Chapter 3: Network Foundation Protection and Cisco Configuration Professional

Network Foundation Protection and Cisco Configuration ProfessionalCisco Network Foundation Protection (NFP) provides an umbrella strategy for infrastructure protection by encompassing Cisco IOS security featuresThreats Against the Network InfrastructureCisco NFP FrameworkSome Components of Cisco NFPSome of Cisco NFP in a NetworkControl Plane Policing (CoPP) is a Cisco IOS feature designed to allow users to manage the flow of traffic that is managed by the route processor of their network devicesControl Plane SecurityGoal of CoPP: Treat the CPU as an InterfaceCisco AutoSecure allows two modes of operation:• Interactive mode: Prompts users to select their own configuration of router services and other security-related features• Noninteractive mode: Configures security-related features of the router based on a set of Cisco defaultsCisco AutoSecure protects the router functional planes by doing the following:• Disabling often unnecessary and potentially insecure global services• Enabling certain services that help further secure often necessary global services• Disabling often unnecessary and potentially insecure interface services, which can be configured on a per-interface level• Securing administrative access to the router• Enabling appropriate security-related loggingCisco AutoSecureCisco AutoSecure Protection for All Three PlanesSecure Management and ReportingRole-Based Access ControlAAA servers are typically used as a central repository of authentication credentials (the users, answering the question “who is trying to access the device?”), authorization rules (the “what” users can accomplish), and accounting logs (the “what users did” part of the equation).Deploying AAAAmong the laundry list of ways to protect the data plane, some that we will see in this book include• Access control lists• Private VLAN• Firewalling• Intrusion Prevention System (IPS)Data Plane SecurityThe following are the most common reasons to use ACLs:• Block unwanted traffic or users• Reduce the chance of DoS attacks for internal devices• Mitigate spoofing attacks• Provide bandwidth control• Classify traffic to protect other planesAccess Control List FilteringAntispoofingData plane protection mechanisms depend on feature availability for specific devices. In a switching infrastructure, these Cisco Catalyst integrated security capabilities provide data plane security on the Cisco Catalyst switches using integrated tools:• Port security prevents MAC flooding attacks.• DHCP snooping prevents client attacks on the DHCP server and switch.• Dynamic ARP Inspection (DAI) adds security to ARP by using the DHCP snooping table to minimize the impact of ARP poisoning and spoofing attacks.• IP Source Guard prevents IP spoofing addresses by using the DHCP snooping table.Layer 2 Data Plane ProtectionCisco Configuration ProfessionalCCP Initial ConfigurationCommand to Provision a Deployed Device with CCP SupportUsing CCP to Harden Cisco IOS DevicesSecurity Audit Tools