CCNA-SEC Lec#4 | Securing Data Plane

After finishing the discussion of securing the management plane and the control plane in the two previous lectures, we are about to discuss how to protect the data plane in the upcoming lines, which completes our coverage of the Network Foundation Protection (NFP) framework.
What’s the Data plane?

The data plane is the part of a router or switch that is responsible for handling traffic that is being forwarded through the network (sometimes called transit traffic); for that reason the data plane is sometimes called the forwarding plane.
The data plane is in charge of forwarding traffic to the next hop along the path to the selected destination network, according to the logic built by the control plane.
Actually, the routers/switches use what the control plane built to dispose of incoming and outgoing frames and packets.
A failure of some component in the data plane results in the customer’s traffic not being forwarded. Other times, based on policy, you might want to deny specific types of traffic that are traversing the data plane.


Securing the Data plane
Now we are about to cover the methods available for implementing policy related to the traffic allowed through network devices (transit traffic).
As mentioned, for the data plane this discussion concerns traffic that is going through your network device.
There are several ways to control and protect the data plane:

■ Access Control Lists (ACLs) used for filtering
ACLs are used to secure the data plane in a variety of ways, such as blocking unwanted traffic or users, reducing the chance of DoS attacks, mitigating spoofing attacks and providing bandwidth control.

■ Antispoofing
IP spoofing is a technique of generating IP packets with a source address that belongs to someone else.
Features such as Unicast Reverse Path Forwarding (uRPF) can be used to complement the antispoofing strategy.
■ Port security
Port security prevents MAC address spoofing and MAC address flooding attacks. A flooding attack occurs when a switch has no more room in its tables for dynamically learned MAC addresses; the switch may then not know the destination Layer 2 address for a user’s frames and forward each frame to all devices in the same VLAN. This might give the attacker the opportunity to eavesdrop.
■ DHCP Snooping
DHCP snooping enables the switch to listen in on DHCP traffic and stop any malicious DHCP packets. DHCP servers are often used in man-in-the-middle or denial of service attacks for malicious purposes.
For more information about this feature and how to implement it, refer to the DHCP Snooping section below.
■ Dynamic ARP Inspection (DAI)
DAI can protect against Address Resolution Protocol (ARP) spoofing, ARP poisoning (advertising incorrect IP-to-MAC address mapping information), and the resulting Layer 2 man-in-the-middle attacks.
DAI is a security feature that validates ARP packets in a network. DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings.
DAI determines the validity of an ARP packet based on the valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database.

■ IP Source Guard
This feature helps to prevent IP spoofing, which is when an attacker claims the IP address of a server or device on your network. By pretending to be that device, the attacker could potentially direct sensitive data towards the port he’s connected to.
IP Source Guard relies on the switch’s knowledge of DHCP-assigned host addresses (the DHCP snooping binding database) in order to validate and restrict spoofed source addresses.
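To make the role of the binding database concrete, here is an added example (not from the lecture and not Cisco code) that models how DAI and IP Source Guard consult it. The binding table, port names, VLAN, MAC and IP values are constructed; the distinction between checking the source IP only and checking IP plus MAC mirrors the two modes IP Source Guard can be run in.

```python
# Added example (not from the lecture): a minimal model of how Dynamic ARP
# Inspection (DAI) and IP Source Guard consult the DHCP snooping binding
# database. Port names, VLAN, MACs and IPs below are constructed.
from dataclasses import dataclass

# Constructed binding database, keyed the way the switch learns leases:
# (client MAC, VLAN) -> (leased IP, port the client is connected to).
BINDINGS = {
    ("00:19:aa:7d:e6:88", 100): ("10.0.100.11", "Fa0/1"),
    ("00:19:aa:7d:e6:99", 100): ("10.0.100.12", "Fa0/2"),
}
# Server-facing / uplink port: neither feature inspects traffic arriving here.
TRUSTED_PORTS = {"Fa0/3"}


@dataclass(frozen=True)
class Frame:
    port: str   # ingress port
    vlan: int
    mac: str    # ARP sender MAC, or Ethernet source MAC for IP traffic
    ip: str     # ARP sender IP, or IP source address for IP traffic


def _has_lease(frame: Frame, check_mac: bool) -> bool:
    """True if some lease on this VLAN and port covers the frame's source IP
    (and, when check_mac is set, its source MAC as well)."""
    for (mac, vlan), (ip, port) in BINDINGS.items():
        if vlan == frame.vlan and port == frame.port and ip == frame.ip:
            if not check_mac or mac == frame.mac.lower():
                return True
    return False


def dai_check(arp: Frame) -> str:
    """Verdict DAI would give an ARP packet: sender IP and MAC must match a lease."""
    if arp.port in TRUSTED_PORTS:
        return "forward"
    return "forward" if _has_lease(arp, check_mac=True) else "drop"


def ipsg_check(pkt: Frame, check_mac: bool = False) -> str:
    """Verdict IP Source Guard would give an IP packet. By default only the
    source IP is verified; with check_mac=True the source MAC must match too."""
    if pkt.port in TRUSTED_PORTS:
        return "forward"
    return "forward" if _has_lease(pkt, check_mac) else "drop"


def run_examples() -> dict:
    """Exercise both checks against legitimate and spoofed traffic."""
    own = Frame("Fa0/1", 100, "00:19:aa:7d:e6:88", "10.0.100.11")
    forged_mac = Frame("Fa0/1", 100, "00:de:ad:be:ef:00", "10.0.100.11")
    return {
        # host on Fa0/1 announces its own lease: allowed
        "dai_ok": dai_check(own),
        # host on Fa0/2 claims the neighbour's IP (ARP poisoning): dropped
        "dai_poison": dai_check(Frame("Fa0/2", 100, "00:19:aa:7d:e6:99", "10.0.100.11")),
        # neighbour's MAC and IP copied exactly, but from the wrong port: dropped
        "dai_port_mismatch": dai_check(Frame("Fa0/2", 100, "00:19:aa:7d:e6:88", "10.0.100.11")),
        # trusted port bypasses inspection
        "dai_trusted": dai_check(Frame("Fa0/3", 100, "00:19:aa:7d:e6:01", "10.0.100.1")),
        # source IP never leased on this port: dropped
        "ipsg_spoof": ipsg_check(Frame("Fa0/1", 100, "00:19:aa:7d:e6:88", "10.0.100.1")),
        "ipsg_ok": ipsg_check(Frame("Fa0/2", 100, "00:19:aa:7d:e6:99", "10.0.100.12")),
        # forged source MAC with the correct leased IP: passes IP-only mode,
        # caught only when the MAC is verified as well
        "ipsg_forged_mac_ip_only": ipsg_check(forged_mac),
        "ipsg_forged_mac_with_mac": ipsg_check(forged_mac, check_mac=True),
    }


if __name__ == "__main__":
    for name, verdict in run_examples().items():
        print(f"{name:26} -> {verdict}")
```

The two checks share one lookup because both features answer the same question, "does this (port, VLAN, IP[, MAC]) appear in the binding database?"; what differs is which packets they look at (ARP for DAI, every IP packet for IP Source Guard) and whether the MAC is part of the test.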
By: Hatem Farag | CCIE#54446

DHCP Snooping

DHCP snooping is a Layer 2 security technology that enables the switch to listen in on DHCP traffic and stop any malicious DHCP packets.

DHCP servers are often used in man-in-the-middle or denial of service attacks for malicious purposes.

DHCP snooping classifies switch ports as trusted or untrusted in order to prevent unauthorized DHCP servers.

Interfaces that connect to clients should never be allowed to offer a DHCP service. We can enforce this by making them untrusted: an untrusted interface blocks DHCP offer messages, and only an interface that has been configured as trusted is allowed to forward DHCP offer messages.

When a Cisco Catalyst switch receives a DHCP Discover, it forwards it only on trusted interfaces. This prevents rogue DHCP servers on untrusted interfaces from receiving it in the first place.
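The trusted/untrusted decision described above, as an added example (not from the lecture and not switch code): a toy model that relays client messages only towards trusted ports, drops server messages arriving on untrusted ports, and learns the binding table from the ACK the real server sends. Port names, the VLAN, and the MAC and IP values are constructed.

```python
# Added example (not from the lecture): a toy model of the port-trust decision
# DHCP snooping makes and of how the binding table is populated.
# Port names, VLAN, MACs and IPs are constructed.

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}   # only a DHCP server sends these


class DhcpSnooping:
    def __init__(self, snooping_vlans, trusted_ports, vlan_ports):
        self.vlans = set(snooping_vlans)      # VLANs where snooping is enabled
        self.trusted = set(trusted_ports)     # ports allowed to send server messages
        self.vlan_ports = vlan_ports          # vlan -> list of member ports
        self.pending = {}                     # (client MAC, vlan) -> port the client is on
        self.bindings = {}                    # (client MAC, vlan) -> (leased IP, port)
        self.log = []

    def receive(self, port, vlan, msg, chaddr, yiaddr=None):
        """Process one DHCP message seen on `port`; return the egress ports
        (an empty list means the message was dropped)."""
        others = [p for p in self.vlan_ports[vlan] if p != port]
        if vlan not in self.vlans:
            return others                     # snooping off: ordinary flooding
        if msg in SERVER_MSGS:
            if port not in self.trusted:
                # Server message on an untrusted port: drop and log. The text is
                # constructed, but carries the DHCP_SNOOPING marker the lecture mentions.
                self.log.append(f"DHCP_SNOOPING drop message on untrusted port {port}, "
                                f"message type: {msg}, MAC sa: {chaddr}")
                return []
            client_port = self.pending.get((chaddr, vlan))
            if msg == "DHCPACK" and client_port is not None and yiaddr:
                # lease confirmed by the trusted server: record IP <-> MAC <-> port
                self.bindings[(chaddr, vlan)] = (yiaddr, client_port)
            return [client_port] if client_port else others
        # Client message (Discover/Request/...): remember where the client is
        # and relay it towards trusted ports only, never to other access ports.
        self.pending[(chaddr, vlan)] = port
        return [p for p in others if p in self.trusted]


def run_scenario():
    """Client on Fa0/1, rogue server on Fa0/2, real server on trusted Fa0/3."""
    sw = DhcpSnooping(snooping_vlans={100}, trusted_ports={"Fa0/3"},
                      vlan_ports={100: ["Fa0/1", "Fa0/2", "Fa0/3"]})
    client = "00:19:aa:7d:e6:88"
    discover_out = sw.receive("Fa0/1", 100, "DHCPDISCOVER", client)
    rogue_out = sw.receive("Fa0/2", 100, "DHCPOFFER", client, yiaddr="10.0.100.250")
    offer_out = sw.receive("Fa0/3", 100, "DHCPOFFER", client, yiaddr="10.0.100.11")
    sw.receive("Fa0/1", 100, "DHCPREQUEST", client)
    ack_out = sw.receive("Fa0/3", 100, "DHCPACK", client, yiaddr="10.0.100.11")
    return {"discover_out": discover_out, "rogue_out": rogue_out,
            "offer_out": offer_out, "ack_out": ack_out,
            "bindings": dict(sw.bindings), "log": list(sw.log)}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the scenario shows the Discover reaching only Fa0/3, the rogue Offer from Fa0/2 being dropped with a logged message, and a single binding for the client appearing after the ACK from the trusted port.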

Let’s see how we can configure DHCP snooping.

First, we need to enable DHCP snooping, both globally and per access VLAN:

SW1(config)# ip dhcp snooping
SW1(config)# ip dhcp snooping vlan 100
SW1# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:19:AA:7D:E6:88                    86250       dhcp-snooping  100   FastEthernet0/3

After enabling DHCP snooping, the default setting for every port is untrusted, so we need to tell the switch which port our trusted DHCP server is directly connected to:

SW1(config)# interface Fastethernet0/3
SW1(config-if)# ip dhcp snooping trust

When the DHCP snooping service detects a violation, the packet is dropped and a message is logged that includes the text “DHCP_SNOOPING”; you can configure the switch to send these logs to a syslog server.
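On the collector side, the logged DHCP_SNOOPING marker is what you would key on to spot a rogue server trying repeatedly. The following is an added example (not from the lecture and not vendor code) that filters a syslog feed for those messages and raises an alert when the same client MAC shows up in several drops. The log lines are constructed in the style of a switch syslog feed; the lecture only guarantees the “DHCP_SNOOPING” text, so the filter relies on that and treats the rest of the message layout as an assumption.

```python
# Added example (not from the lecture): triage of DHCP snooping syslog messages
# at a collector. SAMPLE_SYSLOG is constructed; only the "DHCP_SNOOPING" marker
# is taken from the lecture, the surrounding message layout is an assumption.
import re
from collections import Counter

SAMPLE_SYSLOG = """\
Jun 12 10:01:02 SW1 %SYS-5-CONFIG_I: Configured from console by admin on vty0
Jun 12 10:02:11 SW1 %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0019.aa7d.e699
Jun 12 10:02:12 SW1 %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0019.aa7d.e699
Jun 12 10:02:13 SW1 %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to up
Jun 12 10:02:40 SW1 %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPACK, MAC sa: 0019.aa7d.e699
"""

# Timestamp and hostname are the usual syslog prefix; message type and MAC are
# pulled from the constructed message body when present.
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) .*DHCP_SNOOPING.*?"
    r"message type: (?P<msg>\w+), MAC sa: (?P<mac>[0-9a-f.]+)",
    re.IGNORECASE,
)


def parse_events(text: str) -> list:
    """Return one dict per line carrying the DHCP_SNOOPING marker."""
    events = []
    for line in text.splitlines():
        if "DHCP_SNOOPING" not in line:
            continue                      # unrelated syslog noise
        m = EVENT_RE.match(line)
        if m:
            events.append(m.groupdict())
        else:
            # marker present but layout unknown: keep it, with unknown fields
            events.append({"ts": None, "host": None, "msg": None,
                           "mac": None, "raw": line})
    return events


def summarize(events: list, threshold: int = 2) -> dict:
    """Count drops per (switch, client MAC) and flag those at or above threshold."""
    counts = Counter((e["host"], e["mac"]) for e in events)
    by_type = Counter(e["msg"] for e in events)
    alerts = [{"host": host, "mac": mac, "drops": n}
              for (host, mac), n in counts.items() if n >= threshold]
    return {"total": len(events), "by_type": dict(by_type),
            "by_mac": dict(counts), "alerts": alerts}


if __name__ == "__main__":
    report = summarize(parse_events(SAMPLE_SYSLOG))
    print(f"{report['total']} DHCP_SNOOPING drops, by type: {report['by_type']}")
    for a in report["alerts"]:
        print(f"ALERT: {a['host']} dropped {a['drops']} server messages from {a['mac']}")
```

Grouping by the MAC the switch reports lets one rogue device be recognised across repeated attempts; pairing the alert with the switch name tells you which access switch (and, via its own logs or binding table, which port) to look at.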
