users
• Reduce the chance of DoS attacks against internal devices
• Mitigate spoofing attacks
• Provide bandwidth control
• Classify traffic to protect other planes
Antispoofing

(figure: an attacker sends ICMP ECHO packets with a spoofed source address toward a target; countermeasures are RFC 2827 ingress filtering and others)
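The antispoofing slide names RFC 2827 filtering without showing it, and the ACL slide lists "mitigate spoofing attacks" as a reason to use ACLs, so the added example below does both on an Internet edge router. It is not configuration from the original slides. The topology is assumed: GigabitEthernet0/0 faces the ISP, GigabitEthernet0/1 faces the inside network whose only prefix is 203.0.113.0/24, and 203.0.113.10 is a public web server.

```cisco
! Added example (not from the original slides): RFC 2827 style filtering plus
! unicast RPF on an edge router. Assumed: Gi0/0 toward the ISP, Gi0/1 toward an
! inside network of 203.0.113.0/24 with a web server at 203.0.113.10.
ip cef
!
! Inbound from the Internet: drop packets whose source claims to be inside,
! private, loopback, link-local, multicast or unspecified, then apply the
! normal inbound policy.
ip access-list extended EDGE-IN
 deny   ip 203.0.113.0 0.0.0.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip host 0.0.0.0 any
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any 203.0.113.0 0.0.0.255 established
 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
 permit icmp any 203.0.113.0 0.0.0.255 time-exceeded
 permit icmp any 203.0.113.0 0.0.0.255 unreachable
 deny   ip any any
!
! Inbound from the inside: only our own prefix may leave. This is the RFC 2827
! rule; it stops a compromised inside host from sourcing spoofed floods.
ip access-list extended INSIDE-IN
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Internet
 ip access-group EDGE-IN in
 ! Loose-mode uRPF: the source must at least be routable. Safe on a link
 ! where return traffic may take another path.
 ip verify unicast source reachable-via any
!
interface GigabitEthernet0/1
 description Inside
 ip access-group INSIDE-IN in
 ! Strict-mode uRPF: the source must be reachable back out this interface.
 ! Correct for a single-homed LAN; it would drop legitimate traffic behind
 ! asymmetric routing.
 ip verify unicast source reachable-via rx
```

Two caveats a practitioner would want stated: the `established` keyword only looks at TCP flags and is no substitute for the stateful firewalling the data plane slide lists separately, and `deny ip any any log` on a busy interface punts every matching packet to the CPU, which is precisely the traffic a CoPP policy should be rate-limiting. Use `show ip interface GigabitEthernet0/1` (the "IP verify source" line) and `show ip traffic` uRPF drop counters to confirm the filters are doing work.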
Layer 2 Data Plane Protection

Data plane protection mechanisms depend on feature availability for specific devices. In a switching infrastructure, the integrated security capabilities of Cisco Catalyst switches provide data plane security using the following tools:
• Port security prevents MAC flooding attacks
• DHCP snooping prevents client attacks on the DHCP server and switch
• Dynamic ARP Inspection (DAI) adds security to ARP by using the DHCP snooping table to minimize the impact of ARP poisoning and spoofing attacks
• IP Source Guard prevents IP address spoofing by using the DHCP snooping table
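The four controls above depend on one another (DAI and IP Source Guard both consult the binding table that DHCP snooping builds), so the added example below configures them in the order that dependency dictates. It is not configuration from the original slides. The topology is assumed: access VLAN 10, GigabitEthernet0/1 as the trunk toward the DHCP server, FastEthernet0/1 to 0/24 as access ports, and one host with a static address on FastEthernet0/24.

```cisco
! Added example (not from the original slides): Catalyst data-plane controls in
! dependency order. Assumed: access VLAN 10, trunk Gi0/1 toward the DHCP server,
! access ports Fa0/1-24, one static host on Fa0/24.
!
! 1. DHCP snooping first. It builds the binding table that DAI and IP Source
! Guard consult; enabling those first would drop all host traffic.
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is on by default; disable it unless the DHCP server expects it
no ip dhcp snooping information option
!
! 2. Dynamic ARP Inspection, also checking the ARP body against the binding
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! The uplink is the only port trusted for DHCP server replies and unchecked ARP
interface GigabitEthernet0/1
 description Uplink toward DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! 3. Access ports: port security, rate limits, IP Source Guard, BPDU Guard
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ! 4. IP Source Guard: filter source IP and MAC against the snooping binding
 ip verify source port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! A host with a static address has no DHCP binding, so add it explicitly or
! DAI and IP Source Guard will silently drop it
ip source binding 0011.2233.4455 vlan 10 10.1.10.50 interface FastEthernet0/24
!
! Recover err-disabled ports automatically so an attack (or a chatty host) does
! not turn into a permanent outage
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery cause bpduguard
errdisable recovery interval 300
```

Verify with `show ip dhcp snooping binding` (every active host should have an entry), `show ip arp inspection statistics vlan 10` and `show ip verify source` (drops here usually mean a static host without a binding), and `show port-security interface FastEthernet0/1`. The `restrict` violation mode drops and counts offending frames without shutting the port; choose `shutdown` where an alarm is preferable to silent filtering.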
Cisco Configuration Professional

(screenshot of Cisco Configuration Professional, community member 10.10.10.1, at Configure > Interface Management > Interface and Connections; the navigation pane shows Interface Management, Router, Security, License Management, Flash File Management, Configuration Editor, Save Configuration to PC, Write to Startup Configuration, and Telnet; the interface list shows an Outside interface with an inbound inspect rule)
CCP Initial Configuration

(figure: default configuration, address 10.10.10.2; DHCP server on some models if no DHCP server is present)
Commands to Provision a Deployed Device with CCP Support

Secure (HTTPS and SSH):
Router(config)# ip http secure-server
Router(config)# ip http authentication local
Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# transport input ssh
Router(config-line)# transport output ssh

Nonsecure Telnet and HTTP (clear text):
Router(config)# ip http server
Router(config)# ip http authentication local
Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# transport input telnet
Router(config-line)# transport output telnet

Both variants assume a local username with privilege 15 already exists, since CCP authenticates against it; the secure variant additionally needs a hostname, a domain name, and an RSA key pair before SSH will accept connections. The clear-text variant sends credentials and the configuration unencrypted and belongs, if anywhere, only on an isolated staging network.
Using CCP to Harden Cisco IOS Devices

(screenshot of Cisco Configuration Professional, Configure > Security > Security Audit; the navigation pane also shows Public Key Infrastructure, NAC, Web Filter Configuration, Intrusion Prevention, 802.1x, Flash File Management, Configuration Editor, Write to Startup Configuration, and Telnet)

Security Audit tools shown:
• Perform security audit: presents a list of recommended actions
• One-step lockdown: configures the router with a set of defined security settings; the button delivers the configuration to the router