BRKSEC-2170 Router Security Strategies Securing IP Network Traffic Planes

Router Security Strategies:
Securing IP Network Traffic Planes

BRKSEC-2170
Abstract
 This intermediate session discusses how to implement

IP traffic plane separation and protection on routers
 This session details the distinct traffic planes of IP
networks and the advanced techniques necessary to
operationally secure them. This includes the data,
control, management, and services planes
 At the end of this session, you will understand the
fundamental principles of defense in depth and breadth
security as applied to IP traffic planes
 Prerequisites
It is assumed that the audience has a good understanding of
various security techniques and tools used to secure routers
and large networks.
BRKSEC-2170 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Agenda
 Internet Protocol Operations Fundamentals

 Threat Models for IP Networks
 IP Network Traffic Plane Security Concepts
IP Control Plane Security
IP Data Plane Security
IP Management Plane Security
IP Services Plane Security
 Summary
Internet Protocol Operations
Fundamentals
It’s All About the Packet
FIB
Prefix Next Hop Interface
a.b.c.0/24 1.1.1.1 POS0/0
g.h.i.0/30 attached POS0/0
g.h.i.1/32 receive
p.q.r.s/32 attached Null0
255.255.255.255/32 receive
IP – S: a.b.c.1
D: d.e.f.1
Proto: 17 (udp)
UDP -- S: xxxx
-- D: yyy
PAYLOAD
interface interface
pos0/0 pos1/0
 Once a packet gets into the Internet, some device, somewhere has to do
one of two things: [1] Forward the Packet* or [2] Drop the Packet
 In the context of security, the questions are more granular:
Who forwarded the packet, and what resources were required to do so…
Who dropped the packet, and why was it dropped…
* Forwarding Could Entail Adding a Service to the Packet as well…

Transit Packets
Transit Packets
 Well-formed IP packets that follow standard, destination IP address-based
forwarding processes. No extra processing by the route processor is
required to forward these packets.
 The destination IP address of these packets is located downstream from
the network device and thus, the packet is forwarded out an egress
interface
Route Processor AAA
SSH
SNMP
OSPF
BGP
CPU
CEF
Fast
Transit IP path
Ingress Egress
Interface Interface
Receive Packets
Receive Packets
 Packets that are destined to the network device itself (e.g. control and
management packets) must be handled by the route processor CPU since
they ultimately are destined for and handled by applications running at the
process level.
 All of the packets in this set must be handled by the route processor
Route Processor AAA

SSH
SNMP
OSPF
BGP
CPU
Slow
path
Receive IP
CEF
Transit IP
Ingress Egress
Interface Interface
Exceptions IP Packets
Exceptions IP Packets
 Exception IP packets include, for example, IPv4 and IPv6 packets
containing IP header options, IP packets with expiring TTLs, and certain
transit IP packets under specific conditions, such as the first packet of a
multicast flow or a new NAT session
Route Processor AAA

SSH
SNMP
OSPF
BGP
CPU
Slow
path
Receive IP
CEF
Exceptions IP Fast
Transit IP path
Ingress Egress
Interface Interface
Non-IP Packets
Non-IP Packets
 Layer 2 keepalives, ISIS packets, Cisco Discovery Protocol (CDP)
packets, and PPP Link Control Protocol (LCP) packets are examples of
non-IP packets
Route Processor AAA

SSH
SNMP
OSPF
BGP
CPU
Slow
path
Receive IP
CEF
Non-IP
Exceptions IP
Transit IP
Ingress Egress
Interface Interface
IP Data Plane
IP Data Plane
 The logical group containing all ―customer‖ application traffic generated
by hosts, clients, servers, and applications that are sourced from and
destined to other devices
 Data plane traffic is always be seen as transit packets by network
elements. Most will be forwarded in the fast path; some may be
―exceptions IP‖ packets.
Peer B Internet Peer A
CE
CE
IP/MPLS Core
PE PoP P
AS 123 P PoP PE
CE CE
CE
CE
P P
PE PE CE
CE
IP Control Plane
IP Control Plane
 The logical group containing all routing, signaling, link-state, and other
control protocols used to create and maintain the state of the network and
interfaces.
 Control plane traffic always includes receive packets from the perspective
of the src/dst network element, but logically includes certain transit
packets
CE
CE
IP/MPLS Core
PE PoP P
AS 123 P PoP PE
CE CE
iBGP iBGP iBGP

iBGP
iBGP
LDP
LDP
LDP
ISIS
ISIS
ISIS
LDP
ISIS
LDP LDP LDP

CE
ISIS ISIS ISIS
CE
P P
PE PE CE
CE
IP Management Plane
IP Management Plane
 The logical group containing all management traffic supporting
provisioning, maintenance, and monitoring functions for the network..
 Management plane traffic always includes receive packets from the
perspective of the src/dst network element, but logically includes certain
transit packets
NetworkInternet
Ops Center (NOC) Peer A
Peer B
In-Band
Mgmt Out-of-
CE Band
Mgmt CE
IP/MPLS Core
PE PoP P
AS 123 P PoP PE
CE CE
CE
CE
P P
PE PE CE
CE
IP Services Plane
IP Services Plane
 The logical group containing ―customer‖ traffic (like the data plane), but
with the major difference that this traffic requires specialized forwarding
functions applied it, and possibly consistent handling applied end to end.
 Services plane traffic is ―transit‖ traffic, but network elements use special
handling to apply or enforce the intended policies for various service types
CE
IP/MPLS Core CE
PE PoP AS 123 PoP PE
CE P P
CE
CE
CE
P P
CE
CE PE PE
Threat Models for IP Networks
Threats Against IP Networks
 There are many factors that threaten network

