Role of Router. The Router as a Perimeter Device: Usually the main function of a router is considered as the forwarding of packets between two network.


Role of Router

The Router as a Perimeter Device
• Usually, the main function of a router is considered to be the forwarding of packets between two network segments.
• This is often forgotten when it is time to implement a security structure.
• Many additional duties are thrust onto the router and, ultimately, performance suffers.
• Routers, like computers, have processors, memory, and storage space.
• You must consider these points when you're choosing a router for your specific network environment.

The Router as a Perimeter Device
• Routers usually don't have much storage space available, and storage upgrades are at a premium.
• When considering your design environment, think about the ramifications of implementing an external storage area for log files, configuration file backups, and operating software.
• Most likely, you will use Syslog for remote logging and Trivial File Transfer Protocol (TFTP) for the transfer of configuration files and operating software updates.

How Can You Tell Whether Your Router Is Overburdened?
When your router is overtaxed, many strange things can happen. Packets can be dropped, things can pass that shouldn't, and so on. To check whether your router is overburdened, look at its processor utilization. With a Cisco router, you can do this with the following command:
    router#show processes cpu
The following command shows your CPU usage in a graphical format for the past 60 seconds, the past 60 minutes, and the past 72 hours:
    router#show proc cpu history
The following command shows how much memory each of the running router processes is using:
    router#sh proc memory

ROUTING
• To begin routing in a simple environment, a router needs little configuration.
• If you have two separate subnets that need to communicate, drop the router in, configure each connecting interface with an address for its attached network, and make sure that routing is enabled.
• The router knows the IP address of its two interfaces and can apply this knowledge to forward traffic sent from one network to the other.
• Complexities begin to arise as network segments the router isn't directly connected to are added to the configuration.

ROUTING
• In this case, the router must be told about networks with statements in its routing table. Such statements can be added manually by an administrator (static routes) or dynamically by updates from other routers.
• Static routes are easy to configure in a small environment. On Cisco routers, configuration can be accomplished with a command such as the following:
    router_(config)#ip route

ROUTING
• The ip route statement can also be used in circumstances in which hundreds of networks might be unknown to our router, such as for a connection to the Internet. For example:
    ip route gateway IP
• Static routes offer a secure routing method for configuring a small environment, but what happens when we have 100 routers in our corporation? Do we want to program all the necessary static routes manually? Of course not! This is when dynamic routing protocols come into play.

ROUTING
• Dynamic routing protocols allow properly configured routers to learn from each other about available routing paths. Such protocols include Routing Information Protocol version 1 (RIPv1), Open Shortest Path First (OSPF), RIPv2, Interior Gateway Routing Protocol (IGRP), Enhanced Interior Gateway Routing Protocol (EIGRP), and so on.

Secure Dynamic Routing
• One important part of keeping an environment that uses routing safe is the secure implementation of dynamically updated routing protocols.
• If dynamic routing protocols are not configured correctly, they can be an easily exploited security hole.
• Some routing protocols use numbering schemes that require some knowledge of the specific details of your network's routing configuration to send acceptable routing updates. However, these numbers are transmitted in the clear (without encryption), so they can be sniffed.
• In addition, the numbers chosen are often easily guessed and might not provide adequate protection.

Secure Dynamic Routing
The following are the main configuration mechanisms for secure dynamic route updating:
1. Route Authentication
2. Other Dynamic Routing Defenses

Route Authentication
• Some dynamic routing protocols offer advanced protection known as route authentication.
• On a Cisco router, the process of route authentication involves the use of a secret keyword that is configured into all routers that are to share their dynamic routing information.
• This keyword, used in conjunction with the routing update information, generates a Message Digest 5 (MD5) hash signature to be sent with dynamic route updates.
• If this hash information is not included with the updates or is incorrect, contacted routers will ignore the provided route information. Protocols that support routing authentication include RIPv2, OSPF, EIGRP, and BGP.

Route Authentication
• Two dynamic routing protocols of note that don't support this feature are RIPv1 and IGRP.
• Cisco routers have a feature that performs a simple check to help secure these two protocols. The validate-update-source command (which is configured by default) checks the source address of incoming RIP and IGRP updates to verify that they are from a neighboring device on the same
• You could install route authentication on an OSPF routed network by using the command
    ip ospf message-digest-key 10 md5 secretkey

Route Authentication
• You must enter the previous command at the interface that will be propagating the routing updates.
• 10 is the key ID, which is a number that represents the unique secret key that you define, and secretkey is the actual key used to create the MD5 hashes that protect your routing updates.
• The importance of the key ID value comes into play if you want to change keys in an active environment. You can simply add the new secretkey value in a similar statement with a different key ID number.
• The router identifies that it has a new key and starts sending two routing updates: one with the new key value, and one with the original key value.

Route Authentication
• To activate the MD5 authentication, use the statement
    area 0 authentication message-digest
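
As an added illustration (not code from the slides or from Cisco), this Python example models the keyed-MD5 check and the key-ID rollover described above, using the RFC 2328 Appendix D construction (MD5 over the update followed by the zero-padded secret). The 5-byte header layout, the function names and the sample routes are assumptions made for the example; the sequence-number check comes from RFC 2328, not from the slides.

```python
import hashlib
import hmac
import struct

ROUTES = b"10.1.0.0/16 via 192.0.2.1"   # constructed sample update payload

def _digest(body: bytes, secret: str) -> bytes:
    # MD5 over the update followed by the secret, zero-padded to 16 bytes
    # (RFC 2328 Appendix D construction).
    padded = secret.encode().ljust(16, b"\x00")[:16]
    return hashlib.md5(body + padded).digest()

def sign_update(routes: bytes, key_id: int, seq: int, secret: str) -> bytes:
    """Sender side: header (key ID, sequence number) + routes + digest."""
    body = struct.pack("!BI", key_id, seq) + routes
    return body + _digest(body, secret)

def verify_update(packet: bytes, keys: dict, last_seq: int):
    """Receiver side: return (routes, seq) if accepted, None if ignored."""
    if len(packet) < 5 + 16:
        return None                       # too short to carry a digest
    body, tag = packet[:-16], packet[-16:]
    key_id, seq = struct.unpack("!BI", body[:5])
    secret = keys.get(key_id)
    if secret is None:
        return None                       # key ID not configured here
    if not hmac.compare_digest(tag, _digest(body, secret)):
        return None                       # wrong secret or altered update
    if seq < last_seq:
        return None                       # older than last accepted: replay
    return body[5:], seq

if __name__ == "__main__":
    # During rollover the receiver holds both keys, so neighbors that
    # still sign with key 10 and those already on key 20 are accepted.
    keys = {10: "secretkey", 20: "newsecretkey"}
    old = sign_update(ROUTES, 10, 1, "secretkey")
    new = sign_update(ROUTES, 20, 2, "newsecretkey")
    print(verify_update(old, keys, 0), verify_update(new, keys, 1))
    print(verify_update(sign_update(ROUTES, 10, 3, "guess"), keys, 2))
```

A router that has not yet been given key 20 ignores updates signed with it, which is why the new key is added everywhere before the old one is removed.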

Other Dynamic Routing Defenses
• Another way you can be sure to prevent tampering with your route tables is by blocking updates from networks that are deemed unsafe.
• For example, if you had an extranet connection to a customer, you might not want the customer's routers to have the ability to change the configuration of your routers (accidentally or on purpose).
• You can configure the interface that connects your router to the customer's to deny routing updates.

Other Dynamic Routing Defenses
• Cisco routers use the distribute-list command, which prevents the propagation or the acceptance of specified route updates through configured interfaces.
• For example, if you want to prevent outside routers from being able to make changes in routing information for a mission-critical network segment in your internal infrastructure, you can use
    distribute-list 112 in e1
  Here, e1 is the interface that connects you to the outside routers, and 112 is an access control list (ACL) that defines the network address range of the mission-critical segment.

Other Dynamic Routing Defenses
• The access list can define ranges of allowed or disallowed IP routing information (depending on whether it is a permit or deny ACL).
• In a similar manner, a distribute-list out command can be used to disallow the sending of route updates that include information on how to route traffic to your top-secret lab. The syntax is
    distribute-list 113 out e1

Other Dynamic Routing Defenses
• To keep important details of your network infrastructure private, it may be necessary to prevent dynamic routing protocols from sharing internal route information with outsiders.
• To accomplish this on a Cisco router, use the passive-interface command to prevent the router from broadcasting route updates out of the specified interface. Its syntax is as follows:
    passive-interface e1
  In this case, e1 is the interface through which you want to disallow the sending of updates, while still accepting updates inbound.

Other Dynamic Routing Defenses
• This command behaves in a slightly different manner with the EIGRP and OSPF routing protocols, by disallowing both the sending and receiving of routing information via the specified interface.
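
A defender-side check for the measures on these slides, as an added example (not code from the presentation or from Cisco): this Python audit reads a saved IOS configuration and reports routing protocols that cannot authenticate updates, interfaces without an OSPF message-digest key, and outside-facing interfaces that are neither passive nor covered by an inbound distribute-list. The sample configuration, the interface names and the `external` parameter are assumptions, and the audit assumes OSPF runs on every interface.

```python
import re

# Constructed sample config (not from the slides). Ethernet1 is assumed to
# face the outside routers; OSPF is assumed to run on every interface.
SAMPLE = """\
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip ospf message-digest-key 10 md5 secretkey
interface Ethernet1
 ip address 192.0.2.1 255.255.255.0
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
 area 0 authentication message-digest
router rip
 network 10.0.0.0
"""

def stanzas(config: str) -> dict:
    """Group indented IOS config lines under their unindented parent line."""
    out, current = {}, None
    for line in config.splitlines():
        if line[:1] not in ("", " ", "!"):
            current = line.strip()
            out[current] = []
        elif current and line.strip() and line[0] == " ":
            out[current].append(line.strip())
    return out

def audit(config: str, external: set) -> list:
    """Return findings; `external` names interfaces facing outside routers."""
    cfg, findings = stanzas(config), []
    # Under OSPF a passive interface neither sends nor receives updates.
    passive = {l.split()[1] for h, b in cfg.items() if h.startswith("router ospf")
               for l in b if l.startswith("passive-interface ")}
    for head, body in cfg.items():
        if head.startswith("interface "):
            name = head.split()[1]
            keyed = any(l.startswith("ip ospf message-digest-key ") for l in body)
            if name not in passive and not keyed:
                findings.append(f"{name}: no OSPF message-digest key")
        elif head.startswith("router igrp") or (head == "router rip" and "version 2" not in body):
            findings.append(f"{head}: RIPv1/IGRP cannot authenticate updates")
        elif head.startswith("router ospf"):
            if not any(re.fullmatch(r"area \S+ authentication message-digest", l) for l in body):
                findings.append(f"{head}: MD5 authentication not activated")
            filtered = {l.split()[-1] for l in body if re.match(r"distribute-list \d+ in \S", l)}
            for ifc in sorted(external - passive - filtered):
                findings.append(f"{head}: {ifc} accepts outside route updates")
    return findings
```

Calling `audit(SAMPLE, {"Ethernet1"})` returns three findings; adding `passive-interface Ethernet1` under `router ospf 1` and `version 2` under `router rip` clears them.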