Security Intelligence Operations

Service Provider Security Best Practices

Service Provider Security Best Practices assist service providers as they protect and secure the Internet infrastructure through the design and deployment of security and operational practices, techniques, and capabilities.

CVSS Usage Within Cisco

The Common Vulnerability Scoring System (CVSS) is a public standard maintained by the Forum of Incident Response and Security Teams (FIRST) that provides a method for scoring IT-related vulnerabilities. This document focuses on how Cisco uses CVSS in the scoring of Cisco vulnerabilities.


Interface Access Control Lists
Protecting Your Core: Infrastructure Protection Access Control Lists
Access List Performance Improvements for Cisco 12000 Gigabit Switch Routers
Implementing Access Lists and Prefix Lists using Cisco IOS XR Software Version 4.3

Interface QoS Policies
Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.4
Implementing QoS for IPv6 - Cisco IOS IPv6 Configuration Guide, Release 12.4
Catalyst 6500 Release 12.2SXH and Later Software Configuration Guide - Configuring PFC QoS

Unicast Reverse Path Forwarding
Understanding Unicast Reverse Path Forwarding
Unicast Reverse Path Forwarding in Strict Mode on the Cisco 12000 Series Internet Router
Unicast RPF for IPv6 on the Cisco 12000 Series
Unicast Reverse Path Forwarding Enhancements for the Internet Service Provider-Internet Service Provider Network Edge
URPF MIB
CISCO-IP-URPF-MIB Support

IPv4 Options Handling
Cisco IOS 12.0S - IP Options Selective Drop
IP Options Selective Drop
Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values

IPv6 Extension Headers
IPv6 Extension Headers Review and Considerations
Countermeasures for the Malicious Use of IPv6 Type 0 Routing Headers
ICMPv6 Packet Types and Codes

Flexible Packet Matching
Catalyst 6500 - Cisco IOS Software Security: Flexible Packet Matching
Cisco IOS Flexible Packet Matching Deployment Guide
Flexible Packet Matching XML Configuration

Remotely Triggered Black Hole Filtering
Remotely Triggered Black Hole Filtering in IPv6 for Cisco IOS, Cisco IOS XE, and Cisco IOS XR Software
Remotely Triggered Black Hole Filtering - Destination Based and Source Based

Receive Access Control Lists
Cisco IOS Software Releases 12.0 S IP Receive ACL
GSR: Receive Access Control Lists

Control Plane Policing
Understanding Control Plane Protection
Control Plane Policing Implementation Best Practices
Control Plane Policing
Configuring Control Plane Policing
Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 4.1 - Configuring Control Plane Policing
Cisco IOS Software Releases 12.2 SB Control Plane Policing

Local Packet Transport Services
Implementing LPTS on Cisco IOS XR Software

Selective Packet Discard
Understanding and Using Selective Packet Discard
Troubleshooting Input Drops on the Cisco 12000 Series Internet Router

Routing Protocol Security - BGP
Neighbor Router Authentication: Overview and Guidelines
BGP Neighbor Router Authentication
BGP Support for TTL Security Check
Cisco IOS Software Releases 12.2 S BGP Support for TTL Security Check
Cisco IOS Software Releases 12.0 S - BGP Enforce the First Autonomous System Path
How to Block One or More Networks From a BGP Peer
BGP Prefix-Based Outbound Route Filtering
Configuring the BGP Maximum-Prefix Feature

Routing Protocol Security - IS-IS
Configuring IS-IS Authentication
Cisco IOS XR Routing Command Reference, Release 3.7 IS-IS Authentication (Hello-Password)
IS-IS HMAC-MD5 Authentication and Enhanced Clear Text Authentication
IPv6 Multi-Topology IS-IS
Cisco IOS Software Releases 12.0 S IS-IS Mechanisms to Exclude Connected IP Prefixes from LSP Advertisements
Overview of IS-IS Fast Convergence
Setting Best Practice Parameters for IS-IS Fast Convergence

Routing Protocol Security - OSPF
Cisco IOS XR Routing Command Reference, Release 3.7 OSPF Authentication
Sample Configuration for Authentication in OSPF
Cisco IOS XR Software - Configuring Generalized TTL Security Mechanism (GTSM) for OSPF

