Protect data plane

Data plane traffic is traffic that passes through your network without being addressed to a network device itself. For example, traffic going from a user to a server, where the router acts only as a forwarding device, is data plane traffic. Here are some of the security measures you can employ to protect the data plane traffic:

  • Block unwanted traffic using ACLs (Access Control Lists) – implement ACLs on routers in your network to deny unwanted traffic. You should filter protocols and traffic known to be used for malicious purposes.
  • Prevent DoS (Denial-of-Service) attacks – to prevent DoS attacks, use techniques such as TCP Intercept. This feature prevents SYN-flooding attacks by intercepting and validating TCP connection requests before they reach the server.
  • Prevent spoofing attacks – filter packets arriving from outside your network that claim a source IP address from your internal address range; such packets can only be forged.
  • Implement bandwidth management – rate-limit certain types of traffic known to be used in attacks (e.g. ICMP).
  • Use IDS and IPS – use Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to detect and prevent attacks on your network.
  • Implement port security – use the port security feature on Cisco switches to protect against MAC address flooding and CAM (Content-Addressable Memory) overflow attacks.
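The following Cisco IOS configuration is an added example that puts the measures listed above into one place; it is not configuration from the original article. It assumes a constructed topology: a router whose GigabitEthernet0/0 faces the Internet and whose GigabitEthernet0/1 faces the internal network 192.168.10.0/24, plus a switch access port FastEthernet0/1. The ACL names, ACL numbers, interface names, rate values and the choice of TCP port 445 as an example of unwanted inbound traffic are all assumptions made for this example.

```cisco
! --- Anti-spoofing and unwanted-traffic filtering (ACLs) ---
! Applied inbound on the Internet-facing interface: drop packets that claim
! an internal or otherwise impossible source address, and drop a protocol
! we never expect from the Internet (SMB on TCP 445 is used as the example).
ip access-list extended ANTI-SPOOF-IN
 deny   ip 192.168.10.0 0.0.0.255 any log      ! our own internal range
 deny   ip 10.0.0.0 0.255.255.255 any log      ! RFC 1918 ranges
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log     ! loopback, never valid on the wire
 deny   tcp any any eq 445 log                 ! example of unwanted inbound traffic
 permit ip any any
!
! --- Bandwidth management: police ICMP entering from the Internet ---
access-list 102 permit icmp any any
class-map match-all ICMP-TRAFFIC
 match access-group 102
policy-map LIMIT-ICMP
 class ICMP-TRAFFIC
  ! 64 kbit/s with an 8000-byte burst (assumed values); excess ICMP is dropped
  police 64000 8000 conform-action transmit exceed-action drop
!
! --- TCP Intercept: protect internal servers from SYN floods ---
! ACL 101 selects which destinations the router intercepts connections for.
access-list 101 permit tcp any 192.168.10.0 0.0.0.255
ip tcp intercept list 101
ip tcp intercept mode intercept
!
interface GigabitEthernet0/0
 description Internet-facing (constructed example)
 ip access-group ANTI-SPOOF-IN in
 ! strict unicast RPF: drop packets whose source is not reachable via this interface
 ip verify unicast source reachable-via rx
 service-policy input LIMIT-ICMP
!
interface GigabitEthernet0/1
 description Internal LAN 192.168.10.0/24 (constructed example)
!
! --- Switch side: port security against MAC flooding / CAM overflow ---
! Port security only works on a static access port, hence "switchport mode access".
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2             ! at most two MAC addresses on this port
 switchport port-security violation restrict    ! drop offending frames and log, do not shut the port
 switchport port-security mac-address sticky    ! learn and keep the first addresses seen
```

To confirm the controls are active, use `show ip access-lists` (hit counters on the deny lines show spoofed or unwanted packets being dropped), `show tcp intercept statistics`, `show policy-map interface GigabitEthernet0/0` for the ICMP policer, and `show port-security interface FastEthernet0/1` on the switch. The `log` keyword on the deny entries feeds the detection side: these log messages are what an IDS or syslog collector should be watching for.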
Geek University 2022