Router Security Strategies Securing IP Network Traffic Planes

by Gregg Schudel and David J. Smith

  • Edition: 1st
  • Format: Paperback
  • Copyright: 2007-12-29
  • Publisher: Cisco Press




Router Security Strategies: Securing IP Network Traffic Planes provides a comprehensive approach to understanding and implementing IP traffic plane separation and protection on IP routers. This book details the distinct traffic planes of IP networks and the advanced techniques necessary to operationally secure them. This includes the data, control, management, and services planes that provide the infrastructure for IP networking.

The first section provides a brief overview of the essential components of the Internet Protocol and IP networking. At the end of this section, you will understand the fundamental principles of defense in depth and breadth security as applied to IP traffic planes. Techniques to secure the IP data plane, IP control plane, IP management plane, and IP services plane are covered in detail in the second section. The final section provides case studies from both the enterprise network and the service provider network perspectives. In this way, the individual IP traffic plane security techniques reviewed in the second section of the book are brought together to help you create an integrated, comprehensive defense in depth and breadth security architecture.

"Understanding and securing IP traffic planes are critical to the overall security posture of the IP infrastructure. The techniques detailed in this book provide protection and instrumentation enabling operators to understand and defend against attacks. As the vulnerability economy continues to mature, it is critical for both vendors and network providers to collaboratively deliver these protections to the IP infrastructure." Russell Smoak, Director, Technical Services, Security Intelligence Engineering, Cisco

Gregg Schudel, CCIE® No. 9591, joined Cisco in 2000 as a consulting system engineer supporting the U.S. service provider organization. Gregg focuses on IP core network security architectures and technology for interexchange carriers and web services providers.

David J. Smith, CCIE No. 1986, joined Cisco in 1995 and is a consulting system engineer supporting the service provider organization. David focuses on IP core and edge architectures including IP routing, MPLS technologies, QoS, infrastructure security, and network telemetry.

  • Understand the operation of IP networks and routers
  • Learn about the many threat models facing IP networks, Layer 2 Ethernet switching environments, and IPsec and MPLS VPN services
  • Learn how to segment and protect each IP traffic plane by applying defense in depth and breadth principles
  • Use security techniques such as ACLs, rate limiting, IP Options filtering, uRPF, QoS, RTBH, QPPB, and many others to protect the data plane of IP and switched Ethernet networks
  • Secure the IP control plane with rACL, CoPP, GTSM, MD5, BGP and ICMP techniques and Layer 2 switched Ethernet-specific techniques
  • Protect the IP management plane with password management, SNMP, SSH, NTP, AAA, as well as other VPN management, out-of-band management, and remote access management techniques
  • Secure the IP services plane using recoloring, IP fragmentation control, MPLS label control, and other traffic classification and process control techniques

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Gregg Schudel, CCIE No. 9591 (Security), joined Cisco in 2000 as a consulting system engineer supporting the U.S. Service Provider Organization. Gregg focuses on IP core network and services security architectures and technology for inter-exchange carriers, web services providers, and mobile providers. Gregg is also part of a team of Corporate and Field resources focused on driving Cisco Service Provider Security Strategy. Prior to joining Cisco, Gregg worked for many years with BBN Technologies, where he supported network security research and development, most notably in conjunction with DARPA and other federal agencies involved in security research. Gregg holds an MS in engineering from George Washington University, and a BS in engineering from Florida Institute of Technology. Gregg can be contacted through e-mail at gschudel@cisco.com.


David J. Smith, CCIE No. 1986 (Routing and Switching), joined Cisco in 1995 and is a consulting system engineer supporting the Service Provider Organization. Since 1999 David has focused on service provider IP core and edge architectures, including IP routing, MPLS technologies, QoS, infrastructure security, and network telemetry. Between 1995 and 1999, David supported enterprise customers designing campus and global WANs. Prior to joining Cisco, David worked at Bellcore developing systems software and experimental ATM switches. David holds an MS in information networking from Carnegie Mellon University, and a BS in computer engineering from Lehigh University. David can be contacted through e-mail at dasmith@cisco.com.

