Router Security Strategies

Router Security Strategies: Securing IP Network Traffic Planes

4.62 (8 ratings by Goodreads)
By Gregg Schudel and David J. Smith

Description

Router Security Strategies: Securing IP Network Traffic Planes provides a comprehensive approach to understanding and implementing IP traffic plane separation and protection on IP routers. This book details the distinct traffic planes of IP networks and the advanced techniques necessary to operationally secure them. This includes the data, control, management, and services planes that provide the infrastructure for IP networking.

The first section provides a brief overview of the essential components of the Internet Protocol and IP networking. At the end of this section, you will understand the fundamental principles of defense in depth and breadth security as applied to IP traffic planes. Techniques to secure the IP data plane, IP control plane, IP management plane, and IP services plane are covered in detail in the second section. The final section provides case studies from both the enterprise network and the service provider network perspectives. In this way, the individual IP traffic plane security techniques reviewed in the second section of the book are brought together to help you create an integrated, comprehensive defense in depth and breadth security architecture.

"Understanding and securing IP traffic planes are critical to the overall security posture of the IP infrastructure. The techniques detailed in this book provide protection and instrumentation enabling operators to understand and defend against attacks. As the vulnerability economy continues to mature, it is critical for both vendors and network providers to collaboratively deliver these protections to the IP infrastructure." -Russell Smoak, Director, Technical Services, Security Intelligence Engineering, Cisco

Gregg Schudel, CCIE No. 9591, joined Cisco in 2000 as a consulting system engineer supporting the U.S. service provider organization. Gregg focuses on IP core network security architectures and technology for interexchange carriers and web services providers.

David J. Smith, CCIE No. 1986, joined Cisco in 1995 and is a consulting system engineer supporting the service provider organization. David focuses on IP core and edge architectures including IP routing, MPLS technologies, QoS, infrastructure security, and network telemetry.

What you will learn:

  • Understand the operation of IP networks and routers
  • Learn about the many threat models facing IP networks, Layer 2 Ethernet switching environments, and IPsec and MPLS VPN services
  • Learn how to segment and protect each IP traffic plane by applying defense in depth and breadth principles
  • Use security techniques such as ACLs, rate limiting, IP Options filtering, uRPF, QoS, RTBH, QPPB, and many others to protect the data plane of IP and switched Ethernet networks
  • Secure the IP control plane with rACL, CoPP, GTSM, MD5, BGP and ICMP techniques and Layer 2 switched Ethernet-specific techniques
  • Protect the IP management plane with password management, SNMP, SSH, NTP, AAA, as well as other VPN management, out-of-band management, and remote access management techniques
  • Secure the IP services plane using recoloring, IP fragmentation control, MPLS label control, and other traffic classification and process control techniques

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
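Of the data plane techniques the listing names, unicast RPF is the one most often misconfigured, because "strict" and "loose" mode answer different questions. The Python below is an added illustration written for this page; it is not code from the book or from Cisco IOS. It models a router's forwarding table as a constructed dictionary and applies the two uRPF checks the book's Chapter 4 covers, including the allow-default option and the interaction with a Null0 route of the kind used by remotely triggered black hole filtering. The interface names, prefixes and sample packets are assumptions made for the example.

```python
import ipaddress

# Constructed sample FIB for the example: prefix -> outgoing interface.
# Not taken from the book; RFC 5737 documentation prefixes are used.
FIB = {
    ipaddress.ip_network("0.0.0.0/0"): "Gi0/0",        # default route toward upstream
    ipaddress.ip_network("192.0.2.0/24"): "Gi0/1",     # customer A
    ipaddress.ip_network("198.51.100.0/24"): "Gi0/2",  # customer B
    ipaddress.ip_network("203.0.113.0/24"): "Null0",   # black-holed (RTBH-style) prefix
}


def lookup(src):
    """Longest-prefix match of a source address against the FIB.

    Returns (prefix, interface) for the most specific matching route, or
    None when nothing matches (cannot happen here because of the default).
    """
    addr = ipaddress.ip_address(src)
    best = None
    for net, iface in FIB.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(src, in_iface, allow_default=False):
    """Strict uRPF: the best route for the source must point back out the
    interface the packet arrived on.  Suitable for single-homed edges only;
    asymmetric routing makes strict mode drop legitimate traffic."""
    match = lookup(src)
    if match is None:
        return False
    net, iface = match
    if iface == "Null0":                       # route to Null0 never verifies
        return False
    if net.prefixlen == 0 and not allow_default:
        return False                           # a default-route match is not enough
    return iface == in_iface


def urpf_loose(src, allow_default=False):
    """Loose uRPF: any non-Null0 route for the source verifies, regardless of
    ingress interface.  Weaker anti-spoofing, but safe with asymmetric paths,
    and it turns a Null0 route into a source-based drop for RTBH."""
    match = lookup(src)
    if match is None:
        return False
    net, iface = match
    if iface == "Null0":
        return False
    if net.prefixlen == 0 and not allow_default:
        return False
    return True


def evaluate(packets):
    """Apply both checks to a list of (src, in_iface) and return the verdicts."""
    return [(src, iface, urpf_strict(src, iface), urpf_loose(src))
            for src, iface in packets]


if __name__ == "__main__":
    # Constructed sample packets: (source address, ingress interface).
    sample = [
        ("192.0.2.10", "Gi0/1"),      # customer A from its own port: passes both
        ("192.0.2.10", "Gi0/2"),      # customer A's address arriving from B: spoofed
        ("203.0.113.5", "Gi0/0"),     # black-holed source: dropped by both modes
        ("10.9.9.9", "Gi0/0"),        # only the default route matches: fails without allow-default
    ]
    for src, iface, strict, loose in evaluate(sample):
        print(f"{src:>14} on {iface}: strict={'pass' if strict else 'DROP'} "
              f"loose={'pass' if loose else 'DROP'}")
```

The two modes diverge exactly where the book's chapter headings suggest: strict mode catches a customer prefix arriving on the wrong interface, loose mode does not, and both drop a source covered by a Null0 route, which is what makes loose uRPF plus a black hole route a source-based filter rather than only a destination-based one.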

Product details

  • Format: Paperback | 672 pages
  • Dimensions: 185.42 x 228.6 x 40.64mm | 1,065.94g
  • Publisher: Pearson Education (US)
  • Imprint: Cisco Press
  • Publication city: Indianapolis, United States
  • Language: English
  • ISBN-10: 1587053365
  • ISBN-13: 9781587053368
  • Bestsellers rank: 1,633,633


About the authors

Gregg Schudel, CCIE No. 9591 (Security), joined Cisco in 2000 as a consulting system engineer supporting the U.S. Service Provider Organization. Gregg focuses on IP core network and services security architectures and technology for inter-exchange carriers, web services providers, and mobile providers. Gregg is also part of a team of Corporate and Field resources focused on driving Cisco Service Provider Security Strategy. Prior to joining Cisco, Gregg worked for many years with BBN Technologies, where he supported network security research and development, most notably in conjunction with DARPA and other federal agencies involved in security research. Gregg holds an MS in engineering from George Washington University, and a BS in engineering from Florida Institute of Technology. Gregg can be contacted through e-mail at gschudel@cisco.com.

David J. Smith, CCIE No. 1986 (Routing and Switching), joined Cisco in 1995 and is a consulting system engineer supporting the Service Provider Organization. Since 1999 David has focused on service provider IP core and edge architectures, including IP routing, MPLS technologies, QoS, infrastructure security, and network telemetry. Between 1995 and 1999, David supported enterprise customers designing campus and global WANs. Prior to joining Cisco, David worked at Bellcore developing systems software and experimental ATM switches. David holds an MS in information networking from Carnegie Mellon University, and a BS in computer engineering from Lehigh University. David can be contacted through e-mail at dasmith@cisco.com.

Table of contents

Foreword
Introduction

Part I: IP Network and Traffic Plane Security Fundamentals

  • Chapter 1: Internet Protocol Operations Fundamentals
    • IP Network Concepts
      • Enterprise Networks
      • Service Provider Networks
    • IP Protocol Operations
    • IP Traffic Concepts
      • Transit IP Packets
      • Receive-Adjacency IP Packets
      • Exception IP and Non-IP Packets
        • Exception IP Packets
        • Non-IP Packets
    • IP Traffic Planes
      • Data Plane
      • Control Plane
      • Management Plane
      • Services Plane
    • IP Router Packet Processing Concepts
      • Process Switching
      • Fast Switching
      • Cisco Express Forwarding
        • Forwarding Information Base
        • Adjacency Table
        • CEF Operation
    • General IP Router Architecture Types
      • Centralized CPU-Based Architectures
      • Centralized ASIC-Based Architectures
      • Distributed CPU-Based Architectures
      • Distributed ASIC-Based Architectures
    • Summary
    • Review Questions
    • Further Reading
  • Chapter 2: Threat Models for IP Networks
    • Threats Against IP Network Infrastructures
      • Resource Exhaustion Attacks
        • Direct Attacks
        • Transit Attacks
        • Reflection Attacks
      • Spoofing Attacks
      • Transport Protocol Attacks
        • UDP Protocol Attacks
        • TCP Protocol Attacks
      • Routing Protocol Threats
      • Other IP Control Plane Threats
      • Unauthorized Access Attacks
      • Software Vulnerabilities
      • Malicious Network Reconnaissance
    • Threats Against Layer 2 Network Infrastructures
      • CAM Table Overflow Attacks
      • MAC Spoofing Attacks
      • VLAN Hopping Attacks
      • Private VLAN Attacks
      • STP Attacks
      • VTP Attacks
    • Threats Against IP VPN Network Infrastructures
      • MPLS VPN Threat Models
        • Threats Against the Customer Edge
        • Threats Against the Provider Edge
        • Threats Against the Provider Core
        • Threats Against the Inter-Provider Edge
          • Carrier Supporting Carrier Threats
          • Inter-AS VPN Threats
      • IPsec VPN Threat Models
    • Summary
    • Review Questions
    • Further Reading
  • Chapter 3: IP Network Traffic Plane Security Concepts
    • Principles of Defense in Depth and Breadth
      • Understanding Defense in Depth and Breadth Concepts
        • What Needs to Be Protected?
        • What Are Defensive Layers?
        • What Is the Operational Envelope of the Network?
        • What Is Your Organization's Operational Model?
    • IP Network Traffic Planes: Defense in Depth and Breadth
      • Data Plane
      • Control Plane
      • Management Plane
      • Services Plane
    • Network Interface Types
      • Physical Interfaces
      • Logical Interfaces
    • Network Edge Security Concepts
      • Internet Edge
      • MPLS VPN Edge
    • Network Core Security Concepts
      • IP Core
      • MPLS VPN Core
    • Summary
    • Review Questions
    • Further Reading

Part II: Security Techniques for Protecting IP Traffic Planes

  • Chapter 4: IP Data Plane Security
    • Interface ACL Techniques
    • Unicast RPF Techniques
      • Strict uRPF
      • Loose uRPF
      • VRF Mode uRPF
      • Feasible uRPF
    • Flexible Packet Matching
    • QoS Techniques
      • Queuing
      • IP QoS Packet Coloring (Marking)
      • Rate Limiting
    • IP Options Techniques
      • Disable IP Source Routing
      • IP Options Selective Drop
      • ACL Support for Filtering IP Options
      • Control Plane Policing
    • ICMP Data Plane Mitigation Techniques
    • Disabling IP Directed Broadcasts
    • IP Sanity Checks
    • BGP Policy Enforcement Using QPPB
    • IP Routing Techniques
      • IP Network Core Infrastructure Hiding
        • IS-IS Advertise-Passive-Only
      • IP Network Edge External Link Protection
        • Protection Using More Specific IP Prefixes
        • Protection Using BGP Communities
        • Protection Using ACLs with Discontiguous Network Masks
      • Remotely Triggered Black Hole Filtering
    • IP Transport and Application Layer Techniques
      • TCP Intercept
      • Network Address Translation
      • IOS Firewall
      • IOS Intrusion Prevention System
      • Traffic Scrubbing
      • Deep Packet Inspection
    • Layer 2 Ethernet Security Techniques
      • Port Security
      • MAC Address-Based Traffic Blocking
      • Disable Auto Trunking
      • VLAN ACLs
      • IP Source Guard
      • Private VLANs
      • Traffic Storm Control
      • Unknown Unicast Flood Blocking
    • Summary
    • Review Questions
    • Further Reading
  • Chapter 5: IP Control Plane Security
    • Disabling Unused Control Plane Services
    • ICMP Techniques
    • Selective Packet Discard
      • SPD State Check
      • SPD Input Queue Check
      • SPD Monitoring and Tuning
    • IP Receive ACLs
      • IP Receive ACL Deployment Techniques
      • Activating an IP Receive ACL
      • IP Receive ACL Configuration Guidelines
      • IP Receive ACL Feature Support
    • Control Plane Policing
      • CoPP Configuration Guidelines
      • Defining CoPP Policies
      • Tuning CoPP Policies
      • Platform-Specific CoPP Implementation Details
        • Cisco 12000 CoPP Implementation
        • Cisco Catalyst 6500/Cisco 7600 CoPP Implementation
    • Neighbor Authentication
      • MD5 Authentication
      • Generalized TTL Security Mechanism
    • Protocol-Specific ACL Filters
    • BGP Security Techniques
      • BGP Prefix Filters
      • IP Prefix Limits
      • AS Path Limits
      • BGP Graceful Restart
    • Layer 2 Ethernet Control Plane Security
      • VTP Authentication
      • DHCP Snooping
      • Dynamic ARP Inspection
      • Sticky ARP
      • Spanning Tree Protocol
    • Summary
    • Review Questions
    • Further Reading
  • Chapter 6: IP Management Plane Security
    • Management Interfaces
    • Password Security
    • SNMP Security
    • Remote Terminal Access Security
    • Disabling Unused Management Plane Services
    • Disabling Idle User Sessions
    • System Banners
    • Secure IOS File Systems
    • Role-Based CLI Access
    • Management Plane Protection
    • Authentication, Authorization, and Accounting
    • AutoSecure
    • Network Telemetry and Security
    • Management VPN for MPLS VPNs
    • Summary
    • Review Questions
    • Further Reading
  • Chapter 7: IP Services Plane Security
    • Services Plane Overview
    • Quality of Service
      • QoS Mechanisms
        • Classification
        • Marking
        • Policing
        • Queuing
        • MQC
      • Packet Recoloring Example
      • Traffic Management Example
      • Securing QoS Services
    • MPLS VPN Services
      • MPLS VPN Overview
      • Customer Edge Security
      • Provider Edge Security
        • Infrastructure ACL
        • IP Receive ACL
        • Control Plane Policing
        • VRF Prefix Limits
        • IP Fragmentation and Reassembly
      • Provider Core Security
        • Disable IP TTL to MPLS TTL Propagation at the Network Edge
        • IP Fragmentation
        • Router Alert Label
        • Network SLAs
      • Inter-Provider Edge Security
        • Carrier Supporting Carrier Security
        • Inter-AS VPN Security
    • IPsec VPN Services
      • IPsec VPN Overview
        • IKE
        • IPsec
      • Securing IPsec VPN Services
        • IKE Security
        • Fragmentation
        • IPsec VPN Access Control
        • QoS
        • Other IPsec Security-Related Features
    • Other Services
      • SSL VPN Services
      • VoIP Services
      • Video Services
    • Summary
    • Review Questions
    • Further Reading

Part III: Case Studies

  • Chapter 8: Enterprise Network Case Studies
    • Case Study 1: IPsec VPN and Internet Access
      • Network Topology and Requirements
      • Router Configuration
      • Data Plane
      • Control Plane
      • Management Plane
      • Services Plane
    • Case Study 2: MPLS VPN
      • Network Topology and Requirements
      • Router Configuration
      • Data Plane
      • Control Plane
      • Management Plane
      • Services Plane
    • Summary
    • Further Reading
  • Chapter 9: Service Provider Network Case Studies
    • Case Study 1: IPsec VPN and Internet Access
      • Network Topology and Requirements
      • Router Configuration
      • Data Plane
      • Control Plane
      • Management Plane
      • Services Plane
    • Case Study 2: MPLS VPN
      • Network Topology and Requirements
      • Router Configuration
      • Data Plane
      • Control Plane
      • Management Plane
      • Services Plane
    • Summary
    • Further Reading

Part IV: Appendixes

  • Appendix A: Answers to Chapter Review Questions
  • Appendix B: IP Protocol Headers
    • IP Version 4 Header
    • TCP Header
    • UDP Header
    • ICMP Header
      • ICMP Echo Request/Echo Reply Query Message Headers
      • ICMP Time to Live Exceeded in Transit Error Message Header
      • ICMP Destination Unreachable, Fragmentation Needed and Don't Fragment was Set Error Message Header
      • Other ICMP Destination Unreachable Error Message Headers
    • Ethernet/802.1Q Header
      • IEEE 802.3 Ethernet Frame Header Format
      • IEEE 802.1Q VLAN Header Format
    • MPLS Protocol Header
    • Further Reading
  • Appendix C: Cisco IOS to IOS XR Security Transition
    • Data Plane Security Commands
    • Control Plane Security Commands
    • Management Plane Security Commands
    • Services Plane Security Commands
    • Further Reading
  • Appendix D: Security Incident Handling
    • Six Phases of Incident Response
      • Preparation
        • Understand the Threats
        • Deploy Defense in Depth and Breadth Security Strategies
        • Establish Well-Defined Incident Response Procedures
        • Establish an Incident Response Team
      • Identification
      • Classification
      • Traceback
      • Reaction
      • Post-Mortem Analysis
    • Cisco Product Security
      • Cisco Security Vulnerability Policy
      • Cisco Computer and Network Security
      • Cisco Safety and Security
      • Cisco IPS Signature Pack Updates and Archives
      • Cisco Security Center
      • Cisco IntelliShield Alert Manager Service
      • Cisco Software Center
    • Industry Security Organizations
      • Regional Network Operators Groups
    • Further Reading

Index

Rating details

8 ratings
4.62 out of 5 stars
5 62% (5)
4 38% (3)
3 0% (0)
2 0% (0)
1 0% (0)
Book ratings by Goodreads