SlideShare a Scribd company logo

Securing management, control & data plane

NetProtocol Xpert
NetProtocol Xpert

The document discusses securing the management, control, and data planes of a network. It describes: 1. Securing the management plane through strong passwords, encrypted protocols like SSH, user authentication using AAA, role-based access control, logging, and network time protocol. 2. Securing the control plane using control plane policing and protection to minimize CPU load and protect against denial of service attacks. 3. Securing the data plane using access control lists, antispoofing features, port security, DHCP snooping, dynamic ARP inspection, and IP source guard to filter traffic and prevent spoofing and man-in-the-middle attacks.

1 of 18
SECURING MANAGEMENT, CONTROL & DATA PLANE Security | www.netprotocolxpert.in
Management Plane • The management plane performs management functions for a network and coordinates functions among all the planes (management, control, data). The management plane also is used to manage a device through its connection to the network. • Examples of protocols processed in the management plane are Simple Network Management Protocol (SNMP), Telnet, HTTP, Secure HTTP (HTTPS), and SSH. These management protocols are used for monitoring and for CLI access. Restricting access to devices to internal sources (trusted networks) is critical. • There are many methods you can manage a device “VTY, AUX, and Console” lines and ports and you should do your best to keep access through it more secure as you can among some procedures such as :-
• Strong passwords • Make passwords very difficult to break, An attacker can break a password in several ways, including a dictionary and/or a brute force attack. In addition to this, you should use the encrypted password “enable secret” instead of plain text password “enable password”; Enable secrets are hashed using the MD5 algorithm. Also, work on enforcing password policy, including features such as maximum number of login attempts and minimum password length. • Encrypted management protocols • Undoubtedly, accessing devices through “Telnet or HTTP” is not secure anymore as the password sent in plain text, so encrypted communications should be used, such as Secure Shell (SSH) or HypertextTransfer Protocol Secure (HTTPS). • User authentication and AAA • AAA stands for Authentication, Authorization and Accounting. In large networks it isn’t logic to depend on the local user database for authenticating users. The goal of AAA is to identify who users are before giving them any kind of access to the network, and once they are identified, only give them access to the part they are authorized to use, see, or manage. Cisco provides many ways to implement AAA services for Cisco devices, such as ACS server, TACACS server, or RADIUS server and we will cover this point in more details at our next sessions.
• Role-based access control (RBAC) • With RBAC, we can create a role (like a group) and assign that role to the users who will be acting in that role. With the role comes the permissions and access. Ways to implement RBACs include using Access Control Server (ACS) and CLI parser views. • Logging • Logging is a way to create an audit trail, Logging may be done in many different ways, logging includes not only what administrators have changed or done, but also system events that are generated by the router or switch because of some problem that has occurred or some threshold that has been reached. This logging information may be sent to a syslog server. SNMP one of the most important protocols can be used here. • Network Time Protocol (NTP) • NTP is a protocol which is used widely in networking industry to synchronize the clocks of network infrastructure devices (Servers, Routers, Switches, Computers) over a network, This becomes very important to correlate logs between devices in case there is ever a breach and you need to reconstruct (or prove in a court of law) what occurred.
1. How to enable SSH to access a router or switch • To enable SSH on a router or switch, the following items need to be in place: • Hostname other than the default name of router. • Domain name. • Generating a public/private key pair, used behind the scenes by SSH. • Requiring user login via the vty lines, instead of just a password. Local authentication or authentication using anACS server are both options. • Having at least one user account to log in with, either locally on the router, or on anACS server.
2. User Authentication with AAA • There are two models to implement AAA server:- 1. Self-ContainedAAA • AAA services in this model is a self-contained in the router. It is also known as local authentication. 1. The client establishes a connection with the router. 2. The AAA router prompts the user for a username and password. 3. The router authenticates the username and password using the local database and the user is authorized to access the network based on information in the local database.
2. Server-Based AAA • Uses an external database server to authenticate the username/Password. 1. The client establishes a connection with the router. 2. The AAA router prompts the user for a username and password. 3. The router authenticates the username and password using a remote AAA server. 4. The user is authorized to access the network based on information on the remote AAA Server. • There are many names and access methods associated with the central server, including calling it an authentication server, AAA server, ACS server,TACACS server, or RADIUS server. • The following list describes a few of these centralized server types: 1. Cisco Secure ACS Solution Engine: It’s a server appliance with the Access Control Server (ACS) software preinstalled, Cisco ACS uses the two distinct protocols for AAA services RADIUS &TACACS+. 2. Cisco Secure ACS for Windows Server: This software package may be used for user and administrator authentication, AAA services on the router contact an external Cisco Secure ACS (running on a Microsoft Windows system).
Securing Control Plane • Control plane packets are network device–generated or received packets that are used for the creation and operation of the network itself. • From the perspective of the network device, control plane packets always have a receive destination IP address and are handled by the CPU in the network device route processor. Some examples of control plane functions include routing protocols (for example, BGP, OSPF, EIGRP), as well as protocols like Internet Control Message Protocol (ICMP) and the Resource Reservation Protocol (RSVP). • So, The fateful issue to protect the control plane is minimizing the amount of CPU load as much as we can.
Some of the packets and traffic which handled by the CPU: • Receive adjacency traffic: This indication is for any IP address that requires direct handling by the Cisco device CPU which is refereed by the term receive in the show ip cef command- line interface (CLI) output. • Access control list (ACL) logging: The log and log-input options apply to an ACL entries and cause packets that match the ACL entry to be logged. • Unicast Reverse Path Forwarding (uRPF): Security feature works by enabling a router to verify the reachability of the source address in packets being forwarded. • IP options: Any IP packets with options included must be processed by the CPU. • Fragmentation: Any IP packet that requires fragmentation must be passed to the CPU for processing.
• Time-To-Live (TTL) expiry: Packets that have aTTL value less than or equal to 1. • Traffic requiring an ARP request: Destinations for which an ARP entry does not exist require processing by the CPU. • Non-IP traffic: All non-IP traffic is processed by the CPU. • Through the use of control plane policing (CoPP) and control plane protection (CPPr) we can secure the control plane.
Control Plane Policing(CoPP): • It’s a feature designed to allow users to manage the flow of traffic handled by the router processor of their network devices. • Control plane policing can be performed through the use of granular classification ACLs and the use of the show policymap control-plane command to display it. Benefits of Control Plane Policing • Configuring the Control Plane Policing feature on your Cisco router or switch provides the following benefits: • Protection against DoS attacks at infrastructure routers and switches. • QoS control for packets that are destined to the control plane of Cisco routers or switches. • Ease of configuration for control plane policies. • Better platform reliability and availability
• In below example we are about permit only the BGP and OSPF and discard any ip packet has a ttl less than 2 to reach the Cisco device CPU.
Control Plane Protection(CPPr): • The Control Plane Protection feature is an extension of the policing functionality provided by the existing Control-plane Policing feature.The Control-plane Policing feature allows Quality of Service (QoS) policing of aggregate control-plane traffic destined to the route processor. • Additionally , the CPPr feature provides the following: • Port-filtering feature: Enables the policing and dropping of packets that are sent to closed or non- listeningTCP or UDP ports. • Queue-thresholding feature: Limits the number of packets for a specified protocol that are allowed in the control-plane IP input queue. • For more details about this technique, you can refer to below link. http://www.cisco.com/c/en/us/about/security-center/understanding-cppr.html
Securing Data Plane • Data plane is the name of the router/switch part which responsible to handle traffic that is being forwarded through the network (sometimes called transit traffic), so it sometimes data plane called as a forwarding plane. • Data Plane is taking charge of Forward traffic to the next hop along the path to the selected destination network according to control plane logic. • Actually, the routers/switches use what the control plane built to dispose of incoming and outgoing frames and packets. • A failure of some component in the data plane results in the customer’s traffic not being able to be forwarded. Other times, based on policy, you might want to deny specific types of traffic that is traversing the data plane.
Securing management, control & data plane
Securing the Data plane • NowWe are about cover the methods available for implementing policy related to traffic allowed through (transit traffic) network devices . As mentioned, For the data plane, this discussion concerns traffic that is going through your network device. • There are some ways to control and protect data plane- • Access Control list (ACL) used for filtering ACLs are used to secure the data plane in a variety of ways such as Block unwanted traffic or users, reduce the chance of DoS attacks, mitigate spoofing attacks and Provide bandwidth control. • Antispoofing IP spoofing is a technique of generating IP packets with a source address that belongs to someone else, Features such as Unicast Reverse Path Forwarding (uRPF) can be used to complement the antispoofing strategy.
• Port security To prevent MAC address spoofing and MAC address flooding attacks which occur when a switch has no more room in its tables for dynamically learned MAC addresses, there is the possibility of the switch not knowing the destination Layer 2 address (for the user’s frames) and forwarding a frame to all devices in the sameVLAN.This might give the attacker the opportunity to eavesdrop. • DHCP Snooping Which enable switch to listen in on DHCP traffic and stop any malicious DHCP packets. DHCP servers are often used in man in the middle or denial of service attacks for malicious purposes.
• Dynamic ARP inspection (DAI) It can protect against Address Resolution Protocol (ARP ) spoofing, ARP poisoning (which is advertising incorrect IP-to-MAC address mapping information), and resulting Layer 2 man-in-the-middle attacks. DAI is a security feature that validates ARP packets in a network. DAI intercepts, logs, and discards ARP packets with invalid IP-t o-MAC address bindings. DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database “DHCP snooping binding database”. • IP source Guard This feature helps to prevent IP spoofing, which is when an attacker claims the IP address of a server or device on your network. By pretending to be that device, the attacker could potentially direct sensitive data towards a port he’s connected to. Also, source guard relies on a switch’s knowledge of DHCP-assigned host addresses “DHCP snooping binding database” in order to validate and restrict spoofed source addresses.
Ad

