Document ID: 13608
Introduction
Prerequisites
Requirements
Components Used
Conventions
Secure Operations
Monitor Cisco Security Advisories and Responses
Leverage Authentication, Authorization, and Accounting
Centralize Log Collection and Monitoring
Use Secure Protocols When Possible
Gain Traffic Visibility with NetFlow
Configuration Management
Management Plane
General Management Plane Hardening
Limiting Access to the Network with Infrastructure ACLs
Securing Interactive Management Sessions
Using Authentication, Authorization, and Accounting
Fortifying the Simple Network Management Protocol
Logging Best Practices
Cisco IOS Software Configuration Management
Control Plane
General Control Plane Hardening
Limiting CPU Impact of Control Plane Traffic
Securing BGP
Securing Interior Gateway Protocols
Securing First Hop Redundancy Protocols
Data Plane
General Data Plane Hardening
Filtering Transit Traffic with Transit ACLs
Anti-Spoofing Protections
Limiting CPU Impact of Data Plane Traffic
Traffic Identification and Traceback
Access Control with VLAN Maps and Port Access Control Lists
Using Private VLANs
Conclusion
Related Information

Introduction
This document contains information to help you secure your Cisco IOS® system devices, which increases the overall security of your network. Structured around the three planes into which the functions of a network device can be categorized, this document provides an overview of each included feature and references to related documentation. The three functional planes of a network, the management plane, control plane, and data plane, each provide different functionality that needs to be protected.
• Management Plane: The management plane manages traffic that is sent to the Cisco IOS device and is made up of applications and protocols such as SSH and SNMP.
• Control Plane: The control plane of a network device processes the traffic that is paramount to maintaining the functionality of the network infrastructure. The control plane consists of applications and protocols between network devices, which includes the Border Gateway Protocol (BGP), as well as the Interior Gateway Protocols (IGPs) such as the Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF).
• Data Plane: The data plane forwards data through a network device. The data plane does not include traffic that is sent to the local Cisco IOS device.

The coverage of security features in this document often provides enough detail for you to configure the feature. However, in cases where it does not, the feature is explained in such a way that you can evaluate whether additional attention to the feature is required. Where possible and appropriate, this document contains recommendations that, if implemented, help secure a network.
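The three-plane split above is a classification rule as much as a description: traffic addressed to the device itself and used to manage it belongs to the management plane, traffic exchanged between devices to build forwarding state belongs to the control plane, and everything merely forwarded through the device is data plane. The following Python snippet is an added illustration of that rule, not code from the Cisco guide; the device addresses, the protocol and port tables, and the sample packets are all constructed for the example and would be replaced by a real device's configured addresses and enabled services.

```python
"""Classify packets into the three Cisco IOS functional planes.

Added illustration (not from the Cisco guide). All addresses, port tables and
sample packets are constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed: addresses configured on the hypothetical router's interfaces.
DEVICE_ADDRESSES = {ip_address("192.0.2.1"), ip_address("198.51.100.1")}

# Management-plane services: they terminate on the device and are used to manage it.
MANAGEMENT_TCP_PORTS = {22: "SSH", 23: "Telnet", 443: "HTTPS"}
MANAGEMENT_UDP_PORTS = {161: "SNMP", 514: "syslog"}

# Control-plane protocols: exchanged between network devices to build forwarding
# state (BGP over TCP; OSPF and EIGRP as their own IP protocol numbers).
CONTROL_TCP_PORTS = {179: "BGP"}
CONTROL_IP_PROTOCOLS = {88: "EIGRP", 89: "OSPF"}
# Link-local multicast groups used by OSPF and EIGRP hellos; these are not
# addressed to a device IP, yet they are processed by the device.
CONTROL_MULTICAST = {ip_address("224.0.0.5"), ip_address("224.0.0.6"),
                     ip_address("224.0.0.10")}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int      # IP protocol number: 6 = TCP, 17 = UDP, 88/89 = IGPs
    dst_port: int = 0  # 0 when the protocol carries no port


def classify(pkt: Packet) -> tuple[str, str]:
    """Return (plane, reason) for one packet seen at the device."""
    dst = ip_address(pkt.dst)
    local = dst in DEVICE_ADDRESSES
    # Routing-protocol traffic is control plane whether it arrives on a device
    # address or on the protocol's multicast group.
    if pkt.protocol in CONTROL_IP_PROTOCOLS and (local or dst in CONTROL_MULTICAST):
        return "control", CONTROL_IP_PROTOCOLS[pkt.protocol]
    if not local:
        # Transit traffic: forwarded through the device, never processed by it.
        return "data", "transit"
    if pkt.protocol == 6 and pkt.dst_port in CONTROL_TCP_PORTS:
        return "control", CONTROL_TCP_PORTS[pkt.dst_port]
    if pkt.protocol == 6 and pkt.dst_port in MANAGEMENT_TCP_PORTS:
        return "management", MANAGEMENT_TCP_PORTS[pkt.dst_port]
    if pkt.protocol == 17 and pkt.dst_port in MANAGEMENT_UDP_PORTS:
        return "management", MANAGEMENT_UDP_PORTS[pkt.dst_port]
    # Locally destined but not a recognized service: the device CPU still has
    # to look at it, so it is treated as management-plane traffic here.
    return "management", "unrecognized locally destined service"


def summarize(packets: list[Packet]) -> dict[str, int]:
    """Count how many sample packets fall into each plane."""
    return dict(Counter(classify(p)[0] for p in packets))


# Constructed sample traffic as seen by the hypothetical router.
SAMPLE_PACKETS = [
    Packet("203.0.113.10", "192.0.2.1", 6, 22),      # SSH to the device
    Packet("203.0.113.11", "198.51.100.1", 17, 161), # SNMP poll of the device
    Packet("192.0.2.2", "192.0.2.1", 6, 179),        # BGP session from a peer
    Packet("192.0.2.2", "224.0.0.5", 89),            # OSPF hello on AllSPFRouters
    Packet("203.0.113.10", "203.0.113.77", 6, 22),   # SSH passing through: transit
    Packet("10.0.0.5", "10.0.1.9", 17, 53),          # DNS passing through: transit
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p.dst, p.protocol, p.dst_port, "->", classify(p))
    print(summarize(SAMPLE_PACKETS))
```

The ordering of the checks is the point worth noticing: the routing-protocol test runs before the "is it addressed to us" test because OSPF and EIGRP hellos arrive on multicast groups rather than on an interface address, and the port-based tests run only after the transit test so that an SSH session merely passing through the device is counted as data plane, not management plane.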
Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

This document is not restricted to specific software and hardware versions.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions. Some command line examples in this document are wrapped to enhance readability.
Secure Operations

Secure network operations is a substantial topic. Although most of this document is devoted to the secure configuration of a Cisco IOS device, configurations alone do not completely secure a network. The operational procedures in use on the network contribute as much to security as the configuration of the underlying devices. The following topics contain operational recommendations that you are advised to implement; they highlight specific critical areas of network operations and are not comprehensive.
Monitor Cisco Security Advisories and Responses
The Cisco Product Security Incident Response Team (PSIRT) creates and maintains publications, commonly referred to as PSIRT Advisories, for security-related issues in Cisco products. The method used for...