Perimeter Router Security
To say that the Internet is the single most amazing technological achievement of the “Information Age” is a gross understatement. This massive network has changed the way the world conducts business and approaches education, and it has even changed the way in which people spend their leisure time. At the same time, the Internet has presented a new, complex set of challenges that not even the most sophisticated technical experts have been able to adequately solve. The Internet is only in its infancy, and its growth is exponential from year to year.
With the rapid growth of the Internet, network security has become a major concern for companies throughout the world, and although protecting an enterprise’s informational assets may be the security administrator’s highest priority, protecting the integrity of the enterprise’s network is critical to protecting the information it contains. A breach in the integrity of an enterprise’s network can be extremely costly in time and effort, and it can open multiple avenues for continued attacks.
When you connect your enterprise network to the Internet, you are connecting your network to thousands of unknown networks, thus giving millions of people the opportunity to access your enterprise’s assets. Although such connections open the door to many useful applications and provide great opportunities for information sharing, most enterprises contain some information that should not be shared with outside users on the Internet.
This chapter describes many of the security issues that arise when connecting an enterprise network to the Internet and details the technologies that can be used to minimize the threat that potential intruders pose to the enterprise and its assets. In this chapter, I’ll discuss the Unicast Reverse Path Forwarding (Unicast RPF) feature, which helps to mitigate problems caused by forged IP source addresses that the perimeter router receives. I’ll also discuss Committed Access Rate (CAR) and the features it provides to rate-limit traffic, thus providing mitigation for DoS attacks. In addition, I’ll discuss TCP SYN-flooding attacks and the features of TCP Intercept, which protect your network from this method of attack. This chapter covers Network Address Translation (NAT) and Port Address Translation (PAT), which were developed to address the depletion of global IP addresses, and the security features that each provides. Finally, there is a discussion of logging the events that take place on the perimeter routers.
This chapter classifies three different types of networks:
Trusted networks are the networks inside your network’s security perimeter. These are the networks you are trying to protect. Often, someone in your organization’s IT department administers the computers that make up these networks, and your enterprise’s security policy determines their security controls.
Untrusted networks are the networks that are known to be outside your security perimeter. They are untrusted because they are outside of your control: you have no control over the administration or security policies of these networks. They are the private, shared networks from which you are trying to protect your own network. However, you still need and want to communicate with these networks even though they are untrusted. Untrusted networks lie outside, and external to, the security perimeter.
Unknown networks are networks that are neither trusted nor untrusted. They are unknown to the security router because you cannot explicitly tell the router that the network is a trusted or an untrusted network. Unknown networks exist outside your security perimeter.
Cisco Express Forwarding
Cisco Express Forwarding (CEF) is an advanced Layer 3, topology-based forwarding mechanism that optimizes network performance and accommodates the traffic characteristics of the Internet for the IP protocol. Topology-based forwarding builds a forwarding table that exactly matches the topology of the routing table; thus, there is a one-to-one correlation between the entries in the CEF table and the prefixes in the routing table. CEF offers improved performance over other router switching mechanisms because it avoids the overhead associated with cache-driven switching mechanisms. CEF uses a Forwarding Information Base (FIB) to make destination-prefix-based switching decisions. The FIB is very similar to the routing table: it maintains an identical copy of the forwarding information the routing table contains. When topology changes occur in the network, the IP routing table is updated, and the changes are reflected in the FIB, which maintains next-hop address information based on the routing table. Because FIB entries correlate with routing table entries, the FIB contains all known routes.
CEF also builds an adjacency table, which maintains the Layer 2 next-hop addresses for all FIB entries. The adjacency table is kept separate from the CEF table and can be populated by any protocol that can discover an adjacency. It is built by first discovering the adjacency; each time an adjacency entry is created through a dynamic process, the adjacent node’s link-layer header is precomputed and stored in the adjacency table. After a route is resolved, its CEF entry points to a next hop and the corresponding adjacency entry, which is subsequently used for encapsulation when CEF switches packets.
CEF can operate in two different modes: central and distributed. In central mode, the FIB and adjacency tables reside on the route processor and the route processor performs the forwarding.
CEF can operate in distributed mode on routers whose interface line cards have their own built-in processors, allowing CEF to take advantage of distributed-architecture routers. When CEF operates in distributed mode, the CEF table is copied down to the line cards so that switching decisions are made on the line cards instead of by the route processor. Distributed CEF uses a reliable interprocess communication (IPC) mechanism that guarantees a synchronized FIB.
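The following Python model is an added illustration of the two CEF structures described above and is not code from this book or from Cisco. It builds a FIB with one entry per routing-table row (the one-to-one correlation), keeps a separate adjacency table of precomputed Ethernet headers keyed by next hop, and resolves a destination first to a FIB entry and then to an adjacency. It also shows, as an assumption about how the Unicast RPF feature named in the chapter introduction uses the same FIB, a strict reverse-path check that looks up the packet's source address and compares the resulting interface with the ingress interface; the default route is ignored unless allow_default is set, modelled on the allow-default option of that feature. The routing table, interface names, IP addresses and MAC addresses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class FibEntry:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]   # None for a directly connected prefix
    interface: str

# Constructed routing table: (prefix, next hop, egress interface).
# A connected prefix has no next hop: the destination host itself is the adjacent node.
ROUTING_TABLE = [
    ("0.0.0.0/0",       "203.0.113.1",  "Ethernet1"),  # default route toward the ISP
    ("203.0.113.0/24",  None,           "Ethernet1"),  # connected, outside link
    ("192.168.10.0/24", None,           "Ethernet0"),  # connected, inside link
    ("192.168.20.0/24", "192.168.10.2", "Ethernet0"),  # inside subnet behind another router
]

# Constructed MAC addresses of the router's own interfaces.
ROUTER_MACS = {"Ethernet0": "00:00:5e:00:53:00", "Ethernet1": "00:00:5e:00:53:01"}

# Constructed link-layer neighbours learned by a discovery protocol: next hop IP -> (interface, MAC).
NEIGHBOURS = {
    "203.0.113.1":  ("Ethernet1", "00:00:5e:00:53:a1"),
    "192.168.10.2": ("Ethernet0", "00:00:5e:00:53:b2"),
}

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def build_fib(routing_table):
    """One FIB entry per routing-table row, ordered longest prefix first so the first match wins."""
    fib = [FibEntry(ipaddress.ip_network(p), nh, iface) for p, nh, iface in routing_table]
    return sorted(fib, key=lambda e: e.prefix.prefixlen, reverse=True)

def build_adjacency_table(neighbours):
    """Precompute the 14-byte Ethernet header (dst MAC, src MAC, EtherType IPv4) per adjacency."""
    table = {}
    for next_hop, (iface, mac) in neighbours.items():
        header = mac_bytes(mac) + mac_bytes(ROUTER_MACS[iface]) + b"\x08\x00"
        table[next_hop] = (iface, header)
    return table

FIB = build_fib(ROUTING_TABLE)
ADJACENCY = build_adjacency_table(NEIGHBOURS)

def fib_lookup(ip: str) -> Optional[FibEntry]:
    """Longest-prefix match against the FIB."""
    addr = ipaddress.ip_address(ip)
    for entry in FIB:
        if addr in entry.prefix:
            return entry
    return None

def forward(dst_ip: str):
    """Resolve a destination to (egress interface, precomputed L2 header).

    Returns None when there is no route (packet dropped) and (interface, None)
    when the adjacency has not been discovered yet (the 'glean' case).
    """
    entry = fib_lookup(dst_ip)
    if entry is None:
        return None
    next_hop = entry.next_hop or dst_ip     # connected prefix: the host is the adjacency
    adj = ADJACENCY.get(next_hop)
    if adj is None:
        return (entry.interface, None)
    return adj

def rpf_check(src_ip: str, ingress_interface: str, allow_default: bool = False) -> bool:
    """Strict reverse-path check modelled on Unicast RPF (assumed behaviour, see lead-in):
    accept the packet only if the FIB would send traffic for its source address back out
    the interface it arrived on. The default route does not count unless allow_default."""
    entry = fib_lookup(src_ip)
    if entry is None:
        return False
    if entry.prefix.prefixlen == 0 and not allow_default:
        return False
    return entry.interface == ingress_interface

if __name__ == "__main__":
    print("192.168.20.7 ->", forward("192.168.20.7"))
    print("spoofed inside source from outside accepted?", rpf_check("192.168.20.7", "Ethernet1"))
```

Running the block shows a packet for 192.168.20.7 leaving Ethernet0 with a header already addressed to the MAC of 192.168.10.2, and shows a packet arriving on the outside interface with an inside source address failing the reverse-path check. A source reachable only through the default route fails the check unless allow_default is set, which is why a perimeter router that carries only a default route toward the Internet has to make a deliberate choice about that option.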