infrastructures…
Natural disasters
Unintentional, man-made attacks based on human error
Malicious attacks
 Clear distinction between human error and

malicious attacks is intent
 Protection against malicious and unintentional
attacks must both be considered
At the end of the day, an outage is an outage
Threat and Attack Models
Description
Resource  DoS attack makes target unavailable for its intended service
Exhaustion
Attacks  Attempted by direct, transit, or reflection-based attack
 Uses packets that masquerade with false data (such as source
Spoofing Attacks
IP address) to exploit a trust relationship
 Prevents upper-layer communication between hosts or hijacks
established session
Transport
Protocol Attacks  Exploits previous authentication measures
 Enables eavesdropping or false data injection
 Prevents or disrupts routing protocol peering or redirects traffic

Routing Protocol flows
Attacks  Attempts to inject false information, alter existing information,
or remove valid information
Threat and Attack Models (Cont.)
Description
Attacks Against
 Attacks against DHCP, DNS, and NTP
IP control-plane
 Affects network availability and operations
Services
Unauthorized  Attempts to gain unauthorized access to restricted systems
Access Attacks and networks
Software  Software defect that may compromise confidentiality, integrity,

Vulnerabilities or availability of the device and data plane traffic
Malicious  Gathering info about a target device, network, or organization

Network  Enables attacker to id specific security weaknesses that may be
Reconnaissance exploited in a future attack.
Additional Damage
 Attacks may have additional consequences beyond

the intended target
 A denial-of-service (DoS) attack against one remote
network may adversely affect other networks
resulting in additional damage and a wider impact
 Additional damage must also be considered when
evaluating risk
Bandwidth Concepts—PPS Engineering
In Network Design, We Always Consider Bandwidth…
This Is Much Different Than This
x
Network Network
Device Device
Packet Packet
Ingress Egress
Packet Packet
E.g., E1 Egress Ingress E.g., 1 Gbps
E.g., 100 Mbps E.g., 10 Gbps
In Security Design, We Also Need to Consider PPS…
Fast Path This Is Much Different Than This

E.g., 1.4M PPS
(One Way)
Network
Device
x
Packet
Ingress Slow Path
E.g., 100K PPS
E.g., 1 Gbps
1.4 Mpps
 What are the relevant metrics for network engineering?

Bandwidth?........................... Bits per Second… (bps).
Packet Rate?........................ Packets per Second… (pps)
Connection Setup Rate?....... Connections per second… (cps)
Transaction Rate?................. Transactions per second… (tps)
Total Number of Sessions?... Concurrent connections… (cc)
Payload inspection?............... Inspections per second.… (ips)
 Why is this important from a security point of view?

Because these numbers decide if a network device is able to stay
up under attacks (or high loads)!
Understanding the Relevance of BPS, PPS, CPS, TPS, CC
 You have to know if a device is stateful or stateless:

Stateless? Router, switch, etc.
Stateful? Firewall, IPS, load balancer, etc.
 And the environment the device operates in:

Web Queries: short–lived, high connection rate, some state,
PPS/CPS
Financials: short-lived, high transaction rate, high state,
CPS/TPS
Video Streaming: long-lived, low connection rate, some
state, PPS/concurrent conns
VPN: long-lived, temporally high connection rate, high state,
PPS/concurrent conns
See http://www.cisco.com/web/about/security/intelligence/network_performance_metrics.html
IP Network Traffic Plane
Security Concepts
Defense in Depth and Breadth
 Defense in depth and breadth describes the

technique of using multiple layers for constructing
and deploying network security policies
Depth: If one layer protects against a
particular attack vector and a second
layer protects against the same attack
vector, the second layer provides depth
against that specific attack vector
Breadth: If one layer protects against one

specific attack vector and a second layer
protects against a completely different
attack vector against that same service,
these layers are considered as providing
breadth.
Defense in Depth and Breadth (Cont.)
The Key Concepts Regarding Defensive Layers Are:

 Which layers are available per device?
 What attack vectors are each layer effective
against?
 How does adding layers impact each IP network
traffic plane?
 Do layers combine to provide depth and breadth
as a system?
 What implications and interactions do each layer
have on other layers and the system as a whole?
Defense in Depth and Breadth For Your
Cisco IOS Features “Order of Operations” Reference
Ingress Routing Egress
Ingress IOS Features Egress IOS Features

