Router Security Strategies: Securing IP Network Traffic
Planes provides a compre-hensive approach to understand and
implement IP traffic plane separation and protection on IP routers.
This book details the distinct traffic planes of IP networks and
the advanced techniques necessary to operationally secure them.
This includes the data, control, management, and services planes
that provide the infrastructure for IP networking. http://www.dropshippers.co.za/
The first section provides a brief overview of the essential
components of the Internet Protocol and IP networking. At the end
of this section, you will understand the fundamental principles of
defense in depth and breadth security as applied to IP traffic
planes. Techniques to secure the IP data plane, IP control plane,
IP management plane, and IP services plane are covered in detail in
the second section. http://www.dropshippers.co.za/
The final section provides case studies from both the enterprise
network and the service provider network perspectives. In this way,
the individual IP traffic plane security techniques reviewed in the
second section of the book are brought together to help you create
an integrated, comprehensive defense in depth and breadth security
architecture. http://www.dropshippers.co.za/
“Understanding and securing IP traffic planes are critical to
the overall security posture of the IP infrastructure. The
techniques detailed in this book provide protection and
instrumentation enabling operators to understand and defend against
attacks. As the vulnerability economy continues to mature, it is
critical for both vendors and network providers to collaboratively
deliver these protections to the IP infrastructure.” http://www.dropshippers.co.za/
–Russell Smoak, Director, Technical Services, Security
Intelligence Engineering, Cisco http://www.dropshippers.co.za/
Gregg Schudel, CCIE® No. 9591, joined Cisco in 2000 as a
consulting system engineer supporting the U.S. service provider
organization. Gregg focuses on IP core network security
architectures and technology for interexchange carriers and web
services providers. http://www.dropshippers.co.za/
David J. Smith, CCIE No. 1986, joined Cisco in 1995 and is a
consulting system engineer supporting the service provider
organization. David focuses on IP core and edge architectures
including IP routing, MPLS technologies, QoS, infrastructure
security, and network telemetry. http://www.dropshippers.co.za/
- Understand the operation of IP networks and routers
- Learn about the many threat models facing IP networks, Layer 2
Ethernet switching environments, and IPsec and MPLS VPN
services
- Learn how to segment and protect each IP traffic plane by
applying defense in depth and breadth principles
- Use security techniques such as ACLs, rate limiting, IP Options
filtering, uRPF, QoS, RTBH, QPPB, and many others to protect the
data plane of IP and switched Ethernet networks
- Secure the IP control plane with rACL, CoPP, GTSM, MD5, BGP and
ICMP techniques and Layer 2 switched Ethernet-specific
techniques
- Protect the IP management plane with password management, SNMP,
SSH, NTP, AAA, as well as other VPN management, out-of-band
management, and remote access management techniques
- Secure the IP services plane using recoloring, IP fragmentation
control, MPLS label control, and other traffic classification and
process control techniques
http://www.dropshippers.co.za/
This security book is part of the Cisco Press® Networking
Technology Series. Security titles from Cisco Press help networking
professionals secure critical data and resources, prevent and
mitigate network attacks, and build end-to-end self-defending
networks. http://www.dropshippers.co.za/
Table of Contents
Part I
Chapter 1
- Internet Protocol Operations Fundamentals 5
- IP Network Concepts 5
- Enterprise Networks 7
- Service Provider Networks 9
- IP Protocol Operations 11
- IP Traffic Concepts 19
- Transit IP Packets 20
- Receive-Adjacency IP Packets 21
- Exception IP and Non-IP Packets 22
- Exception IP Packets 22
- Non-IP Packets 23
- IP Traffic Planes 24
- Data Plane 25
- Control Plane 27
- Management Plane 29
- Services Plane 30
- IP Router Packet Processing Concepts 32
- Process Switching 36
- Fast Switching 39
- Cisco Express Forwarding 44
- Forwarding Information Base 44
- Adjacency Table 45
- CEF Operation 46
- General IP Router Architecture Types 50
- Centralized CPU-Based Architectures 50
- Centralized ASIC-Based Architectures 52
- Distributed CPU-Based Architectures 54
- Distributed ASIC-Based Architectures 56
- Summary 62
- Review Questions 62
- Further Reading 63
