Network World
Wednesday, December 3, 2008
10 wishes for router security

Reader Shaun wrote in with 10 points he'd like to see in router security (our responses are below):

1. Stand-alone Router secured

2. Stand-alone switch secured. Including Port Security features.

3. Stand-alone Router supporting a single secured incoming VPN connection

4. Stand-alone Router supporting maximum secured Wireless

5. Stand-alone Router supporting a VPN across a maximum secured Wireless

6. RIP2/OSPF/EIGRP routing between 2 or more routers done securely with a full explanation of how key chains work and what the relevant/significant parts of configuring key chains are.

7. Securing multiple switches, VLANs and VTP domains.

8. Setting up secure in-band management networks

9. Setting up secure out-of-band management networks

10. Packet sniffing for Cisco dummies. There is a lot out there telling you how to do it; there is a lot less out there telling you what you should be looking for and, more importantly, how to find it without killing your router/switch! i.e. Flexible Packet Matching & Deep Packet Inspection is great in theory....

I've probably got a lot more, but this seems like a good start. Also, it is not enough to explain how to do something; what is probably more important, in my opinion, is explaining why you do some things a specific way.

I hope this helps & thanks in advance.

David: Hi Shaun, thanks again for your questions. I'll respond to each, point by point.

>1. Stand-alone Router secured

David: The security policies required vary depending upon the router application (e.g., core versus edge). In both cases, however, you need to secure each of the four (4) traffic planes, including the data plane, control plane, management plane and services plane. Techniques to secure the data plane include: interface ACLs, unicast RPF, flexible packet matching, QoS, IP options filtering, disabling IP directed broadcasts, and edge link protection techniques (i.e., PE-CE link). Techniques to secure the control plane include: receive ACLs, control plane policing, MD5 authentication, ICMP techniques and BGP best common practices (e.g., TTL security check, prefix filters, prefix lists, AS path limits, graceful restart). Techniques to secure the management plane include: password security, SNMP security, remote terminal access security, disabling unused management plane services, disabling idle user sessions, system banners, secure IOS file systems, role-based CLI access and AAA. Securing the services plane will vary depending upon the IP services deployed (e.g., MPLS VPN, IPsec, etc.). How and why each of the above techniques is applied is detailed in our new book entitled Router Security Strategies: Securing IP Network Traffic Planes. Note, these techniques should be deployed in combination to provide defense in depth and breadth security. Defense in depth and breadth provides multiple layers of defense in the event one layer is bypassed. It also provides protection against the wide variety of attack vectors that may be leveraged to target your routers and/or network infrastructure. We've covered each of these (and others in the book) in great detail. In addition to describing each, we've also included explanations of "why" each is used (as you've asked about below). It isn't really practical to go into depth here on each of these, as it would basically entail re-writing the book...

>2. Stand-alone switch secured. Including Port Security features.

David: The techniques outlined above (#1) for stand-alone routers also apply to layer 3 switches. Further, additional security techniques are available to mitigate the risk of layer 2 based attacks, including port security, MAC address-based traffic blocking, disabling auto trunking, VLAN ACLs, IP source guard, private VLANs, traffic storm control, unknown unicast flood blocking, VTP authentication, DHCP snooping, dynamic ARP inspection, sticky ARP and spanning tree protocol techniques. Again, each of these is also covered in detail in our new book.

>3. Stand-alone Router supporting a single secured incoming VPN connection

David: The techniques outlined above (#1) for stand-alone routers also apply here. Additionally, techniques to secure the IPsec services plane are required, including IKE security techniques, fragmentation mitigation techniques and IPsec VPN access control. Please see Chapter 7 of the book for detailed descriptions of each of these.

>4. Stand-alone Router supporting maximum secured Wireless

David: This is outside the scope of what we've covered in the book. Wireless security has additional Layer 2 components that we've chosen to not cover since this topic is so broad (and important) in and of itself. Many excellent references are available for Wireless access network security.

>5. Stand-alone Router supporting a VPN across a maximum secured Wireless

David: Same comment as #4 above. Wireless is outside the scope of what we've covered in the book.

>6. RIP2/OSPF/EIGRP routing between 2 or more routers done securely with a full explanation of how key chains work and what the relevant/significant parts of configuring key chains are.

David: We cover many of these components in Chapter 5 of the book. Secure routing (or control plane security) includes more than just key chains. Key chains are an important component, as they provide an operationally efficient technique for key migration; however, other concepts such as Control Plane Policing are critically important as well. Please review Chapter 5 of the book. We think you'll find the explanations quite informative.

>7. Securing Multiple switches, VLANs and VTP Domains.

David: Applicable techniques were referenced in #2 above. These topics are reviewed in detail within Chapters 4 and 5 of the book.

>8. Setting up secure in-band management networks

David: This is dependent upon securing the IP management plane using the various management plane security techniques outlined in #1 above as well as in Chapter 6 of the book. However, securing the management plane alone is not enough. Data plane techniques such as infrastructure ACLs, for example, also help to protect the management plane, given that authorized management plane protocol traffic is generally limited to well-known, trusted, and internal sources. Using data plane security techniques such as ACLs, you can prevent unauthorized external traffic from gaining IP reachability to internal network infrastructure, including IP edge router addresses used for in-band management plane protocols. You must also ensure the network is physically secure. Network-based security measures become ineffective if physical security has been breached. These topics are reviewed in detail within Chapter 6 of the book.

>9. Setting up secure out-of-band management networks

David: While out-of-band (OOB) management networks are dedicated to carrying management plane traffic, the same IP traffic plane security principles apply including defense in depth and breadth. Additionally, it is critically important to prevent traffic forwarding between the OOB network and the in-band network. We strongly recommend against enabling CEF routing functions on OOB ports to prevent IP reachability between the in-band and OOB networks. With CEF enabled, an in-band network failure may cause in-band data plane traffic to be inadvertently rerouted across the OOB management network. In this scenario, the OOB network no longer exclusively carries management plane traffic, as intended. In-band and OOB security techniques are reviewed in detail in Chapter 6 of the book.

>10. Packet sniffing for Cisco dummies. There is a lot out there telling you how to do it; there is a lot less out there telling you what you should be looking for and, more importantly, how to find it without killing your router/switch! i.e. Flexible Packet Matching & Deep Packet Inspection is great in theory....

David: With respect to network telemetry, I would suggest beginning with NetFlow. NetFlow facilitates network and security monitoring, network planning, traffic analysis, and IP accounting. It is the primary technology for network anomaly detection and network accounting in the industry. It reports IP flow information similarly to a telephone bill, indicating who is talking to whom, over what interfaces, protocols, and ports, for how long, at what transmission rate, and so on. It is also widely available across IOS platforms, enabling each IOS device to act as a traffic analysis probe. Many hardware-based IOS platforms have dedicated hardware for NetFlow processing, minimizing the adverse impact, if any, on the router itself. The many benefits and broad software and hardware support have driven NetFlow's wide adoption. NetFlow is also widely supported within the industry today by third-party routers, NetFlow collectors, and traffic analysis management systems. Support is also not limited to IP routers.

I hope you find the above information useful. Thanks for your questions. /Dave
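As an added illustration of the key-migration point in David's answer to #6 (an example IOS configuration written for this page, not taken from the book or from the original exchange; the chain name, key strings, addresses and dates are constructed), a single key chain shared by RIPv2 and EIGRP whose overlapping lifetimes let a new key be rolled in one neighbour at a time without dropping adjacencies:

```cisco
! Constructed example: key 1 is the current key, key 2 its replacement.
! The accept-lifetime windows overlap (May 1 to Jun 30), so a neighbour
! still sending with key 1 is accepted while this router has already
! switched to sending with key 2 on Jun 1. Only send-lifetime drives the
! cut-over; no routing adjacency is lost during the migration window.
key chain RTR-AUTH
 key 1
  key-string OldKey-constructed
  accept-lifetime 00:00:00 Jan 1 2008 23:59:59 Jun 30 2008
  send-lifetime 00:00:00 Jan 1 2008 23:59:59 May 31 2008
 key 2
  key-string NewKey-constructed
  accept-lifetime 00:00:00 May 1 2008 infinite
  send-lifetime 00:00:00 Jun 1 2008 infinite
!
! Lifetimes are evaluated against the router clock: without a trusted
! time source the keys roll over at the wrong moment on different routers.
ntp server 192.0.2.10
!
interface FastEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 ! RIPv2 on this link: keyed MD5 authentication, not plaintext mode
 ip rip authentication mode md5
 ip rip authentication key-chain RTR-AUTH
 ! EIGRP AS 100 on the same link reuses the same chain
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 RTR-AUTH
```

Once every neighbour has been configured with key 2 and its own clock has passed the cut-over date, key 1 can be removed; the overlap is what makes the order of the per-router changes unimportant.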