Recommended

Ping-and-Traceroute.ppt
Ping-and-Traceroute.pptPing-and-Traceroute.ppt
Ping-and-Traceroute.ppt
MathewSanJuan
 
Acl
AclAcl
Acl
Raghu Kiran
 
Cdpd
CdpdCdpd
Cdpd
Sri Manakula Vinayagar Engineering College
 
4. tcp header.ppt
4. tcp header.ppt4. tcp header.ppt
4. tcp header.ppt
SurajKumar732187
 
Telnet & SSH
Telnet & SSH Telnet & SSH
Telnet & SSH
NetProtocol Xpert
 
Transport Layer In Computer Network
Transport Layer In Computer NetworkTransport Layer In Computer Network
Transport Layer In Computer Network
Destro Destro
 
IP Routing
IP RoutingIP Routing
IP Routing
Peter R. Egli
 
TCP/IP Protocol Architeture
TCP/IP Protocol ArchitetureTCP/IP Protocol Architeture
TCP/IP Protocol Architeture
Manoj Kumar
 
Day 1 INTRODUCTION TO IOS AND CISCO ROUTERS
Day 1 INTRODUCTION TO IOS AND CISCO ROUTERSDay 1 INTRODUCTION TO IOS AND CISCO ROUTERS
Day 1 INTRODUCTION TO IOS AND CISCO ROUTERS
anilinvns
 
UMTS, Introduction.
UMTS, Introduction.UMTS, Introduction.
UMTS, Introduction.
Mateen Shahid
 
Nat pat
Nat patNat pat
Nat pat
CYBERINTELLIGENTS
 
Routing Information Protocol
Routing Information ProtocolRouting Information Protocol
Routing Information Protocol
Kashif Latif
 
CCNA 1 Routing and Switching v5.0 Chapter 1
CCNA 1 Routing and Switching v5.0 Chapter 1CCNA 1 Routing and Switching v5.0 Chapter 1
CCNA 1 Routing and Switching v5.0 Chapter 1
Nil Menon
 
Presentation on telnet
Presentation on telnetPresentation on telnet
Presentation on telnet
Amandeep Kaur
 
Ppt of routing protocols
Ppt of routing protocolsPpt of routing protocols
Ppt of routing protocols
Bhagyashri Dhoke
 
Mobile transportlayer
Mobile transportlayerMobile transportlayer
Mobile transportlayer
Rahul Hada
 
Fundamental of Quality of Service(QoS)
Fundamental of Quality of Service(QoS) Fundamental of Quality of Service(QoS)
Fundamental of Quality of Service(QoS)
Reza Farahani
 
Quality of Service
Quality of ServiceQuality of Service
Quality of Service
silenceIT Inc.
 
Internal & External of Routers
Internal & External of RoutersInternal & External of Routers
Internal & External of Routers
Kishore Kumar
 
CCNA PPT
CCNA PPTCCNA PPT
CCNA PPT
Reetesh Gupta
 
SPAN, RSPAN and ERSPAN
SPAN, RSPAN and ERSPANSPAN, RSPAN and ERSPAN
SPAN, RSPAN and ERSPAN
NetProtocol Xpert
 
Bgp protocol
Bgp protocolBgp protocol
Bgp protocol
Smriti Tikoo
 
TCP and UDP
TCP and UDP TCP and UDP
TCP and UDP
Ramesh Giri
 
CCNA Basic Switching and Switch Configuration
CCNA Basic Switching and Switch ConfigurationCCNA Basic Switching and Switch Configuration
CCNA Basic Switching and Switch Configuration
Dsunte Wilson
 
IPv6
IPv6IPv6
IPv6
Suman Bose
 
Layer 2 switching fundamentals(networking)
Layer 2 switching fundamentals(networking)Layer 2 switching fundamentals(networking)
Layer 2 switching fundamentals(networking)
welcometofacebook
 
Umts system architecture
Umts system architectureUmts system architecture
Umts system architecture
Midhun S
 
Mobile IP
Mobile IPMobile IP
Mobile IP
Mukesh Chinta
 
Cisco ASR 1001-X Router
Cisco ASR 1001-X RouterCisco ASR 1001-X Router
Cisco ASR 1001-X Router
NetProtocol Xpert
 
MPLS Layer 3 VPN
MPLS Layer 3 VPN MPLS Layer 3 VPN
MPLS Layer 3 VPN
NetProtocol Xpert
 
Ad

More Related Content

What's hot (20)

Day 1 INTRODUCTION TO IOS AND CISCO ROUTERS
Day 1 INTRODUCTION TO IOS AND CISCO ROUTERSDay 1 INTRODUCTION TO IOS AND CISCO ROUTERS
Day 1 INTRODUCTION TO IOS AND CISCO ROUTERS
anilinvns
 
UMTS, Introduction.
UMTS, Introduction.UMTS, Introduction.
UMTS, Introduction.
Mateen Shahid
 
Nat pat
Nat patNat pat
Nat pat
CYBERINTELLIGENTS
 
Routing Information Protocol
Routing Information ProtocolRouting Information Protocol
Routing Information Protocol
Kashif Latif
 
CCNA 1 Routing and Switching v5.0 Chapter 1
CCNA 1 Routing and Switching v5.0 Chapter 1CCNA 1 Routing and Switching v5.0 Chapter 1
CCNA 1 Routing and Switching v5.0 Chapter 1
Nil Menon
 
Presentation on telnet
Presentation on telnetPresentation on telnet
Presentation on telnet
Amandeep Kaur
 
Ppt of routing protocols
Ppt of routing protocolsPpt of routing protocols
Ppt of routing protocols
Bhagyashri Dhoke
 
Mobile transportlayer
Mobile transportlayerMobile transportlayer
Mobile transportlayer
Rahul Hada
 
Fundamental of Quality of Service(QoS)
Fundamental of Quality of Service(QoS) Fundamental of Quality of Service(QoS)
Fundamental of Quality of Service(QoS)
Reza Farahani
 
Quality of Service
Quality of ServiceQuality of Service
Quality of Service
silenceIT Inc.
 