1. IP Traffic Export (RITE) 1. WCCP Redirect
2. QoS Policy Propagation thru BGP (QPPB) 2. NAT Inside-to-Outside
3. Ingress Flexible NetFlow 3. Network Based Application
4. Network Based Application Recognition (NBAR)
Recognition (NBAR) 4. BGP Policy Accounting
5. Input QoS Classification 5. Output QoS Classification
6. Ingress NetFlow 6. Output ACL Check
7. IOS IPS Inspection 7. Output Flexible Packet Matching (FPM)
8. Input Stateful Packet Inspection (IOS FW) 8. DoS Tracker
9. Input ACL 9. Output Stateful Packet Inspection (IOS FW)
10. Input Flexible Packet Matching (FPM) 10. TCP Intercept
11. IPsec Decryption (if encrypted) 11. Output QoS Marking
12. Unicast RPF Check 12. Output Policing (CAR)
13. Input QoS Marking 13. Output MAC/Precedence Accounting
14. Input Policing (CAR) 14. IPSec Encryption
15. Input MAC/Precedence Accounting 15. Egress NetFlow
16. NAT Outside-to-Inside 16. Egress Flexible NetFlow
17. Policy Routing 17. Egress RITE
18. Output Queuing (CBWFQ, LLQ, WRED)
Protecting Network Devices
Building the Security Layers
 Securing network devices

requires implementing security Data
on all layers
Physical
Management plane
Control
Service Plane
Control Plane
Data Plane Service
 If one of the lower layers is
breached, implementing
security on higher layers is Management
useless
Physical Security
Physical Security
Physical Security
 Without Physical Security, you run the risk of:

Someone connecting directly to the Console port
Someone doing password recovery on the device
Someone adding hardware based sniffers to cables
Someone stealing the linecards!
Someone stealing the router/switch itself!!
 Also, simply turning off the power is a VERY
powerful Denial-of-Service attack
 The control plane is the logical group containing all

routing, signaling, link-state, and other control protocols
used to create and maintain the state of the network
and interfaces
 It is, therefore, critical that control plane resources and
protocols are protected to:
Keep the network up and running at all times
Prevent traffic redirection which could result in a DoS
condition, eavesdropping or manipulation of application
layer (data) content
 The control plane also enables other protection

mechanisms to help mitigate the risk of security attacks
IP Control Plane Security Techniques
 Disable unused control plane services
 ICMP techniques
 Selective packet discard
 IP receive ACL
 Control plane policing & protection
 LPTS
 CoPPr
 MD5 authentication
 BGP techniques
 Protocol specific filters
Note: Not All of These Techniques Will be Covered in This Session,

See Reference Section for More Details
Disable Unused Control Plane Services
 IP Source Routing: prevent source IP hosts from

being able to specify an explicit route it wishes a
packet to traverse through the network
 Proxy ARP: generally only required on shared LANs
 CDP: Turn it off where you don‘t need it (usually at
the edge)
 Others as appropriate
ICMP Techniques
 ICMP is handled at the Cisco IOS process level,

hence, is often leveraged within DoS attacks
 By default, Cisco IOS software enables certain
ICMP processing functions in accordance with IETF
standards
 These default configurations may not conform to
security best practices or to security policies you
may have for your network
 Remember however that when deploying IPv6,
ICMP is heavily used for signaling, don‘t block all
ICMP packets
Control Plane Policing (CoPP)
 Network Devices handle traffic in the Data Plane, Control Plane, and
Management Plane…
– We need to assert positive control over the types and quantity of packets
that can reach to RP of the network device
Route Processor AAA

SYSLOG
SNMP
OSPF
BGP
CPU
CoPP
Interface ACL
Non-IP
CEF
Receive IP
Exceptions IP
Transit IP
Ingress Egress
Interface Interface
Control Plane Policing (CoPP)
 CoPP provides filtering and rate-limiting capabilities for

all packets ―punted‖ to the route processor
 Uses the Modular QoS CLI (MQC) syntax for QoS policy
definition
 Dedicated control-plane ―interface‖ for applying QoS
policies—single point of application
Router(config)# control-plane [slot slot-number]
Router(config-cp)# service-policy input control-plane-policy
 CoPP is widely available within IOS, including Cisco IOS

12.0S, 12.2S, 12.2SX, 12.2SBC, 12.3T and later
releases
Implementing Control Plane Policing
 Implementing CoPP for the first time can be

challinging as you need to understand your traffic
and how it behaves over time.
 Can be easier to begin with a more simpler CoPP
policy and then use the information gathered to
build more stricter policies.
 A simpler deployment may help bridge the gap
while gaining traffic knowledge and operational
experience
Traffic Classification
1. Undesirable Traffic—drop
malicious traffic we expect to see
fragments and the like
2. Critical Traffic—no rate limit

Control plane
routing protocols
Management plane
SNMP, SSH, AAA, NTP
3. Non-Critical Traffic—maybe rate-limit

remaining unclassified IP traffic
Undesirable Traffic
 Undesirable—Traffic that should never touch the RP

ip access-list extended undesirable-acl
permit icmp any any information-request
permit icmp any any timestamp-request
permit icmp any any mask-request
permit tcp any any eq 20
permit udp any any eq 1434
 Permit means match, it does NOT mean allow

 Security vulnerabilities go in this class
Critical Traffic
 Critical—Defined as control and management protocols
ip access-list extended critical-acl

! IGP
permit ospf 192.168.60.0 0.0.0.255 host 224.0.0.5
permit ospf 192.168.60.0 0.0.0.255 host 224.0.0.6
permit ospf 192.168.60.0 0.0.0.255 192.168.60.0 0.0.0.255
! Management protocols
permit tcp 192.168.60.0 0.0.0.255 eq 22 any established
permit tcp 192.168.60.0 0.0.0.255 any eq 22
permit udp host 192.168.100.2 any eq snmp
 192.168.60.0/24 is your core address space, 192.168.100.1 is

the AAA server and 192.168.100.2 is Network Management
host/Server
Non-Critical Traffic
 Non-critical—Defined as any other traffic destined

for the router to track and potentially rate-limit
ip access-list extended non-critical-acl
permit tcp any any
permit udp any any
permit icmp any any
permit ip any any
 Access list entries can be as granular as needed

