Customer Reviews

Router Security Strategies: Securing IP Network Traffic Planes

5 star:		(4)
4 star:		(1)
3 star:		(0)
2 star:		(0)
1 star:		(0)

 

 

Router Security Strategies (RSS) is the sort of Cisco security book I like to read. Some of you were surprised by my three star review of another recent Cisco security book -- LAN Switch Security (LSS). I suggest the authors of that book take a look at RSS as a model for writing a second edition of LSS. RSS is well-organized, very clear, and backed by plenty of actionable command syntax. Were it not for a tendency to unnecessarily repeat and summarize material, I would have rated RSS five stars. Nevertheless, anyone operating Cisco routers would do well to consider how RSS approaches the network security problem.

RSS focuses on ways to protect transit, receive, and exception IP traffic in the data, control, management, and service planes of Enterprise and Service Provider (SP) networks. That one sentence almost summarizes the entire table of contents, where Chs 4-7 cover the four planes, Chs 8 and 9 provide case studies for Enterprise and SP networks, respectively, and Chs 1-3 provide introductory and conceptual material. This is how to write a technical book! Tangential material appears in four appendices, and the authors keep the reader on track through the entire text.

RSS makes a compelling case for network security in a world where applications and Web 2.0 are all the rage. I believe many people who scoff at network security have no real idea of the complexities inherent in modern network infrastructure. Too many application-centric people take it for granted that they can reach whatever Web victim they're attacking; perhaps that is a credit to network engineers who've made their creations just work and not be the center of attention. Should attackers decide to focus on network infrastructure, RSS provides plenty of techniques for defending routers and even some switches. I enjoyed learning more about several uRPF techniques, Flexible Pattern Matching (FPM), Selective Packet Discard, Receive ACLS, Control Plane Policing, Dynamic APR Inspection (DAI), and CLI Views. Many of these methods exist to protect the network itself, not necessarily the endpoints. While the authors do mention a desire to protect hosts, I liked seeing such a focus on defending infrastructure. Perhaps "network security" should be a term transitioned to solely mean protecting network platforms?

I thought Appendix B would be the standard catalog of TCP/IP header diagrams, but I was pleasantly described to see a different approach. App B did depict IP, TCP, UDP, ICMP, IEEE 802.3, and 802.1Q headers, but the authors provide a security implication for each field in these headers. I found that to be original and informative.

I subtracted one star for two aspects of the book which bothered me. First, the authors tend to use the term "threat" in a manner which is not consistent with real threat terminology. For example, p 87 speaks of "the potential threat and impact of a given vulnerability". Threat, impact, and vulnerability are all separate concepts. Ch 2, where such terminology appears, is titled "Threat Models for IP Networks." If you read the chapter it is a catalog of attacks, which sections titled "Resource Exhaustion Attacks", "Spoofing Attacks", and so on. Clearly Ch 2 is "Attack Models for IP Networks".

Second, although the material in RSS is excellent, the authors' tendency to repeat concepts wore me down. It's usually acceptable to begin a section by referencing and/or rephrasing material from an earlier chapter, or at worst farther back in the same chapter. It's simply annoying to be told the same material that appeared in the last paragraph. Any time the reader encounters "as stated in the last section" or similar, the authors should reconsider discussing the concept again. Edits like these wouldn't necessarily shrink the book that much, but the text would not treat the reader as if he or she has too short an attention span to remember what he or she just read.

Despite those two concerns, I still very much enjoyed reading RSS. You will probably get more out of the book if you have MPLS experience, but the authors provide plenty of background anyway. One of the best aspects of RSS is the presentation of extensive IOS syntax for all of the major concepts in the book. The authors do not talk about a technique and then leave it as an exercise for the reader to determine how that idea should be implemented in IOS. Those trying to protect data, control, management, and service IP traffic will be well-served by reading RSS.

That's just yet another great title from Cisco Press!. This book does a great job of logically dividing the overall router security into each logical context by way of describing the router's planes. I also found very elaborate and diverse "Further Reading" towards the end of each chapter very useful. I particularly liked the idea of overall structure and quality of contents in the book which relate to both a casual and an advanced reader!

Book is structured into four Parts;

Part I focuses on laying the foundation for the rest of the book. It achieves this purpose by talking about the Enterprise and SP network fundamentals. This also includes day-in-the-life-of-a-packet through various router switching mechanisms. Chapter 2 re-hashes the network security/threat models but does a nice job of dividing it into various aspects of architectures including various IP VPNs scenarios.

