Maintaining Security in the Network Control Plane
Over at TechTarget, Joel Snyder writes about configuring access control lists on your routers to maintain security in the network control plane.
Do you have SNMP enabled on edge devices? Fine… so long as you also have an access list saying that those SNMP packets can only come from your management station. Is the management interface, whether HTTP, HTTPS, SSH or (heaven forbid) Telnet running?
Fine … so long as no one outside our network can ever get there.
We call this the “control plane” or “management plane.” Think of it as a different network that runs in parallel to your data network, and is used to control, monitor and manage the data network. In huge networks, there is a true network control plane that is completely separate from the data that the device sees. But in many smaller networks, control plane, management plane, and data plane run on the same wire.
You can, and should, secure your network control plane in many ways, but they mostly come down to two techniques: access control lists and self-protection.
ACCESS CONTROL LISTS MANAGE TRAFFIC TO EDGE DEVICES
Access control list protections usually occur when you put a block of some sort in non-firewall devices at the edge and core of your network. A good example is SNMP. Let’s say you have an SNMP management station at 10.20.30.161. That represents the one valid flow to and from that management station to network and security devices. Now, any other SNMP traffic floating around on your network, or coming in from the edge, should be blocked. If you have intermediate routers in your network, and certainly if you have firewalls, you should use them to block SNMP traffic — and any other management traffic — to your security and network devices, except from authorized sources.
Good advice, and an excellent example of best practices for securing your network infrastructure. To ensure that your network infrastructure remains secure, you will want to configure and enforce access control restrictions like these on all of your non-firewall devices. Furthermore, you will want to routinely audit the network devices to ensure that they continue to follow these best practices. When changes are made to a device’s access control lists, you will want to be notified when changes cause the device to fail to meet these practices.
Of course, auditing all of the devices in your network infrastructure can be a huge job. The attention to detail required to make sure you get it right and don’t miss something takes a lot of time. It’s difficult to perform the audits frequently enough to be effective without tools and automation to facilitate the process. Fortunately, the security checks in Athena FirePAC provide a perfect vehicle for implementing these kinds of network best practices.
For example, FirePAC provides a standard security checks for SNMP that can be customized to ensure that the device policy allows SNMP messages from only the management station and to flag the check if any the policy allows any other source. FirePAC provides other standard checks for various management protocols that can be similarly customized to check for restrictions to allow only access from the management station. These kinds of customizations to the standard security checks in FirePAC will help you tailor the Security Audit report to your organization’s network policy and simplify the task of ensuring the security of your network.