 Begin by tracking, rate limit when comfortable
CoPP—Class-Map
 Define a class for each ―type‖ of traffic and

associate the appropriate ACL
class-map match-all CoPP-undesirable
match access-group name undesirable-acl
class-map match-all CoPP-critical
match access-group name critical-acl
class-map match-all CoPP-non-critical
match access-group name non-critical-acl
CoPP—Policy-Map
 With recommended actions

policy-map Simpler-CoPP
<rate> can be any value,
class CoPP-undesirable typical 8000
police <rate> conform-action drop

exceed-action drop
<rate> can be any value,
class CoPP-critical typical 8000
police <rate> conform-action transmit
exceed-action transmit
class CoPP-non-critical
police <rate> conform-action transmit
exceed-action drop
<rate> has to be
appropriate for your traffic
patterns
CoPP—Apply Policy
 Applied Service-Policy to the Control Plane Interface
control-plane
service-policy input Simpler-CoPP
 In the inbound (input) direction
Step 4: Apply Policy to “Interface”
 Centralized
Router(config)# control-plane
Router(config-cp)# service-policy [input|output]
<policy-map-name>
 Distributed
Router(config)#control-plane slot <n>
Router(config-cp)#service-policy input <policy-map-name>
! Example
! This applies the policy-map to the Control Plane
service-policy input CoPP
CoPP Hardware Specific Issues
 There are specific restrictions and caveats associated with

CoPP imposed by hardware
 This highlights the fact that you must fully understand how
your router handles packets and this is a whole topic itself
 Please see the following links for details
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708
/prod_white_paper0900aecd802ca5d6.html
http://www.cisco.com/web/about/security/intelligence/coppwp_gs.ht
ml
Control Plane Policing on 6500/7600
Special-Case Rate Limiters Override Hardware Control Plane Policing!
PFC3/DFC3
Special
Cases Hardware
Rate-Limiters Special
Traffic Case Traffic
to CPU
Software
“Control- CPU
Plane”
Matches Hardware
Policy “Control-Plane”
Control Plane Policing on 6500/7600
Attack Traffic: IP Options

Catalyst 6500 Performance Chart
Performance
Example… 120
HW Protection vs.
100
SW Protection
80
CPU Usage
60
40
20
0
0
0
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
10
50
10
15
20
25
30
35
40
45
50
55
60
65
70
DoS Rate (PPS)
Service policy none hardware rate limiter Service policy Sw CPP
6500/7600 For Your
Hardware-Based Rate Limiters Reference
Unicast Rate Limiters Multicast Rate Limiters

CEF Receive Also
Traffic destined to IPv6
the router Multicast FIB-Miss Packets with no mroute in the FIB
CEF Glean ARP packets IGMP IGMP packets
CEF No Route Packets with not route in the FIB Partial Shortcut Partial shortcut entries
IP Errors Packets with IP checksum or length errors Directly Connected Local multicast on connected interface
ICMP Redirect Packets that require ICMP redirects
ICMP No Route ICMP unreachables for unroutable packets IP Options Multicast traffic with IP Options set
ICMP ACL Drop ICMP unreachables for admin deny packets V6 Directly Connect B/BXL
Packets with no mroute in the FIB
RPF Failure Packets that fail uRPF check V6*, G M Bridge IGMP packets
L3 Security CBAC, Auth-Proxy, and IPSec traffic V6*, G Bridge Partial shortcut entries
ACL Input NAT, TCP Int, Reflexive ACLs, Log on ACLs V6 S, G Bridge Partial shortcut entries
ACL Output NAT, TCP Int, Reflexive ACLs, Log on ACLs V6 Route Control Partial shortcut entries
VACL Logging CLI notification of VACL denied packets V6 Default Route Multicast traffic with IP Options set
IP Options Unicast traffic with IP Options set B/BXL V6 Second Drop Multicast traffic with IP Options set
Capture Used with optimized ACL logging
Shared Across the 10 Hardware Revocation Lists
Layer 2 Rate Limiters General Rate Limiters
L2PT L2PT encapsulation/decapsulation MTU Failure Packets requiring fragmentation
Also IPv6
PDU Layer 2 PDUs TTL Failure Packets with TTL<=1
Demo
DEMONSTRATION
IOS XR Local Packet Transport
Services (LPTS)
 LPTS is an automatic, built in firewall for
control plane traffic. Router bgp
 Every Control and Management packet from neighbor 202.4.48.99
the line card is rate limited in hardware to …
ttl_security
!
protect RP and LC-CPU from attacks mpls ldp
…
!
LC 1 IFIB TCAM HW Entries
Local port Remote port Rate Priority
Any ICMP ANY ANY 1000 low