http://www.dropshippers.co.za/
Chapter 2
- Threat Models for IP Networks 65
- Threats Against IP Network Infrastructures 65
- Resource Exhaustion Attacks 66
- Direct Attacks 67
- Transit Attacks 70
- Reflection Attacks 74
- Spoofing Attacks 75
- Transport Protocol Attacks 76
- UDP Protocol Attacks 78
- TCP Protocol Attacks 78
- Routing Protocol Threats 81
- Other IP Control Plane Threats 83
- Unauthorized Access Attacks 85
- Software Vulnerabilities 87
- Malicious Network Reconnaissance 88
- Threats Against Layer 2 Network Infrastructures 89
- CAM Table Overflow Attacks 89
- MAC Spoofing Attacks 90
- VLAN Hopping Attacks 92
- Private VLAN Attacks 93
- STP Attacks 94
- VTP Attacks 95
- Threats Against IP VPN Network Infrastructures 96
- MPLS VPN Threat Models 96
- Threats Against the Customer Edge 98
- Threats Against the Provider Edge 99
- Threats Against the Provider Core 101
- Threats Against the Inter-Provider Edge 103
- Carrier Supporting Carrier Threats 103
- Inter-AS VPN Threats 105
- IPsec VPN Threat Models 108
- Summary 111
- Review Questions 112
- Further Reading 113
http://www.dropshippers.co.za/
Chapter 3
- IP Network Traffic Plane Security Concepts 117
- Principles of Defense in Depth and Breadth 117
- Understanding Defense in Depth and Breadth Concepts 118
- What Needs to Be Protected? 119
- What Are Defensive Layers? 119
- What Is the Operational Envelope of the Network? 122
- What Is Your Organization’s Operational Model? 123
- IP Network Traffic Planes: Defense in Depth and Breadth
123
- Data Plane 124
- Control Plane 124
- Management Plane 125
- Services Plane 126
- Network Interface Types 127
- Physical Interfaces 128
- Logical Interfaces 131
- Network Edge Security Concepts 133
- Internet Edge 133
- MPLS VPN Edge 136
- Network Core Security Concepts 138
- IP Core 139
- MPLS VPN Core 140
- Summary 141
- Review Questions 141
- Further Reading 142
http://www.dropshippers.co.za/
Part II
Chapter 4
- IP Data Plane Security 147
- Interface ACL Techniques 147
- Unicast RPF Techniques 156
- Strict uRPF 157
- Loose uRPF 161
- VRF Mode uRPF 163
- Feasible uRPF 167
- Flexible Packet Matching 168
- QoS Techniques 170
- Queuing 170
- IP QoS Packet Coloring (Marking) 171
- Rate Limiting 173
- IP Options Techniques 174
- Disable IP Source Routing 175
- IP Options Selective Drop 175
- ACL Support for Filtering IP Options 177
- Control Plane Policing 178
- ICMP Data Plane Mitigation Techniques 178
- Disabling IP Directed Broadcasts 181
- IP Sanity Checks 182
- BGP Policy Enforcement Using QPPB 183
- IP Routing Techniques 187
- IP Network Core Infrastructure Hiding 187
- IS-IS Advertise-Passive-Only 187
- IP Network Edge External Link Protection 189
- Protection Using More Specific IP Prefixes 190
- Protection Using BGP Communities 191
- Protection Using ACLs with Discontiguous Network Masks 192
- Remotely Triggered Black Hole Filtering 193
- IP Transport and Application Layer Techniques 200
- TCP Intercept 200
- Network Address Translation 201
- IOS Firewall 203
- IOS Intrusion Prevention System 205
- Traffic Scrubbing 206
- Deep Packet Inspection 207
- Layer 2 Ethernet Security Techniques 208
- Port Security 208
- MAC Address—Based Traffic Blocking 209
- Disable Auto Trunking 210
- VLAN ACLs 211
- IP Source Guard 212
- Private VLANs 212
- Traffic Storm Control 213
- Unknown Unicast Flood Blocking 214
- Summary 214
- Review Questions 214
- Further Reading 215
http://www.dropshippers.co.za/
Chapter 5
- IP Control Plane Security 219
- Disabling Unused Control Plane Services 220
- ICMP Techniques 220
- Selective Packet Discard 222
- SPD State Check 223
- SPD Input Queue Check 226
- SPD Monitoring and Tuning 226
- IP Receive ACLs 230
- IP Receive ACL Deployment Techniques 232
- Activating an IP Receive ACL 233
- IP Receive ACL Configuration Guidelines 234
- IP Receive ACL Feature Support 241
- Control Plane Policing 241
- CoPP Configuration Guidelines 243
- Defining CoPP Policies 243
- Tuning CoPP Policies 252
- Platform-Specific CoPP Implementation Details 260
- Cisco 12000 CoPP Implementation 260
- Cisco Catalyst 6500/Cisco 7600 CoPP Implementation 264
- Neighbor Authentication 269
- MD5 Authentication 270
- Generalized TTL Security Mechanism 273
- Protocol-Specific ACL Filters 277
- BGP Security Techniques 279
- BGP Prefix Filters 280
- IP Prefix Limits 282
- AS Path Limits 283
- BGP Graceful Restart 283
- Layer 2 Ethernet Control Plane Security 285
- VTP Authentication 285
- DHCP Snooping 286
- Dynamic ARP Inspection 289
- Sticky ARP 291
- Spanning Tree Protocol 292
- Summary 294
- Review Questions 294
- Further Reading 295
http://www.dropshippers.co.za/
