{"id":349,"date":"2015-08-06T21:44:10","date_gmt":"2015-08-06T21:44:10","guid":{"rendered":"https:\/\/learncisco.net\/index.php\/data-plane-security-controls\/"},"modified":"2023-01-19T20:20:41","modified_gmt":"2023-01-19T13:20:41","slug":"data-plane-security-controls","status":"publish","type":"page","link":"https:\/\/www.learncisco.net\/courses\/iins\/security-on-cisco-routers\/data-plane-security-controls.html","title":{"rendered":"Data Plane Security Controls"},"content":{"rendered":"<p>One of our most basic and fundamental protections for the data plane is an interface ACL \u2013 an access control list that&#8217;s applied in a certain direction \u2013 inbound or outbound, ingress or egress \u2013 on an interface to block unwanted traffic or to block particular users. This will help us mitigate against denial-of-service attacks, it&#8217;s an antispoofing mechanism as well. We can also use ACLs to provide bandwidth control, and we can classify the traffic to protect other planes. So we can use the interface ACL to control access to VTY lines for management, that would be reducing the attack surface is what we call that, or we can restrict the content of routing updates, that can help protect the control plane.<\/p>\n<p>Here is a list with the most common use cases of the ACLs:<\/p>\n<ul>\n<li><strong>Block unwanted traffic or users<\/strong> &#8211; Access lists can filter incoming or outgoing packets on an interface, and control access using source addresses, destination addresses, or user authentication. You can also use access lists to determine which types of traffic are forwarded or blocked at the router interfaces. For example, you can permit e-mail traffic to be routed, but at the same time block all Telnet traffic.<\/li>\n<li><strong>Reduce the chance of DoS attacks<\/strong> &#8211; There are a number of ways to reduce the chance of DoS attacks. For example, by specifying IP source addresses, you can control whether traffic from hosts, networks, or users access your network. You can filter on specific Time to Live (TTL) values in packets to control how many hops a packet can take before reaching a router in your network. By configuring the TCP Intercept feature, you can prevent servers from being flooded with requests for a connection.<\/li>\n<li><strong>Mitigate spoofing attacks<\/strong> &#8211; ACLs allow security practitioners to implement recommended practices to mitigate spoofing attacks. The guidelines that are found in several RFCs provide basic filtering, and can be easily deployed using ACLs.<\/li>\n<li><strong>Provide bandwidth control<\/strong> &#8211; An access list on a slow link can prevent excess traffic.<\/li>\n<\/ul>\n<p>Classify traffic to protect other planes &#8211; You can place an access list on inbound VTY (Telnet) line access from certain nodes or networks. For the control plane, access lists can control routing updates being sent, received, or redistributed.<\/p>\n<p>For years now, we have used access control list as antispoofing mechanisms basically discarding traffic that has an invalid source address. It&#8217;s either trying to masquerade as a legitimate host on the inside of our network or you can prevent your internal users from spoofing addresses that are legitimate on the outside. Bottom line is they can be done in both directions \u2013 either for external users or for mischievous internal users.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"Spoofing\" src=\"\/wp-content\/themes\/learncisco\/assets\/images\/iins\/027-spoofing.jpg\" alt=\"Spoofing\" width=\"651\" height=\"273\" \/><\/p>\n<p>Basically, people spoof source IP addresses to either evade traceability and bypass access controls or the actual source IP address \u2013 maybe the ultimate target \u2013 as we flood servers and routers and force them to send error messages back to that spoofed IP address. It&#8217;s a reflection attack, okay, so they can be used in a wide variety of methods. Now these can be invalid IP addresses, can be RFC 1918 addresses \u2013 the special use addresses, or 224, for example. You should never source IP address \u2013 that&#8217;s the multicast range, nor should it be from the private IP address space, okay, let&#8217;s say 192.168.1 for example. But it could also be a valid network address range, but it&#8217;s not coming from a legitimate network. So we want to implement BCP 38 or RFC 2827 ingress traffic filtering to deal with source IP address spoofing to make invalid source IP addresses ineffective. It forces attacks to be initiated from valid reachable IP addresses.<\/p>\n<p>The traditional method for doing this is to use an interface ACL; however, they&#8217;re not dynamic and you have to configure them manually. They may also have a pretty big impact especially because if you have to read through a long list of access control entries. So you could use features like URPF \u2013 Unicast Reverse Path Forwarding \u2013 to complement your antispoofing strategy.