Chapter 3. Cisco Network Foundation Protection

Introducing Cisco Network Foundation Protection

Cisco Network Foundation Protection (NFP) is a framework for protecting the network infrastructure itself. Today our networks must connect to the Internet, and that connectivity exposes the infrastructure devices to numerous risks. NFP addresses this by securing the infrastructure devices themselves, not just the traffic that crosses them. A network device is typically broken down into three planes. The control plane runs the routing protocols and the other processes that decide how traffic is forwarded. The data plane forwards the packets. The management plane provides management access to the device. If any of these planes becomes unavailable (for example, because an attacker floods it), the device can no longer do its job, so NFP provides protection for each of them. NFP uses the following IOS tools and features:

  • Cisco AutoSecure, which provides you an easy way to secure your devices

  • Control Plane Policing (CoPP)

  • Control Plane Protection (CPPr)

  • Flexible Packet Matching (FPM)

  • Management Plane Protection (MPP)

  • Quality of service (QoS) tools

  • Unicast Reverse Path Forwarding (uRPF)

Although each of these features is important to the network, not all of them are covered on the SNRS exam. The following site provides more information about NFP:

http://www.cisco.com/en/US/products/ps6642/products_ios_protocol_group_home.html

Securing the Control Plane

The following configuration creates a policy that polices traffic sent to the control plane. It defines a trusted host, 172.30.101.1, whose Telnet and HTTP traffic reaches the control plane without constraint. Telnet and HTTP traffic to the control plane from any other source is policed to 50,000 packets per second, and packets beyond that rate are dropped. Traffic that the ACL does not match at all (routing-protocol traffic, for example) is not affected by this policy.

Create an ACL whose deny entries exempt the trusted host and whose permit entries match Telnet and HTTP from all other sources. In a class map, deny means "do not match", not "drop": traffic the ACL denies (or never matches) falls into class-default and is not policed:

cisco_router(config)#ip access-list extended CP-acl
cisco_router(config-ext-nacl)#deny tcp host 172.30.101.1 any eq telnet
cisco_router(config-ext-nacl)#deny tcp host 172.30.101.1 any eq www
cisco_router(config-ext-nacl)#permit tcp any any eq telnet
cisco_router(config-ext-nacl)#permit tcp any any eq www
cisco_router(config-ext-nacl)#exit

Create a class map that matches the traffic permitted by the ACL:

cisco_router(config)#class-map match-any CP-class
cisco_router(config-cmap)#match access-group name CP-acl
cisco_router(config-cmap)#exit

Create a policy map that references that class and polices it:

cisco_router(config)#policy-map CP-policy
cisco_router(config-pmap)#class CP-class
cisco_router(config-pmap-c)#police rate 50000 pps conform-action transmit exceed-action drop
cisco_router(config-pmap-c-police)#exit
cisco_router(config-pmap-c)#exit
cisco_router(config-pmap)#exit

Enter control-plane host configuration mode (the host subinterface of Control Plane Protection, which covers traffic addressed to the router itself) and apply the policy using the service-policy command:

cisco_router(config)#control-plane host
cisco_router(config-cp-host)#service-policy input CP-policy
cisco_router(config-cp-host)#end
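The deny-means-exempt behavior of the ACL inside the class map is the part of this configuration that most often surprises people, so the following Python script, added here as an illustration and not code from the page or from Cisco, simulates the classification and the pps policer over constructed traffic. The port numbers are the standard values behind the IOS keywords (telnet = 23, www = 80); the token-bucket burst depth is an assumption of the simulation, and IOS uses its own default when none is configured.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", ...
    src: str               # "any" or one host address
    dport: Optional[int]   # None means any destination port


# CP-acl transcribed from the configuration above (telnet = 23, www = 80).
CP_ACL = [
    Ace("deny", "tcp", "172.30.101.1", 23),
    Ace("deny", "tcp", "172.30.101.1", 80),
    Ace("permit", "tcp", "any", 23),
    Ace("permit", "tcp", "any", 80),
]


def acl_lookup(acl, proto, src, dport):
    """First-match ACL evaluation with the implicit deny at the end."""
    for ace in acl:
        if ace.proto == proto and ace.src in ("any", src) and ace.dport in (None, dport):
            return ace.action
    return "deny"


def classify(proto, src, dport):
    """'match access-group name CP-acl' matches only packets the ACL permits.
    Denied and unmatched packets fall into class-default, which has no policer."""
    return "CP-class" if acl_lookup(CP_ACL, proto, src, dport) == "permit" else "class-default"


class PpsPolicer:
    """Single token bucket modelling 'police rate <pps> pps conform-action transmit
    exceed-action drop'. burst_pkts is an assumption of this simulation."""

    def __init__(self, rate_pps, burst_pkts):
        self.rate, self.burst = rate_pps, burst_pkts
        self.tokens, self.last = float(burst_pkts), 0.0

    def offer(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return "transmit"
        return "drop"


def run_policy(packets, rate_pps=50000, burst_pkts=1000):
    """Classify each (time_s, proto, src, dport) tuple and police only CP-class.
    Returns packet counts keyed by (src, class, action)."""
    policer = PpsPolicer(rate_pps, burst_pkts)
    counts = {}
    for t, proto, src, dport in packets:
        cls = classify(proto, src, dport)
        action = policer.offer(t) if cls == "CP-class" else "transmit"
        key = (src, cls, action)
        counts[key] = counts.get(key, 0) + 1
    return counts


def constructed_traffic(n=60000):
    """Constructed traffic, not a capture: n Telnet packets to the router within one
    second (60,000 pps, above the 50,000 pps rate) from an untrusted host and the same
    from the trusted host, plus two packets that CP-acl does not match at all."""
    pkts = []
    for i in range(n):
        t = i / n
        pkts.append((t, "tcp", "10.0.0.5", 23))       # untrusted Telnet: CP-class, policed
        pkts.append((t, "tcp", "172.30.101.1", 23))   # trusted Telnet: denied by ACL = exempt
    pkts.append((0.5, "tcp", "10.0.0.5", 179))        # BGP from untrusted host: not in CP-acl
    pkts.append((0.5, "udp", "10.0.0.5", 161))        # SNMP from untrusted host: not in CP-acl
    return pkts


if __name__ == "__main__":
    for key, count in sorted(run_policy(constructed_traffic()).items()):
        print(key, count)
```

Running it shows the trusted host's 60,000 Telnet packets all transmitted from class-default, roughly 9,000 of the untrusted host's packets dropped by the policer once the bucket empties, and the BGP and SNMP packets passing untouched because CP-acl never matches them. Widen the ACL (or add more classes) if those protocols also need a rate limit.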

You can find a more detailed discussion about control plane protection at the following site:

http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd805ffde8.shtml

Management Plane Protection

The management plane handles communication with the router itself, using protocols such as Telnet, Secure Shell (SSH), Simple Network Management Protocol (SNMP), Hypertext Transfer Protocol (HTTP), and HTTP over Secure Sockets Layer (HTTPS). If you lose management plane access, you cannot configure the device (and thus you essentially lose control of the device). You can use the following tools to protect the management plane:

  • Cisco Management Plane Protection (MPP)

  • SSH (allow SSH only)

  • ACLs to filter the vty ports

  • Cisco IOS Software login enhancement

  • Role-based command-line interface (CLI) views

The Cisco MPP feature enables you to designate one or more interfaces as management interfaces and to list which management protocols each one accepts. The following configuration allows SSH and SNMP traffic to reach the device only on interface Fast Ethernet 0/0; management traffic for those protocols arriving on any other interface is dropped, as is any protocol not listed (Telnet and HTTP, in this example) on the management interface itself. MPP requires Cisco Express Forwarding (CEF) to be enabled, and it does not affect the console port, so keep a console session open and confirm that SSH works on the designated interface before you apply it; otherwise you can lock yourself out of in-band management. To configure MPP, enter the following commands:

cisco_router(config)#control-plane host
cisco_router(config-cp-host)#management-interface FastEthernet 0/0 allow ssh snmp

You can find a more detailed discussion about MPP at the following site:

http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a0080617022.html

Securing the Data Plane

The data plane, also called the forwarding plane, moves most of the traffic that passes through the router. You can prevent certain attacks by denying them passage through the router. To secure the data plane on Cisco routers, use Flexible Packet Matching (FPM). FPM provides deeper inspection than standard IOS tools, down to arbitrary bytes in the packet, to protect against data plane attacks such as Code Red, Nimda, SQL Slammer, and Blaster. FPM uses Protocol Header Definition Files (PHDFs), which are nothing more than Extensible Markup Language (XML) files, prepackaged by Cisco, that describe the fields of a protocol header so that match statements can refer to them by name instead of by raw offset. Keep in mind that FPM is a stateless, per-packet signature match: it catches traffic that looks exactly like the pattern you describe, and a variant that changes those bytes will pass. When deploying FPM, follow these steps (taken from the FPM deployment guide):

  1. Determine the characteristics of the attack. Some questions that may help in understanding the nature of the attack include these: Does the attack use a specific protocol? Are unique patterns present at specific places within the packets? Does the attack always target a specific port? Are the packets always a specific length?

  2. If the results of Step 1 conclude that FPM is useful for mitigating the attack, determine whether existing PHDFs, a custom PHDF, or no PHDFs are required to define the FPM policy. If existing PHDFs are acceptable, skip Step 3 and proceed to Step 4. If a custom PHDF is required, proceed to Step 3. If no PHDFs are required (in which case class maps must only use the two permanently defined starting points from the Layer 2 header or the Layer 3 header), skip Steps 3 and 4 and proceed directly to Step 5.

  3. Write a custom PHDF for any protocol involved in the attack that is not already covered by an existing PHDF.

  4. Load all PHDFs needed to describe the packet contents so that match statements can be written based on convenient PHDF-defined offsets.

  5. Configure class maps, policy maps, and service policies to identify the traffic and take an action.

  6. Apply the service policies to appropriate interfaces.

The preceding six steps detail how to design and implement FPM. To configure FPM, follow these steps:

  1. Load a PHDF from flash memory.

    The PHDF is loaded into the router to define additional protocols whose header fields the router can match on.

    router(config)#load protocol flash:ip.phdf
    router(config)#load protocol flash:udp.phdf

    After the appropriate PHDFs have been loaded, you must define a class-map command with type stack so that FPM knows which headers are present and in which order.

    After the stack of protocols has been defined, a class map of type access-control is defined for classifying packets.

  2. Create a traffic class by defining class maps:

    router(config)#class-map type stack match-all ip-udp
    router(config-cmap)#description match UDP over IP packets
    router(config-cmap)#match field ip protocol eq 0x11 next udp
    router(config-cmap)#exit
    router(config)#class-map type access-control match-all slammer
    router(config-cmap)#description "match on slammer packets"
    router(config-cmap)#match field udp dest-port eq 0x59A
    router(config-cmap)#match field ip length eq 0x194
    router(config-cmap)#match start l3-start offset 224 size 4 eq 0x4011010

    A policy map is an ordered set of classes, each associated with an action; the policy binds the class to the action. Actions can be drop, an Internet Control Message Protocol (ICMP) response, log, or a nested service policy (as in the next step, where the UDP-over-IP stack class hands packets to a second policy).

  3. Create a traffic policy by defining a service policy:

    router(config)#policy-map type access-control fpm-udp-policy
    router(config-pmap)#description "policy for UDP based attacks"
    router(config-pmap)#class slammer
    router(config-pmap-c)#drop
    router(config-pmap-c)#exit
    router(config-pmap)#exit
    router(config)#policy-map type access-control fpm-policy
    router(config-pmap)#description "drop worms and malicious attacks"
    router(config-pmap)#class ip-udp
    router(config-pmap-c)#service-policy fpm-udp-policy
    router(config-pmap-c)#exit
    router(config-pmap)#exit

  4. Apply the service policy to an interface:

    router(config)#interface FastEthernet 0/1
    router(config-if)#service-policy type access-control input fpm-policy

To verify FPM, use the commands show protocols phdf ip, show flash, show class-map type stack, show class-map type access-control, show policy-map type access-control, and show policy-map type access-control interface interface.
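To make the offsets and field names in the class maps concrete, the following Python script, added here as an illustration and not code from the page or from Cisco, reproduces the matching logic of the stack class ip-udp and the access-control class slammer over constructed packets: it walks IP then UDP only when ip.protocol is 0x11, checks udp.dest-port and ip.length by name, and compares the 4 bytes at offset 224 from the start of the IP header as a big-endian integer. The packets are built inline and are not captures; the "benign" and "mutated" packets exist to show what the signature does and does not catch.

```python
import struct

# Values from the FPM class map above, as written in the IOS configuration.
SLAMMER_DST_PORT = 0x59A      # 1434/udp
SLAMMER_IP_LENGTH = 0x194     # IP total length 404 bytes
SLAMMER_OFFSET = 224          # 'match start l3-start offset 224'
SLAMMER_SIZE = 4
SLAMMER_PATTERN = 0x4011010   # 4-byte big-endian value expected at that offset

SRC = bytes([10, 0, 0, 7])    # constructed addresses
DST = bytes([192, 0, 2, 10])


def build_ipv4(src, dst, proto, l4):
    """Minimal IPv4 header (IHL=5, no options, checksum left zero) in front of an L4 block."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src, dst)
    return hdr + l4


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def stack_ip_udp(pkt):
    """Equivalent of 'class-map type stack ip-udp': parse IP, and continue into UDP
    only if ip.protocol == 0x11. Returns named fields, or None if the stack does not apply."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    fields = {"ip.protocol": pkt[9], "ip.length": struct.unpack("!H", pkt[2:4])[0]}
    if fields["ip.protocol"] != 0x11 or len(pkt) < ihl + 8:
        return None
    fields["udp.dest-port"] = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return fields


def match_start_l3(pkt, offset, size):
    """'match start l3-start offset N size M eq V': M bytes at offset N from the
    beginning of the IP header, read as a big-endian integer (None if the packet is short)."""
    chunk = pkt[offset:offset + size]
    return int.from_bytes(chunk, "big") if len(chunk) == size else None


def classify_slammer(pkt):
    """'drop' if the packet matches class slammer inside class ip-udp, else 'forward'
    (an unmatched packet in an FPM policy simply continues through the data plane)."""
    fields = stack_ip_udp(pkt)
    if fields is None:
        return "forward"
    hit = (fields["udp.dest-port"] == SLAMMER_DST_PORT
           and fields["ip.length"] == SLAMMER_IP_LENGTH
           and match_start_l3(pkt, SLAMMER_OFFSET, SLAMMER_SIZE) == SLAMMER_PATTERN)
    return "drop" if hit else "forward"


def constructed_slammer_like():
    """Constructed packet: 376-byte UDP payload so the IP total length is 404, with the
    signature bytes placed at l3 offset 224 (20-byte IP + 8-byte UDP = payload offset 196)."""
    payload = bytearray(b"\x04" + b"\x01" * 375)
    payload[196:200] = SLAMMER_PATTERN.to_bytes(4, "big")
    return build_ipv4(SRC, DST, 0x11, build_udp(1234, 1434, bytes(payload)))


def constructed_mutated_variant():
    """Same packet with one signature byte changed: a stateless signature misses it."""
    pkt = bytearray(constructed_slammer_like())
    pkt[SLAMMER_OFFSET + 3] ^= 0xFF
    return bytes(pkt)


def constructed_benign_sql_query():
    """Same destination port but a short payload: the ip.length check fails."""
    return build_ipv4(SRC, DST, 0x11, build_udp(1234, 1434, b"\x02" + b"\x00" * 31))


def constructed_tcp_to_1434():
    """TCP to 1434: the stack class never reaches UDP, so the nested policy is skipped."""
    tcp = struct.pack("!HHIIBBHHH", 1234, 1434, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return build_ipv4(SRC, DST, 6, tcp)


if __name__ == "__main__":
    for name, fn in [("slammer-like", constructed_slammer_like),
                     ("mutated", constructed_mutated_variant),
                     ("benign 1434/udp", constructed_benign_sql_query),
                     ("tcp 1434", constructed_tcp_to_1434)]:
        print(f"{name}: {classify_slammer(fn())}")
```

The mutated case is the caveat in practice: a single changed byte at the matched offset turns drop into forward, so treat an FPM signature as a targeted stopgap for known traffic rather than as a substitute for patching the hosts behind the router.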

You can find the FPM deployment guide at the following site:

http://www.cisco.com/en/US/products/ps6723/products_white_paper0900aecd803936f6.shtml
