3.1.2 Routers
(Page 2 of 3)
Router Configuration and ACLs
As networks evolved, router manufacturers enhanced their products, adding a number of security-related features. One of the most notable is packet-filtering functionality similar to that found in many firewalls. In the Cisco world, the packet-filtering rules are called Access Lists, or ACLs.

There are simple ACLs, which only allow or deny traffic based on a single IP address, and extended ACLs, which implement a fuller set of packet-filtering criteria, including source address, destination address, protocol family (TCP, UDP, ICMP), and port. For example, the following commands create an extended ACL that denies access to the POP3 port (TCP 110) on your internal mail server, 192.45.4.72, from all external systems. Because every ACL ends in an implicit "deny any", a permit entry is needed so that other traffic still flows, and the list takes effect only once it is applied to an interface:

```
! entry 1: block POP3 (tcp/110) to the mail server from any source
access-list 101 deny tcp any 192.45.4.72 0.0.0.0 eq pop3
! an ACL ends in an implicit "deny any"; permit everything else explicitly
access-list 101 permit ip any any
```
Routers

A router connects multiple networks together and forwards packets among networks.

Routers protect against sniffing and man-in-the-middle attacks by sending to a subnet only the traffic that needs to be there, limiting the number of nodes with access to packets.

Sometimes packet filtering is implemented on routers via access lists.
Router Configuration

Other security features commonly found in routers are configuration options that prevent malformed or possibly vulnerability-exploiting packets from being forwarded to other network interfaces, and that prevent packets with spoofed source or destination addresses from entering or leaving the network. How does the router know a spoofed address when it sees it? If the router sees a packet arriving on an external interface whose source address is set to an IP address within the internal network, odds are that the address was spoofed. Similarly, the router knows that packets arriving from internal networks should not have external source addresses; if they do, that may be a sign that someone is using one of your systems as part of a DoS or DDoS attack. Blocking such outgoing packets is just a matter of being a good net neighbor. If everyone did this, a number of DoS techniques would be much less effective, since they rely on the ability to send out packets with a spoofed source address equal to one on the target's internal network.
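The two filters described above, the extended ACL and the ingress/egress spoof check, as an added worked example in Python that is not part of the original CertiGuide text. It assumes the mail server 192.45.4.72 sits in a constructed internal prefix 192.45.4.0/24, names the router's two interfaces "outside" and "inside", and models ACL entries with first-match semantics and the implicit deny at the end of the list.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumption (constructed): the mail server 192.45.4.72 lives in 192.45.4.0/24.
INTERNAL_NET = ipaddress.ip_network("192.45.4.0/24")
ANY = "0.0.0.0/0"
@dataclass
class Packet:
    iface: str   # "outside" (external link) or "inside" (internal LAN)
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
@dataclass
class Rule:             # one extended-ACL entry
    action: str         # "permit" or "deny"
    proto: str          # "tcp", "udp", "icmp", or "ip" for any protocol
    src: str            # CIDR; ANY matches every address
    dst: str
    dport: Optional[int] = None   # None: any port, like omitting "eq"

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))

def spoof_check(pkt: Packet) -> Optional[str]:
    # Internal source on the outside interface, or external source on the
    # inside interface: both are the spoofing signs the text describes.
    src_internal = ipaddress.ip_address(pkt.src) in INTERNAL_NET
    if pkt.iface == "outside" and src_internal:
        return "spoofed: internal source address arrived from outside"
    if pkt.iface == "inside" and not src_internal:
        return "spoofed: external source address leaving from inside"
    return None

def filter_packet(pkt: Packet, acl: list) -> tuple:
    # Spoof check first, then first-matching ACL entry; no match = implicit deny.
    reason = spoof_check(pkt)
    if reason:
        return ("deny", reason)
    for i, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return (rule.action, f"matched entry {i}")
    return ("deny", "implicit deny at end of list")

# The page's ACL 101, plus a permit so everything else still flows.
ACL_101 = [Rule("deny", "tcp", ANY, "192.45.4.72/32", 110),   # eq pop3
           Rule("permit", "ip", ANY, ANY)]
```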
A key point is: don't depend on your ISP to do this address check for you, even though it's pretty clear that they could. Some ISPs, even large ones, are notoriously unconcerned about security. For example, one unnamed ISP connected to one of the Baby Bells has been overheard telling small business customers that individual businesses don't need to bother with a firewall, because the ISP's staff monitors the network very carefully, as if all the monitoring in the world would protect against a carefully executed intrusion. Just like when you're walking around in an unfamiliar city after dark, you have to watch your own back.
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.