Control Plane Security Overview
This chapter contains the following sections:
•About This Guide
Preview the topics in this guide.
•Creating Effective Security Policies
Learn tips and hints for creating a security policy for your organization. Before you configure any security features, you should make sure that your security policy is complete and up to date.
•Identifying Security Risks and Cisco IOS Solutions
Identify common security risks that might be present in your network and find the right Cisco IOS security feature to prevent security breakins.
About This Guide
The Cisco IOS Security Configuration Guide: Securing the Control Plane describes how to configure Cisco IOS control plane security features for your Cisco networking devices. These security features can protect your network against degradation or failure and also against data loss or compromise that is caused by intentional attacks or unintended (but damaging) mistakes by well-meaning network users.
This guide is divided into the following parts:
•Neighbor Router Authentication
•Control Plane Policing
The following sections briefly describe the security benefits and operation of the features contained in the above parts.
Neighbor Router Authentication
When neighbor authentication is configured on a router, the router authenticates its neighbor router before accepting any route updates from that neighbor. This ensures that a router always receives reliable routing update information from a trusted source.
Control Plane Policing
Control Plane Policing consists of the following features:
•Control Plane Policing
•Control Plane Protection
•Control Plane Logging
Control Plane Policing
The Control Plane Policing feature lets users configure a Quality of Service (QoS) filter that manages the traffic flow of control plane packets to protect the control plane of Cisco IOS routers and switches against reconnaissance and denial-of-service (DoS) attacks. In this way, the control plane can help maintain packet forwarding and protocol states despite an attack or heavy traffic load on the router or switch.
Control Plane Protection
The Control Plane Protection feature is an extension of the policing functionality that the existing Control Plane Policing feature provides. The Control Plane Policing feature allows QoS policing of aggregate control plane traffic destined to the route processor. The Control Plane Protection feature extends this policing functionality by allowing finer policing granularity.
Control Plane Protection includes a traffic classifier, which intercepts traffic and classifies it into three control plane categories. It also includes new port filtering and queue thresholding features. Port filtering feature allows policing of packets going to closed or nonlistened TCP/UDP ports, while queue thresholding limits the number of packets for a specified protocol that is allowed in the control-plane IP input queue.
Control Plane Logging
The Control Plane Protection features let you filter and rate-limit the packets that are going to the router's control plane and discard malicious and error packets (or both). The Control Plane Logging feature enables logging of the packets that these features drop or permit. The Control Plane Logging feature provides the logging mechanism that you need to deploy, monitor, and troubleshoot Control Plane Protection features efficiently.
You can turn on logging for some or all packets that the control plane processes, without feature or class restrictions, or you can enable logging for specific Control Plane Protection features such as control plane policing, port filtering, and queue thresholding.
Creating Effective Security Policies
An effective security policy protects your network assets from sabotage and from inappropriate access (intentional or accidental).
You should configure all network security features according to your security policy. If you do not have a security policy, or it is out of date, you should ensure that a policy is created or updated before you decide how to configure security on your Cisco device.
The following sections provide guidelines to help you create an effective security policy:
•The Nature of Security Policies
•Two Levels of Security Policies
•Tips for Developing an Effective Security Policy
The Nature of Security Policies
You should recognize these aspects of security policies:
•Security policies represent tradeoffs. With all security policies, there are tradeoffs between user productivity and security measures that can be restrictive and time consuming. Any security design should provide maximum security with minimum impact on user access and productivity. Some security measures, such as network data encryption, do not restrict access and productivity. On the other hand, cumbersome or unnecessarily redundant verification and authorization systems can frustrate users and even prevent access to critical network resources.
•Security policies should be determined by business needs. A security policy should not determine how a business operates.
•Security policies are living documents. Because organizations are constantly changing, you must update security policies systematically to reflect new business directions, technological changes, and resource allocations.
Two Levels of Security Policies
A security policy has two levels: requirements and implementation.
•At the requirements level, a policy defines how much you must protect your network assets against intrusion or destruction and also estimates the consequences of a security breach. For example, the policy could state that only human resources personnel can access personnel records or that only IS personnel can configure the backbone routers. The policy could also address the consequences of a network outage (because of sabotage) and the consequences of inadvertently making sensitive information public.
•At the implementation level, a policy defines guidelines to implement the requirements-level policy by using specific technology in a predefined way. For example, the implementation-level policy could require that you configure access lists so that only traffic from human resources host computers can access the server containing personnel records.
When creating a policy, you must define security requirements before defining security implementations to avoid merely justifying particular technical solutions that you do not need.
