Router Security Strategies
12%
off

Router Security Strategies : Securing IP Network Traffic Planes

4.62 (8 ratings by Goodreads)
By (author)  , By (author) 

Free delivery worldwide

Available. Dispatched from the UK in 11 business days
When will my order arrive?

Description

Router Security Strategies: Securing IP Network Traffic Planes provides a compre-hensive approach to understand and implement IP traffic plane separation and protection on IP routers. This book details the distinct traffic planes of IP networks and the advanced techniques necessary to operationally secure them. This includes the data, control, management, and services planes that provide the infrastructure for IP networking. The first section provides a brief overview of the essential components of the Internet Protocol and IP networking. At the end of this section, you will understand the fundamental principles of defense in depth and breadth security as applied to IP traffic planes. Techniques to secure the IP data plane, IP control plane, IP management plane, and IP services plane are covered in detail in the second section. The final section provides case studies from both the enterprise network and the service provider network perspectives. In this way, the individual IP traffic plane security techniques reviewed in the second section of the book are brought together to help you create an integrated, comprehensive defense in depth and breadth security architecture. "Understanding and securing IP traffic planes are critical to the overall security posture of the IP infrastructure. The techniques detailed in this book provide protection and instrumentation enabling operators to understand and defend against attacks. As the vulnerability economy continues to mature, it is critical for both vendors and network providers to collaboratively deliver these protections to the IP infrastructure." -Russell Smoak, Director, Technical Services, Security Intelligence Engineering, Cisco Gregg Schudel, CCIE(R) No. 9591, joined Cisco in 2000 as a consulting system engineer supporting the U.S. service provider organization. Gregg focuses on IP core network security architectures and technology for interexchange carriers and web services providers. David J. Smith, CCIE No. 1986, joined Cisco in 1995 and is a consulting system engineer supporting the service provider organization. David focuses on IP core and edge architectures including IP routing, MPLS technologies, QoS, infrastructure security, and network telemetry. * Understand the operation of IP networks and routers * Learn about the many threat models facing IP networks, Layer 2 Ethernet switching environments, and IPsec and MPLS VPN services* Learn how to segment and protect each IP traffic plane by applying defense in depth and breadth principles* Use security techniques such as ACLs, rate limiting, IP Options filtering, uRPF, QoS, RTBH, QPPB, and many others to protect the data plane of IP and switched Ethernet networks* Secure the IP control plane with rACL, CoPP, GTSM, MD5, BGP and ICMP techniques and Layer 2 switched Ethernet-specific techniques * Protect the IP management plane with password management, SNMP, SSH, NTP, AAA, as well as other VPN management, out-of-band management, and remote access management techniques* Secure the IP services plane using recoloring, IP fragmentation control, MPLS label control, and other traffic classification and process control techniques This security book is part of the Cisco Press(R) Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.show more

Product details

  • Paperback | 672 pages
  • 185.42 x 228.6 x 40.64mm | 1,065.94g
  • Pearson Education (US)
  • Cisco Press
  • Indianapolis, United States
  • English
  • 1587053365
  • 9781587053368
  • 1,550,276

Back cover copy

"Router Security Strategies: Securing IP Network Traffic Planes" provides a compre-hensive approach to understand and implement IP traffic plane separation and protection on IP routers. This book details the distinct traffic planes of IP networks and the advanced techniques necessary to operationally secure them. This includes the data, control, management, and services planes that provide the infrastructure for IP networking. The first section provides a brief overview of the essential components of the Internet Protocol and IP networking. At the end of this section, you will understand the fundamental principles of defense in depth and breadth security as applied to IP traffic planes. Techniques to secure the IP data plane, IP control plane, IP management plane, and IP services plane are covered in detail in the second section. The final section provides case studies from both the enterprise network and the service provider network perspectives. In this way, the individual IP traffic plane security techniques reviewed in the second section of the book are brought together to help you create an integrated, comprehensive defense in depth and breadth security architecture. "Understanding and securing IP traffic planes are critical to the overall security posture of the IP infrastructure. The techniques detailed in this book provide protection and instrumentation enabling operators to understand and defend against attacks. As the vulnerability economy continues to mature, it is critical for both vendors and network providers to collaboratively deliver these protections to the IP infrastructure." -Russell Smoak, Director, Technical Services, Security Intelligence Engineering, Cisco Gregg Schudel, CCIE(R) No. 9591, joined Cisco in 2000 as a consulting system engineer supporting the U.S. service provider organization. Gregg focuses on IP core network security architectures and technology for interexchange carriers and web services providers. David J. Smith, CCIE No. 1986, joined Cisco in 1995 and is a consulting system engineer supporting the service provider organization. David focuses on IP core and edge architectures including IP routing, MPLS technologies, QoS, infrastructure security, and network telemetry. Understand the operation of IP networks and routers Learn about the many threat models facing IP networks, Layer 2 Ethernet switching environments, and IPsec and MPLS VPN services Learn how to segment and protect each IP traffic plane by applying defense in depth and breadth principles Use security techniques such as ACLs, rate limiting, IP Options filtering, uRPF, QoS, RTBH, QPPB, and many others to protect the data plane of IP and switched Ethernet networks Secure the IP control plane with rACL, CoPP, GTSM, MD5, BGP and ICMP techniques and Layer 2 switched Ethernet-specific techniques Protect the IP management plane with password management, SNMP, SSH, NTP, AAA, as well as other VPN management, out-of-band management, and remote access management techniques Secure the IP services plane using recoloring, IP fragmentation control, MPLS label control, and other traffic classification and process control techniques This security book is part of the Cisco Press(R) Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.show more

