Page 1: Security design considerations/issues for routers and switches

CS772 Fall 07

By Aditya Varakantam

Professor: Dr. Ravi Mukkamala

Page 2: Overview

• Definition
• Motivation for providing Router Security
• Router security considerations
• Router Security Policy
• Switch security considerations
• Conclusion
• References

Page 3: Definition

• A router is a device that extracts the destination address from each incoming packet and forwards the packet toward that destination along the optimal path. Directing data between portions of a network is the purpose of a router.

• Routers operate at the Network layer of the OSI model. They pass traffic between two different IP networks, which may be either LANs or WANs.

Page 4: Router (diagram slide)

Page 5: Switch

• Switches listen to the traffic on each Ethernet port and learn which port each attached device is connected to. The switch then sends traffic directly to the destination port.

• By using a switch we can ensure that most network traffic goes only where it needs to go rather than to every port, which increases network performance.

Page 6: Switch (diagram slide)

Page 7: Possible Attacks on Routers

• Session Hijacking
• Session Replay Attack
• Rerouting Attack
• Masquerade Attacks

Page 8: Motivation for providing Router security

• Compromise of a router can lead to various security problems on the network served by that router, or even on other networks with which that router communicates.

• Compromise of a router’s route tables can result in reduced performance, denial of network communication services, and exposure of sensitive data.

• Compromise of a router’s access control can result in exposure of network configuration details or denial of service, and can facilitate attacks against other network components.

Page 9: Motivation for providing Router security (continued)

• A poor router filtering configuration can reduce the overall security of an entire enclave, expose internal network components to scans and attacks, and make it easier for attackers to avoid detection.

• Proper use of router cryptographic security features can help protect sensitive data, ensure data integrity, and facilitate secure cooperation between independent enclaves.

Page 10: Router Security Considerations: Protecting the Router itself

1. Physical Security

The router should be placed in a locked room to which only a small number of authorized personnel have access.

2. Operating System

Based on the features the network needs, use the feature list to select the version of the operating system.

Page 11: Router Security Considerations: Protecting the Network with the Router (diagram slide)

• Interior Routers
• Backbone Routers

Page 12: Router Security Considerations: Protecting the Network with the Router (diagram slide)

• Border Routers

Page 13: Router Security Considerations

• Patches and Updates: Subscribe to the alert services provided by the manufacturer of the networking hardware so that we stay up to date with both security issues and service patches. This fixes known security vulnerabilities.

• Protocols:
1. Use ingress and egress filtering
2. Screen ICMP traffic from the internal network
3. Block Trace Route
4. Control Broadcast traffic
5. Block other unnecessary traffic

Page 14: Router Security Considerations: Protocols

• Ingress and Egress filtering: Filter both incoming and outgoing packets.

• Screen ICMP traffic from the internal network: Echo Request (ping), Echo Reply (ping reply), Destination Unreachable, Source Quench, Redirect, Time Exceeded.

Page 15: Router Security Considerations: Protocols (continued)

• Block Trace Route: Trace route reveals whether a packet is traveling along the optimal route; block the ICMP messages it depends on.

• Control Broadcast Traffic: Block specific source addresses.

• Block other unnecessary traffic: Incoming traffic from the Internet to the border router comes from unknown, untrusted users whose only legitimate need is access to our Web servers; block everything else.
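The filtering rules of pages 13 to 15 (ingress/egress filtering, ICMP screening, broadcast control, and blocking traffic the border router does not need) modelled as a stateless packet filter. This is an added example, not code from the slides or from any router vendor; the enclave range 192.168.10.0/24, the interface names and the single public web server are constructed assumptions.

```python
import ipaddress

# Constructed topology for this example (not from the slides)
INTERNAL = ipaddress.ip_network("192.168.10.0/24")   # enclave behind the border router
WEB_SERVER = ipaddress.ip_address("192.168.10.80")   # the only service offered to the Internet
# ICMP types named on the slide, as RFC 792 numbers: echo reply, destination
# unreachable, source quench, redirect, echo request, time exceeded
SCREENED_ICMP = {0, 3, 4, 5, 8, 11}


def filter_packet(iface, src, dst, proto, dport=None, icmp_type=None):
    """Return (verdict, reason) for one packet arriving on interface `iface`.

    iface is "outside" (Internet side) or "inside" (enclave side).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if iface == "outside":
        # Ingress filtering: an Internet packet must never carry an internal
        # source address; that is the signature of address spoofing.
        if src in INTERNAL:
            return "deny", "ingress: spoofed internal source address"
        # Broadcast control: drop directed broadcasts aimed at the enclave.
        if dst == INTERNAL.broadcast_address:
            return "deny", "broadcast: directed broadcast into enclave"
        # Screening inbound ICMP also removes the replies that ping and trace
        # route depend on, so the enclave cannot be mapped from outside.
        if proto == "icmp":
            return "deny", "icmp: inbound ICMP screened"
        # Block other unnecessary traffic: untrusted users only need the web server.
        if proto == "tcp" and dst == WEB_SERVER and dport == 80:
            return "permit", "public web service"
        return "deny", "inbound traffic not required"
    if iface == "inside":
        # Egress filtering: outbound packets must come from our own range, so a
        # compromised internal host cannot spoof someone else's address.
        if src not in INTERNAL:
            return "deny", "egress: source outside internal range"
        # Screen the listed ICMP types so they do not leak out of the enclave.
        if proto == "icmp" and icmp_type in SCREENED_ICMP:
            return "deny", "icmp: type %d screened from internal network" % icmp_type
        return "permit", "outbound traffic"
    return "deny", "unknown interface"


def verdicts(packets):
    """Evaluate a list of packet dicts (filter_packet keyword args) and return the verdicts."""
    return [filter_packet(**p)[0] for p in packets]
```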

Page 16: Router Security Considerations: Administrative Access

• Apply strong password policies: Always use combinations of uppercase and lowercase letters, numbers, and symbols when creating passwords.

• Use an administration access control system:
- Authentication
- Authorization
- Accounting

Page 17: Router Security Considerations: Administrative Access (continued)

• Disable Unused Interfaces: Only required interfaces should be enabled on the router. An unused interface might expose you to unknown attacks on that interface.

• Consider Static Routes: Static routes prevent specially formed packets from changing the routing tables on your router. An attacker might try to change routes by simulating a routing protocol message, to cause denial of service or to forward requests to a rogue server.

Page 18: Router Security Considerations

Auditing and Logging

Most routers have a logging facility and can log all deny actions, which would show intrusion attempts. Modern routers have an array of logging features, including the ability to set severities based on the data logged.

Intrusion Detection

With restrictions in place at the router to prevent TCP/IP attacks, the router should be able to identify when an attack is taking place and notify a system administrator of the attack.
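How logged deny actions turn into an intrusion notification, as an added example that is not part of the slides: the script parses constructed sample log lines in the %SEC-6-IPACCESSLOGP layout that Cisco IOS uses for logged ACL hits (the exact line layout and the "three distinct ports" threshold are assumptions), counts denies per source, and flags sources that probed several closed ports.

```python
import re
from collections import Counter, defaultdict

# Constructed sample router log (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
Oct 12 10:01:02 border-rtr 101: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(40213) -> 192.168.10.80(22), 1 packet
Oct 12 10:01:03 border-rtr 102: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(40214) -> 192.168.10.80(23), 1 packet
Oct 12 10:01:05 border-rtr 103: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(40215) -> 192.168.10.80(3389), 1 packet
Oct 12 10:01:09 border-rtr 104: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.4(51000) -> 192.168.10.80(80), 1 packet
Oct 12 10:01:11 border-rtr 105: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.9(33434) -> 192.168.10.5(33435), 1 packet
"""

# Fields of one logged ACL hit: list id, action, protocol, src(port) -> dst(port), packet count
LINE_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)


def parse_acl_log(text):
    """Return one dict per ACL log line; lines that are not ACL hits are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        for key in ("sport", "dport", "count"):
            e[key] = int(e[key])
        events.append(e)
    return events


def deny_counts(events):
    """Number of denied packets per source address."""
    return Counter({src: 0 for src in ()}) + Counter(
        {e["src"]: e["count"] for e in events if e["action"] == "denied"}
    ) if False else _deny_counts(events)


def _deny_counts(events):
    counts = Counter()
    for e in events:
        if e["action"] == "denied":
            counts[e["src"]] += e["count"]
    return counts


def flag_scanners(events, min_ports=3):
    """Sources denied against at least `min_ports` distinct destination ports (assumed threshold)."""
    ports = defaultdict(set)
    for e in events:
        if e["action"] == "denied":
            ports[e["src"]].add(e["dport"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)
```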

Page 19: Router Security Policy: Layered view of the security of a router (diagram slide)

Page 20: Router Security Policy

• The innermost layer is the physical security of the router.
• The next innermost layer is the stored software and configuration state of the router.
• The next outermost layer is the dynamic configuration (routing tables).
• The outer zone of the diagram represents the intra-network and inter-network traffic that the router manages.

Page 21: Switch Security Considerations

• Patches and Updates: Subscribe to the alert services provided by the manufacturer of the networking hardware so that we stay up to date with both security issues and service patches. This fixes known security vulnerabilities.

• VLANs: Virtual LANs allow you to separate network segments and apply access control based on security rules. Using ACLs between VLANs provides an intermediate level of protection by blocking internal intrusions from within the enterprise, while intrusions from outside are already blocked by the border network.

Page 22: Switch Security Considerations

• Use an administration access control system:
- Authentication
- Authorization
- Accounting

• Disable Unused Ports: Unused Ethernet ports on the switch should be disabled to prevent hackers from plugging into an unused port.

Page 23: Switch Security Considerations

• Encryption: Although it is not traditionally implemented at the switch, data encryption over the wire ensures that sniffed packets are useless in cases where a monitor is placed on the same switched segment or where the switch is compromised, allowing sniffing across segments.

Page 24: Conclusion

• Routers and switches are two important components of a network which need to be secured in order to keep the network secure.


Page 26: Questions???

Page 27: Thank You