<\/p>\n<h2>Layer 2 data plane protection<\/h2>\n<p>Now depending upon how advanced your platform is and the feature availability \u2013 and which could, by the way, also be a licensed feature, there are other mechanisms as well that you can use to protect the data plane. For example, if it&#8217;s a Cisco Catalyst switch or a multilayer switch, you may have other features as well. So we&#8217;ve got port security which we can apply on our basic configuration of our access ports, for example. We have DHCP snooping, which builds a mapping table between legitimate IP addresses and MAC addresses. We have dynamic ARP inspection to inspect the behavior of the ARP protocol and then IP source guard which can be used on things like HTTP traffic. Preventing IP spoofing, using that same DHCP database snooping table \u2013 whether it applies to more than just ARP traffic and DHCP traffic \u2013 it protects all IP traffic.<\/p>\n","protected":false},"excerpt":{"rendered":"One of our most basic and fundamental protections for the data plane is an interface ACL \u2013 an access control list that&#8217;s applied in a certain direction \u2013 inbound or outbound, ingress or egress \u2013 on an interface to block unwanted traffic or to block particular users. This will help us mitigate against denial-of-service attacks, &#8230; <a title=\"Data Plane Security Controls\" class=\"read-more\" href=\"https:\/\/www.learncisco.net\/courses\/iins\/security-on-cisco-routers\/data-plane-security-controls.html\" aria-label=\"Read more about Data Plane Security Controls\">Read more<\/a>","protected":false},"author":5,"featured_media":0,"parent":345,"menu_order":217,"comment_status":"closed","ping_status":"closed","template":"cisco-page.php","meta":{"_acf_changed":false,"footnotes":""},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Data Plane Security Controls - learncisco.net<\/title>\n<meta name=\"description\" content=\"This article explains the data plane security, one of our most basic and fundamental protections for the data plane is an interface ACL.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.learncisco.net\/courses\/iins\/security-on-cisco-routers\/data-plane-security-controls.html\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Data Plane Security Controls - learncisco.net\" \/>\n<meta property=\"og:description\" content=\"This article explains the data plane security, one of our most basic and fundamental protections for the data plane is an interface ACL.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.learncisco.net\/courses\/iins\/security-on-cisco-routers\/data-plane-security-controls.html\" \/>\n<meta property=\"og:site_name\" content=\"learncisco.net\" \/>\n<meta property=\"article:modified_time\" content=\"2023-01-19T13:20:41+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.learncisco.net\/courses\/iins\/security-on-cisco-routers\/data-plane-security-controls.html\",\"url\":\"https:\/\/www.learncisco.net\/courses\/iins\/security-on-cisco-routers\/data-plane-security-controls.html\",\"name\":\"Data Plane Security Controls - learncisco.net\",\"isPartOf\":{\"@id\":\"https:\/\/www.learncisco.net\/#website\"},\"datePublished\":\"2015-08-06T21:44:10+00:00\",\"dateModified\":\"2023-01-19T13:20:41+00:00\",\"description\":\"This article explains the data plane security, one of our most basic and fundamental protections for the data plane is an interface ACL.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.learncisco.net\/courses\/iins\/security-on-cisco-routers\/data-plane-security-controls.html#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.learncisco.net\/courses\/iins\/security-on-cisco-routers\/data-plane-security-controls.html\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.learncisco.net\/courses\/iins\/security-on-cisco-routers\/data-plane-security-controls.html#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.learncisco.net\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cisco Certification Courses\",\"item\":\"https:\/\/www.learncisco.net\/courses.html\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"CCNA Security\",\"item\":\"https:\/\/www.learncisco.net\/courses\/ccna-security.html\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Security on Cisco Routers\",\"item\":\"https:\/\/www.learncisco.net\/courses\/ccna-security\/security-on-cisco-routers.html\"},{\"@type\":\"ListItem\",\"position\":5,\"name\":\"Data Plane Security Controls\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.learncisco.net\/#website\",\"url\":\"https:\/\/www.learncisco.net\/\",\"name\":\"learncisco.net\",\"description\":\"Free online tests for the Cisco CCNA and CCNP exams. Test yourself with more than 4300 different questions.