{"id":349,"date":"2015-08-06T21:44:10","date_gmt":"2015-08-06T21:44:10","guid":{"rendered":"https:\/\/learncisco.net\/index.php\/data-plane-security-controls\/"},"modified":"2023-01-19T20:20:41","modified_gmt":"2023-01-19T13:20:41","slug":"data-plane-security-controls","status":"publish","type":"page","link":"https:\/\/www.learncisco.net\/courses\/iins\/security-on-cisco-routers\/data-plane-security-controls.html","title":{"rendered":"Data Plane Security Controls"},"content":{"rendered":"
One of our most basic and fundamental protections for the data plane is an interface ACL \u2013 an access control list that’s applied in a certain direction \u2013 inbound or outbound, ingress or egress \u2013 on an interface to block unwanted traffic or to block particular users. This helps us mitigate denial-of-service attacks, and it’s an antispoofing mechanism as well. We can also use ACLs to provide bandwidth control, and we can classify traffic to protect the other planes. For example, we can use an interface ACL to control access to the VTY lines for management, which is what we call reducing the attack surface, or we can restrict the content of routing updates, which helps protect the control plane.<\/p>\n
Here are the most common use cases of ACLs:<\/p>\n
Classify traffic to protect other planes – You can apply an access list to inbound VTY (Telnet) line access so that only certain nodes or networks are permitted. For the control plane, access lists can control which routing updates are sent, received, or redistributed.<\/p>\n
For years now, we have used access control lists as antispoofing mechanisms, discarding traffic that has an invalid source address. Such traffic is either trying to masquerade as a legitimate host on the inside of our network, or it comes from internal users spoofing addresses that are legitimate on the outside, which you can also prevent. Bottom line: this filtering can be done in both directions \u2013 against external users or against mischievous internal users.<\/p>\n
Basically, people spoof source IP addresses either to evade traceability and bypass access controls, or because the owner of the actual source IP address is the ultimate target: the attacker floods servers and routers and forces them to send error messages back to that spoofed IP address. That is a reflection attack, so spoofing can be used in a wide variety of ways. Now the spoofed addresses can be invalid IP addresses: RFC 1918 addresses, the special-use addresses, or a 224 address, for example. You should never see a source IP address from the 224 range \u2013 that’s the multicast range \u2013 nor should it come from the private IP address space, let’s say 192.168.1.x for example. But it could also be an address from a valid network range that is simply not coming from the legitimate network. So we want to implement BCP 38 / RFC 2827 ingress traffic filtering to deal with source IP address spoofing and make invalid source IP addresses ineffective. It forces attacks to be initiated from valid, reachable IP addresses.<\/p>\n
The traditional method for doing this is to use an interface ACL; however, ACLs are not dynamic and you have to configure them manually. They may also have a considerable performance impact, especially if the router has to read through a long list of access control entries. So you could use a feature like uRPF \u2013 Unicast Reverse Path Forwarding \u2013 to complement your antispoofing strategy.<\/p>\n
Now depending upon how advanced your platform is and which features are available \u2013 and some of these, by the way, may be licensed features \u2013 there are other mechanisms as well that you can use to protect the data plane. For example, on a Cisco Catalyst switch or a multilayer switch, you may have additional features. We’ve got port security, which we can apply in the basic configuration of our access ports, for example. We have DHCP snooping, which builds a mapping table between legitimate IP addresses and MAC addresses. We have dynamic ARP inspection, which inspects the behavior of the ARP protocol, and then IP source guard, which can be used on things like HTTP traffic. IP source guard prevents IP spoofing using that same DHCP snooping binding table, and it applies to more than just ARP and DHCP traffic \u2013 it protects all IP traffic.<\/p>\n","protected":false},"excerpt":{"rendered":"One of our most basic and fundamental protections for the data plane is an interface ACL \u2013 an access control list that’s applied in a certain direction \u2013 inbound or outbound, ingress or egress \u2013 on an interface to block unwanted traffic or to block particular users. This will help us mitigate against denial-of-service attacks, … Read more<\/a>","protected":false},"author":5,"featured_media":0,"parent":345,"menu_order":217,"comment_status":"closed","ping_status":"closed","template":"cisco-page.php","meta":{"_acf_changed":false,"footnotes":""},"acf":[],"yoast_head":"\n