Scribd
Upload
21 views18 pages

SECS03L04 - Securing The Data Plane

The document discusses Cisco's Flexible Packet Matching (FPM) technology for data plane protection. It describes how FPM uses protocol header definition files and traffic classes to match packets and apply security policies like dropping malicious traffic.

Uploaded by

Khoa Huynh Dang
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
21 views18 pages

SECS03L04 - Securing The Data Plane

The document discusses Cisco's Flexible Packet Matching (FPM) technology for data plane protection. It describes how FPM uses protocol header definition files and traffic classes to match packets and apply security policies like dropping malicious traffic.

Uploaded by

Khoa Huynh Dang
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 18

Cisco Network

Foundation Protection

Securing the Data Plane

© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—3-1


Data Plane Attacks
System
Slammer
Under Attack

router# show processes cpu


CPU utilization for five seconds: 99%/85%; one minute: 99%; five minutes: 78%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
1 0 2 0 0.00% 0.00% 0.00% 0 Chunk Manager
2 12 3744 3 0.08% 0.03% 0.02% 0 Load Meter
3 100 203 492 0.16% 0.09% 0.03% 0 Exec
4 10048 1896 5299 0.32% 0.06% 0.06% 0 Check heaps
5 0 2 0 0.00% 0.00% 0.00% 0 Pool Manager
6 0 2 0 0.00% 0.00% 0.00% 0 Timers
7 0 1 0 0.00% 0.00% 0.00% 0 OIR Handler
8 0 625 0 0.00% 0.00% 0.00% 0 Environmental mo
9 0 1 0 0.00% 0.00% 0.00% 0 Crash writer
10 24 343 69 0.00% 0.00% 0.00% 0 ARP Input

© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—3-2


Data Plane Protection

 ACLs
– FPM
 uRPF
– For antispoofing mitigation
 QoS
– Class-based policing

© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—3-3


Flexible Packet Matching

Slammer

Filter Match
t!
er
Al

PHDF
+
Custom Filters Attacker
Administrator

System Under
Attack

© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—3-4


IP Header

IP Header

1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

Version
IHL TOS Total Length

Identification Flags Fraqment Offset

TTL Protocol Header Checksum

Source IP Address

Destination IP Address

Options and Padding

© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—3-5


Configuring FPM

 Load a PHDF
– For header field matching
 Create a traffic class
– Define a protocol stack and specify exact parameters to match
– Using class map type “stack” and “access-control”
 Create a traffic policy
– Define a service policy
 Apply the service policy to an interface

© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—3-6


PHDFs and Class Map

router(config)# load protocol flash:ip.phdf


router(config)# load protocol flash:udp.phdf
router(config)# class-map type stack match-all ip-udp
router(config-cmap)# description match UDP over IP packets
router(config-cmap)# match field ip protocol eq 0x11 next udp
router(config-cmap)# exit
router(config)# class-map type access-control match-all slammer
router(config-cmap)# description “match on slammer packets”
router(config-cmap)# match field udp dest-port eq 0x59A
router(config-cmap)# match field ip length eq 0x194
router(config-cmap)# match start l3-start offset 224 size 4 eq
0x4011010

© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—3-7


Traffic Policies

router(config)# policy-map type access-control fpm-udp-policy


router(config-pmap)# description “policy for UDP based attacks”
router(config-pmap)# class slammer
router(config-pmap-c)# drop
router(config-pmap-c)# exit
router(config-pmap)# exit
router(config)# policy-map type access-control fpm-policy
router(config-pmap)# description “drop worms and malicious attacks”
router(config-pmap)# class ip-udp
router(config-pmap-c)# service-policy fpm-udp-policy
router(config-pmap-c)# exit
router(config-pmap)# exit

© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—3-8


Applying a Service Policy to an Interface

router(config)# interface FastEthernet 0/1


router(config-if)# service-policy type access-control input fpm-policy

Fa0/1

Attacker

System Under
Attack

© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—3-9


show protocols phdf Command
router# show protocols phdf ip
Protocol ID: 1
Protocol name: IP
Description: Definition-for-the-IP-protocol
Original file name: disk2:ip.phdf
Header length: 20
Constraint(s):
Total number of fields: 12
Field id: 0, version, IP-version
Fixed offset. offset 0
Constant length. Length: 4
Field id: 1, ihl, IP-Header-Length
Fixed offset. offset 4
Constant length. Length: 4
Field id: 2, tos, IP-Type-of-Service
Fixed offset. offset 8
Constant length. Length: 8
Field id: 3, length, IP-Total-Length
Fixed offset. offset 16
Constant length. Length: 16
Field id: 4, identification, IP-Identification
Fixed offset. offset 32

© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—3-10


show protocols phdf Command (Cont.)
Constant length. Length: 16
Field id: 5, flags, IP-Fragmentation-Flags
Fixed offset. offset 48
Constant length. Length: 3
Field id: 6, fragment-offset, IP-Fragmentation-Offset
Fixed offset. offset 51
Constant length. Length: 13
Field id: 7, ttl, Definition-for-the-IP-TTL
Fixed offset. offset 64
Constant length. Length: 8
Field id: 8, protocol, IP-Protocol
Fixed offset. offset 72
Constant length. Length: 8
Field id: 9, checksum, IP-Header-Checksum
Fixed offset. offset 80
Constant length. Length: 16
Field id: 10, source-addr, IP-Source-Address
Fixed offset. offset 96
Constant length. Length: 32
Field id: 11, dest-addr, IP-Destination-Address
Fixed offset. offset 128
Constant length. Length: 32

© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—3-11


show flash:*.phdf Command
R1# show flash:
-#- --length-- -----date/time------ path
1 2679 Jun 8 2006 13:23:30 -06:00 ip.phdf
2 2444 Jun 8 2006 13:23:44 -06:00 tcp.phdf
3 1644 Mar 15 2006 21:33:30 -06:00 sdmconfig-18xx.cfg
4 4052480 Mar 15 2006 21:34:04 -06:00 sdm.tar
5 812032 Mar 15 2006 21:34:26 -06:00 es.tar
6 1007616 Mar 15 2006 21:34:50 -06:00 common.tar
7 1038 Mar 15 2006 21:35:08 -06:00 home.shtml
8 113152 Mar 15 2006 21:35:26 -06:00 home.tar
9 511939 Mar 15 2006 21:35:50 -06:00 128MB.sdf
10 21121484 May 18 2006 15:04:20 -06:00 c1841-advsecurityk9-mz.124-
6.T1.bin
11 1159 Jun 8 2006 13:24:02 -06:00 udp.phdf
12 949 Jun 8 2006 13:24:32 -06:00 icmp.phdf
13 1002 Jun 8 2006 13:24:44 -06:00 ether.phdf

36356096 bytes available (27656192 bytes used)

© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—3-12


show class-map type Command

router# show class-map type stack


Class Map type stack match-all ip-udp (id 4)
Description: match UDP over IP packets
Match field IP protocol eq 0x11 next UDP

router# show class-map type access-control


Class Map type access-control match-all slammer (id 5)
Description: match on slammer packets
Match field UDP dest-port eq 0x59A
Match field IP length eq 0x194
Match start l3-start offset 224 size 4 eq 0x4011010

© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—3-13


show policy-map Command

router# show policy-map type access-control


Policy Map type access-control fpm-udp-policy
Description: policy for UDP based attacks
Class slammer
drop
Policy Map type access-control fpm-policy
Description: drop worms and malicious attacks
Class ip-udp
service-policy fpm-udp-policy

© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—3-14


show policy-map Command (Cont.)
router# show policy-map type access-control interface FastEthernet 0/1
FastEthernet0/1
Service-policy access-control input: fpm-policy
Class-map: ip-udp (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps
Match: field IP version eq 4
Match: field IP ihl eq 5
Match: field IP protocol eq 0x11 next UDP
Service-policy access-control : fpm-udp-policy
Class-map: slammer (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: field UDP dest-port eq 0x59A
Match: field IP length eq 0x194
Match: start l3-start offset 224 size 4 eq 0x4011010
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—3-15


Troubleshooting FPM

router# debug fpm event


*Jun 21 09:22:21.607: policy-classification-inline(): matches class: class-default
*Jun 21 09:22:21.607: packet-access-control(): policy-map: fpm-policy, dir: input, match.
retval: 0x0, ip-flags: 0x80000000

© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—3-16


Summary

 There have been many well-known attacks that have affected the
data plane of infrastructure devices.
 There are several tools used to secure the data plane.
 FPM is one tool used to protect the data forwarding plane.
 There are several steps used to configure FPM.
 There are several show commands used to verify FPM.
 Use debug commands are used to troubleshoot FPM.

© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—3-17


© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—3-18

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy