Router and Switch Security – CompTIA Security+ SY0-501 – 2.1

A router is a device that forwards traffic between different IP subnets. We commonly have routers at home; it's usually the device that's connecting us to the internet. And at work, your organization probably has more than one router in the infrastructure. Routers are considered to be layer 3 devices. That means they make their routing decision at the network layer of the OSI model. If there's a router inside of a switch, you'll sometimes hear these referred to as layer 3 switches. We'll talk more about layer 3 switches later in this video. So if you ever see anything referring to OSI layer 2, it's usually referring to a switch, and anything referring to OSI layer 3 is referring to a router.

Not only do routers connect different IP subnets, they often connect them across different network types. We might have Ethernet on the inside of our network and some type of wide area network on the outside of our network. Routers might also forward traffic from one IP subnet that is running on copper to a different IP subnet that might be running on fiber.

Routers are not designed to be security devices, but there are some capabilities built into the router that do provide some security functions. One of these is an access control list, or ACL, which you may also hear pronounced as a single word, "ackle." This is used to allow or deny traffic, very similar to a packet filter in an operating system. This is also used if the router's configured for network address translation, or for quality of service functions. You commonly configure an access control list on the ingress or egress of an interface: you would filter on all the traffic coming in, or you would filter on all the traffic going out of an interface.

Access control lists evaluate traffic on a number of different criteria, very similar to what a firewall might do. An access control list would evaluate a source IP address, a destination IP address, a port number that might be in use, and then decide whether to allow or deny that traffic through the router. And like a firewall, there's usually a list of rules for an access control list, and the router will follow that list until the traffic matches one of the rules in the access control list.

Here's a typical network. We have a user on one side of the network connected to a switch. This switch is connected to a router, which then routes across a wide area network. On the other side of that wide area network, the router splits off into two different IP subnets with these two switches, and there are two users at this other location that are connected to that network. An access control list may be added to any one of these interfaces on a router. As we mentioned earlier, the access control list is usually associated with the ingress or egress of an interface on a router. So as traffic is flowing through a router in a single direction, it might evaluate an access control list on one side of the router. And since a router usually has another interface on it, there will be outbound traffic on that interface; that's another opportunity to evaluate an access control list. As it's going inbound to another router, there's another opportunity to provide access control list filtering, and as it's leaving that router, there is an egress access control list that you could reference. So anywhere along this path, you can configure an access control list to allow or deny traffic based on certain criteria.

Here's some syntax from a Cisco router for an access control list. On Cisco routers, access control lists can be numbered. This happens to be access control list number one. This access control list denies all traffic that's coming from IP address, and it denies it on the egress of this interface on router two. The second rule of this access control list number one will permit any other traffic going through this interface. So we can send traffic from, but as soon as it hits this particular outbound interface on router two, it will be dropped. If is sending traffic to, then there is no access control list, and that traffic will flow normally.

One of the challenges we have with security in our routers is to prevent people from spoofing an IP address. This is when the bad guy, for example, might use someone else's IP address to change the way traffic is flowing, or to circumvent existing security policies. You often see this being used if somebody is performing a man-in-the-middle or a denial of service attack against the network. One thing that you can do on a router is to filter out any IP address ranges that should not be flowing through the firewall. A good example is the RFC 1918 internal IP addresses. Those obviously should not be routed to the internet. It's a great place to set up an access control list to prevent any of that traffic from traversing the router. A simple access control list will work to filter out that traffic.

You can also configure your router with RPF. It stands for reverse path forwarding. That means that any inbound traffic will be responded to across the same interface going out. If somebody is spoofing traffic, they may be able to send traffic inbound, and your routing table may be sending that outbound to a different interface. If that isn't something that should be happening, then configuring reverse path forwarding can prevent anyone from taking advantage of that routing situation.

We also have security challenges with our switches. Switches are devices that effectively are bridging traffic in hardware. They're using an application-specific integrated circuit, or an ASIC, to do this very quickly in the hardware of these devices. We often refer to a switch as an OSI layer 2 device, because it's making its forwarding decision based on the MAC address, or the layer 2 address, of the traffic going through the switch. Usually these switches have more than one port. In some cases in large organizations, a switch can have many, many ports associated with it. And these are usually performing high bandwidth file transfers and carrying a large amount of our traffic, because everybody who's connected to the inside of our network is generally connected to a switch.

As security professionals, we spend a lot of time and a lot of money securing the inside of the network from the outside of the network. So we'll create a firewall that's connected to the internet. We'll put in place an intrusion prevention system. We'll have URL filtering in place. And all of this sits between the inside and the outside. But generally, the inside of the network is a lot less secure. We don't have the time or the money to be able to put a firewall on every single interface on the inside of our network. So we often find that the inside of the network is much less secure than the communication going between the inside and the outside. And usually, we've got a lot of different kinds of networks that are connecting to us. These might be over a wide area network. They might be VPNs. They might be third-party access. And of course, it could be wireless. Someone could sit in the parking lot and be able to connect to a wireless switch on the inside of our network. And some of the interfaces on our network are wide open and available. For example, in a conference room, we'd like to have the conference room interfaces available for the people using that conference room, but we also want to make sure that nobody is going to walk in and plug into our internal network without us knowing about it.

The way that many organizations handle the security of their switch interfaces is by using port-based network access control, or NAC. This is sometimes referred to as IEEE 802.1X. This requires that someone provide a username and a password and authenticate before they are able to gain access to any of the switch interfaces. We're really talking about port-based network access control in that it is the physical interface, or the port on the switch, where we're providing the security. Also, as a security administrator, you may want to audit and make sure that all of the interfaces that are not currently in use are administratively disabled. That would prevent someone from walking into one of your network closets and plugging their device into whatever port might be available on your switch.

Another security feature you may want to consider for your switches is to have the switch identify when a duplicate MAC address appears. You're able to stop this MAC address spoofing because the switch recognizes that suddenly the same MAC address is coming from a different part of the network.

At OSI layer 2, this MAC address layer, there's no way to have the packets count hops or know when a packet has been seen before. And if you connect two switches to each other, the packets will rotate through those switches until you break that connection. This can bring down a network very, very quickly. As more people put traffic onto the network, more and more traffic will begin to loop around, and you could bring down a network in a matter of seconds. To be able to prevent this type of loop on a switched network, there is a protocol called spanning-tree protocol that automatically identifies a loop and prevents a loop from occurring on a switched network. You may see this referred to as IEEE 802.1D. It's been around since 1990. It was created by Radia Perlman. And if you have a switch network, you probably have spanning-tree protocol enabled on that switch network.

Here's an example of spanning-tree protocol at work. We've got a number of switches or bridges on our network, and they're connecting a number of networks together. One of the challenges we have with this picture is you can see there are many loops that could occur. For example, to get to bridge one, you can loop through bridge 21 and bridge six and get all the way back to bridge one. Because spanning-tree has been enabled on these switches, you can see that a number of these interfaces have been set up to block. That way, if traffic is coming through this connection, it will not be able to traverse this particular bridge link and loop back to bridge one. This is something that spanning-tree protocol does automatically, as long as you have it enabled on your switches. Spanning-tree is also smart enough to watch what's happening on the network and reconfigure itself if there are any changes. For example, we have Network Y, and we can see that if Network Y wants to communicate up to bridge one, it has to communicate through bridge five, through Network A, through bridge six, Network M, and then finally to bridge one. You can see that there is a blocked port heading the other direction to prevent loops on this network. But what if we lose a connection? Let's say a connection between Network A and bridge six suddenly becomes unavailable. If that occurs, spanning-tree will recognize the change, and it will change the bridge configuration in bridge five and bridge 11 to now allow traffic to traverse the other direction around the problem. So spanning-tree is not only making sure that the network is available, it's preventing any loops and downtime from occurring on the network as well.

There are a number of ways that you could cause a denial of service situation on a switch network. These switches maintain a large list of MAC addresses that are associated with the interfaces that they see communicating on the switch. And if you are able to flood the network with MAC addresses, you would very quickly overflow that index of addresses, causing a denial of service. One thing you can configure on your switches is a flood guard. This would configure a maximum number of MAC addresses that could possibly be seen on any particular interface. You get to define how many MAC addresses are appropriate for a particular interface to prevent anyone from overloading the number of MAC addresses on this network. The switch then monitors the MAC addresses coming through the interface as it normally does, and it is able to identify if it ever exceeds the particular number you've configured for the flood guard. If it does, the flood guard will activate itself and begin performing filtering or disabling interfaces to prevent any denial of service.

It's very common to see switches and routers as separate physical devices that are plugged into the network. But we can also find switches that have routing capability enabled in them as well, and we commonly refer to these as layer 3 switches. This is taking all of the switch functionality that we have and enabling routing functionality within the same device. The switching is still operating at layer 2, making its forwarding decisions based on MAC address, but you can also configure interfaces to act as routed interfaces that would forward traffic based on the layer 3 IP configuration. This isn't changing the way that switching works, and it's not changing the way that routing operates. It's simply combining both a switch and a router within the same physical device.
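As an added example (not code from the video or from Cisco), here is the top-down, first-match ACL evaluation described in the access control list section, with an egress list that drops the RFC 1918 ranges. The rule fields, the 192.0.2.10 host and the packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    """One access control list entry, checked in order from the top."""
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"       # source prefix, "any" by default
    dst: str = "0.0.0.0/0"       # destination prefix, "any" by default
    dport: Optional[int] = None  # destination port, None means any port

def matches(rule: Rule, pkt: dict) -> bool:
    """True when the packet meets every criterion of the rule."""
    return (
        ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule.dst)
        and (rule.dport is None or rule.dport == pkt.get("dport"))
    )

def evaluate(acl: list, pkt: dict) -> str:
    """Walk the list; the first matching rule decides. A packet that matches
    nothing is denied, which is the implicit deny at the end of a Cisco IOS ACL."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# Constructed list in the shape of the numbered ACL described above:
# deny one host (a documentation address, not from the page), permit the rest.
ACL_1 = [
    Rule("deny", src="192.0.2.10/32"),
    Rule("permit"),
]

# Constructed egress list for the internet-facing interface: RFC 1918 sources
# must never leave toward the internet, everything else is allowed through.
EGRESS_ACL = [
    Rule("deny", src="10.0.0.0/8"),
    Rule("deny", src="172.16.0.0/12"),
    Rule("deny", src="192.168.0.0/16"),
    Rule("permit"),
]

if __name__ == "__main__":
    print(evaluate(ACL_1, {"src": "192.0.2.10", "dst": "198.51.100.1"}))        # deny
    print(evaluate(EGRESS_ACL, {"src": "10.1.2.3", "dst": "203.0.113.7"}))      # deny
    print(evaluate(EGRESS_ACL, {"src": "198.51.100.4", "dst": "203.0.113.7"}))  # permit
```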
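The reverse path forwarding check from the RPF section, as an added example rather than any router vendor's code: a packet passes only when the longest-prefix route back to its source address points out the interface it arrived on. The routing table, interface names and packets are constructed.

```python
import ipaddress

# Constructed routing table: (prefix, outgoing interface). Not from the page.
ROUTES = [
    ("10.0.0.0/8", "Gi0/0"),   # internal LAN behind the router
    ("0.0.0.0/0", "Gi0/1"),    # default route toward the internet
]

def lookup(address: str, routes=ROUTES):
    """Longest-prefix match: the interface the router would use to reach
    this address, or None when no route covers it."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_strict(src: str, ingress: str, routes=ROUTES) -> bool:
    """Strict reverse path forwarding: pass only if the route back to the
    source points out the ingress interface. An internal (10.0.0.0/8) source
    arriving from the internet side therefore fails. Caveat: strict mode also
    drops legitimate traffic on asymmetrically routed paths."""
    return lookup(src, routes) == ingress

def spoofed(packets, routes=ROUTES):
    """Return the packets that fail the check (the likely spoofed ones)."""
    return [p for p in packets if not urpf_strict(p["src"], p["in"], routes)]

if __name__ == "__main__":
    # Constructed sample: one spoofed internal source, one genuine internet source.
    sample = [{"src": "10.1.2.3", "in": "Gi0/1"}, {"src": "203.0.113.9", "in": "Gi0/1"}]
    print(spoofed(sample))  # only the 10.1.2.3 packet
```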
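An added example (constructed, not any switch vendor's implementation) of the two switch protections described above: detecting a MAC address that reappears on a different port, and a flood guard that disables a port once more than the configured number of addresses is learned on it. Port names and the 00:00:5e:00:53:xx addresses (the documentation MAC range) are constructed.

```python
class SwitchTable:
    """Toy MAC address table with a per-port learning limit (flood guard)
    and duplicate-MAC detection. Constructed example, not real switch code."""

    def __init__(self, max_per_port: int):
        self.max_per_port = max_per_port
        self.table = {}        # MAC address -> port it was learned on
        self.disabled = set()  # ports shut down by the flood guard
        self.events = []       # what the switch noticed, in order

    def macs_on_port(self, port: str) -> int:
        return sum(1 for p in self.table.values() if p == port)

    def learn(self, port: str, src_mac: str) -> str:
        """Process one frame's source MAC on a port; returns what the switch did."""
        if port in self.disabled:
            return "dropped"
        known_port = self.table.get(src_mac)
        if known_port is not None and known_port != port:
            # Same address suddenly arriving from another part of the network.
            self.events.append(f"duplicate MAC {src_mac}: {known_port} vs {port}")
            return "duplicate"
        if known_port is None and self.macs_on_port(port) >= self.max_per_port:
            # Too many addresses on one interface: the flood guard disables it.
            self.disabled.add(port)
            self.events.append(f"flood guard: {port} exceeded {self.max_per_port} MACs, disabled")
            return "violation"
        self.table[src_mac] = port  # normal learning or refresh
        return "learned"

def demo():
    """Constructed sequence: two normal stations, then a third address on the
    same port (flood), then the first address appearing on another port."""
    sw = SwitchTable(max_per_port=2)
    results = [sw.learn("Fa0/1", f"00:00:5e:00:53:{i:02x}") for i in range(3)]
    results.append(sw.learn("Fa0/2", "00:00:5e:00:53:00"))
    return results, sw.events

if __name__ == "__main__":
    print(demo())
```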
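To show what the spanning-tree section describes, here is an added example (not the 802.1D standard's code nor the video's diagram) that elects the root bridge, computes root path costs, assigns root, designated and blocked roles on point-to-point links, and re-runs after a link fails so the blocked port takes over. The four-bridge square topology and its costs are constructed.

```python
import heapq
from collections import defaultdict

def spanning_tree(bridges, links):
    """Port roles the way 802.1D decides them on point-to-point links.
    bridges: bridge IDs (the lowest ID wins the root election).
    links: {(a, b): cost} between bridges a and b.
    Returns (root, roles) with roles[(bridge, link)] in 'root', 'designated', 'blocked'."""
    INF = float("inf")
    adj = defaultdict(list)
    for link, cost in links.items():
        a, b = link
        adj[a].append((b, cost, link))
        adj[b].append((a, cost, link))
    root = min(bridges)
    # Root path cost of every bridge: shortest path from the root (Dijkstra).
    dist, heap = {root: 0}, [(0, root)]
    while heap:
        d, x = heapq.heappop(heap)
        if d > dist[x]:
            continue
        for n, cost, _ in adj[x]:
            if d + cost < dist.get(n, INF):
                dist[n] = d + cost
                heapq.heappush(heap, (d + cost, n))
    roles = {}
    for x in bridges:
        if x not in dist:
            continue  # cut off from the root entirely
        root_port = None
        if x != root:  # cheapest way to the root; tie broken by lower neighbour ID
            root_port = min(adj[x], key=lambda e: (dist.get(e[0], INF) + e[1], e[0]))[2]
        for n, cost, link in adj[x]:
            if link == root_port:
                roles[(x, link)] = "root"
            elif (dist[x], x) < (dist.get(n, INF), n):
                roles[(x, link)] = "designated"  # this end is closer to the root
            else:
                roles[(x, link)] = "blocked"     # redundant path: block it to kill the loop
    return root, roles

def blocked_ports(bridges, links):
    """Sorted (bridge, link) pairs that spanning-tree put into blocking."""
    _, roles = spanning_tree(bridges, links)
    return sorted(k for k, role in roles.items() if role == "blocked")

# Constructed square: 1-2, 2-4, 1-3, 3-4, every link cost 1. Bridge 1 becomes root.
BRIDGES = [1, 2, 3, 4]
LINKS = {(1, 2): 1, (2, 4): 1, (1, 3): 1, (3, 4): 1}

if __name__ == "__main__":
    print(blocked_ports(BRIDGES, LINKS))                            # [(4, (3, 4))]
    failed = {l: c for l, c in LINKS.items() if l != (1, 2)}        # link 1-2 goes down
    print(blocked_ports(BRIDGES, failed))                           # []
```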