Tips for Developing an Effective Security Policy
To develop an effective security policy, you must consider the recommendations in the following sections:
•Identifying Your Network Assets to Protect
•Determining Points of Risk
•Limiting the Scope of Access
•Determining the Cost of Security Measures
•Considering Human Factors
•Keeping a Limited Number of Secrets
•Implementing Pervasive and Scalable Security
•Understanding Typical Network Functions
•Remembering Physical Security
Identifying Your Network Assets to Protect
The first step in developing a security policy is to understand and identify your network assets, which include the following:
•Networked hosts (such as PCs, which include the hosts' operating systems, applications, and data)
•Networking devices (such as routers)
•Data that travels across the network
You must identify your network's assets and determine how much you must protect each of these assets. For example, one subnetwork of hosts might contain extremely sensitive data that you must protect at all costs, while a different subnetwork of hosts might require only modest protection against security risks, because it is less costly if the subnetwork is compromised.
Determining Points of Risk
You must understand how potential intruders can enter the network or sabotage it. Special areas of consideration are network connections, dialup access points, and misconfigured hosts. Misconfigured hosts, which are frequently overlooked as points of network entry, can be systems that have unprotected login accounts (guest accounts), extensive trust in remote commands (such as rlogin and rsh), unauthorized modems attached to them, and easy-to-break passwords.
Limiting the Scope of Access
You can create multiple barriers within networks so that unlawful entry to one part of the system does not automatically grant entry to the entire infrastructure. Although maintaining high security for the entire network can be prohibitively expensive (in terms of systems and equipment as well as productivity), you can often provide higher security to the more sensitive areas of your network.
Every security system has underlying assumptions. For example, an organization might assume that its network is not tapped, that intruders are not very knowledgeable or are using standard software, or that a locked room is safe. You must identify, examine, and justify your assumptions, because any hidden assumption is a potential security hole.
Determining the Cost of Security Measures
In general, providing security comes at a cost. You can measure this cost in terms of increased connection times or inconveniences to legitimate users accessing the assets, increased network management requirements, and sometimes actual money spent on equipment or software upgrades.
Some security measures will inevitably inconvenience some sophisticated users. Security can delay work, create expensive administrative and educational overhead, use significant computing resources, and require dedicated hardware.
When you decide which security measures to implement, you must understand their costs and weigh these against potential benefits. If the security costs are out of proportion to the actual dangers, it is a disservice to the organization to implement them.
Considering Human Factors
If security measures interfere with essential uses of the system, users resist these measures and sometimes even circumvent them. Many security procedures fail because their designers do not take this fact into account. For example, because automatically-generated "nonsense" passwords can be difficult to remember, users often write them on the undersides of keyboards. A "secure" door that leads to a system's only tape drive is sometimes propped open. For convenience, unauthorized modems are often connected to a network to avoid cumbersome dialin security procedures. To ensure compliance with your security measures, users must be able to get their work done as well as understand and accept the need for security.
Any user can compromise system security to some degree. For example, an intruder might learn passwords by simply calling legitimate users on the telephone claiming to be a systems administrator and asking for them. If users understand security issues and understand the reasons for them, they are far less likely to compromise security in this way.
A complete security policy must define such human factors and include corresponding policies.
At a minimum, you must teach users never to release passwords or other secrets over unsecured telephone lines (especially through cordless or cellular telephones) or electronic mail. They should be wary of questions asked by people who call them on the telephone. Some companies do not allow employees to use the network until they have completed a formal network security training program.
Keeping a Limited Number of Secrets
Most security is based on secrets (for example, passwords and encryption keys). But the more secrets there are, the harder it is to keep all of them. Therefore, you should design a security policy that relies on few secrets. An organization's most important secret is the information that can help someone circumvent its security.
Implementing Pervasive and Scalable Security
You must use a systematic approach to security that includes multiple, overlapping security methods.
Almost any system change can affect security (especially when you create new services). Systems administrators, programmers, and users must consider the security implications of every change. Understanding the security implications of a change takes practice and requires lateral thinking and a willingness to explore every way that a service could be manipulated. The goal of any security policy is to create an environment that is not susceptible to every minor change.
Understanding Typical Network Functions
You must understand how your network system normally functions, what is expected and unexpected behavior, and how devices are usually used. This kind of awareness helps you detect security problems. Noticing unusual events can help catch intruders before they damage the system. Software auditing tools can help detect, log, and track unusual events. In addition, you should know exactly what software you use to provide auditing trails, and your security system should not assume that all software is bug-free.
