CCNA-SEC Lec#4 | Securing Data Plane

After we finished the discussion of securing the management plane and control plane at the two previous lectures, We are about discuss how to protect the Data plane in the upcoming lines to cover all about the Network Foundation Protection “NFP” Framework.
What’s the Data plane ?

Data plane is the name of the router/switch part which responsible to handle traffic that is being forwarded through the network (sometimes called transit traffic), so it sometimes data plane called as a forwarding plane.
Data Plane is taking charge of Forward traffic to the next hop along the path to the selected destination network according to control plane logic.
Actually, t
he routers/switches use what the control plane built to dispose of incoming and outgoing frames and packets.
A failure of some component in the data plane results in the customer’s traffic not being able to be forwarded. Other times, based on policy, you might want to deny specific types of traffic that is traversing the data plane.


Securing the Data plane
Now We are about cover the methods available for implementing policy related to traffic allowed
through (transit traffic) network devices .
As mentioned,  For the data plane, this discussion concerns traffic that is going through your network device.
There are some ways to control and protect data plane-

■ Access Control list (ACL) used for filtering
ACLs are used to secure the data plane in a variety of ways such as 
Block unwanted traffic or users, reduce the chance of DoS attacks, mitigate spoofing attacks and Provide bandwidth control.

■ Antispoofing
IP spoofing is a technique of generating IP packets with a source address that belongs to someone else, 
Features such as Unicast Reverse Path Forwarding (uRPF) can be used to complement the antispoofing strategy.
■ Port security
To prevent MAC address spoofing and MAC address flooding attacks which occur when a switch has no more room in its tables for dynamically learned MAC addresses, there is the possibility of the switch not knowing the destination Layer 2 address (for the user’s frames) and forwarding a frame to all devices in the same VLAN. This might give the attacker the opportunity to eavesdrop.
■ DHCP Snooping
Which enable switch to listen in on DHCP traffic and stop any malicious DHCP packets. DHCP servers are often used in man in the middle or denial of service attacks for malicious purposes.
For more info about this feature and how to implement it you can refer to below link.
■ Dynamic ARP inspection (DAI)
It can protect against Address Resolution Protocol (ARP ) spoofing, ARP poisoning (which is advertising incorrect IP-to-MAC address mapping information), and resulting Layer 2 man-in-the-middle attacks.
DAI is a security feature that validates ARP packets in a network. DAI intercepts, logs, and discards ARP packets with invalid IP-t o-MAC address bindings.
DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database “DHCP snooping binding database”.

■ IP source Guard
This feature helps to prevent IP spoofing, which is when an attacker claims the IP address of a server or device on your network. By pretending to be that device, the attacker could potentially direct sensitive data towards a port he’s connected to.
Also, source guard relies on a switch’s knowledge of DHCP-assigned host addresses 
“DHCP snooping binding database”  in order to validate and restrict spoofed source addresses.
By: Hatem Farag | CCIE#54446