Additional Router Controls: Layer 3


The following are additional controls for routers, or layer 3 devices.

1 Verify that inactive interfaces on the router are disabled.

Inactive interfaces that should be disabled include LAN and WAN interfaces such as Ethernet, Serial, and Asynchronous Transfer Mode (ATM). An interface that is left up but unused is a possible point of attack: anyone who can plug into it gets a link to the router.

How

Discuss policies and procedures with the network administrator to ensure that shutting down unused interfaces is common practice, and ask the administrator for examples. The interface command shutdown disables an interface. In the configuration file, each unused interface should carry a shutdown line; on the device, show ip interface brief lists every interface and reports a shut-down interface as administratively down.

2 Ensure that the router is configured to save all core dumps.

Having a core dump (an image of the router's memory at the time of the crash) can be extremely useful to Cisco tech support in diagnosing a crash and possibly detecting that an attack was the root cause.

How

Discuss how the router handles core dumps with the network administrator. The core dumps should be stored in a protected area that is accessible only to network administrators, because a dump is an image of the router's memory and can disclose passwords, keys, and traffic contents. You might review the configuration file for something similar to the following. Note that TFTP and RCP are also options here, but FTP is recommended. The FTP username and password appear in the configuration file, so access to the configuration must be restricted as well.

 exception protocol ftp
 exception dump <ip address of server>
 ip ftp username <username>
 ip ftp password <password>
Note

Core dumps cause the router to take longer to reboot after a crash because of the time it takes to write the core file to the server.

3 Verify that all routing updates are authenticated.

Authentication ensures that the receiving router incorporates into its tables only the route information that a trusted sending router actually intended to send. It prevents a legitimate router from accepting, and then acting on, unauthorized, malicious, or corrupted routing updates that would compromise the security or availability of the network. Such a compromise might reroute traffic, cause a denial of service, or simply expose certain traffic to an unauthorized person.

How

Authentication of routing advertisements is available for RIPv2, OSPF, IS-IS, EIGRP, and BGP. Most allow either plaintext authentication or a keyed MD5 digest. The MD5 method should be used: the shared key is never sent on the wire, only a digest of each update computed with it, so the key cannot be sniffed. Plaintext mode sends the key itself in every update, which is little better than no authentication. Later IOS releases add HMAC-SHA variants for several of these protocols; prefer those where the platform supports them.

RIPv2 authentication is configured on a per-interface basis. Look in the configuration file for something like this:

 router rip
  version 2
 key chain name_of_keychain
  key 1
   key-string string
 interface ethernet 0
  ip rip authentication key-chain name_of_keychain
  ip rip authentication mode md5

OSPF authentication is configured on a per-area basis with keys additionally specified per interface. Look in the configuration file for something like this:

 router ospf 1
  area 0 authentication message-digest
 interface ethernet 0
  ip ospf message-digest-key 1 md5 authentication_key

BGP authentication is configured on a per-neighbor basis. Look in the configuration file for something like this (MD5 is the only option, so it does not need to be specified):

 router bgp 1
  neighbor {ip_address | peer_group_name} password password

4 Verify that IP source routing and IP directed broadcasts are disabled.

IP source routing lets the sender of an IP packet dictate the route the packet takes to its destination, which can be used to bypass routing policy and filtering that assume normal paths. IP directed broadcasts let an outside host deliver a single packet to every host on a subnet, which makes the network an unwitting amplifier in a Smurf (ICMP) or Fraggle (UDP) attack.

How

Discuss the router configuration with the network administrator. On Cisco routers, IP source routing is disabled globally, and the configuration file should contain:

 no ip source-route 

You should see the following on each interface in the configuration file of a Cisco router to disable IP directed broadcasts. Note that directed broadcasts have been disabled by default since IOS 12.0, and default settings are not shown in the configuration, so on those releases the line will be absent; there, the item to look for is any interface that explicitly contains ip directed-broadcast.

 no ip directed-broadcast 
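As an added example that is not part of the book, the following Python script applies the checks from items 1 through 4 above to a saved Cisco IOS running-config: unused interfaces that are not shut down, core dump configuration, MD5 authentication for RIPv2, OSPF and BGP, and the source-route and directed-broadcast settings. The sample configuration, the interface names and the type-7 strings are all constructed for illustration. Two assumptions are built in and marked in the code: every interface with an IP address is treated as a RIP participant when router rip is present, and directed broadcasts are assumed to default to off (IOS 12.0 and later) unless the caller says otherwise.

```python
"""Audit a Cisco IOS running-config against the layer 3 checks above."""
import re
from typing import Dict, List, Tuple

# Constructed sample running-config; not taken from any real device.
SAMPLE_CONFIG = """\
no ip source-route
exception protocol ftp
exception dump 10.0.0.5
ip ftp username coredump
ip ftp password 7 0822455D0A16
key chain RIPKEYS
 key 1
  key-string 7 094F471A1A0A
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
 ip rip authentication key-chain RIPKEYS
 ip rip authentication mode md5
 ip ospf message-digest-key 1 md5 7 045802150C2E
interface Ethernet1
 ip address 198.51.100.1 255.255.255.0
 ip directed-broadcast
interface Serial0
 no ip address
 shutdown
interface Serial1
 no ip address
router rip
 version 2
 network 192.0.2.0
router ospf 1
 network 192.0.2.0 0.0.0.255 area 0
 network 198.51.100.0 0.0.0.255 area 1
 area 0 authentication message-digest
router bgp 65000
 neighbor 203.0.113.2 remote-as 65001
 neighbor 203.0.113.6 remote-as 65002
 neighbor 203.0.113.6 password 7 1511021F0725
"""


def parse_blocks(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into global commands and per-stanza child lines.

    A line with no leading whitespace is a global command and starts a stanza;
    indented lines below it belong to that stanza. '!' comment lines are skipped.
    """
    globals_: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        current = raw.strip()
        globals_.append(current)
        blocks.setdefault(current, [])
    return globals_, blocks


def audit(config: str, directed_broadcast_default_off: bool = True) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    globals_, blocks = parse_blocks(config)
    findings: List[str] = []
    interfaces = {h.split(" ", 1)[1]: body for h, body in blocks.items()
                  if h.startswith("interface ")}
    addressed = {n for n, b in interfaces.items()
                 if any(l.startswith("ip address ") for l in b)}

    # 1. Inactive interfaces: no address configured and not shut down.
    for name, body in interfaces.items():
        if name not in addressed and "shutdown" not in body:
            findings.append(f"{name}: unused interface is not shut down")

    # 2. Core dumps must be configured; FTP is the recommended transport.
    if not any(g.startswith("exception dump ") for g in globals_):
        findings.append("core dump server is not configured (exception dump)")
    elif "exception protocol ftp" not in globals_:
        findings.append("core dump transport is not FTP (exception protocol ftp)")

    # 3a. RIPv2 auth is per interface. Assumption: every addressed interface runs RIP.
    if any(h.startswith("router rip") for h in blocks):
        for name in sorted(addressed):
            if "ip rip authentication mode md5" not in interfaces[name]:
                findings.append(f"{name}: RIP updates are not MD5 authenticated")

    # 3b. OSPF: every area named in a network statement needs message-digest auth.
    for header, body in blocks.items():
        if header.startswith("router ospf"):
            areas = {m.group(1) for l in body
                     if l.startswith("network ") and (m := re.search(r"\barea (\S+)$", l))}
            secured = {l.split()[1] for l in body
                       if l.startswith("area ") and l.endswith("authentication message-digest")}
            for area in sorted(areas - secured):
                findings.append(f"{header}: area {area} lacks message-digest authentication")

    # 3c. BGP: each neighbor needs a password, directly or through its peer group.
    for header, body in blocks.items():
        if header.startswith("router bgp"):
            passworded = {l.split()[1] for l in body if re.match(r"neighbor \S+ password ", l)}
            groups = {l.split()[1]: l.split()[3] for l in body
                      if re.match(r"neighbor \S+ peer-group \S+$", l)}
            for l in body:
                m = re.match(r"neighbor (\S+) remote-as ", l)
                if m and m.group(1) not in passworded and groups.get(m.group(1)) not in passworded:
                    findings.append(f"{header}: neighbor {m.group(1)} has no MD5 password")

    # 4. Source routing is global; directed broadcasts are per interface.
    if "no ip source-route" not in globals_:
        findings.append("ip source-route is enabled (no 'no ip source-route')")
    for name in sorted(addressed):
        body = interfaces[name]
        if "ip directed-broadcast" in body:
            findings.append(f"{name}: ip directed-broadcast is enabled")
        elif not directed_broadcast_default_off and "no ip directed-broadcast" not in body:
            # Assumption for pre-12.0 IOS: the feature is on unless explicitly disabled.
            findings.append(f"{name}: no ip directed-broadcast is missing")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against a configuration saved with show running-config. The interface heuristic in item 1 flags any interface with neither an address nor a shutdown line, so Layer 2 switchports and sub-interfaces on a mixed device will need to be excluded by hand; the RIP check will likewise over-report on interfaces that are addressed but excluded from RIP with passive-interface or a narrower network statement.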


IT Auditing: Using Controls to Protect Information Assets
ISBN: B001TI1HNG
Year: 2004
Pages: 159