About Network Infrastructure Hardening
A network device typically comprises a general-purpose management CPU (or custom processor) and one or more forwarding engines. The former runs the so-called control plane, which includes every network management function. The latter handle the high-speed switching and routing of packets, that is, the so-called data plane (also known as the forwarding plane).
The management processor is in charge of communication exchanges with other networking devices, as well as of interactions with the portion of the traffic coming from the rest of the network (that is, from the data plane) that is addressed to the device itself. In general, all the traffic that is natively directed or purposefully redirected to the management processor is commonly referred to as control plane traffic.
When the amount of any class or classes of traffic belonging to the control plane becomes abnormal (e.g., due to a DoS attempt), or the traffic itself is maliciously altered, then the network device needs to take some protective action, lest a portion (or even the entirety) of the network be severely affected.
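The protective action described above is usually a per-class policer in front of the management CPU: traffic is classified by whether it must reach the CPU at all (transit traffic stays on the forwarding engine) and, if so, by which control-plane function it serves, and each class is rate-limited so that a flood in one class cannot starve the others. The following model is an added example, not NetVisor OS code: the class names, the rates and bursts in `DEFAULT_POLICY`, the device addresses and the sample traffic are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Addresses the device itself owns; anything sent here is "to-me" traffic
# that lands on the management CPU (constructed for this example).
DEVICE_ADDRESSES = {"10.0.0.1", "192.168.100.1"}


@dataclass
class Packet:
    ts: float            # arrival time in seconds
    src: str
    dst: str
    proto: str           # "tcp", "udp", "icmp", "ospf"
    dport: Optional[int] = None
    ttl: int = 64


class TokenBucket:
    """Per-class policer: refills `rate` tokens/s up to `burst`; one token per packet."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


# Hypothetical control-plane policy: (packets per second, burst) per class.
# A zero-rate class is a drop class for traffic the CPU should never process.
DEFAULT_POLICY = {
    "routing":     (200, 50),   # OSPF hellos, BGP sessions
    "management":  (50, 20),    # SSH, HTTPS, SNMP to the device
    "icmp":        (10, 5),     # pings aimed at the device
    "exception":   (10, 5),     # TTL-expired transit packets (CPU must build ICMP replies)
    "undesirable": (0, 0),      # anything else aimed at the device
}


def classify(pkt: Packet) -> Optional[str]:
    """Return the control-plane class of a packet, or None if it stays in the data plane."""
    if pkt.ttl <= 1:
        return "exception"              # forwarding engine cannot answer; punt to CPU
    if pkt.proto == "ospf":
        return "routing"
    if pkt.dst not in DEVICE_ADDRESSES:
        return None                     # transit: forwarding engine only
    if pkt.proto == "tcp" and pkt.dport == 179:
        return "routing"
    if (pkt.proto == "tcp" and pkt.dport in (22, 443)) or (pkt.proto == "udp" and pkt.dport == 161):
        return "management"
    if pkt.proto == "icmp":
        return "icmp"
    return "undesirable"


def police(packets: List[Packet], policy=DEFAULT_POLICY) -> Dict:
    """Run every packet through classification and the per-class policers; return counters."""
    buckets = {name: TokenBucket(rate, burst) for name, (rate, burst) in policy.items()}
    stats = {"forwarded": 0, "punted": {}, "dropped": {}}
    for pkt in sorted(packets, key=lambda p: p.ts):
        cls = classify(pkt)
        if cls is None:
            stats["forwarded"] += 1
            continue
        outcome = "punted" if buckets[cls].allow(pkt.ts) else "dropped"
        stats[outcome][cls] = stats[outcome].get(cls, 0) + 1
    return stats


def build_sample_traffic() -> List[Packet]:
    """Constructed traffic mix: normal transit, a BGP session, and an ICMP burst at the device."""
    pkts = [Packet(0.1 * i, "10.1.1.5", "10.2.2.9", "tcp", 80) for i in range(10)]    # transit
    pkts += [Packet(0.2 * i, "10.0.0.2", "10.0.0.1", "tcp", 179) for i in range(3)]   # BGP peer
    pkts += [Packet(0.001 * i, "172.16.9.9", "10.0.0.1", "icmp") for i in range(30)]  # 30 pings in 30 ms
    pkts += [Packet(0.5, "172.16.9.9", "10.0.0.1", "tcp", 8080),                      # closed port on device
             Packet(0.6, "172.16.9.9", "10.0.0.1", "udp", 9)]
    pkts += [Packet(0.7, "10.1.1.5", "10.2.2.9", "tcp", 80, ttl=1)]                   # traceroute-style expiry
    return pkts


if __name__ == "__main__":
    print(police(build_sample_traffic()))
    # {'forwarded': 10, 'punted': {'routing': 3, 'icmp': 5, 'exception': 1}, 'dropped': {'icmp': 25, 'undesirable': 2}}
```

Two points of the model carry over to real hardware: the policer sits only on the punt path, so transit traffic is never touched by it, and the ICMP burst exhausts its own bucket while the BGP session in the `routing` class is unaffected. The `exception` class matters because TTL-expired transit packets are one way the forwarding engine is made to hand work to the CPU; in a real policy it is the punt rate, not the bucket sizes chosen here, that would be tuned to the platform.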
In addition, a network device can apply security and quality of service (QoS) policies to data plane traffic as well, in order to protect or optimize the traffic destined for any device in the network.
In other words, security and QoS data plane features can be considered as an additional tool for infrastructure hardening, with the goal of optimizing any traffic flows and blocking or limiting the malicious ones.
As a consequence, a full-blown network hardening strategy has to apply to both networking planes: control plane as well as data plane.
It is therefore critically important to harden the control plane of a networking device first, and only then to leverage that hardened plane to securely apply traffic policies to the data plane. Following this logical order, this chapter describes the control plane hardening features first and then moves on to the data plane ones.
In order to be able to take advantage of the latest security features and bug fixes, it is imperative to keep NetVisor OS up to date. Customers are encouraged to use the latest software release with the most recent security fixes. Arista Networks runs a vulnerability assessment on each NetVisor OS release and publishes security patches for any security issue. Software upgrades are signed and encrypted to prevent installation of rogue software. For more details on the upgrade procedure, refer to the Upgrading the NetVisor OS Software section.