Chapter 6: The Role of the Router

droppercause, Networks and Communications

28 Oct 2013

- Router
  o A router is a device that interconnects two or more networks.
  o Main function: to route packets through the network.
  o The role the router plays in the security structure depends on its placement and the networks that it joins:
    - A simple border router that joins your network to the Internet and relies on an internal firewall for security.
    - A router used as the lone perimeter security device.

- The Router as a Perimeter Device
  o The main function of a router is the forwarding of packets between two network segments.
  o Many additional duties are thrust onto the router, and ultimately performance suffers.
  o Routers have processors, memory, and storage space.
  o Prices vary: lots of features is expensive; fewer features is more reasonably priced. Check under the hood for what is needed.
  o Storage is limited; upgrades can be had at a premium.
  o Most routers use Syslog for remote logging and Trivial File Transfer Protocol (TFTP) for the transfer of configuration files and operating software updates.




- Routing
  o Easy to do if there are only two interfaces: the router knows the IP address of its 2 interfaces and forwards traffic sent from one network to the other.
  o Segments can be added to the routing table manually by an administrator (static routes) or dynamically by updates from other routers.
  o May need to add a default route: the gateway of last resort.
  o As the network grows, it is not feasible to configure routes manually.
    - Solution: dynamic routing protocols, allowing configured routers to learn from each other about available routing paths.
    - Routing Information Protocol version 1 (RIPv1), Open Shortest Path First (OSPF), RIPv2, Interior Gateway Routing Protocol (IGRP), Enhanced Interior Gateway Routing Protocol (EIGRP).
    - Problems: from a performance standpoint (updates travel around the network using resources) and from a security standpoint (how do we know the update is real?).
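To make the static-route and default-route bullets concrete, here is an added example (not part of the chapter) of a minimal IPv4 forwarding table. Routes are added the way an administrator would add static routes, `0.0.0.0/0` is the gateway of last resort, and lookup is longest-prefix match, so the most specific route wins and the default is used only when nothing else matches. All prefixes, next hops and interface names are constructed sample values.

```python
"""Added example: a minimal IPv4 forwarding table with static routes and a
default route ("gateway of last resort").  Sample values are constructed."""
import ipaddress


class RoutingTable:
    def __init__(self):
        self.routes = []  # list of (network, next_hop, interface)

    def add_static(self, prefix, next_hop, interface):
        """Add a route the way an administrator would (a static route)."""
        self.routes.append((ipaddress.ip_network(prefix), next_hop, interface))

    def add_default(self, next_hop, interface):
        """The gateway of last resort: a /0 that matches every destination."""
        self.add_static("0.0.0.0/0", next_hop, interface)

    def lookup(self, destination):
        """Longest-prefix match; returns None when no route covers the address."""
        dst = ipaddress.ip_address(destination)
        best = None
        for net, next_hop, iface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, iface)
        if best is None:
            return None  # no route at all: the packet would be dropped
        return {"network": str(best[0]), "next_hop": best[1], "interface": best[2]}


def build_sample_table():
    """Constructed table: two interfaces, two static routes, one default route."""
    rt = RoutingTable()
    rt.add_static("192.168.1.0/24", "connected", "eth0")   # directly attached LAN
    rt.add_static("10.0.0.0/8", "192.168.1.254", "eth0")   # static route, coarse
    rt.add_static("10.1.0.0/16", "192.168.1.253", "eth0")  # static route, more specific
    rt.add_default("203.0.113.1", "eth1")                  # gateway of last resort
    return rt


if __name__ == "__main__":
    table = build_sample_table()
    for dest in ("192.168.1.7", "10.1.2.3", "10.9.9.9", "8.8.8.8"):
        print(dest, "->", table.lookup(dest))
```

Note how `10.1.2.3` is sent to the /16 next hop rather than the /8 one, and how `8.8.8.8` falls through to the default route; without a default route that last lookup returns `None`, which is the case the chapter calls "may need to add a default route".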




- Secure Dynamic Routing
  o Most routing protocols can be configured to secure routing information.
  o If not configured correctly, this can be an easily exploited security hole.
  o Route Authentication
    - Some dynamic routing protocols offer advanced protection known as route authentication.
    - RIPv2, OSPF, EIGRP, and BGP have routing authentication.
    - RIPv1 and IGRP do not support routing authentication.
    - OSPF:
      1. No authentication
      2. Simple password
      3. Checksum
  o In addition, you may configure the router not to accept (deny) any routing updates from a specific place.
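The following is an added example (not from the chapter) modelling what route authentication and a deny list buy a receiving router. Each routing update carries a sequence number and a keyed digest computed with a key shared between neighbours; the receiver installs the routes only if the digest verifies, the sequence number moves forward (so a captured update cannot be replayed), and the neighbour is not on the deny list. Real OSPF/RIPv2/EIGRP cryptographic authentication uses MD5 over the packet plus key; HMAC-SHA256 is used here as a generic keyed digest, and all neighbour addresses, prefixes and keys are constructed sample values.

```python
"""Added example: a simplified model of route authentication (keyed digest +
sequence number) and of denying updates from a specific neighbour.
Keys, addresses and prefixes are constructed sample values."""
import hashlib
import hmac
import json


def make_update(neighbor, routes, seq, key):
    """Build an authenticated routing update as a sending router would."""
    body = json.dumps({"neighbor": neighbor, "routes": routes, "seq": seq}, sort_keys=True)
    digest = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "digest": digest}


class Receiver:
    def __init__(self, key, denied_neighbors=()):
        self.key = key
        self.denied = set(denied_neighbors)   # "do not accept updates from here"
        self.last_seq = {}                    # highest sequence number seen per neighbour
        self.table = {}                       # prefix -> next hop

    def accept(self, update):
        """Return (accepted, reason); routes are installed only when accepted."""
        body = update["body"]
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, update["digest"]):
            return False, "bad digest"        # forged, altered, or wrong shared key
        msg = json.loads(body)
        neighbor = msg["neighbor"]
        if neighbor in self.denied:
            return False, "neighbor denied"   # authenticated but not trusted for updates
        if msg["seq"] <= self.last_seq.get(neighbor, -1):
            return False, "replayed update"   # old or repeated sequence number
        self.last_seq[neighbor] = msg["seq"]
        for prefix, next_hop in msg["routes"].items():
            self.table[prefix] = next_hop
        return True, "installed"


if __name__ == "__main__":
    key = b"shared-secret"                    # constructed key
    rx = Receiver(key, denied_neighbors=["10.0.0.9"])
    upd = make_update("10.0.0.2", {"10.5.0.0/16": "10.0.0.2"}, 1, key)
    print(rx.accept(upd))                     # installed
    print(rx.accept(upd))                     # replayed update
    forged = {"body": upd["body"].replace("10.5.0.0/16", "0.0.0.0/0"), "digest": upd["digest"]}
    print(rx.accept(forged))                  # bad digest
```

The order of the checks matters: the digest is verified before the message is parsed or trusted for anything, so a neighbour that does not hold the shared key cannot even get as far as the deny-list decision. RIPv1 and IGRP, which carry no authentication field, have nothing equivalent to the first check.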


- The Router as a Security Device
  o Router as a Part of Defense in Depth
    - Good in conjunction with a stateful firewall, using the router for ingress/egress filtering.
    - Ingress filters belong at the furthermost point on your perimeter, which is most likely your border router.
    - Egress filtering is also a good choice for a router that is working in conjunction with other perimeter firewalls; blocking or allowing entire network ranges is something that packet filters are well suited for.
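As an added example (not part of the chapter), the ingress and egress filters above expressed as decisions over network ranges, which is the job the text says packet filters are well suited for. Ingress (packets arriving from the Internet) denies anything whose source claims to be an internal or private address, because such a packet must be spoofed; egress (packets leaving) permits only sources from the internal range, so an inside host cannot send traffic with someone else's address. The internal range, the bogon list and the sample packets are constructed assumptions.

```python
"""Added example: ingress/egress filtering on a border router as a packet
filter over address ranges.  Ranges and packets are constructed samples."""
import ipaddress

INTERNAL = ipaddress.ip_network("192.168.1.0/24")   # assumed internal network
# Sources that must never appear on a packet arriving from the outside.
BOGON = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
]


def ingress_filter(src):
    """Packet entering from the Internet: 'permit' or 'deny' by source address."""
    s = ipaddress.ip_address(src)
    if s in INTERNAL or any(s in net for net in BOGON):
        return "deny"    # spoofed: an outside packet cannot carry this source
    return "permit"


def egress_filter(src):
    """Packet leaving toward the Internet: only our own addresses may go out."""
    s = ipaddress.ip_address(src)
    return "permit" if s in INTERNAL else "deny"


def apply_filters(packets):
    """packets: (direction, src, dst) tuples -> (direction, src, dst, decision)."""
    results = []
    for direction, src, dst in packets:
        check = ingress_filter if direction == "in" else egress_filter
        results.append((direction, src, dst, check(src)))
    return results


SAMPLE_PACKETS = [  # constructed
    ("in", "198.51.100.7", "192.168.1.10"),     # ordinary inbound traffic
    ("in", "192.168.1.10", "192.168.1.10"),     # outside packet claiming an inside source
    ("in", "10.1.1.1", "192.168.1.10"),         # outside packet with a private source
    ("out", "192.168.1.22", "198.51.100.7"),    # ordinary outbound traffic
    ("out", "203.0.113.9", "198.51.100.7"),     # inside host using a foreign source
]

if __name__ == "__main__":
    for row in apply_filters(SAMPLE_PACKETS):
        print(*row)
```

Both filters look only at the source address, which is why they belong on the border router rather than on the stateful firewall behind it: the decision needs no connection state, just the knowledge of which ranges live on which side of the interface.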



  o Network-Based Application Recognition (NBAR)
    - Designed to help quality of service (QoS).
    - Created to allocate bandwidth based on the applications (e.g. streaming multimedia).
    - Security: provides protection against DoS due to lack of bandwidth (could be used to limit the bandwidth used by worms).




  o The Router as a Lone Perimeter Security Solution
    - Border router as an all-in-one security solution.
    - Doing packet filtering, stateful inspection, and handling VPN connections.
    - Could be placed at internal subnetting points to facilitate communication while enforcing resource separation.
    - A NAT device is responsible for translating the traffic between the public outside and private inside addressing: one-to-one mapping.
    - PAT maps multiple internal addresses to one external public address by tracking the communication sessions by the port number in use:

      Source IP/port        Translated IP/port      Contacted IP/port
      192.168.1.5:1035      200.200.200.2:1111      225.225.225.1:80

    - PAT is more secure because it also tracks the port numbers that are used for each connection and logs them in its translation table.
    - Rather safe as long as the source port that your internal station is using is a dynamically generated ephemeral port.
    - The problem with NAT is the lack of inherent outbound filtering.
    - When used in conjunction with other technologies, such as static packet filtering, dynamic packet filtering, and even stateful inspection methods, it provides excellent privacy and security.
    - CBAC is a full-featured method of stateful inspection for Cisco routers.
    - CBAC supports most popular protocols and keeps full track of the state of connections, dynamically creating access lists to allow return traffic from outside sources.
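The PAT translation table from the text, as an added example (not from the chapter) that also shows what the table does and does not filter. Outbound flows from several inside hosts are rewritten to the one public address, each with its own allocated port, and the mapping is recorded; an inbound packet is translated back only if it matches an existing entry, and anything else is dropped. That last behaviour is the only inbound protection NAT/PAT gives by itself, and there is no outbound filtering at all, which is the gap the text says packet filtering or stateful inspection must fill. The addresses are the chapter's sample row plus constructed ones.

```python
"""Added example: a minimal PAT (port address translation) table.
Addresses reuse the chapter's sample row; the rest are constructed."""


class PAT:
    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (src_ip, src_port, dst_ip, dst_port) -> translated port
        self.inbound = {}    # (translated port, dst_ip, dst_port) -> (src_ip, src_port)

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Inside -> outside: rewrite the source to the public IP and a tracked port."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            port = self.next_port              # allocate the next free translated port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_in(self, src_ip, src_port, dst_port):
        """Outside -> inside: src is the outside host, dst_port the public port it targets.
        Returns the rewritten packet, or None when no entry matches (packet dropped)."""
        entry = self.inbound.get((dst_port, src_ip, src_port))
        if entry is None:
            return None                        # unsolicited inbound: nothing to translate
        return (src_ip, src_port, entry[0], entry[1])

    def table(self):
        """Rows in the chapter's layout: source, translated, contacted IP/port."""
        return [
            (f"{k[0]}:{k[1]}", f"{self.public_ip}:{port}", f"{k[2]}:{k[3]}")
            for k, port in self.outbound.items()
        ]


if __name__ == "__main__":
    pat = PAT("200.200.200.2", first_port=1111)
    pat.translate_out("192.168.1.5", 1035, "225.225.225.1", 80)   # the chapter's row
    pat.translate_out("192.168.1.6", 1035, "225.225.225.1", 80)   # same source port, new entry
    for row in pat.table():
        print(*row)
    print(pat.translate_in("225.225.225.1", 80, 1111))   # reply to the first flow
    print(pat.translate_in("203.0.113.5", 80, 1111))     # unrelated host: None
```

Two inside hosts may use the same ephemeral source port (1035 here) without colliding, because the translated port, not the original one, is what identifies the session from the outside. Note also that `translate_out` never refuses anything: a worm on an inside host gets a translation as readily as a browser does.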


- Router Hardening
  o The router itself has to be protected.
  o Imperative to be up to date with patches.




  o Locking Down Administration Points
    - Telnet is probably the most popular way to remotely configure a router.
      - Properly secure the Telnet server from outside access to prevent remote nefarious users from reconfiguring your router.
      - Be aware that all information, including login and password, is sent in cleartext.
      - Advisable to apply access lists that limit where Telnet sessions can originate.
    - SSH: a secure alternative to Telnet; uses encryption to protect login names and passwords while authenticating; supported by Cisco.
    - TFTP/FTP: used to transfer configuration information.
      - TFTP is a dangerous protocol: no login or authentication is needed; it should be disabled by default.
      - FTP is a little bit more secure [advised to block inbound FTP traffic].


  o SNMP (Simple Network Management Protocol)
    - Popular way to manage network devices.
    - Allowing Internet access to SNMP, while convenient, opens a potential security hole.
    - Highly advisable to simply block all SNMP traffic at the entrance to the network: UDP ports 161 and 162, TCP [161, 162, 199, 391, 705, and 1993], and UDP [199, 391, 1993].
    - Disable SNMP in environments where it is not required.
    - Implement at least SNMPv3, which supports encryption and cryptographic authentication and is significantly more secure than its predecessors.
    - Carefully pick community string names.


  o CDP (Cisco Discovery Protocol)
    - The means by which Cisco routers discover specific details about each other.
    - A major security concern because detailed configuration information is propagated throughout the network.
    - If you do not specifically need it, disable it.


  o Disabling Servers
    - The Bootp server is a forerunner of DHCP.
    - The TFTP server on supported routers.
    - The HTTP server offers an alternative means to manage the router via a web browser.
      - If HTTP is used for management, authentication can be enabled.
      - ACLs can be applied to allow only specified addresses access to the HTTP server.
      - Change the HTTP server's port address.


  o Disable Unneeded Services
    - Small services: ports below 20 TCP and UDP, and time (TCP and UDP port 37).
    - NTP (Network Time Protocol): allows synchronization of time sources on a network.
    - Finger: a service that allows users to query a network device to discover information about a user by their email address, or about currently logged on users. One can find out who is currently logged on, or more personal information including the last time the user retrieved his mail, his telephone number, full name, address, and so on.


  o Internet Control Message Protocol (ICMP) Blocking
    - Unreachable: filtering of "host unreachable" (ICMP type 3); disabling all of it caused problems.
    - Packet too big: often necessary for proper network functionality, since outside parties need to be told that they must fragment their information or adjust their maximum transmission unit (MTU) size to communicate with you (ICMP type 3 code 4).
    - Echo replies and requests are of the most concern, but with properly patched, configured, and hardened servers, they shouldn't be a problem either.
    - Direct Broadcasts: this command disallows traffic to broadcast addresses, preventing amplification of Smurf-like attacks, where one echo request can generate hundreds of responses.
    - Redirect: this command is often used in conjunction with anti-spoofing access lists and is applied to any router interface from which malicious traffic can enter your network.




  o Spoofing and Source Routing
    - Source routing and spoofing can be an effective and hazardous combination.
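The hardening items above (small servers, finger, bootp, the HTTP server, CDP, SNMP community strings, ICMP redirects and directed broadcasts, source routing) are easy to forget on one router out of many. As an added example (not part of the chapter and not a vendor tool), here is a small audit that reads a saved IOS-style configuration and lists which of those items are still open. The command names (`no cdp run`, `no ip source-route`, `no ip directed-broadcast`, and so on) are the standard Cisco IOS forms; the checks, the SNMP rule, and the sample configuration are constructed for this example, and the script assumes an item is closed only when its explicit `no` form appears in the text (global commands once, interface commands under every `interface` stanza).

```python
"""Added example: audit a saved IOS-style configuration for the chapter's
hardening items.  Rules and the sample configuration are constructed."""
import re

# Global items: (finding to report, line that must be present for it to be closed)
GLOBAL_CHECKS = [
    ("TCP small servers enabled",   r"^no service tcp-small-servers$"),
    ("UDP small servers enabled",   r"^no service udp-small-servers$"),
    ("finger enabled",              r"^no ip finger$"),
    ("bootp server enabled",        r"^no ip bootp server$"),
    ("HTTP server enabled",         r"^no ip http server$"),
    ("CDP enabled",                 r"^no cdp run$"),
    ("source routing enabled",      r"^no ip source-route$"),
]
# Per-interface items, checked under every interface stanza.
INTERFACE_CHECKS = [
    ("ICMP redirects enabled",      r"^no ip redirects$"),
    ("directed broadcasts enabled", r"^no ip directed-broadcast$"),
]


def parse_config(text):
    """Split a config into global lines and {interface name: [indented lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue                                   # comments / separators
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())   # belongs to the open stanza
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit(text):
    """Return the list of open hardening findings for this configuration."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for finding, pattern in GLOBAL_CHECKS:
        if not any(re.match(pattern, line) for line in global_lines):
            findings.append(finding)
    # SNMP: flag default community names and communities with no access list.
    for line in global_lines:
        m = re.match(r"^snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?$", line)
        if m:
            name, _mode, acl = m.groups()
            if name.lower() in ("public", "private"):
                findings.append(f"default SNMP community '{name}'")
            if acl is None:
                findings.append(f"SNMP community '{name}' has no access list")
    for name, lines in interfaces.items():
        for finding, pattern in INTERFACE_CHECKS:
            if not any(re.match(pattern, line) for line in lines):
                findings.append(f"{name}: {finding}")
    return findings


SAMPLE_CONFIG = """\
!
hostname border-rtr
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip bootp server
ip http server
no cdp run
snmp-server community public RO
snmp-server community n3tm0n RO 10
!
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 no ip redirects
 no ip directed-broadcast
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
!
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("OPEN:", finding)
```

Run against the constructed sample, the audit reports the HTTP server still on, source routing not disabled, the default `public` community (which also has no access list), and ICMP redirects still enabled on the inside interface; once the corresponding `no` lines are added the finding list is empty. The script does not connect to anything, so it can be run against configuration backups pulled over whatever channel the site already trusts.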




Router Logging Basic


Logging is an important feature of any firewall


router doesn’t have
much space onboard for logs (installi
ng IDS or some other type of sniffer to log) (set up or use
an existing Syslog server
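Forwarding router logs to a Syslog server is only useful if something reads them, so here is an added example (not from the chapter) of detection logic run over forwarded router log lines. The lines mimic the IOS access-list logging format (`%SEC-6-IPACCESSLOGP`) and are constructed for this example; the parser pulls out each logged flow, and the detector flags any outside source that is repeatedly denied access to the router's management ports (Telnet 23, SSH 22, SNMP 161), which ties the access lists from the hardening section to something an operator will actually see.

```python
"""Added example: parse router ACL log lines received by a Syslog server and
flag sources repeatedly denied on management ports.  Lines are constructed
in the IOS %SEC-6-IPACCESSLOGP format."""
import re
from collections import Counter

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
MGMT_PORTS = {22, 23, 161}   # SSH, Telnet, SNMP: the administration points


def parse_line(line):
    """Return the logged flow as a dict, or None for lines that are not ACL logs."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def denied_mgmt_sources(lines, threshold=3):
    """Return {source: denied packet count} for sources at or over the threshold."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "denied" and rec["dport"] in MGMT_PORTS:
            hits[rec["src"]] += rec["count"]
    return {src: n for src, n in hits.items() if n >= threshold}


SAMPLE_LOGS = [  # constructed: timestamp, host, sequence, then the IOS message
    "Oct 28 10:01:02 border-rtr 45: *Oct 28 10:01:01: %SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.23(40211) -> 192.168.1.1(23), 1 packet",
    "Oct 28 10:01:03 border-rtr 46: *Oct 28 10:01:02: %SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.23(40212) -> 192.168.1.1(23), 1 packet",
    "Oct 28 10:01:04 border-rtr 47: *Oct 28 10:01:03: %SEC-6-IPACCESSLOGP: list 110 denied udp 198.51.100.23(40213) -> 192.168.1.1(161), 2 packets",
    "Oct 28 10:01:05 border-rtr 48: *Oct 28 10:01:04: %SEC-6-IPACCESSLOGP: list 110 denied tcp 203.0.113.8(5123) -> 192.168.1.1(23), 1 packet",
    "Oct 28 10:01:06 border-rtr 49: *Oct 28 10:01:05: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 192.168.1.5(1035) -> 225.225.225.1(80), 1 packet",
    "Oct 28 10:01:07 border-rtr 50: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

if __name__ == "__main__":
    for src, n in denied_mgmt_sources(SAMPLE_LOGS).items():
        print(f"{src}: {n} packets denied on management ports")
```

Because the router summarises repeated hits into a packet count per log line, the detector sums the `count` field rather than counting lines; a source that appears once with "15 packets" is as interesting as one that appears fifteen times. Lines that are not ACL logs (the `%SYS-5-CONFIG_I` entry) are ignored rather than mis-parsed.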