Contents
Part I IP Network and Traffic Plane Security Fundamentals
Chapter 1 Internet Protocol Operations Fundamentals
Exception IP and Non-IP Packets
IP Router Packet Processing Concepts
General IP Router Architecture Types
Centralized CPU-Based Architectures
Centralized ASIC-Based Architectures
Distributed CPU-Based Architectures
Distributed ASIC-Based Architectures
Chapter 2 Threat Models for IP Networks
Threats Against IP Network Infrastructures
Other IP Control Plane Threats
Malicious Network Reconnaissance
Threats Against Layer 2 Network Infrastructures
Threats Against IP VPN Network Infrastructures
Threats Against the Customer Edge
Threats Against the Provider Edge
Threats Against the Provider Core
Threats Against the Inter-Provider Edge
Carrier Supporting Carrier Threats
Chapter 3 IP Network Traffic Plane Security Concepts
Principles of Defense in Depth and Breadth
Understanding Defense in Depth and Breadth Concepts
What Is the Operational Envelope of the Network?
What Is Your Organization’s Operational Model?
IP Network Traffic Planes: Defense in Depth and Breadth
Network Edge Security Concepts
Network Core Security Concepts
Part II Security Techniques for Protecting IP Traffic Planes
Chapter 4 IP Data Plane Security
IP QoS Packet Coloring (Marking)
ACL Support for Filtering IP Options
ICMP Data Plane Mitigation Techniques
Disabling IP Directed Broadcasts
BGP Policy Enforcement Using QPPB
IP Network Core Infrastructure Hiding
IP Network Edge External Link Protection
Protection Using More Specific IP Prefixes
Protection Using BGP Communities
Protection Using ACLs with Discontiguous Network Masks
Remotely Triggered Black Hole Filtering
IP Transport and Application Layer Techniques
IOS Intrusion Prevention System
Layer 2 Ethernet Security Techniques
MAC Address–Based Traffic Blocking
Unknown Unicast Flood Blocking
Chapter 5 IP Control Plane Security
Disabling Unused Control Plane Services
IP Receive ACL Deployment Techniques
IP Receive ACL Configuration Guidelines
IP Receive ACL Feature Support
Platform-Specific CoPP Implementation Details
Cisco 12000 CoPP Implementation
Cisco Catalyst 6500/Cisco 7600 CoPP Implementation
Generalized TTL Security Mechanism
Layer 2 Ethernet Control Plane Security
Chapter 6 IP Management Plane Security
Remote Terminal Access Security
Disabling Unused Management Plane Services
Authentication, Authorization, and Accounting
Network Telemetry and Security
Chapter 7 IP Services Plane Security
IP Fragmentation and Reassembly
Disable IP TTL to MPLS TTL Propagation at the Network Edge
Carrier Supporting Carrier Security
Other IPsec Security-Related Features
Chapter 8 Enterprise Network Case Studies
Case Study 1: IPsec VPN and Internet Access
Network Topology and Requirements
Network Topology and Requirements
Chapter 9 Service Provider Network Case Studies
Case Study 1: IPsec VPN and Internet Access
Network Topology and Requirements
Network Topology and Requirements
Appendix A Answers to Chapter Review Questions
Appendix B IP Protocol Headers
ICMP Echo Request/Echo Reply Query Message Headers
ICMP Time to Live Exceeded in Transit Error Message Header
ICMP Destination Unreachable, Fragmentation Needed and Don’t Fragment was Set Error Message Header
Other ICMP Destination Unreachable Error Message Headers
IEEE 802.3 Ethernet Frame Header Format
IEEE 802.1Q VLAN Header Format
Appendix C Cisco IOS to IOS XR Security Transition
Control Plane Security Commands
Management Plane Security Commands
Services Plane Security Commands
Appendix D Security Incident Handling
Six Phases of Incident Response
Deploy Defense in Depth and Breadth Security Strategies
Establish Well-Defined Incident Response Procedures
Establish an Incident Response Team
Cisco Security Vulnerability Policy
Cisco Computer and Network Security
Cisco IPS Signature Pack Updates and Archives
Cisco IntelliShield Alert Manager Service
Industry Security Organizations