After traffic has passed through the perimeter, the packets need to be properly routed. In some instances, only internal routing occurs because the traffic is strictly internal and doesn’t need to leave the organization. In this case, devices are used that do not route traffic or that prevent traffic from leaving a subnet. Devices that perform this role include routers, switches, and bridges.
Routers operate at the network layer of the OSI model. They receive information from a host and forward that information to its destination on the network or the Internet. Routers maintain tables that are checked each time a packet needs to be redirected from one interface to another. The tables inside the router help speed up request resolution so that packets can reach their destination more quickly. The routes can be added manually to the routing table or can be updated automatically using the following protocols:
Routing Information Protocol (RIP/RIPv2)
Interior Gateway Routing Protocol (IGRP)
Enhanced Interior Gateway Routing Protocol (EIGRP)
Open Shortest Path First (OSPF)
Border Gateway Protocol (BGP)
Exterior Gateway Protocol (EGP)
Intermediate System-to-Intermediate System (IS-IS)
Although router placement is primarily determined by the need to segment different networks or subnets, routers also have some good security features. One of the best features of a router is its capability to filter packets by source address, destination address, protocol, or port. These filters are actually access control lists (ACLs).
Part I, “Threats, Attacks, and Vulnerabilities,” describes attacks such as IP spoofing and covers Domain 1 of the Security+ exam. Basic Internet routing is based on the destination IP address, so a router with a default configuration forwards packets based only on the destination IP address. In IP spoofing, an attacker gains unauthorized access to a network by making it appear (by faking the IP address) that traffic has come from a trusted source.
Because routers are the lifeblood of the network, it is important to properly secure them. The security that is configured when setting up and managing routers can make the difference between keeping data secure and providing an open invitation to hackers. The following are general recommendations for router security:
Create and maintain a written router security policy. The policy should identify who is allowed to log into the router and who is allowed to configure and update it. The policy also should outline the logging and management practices.
Comment and organize offline master editions of your router configuration files. Keep the offline copies of all router configurations in sync with the actual configurations running on the routers.
Implement access lists that allow only the protocols, ports, and IP addresses that network users and services require. Deny everything else.
Test the security of your routers regularly, especially after any major configuration changes.
Keep in mind that, no matter how secure your routing protocol is, if you never change the default password on the router, you leave yourself wide open to attacks. At the opposite end of the spectrum, a router that is too tightly locked down can turn a functional network into a completely isolated network that does not allow access to anyone.
Switches are the most common choice when it comes to connecting desktops to the wiring closet. Switches generally operate at the data link layer (Layer 2) of the OSI model. Their packet-forwarding decisions are based on Media Access Control (MAC) addresses. Switches allow LANs to be segmented, thus increasing the amount of bandwidth that goes to each device. Each segment is a separate collision domain, but all segments are in the same broadcast domain. Here are the basic functions of a switch:
Filtering and forwarding frames
Learning MAC addresses
Managed switches are configurable. You can implement sound security with your switches similarly to configuring security on a firewall or a router. Managed switches allow control over network traffic and who has access to the network. In general, you do not want to deploy managed switches using their default configuration. The default configuration often does not provide the most secure network design. In such cases, these switches require no Layer 2 functionality.
A design that properly segments the network can be accomplished using VLANs. VLANs provide a way to limit broadcast traffic in a switched network. This creates a boundary and, in essence, creates multiple, isolated LANs on one switch. VLANs are a logical separation of a physical network and often combine Layer 2 and Layer 3 switches. Layer 3 switches can best be described as routers with fast forwarding done through hardware. Layer 3 switches can perform some of the same functions as routers and offer more flexibility than Layer 2 switches.
Designing the network the proper way from the start is important to ensure that the network is stable, reliable, and scalable. Physical and virtual security controls must be in place. Locate switches in a physically secure area, if possible. Be sure that strong authentication and password policies are in place to secure access to the operating system and configuration files.
Port security is a Layer 2 traffic control feature on switches. It enables individual switch ports to be configured to allow only a specified number of source MAC addresses to come in through the port. Its primary use is to keep two or three users from sharing a single access port. You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the workstations that are allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port. By default, a port security violation forces the interface into the error-disabled state. Port security can be configured to take one of three actions upon detecting a violation. In addition to using the default shutdown mode, you can set protect mode or restrict mode. In protect mode, frames from MAC addresses other than the allowed addresses are dropped. Restrict mode is similar to protect mode, but it generates a syslog message and increases the violation counter.
A flood guard is an advanced firewall guard feature used to control network activity associated with DoS attacks and distributed denial-of-service (DDoS) attacks.
For example, in Cisco firewalls, the floodguard command is enabled by default and the firewall actively reclaims TCP user resources when an inbound or outbound authorization connection is being attacked. Flood guards are available as either standalone devices or firewall components.
Bridges are often used when two different network types need to be accessed. Bridges provide some network layer functions, such as route discovery, as well as forwarding at the data link layer. They forward packets only between networks that are destined for the other network. Several types of bridges exist:
Transparent basic bridge: Acts similarly to a repeater. It merely stores traffic until it can move on.
Source routing bridge: Interprets the routing information field (RIF) in the LAN frame header.
Transparent learning bridge: Locates the routing location using the source and destination addresses in its routing table. As new destination addresses are found, they are added to the routing table.
Transparent spanning bridge: Contains a subnet of the full topology for creating a loop-free operation.
Looping problems can occur when a site uses two or more bridges in parallel between two LANs to increase the reliability of the network. A major feature in Layer 2 devices is Spanning Tree Protocol (STP), a link-management protocol that provides path redundancy while preventing undesirable loops in the network. Multiple active paths between stations cause loops in the network. When loops occur, some devices see stations that appear on both sides of the device. This condition confuses the forwarding algorithm and allows duplicate frames to be forwarded. This situation can occur in bridges as well as Layer 2 switches.
A bridge loop occurs when data units can travel from a first LAN segment to a second LAN segment through more than one path. To eliminate bridge loops, existing bridge devices typically employ a technique referred to as the spanning tree algorithm. The spanning tree algorithm is implemented by bridges interchanging special messages known as bridge protocol data units (BPDUs). The STP loop guard feature provides additional protection against STP loops.
An STP loop is created when an STP blocking port in a redundant topology erroneously transitions to the forwarding state. This usually happens because one of the ports of a physically redundant topology no longer receives STP BPDUs. In its operation, STP relies on continuous reception or transmission of BPDUs, based on the port role. The loop guard feature makes additional checks. If BPDUs are not received on a nondesignated port and loop guard is enabled, that port is moved into the STP loop-inconsistent blocking state instead of the listening/learning/forwarding state. Without the loop guard feature, the port assumes the designated port role. The port then moves to the STP forwarding state and creates a loop.