Router and Switch Security – CompTIA Security+ SY0-501 – 2.1

Your routers and switches connect to everything in the network, so they are prime targets for exploitation. In this video, you’ll learn about router ACLs, network access control, flood guards, and much more.

A router is a device that forwards traffic between different IP subnets. We commonly have routers at home. It’s usually the device that’s connecting us to the internet. And at work, your organization probably has more than one router in the infrastructure.

Routers are considered to be layer 3 devices. That means they make their routing decision at the network layer of the OSI model. If there’s a router inside of a switch, you’ll sometimes hear these referred to as layer 3 switches.

We’ll talk more about layer 3 switches later in this video. So if you ever see anything referring to OSI layer 2, it’s usually referring to a switch. And anything referring to OSI layer 3 is referring to a router.

Not only do routers connect different IP subnets, they often connect them across different network types. We might have Ethernet on the inside of our network, and some type of wide area network on the outside of our network. Routers might also forward traffic from one IP subnet that is running on copper to a different IP subnet that might be running on fiber.

Routers are not designed to be security devices, but there are some capabilities built into the router that do provide some security functions. One of these is an access control list, or ACL. This is used to allow or deny traffic, very similar to a packet filter in an operating system. The same ACL mechanism is also used if the router is configured for network address translation, or for quality of service functions.

You commonly configure an access control list on the ingress or egress of an interface. You would filter on all the traffic coming in, or you would filter on all the traffic going out of an interface. Access control lists evaluate traffic on a number of different criteria, very similar to what a firewall might do.

An access control list would evaluate a source IP address, a destination IP address, a port number that might be in use, and then decide whether to allow or deny that traffic through the router. And like a firewall, there’s usually a list of rules for an access control list. And the router will follow that list until that traffic matches one of the rules in the access control list.

Here’s a typical network. We have a user on one side of the network connected to a switch. This switch is connected to a router, which then routes across a wide area network. On the other side of that wide area network, the router splits off into two different IP subnets with these two switches. And there are two users at this other location that are connected to that network.

An access control list may be added to any one of these interfaces on a router. As we mentioned earlier, the access control list is usually associated with the ingress or egress of an interface on a router. So as traffic is flowing through a router in a single direction, it might evaluate an access control list on one side of the router. And since usually a router has another interface on it, there will be outbound traffic on that interface. That’s another opportunity to evaluate an access control list.

As it’s going inbound to another router there’s another opportunity to provide access control list filtering. And as it’s leaving that router, there is an egress access control list that you could reference. So anywhere along this path, you can configure an access control list to allow or deny traffic based on certain criteria.

Here’s some syntax from a Cisco router for an access control list. On Cisco routers, access control lists can be numbered. This happens to be access control list number one. This access control list denies all traffic that’s coming from IP address 192.168.10.10, and it denies it on the egress of this interface on router two.

The second rule of this access control list number one will permit any other traffic going through this interface. So we can send traffic from 192.168.10.10, but as soon as it hits this particular outbound interface on router two, it will be dropped. If 192.168.10.10 is sending traffic to 192.168.30.10, then there is no access control list, and that traffic will flow normally.

One of the challenges we have with security in our routers is to prevent people from spoofing an IP address. This is when the bad guy, for example, might use someone else’s IP address to change the way traffic is flowing, or to circumvent existing security policies. You often see this being used if somebody is performing a man-in-the-middle or a denial of service attack against the network.

One thing that you can do on a router is to filter out any IP address ranges that should not be flowing through it. A good example is the RFC 1918 internal IP address space. Those addresses obviously should not be routed to the internet, so this is a great place to set up an access control list to prevent any of that traffic from traversing the router. A simple access control list will work to filter out that traffic.

You can also configure your router with RPF, which stands for reverse path forwarding. This checks that the route back to the source of inbound traffic leaves through the same interface the traffic came in on. If somebody is spoofing traffic, they may be able to send traffic inbound while your routing table would send the reply out a different interface. If that isn’t something that should be happening, then configuring reverse path forwarding can prevent anyone from taking advantage of that routing situation.
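To tie the ACL example and the anti-spoofing discussion together, here is an added Python model (not from the video or from Cisco) of how a router walks an ordered ACL with first-match semantics and an implicit deny at the end, applies it on the ingress or egress of an interface, filters RFC 1918 sources on the internet-facing interface, and performs a strict reverse-path check. The interface names, the 192.168.20.0/24 subnet behind the ACL interface and the routing table are assumptions, not the diagram from the video.

```python
import ipaddress

# Constructed model (not from the page): first-match ACL rules with an implicit
# deny, bound to an interface's ingress or egress, plus a strict RPF check.
ANY = "0.0.0.0/0"
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def acl_decision(rules, src, dst):
    """Walk the ACL in order; the first matching rule wins, else implicit deny."""
    for action, src_net, dst_net in rules:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(src_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(dst_net)):
            return action
    return "deny"

def route_lookup(routes, ip):  # longest-prefix match; routes = [(prefix, iface)]
    addr, best = ipaddress.ip_address(ip), None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def forward(router, in_iface, src, dst):
    """Return 'forward' or 'drop: <reason>' for one packet entering in_iface."""
    out_iface = route_lookup(router["routes"], dst)
    if out_iface is None:
        return "drop: no route"
    # Strict RPF: the route back to the source must use the arrival interface.
    if router["rpf"] and route_lookup(router["routes"], src) != in_iface:
        return "drop: rpf"
    ingress = router["interfaces"][in_iface].get("in")
    if ingress and acl_decision(ingress, src, dst) == "deny":
        return "drop: ingress acl"
    egress = router["interfaces"][out_iface].get("out")
    if egress and acl_decision(egress, src, dst) == "deny":
        return "drop: egress acl"
    return "forward"

# ACL 1 from the text: deny host 192.168.10.10, then permit everything else.
ACL_1 = [("deny", "192.168.10.10/32", ANY), ("permit", ANY, ANY)]
# Anti-spoofing ingress ACL: RFC 1918 sources must never arrive from the internet.
BOGON_IN = [("deny", net, ANY) for net in RFC1918] + [("permit", ANY, ANY)]
# Assumed router two: ACL 1 outbound on lan1 (assumed 192.168.20.0/24), none on lan2.
ROUTER2 = {"rpf": True,
           "routes": [("192.168.10.0/24", "wan0"), ("192.168.20.0/24", "lan1"),
                      ("192.168.30.0/24", "lan2"), (ANY, "internet0")],
           "interfaces": {"wan0": {}, "lan1": {"out": ACL_1}, "lan2": {},
                          "internet0": {"in": BOGON_IN}}}
```

Running `forward(ROUTER2, "internet0", "192.168.10.10", "192.168.20.10")` shows the spoofed internal source being dropped by the RPF check before any ACL is consulted, while the same source arriving on `wan0` is only stopped by ACL 1 on the `lan1` egress.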

We also have security challenges with our switches. Switches are devices that effectively are bridging traffic in hardware. They’re using an application-specific integrated circuit, or ASIC, to do this very quickly in the hardware of these devices. We often refer to a switch as an OSI layer 2 device, because it’s making its forwarding decision based on the MAC address, the layer 2 address, of the traffic going through the switch.

Usually these switches have more than one port. In some cases in large organizations, a switch can have many, many ports associated with it. These ports usually carry high-bandwidth file transfers and a large amount of our traffic, because everybody who’s connected on the inside of our network is generally connected to a switch.

As security professionals, we spend a lot of time and a lot of money securing the inside of the network from the outside of the network. So we’ll create a firewall that’s connected to the internet. We’ll put in place an intrusion prevention system. We’ll have URL filtering in place. And all of this sits between the inside and the outside.

But generally, the inside of the network is a lot less secure. We don’t have the time or the money to be able to put a firewall on every single interface on the inside of our network. So we often find that the inside of the network is much less secure than the communication going between the inside and the outside.

And usually, we’ve got a lot of different kinds of networks that are connecting to us. These might be over a wide area network. They might be VPNs. They might be third party access.

And of course, it could be wireless. Someone could sit in the parking lot and be able to connect to a wireless switch on the inside of our network. And some of the interfaces on our network are wide open and available. For example, in a conference room, we’d like to have the conference room interfaces available for the people using that conference room, but we also want to make sure that nobody is going to walk in and plug into our internal network without us knowing about it.

The way that many organizations handle the security of their switch interfaces is by using port-based network access control, or NAC. This is sometimes referred to as IEEE 802.1X. This requires that someone provide a username and a password and authenticate before they are able to gain access to any of the switch interfaces. We’re really talking about port-based network access control in that it is the physical interface, or the port on the switch where we’re providing the security.

Also, as a security administrator, you may want to audit and make sure that all of the interfaces that are not currently in use are administratively disabled. That would prevent someone from walking into one of your network closets and plugging their device into whatever port might be available on your switch. Another security feature you may want to consider for your switches is to have the switch identify when a duplicate MAC address appears. You’re able to stop this MAC address spoofing, because the switch recognizes that suddenly the same MAC address is coming from a different part of the network.

At OSI layer 2, the MAC address layer, there’s no counter in the frame, so there is no way to know when a packet has been seen before. And if you connect two switches to each other in a loop, the packets will rotate through those switches until you break that connection. This can bring down a network very, very quickly. As more people put traffic onto the network, more and more traffic will begin to loop around, and you could bring down a network in a matter of seconds.

To be able to prevent this type of loop on a switch network, there is a protocol called spanning-tree protocol that automatically identifies a loop and prevents a loop from occurring on a switch network. You may see this referred to as IEEE 802.1D. It’s been around since 1990. It was created by Radia Perlman. And if you have a switch network, you probably have spanning-tree protocol enabled on that switch network.

Here’s an example of spanning-tree protocol at work. We’ve got a number of switches or bridges on our network, and they’re connecting a number of networks together. One of the challenges we have with this picture is you can see there are many loops that could occur. For example, to get to bridge one, you can loop through bridge 21 and bridge six and get all the way back to bridge one.

Because spanning-tree has been enabled on these switches, you can see that a number of these interfaces have been set up to block. That way if traffic is coming through this connection, it will not be able to traverse this particular bridge link and loop back to bridge one. This is something that spanning-tree protocol does automatically, as long as you have it enabled on your switches.

Spanning-tree is also smart enough to watch what’s happening on the network and reconfigure itself if there are any changes. For example, we have Network Y, and we can see that if Network Y wants to communicate up to bridge one, it has to communicate through bridge five, through Network A, through bridge six, Network M, and then finally to bridge one. You can see that there is a blocked port heading the other direction to prevent loops on this network.

But what if we lose a connection? Let’s say a connection between Network A and bridge six suddenly becomes unavailable. If that occurs, spanning-tree will recognize the change, and it will change the bridge configuration in bridge five and bridge 11 to now allow traffic to traverse the other direction around the problem. So spanning-tree is not only making sure that the network is available, it’s preventing any loops and downtime from occurring on the network as well.
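The loop-blocking and reconvergence behaviour described above, as an added, deliberately simplified Python model that is not the video’s diagram or a real 802.1D implementation: the lowest bridge ID becomes the root, every link that is not on a least-cost path to the root is blocked, and removing a link recomputes the tree. The five-bridge topology and its link costs are constructed for the example and only loosely follow the bridge numbers mentioned in the text.

```python
import heapq

# Constructed, simplified spanning-tree model (not from the page): bridges are
# nodes, links carry a cost, the lowest bridge ID becomes the root, and any
# link not on a least-cost path to the root is blocked. Ties break on the
# lower upstream bridge ID. Assumes at most one link between any two bridges.
def spanning_tree(bridges, links):
    """Return (root, parent map, forwarding links, blocked links)."""
    root = min(bridges)
    adj = {b: [] for b in bridges}
    for a, b, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    parent, heap = {}, [(0, root, root)]  # heap entries: (cost, upstream, bridge)
    while heap:
        cost, via, node = heapq.heappop(heap)
        if node in parent:
            continue                       # a cheaper (or tied, lower-ID) path won
        parent[node] = via
        for nxt, c in adj[node]:
            if nxt not in parent:
                heapq.heappush(heap, (cost + c, node, nxt))
    tree = {frozenset((n, p)) for n, p in parent.items() if n != p}
    forwarding = [l for l in links if frozenset(l[:2]) in tree]
    blocked = [l for l in links if frozenset(l[:2]) not in tree]
    return root, parent, forwarding, blocked

def path_to_root(parent, bridge):
    """Follow upstream bridges from `bridge` to the root (bridge must be reachable)."""
    path = [bridge]
    while parent[path[-1]] != path[-1]:
        path.append(parent[path[-1]])
    return path

def fail_link(bridges, links, a, b):
    """Remove the link between a and b and let spanning-tree reconverge."""
    remaining = [l for l in links if frozenset(l[:2]) != frozenset((a, b))]
    return spanning_tree(bridges, remaining)

# Constructed topology: two physical loops, both leading back to bridge 1.
BRIDGES = [1, 5, 6, 11, 21]
LINKS = [(1, 6, 1), (6, 5, 1), (5, 11, 1), (11, 1, 1), (1, 21, 1), (21, 6, 1)]
```

With this topology bridge 5 reaches the root through bridge 6, the 5–11 and 21–6 links are blocked, and after `fail_link(BRIDGES, LINKS, 6, 5)` the 5–11 link is unblocked so bridge 5 now reaches the root through bridge 11.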

There are a number of ways that you could cause a denial of service situation on a switch network. These switches maintain a large list of MAC addresses, each associated with the interface on which the switch sees it communicating. And if you are able to flood the network with MAC addresses, you would very quickly overflow that index of addresses, causing a denial of service.

One thing you can configure on your switches is a flood guard. This sets a maximum number of MAC addresses that can be seen on any particular interface. You get to define how many MAC addresses are appropriate for a particular interface, to prevent anyone from overloading the number of MAC addresses on this network.

The switch then monitors the MAC addresses coming through the interface as it normally does, and it is able to identify if the count ever exceeds the number you’ve configured for the flood guard. If it does, the flood guard activates and begins filtering or disabling interfaces to prevent a denial of service.
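The duplicate-MAC detection mentioned earlier and the flood guard described here both act on the switch’s MAC learning table, so here is one added Python simulation (not from the video and not any vendor’s port-security code) that does both: a per-port limit on learned source MACs that err-disables the port when exceeded, and an alert when a MAC already learned on one port suddenly appears on another. The `Switch` class, the `flood` helper and the `02:00:00:00:xx:xx` addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed example (not from the page): a switch MAC learning table with a
# per-port address limit (flood guard) and detection of a MAC address that
# suddenly shows up on a different port (possible MAC address spoofing).
class Switch:
    def __init__(self, max_macs_per_port):
        self.max_macs = max_macs_per_port
        self.mac_table = {}                # mac -> port it was learned on
        self.port_macs = defaultdict(set)  # port -> MACs learned there
        self.disabled = set()              # ports shut down by the flood guard
        self.alerts = []                   # what an administrator would be shown

    def learn(self, port, src_mac):
        """Process one frame's source MAC; return 'ok', 'move', 'guard' or 'disabled'."""
        if port in self.disabled:
            return "disabled"              # err-disabled port: frame is dropped
        known = self.mac_table.get(src_mac)
        if known is not None and known != port:
            # Same MAC now sourced from another port: alert, keep the original owner.
            self.alerts.append(f"mac-move {src_mac} {known}->{port}")
            return "move"
        if known is None:
            if len(self.port_macs[port]) >= self.max_macs:
                # Flood guard trips: more source MACs than this port is allowed.
                self.disabled.add(port)
                self.alerts.append(f"flood-guard {port} limit {self.max_macs}")
                return "guard"
            self.mac_table[src_mac] = port
            self.port_macs[port].add(src_mac)
        return "ok"

def flood(switch, port, count):
    """Send `count` frames with distinct constructed source MACs into one port."""
    results = defaultdict(int)
    for i in range(count):
        mac = "02:00:00:00:%02x:%02x" % ((i >> 8) & 0xff, i & 0xff)
        results[switch.learn(port, mac)] += 1
    return dict(results)   # e.g. how many frames were accepted, tripped or dropped
```

With `flood(Switch(3), "Gi1", 100)` only three addresses are ever learned on the port; the fourth trips the guard and the remaining frames are dropped, which is what keeps the MAC table from being exhausted.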

It’s very common to see switches and routers as separate physical devices that are plugged into the network. But we can also find switches that have routing capability enabled in them as well. And we commonly refer to these as layer 3 switches. This is taking all of the switch functionality that we have, and it enables routing functionality within the same device.

The switching is still operating at layer 2, making its forwarding decisions based on MAC address, but you can also configure interfaces to act as routed interfaces that would forward traffic based on the layer 3 IP configuration. This isn’t changing the way that switching works, and it’s not changing the way that routing operates. It’s simply combining both a switch and a router within the same physical device.