Internal & External of Routers
Internal & External of RoutersInternal & External of Routers
Internal & External of Routers
Kishore Kumar
 
CCNA PPT
CCNA PPTCCNA PPT
CCNA PPT
Reetesh Gupta
 
SPAN, RSPAN and ERSPAN
SPAN, RSPAN and ERSPANSPAN, RSPAN and ERSPAN
SPAN, RSPAN and ERSPAN
NetProtocol Xpert
 
Bgp protocol
Bgp protocolBgp protocol
Bgp protocol
Smriti Tikoo
 
TCP and UDP
TCP and UDP TCP and UDP
TCP and UDP
Ramesh Giri
 
CCNA Basic Switching and Switch Configuration
CCNA Basic Switching and Switch ConfigurationCCNA Basic Switching and Switch Configuration
CCNA Basic Switching and Switch Configuration
Dsunte Wilson
 
IPv6
IPv6IPv6
IPv6
Suman Bose
 
Layer 2 switching fundamentals(networking)
Layer 2 switching fundamentals(networking)Layer 2 switching fundamentals(networking)
Layer 2 switching fundamentals(networking)
welcometofacebook
 
Umts system architecture
Umts system architectureUmts system architecture
Umts system architecture
Midhun S
 
Mobile IP
Mobile IPMobile IP
Mobile IP
Mukesh Chinta
 
Day 1 INTRODUCTION TO IOS AND CISCO ROUTERS
Day 1 INTRODUCTION TO IOS AND CISCO ROUTERSDay 1 INTRODUCTION TO IOS AND CISCO ROUTERS
Day 1 INTRODUCTION TO IOS AND CISCO ROUTERS
anilinvns
 
UMTS, Introduction.
UMTS, Introduction.UMTS, Introduction.
UMTS, Introduction.
Mateen Shahid
 
Nat pat
Nat patNat pat
Nat pat
CYBERINTELLIGENTS
 
Routing Information Protocol
Routing Information ProtocolRouting Information Protocol
Routing Information Protocol
Kashif Latif
 
CCNA 1 Routing and Switching v5.0 Chapter 1
CCNA 1 Routing and Switching v5.0 Chapter 1CCNA 1 Routing and Switching v5.0 Chapter 1
CCNA 1 Routing and Switching v5.0 Chapter 1
Nil Menon
 
Presentation on telnet
Presentation on telnetPresentation on telnet
Presentation on telnet
Amandeep Kaur
 
Ppt of routing protocols
Ppt of routing protocolsPpt of routing protocols
Ppt of routing protocols
Bhagyashri Dhoke
 
Mobile transportlayer
Mobile transportlayerMobile transportlayer
Mobile transportlayer
Rahul Hada
 
Fundamental of Quality of Service(QoS)
Fundamental of Quality of Service(QoS) Fundamental of Quality of Service(QoS)
Fundamental of Quality of Service(QoS)
Reza Farahani
 
Quality of Service
Quality of ServiceQuality of Service
Quality of Service
silenceIT Inc.
 
Internal & External of Routers
Internal & External of RoutersInternal & External of Routers
Internal & External of Routers
Kishore Kumar
 
CCNA PPT
CCNA PPTCCNA PPT
CCNA PPT
Reetesh Gupta
 
SPAN, RSPAN and ERSPAN
SPAN, RSPAN and ERSPANSPAN, RSPAN and ERSPAN
SPAN, RSPAN and ERSPAN
NetProtocol Xpert
 
Bgp protocol
Bgp protocolBgp protocol
Bgp protocol
Smriti Tikoo
 
TCP and UDP
TCP and UDP TCP and UDP
TCP and UDP
Ramesh Giri
 
CCNA Basic Switching and Switch Configuration
CCNA Basic Switching and Switch ConfigurationCCNA Basic Switching and Switch Configuration
CCNA Basic Switching and Switch Configuration
Dsunte Wilson
 
IPv6
IPv6IPv6
IPv6
Suman Bose
 
Layer 2 switching fundamentals(networking)
Layer 2 switching fundamentals(networking)Layer 2 switching fundamentals(networking)
Layer 2 switching fundamentals(networking)
welcometofacebook
 
Umts system architecture
Umts system architectureUmts system architecture
Umts system architecture
Midhun S
 
Mobile IP
Mobile IPMobile IP
Mobile IP
Mukesh Chinta
 

Viewers also liked (20)

Cisco ASR 1001-X Router
Cisco ASR 1001-X RouterCisco ASR 1001-X Router
Cisco ASR 1001-X Router
NetProtocol Xpert
 
MPLS Layer 3 VPN
MPLS Layer 3 VPN MPLS Layer 3 VPN
MPLS Layer 3 VPN
NetProtocol Xpert
 
Cisco ISR 4351 Router
Cisco ISR 4351 RouterCisco ISR 4351 Router
Cisco ISR 4351 Router
NetProtocol Xpert
 
Application & Data Center
Application & Data CenterApplication & Data Center
Application & Data Center
NetProtocol Xpert
 
Cisco OTV 
Cisco OTV Cisco OTV 
Cisco OTV 
NetProtocol Xpert
 
Dmvpn with configuration example
Dmvpn with configuration exampleDmvpn with configuration example
Dmvpn with configuration example
3Anetwork com
 
OTV(Overlay Transport Virtualization)
OTV(Overlay Transport Virtualization)OTV(Overlay Transport Virtualization)
OTV(Overlay Transport Virtualization)
NetProtocol Xpert
 
Private VLANs
Private VLANsPrivate VLANs
Private VLANs
NetProtocol Xpert
 
TCLSH and Macro Ping Test on Cisco Routers and Switches
TCLSH and Macro Ping Test on Cisco Routers and SwitchesTCLSH and Macro Ping Test on Cisco Routers and Switches
TCLSH and Macro Ping Test on Cisco Routers and Switches
NetProtocol Xpert
 
OTV Configuration
OTV ConfigurationOTV Configuration
OTV Configuration
NetProtocol Xpert
 
IWAN Lab Guide
IWAN Lab GuideIWAN Lab Guide
IWAN Lab Guide
jww330015
 
Common Layer 2 Threats, Attacks & Mitigation
Common Layer 2 Threats, Attacks & MitigationCommon Layer 2 Threats, Attacks & Mitigation
Common Layer 2 Threats, Attacks & Mitigation
NetProtocol Xpert
 
Cisco Intelligent WAN (IWAN) Solution
Cisco Intelligent WAN (IWAN) SolutionCisco Intelligent WAN (IWAN) Solution
Cisco Intelligent WAN (IWAN) Solution
Cisco Russia
 
CCNA Security 05- securing the management plane
CCNA Security 05- securing the management planeCCNA Security 05- securing the management plane
CCNA Security 05- securing the management plane
Ahmed Habib
 
CCNA Security - Chapter 2
CCNA Security - Chapter 2CCNA Security - Chapter 2
CCNA Security - Chapter 2
Irsandi Hasan
 
CCNA Security 03- network foundation protection
CCNA Security 03- network foundation protectionCCNA Security 03- network foundation protection
CCNA Security 03- network foundation protection
Ahmed Habib
 
CCNA Security - Chapter 1
CCNA Security - Chapter 1CCNA Security - Chapter 1
CCNA Security - Chapter 1
Irsandi Hasan
 
NETCONF & YANG Enablement of Network Devices
NETCONF & YANG Enablement of Network DevicesNETCONF & YANG Enablement of Network Devices
NETCONF & YANG Enablement of Network Devices
Cisco DevNet
 
How to Build Advanced Voice Assistants and Chatbots
How to Build Advanced Voice Assistants and ChatbotsHow to Build Advanced Voice Assistants and Chatbots
How to Build Advanced Voice Assistants and Chatbots
Cisco DevNet
 