any 179 any any 100 medium
Socket
LPTS
any 179 202.4.48.99 any 1000 medium ttl BGP
202.4.48.1 179 202.4.48.99 2223 10000 medium 255
200.200.0.2 13232 200.200.0.1 646 100 medium
LDP
SSH
LC 2 IFIB TCAM HW Entries …
BRKSEC-2170 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public
TCP Handshake
51
Trusting Your Neighbor
MD5 Neighbor Authentication
 A variety of IOS protocols support MD5

authentication including BGP, OSPF, LDP, RIPv2,
IS-IS, HSRP, EIGRP, MSDP, etc.
Configured Shared Key = X Configured Shared Key = X
If HMAC1 = HMAC2,
Then Routing
Advertisement
HMAC1 + Routing Authenticated.
Advertisement
Else Routing
2 Advertisement
Discarded.
Routing Advertisement + Routing Advertisement +
Shared Key Shared Key 4
MD5 MD5
HMAC1 HMAC2
Hash Hash
1 3
BGP Security Techniques
 BGP is the common external control protocol,

hence,
it is a common target for external attacks
 MD5 authentication is technique available to help
reduce the risk of BGP attacks
 Others include
Prefix filters
Prefix limits
AS-PATH limits
Graceful restart
BGP TTL security check (GTSM)
See http://www.cisco.com/web/about/security/intelligence/protecting_bgp.html
Generalized TTL Security Mechanism
eBGP
AS2 Session
RTR-C
RTR-A
badnet AS1
RTR-B RTR-D
1
2
3 TTL Distance
(Diameter)
 The GTSM feature, also known as ―BGP TTL Security Hack‖

(BTSH), provides a lightweight security mechanism to protect
external eBGP peering sessions from attacks using forged
IP packets
 GTSM enforces a ―minimum TTL-value‖ on all BGP packets
associated with the eBGP session
Protocol Specific ACL Filters
 Protocol-specific ACL policies can be applied directly to

a specific IOS control plane protocol
IP interface ACL policies are applied to specific router interfaces
IP rACL and CoPP policies are applied to the IOS receive interface
 Protocol-specific ACL policies provide added control for
defining valid protocol peers
Protocol-specific ACL filters consider only the associated protocol,
which helps with policy management
Filtering is
 Example protocol specific ACL filters:
MPLS LDP
PIM
IGMP
SNMP
Telnet/SSH
 The data plane is the logical entity containing all

user traffic generated by hosts, clients, servers,
and applications that use the network
 Defense in depth and breadth security requires that
all packets going into (and in many cases, going out
of) a network be inspected and subject to policy
control
 A routing decision is the most basic form of
classification and policy enforcement applied to
data plane traffic
IP Data Plane Security Techniques
 Interface ACLs
 Unicast RPF
 Flexible packet matching
 QoS techniques
 IP header option techniques
 IP routing techniques
Unicast RPF Techniques
 Alternative technique for filtering ingress packets

that lack a verifiable source IP address, such as
spoofed
IP source addresses
 Unlike antispoofing ACLs, uRPF dynamically
adapts
to changing network conditions
By using the FIB for source address verification, no
reconfiguration changes are required as a result of topology
changes or new prefix assignments
 uRPF applies to all packets that ingress the
configured interface
May be configured in conjunction with interface ACLs
See http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html
uRPF Strict and Loose Modes
router(config-if)# ip verify unicast source reachable-via rx
i/f 2 i/f 2
i/f 1 i/f 3 i/f 1 i/f 3
S D i/f 1
Data S D i/f 1
Data
FIB: FIB: “Strict Mode”
...
S  i/f 1
...
S  i/f 2
(a.k.a. “v1”)
D  i/f 3 D  i/f 3
... ...
Same i/f: Other i/f:
Forward Drop
router(config-if)# ip verify unicast source reachable-via any

i/f 2 i/f 2
i/f 1 i/f 3 i/f 1 i/f 3 “Loose Mode”
S D i/f 1
Data S D i/f 1
Data (a.k.a. “v2”)
FIB: FIB:
... ...
S  i/f x ... ?
D  i/f 3 D  i/f 3
... ...
Any i/f: Src not in FIB

Forward or route = null0:
Drop
uRPF VRF Mode
router(config-if)# ip verify unicast vrf peer999 permit
i/f 2 i/f 2
i/f 1 i/f 3 i/f 1 i/f 3
S D i/f 1
Data S D i/f 1
Data
Whitelist Whitelist “Whitelist”
VRF
...
VRF
...
?
Prefix s Prefix s
... ...
Prefix in VRF Prefix not in VRF
Forward Drop
router(config-if)# ip verify unicast vrf peer999 deny

i/f 2 i/f 2
i/f 1 i/f 3 i/f 1 i/f 3 “Blacklist”
S D i/f 1
Data S D i/f 1
Data (a.k.a. “v2”)
Blacklist Blacklist
VRF VRF
... ? ...
Prefix s Prefix s
... ...
Prefix not in VRF Prefix in VRF

Forward Drop
Flexible Packet Matching (FPM)
Can the Network Block Rogue Tunnels?
 Use Flexible Packet Matching (FPM)