About Gregg Schudel

Gregg Schudel,CCIE No. 9591 (Security), joined Cisco in 2000 as a consulting system engineer supporting the U.S. Service Provider Organization. Gregg focuses on IP core network and services security architectures and technology for inter-exchange carriers, web services providers, and mobile providers. Gregg is also part of a team of Corporate and Field resources focused on driving Cisco Service Provider Security Strategy. Prior to joining Cisco, Gregg worked for many years with BBN Technologies, where he supported network security research and development, most notably in conjunction with DARPA and other federal agencies involved in security research. Gregg holds an MS in engineering from George Washington University, and a BS in engineering from Florida Institute of Technology. Gregg can be contacted through e-mail at gschudel@cisco.com. David J. Smith, CCIE No. 1986 (Routing and Switching), joined Cisco in 1995 and is a consulting system engineer supporting the Service Provider Organization. Since 1999 David has focused on service provider IP core and edge architectures, including IP routing, MPLS technologies, QoS, infrastructure security, and network telemetry. Between 1995 and 1999, David supported enterprise customers designing campus and global WANs. Prior to joining Cisco, David worked at Bellcore developing systems software and experimental ATM switches. David holds an MS in information networking from Carnegie Mellon University, and a BS in computer engineering from Lehigh University. David can be contacted through e-mail at dasmith@cisco.com.show more

