The Cisco 7600 router is, in my opinion, one of the most versatile high-end routing platforms on the planet! It is one of my favorite networking devices.
If you take a look at Cisco website under the Routers Product Category, you will notice that the 7600 can be used in Data Centers, in Service Provider networks, in WAN aggregation or as Internet Edge router.
In Service Provider networks it can be used as a Provider Edge (PE) router in IP/MPLS networks, aggregating many Customer Edge (CE) routers. Its modularity and high port density allow the 7600 to work both as a Layer 2 aggregation switch and as a high-performance Layer 3 router.
In Service Provider networks one of the main concerns of network administrators is to protect the networking infrastructure from Denial of Service attacks.
These DoS attacks are actually the most serious and most common security threat against Service Providers. Botnets are frequently the main source of such attacks. ICMP floods, UDP packet floods, DoS with spoofed source addresses, SYN attacks, etc. are a few examples of DoS or DDoS (Distributed Denial of Service) attacks.
Fortunately the Cisco 7600 router has many robust features and mechanisms to protect itself from such attacks.
At the company I work for (a Service Provider) we have already implemented several security protection features on the 7600 which are really effective against DoS attacks. A summary of the DoS protection mechanisms on the 7600 follows below:
- Security Access Control Lists (ACL): applied on interfaces to block traffic at Layer 3/4.
- QoS Rate Limiting: using class-maps and policy-maps you can apply rate limiting to specific types of traffic (e.g. ICMP).
- uRPF (Unicast Reverse Path Forwarding): protects against source-address spoofing attacks.
- Traffic Storm Control: protects against broadcast storm attacks.
- TCP Intercept: protects against SYN attacks.
- Hardware-Based Rate Limiters: work on PFC3 engines. These rate limiters protect the MSFC routing engine from various packet types that can overload its CPU (configured with the mls rate-limit command).
- Control Plane Policing (CoPP): again used to protect the MSFC routing engine, by applying rate limiting to packets that flow from the data plane to the control plane.
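The following IOS configuration is an added example, not taken from the author's production router, showing how the first six mechanisms in the list above are typically configured on a 7600 with a PFC3. Interface names, address ranges (RFC 5737 documentation prefixes), rate values and ACL names are all assumptions; CoPP is left out here because it is covered in its own section further down.

```cisco
! Constructed example (not the author's configuration); names, prefixes and
! rate values are assumptions chosen for illustration.
!
! 1) Security ACL: drop packets with obviously bogus source addresses at the
!    customer-facing interface before they reach Layer 3 forwarding.
ip access-list extended CE-INGRESS
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 0.0.0.0 any
 permit ip any any
!
! 2) QoS rate limiting: classify ICMP with an ACL and police it to 256 kbit/s
!    (burst 8000 bytes); conforming packets pass, excess is dropped.
ip access-list extended ICMP-ONLY
 permit icmp any any
!
class-map match-all ICMP-CLASS
 match access-group name ICMP-ONLY
!
policy-map CE-INGRESS-POLICY
 class ICMP-CLASS
  police 256000 8000 conform-action transmit exceed-action drop
!
! 3) uRPF in strict mode on the CE-facing Layer 3 interface: a packet is only
!    forwarded if the route back to its source points out the same interface.
interface GigabitEthernet1/1
 description Customer Edge uplink (constructed)
 ip address 192.0.2.1 255.255.255.252
 ip verify unicast source reachable-via rx
 ip access-group CE-INGRESS in
 service-policy input CE-INGRESS-POLICY
!
! 4) Traffic storm control on a Layer 2 aggregation port: suppress broadcast
!    above 1% and multicast above 5% of port bandwidth, and send an SNMP trap.
interface GigabitEthernet2/1
 description Layer 2 aggregation port (constructed)
 switchport
 switchport mode access
 storm-control broadcast level 1.00
 storm-control multicast level 5.00
 storm-control action trap
!
! 5) TCP Intercept in watch mode for the server block 203.0.113.0/24: embryonic
!    connections not completed within 20 seconds are reset by the router.
ip access-list extended TCP-INTERCEPT-SERVERS
 permit tcp any 203.0.113.0 0.0.0.255
!
ip tcp intercept list TCP-INTERCEPT-SERVERS
ip tcp intercept mode watch
ip tcp intercept watch-timeout 20
!
! 6) PFC3 hardware rate limiters: cap packets punted to the MSFC CPU
!    (first number = packets per second, second = burst).
mls rate-limit unicast ip icmp-unreachable no-route 100 10
mls rate-limit unicast ip icmp-redirect 100 10
mls rate-limit all ttl-failure 100 10
mls rate-limit unicast cef glean 50 10
```

The hardware rate limiters are the ones to verify first after a change (show mls rate-limit), because a limiter set too low silently drops legitimate traceroute replies or ARP glean traffic for directly connected hosts; the values above are starting points, not tuned figures.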
Of course, in addition to the above you must not forget other important security mechanisms such as a strong password policy, proper Authentication and Accounting, logging, SNMP security, routing protocol security (MD5 authentication in OSPF, BGP, etc.) and so on. All of these technical measures must be based on a thorough and carefully written security policy.
General DoS Protection on Cisco IP Networks
There are several mechanisms that can be used to protect a Cisco IP network from Denial of Service attacks.
Especially for Service Provider networks, DoS attacks, as I said above, are the biggest threat network administrators face today.
Worms, flooding attacks, Distributed Denial of Service by botnets, etc. are some forms of DoS attacks that can hit a Service Provider IP network. The two most effective security features on Cisco routers for mitigating DoS attacks are the following:
Receive Access Control Lists (rACL)
The Receive ACL feature is applicable to the GSR model routers. It is used to increase security on the Cisco 12000 by protecting the router's Gigabit Route Processor (GRP) from unnecessary and potentially malicious traffic.
The rACL feature can be used in combination with Control Plane Policing and Routing Protection to implement a successful defence-in-depth strategy for Control Plane Protection in the Core. This feature is supported in IOS version 12.0(24)S (and newer) of the GSR platform.
The traffic inspected by the rACL is traffic passing through the GSR Line Cards (LC) towards the LC CPU (ICMP and logging) and also traffic passing through the LC towards the route processor (GRP) (routing protocols, SSH, Telnet, SNMP, NTP).
Because the GRP has limited capacity to handle excessive traffic coming from the Line Cards, there is a danger of a Denial-of-Service attack on the GRP.
Receive ACLs explicitly permit or deny traffic destined to the GRP, while transit traffic in the forwarding (data) plane is not affected. Traffic is filtered on the ingress LC prior to RP processing. Deploying rACLs has helped defend against several security advisories across all US Service Providers' network infrastructure.
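An added example of a receive ACL for a Cisco 12000, not taken from the original post or from any particular provider's configuration. The peer and management prefixes (192.0.2.0/24 and 198.51.100.0/24) and the ACL number are assumptions; the structure follows the classification in the text, with routing protocols and management sessions permitted only from known infrastructure addresses and everything else destined to the GRP denied.

```cisco
! Constructed rACL example (not from the original post); prefixes, hosts and
! the ACL number are assumptions. The rACL only sees traffic whose destination
! is one of the router's own addresses; transit traffic is never matched.
!
! Routing protocols from the infrastructure peer block
access-list 110 remark --- routing protocols from peers ---
access-list 110 permit ospf 192.0.2.0 0.0.0.255 any
access-list 110 permit tcp 192.0.2.0 0.0.0.255 any eq bgp
access-list 110 permit tcp 192.0.2.0 0.0.0.255 eq bgp any
!
! Management only from the NOC block
access-list 110 remark --- management from the NOC ---
access-list 110 permit tcp 198.51.100.0 0.0.0.255 any eq 22
access-list 110 permit udp host 198.51.100.10 any eq snmp
access-list 110 permit udp host 198.51.100.20 eq ntp any
!
! Operational ICMP needed for ping, traceroute and path MTU discovery
access-list 110 remark --- operational ICMP ---
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any ttl-exceeded
access-list 110 permit icmp any any packet-too-big
access-list 110 permit icmp any any unreachable
!
! Everything else aimed at the GRP is dropped on the ingress line card;
! logging the denies shows what was being sent at the route processor.
access-list 110 deny ip any any log
!
! Bind the ACL to the route processor
ip receive access-list 110
```

The usual way to roll this out is in two passes: first with a final permit ip any any log in place of the deny, so that show access-list 110 reveals any legitimate control-plane traffic the policy forgot, and only then switch the last line to deny. Telnet is deliberately absent above; add it only if SSH is not available on the platform image.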
Control Plane Policing (CoPP)
The Control Plane Policing mechanism is complementary to the rACL feature. The latter controls which protocols and traffic are allowed to flow towards the route processor, while CoPP controls how much traffic is allowed to flow.
This feature is applicable on both the GSR 12000 and 7600 routers.
The Control Plane Policing feature treats the CP as a separate entity with its own ingress (input) and egress (output) ports, which are like ports on a router or switch.
Because the Control Plane Policing feature treats the CP as a separate entity, a set of rules can be established and associated with the ingress and egress port of the CP.
These rules are applied only after the packet has been determined to have the CP as its destination or when a packet exits from the CP.
Thereafter, you can configure a service policy to prevent unwanted packets from progressing after a specified rate limit has been reached; for example, a system administrator can limit all TCP SYN packets destined for the CP to a maximum rate of 1 megabit per second.
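The following is an added CoPP configuration for a 7600, not from the original post, that implements the 1 Mbit/s TCP SYN limit the paragraph uses as its example alongside separate classes for routing and management traffic. The peer and NOC prefixes, rates and class names are assumptions; the ordering of the classes is the part that matters, because a packet is policed by the first class it matches.

```cisco
! Constructed CoPP example (not from the original post); prefixes, rates and
! names are assumptions. On the 7600 the PFC3 enforces CoPP in hardware only
! when MLS QoS is enabled globally.
mls qos
!
! Classification ACLs
ip access-list extended COPP-ROUTING
 permit tcp 192.0.2.0 0.0.0.255 any eq bgp
 permit tcp 192.0.2.0 0.0.0.255 eq bgp any
 permit ospf 192.0.2.0 0.0.0.255 any
!
ip access-list extended COPP-MANAGEMENT
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 permit udp 198.51.100.0 0.0.0.255 any eq snmp
!
ip access-list extended COPP-TCP-SYN
 permit tcp any any syn
!
class-map match-all COPP-ROUTING
 match access-group name COPP-ROUTING
class-map match-all COPP-MANAGEMENT
 match access-group name COPP-MANAGEMENT
class-map match-all COPP-TCP-SYN
 match access-group name COPP-TCP-SYN
!
! Classes are evaluated top to bottom: BGP SYNs from known peers land in
! COPP-ROUTING and are never counted against the generic SYN limiter.
policy-map COPP-POLICY
 class COPP-ROUTING
  police 2000000 conform-action transmit exceed-action transmit
 class COPP-MANAGEMENT
  police 500000 conform-action transmit exceed-action drop
 class COPP-TCP-SYN
  police 1000000 conform-action transmit exceed-action drop
 class class-default
  police 500000 conform-action transmit exceed-action drop
!
! Apply the policy to the control plane's ingress port
control-plane
 service-policy input COPP-POLICY
!
! Verify from exec mode with: show policy-map control-plane input
```

The routing class polices with exceed-action transmit on purpose: its counters show whether the assumed 2 Mbit/s is realistic for this box, without risking a BGP session drop while the figure is being tuned. The class-default policer is the backstop for anything the classifier did not anticipate, which is exactly the traffic a flood against the MSFC tends to be.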