Blocking all Teredo addresses 2001::/32 in the UDP
payload
 FPM
Available in software since 12.4(4)T
Hardware implementation in PISA (requires Sup32 and
Cat6K)
Classify on multiple attributes within a packet
String match and regex
Expressed in XML
0111111010101010000111000100111110010001000100100010001001
Match Pattern And Or Not
www.cisco.com/go/fpm
For Your
FPM Configuration to Block Teredo Reference
load protocol bootdisk:ip.phdf

load protocol bootdisk:udp.phdf
The trick is to block
all packets class-map type stack match-all cm-ip-udp IP version = 6
match field IP protocol eq 17 next UDP
containing a
Teredo source or class-map type access-control match-all cm-teredo1
match start udp payload-start offset 0 size 1 eq 0x60 mask 15
destination match start udp payload-start offset 8 size 4 eq 0x20010000
address in the class-map type access-control match-all cm-teredo2
UDP payload. match start udp payload-start offset 0 size 1 eq 0x60 mask 15
match start udp payload-start offset 24 size 4 eq 0x20010000
policy-map type access-control pm-teredo

class cm-teredo1
Teredo addresses drop
class cm-teredo2 Teredo prefix as embedded
are in the 2001::/32 drop address
(note 32) prefix policy-map type access-control pm-udp-teredo
class cm-ip-udp
service-policy pm-teredo
interface GigabitEthernet1/36
service-policy type access-control in pm-udp-teredo
QoS Techniques
 Applicable QoS techniques from a security

perspective include:
Packet coloring
Queuing
Rate limiting
Packet Coloring (Marking)
 Recoloring means IP Precedence

changing the IP 000 (0)—Routine
precedence or DSCP 001 (1)—Priority
values within the packet
010 (2)—Immediate
as it comes into your
011 (3)—Flash
network
100 (4)—Flash Override
 IP precedence is actively 101 (5)—Critical
used on the Internet
110 (6)—Internetwork Control
Routing protocols are set to
prec 6 and used with Selective 111 (7)—Network Control
Packet Discard (SPD)
QoS/Diff-Serv (DSCP) are used
by some SP networks
Packet Coloring (Marking)
 With IP QoS mechanisms being more widely deployed within

network cores, recoloring, and/or traffic policing at the edge is
recommended
To prevent low priority traffic from adversely affecting high priority
traffic classes (e.g., VoIP, control plane)
 Recoloring changes the QoS marking of packets as they
ingress your network
 QoS markings used for DiffServ classification vary
IP precedence
DSCP
MPLS EXP
802.1P
 Without packet coloring at the network edge, isolation
between traffic classes and services within the network core
cannot be assured
Queuing
 Queuing provides
Bandwidth guarantees and isolation between DiffServ
traffic classes
Priority treatment of one traffic class over other traffic
classes
Isolation between high and low priority traffic classes within
the data plane
 Security benefits include:
Helps to prevent attacks from within the data plane from
adversely affecting control and management plane protocols
Attacks from within the best effort class do not adversely
affect tight SLA services
Reduces the risk of attacks causing collateral damage
Rate Limiting Q: What is the issue
with rate limiting in
general?
 Discards or recolors packets that do not conform to

an SLA or traffic rate
 Cisco IOS rate limiting may be configured using
either committed access rate (CAR) or MQC
policing
MQC is the recommended CLI syntax, as it allows you to
define a traffic class independently of QoS policies
 Although ACLs enable you to permit or deny a
traffic flow, rate limiting permits a traffic flow up to
a configurable maximum rate
From a security perspective, this may be useful for allowing
a traffic flow to pass while limiting its potential impact on the
network and destination
Queuing
!
QoS Techniques policy core-qos
class prec6-control
Marking bandwidth percent 25
! class prec0-data
policy isp-edge bandwidth percent 75
class class-default !
set ip prec 0 interface POS2/2/0
! service-policy output core-qos
interface POS1/1/0 ISP 1
service-policy input isp-edge
ISP 2
Customer 1
Policing & Marking

!
policy customer-edge
ISP 3 class icmp-pings
police 8000 conform set-ip-prec-transmit 0 exceed drop
class class-default
set ip prec 0
!
interface POS3/3/0
service-policy input customer-edge
IP Options Techniques
 The IP packet header provides for various IP

options
as specified in RFC 791
IP packets may or may not use IP headers option—they are
optional—but IP header option handling mechanisms must
be implemented by all IP protocol stacks (hosts and routers)
 Packets with IP header options are punted to the
IOS process level slow path (CPU) for data plane
forwarding due to their variable length and complex
processing requirements
May provide a potential attack vector given CPU processing
 In IPv6 this is done hop-by-hop
Demo
DEMONSTRATION
For Your
IP Options Techniques Reference
 Techniques to mitigate the risk of IP options attacks

include
Disable IP source routing (enabled by default)
Interface ACL filtering of IP options (12.3T, 12.2S, and later only)
IP options selective drop ( ip options [drop | ignore] ) CLI
Control plane policing
 For many networks, dropping the packets is best
 For other networks, IP options may be legitimate
Resource Reservation Protocol (RSVP)
Multiprotocol Label Switching Traffic Engineering (MPLS TE)
Internet Group Management Protocol version 2 and 3 (IGMP)
MPLS OAM (LSP ping and traceroute)
 The management plane is the logical group

