A Cisco Powered Managed Internet service delivers secure Internet connectivity. The service:
Is based on the Cisco self-defending network architecture and is built upon a secure infrastructure.
Delivers connectivity for users regardless of location and access methods. It is backed by comprehensive SLAs covering the overall performance of the service, and online access to real-time and historical service-performance reports.
Offers service-level agreements for network performance and service availability, supports quality of service (QoS) techniques, access control lists, and other industry best practices.
Data Plane
Partner must demonstrate that the following capabilities have been implemented to protect the data plane on each device:
Clearly defined and documented security procedures must describe how each of the following is implemented as part of an overall security policy:

| Requirement | Auditor Instructions (What to Look for) |
| --- | --- |
| Access Control Lists (ACL)—protects devices from malicious traffic by explicitly permitting legitimate traffic | Infrastructure ACLs are applied to the network core |
| Unicast Reverse Path Forwarding (URPF)—mitigates problems caused by the introduction of malformed or spoofed IP source addresses | Drops packets without a verified source address |
| Remotely Triggered Black Hole (RTBH)—drops packets based on source address and can be used while the device is under attack | A filtering method for dropping malicious traffic at the peering edge of the network |
| QoS tools—used to protect against flooding attacks | Defined QoS policies to rate limit or drop offending traffic (identify, classify and rate limit) |
Note: Current specifications are applicable, but newer releases and revisions may supersede the requirements outlined herein.
Control Plane
Partner must demonstrate that the following capabilities have been implemented to protect the control plane on each device:

| Requirement | Auditor Instructions (What to Look for) |
| --- | --- |
| Receive ACLs—limits the type of traffic that can be forwarded to the processor | Demonstrate use of ACLs in security policy |
| Control Plane Policing (CPP)—provides QoS control for the packets destined to the control plane of the device; ensures adequate bandwidth is reserved for high-priority traffic such as routing protocols | Demonstrate use of QoS control in security policy |
| Routing protection—MD5 neighbor authentication protects routing domains from spoofing attacks | Demonstrate use of MD5 neighbor authentication in security policy |
| Auto secure procedures in place | Demonstrate lock down of devices using industry best practices (NSA) |
Management Plane
Partner must demonstrate that the following capabilities have been implemented to protect the management plane on each device:

| Requirement | Auditor Instructions (What to Look for) |
| --- | --- |
| CPU and memory thresholding—protects CPU and memory resources of IOS devices against DDoS attacks | Procedure in place to react to thresholds being exceeded, or documentation in support of the functionality |
| Dual export syslog—increases availability by exporting information to dual collectors | Part of the design for collection of management information from each device |
| Procedures to prevent unauthorized management access to devices | Partner must have a security procedure in place. Can use features such as Secure Shell (SSH)-only access, VTY access control lists, Cisco IOS software login enhancements, SNMP v3, TACACS+ |
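As an added illustration that is not part of the Cisco program document, the configuration below shows how the data-, control- and management-plane requirements above map onto a single IOS peering router; interface names, addresses, AS numbers, rates and keys are constructed placeholders.

```cisco
! Added example (not from the Cisco document): one IOS peering router hardened
! per plane. Addresses, AS numbers, names and keys are constructed placeholders.
! --- Data plane: iACL, loose uRPF (drops sources routed to Null0 by RTBH), ICMP policer ---
ip access-list extended INFRA-IN
 permit tcp host 203.0.113.1 host 203.0.113.2 eq bgp
 permit tcp host 203.0.113.1 eq bgp host 203.0.113.2
 deny   ip any 192.0.2.0 0.0.0.255 log
 permit ip any any
ip access-list extended ICMP-ANY
 permit icmp any any
class-map match-all ICMP-ANY
 match access-group name ICMP-ANY
policy-map EDGE-POLICE
 class ICMP-ANY
  police 1000000 conform-action transmit exceed-action drop
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 ip access-group INFRA-IN in
 ip verify unicast source reachable-via any
 service-policy input EDGE-POLICE
ip route 10.255.255.1 255.255.255.255 Null0
! --- Control plane: CoPP for the route processor, MD5 on the BGP session ---
ip access-list extended CP-ROUTING
 permit tcp host 203.0.113.1 host 203.0.113.2 eq bgp
 permit tcp host 203.0.113.1 eq bgp host 203.0.113.2
class-map match-all CP-ROUTING
 match access-group name CP-ROUTING
policy-map COPP
 class CP-ROUTING
  police 512000 conform-action transmit exceed-action transmit
 class class-default
  police 256000 conform-action transmit exceed-action drop
control-plane
 service-policy input COPP
router bgp 64496
 neighbor 203.0.113.1 remote-as 64500
 neighbor 203.0.113.1 password EXAMPLE-BGP-KEY
! --- Management plane: SSH-only VTYs, login guard, SNMPv3, dual syslog, CPU threshold ---
ip access-list standard MGMT-HOSTS
 permit 198.51.100.0 0.0.0.255
ip ssh version 2
login block-for 120 attempts 3 within 60
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
snmp-server group NOC v3 priv
snmp-server user noc-ro NOC v3 auth sha EXAMPLE-AUTH-KEY priv aes 128 EXAMPLE-PRIV-KEY
logging host 198.51.100.10
logging host 198.51.100.11
process cpu threshold type total rising 80 interval 5
```

Source-based RTBH works here because a trigger router advertising a victim-source prefix with next hop 10.255.255.1 makes loose uRPF discard that source at this edge. In production the CoPP policy would also carry a dedicated class for management traffic from MGMT-HOSTS rather than leaving it in class-default.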
Device-Level Security

| Plane | Requirement | Auditor Instructions (What to Look for) |
| --- | --- | --- |
| Data Plane | Policy for protection against security attacks | Clearly defined and documented security policy covering protection of infrastructure from security attacks |
| Data Plane | Access Control Lists (ACL)—protects devices from malicious traffic by explicitly permitting legitimate traffic | Infrastructure ACLs are applied to the network core |
| Data Plane | QoS tools—used to protect against flooding attacks | Defined QoS policies to rate limit or drop offending traffic (identify, classify and rate limit) |
| Control Plane | Routing protection—MD5 neighbor authentication protects routing domains from spoofing attacks | Demonstrated use of MD5 neighbor authentication in security policy |
| Control Plane | Auto secure procedures in place | Demonstrated lock down of devices using industry best practices (NSA) |
| Management Plane | Procedures to prevent unauthorized management access to devices | Partner must have a security procedure in place. Can use features such as Secure Shell (SSH)-only access, VTY access control lists, Cisco IOS software login enhancements, SNMP v3, TACACS+. Demonstrated in the Technical Service Description (TSD) or another available document |

No device-level security requirements at this level