Home > Articles > Cisco Certification > CCNA Security Portable Command Guide: Network Foundation Protection

CCNA Security Portable Command Guide: Network Foundation Protection

Chapter Description

This chapter lists some common threats against network infrastructures and goes on to discuss the Cisco Network Foundation Protection Framework, Control Plane Security, Management Plane Security, and Data Plane Security.

Management Plane Security

Management plane security can be implemented using the following features:

Login and password policy

Restrict device accessibility. Limit the accessible ports and restrict the “who” and “how” methods of access.

Role-based access control

Ensure access is only granted to authenticated users, groups, and services. Role-based access control (RBAC) and authentication, authorization, and accounting (AAA) services provide mechanisms to effectively authenticate access.

Authorize actions

Restrict the actions and views that are permitted by any particular user, group, or service.

Secure management access and reporting

Log and account for all access. Record who accessed the device, what occurred, and when it occurred.

Ensure the confidentiality of data

Protect locally stored sensitive data from being viewed or copied. Use management protocols with strong authentication to mitigate confidentiality attacks aimed at exposing passwords and device configurations.

Present legal notification

Display legal notice developed with legal counsel.

Role-Based Access Control

RBAC restricts user access based on the role of the user. Roles are created for job or task functions and assigned access permissions to specific assets. Users are then assigned to roles and acquire the permissions that are defined for the role.

In Cisco IOS, the role-based CLI access feature implements RBAC for router management access. The feature creates different “views” that define which commands are accepted and what configuration information is visible. For scalability, users, permissions, and roles are usually created and maintained in a central repository server. This makes the access control policy available to multiple devices using it.

The central repository server can be a AAA server such as the Cisco Secure Access Control System (ACS) to provide AAA services to a network for management purposes.

Secure Management and Reporting

The management network is a very attractive target to hackers. For this reason, the management module has been built with several technologies designed to mitigate such risks.

The information flow between management hosts and the managed devices can be out-of-band (OOB) (information flows within a network on which no production traffic resides) or in-band (information flows across the enterprise production network, the Internet, or both).

5. Data Plane Security | Next Section Previous Section