Infrastructure Security
Chapter Overview
Infrastructure security forms the bedrock of any robust enterprise network defense. Without adequately securing the core components that route, switch, and process data, even the most advanced perimeter firewalls or endpoint protection solutions can be undermined. This chapter dives deep into protecting network devices themselves — hardening them against sophisticated attacks and unauthorized access that can cripple an organization.
Our focus centers on Network Foundation Protection (NFP), a framework that dissects device security into distinct management, control, and data planes. Each plane presents unique attack vectors and requires tailored security controls. We’ll explore how to safeguard administrative access, prevent denial-of-service attacks against critical routing processes, and ensure the integrity and confidentiality of user data flowing through the network.
Core Concepts
Network Foundation Protection (NFP) Framework
NFP is a holistic approach to securing network infrastructure devices by categorizing their functions into three distinct planes: Management, Control, and Data. This segmentation allows for targeted security policies, recognizing that each plane has different vulnerabilities and operational requirements.
💡 Real-world Example: On a critical core router, the Management Plane is secured via SSH and AAA for administrators, the Control Plane is protected by CoPP to prevent routing protocol manipulation, and the Data Plane uses ACLs and Unicast Reverse Path Forwarding (uRPF) to filter unwanted user traffic — each with its own specialized defense.
Securing the Management Plane
The Management Plane encompasses all traffic related to accessing, configuring, and monitoring network devices. Protecting it prevents unauthorized administrative control that could lead to misconfiguration, data exfiltration, or complete network disruption. Key strategies include strong authentication (AAA), granular authorization (RBAC), and using only secure protocols.
💡 Real-world Example: An authorized engineer logs into a production switch using SSH with multi-factor authentication against a centralized TACACS+ server. The server authenticates credentials and grants access based on role — allowing only specific configuration commands appropriate for that engineer’s responsibilities.
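The per-command authorization in that example, as an added illustration that is not TACACS+ server code or anything from the original page: after login, the switch forwards every command line to the AAA server, which answers permit or deny from the role's command set. The roles, rules and commands here are assumptions chosen for the demonstration; rules are evaluated in order, first match wins, and anything unmatched is denied.

```python
"""Added example: per-command authorization the way a TACACS+ command set
applies it.  Not vendor code; roles and rules are assumed for the demo."""
import re

# Assumed command sets.  Each rule is (action, regex matched against the
# whole command line).  Order matters: the running-config deny must come
# before the broad 'show' permit, or a read-only operator can pull the
# configuration (and every secret in it) through 'show running-config'.
COMMAND_SETS = {
    "noc-readonly": [
        ("deny", r"show (running-config|startup-config)\b.*"),
        ("permit", r"show .*"),
        ("permit", r"ping .*"),
        ("permit", r"traceroute .*"),
    ],
    "access-engineer": [
        ("permit", r"show .*"),
        ("permit", r"configure terminal"),
        ("permit", r"interface (Gigabit|FastEthernet|TenGig)\S+"),
        ("permit", r"(no )?(description|switchport|shutdown)\b.*"),
        ("deny", r".*"),   # explicit for readability; implicit deny applies anyway
    ],
}


def normalize(command):
    """Collapse whitespace so 'show   ip  route' matches the same rule as
    'show ip route'.  IOS also expands abbreviations before sending the
    command to the server; that step is skipped here."""
    return " ".join(command.split())


def authorize(role, command, command_sets=COMMAND_SETS):
    """Return (decision, matched_pattern) for a command under a role.
    Unknown roles and unmatched commands are denied."""
    cmd = normalize(command)
    for action, pattern in command_sets.get(role, []):
        if re.fullmatch(pattern, cmd):
            return action, pattern
    return "deny", None


if __name__ == "__main__":
    for role, cmd in [("noc-readonly", "show ip route"),
                      ("noc-readonly", "show running-config | include snmp"),
                      ("access-engineer", "interface GigabitEthernet1/0/24"),
                      ("access-engineer", "router ospf 1")]:
        print(role, "|", cmd, "->", authorize(role, cmd)[0])
```

The check to run against a real command set is the same one the second rule shows: a broad permit placed before a narrow deny silently grants the thing the deny was written for.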
Securing the Control Plane
The Control Plane handles network intelligence — routing updates, ARP requests, and protocol signaling essential for network operation. Attacks against this plane can disrupt connectivity, misdirect traffic, or overwhelm the device CPU. Control Plane Policing (CoPP) and Control Plane Protection (CPPr) are vital tools for rate-limiting and filtering traffic destined for the CPU.
💡 Real-world Example: An attacker floods a router with OSPF packets in an attempt to exhaust its CPU. The CoPP policer for the routing-protocol class drops everything above the configured rate before it reaches the route processor, so the CPU keeps up with its legitimate adjacencies and the router continues forwarding user traffic in hardware. CoPP is a rate limit, not an intrusion detector: it cannot tell malformed packets from genuine ones, so the legitimate OSPF hellos that share the class compete for the same rate.
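A minimal simulation of what the CoPP policy-map does in that scenario, added here as illustrative Python and not Cisco code: packets punted to the CPU are classified, and each class is policed by a token bucket. The class definitions, rates, bursts and the traffic mix are assumptions for the demonstration. It goes one step further than the example above by running the same flood through two policies, one with BGP sharing the routing class and one with BGP in its own class, to show that CoPP protects the CPU and the other classes but not a protocol that shares a class with the flood.

```python
"""Added example: Control Plane Policing as per-class token buckets.
Illustrative Python, not IOS; policy values and packets are assumed."""
from collections import Counter

# Coarse policy: one class for all routing protocols.
# Each class: (protocols it matches, rate in packets/s, burst in packets).
COARSE_POLICY = {
    "routing":    ({"ospf", "eigrp", "bgp"}, 200, 50),
    "management": ({"ssh", "snmp", "ntp", "syslog"}, 100, 20),
    "icmp":       ({"icmp"}, 50, 10),
    "default":    (set(), 10, 5),   # everything else punted to the CPU
}

# Finer policy: BGP gets its own class so an IGP flood cannot starve it.
FINE_POLICY = dict(COARSE_POLICY)
FINE_POLICY["routing"] = ({"ospf", "eigrp"}, 200, 50)
FINE_POLICY["bgp"] = ({"bgp"}, 100, 20)


class TokenBucket:
    """Single-rate policer: a packet conforms while a token is available,
    otherwise it exceeds and is dropped."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = 0.0

    def conform(self, now):
        # Refill in proportion to elapsed time, never beyond the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def classify(protocol, policy):
    """Return the first class whose match set contains the protocol."""
    for name, (members, _rate, _burst) in policy.items():
        if protocol in members:
            return name
    return "default"


def police(packets, policy):
    """Run (time_s, protocol) packets through the policy in time order.
    Returns {class: Counter(conform=n, exceed=m)}."""
    buckets = {n: TokenBucket(r, b) for n, (_m, r, b) in policy.items()}
    stats = {n: Counter() for n in policy}
    for when, proto in sorted(packets, key=lambda p: p[0]):
        cls = classify(proto, policy)
        stats[cls]["conform" if buckets[cls].conform(when) else "exceed"] += 1
    return stats


def flood_scenario(policy):
    """Constructed traffic: a 10 kpps OSPF flood lasting 0.1 s, with ten BGP
    keepalives and ten SSH packets interleaved over the same window."""
    packets = [(i * 0.0001, "ospf") for i in range(1000)]
    packets += [(0.003 + i * 0.01, "bgp") for i in range(10)]
    packets += [(0.006 + i * 0.01, "ssh") for i in range(10)]
    return police(packets, policy)


if __name__ == "__main__":
    for label, policy in (("coarse", COARSE_POLICY), ("fine", FINE_POLICY)):
        result = flood_scenario(policy)
        print(label, {k: dict(v) for k, v in result.items() if v})
```

With the coarse policy the routing class lets through roughly its burst plus 0.1 s of its rate (about 70 of 1,010 packets) and the SSH session is untouched, but the ten BGP keepalives are inside the policed class and can be dropped along with the flood. The fine policy keeps all ten. The caveat a practitioner wants from this: class granularity decides who survives a flood, so put the protocols whose loss is most expensive in their own classes.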
Securing the Data Plane
The Data Plane is responsible for forwarding user traffic through network devices. Securing it ensures legitimate traffic flows efficiently while malicious traffic is blocked. This includes ACLs, Unicast Reverse Path Forwarding (uRPF), flood protection, and IPv6 first-hop security features.
💡 Real-world Example: An internal user on the access subnet sends packets whose source address is spoofed to look like a server on a different subnet. The ingress interface runs uRPF in strict mode: the router looks up the source address in its routing table, finds that the best path back to that address leaves through a different interface than the one the packet arrived on, and drops the packet. Loose mode would only check that some route to the source exists; it is the right choice on interfaces with asymmetric routing, but it would not catch this spoof.
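The uRPF decision from that example, added here as illustrative Python rather than router code. The routing table, interface names and packets are constructed for the demonstration. It also covers the two cases the example only mentions: an interface on a backup path where strict mode would drop legitimate traffic and loose mode would not, and a source that matches only the default route, which is dropped unless the check is told to allow it.

```python
"""Added example: strict and loose Unicast Reverse Path Forwarding checks
over a small constructed routing table.  Not vendor code."""
import ipaddress

# Constructed FIB: (prefix, outgoing interface).  A longest-prefix match on
# the source address tells the router which interface it "expects" that
# source to arrive on.
FIB = [
    ("10.10.0.0/24", "Gi0/1"),    # user subnet
    ("10.20.0.0/24", "Gi0/2"),    # server subnet
    ("172.16.0.0/16", "Gi0/3"),   # branch, preferred path over the primary WAN
    ("0.0.0.0/0", "Gi0/0"),       # default route towards the Internet
]


def lookup(fib, address):
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib, src, ingress, mode="strict", allow_default=False):
    """Return True if the packet passes uRPF, False if it must be dropped.

    strict: the best route to the source must point back out the ingress
            interface.
    loose:  any route to the source is enough (catches unroutable/bogon
            sources but not spoofing of reachable addresses).
    A source matched only by the default route fails unless allow_default
    is set (the 'allow-default' option on most platforms).
    """
    match = lookup(fib, src)
    if match is None:
        return False
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return iface == ingress


if __name__ == "__main__":
    cases = [
        ("10.10.0.7", "Gi0/1", "strict"),     # legitimate user traffic
        ("10.20.0.5", "Gi0/1", "strict"),     # server address spoofed on the user port
        ("10.20.0.5", "Gi0/1", "loose"),      # loose mode misses that spoof
        ("172.16.5.9", "Gi0/4", "strict"),    # branch traffic on the backup WAN
        ("172.16.5.9", "Gi0/4", "loose"),     # loose mode tolerates the asymmetry
        ("203.0.113.4", "Gi0/0", "strict"),   # Internet source, default route only
    ]
    for src, ingress, mode in cases:
        verdict = "forward" if urpf_check(FIB, src, ingress, mode) else "drop"
        print(f"{src:<12} in {ingress} {mode:<6} -> {verdict}")
```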
Secure Network Management Protocols
Modern network management requires protocols that provide confidentiality, integrity, and authentication for sensitive configuration and monitoring data. SNMPv3 with authentication and privacy, NETCONF over SSH, and RESTCONF over HTTPS replace insecure predecessors such as SNMPv1/v2c, Telnet, and cleartext HTTP, and give automation and compliance tooling a secure programmatic interface to network devices.
💡 Real-world Example: A network operations team replaces all SNMPv2c monitoring with SNMPv3 using AuthPriv mode (SHA authentication + AES encryption). Now all SNMP polling and trap data is authenticated and encrypted, preventing attackers from reading community strings or injecting false monitoring data.
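What that AuthPriv migration changes on the wire, shown with an added example that is not from the page or any vendor code: SNMPv3's User-based Security Model never sends the password. It stretches the password into a key and then localizes that key to each agent's engine ID (RFC 3414, appendix A), so the agent only stores a key that is useless against any other device, and every message carries an HMAC computed with it. The password and first engine ID are the RFC 3414 A.3 test vectors; the second engine ID and the sample message are constructed for the demonstration.

```python
"""Added example: SNMPv3 USM key derivation, localization and message
authentication per RFC 3414.  Not vendor code."""
import hashlib
import hmac

ONE_MIB = 1048576                                   # RFC 3414 A.2 stretches 1,048,576 bytes
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")         # RFC 3414 A.3 vector
ASSUMED_ENGINE_ID = bytes.fromhex("800000090300001122334455")     # constructed second agent


def password_to_ku(password, algo="sha1"):
    """Stretch a password into the intermediate key Ku: hash 1 MiB of the
    password repeated end to end (md5 or sha1, per the USM auth protocol)."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    repeated = (pw * (ONE_MIB // len(pw) + 1))[:ONE_MIB]
    return hashlib.new(algo, repeated).digest()


def localize(ku, engine_id, algo="sha1"):
    """Kul = H(Ku || snmpEngineID || Ku): binds Ku to one agent."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_params(kul, message, algo="sha1"):
    """msgAuthenticationParameters: HMAC over the serialized message (with
    this field zeroed), truncated to 12 bytes (HMAC-MD5-96 / HMAC-SHA-96,
    RFC 3414 sections 6.3.1 and 7.3.1)."""
    return hmac.new(kul, message, algo).digest()[:12]


def verify(kul, message, params):
    """Constant-time check of received authentication parameters."""
    return hmac.compare_digest(auth_params(kul, message), params)


def localized_keys(password, engine_ids, algo="sha1"):
    """One password, one Kul per engine: what a manager keeps per device."""
    ku = password_to_ku(password, algo)
    return {eid.hex(): localize(ku, eid, algo) for eid in engine_ids}


if __name__ == "__main__":
    keys = localized_keys("maplesyrup", [RFC_ENGINE_ID, ASSUMED_ENGINE_ID])
    for eid, kul in keys.items():
        print(eid, kul.hex())
    # Constructed stand-in for a serialized SNMPv3 message with the
    # authentication parameters field zeroed.
    msg = b"\x30\x0a\x02\x01\x03" + b"\x00" * 12
    print("auth ok:", verify(keys[RFC_ENGINE_ID.hex()], msg,
                             auth_params(keys[RFC_ENGINE_ID.hex()], msg)))
```

The practical consequence: an attacker who reads Kul out of one agent's configuration can forge messages to that agent, but cannot reuse it against any other engine ID and cannot recover the password from it, which is not true of a v2c community string.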

Real World Analogy
🏦 Think of a network device as a bank branch. The Management Plane is like the bank manager’s office — access is strictly controlled, only authorized staff with proper credentials can enter, and all actions are logged. The Control Plane is like the internal communication system between branches — if flooded with fake messages it gets overwhelmed, so there are filters (CoPP) to rate-limit suspicious communications. The Data Plane is the bank tellers processing customer transactions — they follow strict rules (ACLs) about which transactions to process and verify that customer IDs (source IPs via uRPF) are legitimate before proceeding.
Chapter Recap
This chapter explored infrastructure security through the NFP framework — dissecting network device protection into Management, Control, and Data planes, each with distinct threats and countermeasures. We covered secure administrative access via SSH, SNMPv3, NETCONF, and RESTCONF; Control Plane protection using CoPP and CPPr; and Data Plane security through ACLs, uRPF, and IPv6 first-hop security.
Secure logging with proper timestamps and NTP authentication emerged as indispensable practices — inaccurate or tampered logs undermine incident response and forensic analysis. Device hardening, routing protocol authentication, and image integrity protection complete the comprehensive suite of infrastructure security strategies.
Key Exam Points
- NFP planes: Management (configuration, monitoring), Control (routing, signaling), Data (forwarding user traffic).
- Management Plane: Use AAA via TACACS+/RADIUS, RBAC, SSH (TCP 22), SNMPv3 (UDP 161/162), NETCONF over SSH (TCP 830), RESTCONF over HTTPS (TCP 443).
- Control Plane: CoPP applies one QoS policy-map to all traffic punted to the CPU; CPPr adds finer classification by splitting the control plane into host, transit, and CEF-exception subinterfaces, plus port filtering and queue thresholding.
- Routing protocol authentication: OSPFv2 and EIGRP support MD5 and HMAC-SHA via key chains; BGP uses TCP MD5 and, where the platform supports it, TCP-AO. Key chains with overlapping accept and send lifetimes enable hitless key rollover.
- Secure logging: Use syslog over TCP 6514 with TLS or VPN tunneling; accurate timestamps are critical for event correlation and forensics.
- Device hardening: Secure console access, disable unused services, configure login banners, protect device image (Cisco Resilient Configuration).
- Data Plane security: ACLs filter traffic; uRPF (strict or loose mode) drops packets with spoofed or unroutable sources; IPv6 First-Hop Security (RA Guard, DHCPv6 Guard, ND inspection, IPv6 Source Guard, Destination Guard) protects against rogue routers, rogue DHCPv6 servers, spoofed neighbors, and neighbor-cache exhaustion.
- Always use SNMPv3 AuthPriv mode (SHA + AES) in production — SNMPv2c community strings are transmitted in plaintext.
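The routing-protocol authentication and hitless rollover points above, worked through in an added example that is illustrative Python rather than IOS configuration. Each key in the chain has an accept lifetime (receivers verify with it) and a send lifetime (senders use it); an update carries the key ID and an HMAC over its contents, as OSPFv2 and EIGRP authentication do, so the receiver can select the key by ID. HMAC-SHA-256, the schedule and the secrets are assumptions for the demonstration.

```python
"""Added example: key-chain authentication of routing updates with
overlapping lifetimes.  Not IOS code; times and secrets are assumed."""
import hashlib
import hmac

INF = float("inf")


class Key:
    def __init__(self, key_id, secret, accept, send):
        self.key_id = key_id        # key ID carried in the update header
        self.secret = secret        # shared secret (assumed)
        self.accept = accept        # (start, end) seconds, receiver side
        self.send = send            # (start, end) seconds, sender side

    def accepts_at(self, now):
        return self.accept[0] <= now <= self.accept[1]

    def sends_at(self, now):
        return self.send[0] <= now <= self.send[1]


def rollover_chain():
    """Assumed schedule: key 1 is sent until t=3600 but accepted until
    t=7200; key 2 is accepted from t=3000 and sent from t=3600.  The accept
    windows overlap, so peers that switch at slightly different times keep
    authenticating each other."""
    return [
        Key(1, b"old-shared-secret", accept=(0, 7200), send=(0, 3600)),
        Key(2, b"new-shared-secret", accept=(3000, INF), send=(3600, INF)),
    ]


def sign_update(chain, payload, now):
    """Sender: use the first key whose send lifetime covers now.
    Returns (key_id, payload, tag)."""
    for key in chain:
        if key.sends_at(now):
            tag = hmac.new(key.secret, payload, hashlib.sha256).digest()
            return key.key_id, payload, tag
    raise RuntimeError("no key valid for sending at t=%s" % now)


def verify_update(chain, key_id, payload, tag, now):
    """Receiver: the referenced key must exist, be inside its accept
    lifetime, and reproduce the HMAC; anything else is dropped."""
    for key in chain:
        if key.key_id == key_id and key.accepts_at(now):
            expected = hmac.new(key.secret, payload, hashlib.sha256).digest()
            return hmac.compare_digest(expected, tag)
    return False


if __name__ == "__main__":
    chain = rollover_chain()
    legacy = [Key(1, b"old-shared-secret", accept=(0, INF), send=(0, INF))]
    update = b"LSA: 10.20.0.0/24 metric 10"          # constructed payload
    for t in (1000, 4000, 8000):
        kid, payload, tag = sign_update(chain, update, t)
        print(f"t={t}: sent with key {kid}; "
              f"migrated peer accepts={verify_update(chain, kid, payload, tag, t)}, "
              f"legacy peer accepts={verify_update(legacy, kid, payload, tag, t)}")
```

The legacy peer in the script shows the operational caveat: once the send lifetime of key 2 begins, a neighbor that has not yet received the new key chain rejects every update and the adjacency drops. Push the new key chain to every router, with accept lifetimes that start well before the send switch, and only then let the send lifetime roll over.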
Common Mistakes to Avoid
⚠️ A perimeter firewall is not sufficient — Infrastructure security protects devices within the network. Even after a perimeter breach, hardened internal devices prevent further lateral movement and compromise.
⚠️ Never use Telnet or SNMPv2c in production — These protocols transmit credentials and data in plaintext. Always use SSH for CLI access and SNMPv3 for monitoring.
⚠️ Don’t neglect CoPP/CPPr on critical devices — Without Control Plane Policing, a device CPU can be overwhelmed by malicious or excessive control traffic, causing service disruption even without a data plane attack.
⚠️ Local accounts alone are insufficient — Centralized AAA with RBAC provides superior accountability, scalability, and granular control over administrative privileges compared to local usernames and passwords.
⚠️ Unsecured NTP and syslog undermine forensics — Inaccurate timestamps compromise log correlation during incidents, while insecure logging allows attackers to tamper with crucial evidence. NTP authentication is not optional.