What are some of the steps that could be taken to harden a perimeter (internet facing) router from attacks by potentially malicious users?
2 Answers
Basically you would need to prevent any packet from the internet from reaching the switch CPU, except for the allowed hosts. This can be done with a policy, which works at the hardware level, before the packet reaches the switch. Such a policy works like this: you need to collect the public IP numbers of the switch. Let's say 192.168.0.1/30 on VLAN 10 connects you to the internet and 10.0.0.0/24 on VLAN 20 is the server network; you can then apply the following policy. Best is to deny everything and allow only the specific hosts you need; then you will be seriously stable and secure.
This is a simplified policy with one chain for ingress and egress:
# 192.168.0.2/30 - other router (VLAN10)
# 192.168.0.1/30 - your router (VLAN10)
# 10.0.0.0/24 - servers (VLAN20)
# 10.0.0.10/24 - you (VLAN20)
#Allow broadcast only on VLAN20, so you don't get malicious broadcasts from the other router
From Any To ff:ff:ff:ff:ff:ff VLAN 20 Permit
#Allow Multicast only on VLAN20, if you need it for VRRP you can add the rule for VLAN10
From Any To 224.0.0.0/4 VLAN 20 Permit
#Anti-spoofing rules for your servers
From 10.0.0.0/24 to 0.0.0.0/0 VLAN20 Permit
From 0.0.0.0/0 to 10.0.0.0/24 VLAN20 Permit
#Allow accessing (e.g. pinging the other router) for your admin
From 10.0.0.10/32 to 192.168.0.0/30 Permit
From 192.168.0.0/30 to 10.0.0.10/32 Permit
#Block any other VLAN to VLAN communication
From 10.0.0.0/8 to 10.0.0.0/8 Deny
From 192.168.0.0/16 to 192.168.0.0/16 Deny
From 10.0.0.0/8 to 192.168.0.0/16 Deny
From 192.168.0.0/16 to 10.0.0.0/8 Deny
#Allow internet for 10.0.0.0/24, this allows packets from and to internet go thru VLAN10
From 10.0.0.0/24 to 0.0.0.0/0 Permit
From 0.0.0.0/0 to 10.0.0.0/24 Permit
#Deny them all, this includes access to VLAN10
From 0.0.0.0/0 to 0.0.0.0/0 Deny
With this, others won't be able to traceroute or ping your switch. But at the same time you are much better protected against potential denial of service, as your switch OS is isolated. This is good in some scenarios.
Also, some switches have hardware counters, so they allow only a limited number of packets from a specified host to reach the CPU. This way the rule could be to count ALL packets arriving from the Internet (except your admin machine) and to limit them ALL (from any host) to e.g. 10 packets per second. This would be useful for ICMP, so you can still traceroute.
From Any to 192.168.0.1/32 Protocol ICMP Limit 10 packets / second
From Any to 192.168.0.1/32 Protocol ICMP Allow
From 192.168.0.1/32 to Any Protocol ICMP Allow
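The policy above is evaluated first-match, so rule order decides what reaches the switch CPU. The following added example (not part of the answer, and not any vendor's ACL engine) transcribes the IP rules of that policy into a small first-match evaluator plus a per-second CPU budget like the ICMP limit rule; it assumes the VLAN column means the VLAN a packet arrives on, and it leaves out the MAC-level broadcast rule.

```python
"""First-match evaluation of the deny-by-default VLAN policy from the answer."""
from ipaddress import ip_address, ip_network

# Policy transcribed from the answer: (src, dst, vlan or None, proto or None, action)
POLICY = [
    ("0.0.0.0/0", "224.0.0.0/4", 20, None, "permit"),          # multicast only on VLAN 20
    ("10.0.0.0/24", "0.0.0.0/0", 20, None, "permit"),          # anti-spoofing: servers out
    ("0.0.0.0/0", "10.0.0.0/24", 20, None, "permit"),          # anti-spoofing: servers in
    ("10.0.0.10/32", "192.168.0.0/30", None, None, "permit"),  # admin -> routers
    ("192.168.0.0/30", "10.0.0.10/32", None, None, "permit"),  # routers -> admin
    ("10.0.0.0/8", "10.0.0.0/8", None, None, "deny"),          # block any other VLAN-to-VLAN
    ("192.168.0.0/16", "192.168.0.0/16", None, None, "deny"),
    ("10.0.0.0/8", "192.168.0.0/16", None, None, "deny"),
    ("192.168.0.0/16", "10.0.0.0/8", None, None, "deny"),
    ("10.0.0.0/24", "0.0.0.0/0", None, None, "permit"),        # internet for the servers
    ("0.0.0.0/0", "10.0.0.0/24", None, None, "permit"),
    ("0.0.0.0/0", "0.0.0.0/0", None, None, "deny"),            # deny everything else (VLAN 10 too)
]


def evaluate(policy, src, dst, vlan, proto="tcp"):
    """Return (action, rule_index) for the first rule matching the packet.
    `vlan` is assumed to be the ingress VLAN; a rule with vlan/proto None matches any."""
    s, d = ip_address(src), ip_address(dst)
    for i, (rs, rd, rv, rp, action) in enumerate(policy):
        if (s in ip_network(rs) and d in ip_network(rd)
                and rv in (None, vlan) and rp in (None, proto)):
            return action, i
    return "deny", None  # nothing matched: implicit deny


class CpuRateLimit:
    """Per-second packet budget for traffic allowed to reach the CPU,
    modelled on the 'Limit 10 packets / second' ICMP rule in the answer."""

    def __init__(self, per_second):
        self.per_second, self.window, self.count = per_second, None, 0

    def accept(self, now):
        """Count a packet at time `now` (seconds); False once this second's budget is spent."""
        if self.window != int(now):
            self.window, self.count = int(now), 0
        self.count += 1
        return self.count <= self.per_second


if __name__ == "__main__":
    # Constructed sample packets: internet host 203.0.113.5 probing the router, a server
    # reached from the internet, and a spoofed 10.0.0.0/24 source arriving on VLAN 10.
    print(evaluate(POLICY, "203.0.113.5", "192.168.0.1", 10, "icmp"))  # ('deny', 11)
    print(evaluate(POLICY, "203.0.113.5", "10.0.0.5", 10))             # ('permit', 10)
    print(evaluate(POLICY, "10.0.0.7", "10.0.0.5", 10))                # ('deny', 5)
```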
There are three useful things to do when hardening a perimeter router.
Update the firmware on the router regularly. Routers are no different from any other devices with software running on them. They are susceptible to vulnerabilities. The firmware running on routers should be updated if there are any updates.
Drop unnecessary packets. Routers can be susceptible to DDoS attacks if they receive more packets than they can handle. Complex processing rules like deep-packet inspection may worsen this. Drop any packets attempting to reach disallowed IP addresses or ports before performing complex inspection on them.
Are there any router-specific configurations that could be made to better secure the network?
– Jun 22 '12 at 14:10