Routing Protocol Security - OSPFv3
Cisco IOS XR Routing Command Reference, Release 3.7 OSPFv3 Authentication

Routing Protocol Security - Keychain Management
Implementing Keychain Management on Cisco IOS XR Software
Keychain Management Commands on Cisco IOS XR Software

Label Distribution Protocol Security
MPLS LDP - Lossless MD5 Session Authentication
MPLS LDP Session Protection
MPLS LDP MD5 Global Configuration
MPLS LDP - Local Label Allocation Filtering

Resource Reservation Protocol Security
Deploying RSVP in Multiple Security Domains Networks: Securing Application Quality of Service
RSVP Message Authentication
Cisco IOS Software Releases 12.0 S RSVP Message Authentication
Cisco IOS XR MPLS Command Reference, Release 3.7 RSVP Authentication

Simple Network Management Protocol
Securing Simple Network Management Protocol
How to Configure SNMP Community Strings
SNMPv3

Syslog
Implementing Logging Services on Cisco IOS XR Software 4.1

SSH
Secure Shell Version 2 Support
Configuring Secure Shell on Routers and Switches Running Cisco IOS
Implementing Secure Shell on Cisco IOS XR Software for the Cisco XR 12000 Series Router, Release 4.2.x
Secure Copy

Secure Sockets Layer
Implementing Secure Socket Layer (SSL) on Cisco IOS XR Software for the Cisco CRS Router, Release 4.3.x

TACACS+
Authentication Protocols - TACACS+ and RADIUS Comparison
Basic TACACS+ Configuration Example
Configure a Cisco Router with TACACS+ Authentication
How to Assign Privilege Levels with TACACS+ and RADIUS
Cisco IOS XR System Security Configuration Guide, Release 3.7 Configuring a TACACS+ Server

Cisco Discovery Protocol
Configuring Cisco Discovery Protocol on Cisco Routers and Switches Running Cisco IOS
Configure the Cisco Discovery Protocol
Configuring Cisco Discovery Protocol
Implementing CDP on Cisco IOS XR Software for the Cisco CRS Router, Release 4.3.x

Management Plane Protection
Cisco IOS XR System Security Command Reference, Release 3.7 Management Plane Protection Commands on Cisco IOS XR Software

Authentication, Authorization, and Accounting
Configuring AAA Services on Cisco IOS XR Software for the Cisco XR 12000 Series Router, Release 4.0
Cisco AAA Implementation Case Study
Security Baseline Checklist - Infrastructure Device Access

IP Backscatter Traceback
Service Provider Infrastructure Security Techniques - Backscatter Traceback

Network Design
Cisco IOS and NX-OS Software Reference Guide
Network Security Baseline
Bandwidth, Packets Per Second, and Other Network Performance Metrics
Understanding 4-Byte AS Support in C12K and CRS-1
A Security-Oriented Approach to IP Addressing
Secure Network Infrastructure: Protect Video over IP Services
Secure Multivendor Networks
Cisco IPv6 Solutions Integration & Co-Existence
Service Provider Quality of Service Design Guide
VPN Architectures - Comparing MPLS and IPSec
Fixed Mobile Convergence for Integrated-Service Providers
Migration Guide for Explaining 4-Byte Autonomous System
Protecting Border Gateway Protocol for the Enterprise

Operations Security
Understanding Operational Security
Cisco IOS Image Verification
CVSS Usage Within Cisco
Embedded Event Manager in a Security Context
Understanding Access Control List Logging
Identifying Incidents Using Firewall and IOS Router Syslog Events
TTL Expiry Attack Identification and Mitigation
Protect Against Worms
Network Management System: Best Practices White Paper
Cisco IOS XR System Management Configuration Guide, Release 3.7
Cisco XR 12000 Manageability
Operational Best Practices for the Cisco Catalyst 6500 Series
Device Manageability Instrumentation (DMI)

Service Provider Security Best Practices
Cisco Guide to Harden Cisco IOS XR Devices
Cisco Guide to Harden Cisco IOS Devices
Service Provider Infrastructure Security Techniques
Securing Tool Command Language on Cisco IOS
Infrastructure Protection on Cisco IOS Software-Based Platforms
Cisco IOS XR System Security Configuration Guide, Release 3.7
Protecting the Cisco Catalyst 6500 Series Switches Against Denial-Of-Service Attacks
Cisco CRS-1 Carrier Routing System Security Application Note
Cisco IOS and NX-OS Software Reference Guide

Data Center Security
Data Center Security
Cisco Service Delivery Center Infrastructure 2.1 Design Guide
Service Module Design with ACE and FWSM

Multiprotocol Label Switching
Multiprotocol Label Switching Security Overview
Security of the MPLS Architecture
MPLS Security - Multiprotocol Label Switching for the Federal Government
RFC 4381: Analysis of the Security of BGP/MPLS IP Virtual Private Networks (VPNs)
Managed VPN - Analysis and Comparisons of MPLS-Based IP VPN Security
Analysis of MPLS-Based IP VPN Security: Comparison to Traditional L2VPNs such as ATM and Frame Relay, and Deployment Guidelines
Cisco IOS XR MPLS Configuration Guide, Release 3.7 - Implementing IPv6 VPN Provider Edge Transport over MPLS on Cisco IOS XR Software
MPLS VPN - Inter-AS Option AB
Configuring Multicast VPN Inter-AS Support
Cisco IOS Software Releases 12.0 S BGP Multicast Inter-AS (IAS) VPN
Cisco IOS Software Releases 12.0 S - MPLS-aware NetFlow
Cisco IOS Software Releases 12.0 S - SNMP Notification Support for VPNs
Cisco IOS Software High-Availability Enhancements for IP/MPLS Provider Edge
Cisco Multiprotocol Label Switching Management Strategy

Multicast
The Multicast Security Tool Kit
Securing IP Multicast Services in Triple-Play and Mobile Networks

DNS
DNS Best Practices, Network Protections, and Attack Identification
Geographic Implications of DNS Infrastructure Distribution

NetFlow Instrumentation Techniques
Introduction to Cisco IOS NetFlow - A Technical Overview
NetFlow and Security
NetFlow Performance Analysis
Configuring NetFlow BGP Next Hop Support for Accounting and Analysis
Network Management Case Study: How Cisco IT Uses NetFlow to Capture Network Behavior, Security, and Capacity Data
Configuring MPLS-aware NetFlow
Cisco IOS NetFlow Features Roadmap
NetFlow Layer 2 and Security Monitoring Exports

NetFlow Version 9 Instrumentation Techniques
NetFlow Version 9 Flow-Record Format
NetFlow v9 Export Format
NetFlow v9 for IPv6
Getting Started with Configuring NetFlow and NetFlow Data Export

Flexible NetFlow Instrumentation Techniques
Cisco IOS Flexible NetFlow Technology White Paper

Embedded Event Manager Instrumentation Techniques
Embedded Event Manager in a Security Context
Understanding Cisco IOS Software Embedded Self-Management Capabilities
Cisco IOS XR System Monitoring Configuration Guide, Release 3.7 - Configuring and Managing Embedded Event Manager Policies on Cisco IOS XR Software
Cisco IOS XR System Monitoring Configuration Guide, Release 3.7 - Implementing Performance Management on Cisco IOS XR Software
Cisco IOS Software Releases 12.0 S - Component Outage On-Line (COOL) Measurement for the Cisco 12000

SNMP Instrumentation Techniques
CISCO-IP-URPF-MIB Support
URPF MIB
Network Management System: Best Practices White Paper

Syslog Instrumentation Techniques
Identifying Incidents Using Firewall and IOS Router Syslog Events

Lawful Intercept Instrumentation Techniques
Lawful Interception for 3GPP: Cisco Service Independent Intercept in the GGSN
Lawful Intercept Architecture
Cisco Service Independent Intercept Architecture Version 3.0
Cisco IOS Software Releases 12.0 S - Lawful Intercept on Cisco 12000 Series Router, ISE Line Cards
Cisco IOS Software Releases 12.2 SB - Lawful Intercept Architecture
Cisco 7600 Lawful Intercept Configuration Guide