Security

ccde-written
Published April 23, 2026

Overview

Designing a modern network that is secure is one of the most complicated tasks that network designers confront. Mobility and communication over the Internet are becoming one of the primary methods of communications and are essential requirements for many businesses. To address these trends, sophisticated security countermeasures are required. A good security design follows a structured approach that divides the network into domains and applies security in layers — this is known as defense in depth, where multiple layers of protection are strategically located across the network so that a failure of one layer does not leave the network at risk (Figure 1).

The layers, what each protects, and representative technologies are summarized below (Figure 1):

  • Physical security: Maintains security at the physical level, where only authorized people are permitted to have physical access. Examples: secure access management system, CCTV.
  • Infrastructure security: Protects against DoS-type attacks through traffic control (who can access what and how much bandwidth can be used) and also controls which devices can connect and communicate across the network. Examples at Layer 3: L3 iACL, L3 routing security, CoPP; at Layer 2: MAC security, STP BPDU protection, L2 iACL.
  • Network firewalling: A network-based solution between physical or logical domains or networks (at the chokepoints). Examples: a router with iACL or with traffic inspection capabilities such as zone-based firewall (ZBFW), stateless and stateful firewall, and next-generation firewall (NGFW). For advanced network security, network-based deep packet inspection (signature- or anomaly-based IPS/IDS) can be introduced.
  • Host-level security: Technologies running on the end system to protect the operating system, file system, and applications. Examples: host-based firewalls, host-based IPS, file system integrity checking, host antivirus/anti-spyware.
  • Application layer security: Protection and inspection at the application layer with more specialized functions. Examples: proxy systems, web proxy/filtering, email proxy/filtering, web application firewall (WAF).
  • Confidentiality and integrity (cryptography): Layer 2 to Layer 7 cryptography such as MACsec, IPsec, and SSL.
Figure 1: Elements of Layered Network and Information Security

Infrastructure Security

This section covers infrastructure security and network firewall considerations, focusing on the integration and impact with regard to network design.

Device Hardening Techniques

Securing network devices is the first and essential consideration to protect any network. Even with a very secure control plane and network edge design, if one or two network devices are compromised, the network can be taken down easily — for example, by introducing black-holing routes, generating large amounts of malicious traffic from a trusted internal device, or accessing internal zones that are not accessible externally. Additionally, if someone can access a network device, all traffic passing through that device can be sniffed and copied, which is dangerous for organizations handling sensitive information such as credit card numbers or personal data.

To approach device-level protection in a structured manner, a network designer must understand the following types of traffic that network devices normally handle (Figure 2):

  • Transit IP traffic: Traffic for which a network device makes a typical routing and forwarding decision regarding whether to send the traffic over its interfaces.
  • Receive IP traffic: Traffic destined to the network node itself, such as toward a router’s IP address, and requires CPU processing.
  • Exception IP traffic: Any IP traffic carrying a nonstandard “exception” attribute.
  • Non-IP traffic: Typically related to non-IP packets and almost always not forwarded.

Traffic Type | Attributes | Example
Transit IP traffic | Traffic for which a network device makes a typical routing and forwarding decision regarding whether to send the traffic over its interfaces | A frame that is typically forwarded based on a destination MAC address, or any IP packet subject to destination IP address forwarding
Receive IP traffic | Traffic destined to the network node itself, such as toward a router's IP address, and requires CPU processing | Traffic belonging to the management plane of the device, such as Telnet or SSH, as well as to the control plane, such as a BGP peering session
Exception IP traffic | Any IP traffic carrying a nonstandard "exception" attribute | A transit IP packet with an expired TTL or with IP packet options (for example, one that requires fragmentation)
Non-IP traffic | Typically related to non-IP packets and almost always not forwarded | MPLS, IS-IS (CLNP), Layer 2 keepalives, PPP Link Control Protocol (LCP), CDP, IPX
Figure 2: Types of Traffic Handled by Network Devices

Each traffic type maps to a specific device plane, each with its own security considerations, as summarized in Table 1.

Table 1: IP Traffic and Device Planes

Device Plane | Security Concern | Example
Data plane | Responsible for controlling fast-forwarding of traffic passing through a network device. Limited to a certain number of packets per second (PPS) based on hardware throughput. Common protections: iACLs, QoS, RTBH, uRPF. | Transit IP traffic
Control plane | Controls and handles all path selection functions. Issues such as a flapping BGP session with a large number of prefixes impact both network stability and device CPU. Common protections: iACLs, routing protection, CoPP. | BGP peering, routing updates
Management plane | Relates to management traffic: device access, configuration, troubleshooting, and monitoring. Unauthorized access can lead to device- and network-wide crises. Common protections: CPU/memory thresholding, AAA, CoPP. | SSH, SNMP, Telnet

The following points should be considered as general and foundational guidance to achieving the desired level of device hardening (Figure 3). These points should not conflict with or breach the security policy or company standards.

  • Physical security: Network devices must be placed physically in a secure location where only authorized people can access them.
  • Authentication, authorization, and accounting (AAA): Network devices must be accessible only by authorized people. Ideally, access privileges must be multilevel role-based access combined with reliable accounting (logging) to track who has accessed the devices and what has been done.
  • Secure the device management plane: Management sessions and activities must be performed over protected protocols such as SSH, SSL, SFTP, or IPsec. Out-of-band management access should be provisioned to offer secure, guaranteed direct access to critical network devices during DDoS attacks when in-band management access may be impossible.
  • Protect the hardware resources: Protecting hardware resources such as CPU is an essential countermeasure. CoPP protects the CPU from spikes caused by excessive control plane traffic. Control plane protection (CPP) also helps protect from exception and transit traffic.
  • Disable unused services: Unused services should be disabled to limit the chances that an intruder can compromise them to generate malicious traffic or DoS attacks.
  • Disable unused ports: Unused ports should be disabled and placed into a dedicated VLAN with no traffic allowed. Avoid using the default VLAN 1 or the native VLAN for this purpose, which reduces the risk of VLAN hopping.
  • Monitoring: Network and device monitoring helps operators optimize device security proactively or reactively. SNMP and NetFlow are the most common protocols used for this purpose.

Normally the organization security policy dictates the security standards for network devices, which must be considered.

The location of the device within the network plays a vital role in specifying the potential risks a device needs to be protected against. For instance, a device located in the DMZ performing packet inspection will require a higher level of protection compared to access switches located within the internal network connecting some endpoints.

There might be two network nodes located at the enterprise Internet edge block; one node is a Layer 3 routing node, while the other one performs inspection at the application layer. Based on the role and functional attributes of each device, different hardening standards should be defined even though both devices are located within the same network segment or logical zone.

Figure 3 relates the organization's security policy and the device role and location to device-level security.
Figure 3: Influencing Factors on Device-Level Security

Layer 2 Security Considerations

Securing Layer 2 or the data link layer is as critical as securing higher layers. A highly secure network at the higher layers can be easily taken out of service by simple Layer 2 flooding across its switched network. Therefore, it is critical to secure the network in a bottom-up manner to achieve a reliable and self-healing network security design.

Layer 2 is the simplest with regard to security considerations and one of the most dangerous at the same time. If a hacker compromises a data center switch, they can sniff all traffic passing through it, flood the TCAM table, or send malicious Layer 2 traffic storms. IPv6 also raises a number of first-hop security (FHS) concerns not present in IPv4.

Layer 2 security can be categorized as follows:

  • Authentication and authorization: Only authorized devices must be permitted to connect to the network at the switch port level. This can be achieved using IEEE 802.1X (which can integrate with a NAC system), port ACLs, dynamic ARP inspection (DAI), DHCP snooping, IP device tracking (IPDT), and other port security features. IPv6 RA guard, DHCPv6 guard, and IPv6 snooping help mitigate IPv6 FHS concerns. IEEE 802.1AE (MACsec) can authenticate and encrypt packets between MACsec-capable devices, such as at DCI edges of interconnected data centers.
  • VLAN design: Layer 2 domains should be contained to a limited range within the network to create smaller failure domains and avoid ARP or unicast flooding. Private VLANs (PVLANs) offer a more advanced level of controlled traffic separation between VLANs and between endpoints within the same VLAN. VTP should be secured or set to transparent mode to avoid the risk of a rogue switch rewriting VLANs across the entire switched network.
  • Layer 2 control plane: STP provides protective mechanisms against Layer 2 loops but is a double-edged sword — with no reliable authentication built in, an attacker can attach a switch with better attributes to become the root bridge, causing instability and potential traffic black-holing. Protecting the root bridge by denying rogue switches from participating and filtering BPDU messages at the network edge is essential.

IPv6 First-Hop Security (FHS)

IPv6 introduces security concerns at the first hop that do not exist in IPv4. Because IPv6 relies heavily on Neighbor Discovery Protocol (NDP) for address resolution, router discovery, and address autoconfiguration, an attacker on the local segment can exploit these mechanisms to intercept traffic, redirect flows, or exhaust resources. Several features work together to mitigate these threats.

IPv6 RA Guard filters rogue Router Advertisement messages. Only authorized routers should be sending RAs on a segment. RA Guard blocks RAs arriving on ports that are not connected to legitimate routers, preventing attackers from injecting themselves as a default gateway.

DHCPv6 Guard blocks rogue DHCPv6 server responses. Similar to DHCP snooping in IPv4, it ensures that only authorized DHCPv6 servers can assign addresses and configuration to hosts on the segment.

IPv6 Source Guard validates that the source address of incoming packets matches the binding table (built from NDP snooping, DHCPv6 snooping, or static entries). If a packet arrives with a source address that is valid but on the wrong port (topologically incorrect), Source Guard drops it. This prevents address spoofing even when the attacker uses a legitimate address from elsewhere in the network.

IPv6 Destination Guard prevents the switch from sending Neighbor Solicitation messages for destination addresses that are not in the binding table. Without this, an attacker can send traffic to many nonexistent IPv6 addresses, forcing the switch to flood NS messages and potentially exhaust the neighbor cache (NDP table exhaustion attack).

IPv6 Prefix Guard is a variant of Source Guard that operates at the prefix level. Instead of validating exact addresses, it checks whether the source address belongs to a prefix that is authorized for that link (learned via RA or DHCPv6). This is useful when exact address bindings are impractical but prefix-level validation is sufficient.

IPv6 Snooping (also called IPv6 NDP Inspection) builds and maintains the binding table by monitoring NDP and DHCPv6 exchanges. It is the foundation that other FHS features (Source Guard, Destination Guard) rely on for their binding information.

Note

These features are complementary. A typical deployment enables IPv6 snooping to build the binding table, RA Guard and DHCPv6 Guard to block rogue infrastructure devices, and Source Guard or Destination Guard (or both) to validate traffic against the binding table.
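The interplay described in this section and in the Note above, as an added example that is not code from the page or any vendor: a small model of the binding table that IPv6 snooping builds, with Source Guard, Prefix Guard, and Destination Guard deciding against it. The addresses, port names, and prefix are constructed sample values.

```python
"""IPv6 first-hop security decisions against a binding table.

Added illustration, not code from the page or any vendor. It models how
Source Guard, Prefix Guard and Destination Guard consult the binding table
that IPv6 snooping builds. Addresses, ports and prefixes are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class BindingTable:
    """address -> ingress port, plus the prefixes authorized on the link."""
    bindings: dict = field(default_factory=dict)
    prefixes: list = field(default_factory=list)

    def learn(self, address: str, port: str) -> None:
        """What IPv6 snooping records on seeing DAD NS/NA or a DHCPv6 Reply."""
        self.bindings[ipaddress.IPv6Address(address)] = port

    def authorize_prefix(self, prefix: str) -> None:
        """What a legitimate RA contributes to Prefix Guard."""
        self.prefixes.append(ipaddress.IPv6Network(prefix))


def source_guard(table: BindingTable, src: str, ingress_port: str) -> tuple[bool, str]:
    """Permit only an exact (address, port) match. A source that is bound
    elsewhere is valid but topologically incorrect and is dropped."""
    bound = table.bindings.get(ipaddress.IPv6Address(src))
    if bound is None:
        return False, "no binding for source"
    if bound != ingress_port:
        return False, f"source bound to {bound}, arrived on {ingress_port}"
    return True, "binding match"


def prefix_guard(table: BindingTable, src: str) -> bool:
    """Coarser check: the source only has to sit inside an authorized prefix."""
    addr = ipaddress.IPv6Address(src)
    return any(addr in net for net in table.prefixes)


def destination_guard(table: BindingTable, dst: str) -> bool:
    """Resolve (send NS for) a destination only if the binding table knows it."""
    return ipaddress.IPv6Address(dst) in table.bindings


def handle_packet(table: BindingTable, src: str, dst: str, ingress_port: str) -> str:
    """Port with Source Guard and Destination Guard attached: validate the
    source first, then decide whether the destination may be resolved."""
    ok, reason = source_guard(table, src, ingress_port)
    if not ok:
        return f"drop (source guard: {reason})"
    if not destination_guard(table, dst):
        return "drop (destination guard: unknown destination, no NS sent)"
    return "forward"


def ns_messages_sent(table: BindingTable, destinations: list[str], guard: bool) -> int:
    """NS messages a switch would emit for a burst of destinations. Without
    Destination Guard every unknown target costs one NS and a neighbor-cache
    slot; with it, unknown targets are dropped before resolution."""
    unknown = sum(1 for d in destinations if not destination_guard(table, d))
    return 0 if guard else unknown


def sample_table() -> BindingTable:
    """Constructed binding table for one access VLAN."""
    table = BindingTable()
    table.authorize_prefix("2001:db8:1::/64")
    table.learn("2001:db8:1::10", "Gi1/0/1")
    table.learn("2001:db8:1::20", "Gi1/0/2")
    return table
```

The `ns_messages_sent` count is a simplification: real switches also rate-limit NS generation, but the binding-table check is what removes the unknown targets entirely.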

Review Questions

Which two IPv6 security features are recommended for a company with these design requirements? (Choose two.)

  1. A switch or router must deny access to traffic from sources with addresses that are correct, but are topologically incorrect.
  2. Devices must block Neighbor Discovery Protocol resolutions for destination addresses that are not found in the binding table.

  a. IPv6 Source Guard
  b. IPv6 Destination Guard
  c. IPv6 RA Guard
  d. IPv6 Prefix Guard
  e. IPv6 DHCP Guard

a and b. IPv6 Source Guard (a) validates that the source address of a packet is legitimate for the port it arrived on, dropping traffic from addresses that are correct but topologically incorrect. IPv6 Destination Guard (b) prevents the switch from resolving destination addresses not found in the binding table, blocking NDP exhaustion attacks. IPv6 Prefix Guard (d) is also a plausible answer for requirement 1 since it validates at the prefix level, but Source Guard is more precise for per-address topological validation.

Layer 3 Control Plane Security Considerations

The Layer 3 control plane steers traffic toward its intended destination. Any wrong information can lead to traffic black-holing and packet drops. In a network with unprotected routing, anyone can bring it down by flooding prefixes, inserting a rogue router, or redirecting traffic to a black-holing next hop. The following are general rules for Layer 3 control plane security:

  • Secure the control plane against rogue Layer 3 peers by authenticating routing sessions. This is strongly recommended when peering with an external routing domain.
  • Limit the maximum number of routes accepted by a node to prevent memory exhaustion and CPU overload. This is common in MPLS L3VPN SP design, where PE nodes limit the maximum number of prefixes per VRF/VPN.
  • Accept only the routes that are expected to be received. ISPs, for example, will only permit the PA or PI address space the customer has agreed to advertise with the agreed subnet length, sometimes combined with uRPF checks.
  • Advanced BGP techniques such as QoS policy propagation with BGP (QPPB) and remote black-holing trigger can be used in SP-style networks to offer a more dynamic, flexible, and secure control plane design.
  • QoS can guarantee a minimum amount of bandwidth during congestion, ensuring routing sessions are not torn down, and can limit bandwidth to a predefined maximum to protect against DoS attacks from rogue routers. This should ideally be applied across the entire routing domain.
  • CoPP should be considered on every network node to reduce the impact of control plane flooding and protect network nodes from CPU spikes.

Note

Although CoPP uses the modular QoS CLI (MQC), QoS provides network-wide per-hop treatment for Layer 3 control plane traffic flows, whereas CoPP is focused only at the device level. Marking down the DSCP value of out-of-profile packets can impact how those packets are treated by other nodes across the network.
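The traffic classification of Figure 2 and Table 1 and the per-class CPU protection that CoPP applies to it, as an added example that is not code from the page or any vendor: punted packets are sorted into planes and each class gets its own token-bucket policer, so a flood of TTL-expired transit packets is throttled while BGP keepalives still reach the CPU. Addresses, ports, rates, and the traffic mix are constructed sample values.

```python
"""Classify what a router sees (Figure 2 / Table 1) and police what is punted
to the CPU the way CoPP does.

Added example, not code from the page or any vendor. Addresses, ports, rates
and the traffic mix are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ethertype: str          # "ipv4", or a non-IP type such as "mpls", "clnp"
    dst: str = ""           # destination IPv4 address
    ttl: int = 64
    options: bool = False   # IP options present
    proto: str = ""         # "tcp", "udp", "ospf", ...
    dport: int = 0


# The router's own interface addresses (constructed).
LOCAL_ADDRESSES = frozenset({"192.0.2.1", "198.51.100.1"})


def traffic_type(pkt: Packet, local_addrs: frozenset) -> str:
    """Figure 2 categories: non-ip, receive, exception or transit."""
    if pkt.ethertype != "ipv4":
        return "non-ip"
    if pkt.dst in local_addrs:
        return "receive"            # destined to the node itself
    if pkt.ttl <= 1 or pkt.options:
        return "exception"          # transit packet the CPU must handle
    return "transit"


def copp_class(pkt: Packet, ttype: str) -> str:
    """Map to the plane (Table 1) that CoPP polices; transit is data plane."""
    if ttype == "transit":
        return "data"
    if ttype == "receive":
        if (pkt.proto, pkt.dport) in {("tcp", 22), ("tcp", 23), ("udp", 161)}:
            return "management"     # SSH, Telnet, SNMP
        if pkt.proto == "ospf" or (pkt.proto, pkt.dport) == ("tcp", 179):
            return "control"        # routing protocols
        return "receive-other"
    return ttype                    # "exception" or "non-ip"


class Policer:
    """Single-rate token bucket in integer millitokens, so results are exact."""

    def __init__(self, rate_pps: int, burst_packets: int):
        self.rate = rate_pps
        self.depth = burst_packets * 1000
        self.tokens = self.depth
        self.last_ms = 0

    def conform(self, now_ms: int) -> bool:
        self.tokens = min(self.depth, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def sample_policy() -> dict[str, Policer]:
    """Per-class CPU budget; tightest for traffic that should never be high volume."""
    return {
        "control": Policer(500, 100),
        "management": Policer(100, 20),
        "exception": Policer(100, 50),
        "non-ip": Policer(200, 50),
        "receive-other": Policer(50, 10),
    }


def run_copp(traffic, local_addrs: frozenset, policy: dict[str, Policer]) -> dict:
    """traffic: iterable of (time_ms, Packet) in time order.
    Returns per-class counters of forwarded / punted / dropped packets."""
    stats: dict[str, dict[str, int]] = {}
    for now_ms, pkt in traffic:
        cls = copp_class(pkt, traffic_type(pkt, local_addrs))
        counters = stats.setdefault(cls, {"forwarded": 0, "punted": 0, "dropped": 0})
        if cls == "data":
            counters["forwarded"] += 1      # hardware forwarding, never reaches the CPU
        elif policy[cls].conform(now_ms):
            counters["punted"] += 1
        else:
            counters["dropped"] += 1
    return stats


def sample_traffic() -> list:
    """One second of constructed traffic: a TTL-expired flood aimed at the CPU,
    a few BGP keepalives, an SSH session and ordinary transit packets."""
    events = []
    events += [(i, Packet("ipv4", dst="203.0.113.9", ttl=1)) for i in range(1000)]
    events += [(t, Packet("ipv4", dst="192.0.2.1", proto="tcp", dport=179)) for t in range(0, 1000, 200)]
    events += [(t, Packet("ipv4", dst="192.0.2.1", proto="tcp", dport=22)) for t in (10, 20, 30)]
    events += [(t, Packet("ipv4", dst="203.0.113.9")) for t in range(0, 1000, 100)]
    return sorted(events, key=lambda e: e[0])
```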

Remote-Access and Network Overlays (VPN) Security Considerations

The most common and proven mechanism for providing secure remote access over the public Internet is the overlaid virtual private network (VPN). One common misconception is that VPN is always synonymous with IPsec. In fact, IPsec offers cryptography at the network layer, whereas VPN can take different forms such as MPLS L3VPN, MPLS L2VPN, SSL VPN, and DMVPN. Secured VPN with IPsec is the most common and proven combination used to protect the various types of VPN solutions.

Table 2: Overlay VPN Solutions Comparison

Characteristic | IPsec | GRE | DMVPN | Remote Access (Client Based)
Standard | Yes | Yes | No (Cisco proprietary) | Yes
Overlay transport | P2P IPsec tunnel | P2P GRE tunnel | mGRE tunnel | P2P IPsec
Protection model | Peer to peer with IPsec | Peer to peer | Peer to peer with IPsec | Peer to peer with IPsec
Dynamic routing | Tunneled | Standard IP WAN | Tunneled | Tunneled
Supports NATing | Yes | Yes, with IPsec | Yes, with IPsec | Yes
Offers protected VPN over public Internet | Yes | Yes, with IPsec | Yes, with IPsec | Yes*
Requires additional network equipment | No | No | No | No

* This VPN is commonly used to provide connectivity over the Internet.

Figure 4 illustrates the packet overhead introduced by each VPN encapsulation type.

Header stacks shown in Figure 4, from the original packet outward:

  • IP packet: IP HDR | IP Payload
  • GRE: GRE IP HDR | GRE | IP HDR | IP Payload
  • IPsec transport mode: IP HDR | ESP HDR | IP Payload | ESP TLR | ESP Auth
  • IPsec tunnel mode: New IP HDR | ESP HDR | IP HDR | IP Payload | ESP TLR | ESP Auth
  • GRE + IPsec transport mode: GRE IP HDR | ESP HDR | GRE | IP HDR | IP Payload | ESP TLR | ESP Auth
  • GRE + IPsec tunnel mode: New IP HDR | ESP HDR | GRE IP HDR | GRE | IP HDR | IP Payload | ESP TLR | ESP Auth
Figure 4: IP Packet Overhead with VPN Solutions

One main consideration with regard to an enterprise VPN is whether to enable it across the enterprise WAN. The typical answer depends on business requirements, security policy, and functional requirements. A network designer must consider the impact on business-critical applications due to increased packet overhead from VPN tunneling, especially when combined with IPsec. Security devices in the path, such as firewalls running NAT, add a layer of design and operational complexity.
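The overhead of Figure 4 worked out in bytes, as an added example that is not code from the page: it builds each header stack, computes the bytes added to an original packet, and searches for the largest original packet that still fits a 1500-byte path MTU without fragmentation. Header sizes are assumptions (IPv4 without options, GRE without optional fields, ESP with AES-CBC and HMAC-SHA1-96).

```python
"""Packet overhead of the encapsulations in Figure 4 and the largest original
packet that still fits a path MTU.

Added example, not code from the page. Header sizes are assumptions: IPv4
without options, GRE without key/sequence/checksum, ESP with AES-CBC
(16-byte IV, padding to a 16-byte block) and HMAC-SHA1-96 (12-byte ICV).
"""
from __future__ import annotations

IP_HDR = 20       # IPv4 header, no options
GRE_HDR = 4       # GRE, no optional fields
ESP_HDR = 8       # SPI + sequence number
ESP_IV = 16       # AES-CBC initialization vector
AES_BLOCK = 16
ESP_ICV = 12      # HMAC-SHA1-96 integrity check value


def esp_trailer(plaintext_len: int) -> int:
    """Padding to the cipher block plus the Pad Length and Next Header bytes."""
    pad = (-(plaintext_len + 2)) % AES_BLOCK
    return pad + 2


def encapsulate(inner_len: int, gre: bool = False, ipsec: str | None = None) -> list[tuple[str, int]]:
    """On-wire header stack, in the order drawn in Figure 4.
    inner_len is the original IP packet including its own 20-byte header;
    ipsec is None, "transport" or "tunnel"."""
    stack = [("IP HDR", IP_HDR), ("IP Payload", inner_len - IP_HDR)]
    if gre:
        stack = [("GRE IP HDR", IP_HDR), ("GRE", GRE_HDR)] + stack
    if ipsec is None:
        return stack
    if ipsec == "transport":
        # the existing outer header is kept; everything after it is ESP plaintext
        outer, body = stack[0], stack[1:]
        plain = sum(size for _, size in body)
        return [outer, ("ESP HDR", ESP_HDR), ("ESP IV", ESP_IV)] + body + [
            ("ESP TLR", esp_trailer(plain)), ("ESP Auth", ESP_ICV)]
    if ipsec == "tunnel":
        # the whole packet, outer header included, becomes ESP plaintext
        plain = sum(size for _, size in stack)
        return [("New IP HDR", IP_HDR), ("ESP HDR", ESP_HDR), ("ESP IV", ESP_IV)] + stack + [
            ("ESP TLR", esp_trailer(plain)), ("ESP Auth", ESP_ICV)]
    raise ValueError(f"unknown IPsec mode {ipsec!r}")


def wire_length(stack: list[tuple[str, int]]) -> int:
    return sum(size for _, size in stack)


def overhead(inner_len: int, gre: bool = False, ipsec: str | None = None) -> int:
    """Bytes added on the wire for one original packet of inner_len bytes."""
    return wire_length(encapsulate(inner_len, gre, ipsec)) - inner_len


def max_inner_packet(path_mtu: int, gre: bool = False, ipsec: str | None = None) -> int:
    """Largest original IP packet that crosses the path without fragmentation.
    Searched rather than subtracted, because ESP padding makes the overhead
    vary with the packet size."""
    for inner in range(path_mtu, IP_HDR, -1):
        if wire_length(encapsulate(inner, gre, ipsec)) <= path_mtu:
            return inner
    raise ValueError("path MTU too small for any packet")


if __name__ == "__main__":
    for gre, mode in [(False, None), (True, None), (False, "transport"), (False, "tunnel"),
                      (True, "transport"), (True, "tunnel")]:
        label = ("GRE + " if gre else "") + (f"IPsec {mode}" if mode else "plain")
        print(f"{label:22} overhead {overhead(1420, gre, mode):3} B,"
              f" max inner packet at 1500 B MTU: {max_inner_packet(1500, gre, mode)}")
```

The ESP IV is listed separately here; Figure 4 folds it into the ESP header. The `max_inner_packet` value is what an MSS clamp or tunnel MTU setting would be derived from.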

Introducing a VPN across the WAN can also increase design and operational complexity in scenarios where dual WAN connectivity is required. In these cases, routing redundancy design moves from the typical IGP or BGP to IPsec redundancy.

IPsec packet payloads can be encrypted, and IPsec receivers can authenticate packet origins. Internet Key Exchange (IKE) and Public Key Infrastructure (PKI) can also be used with IPsec. IKE is the protocol used to set up a security association (SA) with IPsec. PKI is an arrangement that provides for third-party verification of identities.

The decision of whether to enable secure IP communications across the WAN is almost always based on the business type, priorities, and impact on the overall network and application performance, in addition to operational complexity.

Wireless Security Considerations

Wireless security has evolved over the years, starting with Wired Equivalent Privacy (WEP), which was quickly identified as highly vulnerable and replaced by Wi-Fi Protected Access (WPA). WPA2 was created as the new wireless security standard in 2004, with the most impactful change being the implementation of the Advanced Encryption Standard (AES). WPA3 was subsequently created, providing the same level of authentication as WPA2 but with increased cryptographic strength for highly sensitive use cases.

Table 3: Wireless Security Comparison

Feature | WEP | WPA | WPA2 | WPA3
Encryption | RC4 | TKIP with RC4 | CCMP and AES | AES
Key size | 40-bit | 128-bit | 128-bit | 128-bit (Personal) / 192-bit (Enterprise)
Cipher method | Stream | Stream | Block | Block
Data integrity | CRC-32 | Message Integrity Code | CBC-MAC | Secure Hash Algorithm (SHA)
Key management | None | 4-way handshake | 4-way handshake | SAE handshake
Client authentication | WEP-Open / WEP-Shared | PSK and 802.1X (EAP variant) | PSK and 802.1X (EAP variant) | SAE and 802.1X (EAP variant)

WPA3 is the best option from both a security and performance standpoint. At the time of writing, not all wireless devices support WPA3, in which case WPA2 is the preferred option.

Review Questions

1. Which of the following planes is responsible for controlling the fast-forwarding of traffic passing through a network device?

  a. Management plane
  b. Control plane
  c. Data plane

c. The data plane is responsible for controlling fast-forwarding of traffic passing through a network device.


2. Which of the following planes is like the brain of the network device and usually controls and handles path selection functions?

  a. Management plane
  b. Control plane
  c. Data plane

b. The control plane is like the brain of the network node and usually controls and handles path selection functions.


3. Which of the following planes focuses on how a device is accessed and monitored?

  a. Management plane
  b. Control plane
  c. Data plane

a. The management plane is the plane that is focused on the management traffic of the device, such as device access, configuration troubleshooting, and monitoring.


4. For which type of traffic does a network device make a typical routing and forwarding decision regarding whether to send the traffic over its interfaces to directly attached nodes?

  a. Non-IP traffic
  b. Receive IP traffic
  c. Transit IP traffic
  d. Exception IP traffic

c. Transit IP traffic is traffic for which a network device makes a typical routing and forwarding decision regarding whether to send the traffic over its interfaces to directly attached nodes.


5. Which of the following types of traffic carries nonstandard attributes, such as a transit IP packet with an expired TTL?

  a. Non-IP traffic
  b. Receive IP traffic
  c. Transit IP traffic
  d. Exception IP traffic

d. Exception IP traffic is any IP traffic carrying a nonstandard “exception” attribute, such as a transit IP packet with an expired TTL.


6. Which of the following types of traffic is traffic destined to the network node itself?

  a. Non-IP traffic
  b. Receive IP traffic
  c. Transit IP traffic
  d. Exception IP traffic

b. Receive IP traffic is traffic destined to the network node itself, such as toward a router’s IP address, and requires CPU processing.


7. Which of the following types of traffic would MPLS and CLNP be categorized into?

  a. Non-IP traffic
  b. Receive IP traffic
  c. Transit IP traffic
  d. Exception IP traffic

a. Non-IP traffic is typically related to non-IP packets and almost always is not forwarded, such as MPLS, IS-IS (CLNP), and Layer 2 keepalives.


8. Which type of attack would a web application firewall (WAF) mitigate?

  a. Network direct access
  b. Layer 2 attack
  c. Network DoS attack
  d. Application targeted attack

d. Application targeted attacks are mitigated by web proxy/filtering, e-mail proxy/filtering, and a web application firewall (WAF).


9. Which of the following types of attack would an infrastructure ACL (iACL) mitigate? (Choose two.)

  a. Network direct access
  b. Layer 2 attack
  c. Network DoS attack
  d. Application targeted attack

a and b. A network direct access attack is mitigated by a Layer 2 iACL, Layer 3 iACL, and a firewall. Layer 2 attacks are mitigated by iACL, CoPP, and system and topological redundancy.


10. Which type of attack would remotely triggered black hole (RTBH) mitigate?

  a. Network direct access
  b. Layer 2 attack
  c. Network DoS attack
  d. Application targeted attack

c. A network DoS attack is mitigated by Layer 3 and Layer 2 network and device security considerations, remotely triggered black hole (RTBH), and anomaly-based IDS/IPS.

Perimeter Security and Intrusion Prevention

A firewall is primarily intended to perform security functions such as packet filtering, inspection, and VPN termination. Although almost all firewalls nowadays support static and dynamic routing, the nature of these devices almost always impacts the network design. The following are the primary and most common influencing factors that network designers must consider whenever there is a firewall in the network path:

  • Stateful versus stateless firewall: Stateless firewalls deal with traffic in a static manner, monitoring and filtering based on static information such as IP source, IP destination, or port numbers. Every single traffic flow needs to be included in both directions as part of the firewall entry rules, and they are not friendly with applications that automatically negotiate ports (such as RTP). Stateful firewalls offer traffic monitoring and filtering that is more aware of traffic flows, overcoming the limitations of stateless firewalls for applications requiring dynamic port negotiation such as FTP, VoIP, and video RTP media streams. The benefit of stateless firewalls is that they provide a high level of scalability and can easily support asymmetric routing designs.
  • Stateful versus stateless firewall failover: With stateless failover, the state table is not replicated to the standby peer firewall, meaning all active connections must be reinitiated after a failover. Stateful failover replicates the state table between active and standby firewalls to avoid reinitiation of active sessions following a failover event. The decision should be driven by design and application requirements.
  • Routed versus transparent firewall modes: Firewalls can operate as a Layer 3 or Layer 2 node. Introducing a Layer 3 node into a routed network requires changes to IP addressing and considerations about whether the firewall supports dynamic routing. Firewalls operating in Layer 2 (transparent mode) can be inserted transparently into the routing domain with no change required to existing routing, IP addressing, or host default gateways. However, transparent mode firewalls often lose some functions such as VPN termination, though this is vendor- and device model–dependent.
  • Virtualization: With the adoption of hypervisors, virtual firewall appliances can be deployed within a hypervisor to protect the virtualization environment against east-west (lateral) threat propagation. These virtual firewalls can provide NAT, isolation, application inspection, policy-based routing, TLS inspection, and many more security capabilities within application-specific traffic zones.

Note

Hypervisors have taken virtualized firewall appliances a step further; instead of leveraging a dedicated virtual firewall, the hypervisor has this functionality built-in, allowing security capabilities to be instantiated at any location, at any layer, and at any virtual machine within the hypervisor’s management control.

Table 4: Common Network Attacks and Mitigation Mechanisms

Attack/Risk | Layer | Mitigation
Application-targeted attacks | Application | Web proxy/filtering, e-mail proxy/filtering, web application firewall (WAF)
Identity spoofing, unauthorized access or privilege access | Device/Host | Strong password policy (local passwords, RADIUS, TACACS+, OTP, PKI), disabling unused services, CoPP for the management plane, management ACLs, OOB management access
Virus/worm/Trojan | Host/Application | IPS, host-based IPS/IDS, AV, web/mail filtering
TCP SYN flood | Network (L4) | Stateful network firewalls, host-based firewalls/IPS, network-based IPS, proxy systems
IP spoofing | Network (L3) | uRPF, stateful FW, signature-based IDS/IPS, L3 cryptography, edge filtering (e.g., filtering out RFC 2827 and RFC 1918 address space at the edge)
Network direct access | Network (L2-L4) | L2 iACL, L3 iACL, firewalls
Routing protocol attacks | Network (L3) | Router neighbor authentication, route filtering, iACL, CoPP, system and topological redundancy
Layer 2 attacks | Network (L2) | iACL, CoPP, system and topological redundancy
Network DoS attack | Network (L2-L3) | L3 and L2 network and device security considerations, remotely triggered black hole (RTBH), anomaly-based IDS/IPS
Man-in-the-middle, sniffer | Different layers | Cryptography on multiple layers, signature-based IDS/IPS

Network Control and Identity Management

Network access control (NAC) is a critical infrastructure service just like DNS, DHCP, and NTP. Without it, user devices and users cannot authenticate to the network and access the resources they need. If NAC is also being leveraged for device administration (RADIUS/TACACS+), administrators lose the ability to make changes to network devices until the NAC systems are back online.

NAC is also referred to as transaction-based or session-based security, as all NAC solutions today provide the capabilities of authentication, authorization, and visibility.

Authentication

The first step in the NAC process is authentication. There are three parts to 802.1X authentication:

  1. Supplicant: A software client running on the end device that passes authentication information to the authentication server.
  2. Authenticator: A network device that the client is connecting to. In a wired deployment, this could be a network switch; in a wireless deployment, this could be the local access point or the wireless controller.
  3. Authentication server: A RADIUS server that contains an authentication database.

Extensible Authentication Protocol (EAP) is the framework used to carry the chosen authentication method between the supplicant and the authentication server; the authenticator forwards EAP without interpreting it. There are a number of different EAP methods:

  • EAP-MD5: Provides base-level EAP support. Not recommended, because the challenge and the MD5 response cross the wire in the clear and a captured pair can be attacked offline with a dictionary to recover the password. Provides only one-way authentication (the supplicant cannot verify the server) and derives no per-session keys, so it cannot be used to key wireless encryption.
  • EAP-TLS: Provides certificate-based, mutual authentication of the client and the network. Relies on client-side and server-side certificates and derives user- and session-based keys. The limitation is operational: certificates must be issued, renewed, and revoked on both the client and server sides.
  • EAP-TTLS: Tunneled TLS. The server authenticates with its certificate and a TLS tunnel is established; the client then authenticates inside the tunnel with a legacy method (PAP, CHAP, MS-CHAPv2) or another EAP type. Only a server-side certificate is required, which makes it easier to deploy than EAP-TLS, but client authentication is only as strong as the password method inside the tunnel.
  • PEAP: Protected Extensible Authentication Protocol also builds a TLS tunnel to a server authenticated by certificate and carries an inner EAP method (most commonly EAP-MSCHAPv2) through it. Like EAP-TTLS, it needs only a server-side certificate. The client must be configured to validate that certificate (issuing CA and server name); a client that accepts any certificate will hand its inner password exchange to a rogue access point.
  • EAP-FAST: Uses a PAC (Protected Access Credential) managed by the authentication server, rather than a certificate, to establish the protected tunnel and achieve mutual authentication. The PAC can be distributed manually or provisioned automatically in-band; automatic provisioning without server authentication exposes the provisioning phase to an on-path attacker, so authenticated provisioning or manual distribution is preferred.
  • LEAP: Lightweight Extensible Authentication Protocol, a Cisco proprietary method, derives dynamic keys and provides mutual authentication, but its MS-CHAP exchanges are not protected by a tunnel and can be dictionary-attacked offline from a capture. That is why Table 5 rates it high only with strong passwords; Cisco recommends EAP-FAST in its place.
Table 5: 802.1X EAP Types Comparison

| | EAP-MD5 | EAP-TLS | EAP-TTLS | PEAP | EAP-FAST | LEAP |
|---|---|---|---|---|---|---|
| Client-side certificate required | No | Yes | No | No | No (PAC) | No |
| Server-side certificate required | No | Yes | Yes | Yes | No (PAC) | No |
| WEP key management | No | Yes | Yes | Yes | Yes | Yes |
| Rogue AP detection | No | No | No | No | Yes | Yes |
| Deployment difficulty | Easy | Difficult (client certificate deployment) | Moderate | Moderate | Moderate | Moderate |
| Security | Poor | Very high | High | High | High | High when strong passwords are used |
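
As an added example (not code from the original text), the following Python models the EAP-MD5 exchange between the three parties described above and then demonstrates the weakness that puts EAP-MD5 at the bottom of Table 5: everything the authenticator relays is in the clear, so a passive observer on the wire recovers the password offline without ever touching the server. The response computation MD5(Identifier || password || challenge) is the one RFC 3748 specifies for the MD5-Challenge type (it is CHAP from RFC 1994); the user, password, challenge bytes and wordlist are constructed for the example.

```python
"""EAP-MD5 challenge/response and the offline attack on a captured exchange.

Added example, not part of the original text. The three 802.1X parties are
modelled in-process: the server issues an EAP-Request/MD5-Challenge, the
supplicant answers, the authenticator only relays (the 'wire' list below is
exactly what it, or a sniffer, sees). Identity exchange and EAPoL/RADIUS
framing are omitted; user, password, challenge and wordlist are constructed.
"""
import hashlib
import os
from dataclasses import dataclass

# EAP Code values (RFC 3748 section 4) and the MD5-Challenge Type.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MD5 = 4


@dataclass
class EapPacket:
    code: int
    identifier: int
    challenge: bytes = b""   # Value field of a Request
    value: bytes = b""       # Value field of a Response


def md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Response Value for EAP-MD5: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def eap_md5_exchange(identity: str, password: bytes, user_db: dict, challenge: bytes = b""):
    """Run one EAP-MD5 authentication; returns (authenticated, wire transcript).

    `password` is what the supplicant has; `user_db` is what the server has.
    Note that nothing in the exchange lets the supplicant verify the server,
    so a rogue authenticator can run this with a challenge of its choosing.
    """
    wire = []
    challenge = challenge or os.urandom(16)
    ident = 1  # EAP Identifier, echoed in the Response

    # Server -> authenticator -> supplicant: EAP-Request/MD5-Challenge
    request = EapPacket(EAP_REQUEST, ident, challenge=challenge)
    wire.append(request)

    # Supplicant -> authenticator -> server: EAP-Response/MD5-Challenge
    response = EapPacket(EAP_RESPONSE, ident, value=md5_response(ident, password, challenge))
    wire.append(response)

    # Server recomputes with its stored copy of the password and compares.
    stored = user_db.get(identity)
    ok = stored is not None and md5_response(ident, stored, challenge) == response.value
    wire.append(EapPacket(EAP_SUCCESS if ok else EAP_FAILURE, ident))
    return ok, wire


def offline_dictionary_attack(wire: list, wordlist: list):
    """Recover the supplicant's password from a sniffed Request/Response pair.

    No interaction with the server is needed: each guess is hashed with the
    captured Identifier and Challenge and compared against the captured Value.
    Works whether or not the server accepted the attempt.
    """
    request = next(p for p in wire if p.code == EAP_REQUEST)
    response = next(p for p in wire if p.code == EAP_RESPONSE)
    for guess in wordlist:
        if md5_response(response.identifier, guess.encode(), request.challenge) == response.value:
            return guess
    return None


if __name__ == "__main__":
    users = {"alice": b"Winter2024!"}                       # constructed server database
    ok, wire = eap_md5_exchange("alice", b"Winter2024!", users)
    print("authenticated:", ok)
    print("recovered from capture:", offline_dictionary_attack(wire, ["password", "Summer2023", "Winter2024!"]))
```

The tunnelled methods (EAP-TLS, EAP-TTLS, PEAP, EAP-FAST) close this hole by running the credential exchange inside TLS to a server the client has first authenticated, so a capture yields ciphertext; that protection disappears for PEAP or EAP-TTLS the moment the client is configured to skip server certificate validation.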

In some situations, there will be devices that do not support 802.1X (older printers, badge readers, building controllers), in which case MAC Authentication Bypass (MAB) can be used. With MAB, the authenticator learns the client's MAC address from its first frame and sends it to the authentication server as the username; the server permits or denies the session based on whether that MAC is on its list. Because a MAC address is trivially read and spoofed, MAB identifies a device but does not authenticate it, so a MAB session should always be fenced in with a restricted VLAN or dACL. It is a weak option, but it may be the only option for devices that have yet to adopt 802.1X support.

Review Questions

11. Which of the following authentication options would be the best design choice if a business wanted the highest level of security?

  a. EAP-MD5
  b. EAP-TLS
  c. LEAP
  d. PEAP + EAP-MSCHAP

b. EAP Transport Layer Security (EAP-TLS) authentication provides certificate-based and mutual authentication of the client and the network. It relies on client-side certificates (identity certificates) and server-side certificates to perform authentication and can be used to dynamically generate user-based and session-based keys to secure future communications. It is the most secure EAP type because of the mutual authentication of the client and network.


12. Which of the following authentication options would be the best design choice if a business wanted the easiest deployment?

  a. EAP-MD5
  b. EAP-TLS
  c. LEAP
  d. PEAP + EAP-MSCHAP

a. EAP Message Digest Challenge (EAP-MD5) authentication provides a base level of EAP support and typically is not recommended for implementation because it may allow the user’s password to be derived. However, it is the easiest of the EAP types to deploy because there is no requirement for certificate management on either the client or server sides.

Authorization

Once a device or user has completed authentication, authorization determines what that device or user should have access to. The following are some of the most common authorization policies:

  • Downloadable ACL (dACL): Most NAC deployments can push a preconfigured ACL to the switchport on a switch, and in some cases to the specific client session on a switchport that has multiple active sessions concurrently. In the network printer use case, the printer’s session can have a dACL applied that only allows the printer to access the print server subnet.
  • VLAN override: Some deployments preconfigure a dead VLAN (such as VLAN 666) as the default access VLAN on all switchports with either limited or no access to anything on the network other than what is required to authenticate. Once a client has properly authenticated, the NAC solution can dynamically override the preconfigured VLAN to one that has the authorized access the session requires.
  • Voice domain: When authenticating and authorizing VoIP phones via a NAC solution, the voice domain option can be leveraged. Once a VoIP phone has been properly authenticated via 802.1X or MAB, the NAC solution can assign it to the voice domain configured on the switch.

From a network design perspective, how a resource is authenticated can be an important characteristic leveraged in the authorization process. For example, a NAC deployment where all business-owned and managed devices are authenticated via EAP-TLS can be easily distinguished from BYOD devices using PEAP-MSCHAPv2. This allows the design to provide full network access to business-owned devices while limiting BYOD devices to Internet-only or limited subnet access, meeting business outcomes while ensuring proper authentication and authorization of all devices.
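
The authorization policy just described, as an added example that is not code from the original text or from any NAC product: the authentication method is an input to the decision, and the output is the set of RADIUS attributes the Access-Accept carries back to the switch. The VLAN override uses the RFC 2868 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes, the dACL and voice domain use Cisco's documented `ip:inacl#N=<ace>` and `device-traffic-class=voice` av-pairs; the VLAN numbers, subnets and the MAB allow-list are constructed.

```python
"""Authorization keyed on how the session authenticated.

Added example, not part of the original text and not any NAC server's code.
Returns the RADIUS attributes an Access-Accept would carry for each case the
text describes: corporate EAP-TLS, BYOD PEAP-MSCHAPv2, and MAB for a printer
and an IP phone. Attribute names are the RFC 2868 tunnel attributes and the
Cisco av-pairs; VLAN IDs, subnets and the MAB list are constructed.
"""
from dataclasses import dataclass

TUNNEL_TYPE_VLAN = 13     # RFC 2868 Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6     # RFC 2868 Tunnel-Medium-Type value "IEEE-802"

# Constructed MAB allow-list, keyed by normalised MAC (hex digits only).
MAB_DEVICES = {
    "001122334455": "printer",
    "aabbccddee01": "ip-phone",
}

CORP_VLAN, BYOD_VLAN, PRINTER_VLAN = 100, 200, 300    # constructed
PRINT_SERVER_SUBNET = "10.1.50.0 0.0.0.255"          # constructed, IOS wildcard mask
INTERNAL_SPACE = "10.0.0.0 0.255.255.255"            # constructed corporate range


@dataclass
class Session:
    identity: str   # EAP identity, or the client MAC for MAB
    method: str     # "EAP-TLS", "PEAP-MSCHAPv2" or "MAB"


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def vlan_override(vlan: int) -> dict:
    """RFC 2868 attributes the switch reads as a dynamic VLAN assignment."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
        "Tunnel-Private-Group-ID": str(vlan),
    }


def dacl(aces: list) -> dict:
    """Cisco downloadable ACL: one ip:inacl#N av-pair per ACE, N keeps the order."""
    return {"cisco-av-pair": [f"ip:inacl#{10 * (n + 1)}={ace}" for n, ace in enumerate(aces)]}


def authorize(s: Session) -> tuple:
    """Return (RADIUS packet type, attributes) for a session that passed authentication.

    The same person gets less access when proven by password than by certificate;
    a MAB accept is always fenced in because the MAC is spoofable.
    """
    if s.method == "EAP-TLS":
        # Managed device with a corporate certificate: full access.
        return "Access-Accept", vlan_override(CORP_VLAN)
    if s.method == "PEAP-MSCHAPv2":
        # BYOD, password only: Internet-only via a dACL that blocks internal space.
        attrs = vlan_override(BYOD_VLAN)
        attrs.update(dacl([f"deny ip any {INTERNAL_SPACE}", "permit ip any any"]))
        return "Access-Accept", attrs
    if s.method == "MAB":
        kind = MAB_DEVICES.get(normalize_mac(s.identity))
        if kind == "ip-phone":
            # Voice domain: the switch places the phone on its voice VLAN.
            return "Access-Accept", {"cisco-av-pair": ["device-traffic-class=voice"]}
        if kind == "printer":
            attrs = vlan_override(PRINTER_VLAN)
            attrs.update(dacl([f"permit ip any {PRINT_SERVER_SUBNET}", "deny ip any any"]))
            return "Access-Accept", attrs
    return "Access-Reject", {}


if __name__ == "__main__":
    for sess in (Session("laptop01.corp.example", "EAP-TLS"),
                 Session("bob", "PEAP-MSCHAPv2"),
                 Session("00:11:22:33:44:55", "MAB"),
                 Session("de:ad:be:ef:00:01", "MAB")):
        print(sess, "->", authorize(sess))
```

Two details carry over to a real deployment: the source of every dACL entry is `any` because the switch substitutes the session's own address, and the voice av-pair only has an effect on a port configured with a voice VLAN and a host mode that admits a voice domain.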

Visibility

When a NAC solution is properly designed and deployed, the business gains visibility into which devices, users, and resources are on the network, when and from where they connect, how they authenticate, and what is being denied. For example, without a NAC solution a corporate office might unknowingly let a gaming console join its network and consume all available bandwidth. With a NAC solution that device can be denied from the start, or, in a higher-education environment, allowed but with bandwidth limits applied.

Another good example is unmanaged third-party switches and hubs. In a corporate environment these can be plugged in under a desk without anyone noticing unless port security is deployed, which carries a large management overhead. With a properly leveraged NAC solution, the second MAC address appearing behind a port that expects a single host is a violation, so these devices can be denied access right from the start and the event is recorded centrally.

The inventory a NAC deployment builds is the foundation for real-time visibility into what is connected to the network and what it is doing.
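
As an added example (not code from the original text or any NAC product), the following Python applies the visibility described above to a constructed export of NAC session events: it builds the per-MAC inventory (where, when, how authenticated) and flags ports where more MAC addresses appeared than the port's host mode admits, which is how an unmanaged hub or switch shows up. The export format, switch and port names, MACs and the per-port host-mode table are constructed; the host-mode semantics (single-host admits one MAC, multi-domain one data plus one voice MAC, multi-auth any number each authenticated separately) follow the Cisco IOS `authentication host-mode` options.

```python
"""Inventory and hub detection from NAC session events.

Added example, not part of the original text. Everything below is constructed
for the example: the session export, the switches, ports and MACs, and the
per-port host-mode table. Single-host mode is simplified to "one MAC total".
"""
from collections import defaultdict

# Constructed session export, one event per line: time|event|switch|port|MAC|method|domain
SESSION_EXPORT = """\
2026-04-23T08:00:01Z|Start|sw-floor2|Gi1/0/7|00:11:22:33:44:55|EAP-TLS|data
2026-04-23T08:00:09Z|Start|sw-floor2|Gi1/0/7|00:11:22:33:44:56|PEAP-MSCHAPv2|data
2026-04-23T08:00:12Z|Start|sw-floor2|Gi1/0/7|00:11:22:33:44:57|MAB|data
2026-04-23T08:01:00Z|Start|sw-floor2|Gi1/0/8|aa:bb:cc:dd:ee:01|MAB|voice
2026-04-23T08:01:04Z|Start|sw-floor2|Gi1/0/8|00:11:22:33:44:60|EAP-TLS|data
2026-04-23T08:02:00Z|Start|sw-lab1|Gi1/0/1|00:11:22:33:44:70|PEAP-MSCHAPv2|data
2026-04-23T08:02:01Z|Start|sw-lab1|Gi1/0/1|00:11:22:33:44:71|PEAP-MSCHAPv2|data
2026-04-23T08:02:02Z|Start|sw-lab1|Gi1/0/1|00:11:22:33:44:72|PEAP-MSCHAPv2|data
2026-04-23T08:30:00Z|Stop|sw-floor2|Gi1/0/7|00:11:22:33:44:57|MAB|data
"""

# Constructed per-port configuration: what each switchport is set to admit.
PORT_HOST_MODE = {
    ("sw-floor2", "Gi1/0/7"): "single-host",
    ("sw-floor2", "Gi1/0/8"): "multi-domain",
    ("sw-lab1", "Gi1/0/1"): "multi-auth",
}

FIELDS = ("time", "event", "switch", "port", "mac", "method", "domain")


def parse_sessions(export: str) -> list:
    """Split the export into one dict per event; blank lines are skipped."""
    return [dict(zip(FIELDS, line.split("|"))) for line in export.splitlines() if line.strip()]


def inventory(rows: list) -> dict:
    """MAC -> first place and method it was seen with (Start events only)."""
    seen = {}
    for r in rows:
        if r["event"] == "Start":
            seen.setdefault(r["mac"], {"switch": r["switch"], "port": r["port"],
                                       "method": r["method"], "domain": r["domain"],
                                       "first_seen": r["time"]})
    return seen


def macs_per_port(rows: list) -> dict:
    """(switch, port) -> {domain -> set of MACs} that started a session there."""
    per_port = defaultdict(lambda: defaultdict(set))
    for r in rows:
        if r["event"] == "Start":
            per_port[(r["switch"], r["port"])][r["domain"]].add(r["mac"])
    return per_port


def violates(mode: str, by_domain: dict) -> bool:
    """True when the MACs seen exceed what the host mode admits."""
    data = len(by_domain.get("data", ()))
    voice = len(by_domain.get("voice", ()))
    if mode == "single-host":
        return data + voice > 1            # simplified: one MAC of any kind
    if mode == "multi-domain":
        return data > 1 or voice > 1       # one data device plus one phone
    return False                           # multi-auth: every MAC authenticates on its own


def hub_suspects(rows: list, host_modes: dict = PORT_HOST_MODE) -> list:
    """Ports where more MACs appeared than configured, with the MACs involved.

    On the switch the extra MAC is a security violation handled on the port;
    here the same rule is applied centrally so the event and the offending
    MAC list are visible in one place. Unknown ports are treated as single-host.
    """
    flagged = []
    for key, by_domain in sorted(macs_per_port(rows).items()):
        mode = host_modes.get(key, "single-host")
        if violates(mode, by_domain):
            all_macs = sorted(set().union(*by_domain.values()))
            flagged.append({"switch": key[0], "port": key[1], "host_mode": mode, "macs": all_macs})
    return flagged


if __name__ == "__main__":
    rows = parse_sessions(SESSION_EXPORT)
    for mac, where in inventory(rows).items():
        print(mac, where)
    for f in hub_suspects(rows):
        print("hub/unmanaged switch suspected on", f["switch"], f["port"], "MACs:", f["macs"])
```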

Summary

Security and network design are tightly interwoven. Every security-focused network design decision has its trade-offs: security can be taken too far, making the network unusable, or not far enough, leaving vulnerabilities wide open. There has to be a middle ground where the network and the data on top of it are properly secured to maintain confidentiality, integrity, and availability while not limiting the ability of the business and its users to complete their approved functions.

The topics covered in this chapter focused primarily on infrastructure- and device-level security. If a device hasn’t been properly hardened, it is much easier to compromise. The simple task of removing or disabling all services, protocols, and functions that are not being utilized can save the entire network from a catastrophic outage. Leveraging different security-focused protocols to secure not only the device but also the Layer 2 and Layer 3 control planes limits the overall attack surface of the infrastructure.

Having purpose-built security devices that provide specific security capabilities such as firewall, IDS, and NAC helps secure not only what is being connected to the LAN but also what is being allowed into the perimeter of the network. Knowing the role a NAC solution plays — that it is an infrastructure service like DNS, DHCP, and NTP — allows a network designer to ensure it is properly designed and the network it supports is properly designed for it.