Open Device Programmability: Hands-on Intro to RESTCONF (and a bit of NETCONF)
Open Device Programmability: Hands-on Intro to RESTCONF (and a bit of NETCONF)Open Device Programmability: Hands-on Intro to RESTCONF (and a bit of NETCONF)
Open Device Programmability: Hands-on Intro to RESTCONF (and a bit of NETCONF)
Cisco DevNet
 
Cisco ASR 1001-X Router
Cisco ASR 1001-X RouterCisco ASR 1001-X Router
Cisco ASR 1001-X Router
NetProtocol Xpert
 
MPLS Layer 3 VPN
MPLS Layer 3 VPN MPLS Layer 3 VPN
MPLS Layer 3 VPN
NetProtocol Xpert
 
Cisco ISR 4351 Router
Cisco ISR 4351 RouterCisco ISR 4351 Router
Cisco ISR 4351 Router
NetProtocol Xpert
 
Application & Data Center
Application & Data CenterApplication & Data Center
Application & Data Center
NetProtocol Xpert
 
Cisco OTV 
Cisco OTV Cisco OTV 
Cisco OTV 
NetProtocol Xpert
 
Dmvpn with configuration example
Dmvpn with configuration exampleDmvpn with configuration example
Dmvpn with configuration example
3Anetwork com
 
OTV(Overlay Transport Virtualization)
OTV(Overlay Transport Virtualization)OTV(Overlay Transport Virtualization)
OTV(Overlay Transport Virtualization)
NetProtocol Xpert
 
Private VLANs
Private VLANsPrivate VLANs
Private VLANs
NetProtocol Xpert
 
TCLSH and Macro Ping Test on Cisco Routers and Switches
TCLSH and Macro Ping Test on Cisco Routers and SwitchesTCLSH and Macro Ping Test on Cisco Routers and Switches
TCLSH and Macro Ping Test on Cisco Routers and Switches
NetProtocol Xpert
 
OTV Configuration
OTV ConfigurationOTV Configuration
OTV Configuration
NetProtocol Xpert
 
IWAN Lab Guide
IWAN Lab GuideIWAN Lab Guide
IWAN Lab Guide
jww330015
 
Common Layer 2 Threats, Attacks & Mitigation
Common Layer 2 Threats, Attacks & MitigationCommon Layer 2 Threats, Attacks & Mitigation
Common Layer 2 Threats, Attacks & Mitigation
NetProtocol Xpert
 
Cisco Intelligent WAN (IWAN) Solution
Cisco Intelligent WAN (IWAN) SolutionCisco Intelligent WAN (IWAN) Solution
Cisco Intelligent WAN (IWAN) Solution
Cisco Russia
 
CCNA Security 05- securing the management plane
CCNA Security 05- securing the management planeCCNA Security 05- securing the management plane
CCNA Security 05- securing the management plane
Ahmed Habib
 
CCNA Security - Chapter 2
CCNA Security - Chapter 2CCNA Security - Chapter 2
CCNA Security - Chapter 2
Irsandi Hasan
 
CCNA Security 03- network foundation protection
CCNA Security 03- network foundation protectionCCNA Security 03- network foundation protection
CCNA Security 03- network foundation protection
Ahmed Habib
 
CCNA Security - Chapter 1
CCNA Security - Chapter 1CCNA Security - Chapter 1
CCNA Security - Chapter 1
Irsandi Hasan
 
NETCONF & YANG Enablement of Network Devices
NETCONF & YANG Enablement of Network DevicesNETCONF & YANG Enablement of Network Devices
NETCONF & YANG Enablement of Network Devices
Cisco DevNet
 
How to Build Advanced Voice Assistants and Chatbots
How to Build Advanced Voice Assistants and ChatbotsHow to Build Advanced Voice Assistants and Chatbots
How to Build Advanced Voice Assistants and Chatbots
Cisco DevNet
 
Open Device Programmability: Hands-on Intro to RESTCONF (and a bit of NETCONF)
Open Device Programmability: Hands-on Intro to RESTCONF (and a bit of NETCONF)Open Device Programmability: Hands-on Intro to RESTCONF (and a bit of NETCONF)
Open Device Programmability: Hands-on Intro to RESTCONF (and a bit of NETCONF)
Cisco DevNet
 
Ad

Similar to Securing management, control & data plane (20)

Brkcrt 2214
Brkcrt 2214Brkcrt 2214
Brkcrt 2214
Mac An
 
Large scale, distributed access management deployment with aruba clear pass
Large scale, distributed access management deployment with aruba clear passLarge scale, distributed access management deployment with aruba clear pass
Large scale, distributed access management deployment with aruba clear pass
Aruba, a Hewlett Packard Enterprise company
 
Ble overview and_implementation
Ble overview and_implementationBle overview and_implementation
Ble overview and_implementation
Stanley Chang
 
Installation et configuration de système
Installation et configuration de systèmeInstallation et configuration de système
Installation et configuration de système
khadijaguebsi45
 
Security defined routing_cybergamut_v1_1
Security defined routing_cybergamut_v1_1Security defined routing_cybergamut_v1_1
Security defined routing_cybergamut_v1_1
Joel W. King
 
Private cloud networking_cloudstack_days_austin
Private cloud networking_cloudstack_days_austinPrivate cloud networking_cloudstack_days_austin
Private cloud networking_cloudstack_days_austin
Chiradeep Vittal
 
Diameter Presentation
Diameter PresentationDiameter Presentation
Diameter Presentation
Beny Haddad
 
M1-C17-Armando una red.pptx
M1-C17-Armando una red.pptxM1-C17-Armando una red.pptx
M1-C17-Armando una red.pptx
Angel Garcia
 
17 - Building small network.pdf
17 - Building small network.pdf17 - Building small network.pdf
17 - Building small network.pdf
PhiliphaHaldline
 
AAA Implementation
AAA ImplementationAAA Implementation
AAA Implementation
Ahmad El Tawil
 
ITN_Module_17.pptx
ITN_Module_17.pptxITN_Module_17.pptx
ITN_Module_17.pptx
ssuserf7cd2b
 
BRKSEC-3771 - WSA with wccp.pdf
BRKSEC-3771 - WSA with wccp.pdfBRKSEC-3771 - WSA with wccp.pdf
BRKSEC-3771 - WSA with wccp.pdf
MenakaDevi14
 
INT_Ch17.pptx
INT_Ch17.pptxINT_Ch17.pptx
INT_Ch17.pptx
NguyenLong773850
 
MVA slides lesson 8
MVA slides lesson 8MVA slides lesson 8
MVA slides lesson 8
Fabio Almeida- Oficina Eletrônica
 
98 366 mva slides lesson 8
98 366 mva slides lesson 898 366 mva slides lesson 8
98 366 mva slides lesson 8
suddenven
 
Copy of learn_the_art_of_firewall_security(1)
Copy of learn_the_art_of_firewall_security(1)Copy of learn_the_art_of_firewall_security(1)
Copy of learn_the_art_of_firewall_security(1)
ManageEngine, Zoho Corporation
 
Ciscorouterasavpnserver 100218045815-phpapp01
Ciscorouterasavpnserver 100218045815-phpapp01Ciscorouterasavpnserver 100218045815-phpapp01
Ciscorouterasavpnserver 100218045815-phpapp01
slavenvvv
 
Managing Microservices With The Istio Service Mesh on Kubernetes
Managing Microservices With The Istio Service Mesh on KubernetesManaging Microservices With The Istio Service Mesh on Kubernetes
Managing Microservices With The Istio Service Mesh on Kubernetes
Iftach Schonbaum
 
Basic network training2
Basic network training2Basic network training2
Basic network training2
Arunchai Seangparch
 
UNIT 2.pdf
UNIT 2.pdfUNIT 2.pdf
UNIT 2.pdf
PRANAVMALAKARRA20110
 
Brkcrt 2214
Brkcrt 2214Brkcrt 2214
Brkcrt 2214
Mac An
 
Large scale, distributed access management deployment with aruba clear pass
Large scale, distributed access management deployment with aruba clear passLarge scale, distributed access management deployment with aruba clear pass
Large scale, distributed access management deployment with aruba clear pass
Aruba, a Hewlett Packard Enterprise company
 
Ble overview and_implementation
Ble overview and_implementationBle overview and_implementation
Ble overview and_implementation
Stanley Chang
 
Installation et configuration de système
Installation et configuration de systèmeInstallation et configuration de système
Installation et configuration de système
khadijaguebsi45
 
Security defined routing_cybergamut_v1_1
Security defined routing_cybergamut_v1_1Security defined routing_cybergamut_v1_1
Security defined routing_cybergamut_v1_1
Joel W. King
 
Private cloud networking_cloudstack_days_austin
Private cloud networking_cloudstack_days_austinPrivate cloud networking_cloudstack_days_austin
Private cloud networking_cloudstack_days_austin
Chiradeep Vittal
 
Diameter Presentation
Diameter PresentationDiameter Presentation
Diameter Presentation
Beny Haddad
 
M1-C17-Armando una red.pptx
M1-C17-Armando una red.pptxM1-C17-Armando una red.pptx
M1-C17-Armando una red.pptx
Angel Garcia
 
17 - Building small network.pdf
17 - Building small network.pdf17 - Building small network.pdf
17 - Building small network.pdf
PhiliphaHaldline
 
AAA Implementation
AAA ImplementationAAA Implementation
AAA Implementation
Ahmad El Tawil
 
ITN_Module_17.pptx
ITN_Module_17.pptxITN_Module_17.pptx
ITN_Module_17.pptx
ssuserf7cd2b
 
BRKSEC-3771 - WSA with wccp.pdf
BRKSEC-3771 - WSA with wccp.pdfBRKSEC-3771 - WSA with wccp.pdf
BRKSEC-3771 - WSA with wccp.pdf
MenakaDevi14
 
INT_Ch17.pptx
INT_Ch17.pptxINT_Ch17.pptx
INT_Ch17.pptx
NguyenLong773850
 
MVA slides lesson 8
MVA slides lesson 8MVA slides lesson 8
MVA slides lesson 8
Fabio Almeida- Oficina Eletrônica
 
98 366 mva slides lesson 8
98 366 mva slides lesson 898 366 mva slides lesson 8
98 366 mva slides lesson 8
suddenven
 
Copy of learn_the_art_of_firewall_security(1)
Copy of learn_the_art_of_firewall_security(1)Copy of learn_the_art_of_firewall_security(1)
Copy of learn_the_art_of_firewall_security(1)
ManageEngine, Zoho Corporation
 
Ciscorouterasavpnserver 100218045815-phpapp01
Ciscorouterasavpnserver 100218045815-phpapp01Ciscorouterasavpnserver 100218045815-phpapp01
Ciscorouterasavpnserver 100218045815-phpapp01
slavenvvv
 
Managing Microservices With The Istio Service Mesh on Kubernetes
Managing Microservices With The Istio Service Mesh on KubernetesManaging Microservices With The Istio Service Mesh on Kubernetes
Managing Microservices With The Istio Service Mesh on Kubernetes
Iftach Schonbaum
 
Basic network training2
Basic network training2Basic network training2
Basic network training2
Arunchai Seangparch
 
UNIT 2.pdf
UNIT 2.pdfUNIT 2.pdf
UNIT 2.pdf
PRANAVMALAKARRA20110
 
Ad

More from NetProtocol Xpert (20)

Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)
NetProtocol Xpert
 
Storm-Control
Storm-ControlStorm-Control
Storm-Control
NetProtocol Xpert
 
Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)
NetProtocol Xpert
 
IP Source Guard
IP Source Guard IP Source Guard
IP Source Guard
NetProtocol Xpert
 
DHCP Snooping
DHCP SnoopingDHCP Snooping
DHCP Snooping
NetProtocol Xpert
 
Password Recovery
Password RecoveryPassword Recovery
Password Recovery
NetProtocol Xpert
 
Point to-point protocol (ppp), PAP & CHAP
Point to-point protocol (ppp), PAP & CHAPPoint to-point protocol (ppp), PAP & CHAP
Point to-point protocol (ppp), PAP & CHAP
NetProtocol Xpert
 
Avoid DNS lookup when mistyping a command
Avoid DNS lookup when mistyping a commandAvoid DNS lookup when mistyping a command
Avoid DNS lookup when mistyping a command
NetProtocol Xpert
 
MTU (maximum transmission unit) & MRU (maximum receive unit)
MTU (maximum transmission unit) & MRU (maximum receive unit)MTU (maximum transmission unit) & MRU (maximum receive unit)
MTU (maximum transmission unit) & MRU (maximum receive unit)
NetProtocol Xpert
 
Regular expression examples
Regular expression examplesRegular expression examples
Regular expression examples
NetProtocol Xpert
 
Eigrp is restricted to stub connections
Eigrp is restricted to stub connections Eigrp is restricted to stub connections
Eigrp is restricted to stub connections
NetProtocol Xpert
 
Converting ipv4 to ipv6 and vice versa
Converting ipv4 to ipv6 and vice versaConverting ipv4 to ipv6 and vice versa
Converting ipv4 to ipv6 and vice versa
NetProtocol Xpert
 
Password recovery cisco catalyst 3850
Password recovery cisco catalyst 3850Password recovery cisco catalyst 3850
Password recovery cisco catalyst 3850
NetProtocol Xpert
 
Cisco 2960x switch password recovery
Cisco 2960x switch password recoveryCisco 2960x switch password recovery
Cisco 2960x switch password recovery
NetProtocol Xpert
 
VMware ESXi 6.0 Installation Process
VMware ESXi 6.0 Installation ProcessVMware ESXi 6.0 Installation Process
VMware ESXi 6.0 Installation Process
NetProtocol Xpert
 
EtherChannel Configuration
EtherChannel ConfigurationEtherChannel Configuration
EtherChannel Configuration
NetProtocol Xpert
 
EIGRP (Enhanced Interior Gateway Routing Protocol)
EIGRP (Enhanced Interior Gateway Routing Protocol)EIGRP (Enhanced Interior Gateway Routing Protocol)
EIGRP (Enhanced Interior Gateway Routing Protocol)
NetProtocol Xpert
 
OSPF External Route Summarization
OSPF External Route Summarization OSPF External Route Summarization
OSPF External Route Summarization
NetProtocol Xpert
 
OSPF Internal Route Summarization
OSPF Internal Route SummarizationOSPF Internal Route Summarization
OSPF Internal Route Summarization
NetProtocol Xpert
 
Redistribution into OSPF
Redistribution into OSPFRedistribution into OSPF
Redistribution into OSPF
NetProtocol Xpert
 
Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)
NetProtocol Xpert
 
Storm-Control
Storm-ControlStorm-Control
Storm-Control
NetProtocol Xpert
 
Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)
NetProtocol Xpert
 
IP Source Guard
IP Source Guard IP Source Guard
IP Source Guard
NetProtocol Xpert
 
DHCP Snooping
DHCP SnoopingDHCP Snooping
DHCP Snooping
NetProtocol Xpert
 
Password Recovery
Password RecoveryPassword Recovery
Password Recovery
NetProtocol Xpert
 
Point to-point protocol (ppp), PAP & CHAP
Point to-point protocol (ppp), PAP & CHAPPoint to-point protocol (ppp), PAP & CHAP
Point to-point protocol (ppp), PAP & CHAP
NetProtocol Xpert
 
Avoid DNS lookup when mistyping a command
Avoid DNS lookup when mistyping a commandAvoid DNS lookup when mistyping a command
Avoid DNS lookup when mistyping a command
NetProtocol Xpert
 
