Troubleshoot Security

There are three planes of a router that need to be secured: the management plane, the control plane and the data plane.

Management Plane
Used to access and configure a switch or router. It is secured through SNMPv3, TACACS+, VTY ACLs and SSH. It is also a best practice to configure role-based CLI views.

TACACS+ and RADIUS are used in part to secure user access to the management plane. The major differences between them:

Characteristic   TACACS+                                                  RADIUS
Transport        TCP                                                      UDP
Modularity       Separates authentication, authorization and accounting   Combines authentication and authorization
Security         Limit commands                                           No command limit
Encryption       Entire packet                                            Only encrypts password
Accounting       Basic                                                    Robust
Standard         No                                                       Yes

Sources:
Cisco Document ID 13838
TSHOOT Book p.287

Control plane
Includes the routing protocols and spanning tree running between routers and switches; it is the ability of a router to route. The control plane can be secured with the auto secure command, routing protocol authentication, and CPU/memory thresholding.

See each routing protocol discussion for troubleshooting steps.

Securing STP
Root Guard — Enabled on a per-port basis. When the port receives a superior BPDU (one with a lower bridge ID), the local switch does not allow the new switch to become the root. Instead the port is placed in the root-inconsistent state, and no data can be sent or received on it until the superior BPDUs stop.

BPDU Guard — PortFast moves an end-user port straight to the forwarding state without going through the normal STP transition states, which can induce loops in the network if a switch is plugged into that port. If any BPDU is received on a port where BPDU Guard is enabled, that port is put into the errdisable state. It can then be recovered manually or through the errdisable recovery timeout.

Data plane
Forwards data through a router or switch. The data plane can be secured through ACLs, 802.1X, Unicast Reverse Path Forwarding (uRPF), and IPsec VPN tunnels.

Securing DHCP and ARP:
DHCP snooping — With DHCP snooping enabled, each switch port is either trusted or untrusted. Any DHCP server reply arriving on an untrusted port is discarded, because it must have come from a rogue DHCP server. Additionally, that switch port is placed in the errdisable state.

Dynamic ARP Inspection (DAI) — Helps prevent ARP spoofing attacks. DHCP snooping keeps a binding table of completed DHCP bindings, including the MAC address, the IP address offered and the lease time. DAI checks ARP packets against this database to stop man-in-the-middle style attacks.

802.1X
Port-based authentication is a combination of AAA authentication and port security. An 802.1X port begins in an unauthorized state and requires the client to authenticate before it is allowed to communicate. The three components of an 802.1X network are:
Supplicant — Device trying to gain access.
Authenticator — Acts as an intermediary (proxy) between the host and the authentication server, requesting identity information from the host, verifying that information with the authentication server, and relaying a response to the host.
Authentication Server — Performs the actual authentication of the supplicant. The authentication server validates the identity of the supplicant and notifies the switch if it is authorized to communicate on the network.
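The STP guards, DHCP snooping, DAI and 802.1X settings described above, put together on one access switch as an added Cisco IOS example (not configuration from the original post or its sources). Assumed topology: VLAN 10 is the user VLAN, Gi1/0/1 is the uplink toward the STP root and the DHCP server, Gi1/0/2 is a downlink to another access switch, Gi1/0/3-24 are end-user ports, and the RADIUS server address and key are placeholders.

```cisco
! Added example, not the post's own config. Placeholders: 192.0.2.10, PLACEHOLDER-KEY
! Auto-recovery so a port tripped by a guard comes back after 300 s
errdisable recovery cause bpduguard
errdisable recovery cause arp-inspection
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! DHCP snooping: every port is untrusted until marked trusted below
ip dhcp snooping
ip dhcp snooping vlan 10
!
! DAI validates ARP on VLAN 10 against the snooping binding table
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! 802.1X: AAA with a RADIUS authentication server (IOS 15.x "radius server" syntax assumed)
aaa new-model
aaa authentication dot1x default group radius
radius server AUTH-SERVER
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER-KEY
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description Uplink toward STP root and DHCP server: trusted for snooping/DAI
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet1/0/2
 description Downlink to another access switch: it must never become root
 switchport mode trunk
 spanning-tree guard root
!
interface range GigabitEthernet1/0/3 - 24
 description End-user ports: PortFast + BPDU Guard, untrusted, 802.1X
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 15
 authentication port-control auto
 dot1x pae authenticator
!
! Verification when troubleshooting:
!   show ip dhcp snooping binding        (bindings DAI relies on)
!   show ip arp inspection vlan 10       (DAI drop counters)
!   show spanning-tree inconsistentports (root-inconsistent ports)
!   show interfaces status err-disabled  (ports tripped by BPDU Guard)
!   show dot1x all                       (port authorization state)
```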
Source:
TSHOOT Book
6500 802.1X Configuration Guide

This entry was posted in Routing.