Remembering Physical Security
You cannot neglect the physical security of your network devices and hosts. For example, many facilities implement physical security by using security guards, closed-circuit television, cardkey entry systems, or other means to control physical access to network devices and hosts. Physical access to a computer or router usually gives a sophisticated user complete control over that device. Physical access to a network link usually allows a person to tap into that link, jam it, or inject traffic into it. An intruder can often circumvent software security measures when you do not control access to the hardware.
Identifying Security Risks and Cisco IOS Solutions
Cisco IOS software provides a comprehensive set of security features to guard against specific security risks. This section describes a few common security risks that might be present in your network and describes how to use Cisco IOS software to protect against each of these risks:
•Preventing Unauthorized Access into Networking Devices
•Preventing Unauthorized Access into Networks
•Preventing Network Data Interception
•Preventing Fraudulent Route Updates
Preventing Unauthorized Access into Networking Devices
If someone gains console or terminal access into a networking device (such as a router, switch, or network access server) they could significantly damage your network—perhaps by reconfiguring the device or even by simply viewing the device's configuration information.
You typically want administrators to have access to your networking device, but you do not want other users on your local-area network or those dialing in to the network to have access to the router.
Users can access Cisco networking devices by dialing in from outside the network through an asynchronous port, connecting from outside the network through a serial port, or connecting via a terminal or workstation from within the local network.
To prevent unauthorized access into a networking device, you should configure one or more of the following security features:
•At a minimum, you should configure passwords and privileges at each networking device for all device lines and ports. This is described in the "Configuring Security with Passwords, Privilege Levels, and Login Usernames for CLI Sessions on Networking Devices" chapter in the Cisco IOS Security Configuration Guide: Securing User Services. The networking device stores these passwords. When users attempt to access the device through a particular line or port, they must first enter the password applied to the line or port.
•For an additional layer of security, you can also configure username and password pairs that are stored in a database on the networking device, as described in the "Configuring Security with Passwords, Privilege Levels, and Login Usernames for CLI Sessions on Networking Devices" chapter in the Cisco IOS Security Configuration Guide: Securing User Services. You assign these pairs to lines or interfaces, and they authenticate each user before that user can access the device. If you define privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
•If you want to use username and password pairs, but you want to store them centrally instead of locally on each individual networking device, you can store them in a database on a security server. Multiple networking devices can then use the same database to obtain user authentication (and, if needed, authorization) information. Cisco supports a variety of security server protocols, such as RADIUS, TACACS+, and Kerberos. If you decide to use the database on a security server to store login username and password pairs, you must configure your router or access server to support the applicable protocol; in addition, because most supported security protocols must be administered through the AAA security services, you probably need to enable AAA. For more information about security protocols and AAA, refer to the chapters in the "Authentication, Authorization, and Accounting (AAA)" part of the Cisco IOS Security Configuration Guide: Securing User Services.
Note Whenever possible, you should use AAA to implement authentication.
•To authorize individual users for specific rights and privileges, you can implement AAA's authorization feature by using a security protocol such as TACACS+ or RADIUS. For more information about security protocol features and AAA, refer to the chapters in the "Authentication, Authorization, and Accounting (AAA)" part of the Cisco IOS Security Configuration Guide: Securing User Services.
•For a backup authentication method, you must configure AAA. AAA lets you specify the main user authentication method (for example, a username-and-password database stored on a TACACS+ server) and then specify backup methods (for example, a locally-stored username-and-password database). The backup method is used if the networking device cannot access the primary method's database. You can configure up to four sequential backup methods. To configure AAA, refer to the chapters in the "Authentication, Authorization, and Accounting (AAA)" part of the Cisco IOS Security Configuration Guide: Securing User Services.
Note If you have not configured backup methods, you will be denied access to the device if the username-and-password database cannot be accessed for any reason.
•To keep an audit trail of user access, you must configure AAA accounting, which is described in the "Configuring Accounting" chapter of the Cisco IOS Security Configuration Guide: Securing User Services.
Preventing Unauthorized Access into Networks
If someone gains unauthorized access to your internal network, they could cause damage in many ways, perhaps by accessing sensitive files from a host, planting a virus, or hindering network performance by flooding your network with illegitimate packets.
Also, someone within your network could try to access another internal network such as an R&D subnetwork that contains sensitive or critical data. That person could intentionally or inadvertently cause damage; for example, they might access confidential files or tie up a time-critical printer.
