nerdexam
Cisco

352-001 · Question #596

Which two items are required for data plane hardening of an infrastructure device? (Choose two)

The correct answer is E. Infrastructure ACLs G. Control Plane Policing. Infrastructure ACLs and Control Plane Policing are the two primary mechanisms used to harden infrastructure devices against unauthorized data plane traffic reaching critical device resources.

Designing Security

Question

Which two items are required for data plane hardening of an infrastructure device? (Choose two)

Options

  • ADisable unused services
  • BRouting protocol authentication
  • CSNMPv3
  • DRedundant AAA servers
  • EInfrastructure ACLs
  • FWarning banners
  • GControl Plane Policing

How the community answered

(24 responses)
  • A
    4% (1)
  • D
    4% (1)
  • E
    92% (22)

Why each option

Infrastructure ACLs and Control Plane Policing are the two primary mechanisms used to harden infrastructure devices against unauthorized data plane traffic reaching critical device resources.

ADisable unused services

Disabling unused services is a management plane hardening technique that reduces attack surface on the device itself but does not harden the data plane.

BRouting protocol authentication

Routing protocol authentication secures control plane adjacencies against injection attacks but does not filter or police data plane traffic.

CSNMPv3

SNMPv3 provides authenticated and encrypted management plane access but has no role in data plane hardening.

DRedundant AAA servers

Redundant AAA servers improve management plane availability and resilience but are not a data plane hardening control.

EInfrastructure ACLsCorrect

Infrastructure ACLs (iACLs) are deployed at network ingress points to explicitly permit only authorized traffic destined for infrastructure address space and drop everything else, directly filtering data plane traffic before it can reach the device.

FWarning banners

Warning banners are a legal deterrent and management plane control and provide no technical data plane protection.

GControl Plane PolicingCorrect

Control Plane Policing (CoPP) rate-limits or drops traffic that is punted from the data plane up to the route processor, preventing CPU exhaustion attacks and protecting the control plane from data plane-sourced floods.

Concept tested: Infrastructure device data plane hardening with iACLs and CoPP

Source: https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

Topics

#data plane hardening#infrastructure ACL#control plane policing#device security

Community Discussion

No community discussion yet for this question.

Full 352-001 Practice