Chapter 6
- IP Management Plane Security 299
- Management Interfaces 300
- Password Security 303
- SNMP Security 306
- Remote Terminal Access Security 309
- Disabling Unused Management Plane Services 311
- Disabling Idle User Sessions 315
- System Banners 316
- Secure IOS File Systems 319
- Role-Based CLI Access 320
- Management Plane Protection 324
- Authentication, Authorization, and Accounting 326
- AutoSecure 329
- Network Telemetry and Security 330
- Management VPN for MPLS VPNs 335
- Summary 341
- Review Questions 342
- Further Reading 343
http://www.dropshippers.co.za/
Chapter 7
- IP Services Plane Security 347
- Services Plane Overview 347
- Quality of Service 350
- QoS Mechanisms 351
- Classification 353
- Marking 353
- Policing 354
- Queuing 354
- MQC 355
- Packet Recoloring Example 356
- Traffic Management Example 358
- Securing QoS Services 361
- MPLS VPN Services 362
- MPLS VPN Overview 363
- Customer Edge Security 364
- Provider Edge Security 365
- Infrastructure ACL 366
- IP Receive ACL 366
- Control Plane Policing 367
- VRF Prefix Limits 367
- IP Fragmentation and Reassembly 368
- Provider Core Security 370
- Disable IP TTL to MPLS TTL Propagation at the Network Edge
370
- IP Fragmentation 371
- Router Alert Label 371
- Network SLAs 372
- Inter-Provider Edge Security 372
- Carrier Supporting Carrier Security 373
- Inter-AS VPN Security 374
- IPsec VPN Services 376
- IPsec VPN Overview 376
- IKE 377
- IPsec 378
- Securing IPsec VPN Services 386
- IKE Security 386
- Fragmentation 387
- IPsec VPN Access Control 391
- QoS 393
- Other IPsec Security-Related Features 394
- Other Services 394
- SSL VPN Services 395
- VoIP Services 396
- Video Services 397
- Summary 399
- Review Questions 399
- Further Reading 400
http://www.dropshippers.co.za/
Part III
Chapter 8
- Enterprise Network Case Studies 405
- Case Study 1: IPsec VPN and Internet Access 406
- Network Topology and Requirements 407
- Router Configuration 409
- Data Plane 418
- Control Plane 420
- Management Plane 422
- Services Plane 424
- Case Study 2: MPLS VPN 426
- Network Topology and Requirements 426
- Router Configuration 428
- Data Plane 435
- Control Plane 437
- Management Plane 438
- Services Plane 440
- Summary 441
- Further Reading 441
- Chapter 9
- Service Provider Network Case Studies 443
- Case Study 1: IPsec VPN and Internet Access 444
- Network Topology and Requirements 445
- Router Configuration 448
- Data Plane 455
- Control Plane 458
- Management Plane 460
- Services Plane 463
- Case Study 2: MPLS VPN 463
- Network Topology and Requirements 464
- Router Configuration 467
- Data Plane 474
- Control Plane 474
- Management Plane 477
- Services Plane 481
- Summary 483
- Further Reading 483
http://www.dropshippers.co.za/
Part IV
Appendix A
Appendix B
- IP Protocol Headers 497
- IP Version 4 Header 499
- TCP Header 510
- UDP Header 518
- ICMP Header 521
- ICMP Echo Request/Echo Reply Query Message Headers 525
- ICMP Time to Live Exceeded in Transit Error Message Header
529
- ICMP Destination Unreachable, Fragmentation Needed and Don’t
Fragment was
- Set Error Message Header 533
- Other ICMP Destination Unreachable Error Message Headers
539
- Ethernet/802.1Q Header 543
- IEEE 802.3 Ethernet Frame Header Format 543
- IEEE 802.1Q VLAN Header Format 547
- MPLS Protocol Header 551
- Further Reading 554
- Appendix C
- Cisco IOS to IOS XR Security Transition 557
- Data Plane Security Commands 558
- Control Plane Security Commands 562
- Management Plane Security Commands 578
- Services Plane Security Commands 592
- Further Reading 595
http://www.dropshippers.co.za/
Appendix D
- Security Incident Handling 597
- Six Phases of Incident Response 597
- Preparation 598
- Understand the Threats 598
- Deploy Defense in Depth and Breadth Security Strategies
598
- Establish Well-Defined Incident Response Procedures 599
- Establish an Incident Response Team 600
- Identification 600
- Classification 600
- Traceback 601
- Reaction 601
- Post-Mortem Analysis 602
- Cisco Product Security 602
- Cisco Security Vulnerability Policy 603
- Cisco Computer and Network Security 603
- Cisco Safety and Security 603
- Cisco IPS Signature Pack Updates and Archives 603
- Cisco Security Center 603
- Cisco IntelliShield Alert Manager Service 603
- Cisco Software Center 604
- Industry Security Organizations 604
- Regional Network Operators Groups 605
- Further Reading 606
http://www.dropshippers.co.za/
Index
Router Security Strategies - Securing IP Network Traffic Planes descriptions were created by Router Security Strategies - Securing IP Network Traffic Planes wholesale priced dropshippers.