\",\"publisher\":{\"@id\":\"https:\/\/www.learncisco.net\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.learncisco.net\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.learncisco.net\/#organization\",\"name\":\"learncisco.net\",\"url\":\"https:\/\/www.learncisco.net\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.learncisco.net\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.learncisco.net\/wp-content\/uploads\/2021\/12\/logo-1.png\",\"contentUrl\":\"https:\/\/www.learncisco.net\/wp-content\/uploads\/2021\/12\/logo-1.png\",\"width\":154,\"height\":24,\"caption\":\"learncisco.net\"},\"image\":{\"@id\":\"https:\/\/www.learncisco.net\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Data Plane Security Controls - learncisco.net","description":"This article explains the data plane security, one of our most basic and fundamental protections for the data plane is an interface ACL.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.learncisco.net\/courses\/iins\/security-on-cisco-routers\/data-plane-security-controls.html","og_locale":"en_US","og_type":"article","og_title":"Data Plane Security Controls - learncisco.net","og_description":"This article explains the data plane security, one of our most basic and fundamental protections for the data plane is an interface ACL.","og_url":"https:\/\/www.learncisco.net\/courses\/iins\/security-on-cisco-routers\/data-plane-security-controls.html","og_site_name":"learncisco.net","article_modified_time":"2023-01-19T13:20:41+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.learncisco.net\/courses\/iins\/security-on-cisco-routers\/data-plane-security-controls.html","url":"https:\/\/www.learncisco.net\/courses\/iins\/security-on-cisco-routers\/data-plane-security-controls.html","name":"Data Plane Security Controls - learncisco.net","isPartOf":{"@id":"https:\/\/www.learncisco.net\/#website"},"datePublished":"2015-08-06T21:44:10+00:00","dateModified":"2023-01-19T13:20:41+00:00","description":"This article explains the data plane security, one of our most basic and fundamental protections for the data plane is an interface ACL.","breadcrumb":{"@id":"https:\/\/www.learncisco.net\/courses\/iins\/security-on-cisco-routers\/data-plane-security-controls.html#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.learncisco.net\/courses\/iins\/security-on-cisco-routers\/data-plane-security-controls.html"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.learncisco.net\/courses\/iins\/security-on-cisco-routers\/data-plane-security-controls.html#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.learncisco.net\/"},{"@type":"ListItem","position":2,"name":"Cisco Certification Courses","item":"https:\/\/www.learncisco.net\/courses.html"},{"@type":"ListItem","position":3,"name":"CCNA Security","item":"https:\/\/www.learncisco.net\/courses\/ccna-security.html"},{"@type":"ListItem","position":4,"name":"Security on Cisco Routers","item":"https:\/\/www.learncisco.net\/courses\/ccna-security\/security-on-cisco-routers.html"},{"@type":"ListItem","position":5,"name":"Data Plane Security Controls"}]},{"@type":"WebSite","@id":"https:\/\/www.learncisco.net\/#website","url":"https:\/\/www.learncisco.net\/","name":"learncisco.net","description":"Free online tests for the Cisco CCNA and CCNP exams. Test yourself with more than 4300 different questions.","publisher":{"@id":"https:\/\/www.learncisco.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.learncisco.net\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.learncisco.net\/#organization","name":"learncisco.net","url":"https:\/\/www.learncisco.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.learncisco.net\/#\/schema\/logo\/image\/","url":"https:\/\/www.learncisco.net\/wp-content\/uploads\/2021\/12\/logo-1.png","contentUrl":"https:\/\/www.learncisco.net\/wp-content\/uploads\/2021\/12\/logo-1.png","width":154,"height":24,"caption":"learncisco.net"},"image":{"@id":"https:\/\/www.learncisco.net\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/www.learncisco.net\/wp-json\/wp\/v2\/pages\/349"}],"collection":[{"href":"https:\/\/www.learncisco.net\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.learncisco.net\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.learncisco.net\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/www.learncisco.net\/wp-json\/wp\/v2\/comments?post=349"}],"version-history":[{"count":2,"href":"https:\/\/www.learncisco.net\/wp-json\/wp\/v2\/pages\/349\/revisions"}],"predecessor-version":[{"id":1357,"href":"https:\/\/www.learncisco.net\/wp-json\/wp\/v2\/pages\/349\/revisions\/1357"}],"up":[{"embeddable":true,"href":"https:\/\/www.learncisco.net\/wp-json\/wp\/v2\/pages\/345"}],"wp:attachment":[{"href":"https:\/\/www.learncisco.net\/wp-json\/wp\/v2\/media?parent=349"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}