Table of Contents

Foreword (p. xix)
Introduction (p. xx)
IP Network and Traffic Plane Security Fundamentals (p. 3)
Internet Protocol Operations Fundamentals (p. 5)
IP Network Concepts (p. 5)
Enterprise Networks (p. 7)
Service Provider Networks (p. 9)
IP Protocol Operations (p. 11)
IP Traffic Concepts (p. 19)
Transit IP Packets (p. 20)
Receive-Adjacency IP Packets (p. 21)
Exception IP and Non-IP Packets (p. 22)
Exception IP Packets (p. 22)
Non-IP Packets (p. 23)
IP Traffic Planes (p. 24)
Data Plane (p. 25)
Control Plane (p. 27)
Management Plane (p. 29)
Services Plane (p. 30)
IP Router Packet Processing Concepts (p. 32)
Process Switching (p. 36)
Fast Switching (p. 39)
Cisco Express Forwarding (p. 44)
Forwarding Information Base (p. 44)
Adjacency Table (p. 45)
CEF Operation (p. 46)
General IP Router Architecture Types (p. 50)
Centralized CPU-Based Architectures (p. 50)
Centralized ASIC-Based Architectures (p. 52)
Distributed CPU-Based Architectures (p. 54)
Distributed ASIC-Based Architectures (p. 56)
Summary (p. 62)
Review Questions (p. 62)
Further Reading (p. 63)
Threat Models for IP Networks (p. 65)
Threats Against IP Network Infrastructures (p. 65)
Resource Exhaustion Attacks (p. 66)
Direct Attacks (p. 67)
Transit Attacks (p. 70)
Reflection Attacks (p. 74)
Spoofing Attacks (p. 75)
Transport Protocol Attacks (p. 76)
UDP Protocol Attacks (p. 78)
TCP Protocol Attacks (p. 78)
Routing Protocol Threats (p. 81)
Other IP Control Plane Threats (p. 83)
Unauthorized Access Attacks (p. 85)
Software Vulnerabilities (p. 87)
Malicious Network Reconnaissance (p. 88)
Threats Against Layer 2 Network Infrastructures (p. 89)
CAM Table Overflow Attacks (p. 89)
MAC Spoofing Attacks (p. 90)
VLAN Hopping Attacks (p. 92)
Private VLAN Attacks (p. 93)
STP Attacks (p. 94)
VTP Attacks (p. 95)
Threats Against IP VPN Network Infrastructures (p. 96)
MPLS VPN Threat Models (p. 96)
Threats Against the Customer Edge (p. 98)
Threats Against the Provider Edge (p. 99)
Threats Against the Provider Core (p. 101)
Threats Against the Inter-Provider Edge (p. 103)
Carrier Supporting Carrier Threats (p. 103)
Inter-AS VPN Threats (p. 105)
IPsec VPN Threat Models (p. 108)
Summary (p. 111)
Review Questions (p. 112)
Further Reading (p. 113)
IP Network Traffic Plane Security Concepts (p. 117)
Principles of Defense in Depth and Breadth (p. 117)
Understanding Defense in Depth and Breadth Concepts (p. 118)
What Needs to Be Protected? (p. 119)
What Are Defensive Layers? (p. 119)
What Is the Operational Envelope of the Network? (p. 122)
What Is Your Organization's Operational Model? (p. 123)
IP Network Traffic Planes: Defense in Depth and Breadth (p. 123)
Data Plane (p. 124)
Control Plane (p. 124)
Management Plane (p. 125)
Services Plane (p. 126)
Network Interface Types (p. 127)
Physical Interfaces (p. 128)
Logical Interfaces (p. 131)
Network Edge Security Concepts (p. 133)
Internet Edge (p. 133)
MPLS VPN Edge (p. 136)
Network Core Security Concepts (p. 138)
IP Core (p. 139)
MPLS VPN Core (p. 140)
Summary (p. 141)
Table of Contents provided by Publisher. All Rights Reserved.
