Cisco AutoSecure

Cisco AutoSecure allows two modes of operation:
• Interactive mode: Prompts users to select their own configuration of router services and other security-related features
• Noninteractive mode: Configures security-related features of the router based on a set of Cisco defaults

Cisco AutoSecure protects the router functional planes by doing the following:
• Disabling often unnecessary and potentially insecure global services
• AAA servers are typically used as a central repository of authentication
credentials (the users, answering the question “who is trying to access the device?”), authorization rules (the “what” users can accomplish), and accounting logs (the “what users did” part of the equation).

Data Plane Security

Among the laundry list of ways to protect the data plane, some that we will see in this book include
• Access control lists
• Private VLAN
• Firewalling
• Intrusion Prevention System (IPS)

Layer 2 Data Plane Protection

Data plane protection mechanisms depend on feature availability for specific devices. In a switching infrastructure, the following integrated security capabilities provide data plane security on Cisco Catalyst switches:
• Port security prevents MAC flooding attacks.
• DHCP snooping prevents client attacks on the DHCP server and switch.
• Dynamic ARP Inspection (DAI) adds security to ARP by using the DHCP snooping table to minimize the impact of ARP poisoning and spoofing attacks.
• IP Source Guard prevents IP address spoofing by using the DHCP snooping table.
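
The four Layer 2 features listed above, combined on one access switch, as an added configuration example that is not taken from the book. The VLAN number, interface names and limits are assumed values, and exact keywords can vary by Catalyst platform and software release.

```cisco
! Constructed example: VLAN 10 is the user VLAN, Gi1/0/24 is the uplink toward
! the DHCP server, Gi1/0/1 is a user-facing access port (all assumed values).
!
! DHCP snooping builds the IP/MAC/port/VLAN binding table that DAI and
! IP Source Guard both consult, so it is enabled first.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! DAI checks ARP packets on VLAN 10 against the snooping bindings.
ip arp inspection vlan 10
!
interface GigabitEthernet1/0/24
 description Uplink toward DHCP server (trusted)
 ! Only trusted ports may carry DHCP server replies and unchecked ARP.
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet1/0/1
 description User access port (untrusted by default)
 switchport mode access
 switchport access vlan 10
 ! Port security: cap learned MAC addresses to blunt MAC flooding.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ! Rate-limit DHCP packets arriving from the client side.
 ip dhcp snooping limit rate 15
 ! IP Source Guard: drop IP traffic whose source is not in the bindings.
 ip verify source
```

Hosts with static addresses have no snooping binding, so DAI and IP Source Guard drop their traffic unless a static binding or an ARP ACL is configured for them. `show ip dhcp snooping binding`, `show ip arp inspection`, `show port-security` and `show ip verify source` display the resulting state.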