containing all management traffic supporting
provisioning, maintenance, and monitoring
functions for the network
 It is, therefore, critical that management plane
resources and protocols are:
Secured to mitigate the threat of unauthorized access and
malicious network reconnaissance, which inevitably leads to
attacks within the IP data, control, and services planes
Protected to mitigate the risk of DoS attacks
Remain available during attacks such that attack sources
can be identified and attacks themselves can be mitigated
 Out-of-band management
 Password security
 SNMP security
 Remote terminal access security
 Disable unused management plane services
 Disable idle user sessions
 System banners
 Secure IOS file systems
 Role-based CLI access
 Management plane protection
 AAA
 AutoSecure
 Network telemetry
Management Interface Types
 In-band: a physical (or logical) interface that carries

both management and data plane traffic
 Out-of-band: a physical interface that connects to
a physically separate, isolated network dedicated
exclusively to the operation and management of all
network elements
 Why Out-of-band?
Availability
Scalability
By default, no
Management Interfaces passwords are defined!
 In-band
Virtual terminal lines (VTY): have no associated physical
interface and are used exclusively for remote terminal
access (e.g., Telnet, SSH)
 Out-of-band
Console port: the console port (CTY) is an asynchronous
serial port that uses a DCE RJ-45 receptacle for connecting
a data terminal (DTE)
Auxiliary port: the auxiliary port (AUX) is also an
asynchronous serial port that uses a DTE RJ-45 receptacle
for connecting a modem or other DCE device
Management Ethernet port: on certain routers, a separate
Ethernet port is made available strictly
for OOB management connectivity
Management Plane Protection (MPP) on IOS XR
Management Protocols are secured at various levels
By default Management
protocols are off
MPP limits the interfaces

exposed for management
access
MPP Peer filtering
LPTS Rate Limits
Feature specific Rate/Session

Limits
MPP Overview
 Management Plane Protection allows network operator to reserve
a set of interfaces for management traffic either exclusively (ie,
out-of-band) or along with transit traffic (ie, in-band)
 MPP is supported on all IOS XR platforms and there is no
difference in terms of detailed MPP feature support
 IOS XR Management Plane protection offers the below features
– In-band Interface support
– Out-of-band Interface support
– Per interface and per protocol filtering
– Peer Filtering
•IPv4/IPv6 Host based
•IPv4/IPv6 Subnet based
 Management Protocols supported

- TFTP, TELNET, SSH (v1 & v2), SNMP and HTTP/HTTPS
For Your
IOS XR behavior without MPP Reference
Management Traffic
NOC Transit Traffic
 Management Services are
off by default DCN
 When management
services are enabled, they
are enabled on all
interfaces I/F 1
 LPTS rate limits

LPTS
management plane traffic
to RP CPU R I
 RP Ethernet/Console/Aux P RP /
CPU F
provide out-of-band
E
management 3
t
h
I/F 2
For Your
IOS XR with In-band MPP Reference
Management Traffic
NOC Transit Traffic

 I/F 1 is configured as MPP
in-band interface. I/F 1 is DCN
also part of global IP/MPLS
routing/forwarding.
In-band MPP
 Management traffic to RP
from all non-MPP I/F 1
interfaces is dropped (I/F 2
and I/F 3). LPTS
 RP Eth/Console/Aux R I
continues to operate as P RP /
dedicated out-of-band. CPU F
E
 LPTS still continues to Out-of-band t 3
provide rate limiting h
irrespective of MPP.
I/F 2
For Your
Reference
IOS XR with out-of-band MPP Management Traffic
Transit Traffic
NOC Transit Traffic
in OOB VRF
 I/F 1 and 3 are configured
as MPP out-of-band DCN
interface. I/F 1 and 3 are
no longer part of global Out-of-band
routing/forwarding
 Management traffic to RP I/F 1
from all non-MPP
interfaces is dropped (I/F
2) LPTS
 RP Eth interfaces R I
continues to operate as
dedicated out-of-band. P RP /
CPU F
 Routing/Forwarding E
allowed between OOB Out-of-band t 3
interfaces
h
 LPTS provides rate limiting
I/F 2
Disable Unused Management Services
 BOOTP services  NTP
 HTTP
 PAD
 Finger service
 EXEC mode on unused lines  Small TCP servers
 DHCP server and  Small UDP servers
relay functions
 CDP: best practice to disable on
external (untrusted) interfaces
 DNS-based host
name-to-address translation
(i.e., no ip domain lookup);
alternatively configure name
servers explicitly
Secure Cisco IOS File Systems
 Cisco IOS supports features to mitigate the risk of

malicious attempts to erase the contents of persistent
storage (NVRAM and flash) and features to prevent
corrupted Cisco IOS images from being loaded
secure boot-config (IOS Resilient Configuration): takes a
snapshot of the router running configuration and securely
archives it in persistent storage
secure boot-image (IOS Resilient Configuration): makes a
copy of the router image running and securely archives it
file verify auto (IOS Image Verification): enables automatic
image verification
ip scp server enable: the IOS Secure Copy (SCP) feature
provides a secure and authenticated method for copying router
configuration and IOS image files to and from an IOS router
Role-Based CLI Access
 Allows you to define CLI views, which provide

selective access and visibility to EXEC commands and
configuration information
 Similar to EXEC privilege levels, CLI views restrict user
access to EXEC mode commands and limit visibility of
router configuration information
 Unlike EXEC privilege levels, CLI views:
Are independent of one another
Multiple keyword commands can be assigned to a CLI view without the
view being automatically assigned the command associated with the
first keyword
May specify an interface or a group of interfaces to a CLI view, thereby
allowing command access on the basis of specified interfaces
Operates completely independently of EXEC mode privileges and lists
commands allowed within a CLI view can span multiple privilege levels
IP Services Plane Security
IP Services Plane
 The IP services plane refers to user traffic that is treated by

