Managed Internet

Cisco Powered Managed Services

A Cisco Powered Managed Internet service delivers secure Internet connectivity. The service:

  • Is based on the Cisco self-defending network architecture and is built upon a secure infrastructure.
  • Delivers connectivity for users regardless of location and access methods. It is backed by comprehensive SLAs covering the overall performance of the service, and online access to real-time and historical service-performance reports.
  • Offers service-level agreements for network performance and service availability, and supports quality of service (QoS) techniques, access control lists and other industry best practices.

To view a complete list of requirements for this service, please visit the Managed Services: Portfolio Requirements page.

To view the full Bills of Material for this service, please visit the MSCP Portfolio: Bills of Material page.



Device-Level Security

Requirement / Auditor Instructions (What to Look for)

Data Plane
Partner must demonstrate that the following capabilities have been implemented to protect the data plane on each device. The auditor looks for clearly defined and documented security procedures that describe how each capability is implemented as part of an overall security policy.
  • Access Control Lists (ACL)—protect devices from malicious traffic by explicitly permitting only legitimate traffic.
    What to look for: infrastructure ACLs applied to the network core.
  • Unicast Reverse Path Forwarding (uRPF)—mitigates attacks that rely on malformed or spoofed IP source addresses.
    What to look for: packets whose source address cannot be verified are dropped.
  • Remotely Triggered Black Hole (RTBH)—drops packets matching an attacked or attacking address by routing them to a null interface; the drop is triggered remotely through a routing update, so it can be deployed while a device is under attack.
    What to look for: a filtering method for dropping malicious traffic at the peering edge of the network.
  • QoS tools—protect against flooding attacks.
    What to look for: defined QoS policies that identify, classify and rate limit or drop offending traffic.
Note: The current specifications apply, but newer releases and revisions may supersede the requirements outlined here.

Control Plane
Partner must demonstrate that the following capabilities have been implemented to protect the control plane on each device:
  • Receive ACLs—limit the type of traffic that may be forwarded to the route processor.
    What to look for: use of ACLs in the security policy.
  • Control Plane Policing (CPP)—applies QoS control to packets destined to the control plane of the device, ensuring that adequate bandwidth is reserved for high-priority traffic such as routing protocols.
    What to look for: use of QoS control in the security policy.
  • Routing protection—MD5 neighbor authentication protects routing domains from spoofed routing updates.
    What to look for: use of MD5 neighbor authentication in the security policy.
  • AutoSecure procedures in place.
    What to look for: devices locked down using industry best practices (NSA router security guidance).

Management Plane
Partner must demonstrate that the following capabilities have been implemented to protect the management plane on each device:
  • CPU and memory thresholding—protects the CPU and memory resources of IOS devices against DDoS attacks.
    What to look for: a procedure to react to thresholds being exceeded, or documentation supporting the functionality.
  • Dual export syslog—increases availability by exporting log information to two collectors.
    What to look for: collection of management information from each device is part of the design.
  • Procedures to prevent unauthorized management access to devices.
    What to look for: a security procedure in place. It may use features such as SSH-only access, VTY access control lists, Cisco IOS software login enhancements, SNMPv3 and TACACS+.
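The "What to Look for" column above describes a manual review of each device. As an added example that is not Cisco's or the program's own tooling, the Python script below applies the same device-level checks (infrastructure ACL and uRPF on interfaces, an RTBH discard route, CPP attached to the control plane, MD5 on BGP neighbors, CPU thresholding, dual syslog collectors, SSH-only VTY lines with an access-class, login enhancements, SNMPv3 and TACACS+) to a Cisco IOS running-config. The embedded config, its interface name, RFC 5737 address ranges, ACL and policy names and AS number are constructed for illustration; the script checks only the BGP `neighbor ... password` form of MD5 authentication, and the NSA lock-down item is left to manual review because the page defines it by reference to guidance rather than a configuration line.

```python
"""Audit a Cisco IOS running-config for the data-, control- and management-plane
controls above (added example, not Cisco's tooling). Commands are grouped by
indentation so a check can require a command in its proper context."""
import re

# Constructed sample running-config that satisfies every check. Interface,
# prefixes (RFC 5737 ranges), ACL/policy names and the AS number are assumptions.
COMPLIANT_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
login block-for 120 attempts 3 within 60
process cpu threshold type total rising 80 interval 5 falling 20 interval 5
logging host 192.0.2.10
logging host 192.0.2.11
snmp-server group NMS-ADMIN v3 priv
ip route 192.0.2.1 255.255.255.255 Null0
interface GigabitEthernet0/0
 ip verify unicast source reachable-via any
 ip access-group INFRA-ACL in
router bgp 64496
 neighbor 198.51.100.2 password 7 0822455D0A16
policy-map COPP
 class COPP-ROUTING
  police 512000 conform-action transmit exceed-action transmit
control-plane
 service-policy input COPP
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
"""

# Same device with telnet re-enabled, one syslog collector dropped and uRPF removed.
WEAK_CONFIG = (COMPLIANT_CONFIG
               .replace(" transport input ssh", " transport input telnet ssh")
               .replace("logging host 192.0.2.11\n", "")
               .replace(" ip verify unicast source reachable-via any\n", ""))

def parse_sections(config):
    """Map each top-level command to the list of its indented sub-commands."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(raw.strip())
    return sections

def _count(sections, pattern):
    """Number of top-level commands matching the regex."""
    return sum(bool(re.fullmatch(pattern, h)) for h in sections)

def _under(sections, prefix, pattern, every=False):
    """True if some section (every section, with every=True) whose header starts
    with prefix contains a sub-command matching the regex."""
    hits = [any(re.fullmatch(pattern, c) for c in kids)
            for h, kids in sections.items() if h.startswith(prefix)]
    return bool(hits) and (all(hits) if every else any(hits))

# (plane, requirement as the auditor would phrase it, predicate on parsed sections)
CHECKS = [
    ("data", "Infrastructure ACL applied inbound on an interface",
     lambda s: _under(s, "interface ", r"ip access-group \S+ in")),
    ("data", "Unicast RPF enabled on an interface",
     lambda s: _under(s, "interface ", r"ip verify unicast source reachable-via (rx|any).*")),
    ("data", "RTBH discard route to Null0",
     lambda s: _count(s, r"ip route \S+ \S+ Null0.*") >= 1),
    ("control", "Control Plane Policing attached to the control plane",
     lambda s: _under(s, "control-plane", r"service-policy input \S+")),
    ("control", "MD5 password configured on BGP neighbors",
     lambda s: _under(s, "router bgp", r"neighbor \S+ password .*")),
    ("management", "CPU threshold notifications configured",
     lambda s: _count(s, r"process cpu threshold type .*") >= 1),
    ("management", "Syslog exported to two collectors",
     lambda s: _count(s, r"logging host \S+.*") >= 2),
    ("management", "VTY lines accept SSH only",
     lambda s: _under(s, "line vty", r"transport input ssh", every=True)),
    ("management", "VTY access restricted by access-class",
     lambda s: _under(s, "line vty", r"access-class \S+ in.*", every=True)),
    ("management", "Login enhancements (login block-for) enabled",
     lambda s: _count(s, r"login block-for \d+ attempts \d+ within \d+") >= 1),
    ("management", "SNMPv3 group requires authentication and privacy",
     lambda s: _count(s, r"snmp-server group \S+ v3 priv.*") >= 1),
    ("management", "TACACS+ used for login authentication",
     lambda s: _count(s, r"aaa authentication login \S+ group tacacs\+.*") >= 1),
]

def audit(config):
    """Return {(plane, requirement): passed} for every check."""
    sections = parse_sections(config)
    return {(plane, req): bool(pred(sections)) for plane, req, pred in CHECKS}

def findings(config):
    """Failed requirements grouped by plane, in report order."""
    out = {}
    for (plane, req), ok in audit(config).items():
        if not ok:
            out.setdefault(plane, []).append(req)
    return out
```

Run against the real `show running-config` output of each device under audit; `findings(WEAK_CONFIG)` reports the missing uRPF, the single syslog collector and the telnet-enabled VTY lines, while the compliant sample produces no findings. The context-aware matching matters: `transport input telnet ssh` under a VTY line or a `service-policy` applied to an interface rather than `control-plane` would otherwise pass a naive substring search.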

Device-Level Security

Requirement / Auditor Instructions (What to Look for)

Data Plane
  • Policy for protection against security attacks.
    What to look for: a clearly defined and documented security policy covering protection of the infrastructure from security attacks.
  • Access Control Lists (ACL)—protect devices from malicious traffic by explicitly permitting only legitimate traffic.
    What to look for: infrastructure ACLs applied to the network core.
  • QoS tools—protect against flooding attacks.
    What to look for: defined QoS policies that identify, classify and rate limit or drop offending traffic.

Control Plane
  • Routing protection—MD5 neighbor authentication protects routing domains from spoofed routing updates.
    What to look for: demonstrated use of MD5 neighbor authentication in the security policy.
  • AutoSecure procedures in place.
    What to look for: demonstrated lock down of devices using industry best practices (NSA router security guidance).

Management Plane
  • Procedures to prevent unauthorized management access to devices.
    What to look for: a security procedure in place, which may use features such as SSH-only access, VTY access control lists, Cisco IOS software login enhancements, SNMPv3 and TACACS+, demonstrated in the Technical Service Description (TSD) or another available document.

No device-level security requirements at this level