The router is the very first line of defense. It provides packet routing, and it can also be configured to block or filter the forwarding of packet types that are known to be vulnerable or used maliciously, such as ICMP or Simple Network Management Protocol (SNMP).
If you don't have control of the router, there is little you can do to protect your network beyond asking your ISP what defense mechanisms they have in place on their routers.
The configuration categories for the router are:
- Patches and updates
- Protocols
- Administrative access
- Services
- Auditing and logging
- Intrusion detection
Subscribe to alert services provided by the manufacturer of your networking hardware so that you can stay current with both security issues and service patches. As vulnerabilities are found, and they inevitably will be found, good vendors make patches available quickly and announce these updates through e-mail or on their Web sites. Always test the updates before implementing them in a production environment.
Denial of service attacks often take advantage of protocol-level vulnerabilities, for example, by flooding the network. To counter this type of attack, you should:
- Use ingress and egress filtering.
- Screen ICMP traffic from the internal network.
Spoofed packets are a hallmark of probes, attacks, and a knowledgeable attacker. Incoming packets with an internal source address can indicate an intrusion attempt or probe and should be denied entry to the perimeter network. Likewise, set up your router to route outgoing packets only if they have a valid internal IP address. Verifying outgoing packets does not protect you from a denial of service attack, but it does keep such attacks from originating from your network.
This type of filtering also enables the originator to be easily traced to its true source, since the attacker would have to use a valid, and legitimately reachable, source address. For more information, see "Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing" at http://www.rfc-editor.org/rfc/rfc2267.txt.
ICMP is a stateless protocol that sits on top of IP and allows host availability information to be verified from one host to another. Commonly used ICMP messages are shown in Table 15.1.
| Message | Description |
|---|---|
| Echo request | Determines whether an IP node (a host or a router) is available on the network |
| Echo reply | Replies to an ICMP echo request |
| Destination unreachable | Informs the host that a datagram cannot be delivered |
| Source quench | Informs the host to lower the rate at which it sends datagrams because of congestion |
| Redirect | Informs the host of a preferred route |
| Time exceeded | Indicates that the time to live (TTL) of an IP datagram has expired |
Blocking ICMP traffic at the outer perimeter router protects you from attacks such as cascading ping floods. Other ICMP vulnerabilities exist that justify blocking this protocol. While ICMP can be used for troubleshooting, it can also be used for network discovery and mapping. Therefore, control the use of ICMP. If you must enable it, use it in echo-reply mode only.
Trace routing uses TTL values of 1 and 0 to count routing hops between a client and a server. Trace routing is a means to collect network topology information. By blocking packets of this type, you prevent an attacker from learning details about your network from trace routes.
Directed broadcast traffic can be used to enumerate hosts on a network and as a vehicle for a denial of service attack. For example, by blocking specific source addresses, you prevent malicious echo requests from causing cascading ping floods. Source addresses that should be filtered are shown in Table 15.2.
| Source address | Description |
|---|---|
| 0.0.0.0/8 | Historical broadcast |
| 10.0.0.0/8 | RFC 1918 private network |
| 127.0.0.0/8 | Loopback |
| 169.254.0.0/16 | Link local networks |
| 172.16.0.0/12 | RFC 1918 private network |
| 192.0.2.0/24 | TEST-NET |
| 192.168.0.0/16 | RFC 1918 private network |
| 224.0.0.0/4 | Class D multicast |
| 240.0.0.0/5 | Class E reserved |
| 248.0.0.0/5 | Unallocated |
| 255.255.255.255/32 | Broadcast |
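The ingress/egress rules described above and the Table 15.2 source filter, combined into one perimeter decision function, as an added example (not code from the original chapter). The internal prefix 192.168.10.0/24 and the reason strings are assumptions made for this illustration.

```python
import ipaddress
from typing import Optional

# Assumption for this example: the address space behind the perimeter router.
INTERNAL = [ipaddress.ip_network("192.168.10.0/24")]

# Table 15.2: source prefixes that are never legitimate on the Internet side.
BOGON_SOURCES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/5", "248.0.0.0/5", "255.255.255.255/32")]

ICMP_ECHO_REPLY = 0  # ICMP type number for an echo reply


def _in(addr: ipaddress.IPv4Address, nets) -> bool:
    return any(addr in n for n in nets)


def filter_decision(direction: str, src: str, proto: str = "tcp",
                    icmp_type: Optional[int] = None) -> str:
    """Return 'permit' or 'deny <reason>' for a packet crossing the perimeter.

    direction: 'in' (Internet -> internal network) or 'out' (internal -> Internet).
    """
    s = ipaddress.ip_address(src)
    if direction == "in":
        # Ingress filtering: an external packet claiming an internal source is spoofed.
        if _in(s, INTERNAL):
            return "deny spoofed-internal-source"
        # Table 15.2 addresses cannot be valid sources arriving from the Internet.
        if _in(s, BOGON_SOURCES):
            return "deny bogon-source"
        # ICMP in echo-reply mode only: replies to our own pings, nothing else.
        if proto == "icmp" and icmp_type != ICMP_ECHO_REPLY:
            return "deny icmp-not-echo-reply"
        return "permit"
    if direction == "out":
        # Egress filtering: only packets with a valid internal source may leave,
        # so a spoofed flood cannot originate from this network.
        if not _in(s, INTERNAL):
            return "deny egress-invalid-source"
        return "permit"
    raise ValueError("direction must be 'in' or 'out'")
```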
For more information on broadcast suppression using Cisco routers, see "Configuring Broadcast Suppression" on the Cisco Web site at http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a00800eb778.html.
From where will the router be accessed for administration purposes? Decide over which interfaces and ports an administration connection is allowed and from which network or host the administration is to be performed. Restrict access to those specific locations. Do not leave an Internet-facing administration interface available without encryption and countermeasures to prevent session hijacking. In addition:
- Disable unused interfaces.
- Apply strong password policies.
- Use static routing.
- Audit Web-facing administration interfaces.
Only required interfaces should be enabled on the router. An unused interface is not monitored or controlled, and it is probably not updated. This might expose you to unknown attacks on those interfaces.
Brute force password-cracking software can launch more than just dictionary attacks. It also tries common substitutions, such as replacing a letter with a number, so a password like "p4ssw0rd" is quickly cracked. Always use combinations of uppercase and lowercase letters, numbers, and symbols when creating passwords.
Static routing prevents specially formed packets from changing routing tables on your router. An attacker might try to change routes to cause denial of service or to forward requests to a rogue server. By using static routes, an administrative interface must first be compromised to make routing changes.
Also determine whether internal access can be configured. When possible, shut down the external administration interface and use internal access methods with ACLs.
On a deployed router, every open port is associated with a listening service. To reduce the attack surface area, default services that are not required should be shut down. Examples include bootps and Finger, which are rarely required. You should also scan your router to detect which ports are open.
By default, a router logs all deny actions; this default behavior should not be changed. Also secure log files in a central location. Modern routers have an array of logging features that include the ability to set severities based on the data logged. An auditing schedule should be established to routinely inspect logs for signs of intrusion and probing.
With restrictions in place at the router to prevent TCP/IP attacks, the router should be able to identify when an attack is taking place and notify a system administrator of the attack.
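The log inspection described above (routinely checking deny logs for probing and spoofing), shown as an added example rather than code from the original chapter. The log line layout and the sample lines are constructed for this illustration and do not follow any vendor's real format; the internal prefix 192.168.10.0/24 is likewise an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample deny-log lines (invented layout, not a real vendor format).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z DENY list=101 proto=tcp src=203.0.113.5 dst=198.51.100.2 dport=22
2024-05-01T10:00:01Z DENY list=101 proto=tcp src=203.0.113.5 dst=198.51.100.2 dport=23
2024-05-01T10:00:02Z DENY list=101 proto=tcp src=203.0.113.5 dst=198.51.100.2 dport=80
2024-05-01T10:00:02Z DENY list=101 proto=tcp src=203.0.113.5 dst=198.51.100.2 dport=443
2024-05-01T10:00:03Z DENY list=101 proto=tcp src=203.0.113.5 dst=198.51.100.2 dport=3389
2024-05-01T10:00:04Z DENY list=101 proto=icmp src=192.168.10.9 dst=198.51.100.2 dport=0
2024-05-01T10:00:05Z DENY list=101 proto=tcp src=198.51.100.77 dst=198.51.100.2 dport=25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY list=(?P<acl>\d+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")

# Assumption: the network behind this router; an inbound deny carrying one of
# these source addresses means the ingress anti-spoofing rule fired.
INTERNAL = ipaddress.ip_network("192.168.10.0/24")


def inspect_deny_log(text: str, probe_threshold: int = 4) -> dict:
    """Summarise deny lines: count denies per source, flag sources that touched
    many distinct ports (probing), and list denies with a spoofed internal source."""
    denies = defaultdict(int)
    ports = defaultdict(set)
    spoofed = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines the parser does not understand
        src = m["src"]
        denies[src] += 1
        ports[src].add(int(m["dport"]))
        if ipaddress.ip_address(src) in INTERNAL:
            spoofed.append((m["ts"], src, m["proto"]))
    probing = sorted(s for s, p in ports.items() if len(p) >= probe_threshold)
    return {"denies": dict(denies), "probing_sources": probing, "spoofed": spoofed}
```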
Attackers learn what your security priorities are and attempt to work around them. Intrusion Detection Systems (IDSs) can show where the perpetrator is attempting attacks.