CCNA-SEC Lec#4 | Securing Data Plane

After we finished the discussion of securing the management plane and control plane at the two previous lectures, We are about discuss how to protect the Data plane in the upcoming lines to cover all about the Network Foundation Protection “NFP” Framework.
What’s the Data plane ?

Data plane is the name of the router/switch part which responsible to handle traffic that is being forwarded through the network (sometimes called transit traffic), so it sometimes data plane called as a forwarding plane.
Data Plane is taking charge of Forward traffic to the next hop along the path to the selected destination network according to control plane logic.
Actually, t
he routers/switches use what the control plane built to dispose of incoming and outgoing frames and packets.
A failure of some component in the data plane results in the customer’s traffic not being able to be forwarded. Other times, based on policy, you might want to deny specific types of traffic that is traversing the data plane.


Securing the Data plane
Now We are about cover the methods available for implementing policy related to traffic allowed
through (transit traffic) network devices .
As mentioned,  For the data plane, this discussion concerns traffic that is going through your network device.
There are some ways to control and protect data plane-

■ Access Control list (ACL) used for filtering
ACLs are used to secure the data plane in a variety of ways such as 
Block unwanted traffic or users, reduce the chance of DoS attacks, mitigate spoofing attacks and Provide bandwidth control.

■ Antispoofing
IP spoofing is a technique of generating IP packets with a source address that belongs to someone else, 
Features such as Unicast Reverse Path Forwarding (uRPF) can be used to complement the antispoofing strategy.
■ Port security
To prevent MAC address spoofing and MAC address flooding attacks which occur when a switch has no more room in its tables for dynamically learned MAC addresses, there is the possibility of the switch not knowing the destination Layer 2 address (for the user’s frames) and forwarding a frame to all devices in the same VLAN. This might give the attacker the opportunity to eavesdrop.
■ DHCP Snooping
Which enable switch to listen in on DHCP traffic and stop any malicious DHCP packets. DHCP servers are often used in man in the middle or denial of service attacks for malicious purposes.
For more info about this feature and how to implement it you can refer to below link.
■ Dynamic ARP inspection (DAI)
It can protect against Address Resolution Protocol (ARP ) spoofing, ARP poisoning (which is advertising incorrect IP-to-MAC address mapping information), and resulting Layer 2 man-in-the-middle attacks.
DAI is a security feature that validates ARP packets in a network. DAI intercepts, logs, and discards ARP packets with invalid IP-t o-MAC address bindings.
DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database “DHCP snooping binding database”.

■ IP source Guard
This feature helps to prevent IP spoofing, which is when an attacker claims the IP address of a server or device on your network. By pretending to be that device, the attacker could potentially direct sensitive data towards a port he’s connected to.
Also, source guard relies on a switch’s knowledge of DHCP-assigned host addresses 
“DHCP snooping binding database”  in order to validate and restrict spoofed source addresses.
By: Hatem Farag | CCIE#54446

CCNA-SEC Lec#3 | Securing Control Plane

We will discuss in this topic how to secure the control plane after we finished at the previous lecture  Securing the Management Plane“.
Control plane packets are network device–generated or received packets that are used for the creation and operation of the network itself.
From the perspective of the network device,control plane packets always have a receive destination IP address and are handled by the CPU in the network device route processor. Some examples of control plane functions include routing protocols (for example, BGP, OSPF, EIGRP), as well as protocols like Internet Control Message Protocol (ICMP) and the Resource Reservation Protocol (RSVP).
So, The fateful issue to protect the control plane is minimizing the amount of CPU load as much as we can.
Some of the packets and traffic which handled by the CPU:
Receive adjacency traffic:  This indication is for any IP address that requires direct handling by the Cisco device CPU which is refereed by the term receive in the show ip cef command-line interface (CLI) output.

■ Access control list (ACL) logging:
The log and log-input options apply to an  ACL entries and cause packets that match the ACL entry to be logged.

■ Unicast Reverse Path Forwarding (URPF):
Security feature works by enabling a router to verify the reachability of the source address in packets being forwarded.

■ IP options:
Any IP packets with options included must be processed by the CPU.

■ Fragmentation:
Any IP packet that requires fragmentation must be passed to the CPU for processing.

■ Time-To-Live (TTL) expiry:
Packets that have a TTL value less than or equal to 1.

■ Traffic requiring an ARP request:
Destinations for which an ARP entry does not exist require processing by the CPU.

Non-IP traffic:
All non-IP traffi c is processed by the CPU.

Through the use of control plane policing (CoPP) and control plane protection (CPPr) we can secure the control plane.
Control Plane Policing(CoPP):
It’s a  feature designed to allow users to manage the flow of traffic handled by the router processor of their network devices.
Control plane policing can be performed through the use of granular classification ACLs  and the use of the show policymap control-plane command to display it.
Benefits of Control Plane Policing
Configuring the Control Plane Policing feature on your Cisco router or switch provides the following benefits:
• Protection against DoS attacks at infrastructure routers and switches.
• QoS control for packets that are destined to the control plane of Cisco routers or switches.
• Ease of configuration for control plane policies.
• Better platform reliability and availability
In below example we are about permit only the BGP and OSPF and discard any ip packet has a ttl less than 2 to  reach the Cisco device CPU.
Control Plane Protection(CPPr):
The Control Plane Protection feature is an extension of the policing functionality provided by the existing Control-plane Policing feature. The Control-plane Policing feature allows Quality of Service (QoS) policing of aggregate control-plane traffic destined to the route processor.

Additionally , the CPPr feature provides the following:

• Port-filtering feature: Enables the policing and dropping of packets that are sent to closed or non-listening TCP or UDP ports.
Queue-thresholding feature: Limits the number of packets for a specified protocol that are allowed in the control-plane IP input queue.
For more details about this technique, you can refer to below link.

By: Hatem Farag | CCIE#54446