Table of contents

Foreword xix Introduction xx Part I IP Network and Traffic Plane Security Fundamentals 3 Chapter 1 Internet Protocol Operations Fundamentals 5 IP Network Concepts 5 Enterprise Networks 7 Service Provider Networks 9 IP Protocol Operations 11 IP Traffic Concepts 19 Transit IP Packets 20 Receive-Adjacency IP Packets 21 Exception IP and Non-IP Packets 22 Exception IP Packets 22 Non-IP Packets 23 IP Traffic Planes 24 Data Plane 25 Control Plane 27 Management Plane 29 Services Plane 30 IP Router Packet Processing Concepts 32 Process Switching 36 Fast Switching 39 Cisco Express Forwarding 44 Forwarding Information Base 44 Adjacency Table 45 CEF Operation 46 General IP Router Architecture Types 50 Centralized CPU-Based Architectures 50 Centralized ASIC-Based Architectures 52 Distributed CPU-Based Architectures 54 Distributed ASIC-Based Architectures 56 Summary 62 Review Questions 62 Further Reading 63 Chapter 2 Threat Models for IP Networks 65 Threats Against IP Network Infrastructures 65 Resource Exhaustion Attacks 66 Direct Attacks 67 Transit Attacks 70 Reflection Attacks 74 Spoofing Attacks 75 Transport Protocol Attacks 76 UDP Protocol Attacks 78 TCP Protocol Attacks 78 Routing Protocol Threats 81 Other IP Control Plane Threats 83 Unauthorized Access Attacks 85 Software Vulnerabilities 87 Malicious Network Reconnaissance 88 Threats Against Layer 2 Network Infrastructures 89 CAM Table Overflow Attacks 89 MAC Spoofing Attacks 90 VLAN Hopping Attacks 92 Private VLAN Attacks 93 STP Attacks 94 VTP Attacks 95 Threats Against IP VPN Network Infrastructures 96 MPLS VPN Threat Models 96 Threats Against the Customer Edge 98 Threats Against the Provider Edge 99 Threats Against the Provider Core 101 Threats Against the Inter-Provider Edge 103 Carrier Supporting Carrier Threats 103 Inter-AS VPN Threats 105 IPsec VPN Threat Models 108 Summary 111 Review Questions 112 Further Reading 113 Chapter 3 IP Network Traffic Plane Security Concepts 117 Principles of Defense in Depth and Breadth 117 Understanding Defense in Depth and Breadth Concepts 118 What Needs to Be Protected? 119 What Are Defensive Layers? 119 What Is the Operational Envelope of the Network? 122 What Is Your Organization's Operational Model? 123 IP Network Traffic Planes: Defense in Depth and Breadth 123 Data Plane 124 Control Plane 124 Management Plane 125 Services Plane 126 Network Interface Types 127 Physical Interfaces 128 Logical Interfaces 131 Network Edge Security Concepts 133 Internet Edge 133 MPLS VPN Edge 136 Network Core Security Concepts 138 IP Core 139 MPLS VPN Core 140 Summary 141 Review Questions 141 Further Reading 142 Part II Security Techniques for Protecting IP Traffic Planes 145 Chapter 4 IP Data Plane Security 147 Interface ACL Techniques 147 Unicast RPF Techniques 156 Strict uRPF 157 Loose uRPF 161 VRF Mode uRPF 163 Feasible uRPF 167 Flexible Packet Matching 168 QoS Techniques 170 Queuing 170 IP QoS Packet Coloring (Marking) 171 Rate Limiting 173 IP Options Techniques 174 Disable IP Source Routing 175 IP Options Selective Drop 175 ACL Support for Filtering IP Options 177 Control Plane Policing 178 ICMP Data Plane Mitigation Techniques 178 Disabling IP Directed Broadcasts 181 IP Sanity Checks 182 BGP Policy Enforcement Using QPPB 183 IP Routing Techniques 187 IP Network Core Infrastructure Hiding 187 IS-IS Advertise-Passive-Only 187 IP Network Edge External Link Protection 189 Protection Using More Specific IP Prefixes 190 Protection Using BGP Communities 191 Protection Using ACLs with Discontiguous Network Masks 192 Remotely Triggered Black Hole Filtering 193 IP Transport and Application Layer Techniques 200 TCP Intercept 200 Network Address Translation 201 IOS Firewall 203 IOS Intrusion Prevention System 205 Traffic Scrubbing 206 Deep Packet Inspection 207 Layer 2 Ethernet Security Techniques 208 Port Security 208 MAC Address-Based Traffic Blocking 209 Disable Auto Trunking 210 VLAN ACLs 211 IP Source Guard 212 Private VLANs 212 Traffic Storm Control 213 Unknown Unicast Flood Blocking 214 Summary 214 Review Questions 214 Further Reading 215 Chapter 5 IP Control Plane Security 219 Disabling Unused Control Plane Services 220 ICMP Techniques 220 Selective Packet Discard 222 SPD State Check 223 SPD Input Queue Check 226 SPD Monitoring and Tuning 226 IP Receive ACLs 230 IP Receive ACL Deployment Techniques 232 Activating an IP Receive ACL 233 IP Receive ACL Configuration Guidelines 234 IP Receive ACL Feature Support 241 Control Plane Policing 241 CoPP Configuration Guidelines 243 Defining CoPP Policies 243 Tuning CoPP Policies 252 Platform-Specific CoPP Implementation Details 260 Cisco 12000 CoPP Implementation 260 Cisco Catalyst 6500/Cisco 7600 CoPP Implementation 264 Neighbor Authentication 269 MD5 Authentication 