The Router as a Perimeter Device

Simply stated, the main function of a router is the forwarding of packets between two network segments. This is often forgotten when it is time to implement a security structure. Many additional duties are thrust onto the router and, ultimately, performance suffers. Routers, like computers, have processors, memory, and storage space.

How Can You Tell Whether Your Router Is Overburdened?

When your router is overtaxed, many strange things can happen. Packets can be dropped, things can pass that shouldn't, and so on. To check whether your router is overburdened, look at its processor utilization. With a Cisco router, you can do this with the following command:

 router#show processes cpu 

This command shows the amount of central processing unit (CPU, another word for processor) usage for each process. A command with even more interesting output is

 router#show proc cpu history 

Notice that this time, we abbreviated the word processes as proc. This command shows your CPU usage in a graphical format for the past 60 seconds, the past 60 minutes, and the past 72 hours. This can give you a much better idea of what kind of workload your router has had over given periods of time and when performing specific functions. If you are wondering how your router's memory is being dispersed, try the following command:

 router#sh proc memory 

This shows how much memory each of the running router processes is using. This can give you some major insight as to why you might need more RAM. With tools like these, the mysteries of an overworked router can be solved in record time!

You must consider these points when you're choosing a router for your specific network environment. Many of the features of expensive, high-power routers are also available in the lower-power, more reasonably priced models; however, it is important to check under the hood. Make sure the router you choose can handle enough bandwidth to fit your site's needs. Also be sure it has enough memory and storage available to handle the features you plan to employ. Information is available from your router vendor on the amount of memory required for the features you need.

Routers usually don't have much storage space available, and storage upgrades are at a premium. When considering your design environment, think about the ramifications of implementing an external storage area for log files, configuration file backups, and operating software. Most likely, the router in question will use Syslog for remote logging and Trivial File Transfer Protocol (TFTP) for the transfer of configuration files and operating software updates. Therefore, ensure that you have systems that provide these services to the router to supplement its internal storage space.

To begin routing in a simple environment, a router needs little configuration. If you have two separate subnets that need to communicate, drop the router in and configure each connecting interface with an address for its attached network, make sure that routing is enabled, and voilà, instant communication! The router knows the IP address of its two interfaces and can apply this knowledge to forward traffic sent from one network to the other. Complexities begin to arise as network segments the router isn't directly connected to are added to the configuration. Because the router doesn't have direct knowledge of these segments, it must be told about them with statements in its routing table. Such statements can be added manually by an administrator (static routes) or dynamically by updates from other routers. Static routes are easy to configure in a small environment. On Cisco routers, configuration can be accomplished with a command such as the following:

 router(config)#ip route network mask gateway 1

In this command, network is the network address range you want to tell the router about, and mask is its subnet mask. gateway is the address of the router or gateway device to which the router should forward information that is destined for the network. The single number 1 at the end of the statement is a route metric. It can be any number between 1 and 255, and it tells the router how much precedence should be placed on that path. If multiple choices are available, the router can make an informed decision about which route is preferred.

The ip route statement can also be used in circumstances in which hundreds of networks might be unknown to our router, such as for a connection to the Internet. To forward all unknown traffic on to the Internet, we use the form

 ip route 0.0.0.0 0.0.0.0 gateway IP

where gateway IP is the address of the next-hop router on the way to the Internet. Each of the following devices in the path to the Internet would also require a similar default route to the next upstream device. This statement is typically called the default route or the gateway of last resort.

Static routes offer a secure routing method for configuring a small environment, but what happens when we have 100 routers in our corporation? Do we want to program all the necessary static routes manually? Of course not! This is when dynamic routing protocols come into play.

Dynamic routing protocols allow properly configured routers to learn from each other about available routing paths. Protocols such as Routing Information Protocol version 1 (RIPv1), Open Shortest Path First (OSPF), RIPv2, Interior Gateway Routing Protocol (IGRP), Enhanced Interior Gateway Routing Protocol (EIGRP), and so on allow routers in a large environment to learn on the fly about one another. This process can simplify the configurations of what would be hundreds of static routing tables. This dynamic environment has its own set of problems, however. From a performance standpoint, all those updates travel around the network so that the routers can learn about each other. From a security standpoint, how do we know that the update being sent to our router is not from a nefarious outside party? Such updates could be sent in an effort to gain access to information on our network or sabotage its infrastructure.

Cisco Shorthand

Some of the examples throughout this chapter take advantage of Cisco router shorthand. On Cisco routers, you can use just enough letters of a command to differentiate it from all other commands. As long as the abbreviated form of the command cannot also represent another valid command, it will work. Otherwise, you will get this message:

 % Ambiguous command: 

This message is then followed by the characters you typed in, framed in quotes. An example of this is the popular command show configuration being entered as sh conf. show is the only command that begins with sh, and configuration is the only appropriate command-line option to follow show that begins with conf. If you tried to use the command sh con, you would receive the ambiguous command message because con could represent configuration or connection, which are both valid options.

The command copy run star actually represents copy running-config startup-config. You save a lot of time in typing, and if you are a bad typist, the less typing the better!

Secure Dynamic Routing

One important part of keeping an environment that uses routing safe is secure implementation of dynamically updated routing protocols, such as RIP (versions 1 and 2), OSPF, Border Gateway Protocol (BGP), IGRP, and EIGRP. Dynamic routing protocols are often a necessary part of a complex internetworking environment. However, if they are not configured correctly, dynamic routing protocols can be an easily exploited security hole. Some routing protocols use numbering schemes that require some knowledge of the specific details of your network's routing configuration to send acceptable routing updates. However, these numbers are transmitted in the clear (without encryption), so they can be sniffed. In addition, often the numbers chosen are guessed easily and might not provide adequate protection. Unless the configuration steps listed in the upcoming sections are taken, the use of these protocols might leave a gaping hole in what would be an otherwise secure network environment.

Route Authentication

Some dynamic routing protocols offer advanced protection known as route authentication. On a Cisco router, the process of route authentication involves the use of a secret keyword that is configured into all routers that are to share their dynamic routing information. This keyword, used in conjunction with the routing update information, generates a Message Digest 5 (MD5) hash signature to be sent with dynamic route updates. If this hash information is not included with the updates or is incorrect, contacted routers will ignore the provided route information. Protocols that support routing authentication include RIPv2, OSPF, EIGRP, and BGP. Two dynamic routing protocols of note that don't support this feature are RIPv1 and IGRP. Cisco routers have a feature that performs a simple check to help secure these two protocols. The validate-update-source command (which is configured by default) checks the source address of incoming RIP and IGRP updates to verify that they are from a neighboring device on the same network segment as the interface on which the update was received. This feature helps prevent false router updates from outside of the network.

You could install route authentication on an OSPF routed network by using the ip ospf message-digest-key 10 md5 secretkey command.

You must enter this statement at the interface that will be propagating the routing updates. (For a refresher on the Cisco IOS interface, check out Chapter 2, "Packet Filtering.") 10 is the key ID, which is a number that represents the unique secret key that you define, and secretkey is the actual key used to create the MD5 hashes that protect your routing updates. The importance of the key ID value comes into play if you want to change keys in an active environment. You can simply add the new secretkey value in a similar statement with a different key ID number. The router identifies that it has a new key and starts sending two routing updates: one with the new key value, and one with the original key value. This behavior is designed to allow a window of opportunity for you, the administrator, to change the keys on all other routers that share common routing information. After all routers have been updated, remove the original statement so that only the new key is used. After all, using two authentication updates simultaneously requires twice the bandwidth, and you are only as secure as the lesser of your two statements.

To activate the MD5 authentication, use the statement

 area 0 authentication message-digest 

This command is entered in global configuration mode. The 0 represents the OSPF area in which you will be using MD5 route authentication. It might differ depending on how OSPF is configured in your particular environment.

Implementation of router authentication varies slightly depending on the routing protocol, so be sure to check proper documentation before implementing in non-OSPF environments.
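To show what the MD5 hash signature described above actually protects, the following is an added Python model of OSPF cryptographic authentication (RFC 2328, Appendix D); it is not code from the book or from Cisco IOS. The sender appends a keyed MD5 digest to each update, and the receiver picks the key by the Key ID carried in the packet (the same number you give in ip ospf message-digest-key, which is why two keys can coexist during a key change), rejects an update made with the wrong key or altered in transit, and rejects a replayed cryptographic sequence number. The router ID, key values and update body are constructed sample data.

```python
import hashlib
import hmac
import struct

# 24-byte OSPFv2 header: version, type, length, router ID, area ID, checksum, AuType,
# then the 8-byte authentication field for AuType 2: zero, Key ID, Auth Data Len, seq.
OSPF_HDR = struct.Struct("!BBH4s4sHHHBBI")
AU_CRYPTO = 2      # AuType 2 = cryptographic (MD5) authentication
DIGEST_LEN = 16    # MD5 digest appended after the packet

def _keyed_md5(packet: bytes, key: bytes) -> bytes:
    # RFC 2328 D.4.3: the key, zero-padded to 16 octets, is appended to the
    # packet and MD5 is taken over the result; the digest replaces the key.
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 keys are at most 16 octets")
    return hashlib.md5(packet + key.ljust(DIGEST_LEN, b"\0")).digest()

def build_update(body: bytes, key_id: int, key: bytes, seq: int,
                 router_id: bytes = b"\x0a\x00\x00\x01") -> bytes:
    """Sender side: header || body || digest (the length field excludes the digest)."""
    length = OSPF_HDR.size + len(body)
    hdr = OSPF_HDR.pack(2, 4, length, router_id, b"\0\0\0\0", 0, AU_CRYPTO,
                        0, key_id, DIGEST_LEN, seq)
    packet = hdr + body
    return packet + _keyed_md5(packet, key)

def verify_update(wire: bytes, keychain: dict, last_seq: dict) -> tuple:
    """Receiver side. keychain maps Key ID -> key (two entries during a key
    rollover); last_seq tracks the highest sequence accepted per neighbor."""
    if len(wire) < OSPF_HDR.size + DIGEST_LEN:
        return False, "truncated"
    (_, _, length, rid, _, _, autype,
     _, key_id, auth_len, seq) = OSPF_HDR.unpack_from(wire)
    if autype != AU_CRYPTO or auth_len != DIGEST_LEN:
        return False, "not cryptographic authentication"
    if length < OSPF_HDR.size or length + DIGEST_LEN > len(wire):
        return False, "bad length"
    key = keychain.get(key_id)
    if key is None:
        return False, "unknown key id %d" % key_id
    packet, digest = wire[:length], wire[length:length + DIGEST_LEN]
    # Constant-time compare; any change to header or body changes the digest.
    if not hmac.compare_digest(_keyed_md5(packet, key), digest):
        return False, "bad digest"
    # Sequence numbers must not go backwards: blocks replay of a captured update.
    if seq < last_seq.get(rid, 0):
        return False, "replayed sequence number"
    last_seq[rid] = seq
    return True, "accepted"
```

Removing the old Key ID from the keychain at the end of a rollover is what finally makes updates signed with the old key fail the "unknown key id" check.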

Other Dynamic Routing Defenses

Another way you can be sure to prevent tampering with your route tables is by blocking updates from networks that are deemed unsafe. For example, if you had an extranet connection to a customer, you might not want the customer's routers to have the ability to change the configuration of your routers (accidentally or on purpose). You can configure the interface that connects your router to the customer's to deny routing updates. Cisco routers use the distribute-list command, which prevents the propagation or acceptance of specified route updates through configured interfaces. For example, if you want to prevent outside routers from being able to make changes in routing information for a mission-critical network segment in your internal infrastructure, you can use distribute-list 112 in e1.

Here, e1 is the interface that connects you to the outside routers, and 112 is an access control list (ACL) that defines the network address range of the mission-critical segment. The access list can define ranges of allowed or disallowed IP routing information (depending on whether it is a permit or deny ACL). In a similar manner, a distribute-list out command can be used to disallow the sending of route updates that include information on how to route traffic to your top-secret lab. The syntax is distribute-list 113 out e1.

Again, e1 is the interface you want to prevent routing information from leaving, and 113 is the access list number that defines the address range of the top-secret lab. Remember that the access list always defines the address range of the segment for which you don't want to accept or propagate routing information. It does not represent the addresses of segments that you want to prevent from receiving or sending the information.

To keep important details of your network infrastructure private, it may be necessary to prevent dynamic routing protocols from sharing internal route information with outsiders. To accomplish this on a Cisco router, use the passive-interface command to prevent the router from broadcasting route updates out of the specified interface. Its syntax is as follows:

 passive-interface e1

In this case, e1 is the interface through which you want to disallow the sending of updates, while still accepting updates inbound. This command behaves in a slightly different manner with the EIGRP and OSPF routing protocols, by disallowing both the sending and receiving of routing information via the specified interface.

    Inside Network Perimeter Security (2nd Edition)
    ISBN: 0672327376
    Year: 2005
    Pages: 230