Chapter 8. Router Security

“Faith is being sure of what you hope for and certain of what you cannot see”

—Hebrews 11:1

By the end of this chapter, you should know and be able to describe the following:

• The major components of Zone Based Firewall (ZFW) for routers

• The value of using the IOS-based intrusion detection functionality and the Cisco Firewall Feature Set (FFS)

• The breadth and scope of techniques used to secure your router to include a secure router template

• Securing your “routing” protocol: OSPF

Answering these key questions will enable you to understand the overall characteristics and importance of network security. By the time you finish this book, you will have a solid appreciation for network security, its issues, how it works, and why it is important.

Everyone is getting online as rapidly as possible in whatever way they can; if you are reading this book, you are probably the person your family calls to “fix” the Internet. Perhaps the best T-shirt I never bought was the one that read, “No, I will not fix your computer” from ThinkGeek.com, as shown in Figure 8-1. Think Geek is a website worth visiting; you can find funny and useful gear there.

Figure 8-1 No, I Will Not Fix Your Computer


The point is that most people do not understand that the Internet operates because of routers. They think that individuals have more control and security than they do because their PC connects to the Internet. Of course, this is not the case; there are no guarantees on the Internet, which is a wild and fast place. Fast is relative, of course: the absence of guarantees also means the Internet is slow at times and there is nothing anyone can do about it. Companies, and especially ISPs, try to do a good job, but unexpected events do occur.

As people and organizations seek to leverage the unparalleled possibilities of Internet communications, they need secure solutions that

• Protect internal networks from intrusion

• Provide secure Internet and remote access connections

• Enable network commerce through the World Wide Web

Today, the Internet is the focus of powerful, new technologies that dramatically enhance communications with remote customers, suppliers, partners, and employees. Users must be confident that network transactions—especially over public networks such as the Internet—are secure and sensitive information is protected.

Cisco IOS Software runs on more than 80 percent of Internet backbone routers and an equally high percentage of corporate network routers that connect to the Internet. Cisco IOS Software provides complete network services and enables networked applications. Cisco IOS security services offer many options for building custom security solutions for the Internet, intranet, and remote access networks to provide end-to-end network security.

A critical part of an overall security solution is a network firewall, which monitors traffic crossing network perimeters and imposes restrictions according to security policy. As discussed in Chapter 7, “Firewalls,” firewalls are not routers; it is routers that connect your corporate network to the Internet. Routers that connect to the Internet are known as edge routers; they form the outermost perimeter of your network. In other words, they are the first layer of security.

Perimeter routers are found at any network boundary, such as between private networks, intranets, extranets, or the Internet. Firewalls most commonly separate internal (private) and external (public) networks.

The Cisco IOS Firewall Feature Set, available as a Cisco IOS Software option, provides an advanced security solution that protects networks from security violations. This integrated router security solution provides one element in a system of security solutions available from Cisco.

This chapter discusses the use of routers, the purpose of a firewall IOS, and what it is. Where within your network will you be applying this type of protection? This chapter explains the use and placement of this type of security technology and its advantages and disadvantages.

A firewall is a security device that sits on the edge of your Internet connection and functions as an Internet border security officer by constantly looking at all the traffic entering and exiting your connection, looking and waiting for traffic to block or reject in response to an established rule. The firewall plays the role of law and protection in a lawless global web, ever vigilant in its mission to protect the internal network resources that connect to it.

In contrast, the edge router provides connectivity between you and your service provider, and through the provider to the Internet. Most people view a router as a necessary device that provides them with connectivity. Having a router, however, means that it handles (routes) every single packet that wants to enter or leave the network. It is the role of the firewall to determine what is permitted or denied. However, if you have a router as the first layer into your network, shouldn’t you use that router as part of your layered security strategy?

Of course you should. You have paid for the router and spent time configuring it; however, blindly trusting that it is inherently secure is a mistake. Even if your company spent tens of thousands of dollars on other security solutions, the router handling everything might not have had its configuration hardened to protect it and your network. The router is essentially in the default out-of-the-box (OOB) condition. Consider that if an attacker gained control of your router, he could rather easily shut down your entire network’s capability to connect to the Internet. This means no email in or out, no e-commerce on your website, perhaps losing connectivity to critical business partners, and so on.

The perimeter router literally sees every single IP packet. What might the attacker learn? What might the attacker then be able to do? The router is a smart network device that holds a key position and handles crucial information. Network security is often thought of in terms of servers, firewalls, VPNs, and how to protect IT resources. This chapter covers how to protect any router and then expand its capabilities to further protect your network with an additional layer of security through the use of the Cisco Firewall Feature Set IOS. This specialized IOS provides greatly enhanced security features and functionality for the perimeter router. By securing the router and thus increasing your network’s security, you can accomplish the following:

• Prevent routers from unintentionally leaking information about your network to attackers.

• Prevent the disabling of your routers (and thus your network) by attackers or accidental misconfiguration.

• Prevent the use of your routers as platforms to launch an internal attack or to be used to attack others.

• Reduce the load on the firewall and internal network by dropping bad packets, and thus stopping the associated attacks, at the edge of your network.

• Quickly activate an additional layer of security to further protect your network.

These accomplishments revolve around the security and functionality of the router and your network. Not everyone wants to spend the money, time, effort, or expertise needed to correctly configure the firewall functionality on a router. The reality is that many companies make the firewall the stateful packet inspection device rather than the perimeter router. However, everyone should use a router as a layer in the defense of their network. The discussion and debate should center not on whether but on how the router should be configured. Following are three ways to configure your perimeter router:

Edge router with basic configuration: Get the router, put a basic configuration in it, connect it to your LAN and the Internet, and you are finished. There is nothing fancy here, and absolutely no security or value to your network! Please don’t do this; you’re just begging for problems!

Edge router as a choke point: As discussed in Chapter 5, “Overview of Security Technologies,” all routers come with the capability to filter traffic based on access control lists (ACL). Access lists can be developed to filter traffic based on the packet type and destination at the perimeter router, turning it into a prescreening layer of security. For example, if you host no web servers at your site, why would you ever allow HTTP requests? You wouldn’t! Remember that when using ACLs, if the traffic is not explicitly permitted, it is implicitly denied! This is the minimum that should be accomplished! We recommend double-checking your access-list logic to ensure you don’t inadvertently block legitimate HTTP traffic.

Edge router as a packet inspector: To have the router perform more advanced filtering, this type of router is deployed with the firewall feature set on it. This router is the best of the three, and it is also the most difficult to achieve. Anything in life that is worth having is never free—you must work for it!
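The choke-point option above rests on two ACL properties that are easy to get wrong: entries are evaluated top to bottom and the first match decides, and anything that matches no entry hits the implicit deny. The following Python script is an added example, not code from the book or from Cisco: it models a simplified subset of IOS extended-ACL syntax (`permit`/`deny`, `tcp`/`udp`/`ip`, `any`/`host`/wildcard-mask addresses, `eq <port>`, `established`, `log`), evaluates constructed packets against a constructed inbound edge ACL, and reports where the list's verdict differs from what the administrator intended. The ACL text, the addresses (documentation ranges) and the packets are all constructed for the example; named ports, port ranges and reflexive ACLs are not modelled.

```python
"""Model Cisco IOS extended-ACL evaluation (first match wins, implicit deny
at the end) so an edge ACL can be sanity-checked before it is applied.
Added example with a constructed ACL; it is not the book's or Cisco's code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str            # source IPv4 address
    dst: str            # destination IPv4 address
    dport: int = 0      # destination port (0 for protocols without ports)
    ack: bool = False   # TCP ACK/RST set, i.e. what IOS "established" matches


def _match_addr(spec, addr):
    """IOS address syntax: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    Wildcard bits set to 1 are 'don't care' bits."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    net, wildcard = spec.split()
    wc = int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(net)) | wc) == (int(ipaddress.IPv4Address(addr)) | wc)


def _take_addr(tokens):
    """Consume one address specification (1 or 2 tokens) from the front."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl(text):
    """Parse ACL lines into (action, proto, src, dst, dport, established)."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        dport, established = None, False
        while rest:
            tok = rest.pop(0)
            if tok == "eq":
                dport = int(rest.pop(0))
            elif tok == "established":
                established = True
            # "log" changes only logging, never the permit/deny decision
        rules.append((action, proto, src, dst, dport, established))
    return rules


def evaluate(rules, pkt):
    """Return (verdict, index of the matching rule). IOS walks the list top
    to bottom; the first matching entry decides, and a packet matching no
    entry hits the implicit 'deny ip any any' (index None)."""
    for i, (action, proto, src, dst, dport, established) in enumerate(rules):
        if proto not in ("ip", pkt.proto):
            continue
        if not (_match_addr(src, pkt.src) and _match_addr(dst, pkt.dst)):
            continue
        if dport is not None and pkt.dport != dport:
            continue
        if established and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return action, i
    return "deny", None


def audit(rules, cases):
    """cases: list of (packet, intended verdict). Returns the mismatches as
    (packet, intended, actual) so accidental blocks or holes stand out."""
    mismatches = []
    for pkt, intended in cases:
        actual, _ = evaluate(rules, pkt)
        if actual != intended:
            mismatches.append((pkt, intended, actual))
    return mismatches


# Constructed inbound edge ACL for a site that hosts mail and DNS but no web
# servers; 203.0.113.0/24 is "our" block, 198.51.100.0/24 a partner network.
EDGE_IN_ACL = """
remark Constructed edge ACL, applied inbound on the Internet-facing interface
permit tcp any any established
permit tcp any host 203.0.113.10 eq 25
permit udp 198.51.100.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 53
deny tcp any any eq 80 log
deny ip any any log
"""

# Constructed traffic with the verdict the administrator intends for each.
INTENDED = [
    (Packet("tcp", "198.51.100.7", "203.0.113.10", 80), "deny"),          # inbound HTTP request
    (Packet("tcp", "198.51.100.7", "203.0.113.50", 51000, True), "permit"),  # reply to a user's browsing
    (Packet("tcp", "198.51.100.7", "203.0.113.10", 25), "permit"),        # inbound SMTP
    (Packet("udp", "198.51.100.7", "203.0.113.20", 53), "permit"),        # DNS query from partner
    (Packet("udp", "192.0.2.53", "203.0.113.50", 40000), "permit"),       # DNS reply to our resolver
]

if __name__ == "__main__":
    rules = parse_acl(EDGE_IN_ACL)
    for pkt, intended, actual in audit(rules, INTENDED):
        print(f"MISMATCH: intended {intended}, ACL says {actual}: {pkt}")
```

Run as written, the audit flags one case: the DNS reply to the internal resolver arrives on an ephemeral UDP port, matches no permit entry, and is dropped by the final `deny ip any any`, which is exactly the kind of legitimate traffic a static access list silently breaks. That is the gap the stateful inspection of the firewall feature set (the third option above) closes, and why the book recommends double-checking access-list logic before trusting the choke point.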

This chapter does not cover what a router secures or protects with a basic configuration because the answers to those questions change with every network. Instead, this chapter focuses on how a router functions as a layer of security in your network through the use of static access lists and as a screening device through more advanced access lists.