270 Generalized TTL Security Mechanism 273 Protocol-Specific ACL Filters 277 BGP Security Techniques 279 BGP Prefix Filters 280 IP Prefix Limits 282 AS Path Limits 283 BGP Graceful Restart 283 Layer 2 Ethernet Control Plane Security 285 VTP Authentication 285 DHCP Snooping 286 Dynamic ARP Inspection 289 Sticky ARP 291 Spanning Tree Protocol 292 Summary 294 Review Questions 294 Further Reading 295 Chapter 6 IP Management Plane Security 299 Management Interfaces 300 Password Security 303 SNMP Security 306 Remote Terminal Access Security 309 Disabling Unused Management Plane Services 311 Disabling Idle User Sessions 315 System Banners 316 Secure IOS File Systems 319 Role-Based CLI Access 320 Management Plane Protection 324 Authentication, Authorization, and Accounting 326 AutoSecure 329 Network Telemetry and Security 330 Management VPN for MPLS VPNs 335 Summary 341 Review Questions 342 Further Reading 343 Chapter 7 IP Services Plane Security 347 Services Plane Overview 347 Quality of Service 350 QoS Mechanisms 351 Classification 353 Marking 353 Policing 354 Queuing 354 MQC 355 Packet Recoloring Example 356 Traffic Management Example 358 Securing QoS Services 361 MPLS VPN Services 362 MPLS VPN Overview 363 Customer Edge Security 364 Provider Edge Security 365 Infrastructure ACL 366 IP Receive ACL 366 Control Plane Policing 367 VRF Prefix Limits 367 IP Fragmentation and Reassembly 368 Provider Core Security 370 Disable IP TTL to MPLS TTL Propagation at the Network Edge 370 IP Fragmentation 371 Router Alert Label 371 Network SLAs 372 Inter-Provider Edge Security 372 Carrier Supporting Carrier Security 373 Inter-AS VPN Security 374 IPsec VPN Services 376 IPsec VPN Overview 376 IKE 377 IPsec 378 Securing IPsec VPN Services 386 IKE Security 386 Fragmentation 387 IPsec VPN Access Control 391 QoS 393 Other IPsec Security-Related Features 394 Other Services 394 SSL VPN Services 395 VoIP Services 396 Video Services 397 Summary 399 Review Questions 399 Further Reading 400 Part III Case Studies 403 Chapter 8 Enterprise Network Case Studies 405 Case Study 1: IPsec VPN and Internet Access 406 Network Topology and Requirements 407 Router Configuration 409 Data Plane 418 Control Plane 420 Management Plane 422 Services Plane 424 Case Study 2: MPLS VPN 426 Network Topology and Requirements 426 Router Configuration 428 Data Plane 435 Control Plane 437 Management Plane 438 Services Plane 440 Summary 441 Further Reading 441 Chapter 9 Service Provider Network Case Studies 443 Case Study 1: IPsec VPN and Internet Access 444 Network Topology and Requirements 445 Router Configuration 448 Data Plane 455 Control Plane 458 Management Plane 460 Services Plane 463 Case Study 2: MPLS VPN 463 Network Topology and Requirements 464 Router Configuration 467 Data Plane 474 Control Plane 474 Management Plane 477 Services Plane 481 Summary 483 Further Reading 483 Part IV Appendixes 485 Appendix A Answers to Chapter Review Questions 487 Appendix B IP Protocol Headers 497 IP Version 4 Header 499 TCP Header 510 UDP Header 518 ICMP Header 521 ICMP Echo Request/Echo Reply Query Message Headers 525 ICMP Time to Live Exceeded in Transit Error Message Header 529 ICMP Destination Unreachable, Fragmentation Needed and Don't Fragment was Set Error Message Header 533 Other ICMP Destination Unreachable Error Message Headers 539 Ethernet/802.1Q Header 543 IEEE 802.3 Ethernet Frame Header Format 543 IEEE 802.1Q VLAN Header Format 547 MPLS Protocol Header 551 Further Reading 554 Appendix C Cisco IOS to IOS XR Security Transition 557 Data Plane Security Commands 558 Control Plane Security Commands 562 Management Plane Security Commands 578 Services Plane Security Commands 592 Further Reading 595 Appendix D Security Incident Handling 597 Six Phases of Incident Response 597 Preparation 598 Understand the Threats 598 Deploy Defense in Depth and Breadth Security Strategies 598 Establish Well-Defined Incident Response Procedures 599 Establish an Incident Response Team 600 Identification 600 Classification 600 Traceback 601 Reaction 601 Post-Mortem Analysis 602 Cisco Product Security 602 Cisco Security Vulnerability Policy 603 Cisco Computer and Network Security 603 Cisco Safety and Security 603 Cisco IPS Signature Pack Updates and Archives 603 Cisco Security Center 603 Cisco IntelliShield Alert Manager Service 603 Cisco Software Center 604 Industry Security Organizations 604 Regional Network Operators Groups 605 Further Reading 606 Index 608show more

Rating details

8 ratings
4.62 out of 5 stars
5 62% (5)
4 38% (3)
3 0% (0)
2 0% (0)
1 0% (0)
Book ratings by Goodreads
Goodreads is the world's largest site for readers with over 50 million reviews. We're featuring millions of their reader ratings on our book pages to help you find your new favourite book. Close X