For an advanced reader, this should serve as a nice refresher!

Part II introduces you to real meat of router security, i.e., securing the router planes in both IP and MPLS networks. Authors do a good job of describing the details of each component. Chapters in this section contain working details and IOS configuration snippets to enhance the understanding of various concepts discussed. An advanced user will find all the details given here very useful, and prefer read them cover to cover.

Part III walks you through various case studies to further the concepts explained in the prior chapters. I particularly like the idea of covering both Enterprise and SP case studies. It provides use cases, application examples, and best practices guidelines for the key concepts discussed in the whole book

In Part IV, I very much like the idea of not just copying pasting the headers as-is, rather adding the security implications of each and putting them into its context. Cisco IOS to IOS-XR Security transition is also useful although to mostly SP audience.

This book discusses security as in Router planes for both IP and MPLS VPNs Security. A few times you can notice that authors are repeating themselves.

Overall, I strongly recommend this book to all network security engineers as MPLS (due to its inherent advantages and applications) is gaining momentum not only in the service provider space but also in the enterprise market segment.

Router Security Strategies is a book about protecting ip networks by dividing them into different segments. Network engineers for service providers and larger enterprise networks will benefit most from this manual.

Chapters 1 through 7 are not a cookbook that you can look up sample configurations, but a broad coverage of security concerns. The authors spend these chapters leading the reader to an understanding of how ip traffic can be broken down into different categories, and how to define them as well as the particular vulnerabilities each has.

Schudel and Smith describe a three dimensional way of looking at security. Whereas we may have previously thought of securing each interface in a path, this book explodes this view into a multi-dimensional paradigm of data, control, management, and services. Like parallel universes each must be addressed separately while maintaining a big picture of how each plane can affect the other. The data plane is the actual payload for applications. The control plane indicates protocols that keep the traffic flowing to their destination. The management plane concerns the network administrator's access to the equipment. Special features such as Virtual Private Networks and Quality of Service constitute the services plane.
Chapters 8 and 9 give case studies that include diagrams, numbered line configurations, with documentation.

Appendix B details of each section of IP, TCP, and other protocol packets with vulnerabilities for each part. This is the first time I have seen this type of break down and found it made several aspects of attacks clearer to me. There are several other appendices that cover the IOS XR image and an excellent section on security incident handling that one could use as an outline for their company to use. I give Router Security Strategy 5 stars.

We finally have a book that pulls several different IOS security strategies together. So many references prior to this one touch on these topics sporadically but I have yet to find a better resource that covers all the bases as does this one.

The things I like about this book:

So many authors tend to try to spread their subject matter out too wide and take too broad of an approach when writing about network security. Schudel and Smith didn't do that. Instead they focused on specific areas and worked diligently to stay on target. It was very refreshing to read a book that actually didn't wander off on tangential subjects on a regular basis.

As for actual subject matter I was very pleased to find a book that discussed the various "planes" within Cisco IOS. In my opinion Cisco has not been very good about documenting this subject and so this book has cleared up several knowledge gaps I had prior to reading it. All of the bits of information I've heard or read about in the past were pulled together in a clear and concise manner. It was also pleasing to see just the right amount of configuration "shows" rather than pages and pages of them.

I also was very happy that this book was not full of fluff. The authors used just enough background info to convey their message but did not go overboard in non-essential detail. As with any technical reference I prefer thorough and correct information but many times there is just too much description that just gets in the way.

Some reviewers stated that the authors repeated themselves within this book. For me this was not a negative. There are certain topics that I very much need repeated in order to retain it thoroughly and so this was not a problem for me. The repetitious content was neither significant nor time consuming so I consider it to be a positive rather than a negative.

The things I do not like about this book:

This is trivial but I would have much preferred a hardback book rather than a paperback. This is a personal preference of course but hardbacks tend to last longer for me.

Gregg Schudel's and David Smith's book, "Sec Router Security Strategies: Securing IP Network Traffic Planes (Networking Technology: Security)", provided some of the best layering of security technologies I've read to date. It provides the needed understanding of security concerns and the methods to control them, from the bottom of the stack within the box to the top, deep into the application layers. Because it includes both IT and SP network considerations, I'm able to recommend this to all my consulting engineers.

D. Stewart, Engineering Manager
DeBrick Consulting