MTU (maximum transmission unit) & MRU (maximum receive unit)
MTU (maximum transmission unit) & MRU (maximum receive unit)MTU (maximum transmission unit) & MRU (maximum receive unit)
MTU (maximum transmission unit) & MRU (maximum receive unit)
NetProtocol Xpert
 
Regular expression examples
Regular expression examplesRegular expression examples
Regular expression examples
NetProtocol Xpert
 
Eigrp is restricted to stub connections
Eigrp is restricted to stub connections Eigrp is restricted to stub connections
Eigrp is restricted to stub connections
NetProtocol Xpert
 
Converting ipv4 to ipv6 and vice versa
Converting ipv4 to ipv6 and vice versaConverting ipv4 to ipv6 and vice versa
Converting ipv4 to ipv6 and vice versa
NetProtocol Xpert
 
Password recovery cisco catalyst 3850
Password recovery cisco catalyst 3850Password recovery cisco catalyst 3850
Password recovery cisco catalyst 3850
NetProtocol Xpert
 
Cisco 2960x switch password recovery
Cisco 2960x switch password recoveryCisco 2960x switch password recovery
Cisco 2960x switch password recovery
NetProtocol Xpert
 
VMware ESXi 6.0 Installation Process
VMware ESXi 6.0 Installation ProcessVMware ESXi 6.0 Installation Process
VMware ESXi 6.0 Installation Process
NetProtocol Xpert
 
EtherChannel Configuration
EtherChannel ConfigurationEtherChannel Configuration
EtherChannel Configuration
NetProtocol Xpert
 
EIGRP (Enhanced Interior Gateway Routing Protocol)
EIGRP (Enhanced Interior Gateway Routing Protocol)EIGRP (Enhanced Interior Gateway Routing Protocol)
EIGRP (Enhanced Interior Gateway Routing Protocol)
NetProtocol Xpert
 
OSPF External Route Summarization
OSPF External Route Summarization OSPF External Route Summarization
OSPF External Route Summarization
NetProtocol Xpert
 
OSPF Internal Route Summarization
OSPF Internal Route SummarizationOSPF Internal Route Summarization
OSPF Internal Route Summarization
NetProtocol Xpert
 
Redistribution into OSPF
Redistribution into OSPFRedistribution into OSPF
Redistribution into OSPF
NetProtocol Xpert
 

Recently uploaded (20)

DATA-DRIVEN SHOULDER INVERSE KINEMATICS YoungBeom Kim1 , Byung-Ha Park1 , Kwa...
DATA-DRIVEN SHOULDER INVERSE KINEMATICS YoungBeom Kim1 , Byung-Ha Park1 , Kwa...DATA-DRIVEN SHOULDER INVERSE KINEMATICS YoungBeom Kim1 , Byung-Ha Park1 , Kwa...
DATA-DRIVEN SHOULDER INVERSE KINEMATICS YoungBeom Kim1 , Byung-Ha Park1 , Kwa...
charlesdick1345
 
211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf
211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf
211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf
inmishra17121973
 
Avnet Silica's PCIM 2025 Highlights Flyer
Avnet Silica's PCIM 2025 Highlights FlyerAvnet Silica's PCIM 2025 Highlights Flyer
Avnet Silica's PCIM 2025 Highlights Flyer
WillDavies22
 
"Feed Water Heaters in Thermal Power Plants: Types, Working, and Efficiency G...
"Feed Water Heaters in Thermal Power Plants: Types, Working, and Efficiency G..."Feed Water Heaters in Thermal Power Plants: Types, Working, and Efficiency G...
"Feed Water Heaters in Thermal Power Plants: Types, Working, and Efficiency G...
Infopitaara
 
AI-assisted Software Testing (3-hours tutorial)
AI-assisted Software Testing (3-hours tutorial)AI-assisted Software Testing (3-hours tutorial)
AI-assisted Software Testing (3-hours tutorial)
Vəhid Gəruslu
 
The Gaussian Process Modeling Module in UQLab
The Gaussian Process Modeling Module in UQLabThe Gaussian Process Modeling Module in UQLab
The Gaussian Process Modeling Module in UQLab
Journal of Soft Computing in Civil Engineering
 
Introduction to Zoomlion Earthmoving.pptx
Introduction to Zoomlion Earthmoving.pptxIntroduction to Zoomlion Earthmoving.pptx
Introduction to Zoomlion Earthmoving.pptx
AS1920
 
Data Structures_Searching and Sorting.pptx
Data Structures_Searching and Sorting.pptxData Structures_Searching and Sorting.pptx
Data Structures_Searching and Sorting.pptx
RushaliDeshmukh2
 
Lidar for Autonomous Driving, LiDAR Mapping for Driverless Cars.pptx
Lidar for Autonomous Driving, LiDAR Mapping for Driverless Cars.pptxLidar for Autonomous Driving, LiDAR Mapping for Driverless Cars.pptx
Lidar for Autonomous Driving, LiDAR Mapping for Driverless Cars.pptx
RishavKumar530754
 
ADVXAI IN MALWARE ANALYSIS FRAMEWORK: BALANCING EXPLAINABILITY WITH SECURITY
ADVXAI IN MALWARE ANALYSIS FRAMEWORK: BALANCING EXPLAINABILITY WITH SECURITYADVXAI IN MALWARE ANALYSIS FRAMEWORK: BALANCING EXPLAINABILITY WITH SECURITY
ADVXAI IN MALWARE ANALYSIS FRAMEWORK: BALANCING EXPLAINABILITY WITH SECURITY
ijscai
 
ELectronics Boards & Product Testing_Shiju.pdf
ELectronics Boards & Product Testing_Shiju.pdfELectronics Boards & Product Testing_Shiju.pdf
ELectronics Boards & Product Testing_Shiju.pdf
Shiju Jacob
 
fluke dealers in bangalore..............
fluke dealers in bangalore..............fluke dealers in bangalore..............
fluke dealers in bangalore..............
Haresh Vaswani
 
Compiler Design_Lexical Analysis phase.pptx
Compiler Design_Lexical Analysis phase.pptxCompiler Design_Lexical Analysis phase.pptx
Compiler Design_Lexical Analysis phase.pptx
RushaliDeshmukh2
 
DT REPORT by Tech titan GROUP to introduce the subject design Thinking
DT REPORT by Tech titan GROUP to introduce the subject design ThinkingDT REPORT by Tech titan GROUP to introduce the subject design Thinking
DT REPORT by Tech titan GROUP to introduce the subject design Thinking
DhruvChotaliya2
 
"Boiler Feed Pump (BFP): Working, Applications, Advantages, and Limitations E...
"Boiler Feed Pump (BFP): Working, Applications, Advantages, and Limitations E..."Boiler Feed Pump (BFP): Working, Applications, Advantages, and Limitations E...
"Boiler Feed Pump (BFP): Working, Applications, Advantages, and Limitations E...
Infopitaara
 
Fort night presentation new0903 pdf.pdf.
Fort night presentation new0903 pdf.pdf.Fort night presentation new0903 pdf.pdf.
Fort night presentation new0903 pdf.pdf.
anuragmk56
 
Oil-gas_Unconventional oil and gass_reseviours.pdf
Oil-gas_Unconventional oil and gass_reseviours.pdfOil-gas_Unconventional oil and gass_reseviours.pdf
Oil-gas_Unconventional oil and gass_reseviours.pdf
M7md3li2
 
π0.5: a Vision-Language-Action Model with Open-World Generalization
π0.5: a Vision-Language-Action Model with Open-World Generalizationπ0.5: a Vision-Language-Action Model with Open-World Generalization
π0.5: a Vision-Language-Action Model with Open-World Generalization
NABLAS株式会社
 
MAQUINARIA MINAS CEMA 6th Edition (1).pdf
MAQUINARIA MINAS CEMA 6th Edition (1).pdfMAQUINARIA MINAS CEMA 6th Edition (1).pdf
MAQUINARIA MINAS CEMA 6th Edition (1).pdf
ssuser562df4
 
DSP and MV the Color image processing.ppt
DSP and MV the Color image processing.pptDSP and MV the Color image processing.ppt
DSP and MV the Color image processing.ppt
HafizAhamed8
 
DATA-DRIVEN SHOULDER INVERSE KINEMATICS YoungBeom Kim1 , Byung-Ha Park1 , Kwa...
DATA-DRIVEN SHOULDER INVERSE KINEMATICS YoungBeom Kim1 , Byung-Ha Park1 , Kwa...DATA-DRIVEN SHOULDER INVERSE KINEMATICS YoungBeom Kim1 , Byung-Ha Park1 , Kwa...
DATA-DRIVEN SHOULDER INVERSE KINEMATICS YoungBeom Kim1 , Byung-Ha Park1 , Kwa...
charlesdick1345
 
211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf
211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf
211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf
inmishra17121973
 
Avnet Silica's PCIM 2025 Highlights Flyer
Avnet Silica's PCIM 2025 Highlights FlyerAvnet Silica's PCIM 2025 Highlights Flyer
Avnet Silica's PCIM 2025 Highlights Flyer
WillDavies22
 
"Feed Water Heaters in Thermal Power Plants: Types, Working, and Efficiency G...
"Feed Water Heaters in Thermal Power Plants: Types, Working, and Efficiency G..."Feed Water Heaters in Thermal Power Plants: Types, Working, and Efficiency G...
"Feed Water Heaters in Thermal Power Plants: Types, Working, and Efficiency G...
Infopitaara
 
AI-assisted Software Testing (3-hours tutorial)
AI-assisted Software Testing (3-hours tutorial)AI-assisted Software Testing (3-hours tutorial)
AI-assisted Software Testing (3-hours tutorial)
Vəhid Gəruslu
 
The Gaussian Process Modeling Module in UQLab
The Gaussian Process Modeling Module in UQLabThe Gaussian Process Modeling Module in UQLab
The Gaussian Process Modeling Module in UQLab
Journal of Soft Computing in Civil Engineering
 
Introduction to Zoomlion Earthmoving.pptx
Introduction to Zoomlion Earthmoving.pptxIntroduction to Zoomlion Earthmoving.pptx
Introduction to Zoomlion Earthmoving.pptx
AS1920
 
Data Structures_Searching and Sorting.pptx
Data Structures_Searching and Sorting.pptxData Structures_Searching and Sorting.pptx
Data Structures_Searching and Sorting.pptx
RushaliDeshmukh2
 
Lidar for Autonomous Driving, LiDAR Mapping for Driverless Cars.pptx
Lidar for Autonomous Driving, LiDAR Mapping for Driverless Cars.pptxLidar for Autonomous Driving, LiDAR Mapping for Driverless Cars.pptx
Lidar for Autonomous Driving, LiDAR Mapping for Driverless Cars.pptx
RishavKumar530754
 
ADVXAI IN MALWARE ANALYSIS FRAMEWORK: BALANCING EXPLAINABILITY WITH SECURITY
ADVXAI IN MALWARE ANALYSIS FRAMEWORK: BALANCING EXPLAINABILITY WITH SECURITYADVXAI IN MALWARE ANALYSIS FRAMEWORK: BALANCING EXPLAINABILITY WITH SECURITY
ADVXAI IN MALWARE ANALYSIS FRAMEWORK: BALANCING EXPLAINABILITY WITH SECURITY
ijscai
 
ELectronics Boards & Product Testing_Shiju.pdf
ELectronics Boards & Product Testing_Shiju.pdfELectronics Boards & Product Testing_Shiju.pdf
ELectronics Boards & Product Testing_Shiju.pdf
Shiju Jacob
 
fluke dealers in bangalore..............
fluke dealers in bangalore..............fluke dealers in bangalore..............
fluke dealers in bangalore..............
Haresh Vaswani
 
Compiler Design_Lexical Analysis phase.pptx
Compiler Design_Lexical Analysis phase.pptxCompiler Design_Lexical Analysis phase.pptx
Compiler Design_Lexical Analysis phase.pptx
RushaliDeshmukh2
 
DT REPORT by Tech titan GROUP to introduce the subject design Thinking
DT REPORT by Tech titan GROUP to introduce the subject design ThinkingDT REPORT by Tech titan GROUP to introduce the subject design Thinking
DT REPORT by Tech titan GROUP to introduce the subject design Thinking
DhruvChotaliya2
 
"Boiler Feed Pump (BFP): Working, Applications, Advantages, and Limitations E...
"Boiler Feed Pump (BFP): Working, Applications, Advantages, and Limitations E..."Boiler Feed Pump (BFP): Working, Applications, Advantages, and Limitations E...
"Boiler Feed Pump (BFP): Working, Applications, Advantages, and Limitations E...
Infopitaara
 
Fort night presentation new0903 pdf.pdf.
Fort night presentation new0903 pdf.pdf.Fort night presentation new0903 pdf.pdf.
Fort night presentation new0903 pdf.pdf.
anuragmk56
 
Oil-gas_Unconventional oil and gass_reseviours.pdf
Oil-gas_Unconventional oil and gass_reseviours.pdfOil-gas_Unconventional oil and gass_reseviours.pdf
Oil-gas_Unconventional oil and gass_reseviours.pdf
M7md3li2
 
π0.5: a Vision-Language-Action Model with Open-World Generalization
π0.5: a Vision-Language-Action Model with Open-World Generalizationπ0.5: a Vision-Language-Action Model with Open-World Generalization
π0.5: a Vision-Language-Action Model with Open-World Generalization
NABLAS株式会社
 
MAQUINARIA MINAS CEMA 6th Edition (1).pdf
MAQUINARIA MINAS CEMA 6th Edition (1).pdfMAQUINARIA MINAS CEMA 6th Edition (1).pdf
MAQUINARIA MINAS CEMA 6th Edition (1).pdf
ssuser562df4
 
DSP and MV the Color image processing.ppt
DSP and MV the Color image processing.pptDSP and MV the Color image processing.ppt
DSP and MV the Color image processing.ppt
HafizAhamed8
 