specialized handling beyond Best Effort Forwarding. This
includes services such as:
QoS
VPNs (IPSec VPNs, MPLS VPNs, GRE, etc.)
Policy-based routing
SSL, firewall, IPS, NAT, etc.
 Services typically require the application of ―premium‖
resources such as encryption/decryption, or extra
CPU-processing
Premium services usually cost more to deploy and use
finite-resources. Hence, premium services need to be ‗protected‘
so that those who aren‘t paying don‘t get preferential treatment.
 Services must also be protected to prevent any one service
from disrupting any other service, or best effort traffic form
disrupting premium services
Summary
Summary
 IP network traffic can be segmented into four ―traffic planes‖:

IP Data Plane
IP Control Plane
IP Management Plane
IP Services Plane
 Network elements have different handling processes,
including a fast path and a slow path
 IP network traffic planes are protected by specific
mechanisms, and when combined, provide a defense in
depth and breadth approach to securing IP networks
 Depth and breadth techniques enhance the overall security
of the infrastructure by providing multiple layers of protection
as well as protecting against many different types of attacks
Q&A
Related Sessions
 BRKSEC-2003: IPv6 Security Threats and

Mitigations
 BRKSEC-2077: What can Enterprises learn as
security practice from Service Providers
BRKSEC-2105 Recommended Reading
Enter to Win a 12-Book Library
of Your Choice from Cisco Press
Visit the Cisco Store in the

World of Solutions, where
you will be asked to enter
this Session ID code
Check the Recommended Reading brochure for

suggested products available at the Cisco Store
Complete Your Online
Session Evaluation
 Give us your feedback and you

could win fabulous prizes.
Winners announced daily.
 Receive 20 Cisco Preferred
Access points for each session
evaluation you complete.
 Complete your session
evaluation online now (open a
browser through our wireless
network to access our portal)
or visit one of the Internet Don‘t forget to activate your
stations throughout the Cisco Live and Networkers Virtual
Convention Center. account for access to all session
materials, communities, and on-demand
and live activities throughout the year.
Activate your account at any internet
station or visit www.ciscolivevirtual.com.

BRKSEC-2170 Router Security Strategies Securing IP Network Traffic Planes

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BRKSEC-2170 Router Security Strategies Securing IP Network Traffic Planes

Uploaded by

Copyright:

Available Formats

Router Security Strategies:

Securing IP Network Traffic Planes

 This intermediate session discusses how to implement

 Internet Protocol Operations Fundamentals

* Forwarding Could Entail Adding a Service to the Packet as well…

Route Processor AAA

Route Processor AAA

Route Processor AAA

iBGP iBGP iBGP

LDP LDP LDP

Peer B Internet Peer A

 There are many factors that threaten network

 Clear distinction between human error and

 Prevents or disrupts routing protocol peering or redirects traffic

Software  Software defect that may compromise confidentiality, integrity,

Malicious  Gathering info about a target device, network, or organization

 Attacks may have additional consequences beyond

This Is Much Different Than This

E.g., 100 Mbps E.g., 10 Gbps

Fast Path This Is Much Different Than This

 What are the relevant metrics for network engineering?

 Why is this important from a security point of view?

 You have to know if a device is stateful or stateless:

 And the environment the device operates in:

 Defense in depth and breadth describes the

Breadth: If one layer protects against one

The Key Concepts Regarding Defensive Layers Are:

Ingress Routing Egress

Ingress IOS Features Egress IOS Features

 Securing network devices

 Without Physical Security, you run the risk of:

 The control plane is the logical group containing all

 The control plane also enables other protection

Note: Not All of These Techniques Will be Covered in This Session,

 IP Source Routing: prevent source IP hosts from

 ICMP is handled at the Cisco IOS process level,

Route Processor AAA

 CoPP provides filtering and rate-limiting capabilities for

 CoPP is widely available within IOS, including Cisco IOS

 Implementing CoPP for the first time can be

2. Critical Traffic—no rate limit

3. Non-Critical Traffic—maybe rate-limit

 Undesirable—Traffic that should never touch the RP

 Permit means match, it does NOT mean allow

ip access-list extended critical-acl

 192.168.60.0/24 is your core address space, 192.168.100.1 is

 Non-critical—Defined as any other traffic destined

 Access list entries can be as granular as needed

 Define a class for each ―type‖ of traffic and

 With recommended actions

police <rate> conform-action drop

 Applied Service-Policy to the Control Plane Interface

 In the inbound (input) direction

 There are specific restrictions and caveats associated with

Attack Traffic: IP Options

Service policy none hardware rate limiter Service policy Sw CPP

Unicast Rate Limiters Multicast Rate Limiters

Any ICMP ANY ANY 1000 low

 A variety of IOS protocols support MD5

 BGP is the common external control protocol,

 The GTSM feature, also known as ―BGP TTL Security Hack‖

 Protocol-specific ACL policies can be applied directly to

 The data plane is the logical entity containing all

 Alternative technique for filtering ingress packets