To prevent unauthorized access through a networking device into a network, you should configure one or both of these security features:
Cisco uses access lists to filter traffic at networking devices. Basic access lists allow only specified traffic through the device; other traffic is simply dropped. You can specify individual hosts or subnets or types of traffic that should be allowed into the network. Basic access lists generally filter traffic based on source and destination addresses and the protocol type of each packet.
Advanced traffic filtering is also available to provide additional filtering capabilities; for example, the Lock-and-Key Security feature requires each user to be authenticated via a username and password before that user's traffic is allowed onto the network.
For descriptions of the Cisco IOS traffic filtering capabilities, refer to the chapters in the "Traffic Filtering, Firewalls, and Virus Detection" part of the Cisco IOS Security Configuration Guide: Securing the Data Plane.
You can require users to be authenticated before they gain access into a network. When users attempt to access a service or host (such as a web site or file server) within the protected network, they must first enter certain data (such as a username and password) and possibly additional information such as their date of birth or mother's maiden name. After successful authentication (depending on the method of authentication), you assign users specific privileges, which let them access specific network assets. In most cases, this type of authentication is facilitated by CHAP or PAP over a serial PPP connection in conjunction with a specific security protocol such as TACACS+ or RADIUS.
Just as in preventing unauthorized access to specific network devices, you must decide if you want the authentication database to reside locally or on a separate security server. In this case, a local security database is useful if you have very few routers providing network access. A local security database does not require a separate (and costly) security server. A remote, centralized security database is convenient when you have numerous routers providing network access, because it prevents you from having to update each router with new or changed username authentication and authorization information for potentially hundreds of thousands of dialin users. A centralized security database also helps establish consistent remote access policies throughout a corporation.
Cisco IOS software supports a variety of authentication methods. Although AAA is the primary (and recommended) method for access control, Cisco IOS software provides additional features for simple access control that are outside the scope of AAA. For more information, refer to the "Configuring Authentication" chapter in the Cisco IOS Security Configuration Guide: Securing User Services.
Preventing Network Data Interception
When packets travel across a network, they might be read, altered, or "hijacked." (Hijacking occurs when a hostile party intercepts a network traffic session and poses as one of the session endpoints.)
If the data is traveling across an unsecured network such as the Internet, the data is exposed to a fairly significant risk. Sensitive or confidential data could be exposed, critical data could be modified, and communications could be interrupted if data is altered.
To protect data as it travels across a network, you must configure network data encryption, which is described in the chapters in the "Internet Key Exchange for IPsec VPNs" part of the Cisco IOS Security Configuration Guide: Secure Connectivity.
IPSec provides the following network security services. These services are optional. In general, local security policy dictates the use of one or more of the following services:
•Data confidentiality—The IPSec sender can encrypt packets before transmitting them across a network.
•Data integrity—The IPSec receiver can authenticate packets sent by the IPSec sender to ensure that no one has altered the data during transmission.
•Data origin authentication—The IPSec receiver can authenticate the source of the IPSec packets sent. This service depends on the data integrity service.
•Anti-replay—The IPSec receiver can detect and reject replayed packets.
Cisco IPSec prevents routed traffic from being examined or tampered with as it travels across a network. This feature encrypts IP packets at a Cisco router, routes them across a network as encrypted information, and decrypts them at the destination Cisco router. Between the two routers, the packets are in encrypted form, and therefore no one can read or alter the packets' contents. You define what traffic to encrypt between the two routers based on what data is more sensitive or critical.
To protect traffic for protocols other than IP, you can encapsulate those other protocols into IP packets using GRE encapsulation and then encrypt the IP packets.
You do not typically use IPSec for traffic that is routed through networks that are secure. You should consider using IPSec for traffic that is routed across unsecured networks, such as the Internet, if your organization could be damaged if the traffic is examined or tampered with by unauthorized individuals.
Preventing Fraudulent Route Updates
All routing devices determine where to route individual packets by using information stored in route tables. This route table information is created using route updates from neighboring routers.
If a router receives a fraudulent update, the router could be tricked into forwarding traffic to the wrong destination. This could cause sensitive data to be exposed or could cause network communications to be interrupted.
To ensure that route updates are received only from known, trusted neighbor routers, configure neighbor router authentication as described in the "Neighbor Router Authentication: Overview and Guidelines" chapter in this guide.
CCDE, CCENT, CCSI, Cisco Eos, Cisco Explorer, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco TrustSec, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1002R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2007-2009 Cisco Systems, Inc. All rights reserved.