Securing management, control & data plane

  • 1. SECURING MANAGEMENT, CONTROL & DATA PLANE Security | www.netprotocolxpert.in
  • 2. Management Plane • The management plane performs management functions for a network and coordinates functions among all the planes (management, control, data). The management plane also is used to manage a device through its connection to the network. • Examples of protocols processed in the management plane are Simple Network Management Protocol (SNMP), Telnet, HTTP, Secure HTTP (HTTPS), and SSH. These management protocols are used for monitoring and for CLI access. Restricting access to devices to internal sources (trusted networks) is critical. • There are many methods you can manage a device “VTY, AUX, and Console” lines and ports and you should do your best to keep access through it more secure as you can among some procedures such as :-
  • 3. • Strong passwords • Make passwords very difficult to break, An attacker can break a password in several ways, including a dictionary and/or a brute force attack. In addition to this, you should use the encrypted password “enable secret” instead of plain text password “enable password”; Enable secrets are hashed using the MD5 algorithm. Also, work on enforcing password policy, including features such as maximum number of login attempts and minimum password length. • Encrypted management protocols • Undoubtedly, accessing devices through “Telnet or HTTP” is not secure anymore as the password sent in plain text, so encrypted communications should be used, such as Secure Shell (SSH) or HypertextTransfer Protocol Secure (HTTPS). • User authentication and AAA • AAA stands for Authentication, Authorization and Accounting. In large networks it isn’t logic to depend on the local user database for authenticating users. The goal of AAA is to identify who users are before giving them any kind of access to the network, and once they are identified, only give them access to the part they are authorized to use, see, or manage. Cisco provides many ways to implement AAA services for Cisco devices, such as ACS server, TACACS server, or RADIUS server and we will cover this point in more details at our next sessions.
  • 4. • Role-based access control (RBAC) • With RBAC, we can create a role (like a group) and assign that role to the users who will be acting in that role. With the role comes the permissions and access. Ways to implement RBACs include using Access Control Server (ACS) and CLI parser views. • Logging • Logging is a way to create an audit trail, Logging may be done in many different ways, logging includes not only what administrators have changed or done, but also system events that are generated by the router or switch because of some problem that has occurred or some threshold that has been reached. This logging information may be sent to a syslog server. SNMP one of the most important protocols can be used here. • Network Time Protocol (NTP) • NTP is a protocol which is used widely in networking industry to synchronize the clocks of network infrastructure devices (Servers, Routers, Switches, Computers) over a network, This becomes very important to correlate logs between devices in case there is ever a breach and you need to reconstruct (or prove in a court of law) what occurred.
  • 5. 1. How to enable SSH to access a router or switch • To enable SSH on a router or switch, the following items need to be in place: • Hostname other than the default name of router. • Domain name. • Generating a public/private key pair, used behind the scenes by SSH. • Requiring user login via the vty lines, instead of just a password. Local authentication or authentication using anACS server are both options. • Having at least one user account to log in with, either locally on the router, or on anACS server.
  • 6. 2. User Authentication with AAA • There are two models to implement AAA server:- 1. Self-ContainedAAA • AAA services in this model is a self-contained in the router. It is also known as local authentication. 1. The client establishes a connection with the router. 2. The AAA router prompts the user for a username and password. 3. The router authenticates the username and password using the local database and the user is authorized to access the network based on information in the local database.
  • 7. 2. Server-Based AAA • Uses an external database server to authenticate the username/Password. 1. The client establishes a connection with the router. 2. The AAA router prompts the user for a username and password. 3. The router authenticates the username and password using a remote AAA server. 4. The user is authorized to access the network based on information on the remote AAA Server. • There are many names and access methods associated with the central server, including calling it an authentication server, AAA server, ACS server,TACACS server, or RADIUS server. • The following list describes a few of these centralized server types: 1. Cisco Secure ACS Solution Engine: It’s a server appliance with the Access Control Server (ACS) software preinstalled, Cisco ACS uses the two distinct protocols for AAA services RADIUS &TACACS+. 2. Cisco Secure ACS for Windows Server: This software package may be used for user and administrator authentication, AAA services on the router contact an external Cisco Secure ACS (running on a Microsoft Windows system).
  • 8. Securing Control Plane • Control plane packets are network device–generated or received packets that are used for the creation and operation of the network itself. • From the perspective of the network device, control plane packets always have a receive destination IP address and are handled by the CPU in the network device route processor. Some examples of control plane functions include routing protocols (for example, BGP, OSPF, EIGRP), as well as protocols like Internet Control Message Protocol (ICMP) and the Resource Reservation Protocol (RSVP). • So, The fateful issue to protect the control plane is minimizing the amount of CPU load as much as we can.
  • 9. Some of the packets and traffic which handled by the CPU: • Receive adjacency traffic: This indication is for any IP address that requires direct handling by the Cisco device CPU which is refereed by the term receive in the show ip cef command- line interface (CLI) output. • Access control list (ACL) logging: The log and log-input options apply to an ACL entries and cause packets that match the ACL entry to be logged. • Unicast Reverse Path Forwarding (uRPF): Security feature works by enabling a router to verify the reachability of the source address in packets being forwarded. • IP options: Any IP packets with options included must be processed by the CPU. • Fragmentation: Any IP packet that requires fragmentation must be passed to the CPU for processing.
  • 10. • Time-To-Live (TTL) expiry: Packets that have aTTL value less than or equal to 1. • Traffic requiring an ARP request: Destinations for which an ARP entry does not exist require processing by the CPU. • Non-IP traffic: All non-IP traffic is processed by the CPU. • Through the use of control plane policing (CoPP) and control plane protection (CPPr) we can secure the control plane.
  • 11. Control Plane Policing(CoPP): • It’s a feature designed to allow users to manage the flow of traffic handled by the router processor of their network devices. • Control plane policing can be performed through the use of granular classification ACLs and the use of the show policymap control-plane command to display it. Benefits of Control Plane Policing • Configuring the Control Plane Policing feature on your Cisco router or switch provides the following benefits: • Protection against DoS attacks at infrastructure routers and switches. • QoS control for packets that are destined to the control plane of Cisco routers or switches. • Ease of configuration for control plane policies. • Better platform reliability and availability
  • 12. • In below example we are about permit only the BGP and OSPF and discard any ip packet has a ttl less than 2 to reach the Cisco device CPU.
  • 13. Control Plane Protection(CPPr): • The Control Plane Protection feature is an extension of the policing functionality provided by the existing Control-plane Policing feature.The Control-plane Policing feature allows Quality of Service (QoS) policing of aggregate control-plane traffic destined to the route processor. • Additionally , the CPPr feature provides the following: • Port-filtering feature: Enables the policing and dropping of packets that are sent to closed or non- listeningTCP or UDP ports. • Queue-thresholding feature: Limits the number of packets for a specified protocol that are allowed in the control-plane IP input queue. • For more details about this technique, you can refer to below link. http://www.cisco.com/c/en/us/about/security-center/understanding-cppr.html
  • 14. Securing Data Plane • Data plane is the name of the router/switch part which responsible to handle traffic that is being forwarded through the network (sometimes called transit traffic), so it sometimes data plane called as a forwarding plane. • Data Plane is taking charge of Forward traffic to the next hop along the path to the selected destination network according to control plane logic. • Actually, the routers/switches use what the control plane built to dispose of incoming and outgoing frames and packets. • A failure of some component in the data plane results in the customer’s traffic not being able to be forwarded. Other times, based on policy, you might want to deny specific types of traffic that is traversing the data plane.
  • 16. Securing the Data plane • NowWe are about cover the methods available for implementing policy related to traffic allowed through (transit traffic) network devices . As mentioned, For the data plane, this discussion concerns traffic that is going through your network device. • There are some ways to control and protect data plane- • Access Control list (ACL) used for filtering ACLs are used to secure the data plane in a variety of ways such as Block unwanted traffic or users, reduce the chance of DoS attacks, mitigate spoofing attacks and Provide bandwidth control. • Antispoofing IP spoofing is a technique of generating IP packets with a source address that belongs to someone else, Features such as Unicast Reverse Path Forwarding (uRPF) can be used to complement the antispoofing strategy.
  • 17. • Port security To prevent MAC address spoofing and MAC address flooding attacks which occur when a switch has no more room in its tables for dynamically learned MAC addresses, there is the possibility of the switch not knowing the destination Layer 2 address (for the user’s frames) and forwarding a frame to all devices in the sameVLAN.This might give the attacker the opportunity to eavesdrop. • DHCP Snooping Which enable switch to listen in on DHCP traffic and stop any malicious DHCP packets. DHCP servers are often used in man in the middle or denial of service attacks for malicious purposes.
  • 18. • Dynamic ARP inspection (DAI) It can protect against Address Resolution Protocol (ARP ) spoofing, ARP poisoning (which is advertising incorrect IP-to-MAC address mapping information), and resulting Layer 2 man-in-the-middle attacks. DAI is a security feature that validates ARP packets in a network. DAI intercepts, logs, and discards ARP packets with invalid IP-t o-MAC address bindings. DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database “DHCP snooping binding database”. • IP source Guard This feature helps to prevent IP spoofing, which is when an attacker claims the IP address of a server or device on your network. By pretending to be that device, the attacker could potentially direct sensitive data towards a port he’s connected to. Also, source guard relies on a switch’s knowledge of DHCP-assigned host addresses “DHCP snooping binding database” in order to validate and restrict spoofed source addresses.