Routers operate at layer three, the network layer of the OSI model, and the dominant layer three protocol in use today is Internet Protocol (IP). Routers are primarily used to move traffic between different networks, as well as between different sections of the same network. Routers learn the locations of various networks in two different ways: dynamically via routing protocols or manually via administratively defined static routes. Networks usually use a combination of the two to achieve reliable connectivity between all necessary networks.
Static routes are required when a network can’t or shouldn’t be directly learned via a routing protocol. For example, firewalls do not normally run routing protocols. This is done to ensure that a firewall is not tricked into routing traffic to an attacker. If a firewall is not informing the network of any networks behind it, those routes must be statically added to a network router and propagated. Additionally, static routes can be added for any interconnected network that cannot or does not communicate with the routing protocols on the network.
Controlling which devices can advertise routes for your network is an important security concern. Rogue or malicious routes in the network can disrupt normal communications or cause confidential information to be rerouted to unauthorized parties. While a number of routing protocols, such as Routing Information Protocol version 2 (RIPv2), Open Shortest Path First (OSPF), and the Border Gateway Protocol (BGP), can perform authentication, a common method is to disable or filter routing protocol updates on necessary router interfaces. For example, to disable routing updates on the first Ethernet interface of a Cisco router, issue the following command:
Router(config-router)#passive-interface ethernet 0
This is useful if no routing information should be received or sent out this interface. However, it does not help when some routing updates should be permitted and others blocked. In such situations, distribution lists can be used. In the following example, routing updates for the router will be permitted inbound from the 10.108.0.0 network and outbound to the 10.109.0.0 network.
access-list 1 permit 10.108.0.0
access-list 2 permit 10.109.0.0
distribute-list 1 in
distribute-list 2 out
Cisco access lists all end with an implicit deny, meaning that any route or packet that is not specifically permitted is dropped once the list is applied.
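To see how a standard access list decides what a distribute-list lets through, here is an added Python model (not code from the book) of Cisco standard-ACL matching: an entry is an address plus a wildcard mask, a route matches when its network address agrees with the entry on every bit the wildcard leaves at 0, and a list that matches nothing falls through to the implicit deny. It assumes, as the page's entries do, that an omitted wildcard means 0.0.0.0 (exact match), and the sample routing update is constructed.

```python
import ipaddress

# Constructed model of a Cisco standard access list as consumed by
# "distribute-list <n> in|out": entries are (action, address, wildcard).
def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def acl_matches(route_net, entry_addr, wildcard="0.0.0.0"):
    """True when route_net's network address matches entry_addr under wildcard.
    Wildcard bits set to 1 are ignored; bits set to 0 must match exactly."""
    net = int(ipaddress.ip_network(route_net, strict=False).network_address)
    must_match = 0xFFFFFFFF ^ _to_int(wildcard)
    return (net & must_match) == (_to_int(entry_addr) & must_match)

def acl_decision(acl, route_net):
    """Evaluate entries top-down; a Cisco ACL ends with an implicit deny."""
    for action, addr, wildcard in acl:
        if acl_matches(route_net, addr, wildcard):
            return action
    return "deny"

def filter_routes(acl, routes):
    """Keep only the routes the list permits, as the distribute-list would."""
    return [r for r in routes if acl_decision(acl, r) == "permit"]

# The page's list 1 as written: no wildcard, so only the exact prefix 10.108.0.0 matches.
ACL_1 = [("permit", "10.108.0.0", "0.0.0.0")]
# The same intent with a wildcard, so every 10.108.x.x subnet is permitted too.
ACL_1_SUBNETS = [("permit", "10.108.0.0", "0.0.255.255")]

# Constructed sample update: one expected route and two that must be dropped
# by the implicit deny (a subnet the exact entry does not cover, and a foreign prefix).
UPDATE = ["10.108.0.0/16", "10.108.5.0/24", "192.0.2.0/24"]

if __name__ == "__main__":
    print(filter_routes(ACL_1, UPDATE))          # ['10.108.0.0/16']
    print(filter_routes(ACL_1_SUBNETS, UPDATE))  # ['10.108.0.0/16', '10.108.5.0/24']
```

The difference between the two lists is the practical caveat: an entry without a wildcard permits one route only, so subnets of the intended network are silently dropped by the implicit deny.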
There are two main types of routing protocols: distance-vector and link-state protocols. The main difference between the two types is in the way they calculate the most efficient path to the ultimate destination network.
Distance-vector protocols are simpler and are better suited for smaller networks (fewer than 15 routers). Distance-vector protocols maintain tables of distances to other networks. Distance is measured in terms of hops, with each additional router that a packet must pass through being considered a hop. The most popular distance-vector protocol is RIP.
Link-state protocols were developed to address the specific needs of larger networks. Link-state protocols use link-speed metrics to determine the best route to another network, and they maintain maps of the entire network that enable them to determine alternative and parallel routing paths to remote networks. OSPF and BGP are examples of link-state protocols.
For networks to function properly, all network devices must maintain the same view or topology of the network, and the process by which routers come to agree upon the network topology is called convergence. Distance-vector and link-state protocols use different mechanisms to converge. The ability of a routing protocol to detect and respond to changes in network topologies is a significant advantage over the use of static routes.
However, when networks are unstable, such as just after a failure, or when network devices have different views of the topology, network routing loops can occur. A routing loop occurs when two routers decide that the best path to a given network is only available via each other, meaning that Router A believes the best route to a network is available via Router B, and at the same time Router B believes that the best route to the same network is only available via Router A. Thus, Router A will forward all packets received for that network to Router B, which will in turn forward them right back to Router A, preventing them from ever reaching their destination.
Each routing protocol has its own mechanisms for detecting and preventing routing loops. For example, a process called split horizon instructs the RIP routing protocol not to advertise a route back out the interface on which it learned that route. Another RIP mechanism is a hold-down timer, which instructs a router not to accept additional routing updates for a route for a specified period. This is useful while the network is unstable immediately following a topology change.
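The Router A / Router B loop described above, and the effect of split horizon on it, as an added Python simulation (not code from the book): two RIP-style routers exchange hop-count tables, A loses its directly attached network, and the function returns how many update rounds pass before both routers agree the network is unreachable. Router names, the network label N and the update ordering are assumptions of the model.

```python
INFINITY = 16  # RIP's "unreachable" hop count

class Router:
    """Constructed minimal RIP-style distance-vector router."""
    def __init__(self, name):
        self.name = name
        self.table = {}  # destination -> (hop count, next hop)

    def advertisement(self, to, split_horizon):
        # Split horizon: never advertise a route back to the neighbour it was learned from.
        return {d: m for d, (m, nh) in self.table.items()
                if not (split_horizon and nh == to.name)}

    def receive(self, frm, routes):
        # Distance-vector update: cost via frm is frm's metric plus one hop.
        # A worse metric is still accepted when it comes from the current next hop.
        for dest, metric in routes.items():
            cost = min(metric + 1, INFINITY)
            cur = self.table.get(dest)
            if cur is None or cost < cur[0] or cur[1] == frm.name:
                self.table[dest] = (cost, frm.name)

def rounds_to_converge(split_horizon, max_rounds=40):
    """Network N sits behind Router A and B learns it via A; then A's link to N fails.
    Returns the number of update rounds until both routers agree N is unreachable,
    or None if they never do within max_rounds."""
    a, b = Router("A"), Router("B")
    a.table["N"] = (1, "direct")
    for _ in range(2):                      # steady state before the failure
        b.receive(a, a.advertisement(b, split_horizon))
        a.receive(b, b.advertisement(a, split_horizon))
    a.table["N"] = (INFINITY, "direct")     # link failure: A marks N unreachable
    for rnd in range(1, max_rounds + 1):
        # B's periodic update reaches A before A's unreachable route reaches B:
        # the timing that lets a stale route bounce between the two routers.
        a.receive(b, b.advertisement(a, split_horizon))
        b.receive(a, a.advertisement(b, split_horizon))
        if a.table["N"][0] >= INFINITY and b.table["N"][0] >= INFINITY:
            return rnd
    return None

if __name__ == "__main__":
    print("without split horizon:", rounds_to_converge(False))  # 8, counting up to 16
    print("with split horizon:", rounds_to_converge(True))      # 1
```

Without split horizon, A installs B's stale route and the two routers raise the hop count by one per update until it reaches 16; with split horizon, B never advertises N back to A and the failure is agreed in a single round.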
Distance-vector protocols do not perform any proactive detection of their neighbors. They are configured to learn their directly connected neighbors and to periodically exchange their entire routing tables with each other. Topology changes are detected when a router fails to receive a routing table from a neighbor within the required interval. Link-state protocols establish formal connections to their neighbors, and topology changes are detected automatically when a connection is lost.
The choice of routing protocol does not have a large impact on network security. As mentioned, controlling where and with whom routing information is exchanged is usually a sufficient security practice on a given network. When choosing a routing protocol, be sure it meets the needs of your anticipated network size, because once deployed, switching protocols is a prohibitively expensive and time-consuming process. For high-security network devices, such as firewalls, it is more secure to define all routes statically, ensuring that the firewall is not vulnerable to a routing protocol attack. With these devices, the number of routes is likely to be very small, alleviating the need to run a dynamic routing protocol.
This chapter is from Network Security: The Complete Reference, by Mark Rhodes-Ousley, Roberta Bragg, and Keith Strassberg (McGraw-Hill/Osborne, 2003, ISBN: 0072226978).