Protect data plane
The data plane carries traffic that transits your network without being addressed to a network device itself: for example, packets going from a user to a server, with the router acting purely as a forwarding device (traffic addressed to the router, such as routing protocol updates or SSH sessions, belongs to the control and management planes instead). Here are some of the security measures you can employ to protect the data plane traffic:
- Block unwanted traffic using ACLs (Access Control Lists) – implement ACLs on the routers in your network to deny unwanted traffic. Apply them inbound on the interfaces closest to the source, permit only the protocols and ports your services actually need, and let everything else hit the implicit deny at the end of the list.
- Prevent DoS (Denial-of-Service) attacks – to mitigate SYN-flooding attacks, use a feature such as TCP Intercept. It intercepts TCP connection requests destined for your servers, completes the three-way handshake with the client on the server's behalf, and only hands the connection to the server once the client has proven it can complete the handshake; half-open connections that never complete are aged out, so the server's connection queue is not exhausted.
- Prevent spoofing attacks – filter packets arriving from the outside that claim a source IP address from your internal network range, and also filter packets leaving your network whose source address is not one of yours, so your network cannot be used to launch spoofed attacks on others. Unicast Reverse Path Forwarding (uRPF) automates this check by dropping packets whose source address is not reachable via the interface they arrived on.
- Implement bandwidth management – rate-limit certain types of traffic known to be used in attacks (e.g. ICMP), so that a flood of such packets cannot saturate a link or the hosts behind it.
- Use IDS and IPS – use Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to detect and, in the case of an inline IPS, block attacks on your network.
- Implement port security – use the port security feature on Cisco switches to limit the number of MAC addresses learned on an access port. This protects against MAC address flooding, the attack that overflows the switch's CAM (Content-Addressable Memory) table so that the switch starts flooding frames out of every port and an attacker can sniff traffic that is not meant for them.
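To show how these measures fit together, here is an added Cisco IOS configuration for a single edge router and an access switch. It is not from the original page. The interface names, the address ranges (198.51.100.0/24 as the internal network, 203.0.113.0/30 as the WAN link, 198.51.100.10 as the only server exposed to the Internet), the policer rate and the TCP Intercept thresholds are all assumptions chosen for illustration; substitute your own values.

```cisco
! ---- Edge router (assumed layout: Gi0/0 = WAN link, Gi0/1 = LAN) ----
! Assumed addressing: internal 198.51.100.0/24, WAN link 203.0.113.0/30,
! public server 198.51.100.10. uRPF requires CEF.
ip cef
!
! 1. Inbound ACL on the WAN link: anti-spoofing first, then permit only
!    the services this site exposes; everything else hits the final deny.
ip access-list extended WAN-IN
 remark -- anti-spoofing: our own range and other bogus sources --
 deny   ip 198.51.100.0 0.0.0.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 remark -- services actually exposed --
 permit tcp any host 198.51.100.10 eq 443
 permit tcp any host 198.51.100.10 eq 80
 remark -- replies to sessions opened from inside (ACK/RST set) --
 permit tcp any 198.51.100.0 0.0.0.255 established
 permit icmp any 198.51.100.0 0.0.0.255 echo-reply
 permit icmp any 198.51.100.0 0.0.0.255 unreachable
 permit icmp any 198.51.100.0 0.0.0.255 time-exceeded
 remark -- explicit final deny with logging --
 deny   ip any any log
!
! 2. Inbound ACL on the LAN side (egress filtering): only our own
!    source addresses may leave, so we cannot be used for spoofed attacks.
ip access-list extended LAN-IN
 permit ip 198.51.100.0 0.0.0.255 any
 deny   ip any any log
!
! 3. Rate-limit ICMP arriving from the WAN to 64 kbit/s (assumed rate).
ip access-list extended ICMP-ANY
 permit icmp any any
class-map match-all ICMP
 match access-group name ICMP-ANY
policy-map WAN-IN-POLICE
 class ICMP
  police 64000 8000 conform-action transmit exceed-action drop
!
! 4. TCP Intercept for connections to the public server: the router
!    completes the handshake on the server's behalf and ages out half-open
!    connections. Thresholds are assumed values; tune them to your traffic.
access-list 110 permit tcp any host 198.51.100.10
ip tcp intercept list 110
ip tcp intercept mode intercept
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept drop-mode random
!
interface GigabitEthernet0/0
 description WAN uplink
 ip address 203.0.113.1 255.255.255.252
 ip access-group WAN-IN in
 service-policy input WAN-IN-POLICE
!
interface GigabitEthernet0/1
 description LAN
 ip address 198.51.100.1 255.255.255.0
 ip access-group LAN-IN in
 ! strict uRPF: drop packets whose source is not routed via this interface
 ip verify unicast source reachable-via rx
!
! ---- Access switch: port security on user-facing access ports only ----
! (never on trunks/uplinks, where many MAC addresses are legitimate)
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
```

Verify the result with `show access-lists` (match counters on the deny entries), `show policy-map interface GigabitEthernet0/0`, `show tcp intercept statistics` and `show port-security interface FastEthernet0/1`. Two caveats a practitioner should weigh: the `log` keyword on ACL entries sends matching packets to the router CPU, so under a flood it can itself become a DoS vector and should be kept to a few high-value entries; and strict uRPF (`reachable-via rx`) drops legitimate traffic wherever routing is asymmetric, in which case loose mode (`reachable-via any`) is the safer choice. The `violation restrict` action keeps the port up and logs violations; the default, `shutdown`, err-disables the port and needs manual or `errdisable recovery` intervention.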