The Cisco Network Foundation Protection framework provides guidelines for protecting the network infrastructure by logically dividing network devices into three functional areas: the control plane, management plane, and data plane. The control plane is responsible for routing data correctly. The management plane manages network elements. The data plane forwards data. Security can be implemented for each plane - for example, for the control plane through features like Cisco AutoSecure, routing protocol authentication, and Control Plane Policing.
1.4.1 Cisco Network Foundation Protection
The Cisco Network Foundation Protection (NFP) framework provides comprehensive guidelines for protecting the network infrastructure. These guidelines form the foundation for continuous delivery of service.
NFP logically divides routers and switches into three functional areas:
- Control Plane - Responsible for routing data correctly. Control plane traffic consists of device-generated packets required for the operation of the network itself, such as ARP message exchanges or OSPF routing advertisements.
- Management Plane - Responsible for managing network elements. Management plane traffic is generated either by network devices or by network management stations using processes and protocols such as Telnet, SSH, TFTP, FTP, NTP, AAA, SNMP, syslog, TACACS+, RADIUS, and NetFlow.
- Data Plane (Forwarding Plane) - Responsible for forwarding data. Data plane traffic normally consists of user-generated packets being forwarded between end stations. Most traffic travels through the router or switch via the data plane. Data plane packets are typically processed in the fast-switching cache.
Control plane traffic consists of device-generated packets required for the operation of the network itself. Control plane security can be implemented using the following features:
- Cisco AutoSecure - Cisco AutoSecure provides a one-step device lockdown feature to protect the control plane as well as the management and data planes. It is a script that is initiated from the CLI to configure the security posture of routers. The script disables nonessential system processes and services. It first makes recommendations to address security vulnerabilities and then modifies the router configuration.
- Routing protocol authentication - Routing protocol authentication, or neighbor authentication, prevents a router from accepting fraudulent routing updates. Most routing protocols support neighbor authentication.
- Control Plane Policing (CoPP) - CoPP is a Cisco IOS feature designed to allow users to control the flow of traffic that is handled by the route processor of a network device.
CoPP is designed to prevent unnecessary traffic from overwhelming the route processor. The CoPP feature treats the control plane as a separate entity with its own ingress (input) and egress (output) ports. A set of rules can be established and associated with the ingress and egress ports of the control plane.
CoPP consists of the following features:
- Control Plane Policing (CoPP) - Lets users configure a QoS filter that manages the traffic flow of control plane packets. This protects the control plane against reconnaissance and DoS attacks.
- Control Plane Protection (CPPr) - An extension of CoPP that allows for finer policing granularity. For example, CPPr can filter and rate-limit the packets that are going to the control plane of the router and discard malicious packets, error packets, or both.
- Control Plane Logging - Enables logging of the packets that CoPP or CPPr drop or permit. It provides the logging mechanism needed to deploy, monitor, and troubleshoot CoPP features efficiently.
Note: Further detail on securing the control plane is beyond the scope of this course.
Management plane traffic is generated either by network devices or by network management stations using processes and protocols such as Telnet, SSH, TFTP, and FTP. The management plane is a very attractive target for attackers. For this reason, the management module was built with several technologies designed to mitigate such risks. The information flow between management hosts and the managed devices can be out-of-band (OOB), where information flows within a dedicated network on which no production traffic resides, or in-band, where information flows across the enterprise production network, the Internet, or both.
Management plane security can be implemented using the following features:
- Login and password policy - Restricts device accessibility. Limits the accessible ports and restricts the "who" and "how" methods of access.
- Present legal notification - Displays legal notices. These are often developed by the legal counsel of a corporation.
- Ensure the confidentiality of data - Protects locally stored sensitive data from being viewed or copied. Uses management protocols with strong authentication to mitigate confidentiality attacks aimed at exposing passwords and device configurations.
- Role-based access control (RBAC) - Ensures access is granted only to authenticated users, groups, and services. RBAC and authentication, authorization, and accounting (AAA) services provide mechanisms to manage access control effectively.
- Authorize actions - Restricts the actions and views that are permitted for any particular user, group, or service.
- Enable management access reporting - Logs and accounts for all access. Records who accessed the device, what occurred, and when it occurred.

RBAC restricts user access based on the role of the user. Roles are created according to job or task functions and assigned access permissions to specific assets. Users are then assigned to roles and granted the permissions that are defined for that role. In Cisco IOS, the role-based CLI access feature implements RBAC for router management access. The feature creates different "views" that define which commands are accepted and what configuration information is visible. For scalability, users, permissions, and roles are usually created and maintained in a central repository server. This makes the access control policy available to multiple devices. The central repository server can be a AAA server, such as the Cisco Secure Access Control System (ACS), which provides AAA services to a network for management purposes.
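As an added example (not the course's own configuration), the management-plane items above on a single Cisco IOS router: login throttling, a legal banner, SSH-only access from a management subnet, a read-only role-based CLI view, and access logging. Usernames, view names, secrets and addresses are constructed placeholders.

```cisco
! Added example (not the course's own configuration): management-plane
! hardening on a Cisco IOS router covering the six items above. Usernames,
! view names, secrets and addresses are constructed placeholders.
!
! --- Login and password policy: strong local secrets, brute-force throttling.
aaa new-model
aaa authentication login default local
security passwords min-length 12
enable secret REPLACE-WITH-ROOT-SECRET
login block-for 120 attempts 3 within 60
!
! --- Legal notification (wording belongs to legal counsel, not to this file).
banner motd ^C
AUTHORIZED ACCESS ONLY. Activity on this device is monitored and recorded.
^C
!
! --- Restrict "who" and "how": SSHv2 only, only from the management subnet.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
ip ssh version 2
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 5 0
!
! --- Role-based CLI access: a read-only view and an operator bound to it.
! --- ("enable view" must be entered at the EXEC prompt before parser views
! --- can be created; aaa new-model and an enable secret are prerequisites.)
parser view NOC-READONLY
 secret REPLACE-WITH-VIEW-SECRET
 commands exec include show version
 commands exec include show ip interface brief
 commands exec include show ip route
 commands exec include ping
username noc-operator view NOC-READONLY secret REPLACE-WITH-USER-SECRET
!
! --- Management access reporting: who, what and when, kept off-box.
service timestamps log datetime msec
logging host 192.0.2.50
login on-failure log
login on-success log
```

Logging in as noc-operator drops the session straight into the NOC-READONLY view, where only the included show and ping commands are accepted; for more than a handful of devices the users and views would be defined centrally on the AAA server rather than in each local configuration.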
Data plane traffic consists mostly of user-generated packets being forwarded through the router via the data plane. Data plane security can be implemented using ACLs, antispoofing mechanisms, and Layer 2 security features.
ACLs perform packet filtering to control which packets move through the network and where those packets are allowed to go. ACLs are used to secure the data plane in a variety of ways, including:
- Blocking unwanted traffic or users - ACLs can filter incoming or outgoing packets on an interface. They can be used to control access based on source addresses, destination addresses, or user authentication.
- Reducing the chance of DoS attacks - ACLs can be used to specify whether traffic from hosts, networks, or users may access the network. The TCP intercept feature can also be configured to prevent servers from being flooded with connection requests.
- Mitigating spoofing attacks - ACLs allow security practitioners to implement recommended practices to mitigate spoofing attacks.
- Providing bandwidth control - ACLs on a slow link can prevent excess traffic.
- Classifying traffic to protect the Management and Control planes - ACLs can be applied to the VTY lines.
ACLs can also be used as an antispoofing mechanism by discarding traffic that has an invalid source address. This forces attacks to be initiated from valid, reachable IP addresses, allowing the packets to be traced to the originator of an attack.
Features such as Unicast Reverse Path Forwarding (uRPF) can be used to complement the antispoofing strategy. Cisco Catalyst switches can use integrated features to help secure the Layer 2 infrastructure. The following are Layer 2 security tools integrated into the Cisco Catalyst switches:
- Port security - Prevents MAC address spoofing and MAC address flooding attacks.
- DHCP snooping - Prevents client attacks on the DHCP server and switch.
- Dynamic ARP Inspection (DAI) - Adds security to ARP by using the DHCP snooping table to minimize the impact of ARP poisoning and spoofing attacks.
- IP Source Guard - Prevents spoofing of IP addresses by using the DHCP snooping table.
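The following is an added example (not configuration from the course) that ties together the data-plane controls described above: an antispoofing ACL with uRPF on an IOS edge router, and DHCP snooping, DAI, port security and IP Source Guard on a Catalyst access switch. Interface names, the internal prefix 203.0.113.0/24, the VLAN number and the port roles are constructed placeholders.

```cisco
! Added example (not the course's own configuration): data-plane protection
! on an IOS edge router and a Catalyst access switch. Interface names, the
! internal prefix 203.0.113.0/24 and VLAN 10 are constructed placeholders.
!
! ===== Edge router =====
! --- Antispoofing ACL on the Internet-facing interface: drop inbound packets
! --- that claim an internal, private or otherwise invalid source address.
ip access-list extended EDGE-ANTISPOOF-IN
 deny   ip 203.0.113.0 0.0.0.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 permit ip any any
!
interface GigabitEthernet0/0
 description Internet uplink
 ip access-group EDGE-ANTISPOOF-IN in
 ! uRPF strict mode: discard packets whose source is not reachable back
 ! through this same interface; covers prefixes the ACL does not list.
 ip verify unicast source reachable-via rx
!
! ===== Catalyst access switch =====
! --- DHCP snooping builds the binding table that DAI and IP Source Guard use.
ip dhcp snooping
ip dhcp snooping vlan 10
! --- Dynamic ARP Inspection validates ARP replies against those bindings.
ip arp inspection vlan 10
!
interface GigabitEthernet1/0/24
 description Uplink to distribution (DHCP server lives upstream)
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet1/0/1
 description User access port
 switchport mode access
 switchport access vlan 10
 ! Port security: bounded MAC count, first MACs learned persistently,
 ! violations logged and dropped rather than shutting the port.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ! IP Source Guard: forward only traffic that matches a snooping binding.
 ip verify source
```

Strict uRPF (reachable-via rx) requires CEF and assumes symmetric routing on that interface; where return paths are asymmetric, loose mode (reachable-via any) avoids dropping legitimate traffic. Hosts with static addresses on a snooped VLAN need manual bindings (ip source binding) or they will be blocked by DAI and IP Source Guard.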
This course focuses on the various technologies and protocols used to secure the Management and Data planes.