Additional Router Controls-Layer 3

The following are additional controls for routers, or layer 3 devices.

1 Verify that inactive interfaces on the router are disabled.

Interactive interfaces that should be disabled include LAN and WAN interfaces such as Ethernet, Serial, and Asynchronous Transfer Mode (ATM). Open interfaces are possible sources of attack should someone plug into the interface.


Discuss policies and procedures with the network administrator to ensure that this is a common practice. Ask the administrator for examples. The command shutdown is used to disable interfaces.

2 Ensure that the router is configured to save all core dumps.

Having a core dump (an image of the router's memory at the time of the crash) can be extremely useful to Cisco tech support in diagnosing a crash and possibly detecting that an attack was the root cause.


Discuss how the router handles core dumps with the network administrator. The core dumps should be located in a protected area that is accessible only to network administrator because disclosure of important information could occur. You might review the configuration file for something similar to the following. Note that TFTP and RCP also may be options here, but FTP is recommended.

 exception protocol ftp exception dump <ip address of server> ftp username <username> ftp password <password> 

Note that core dumps will cause the router to take longer to reboot after a crash because of the time it takes to dump the core file to the server.

3 Verify that all routing updates are authenticated.

Authentication ensures that the receiving router incorporates into its tables only the route information that the trusted sending router actually intended to send. It prevents a legitimate router from accepting and then employing unauthorized, malicious, or corrupted routing tables that would compromise the security or availability of the network. Such a compromise might lead to rerouting traffic, a denial of service, or simply giving access to certain packets of data to an unauthorized person.


The authentication of routing advertisements is available with RIPv2, OSPF, IS-IS, EIGRP, and BGP. Most allow the use of plaintext authentication or an MD5 hash. The MD5 method should be used to prevent passwords from being sniffed.

RIPv2 authentication is configured on a per-interface basis. Look in the configuration file for something like this:

 router rip version 2 key chain name_of_keychain key 1 key-string string interface ethernet 0 ip rip authentication key-chain name_of_keychain ip rip authentication mode md5 

OSPF authentication is configured on a per-area basis with keys additionally specified per interface. Look in the configuration file for something like this:

 router ospf 1 area 0 authentication message-digest interface ethernet 0 ip ospf message-digest-key 1 md5 authentication_key 

BGP authentication is configured on a per-neighbor basis. Look in the configuration file for something like this (MD5 is the only option, so it does not need to be specified):

 router bgp 1 neighbor ip_address or peer_group_name password password 

4 Verify that IP source routing and IP directed broadcasts are disabled.

IP source routing allows the sender of an IP packet to control the route of the packet to the destination, and IP directed broadcasts allow the network to be used as an unwitting tool in a Smurf or Fraggle attack.


Discuss the router configuration with the network administrator. An example configuration for disabling IP source routing might look something like this for Cisco routers:

 no ip source-route 

You should see the following on each interface in the configuration file for Cisco routers to disable IP directed broadcasts:

 no ip directed-broadcast 

IT Auditing. Using Controls to Protect Information Assets
It Auditing: Using Controls to Protect Information Assets [IT AUDITING -OS N/D]
Year: 2004
Pages: 159 © 2008-2017.
If you may any questions please contact us: