
Cisco Network Foundation Protection

For today’s businesses, connecting to the Internet is imperative, but it also exposes their network elements and infrastructure to threats. To address the increasing complexity of attacks in this environment, Cisco Systems® has enhanced Cisco IOS® Software features and capabilities for network elements and infrastructure, helping to ensure their availability under any circumstances. Cisco® Network Foundation Protection (NFP) provides the tools, technologies, and services that enable organizations to secure their network foundation. This, in turn, delivers the ability to control packet flows and protect the network core against security threats such as distributed denial-of-service (DDoS) attacks.

A secure infrastructure also forms the foundation for service delivery. Continuous service delivery requires a methodical approach to protecting router planes. A router is typically segmented into three planes, each with a clearly identified objective. The data plane provides the ability to forward data packets; the control plane provides the ability to route data correctly; and the management plane provides the ability to manage network elements.

In securing the foundation, Cisco recommends that service providers take the “security toolkit” approach—selecting security tools and techniques based on assessing and identifying risks and threats to the network infrastructure. The security toolkit should also be flexible enough so that new tools and techniques can be added when a security threat warrants them. With careful consideration to meet the objectives for each router plane, service providers can select the right tool for the right job when dealing with security incidents.

Each router plane requires its own protective tools:

  • Data plane protection requires detecting traffic anomalies and responding to attacks in real time. Some of the tools associated with securing the data plane are NetFlow, IP Source Tracker, access control lists (ACLs), Unicast Reverse Path Forwarding (uRPF), Remotely Triggered Blackhole (RTBH) Filtering, and quality-of-service (QoS) tools.

  • Control plane protection calls for a defense-in-depth approach to routing control. Some of the tools for securing the control plane are Receive ACL (rACL) and Control Plane Policing (CoPP).

  • Management plane protection allows secure, continuous management of Cisco IOS Software-based network infrastructure. Among the tools for securing the management plane are CPU and memory thresholding and dual export syslog.

When it comes to securing the network foundation, Cisco NFP should be considered a proactive security measure. In addition, methodical segmentation of router planes, combined with the security toolkit approach, will go far in providing flexibility and strengthening the tactical response to security issues.

To learn more about Cisco NFP, visit
http://www.cisco.com/go/nfp

For more specific information about Enhanced Cisco IOS Security Services, Cisco AutoSecure, Control Plane Policing, CPU and Memory Thresholding Notification, and other new security features that protect the router, visit
http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps5207/products_data_sheet09186a00801f98de.html

For more information about Cisco IOS Threat Defense features that protect the network elements that are connected to Cisco IOS Software-based routers, visit:
http://www.cisco.com/go/iossecurity

This article was contributed by Tom Guerrette, Product Manager, Cisco Systems, Inc. 

 

 


Copyright © 2006 Silicon Valley Communications - All rights reserved.