Lecture CCNA security partner - Chapter 3: Network Foundation Protection and Cisco Configuration Professional


Network Foundation Protection and Cisco Configuration Professional

© 2012 Cisco and/or its affiliates. All rights reserved.



Threats Against the Network Infrastructure
• Cisco Network Foundation Protection (NFP) is an umbrella strategy for protecting the network infrastructure itself: it groups the Cisco IOS security features by the functional plane they protect (control, management and data) rather than treating them as unrelated knobs.



Cisco NFP Framework



Some Components of Cisco NFP





Some of Cisco NFP in a Network



Control Plane Security

Goal of CoPP: Treat the CPU as an Interface
• Control Plane Policing (CoPP) is a Cisco IOS feature that lets administrators classify and rate-limit the traffic that must be handled by the device's route processor (CPU), in the same way a QoS policy is applied to a physical interface. Traffic that would otherwise be punted to the CPU without limit (routing updates, management sessions, but also floods of fragments or packets to closed ports) is policed per class, so a flood cannot starve routing-protocol processing.


Cisco AutoSecure
Cisco AutoSecure allows two modes of operation:
• Interactive mode: Prompts users to select their own configuration of
router services and other security-related features
• Noninteractive mode: Configures security-related features of the router
based on a set of Cisco defaults
Cisco AutoSecure protects the router functional planes by doing the
following:
• Disabling often unnecessary and potentially insecure global services
• Enabling certain services that help further secure often necessary global services
• Disabling often unnecessary and potentially insecure interface services, which can be configured on a per-interface level
• Securing administrative access to the router
• Enabling appropriate security-related logging
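What the five bullets amount to in configuration, as an added example that is not the slides' content and not the literal output of `auto secure`: the one-line non-interactive form is `auto secure no-interact`, and the block below is a hand-written subset of the commands AutoSecure is documented to apply, grouped by the bullet they belong to, so the change can be reviewed or applied selectively instead of trusting a default set. The interface name, the `login block-for` values, the logging sizes and the minimum password length are assumptions.

```cisco
! Added example: a reviewable subset of what AutoSecure applies, written by hand.
! Equivalent one-liners:  auto secure no-interact   (Cisco defaults)
!                          auto secure              (interactive prompts)
!
! --- Disable often unnecessary and potentially insecure global services
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
! Disabling CDP globally also breaks IP-phone discovery; on a switch-facing
! router consider "no cdp enable" only on untrusted interfaces instead.
no cdp run
!
! --- Enable services that further secure the ones that stay
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
!
! --- Secure administrative access (values are assumptions)
security passwords min-length 10
security authentication failure rate 10 log
login block-for 120 attempts 3 within 60
banner motd ^Unauthorized access is prohibited^
!
! --- Enable security-related logging
logging buffered 16384
logging console critical
logging trap debugging
!
! --- Disable insecure per-interface services (interface name is an assumption;
!     repeat on every active interface)
interface GigabitEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
```

Copy the running configuration off the box before running `auto secure no-interact`; the non-interactive mode has no undo other than restoring that copy. Afterwards compare with `show running-config` to confirm each expected line is present and that nothing the site depends on (CDP, HTTP for management, proxy ARP on a legacy segment) was removed without a plan.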


Cisco AutoSecure Protection for All Three Planes


Secure Management and Reporting



Role-Based Access Control



Deploying AAA

• AAA servers are typically used as a central repository of authentication credentials (the users, answering the question "who is trying to access the device?"), authorization rules (the "what" users can accomplish), and accounting logs (the "what users did" part of the equation).
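The three questions in the paragraph mapped onto a router configuration, as an added example that is not from the slides: login authentication, EXEC and command authorization, and accounting all point at a TACACS+ server group with local fallback, while the console keeps a purely local method so an unreachable AAA server cannot lock the administrator out. The server address 10.1.1.10, the shared secret, the local username and the method-list names are assumptions.

```cisco
! Added example; address, secrets and names are assumptions.
aaa new-model
!
tacacs server TAC-1
 address ipv4 10.1.1.10
 key ReplaceWithLongSharedSecret
aaa group server tacacs+ TAC-GROUP
 server name TAC-1
!
! Local fallback account, consulted only when no TACACS+ server answers
username admin privilege 15 secret ReplaceWithLocalSecret
!
! Authentication: WHO is trying to access the device?
aaa authentication login VTY-AUTH group TAC-GROUP local
aaa authentication login CON-AUTH local
!
! Authorization: WHAT may the user do? (EXEC shell and privilege-15 commands)
aaa authorization exec VTY-AUTHZ group TAC-GROUP local
aaa authorization commands 15 VTY-AUTHZ group TAC-GROUP local
!
! Accounting: WHAT DID the user do? (session start/stop and each level-15 command)
aaa accounting exec default start-stop group TAC-GROUP
aaa accounting commands 15 default start-stop group TAC-GROUP
!
line con 0
 login authentication CON-AUTH
line vty 0 4
 login authentication VTY-AUTH
 authorization exec VTY-AUTHZ
 authorization commands 15 VTY-AUTHZ
 transport input ssh
```

Keep an existing console or SSH session open while applying this, and test the server path with `test aaa group TAC-GROUP admin <password> new-code` before logging out. Per-command accounting and authorization are a TACACS+ capability; RADIUS cannot provide the command-level "what users did" record.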


Data Plane Security
Among the laundry list of ways to protect the data plane, some that we will see in this book include
• Access control lists
• Private VLAN
• Firewalling
• Intrusion Prevention System (IPS)



Access Control List Filtering

The following are the most common reasons to use ACLs:

• Block unwanted traffic or users
• Reduce the chance of DoS attacks for internal devices
• Mitigate spoofing attacks
• Provide bandwidth control
• Classify traffic to protect other planes



Antispoofing

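Filtering and antispoofing together, as an added example that serves both the list of ACL use cases above and the Antispoofing slide; it is not from the page. The scenario is assumed: the site's inside prefix is 192.0.2.0/24 (a documentation prefix) and GigabitEthernet0/0 faces the Internet. The inbound list drops packets whose source claims to be inside or unroutable, the outbound list stops the site from being used to spoof others, and unicast RPF adds a routing-table-driven check that does not need maintaining as prefixes change.

```cisco
! Added example; prefixes and interface names are assumptions.
! Inbound from the Internet: drop sources that cannot legitimately arrive here
ip access-list extended OUTSIDE-IN
 remark Antispoofing: our own prefix must never arrive from outside
 deny   ip 192.0.2.0 0.0.0.255 any log
 remark Private, loopback, link-local, unspecified and multicast sources
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 remark Block unwanted services/users (telnet to anything inside)
 deny   tcp any any eq telnet
 remark Reduce DoS exposure of internal hosts: non-initial fragments
 deny   ip any any fragments
 remark Return traffic for sessions started from inside
 permit tcp any 192.0.2.0 0.0.0.255 established
 permit udp any eq domain 192.0.2.0 0.0.0.255
 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
 permit icmp any 192.0.2.0 0.0.0.255 unreachable
 permit icmp any 192.0.2.0 0.0.0.255 time-exceeded
 deny   ip any any log
!
! Outbound: egress filtering so this site cannot spoof other networks (BCP 38)
ip access-list extended INSIDE-OUT
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Internet
 ip access-group OUTSIDE-IN in
 ip access-group INSIDE-OUT out
 ! Strict unicast RPF: source must be reachable back out this interface (needs CEF)
 ip verify unicast source reachable-via rx
```

Check hit counts with `show ip access-lists OUTSIDE-IN` and the uRPF state with `show ip interface GigabitEthernet0/0`. Two caveats a practitioner would want: `established` only inspects the ACK/RST bits, so it is not stateful and is the reason the data-plane list above also names firewalling; and strict uRPF (`rx`) breaks on asymmetrically routed links, where the loose form (`reachable-via any`) is the safe choice. Logging on the final deny is CPU-bound; on a busy edge rate-limit it or log only during investigation.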


Layer 2 Data Plane Protection
Data plane protection mechanisms depend on which features a given device supports. In a switching infrastructure, Cisco Catalyst switches provide data plane security with these integrated tools:
• Port security limits the number of MAC addresses learned on a port, which defeats MAC (CAM table) flooding attacks.
• DHCP snooping marks ports as trusted or untrusted, drops DHCP server messages arriving on untrusted ports and rate-limits client requests, stopping rogue DHCP servers and DHCP starvation attacks against the real server and the switch; it also builds the IP-to-MAC-to-port binding table that the next two features rely on.
• Dynamic ARP Inspection (DAI) validates ARP packets against the DHCP snooping binding table to minimize the impact of ARP poisoning and spoofing attacks.
• IP Source Guard filters each port's traffic by source IP address (and optionally MAC address) against the DHCP snooping binding table, preventing IP address spoofing.

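The four Catalyst features wired together on one access switch, as an added example that is not from the slides. VLAN 10, the interface numbers, the uplink toward the DHCP server and the rate limits are assumptions. The order is deliberate: DAI and IP Source Guard consume the binding table that DHCP snooping builds, so snooping must be on and populated before the other two can permit anything.

```cisco
! Added example; VLAN, interfaces and limits are assumptions.
! 1. DHCP snooping: builds the IP/MAC/port binding table, blocks rogue servers
ip dhcp snooping
ip dhcp snooping vlan 10
! Do not insert option 82 unless the relay/server trusts it; otherwise clients
! behind this switch silently stop receiving leases
no ip dhcp snooping information option
!
! 2. Dynamic ARP Inspection: ARP packets on VLAN 10 must match a binding
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Uplink toward the DHCP server and the rest of the network: trusted for both
interface GigabitEthernet1/0/1
 description Uplink (trusted)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports: untrusted by default; add port security, rate limits, IPSG
interface range GigabitEthernet1/0/2 - 24
 switchport mode access
 switchport access vlan 10
 ! 3. Port security caps learned MACs (phone + PC), defeating CAM flooding
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ! Rate-limit DHCP and ARP per port; exceeding it err-disables the port
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ! 4. IP Source Guard: only the bound IP (and MAC, via port security) may send
 ip verify source port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Let ports recover on their own from rate-limit err-disable events
errdisable recovery cause arp-inspection
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
```

Verify with `show ip dhcp snooping binding` (the table must contain an entry per client before DAI and IPSG will pass its traffic), `show ip arp inspection statistics vlan 10`, `show port-security interface GigabitEthernet1/0/2` and `show ip verify source`. Hosts with static addresses never appear in the snooping table; they need `ip source binding` entries and an ARP ACL, or they are cut off the moment IPSG and DAI are enabled.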


Cisco Configuration Professional



CCP Initial Configuration



Command to Provision a Deployed Device with CCP Support

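The slide carries only the title; the provisioning commands themselves, given here as an added example that is not taken from the page, are the prerequisites Cisco documents for managing a router with CCP: a privilege-15 user, an HTTPS server on the router that authenticates against the local user database, and SSH on the VTY lines for configuration delivery. The username, the management subnet 10.1.1.0/24, the ACL number and the domain name are assumptions, and the access-class restriction is an addition a practitioner would want rather than part of the minimal prerequisite set.

```cisco
! Added example; user name, management subnet, ACL number and domain are assumptions.
! Privilege-15 user that CCP logs in as
username ccpadmin privilege 15 secret ReplaceWithStrongSecret
!
! HTTPS server for CCP, authenticated against the local database;
! cleartext HTTP stays disabled
no ip http server
ip http secure-server
ip http authentication local
ip http timeout-policy idle 600 life 86400 requests 10000
!
! Only the management subnet may reach the HTTPS server or the VTY lines
access-list 10 remark Management hosts allowed to use CCP and SSH
access-list 10 permit 10.1.1.0 0.0.0.255
ip http access-class 10
!
! SSH for CCP's configuration delivery (domain name needed for the RSA key)
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
```

`ip http secure-server` creates a self-signed certificate, so the browser warning on first connection is expected; pin or replace the certificate rather than teaching operators to click through. Confirm the listener with `show ip http server status` and the key with `show crypto key mypubkey rsa`.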


Using CCP to Harden Cisco IOS Devices


Security Audit Tools

