Routing traffic

Routers have come a long way over the past decade. Vendors are developing routers embedded with sophisticated security features.

By Eman Wahby, published August 23, 2005

[Image: Kumar: Wireless technologies are becoming as secure as a wired Ethernet.]

In 2001, a mistake made while changing the configuration of a router in Microsoft's network denied access to all networks run on the vendor’s technology. It took 22 hours for engineers to track down the mistake and fix it.

Meanwhile, attackers investigated the cause of the outage and concluded that a denial of service (DoS) attack against the problem router would deny access to any Microsoft-sponsored site. The attack did take place two days later. According to industry experts, the software giant had made two key errors: the first concerned the way Microsoft managed its router configuration, the second the way it designed its network.

The first error points to an often ignored area of network security: the routers that bind together the myriad of networks that make up the internet, as well as internal systems. Some routers run specially designed operating systems (OS), while others run stripped-down versions of Unix. In either case, the OS and the configuration management of these routers may be vulnerable to attack.

The 2001 incident is now a distant memory. However, what is causing a major concern in the global IT industry is the Ciscogate situation. Cisco Systems has sued an internet security researcher for publishing a router security flaw against its wishes. Researcher Michael Lynn was an employee of security firm ISS when he uncovered the flaw.

ISS and Cisco refused Lynn permission to disclose the flaw. Lynn resigned from his post at ISS and gave a presentation on the flaw at a conference in Las Vegas, which included a demonstration of how to exploit it. The issue has assumed importance because of Lynn’s insistence that he was acting out of concern for national security.

Once upon a time the functions of routing, switching and security were distributed across separate chassis, but that traditional model has been blurred by the advent of all-in-one appliances. Routers that offer security and switching services are not new. Products that provide integrated routing, switching, wireless, voice, virtual private network (VPN) and security have been around for some time.

What is new is the performance of these technologies. Previous attempts to deliver integrated service platforms usually resulted in a trade-off in performance or the number of connections being supported. However, today’s next generation of fast-silicon switching processors can easily meet the demands of large corporations.

As enterprises pay renewed attention to their IT infrastructures, the demand for routers continues to grow. Infonetics Research says the worldwide router and gateway market grew by 5% to US$1.2 billion between 4Q04 and 1Q05. Fuelled by new applications and high speeds, revenues are expected to increase by another 1.5% to US$779.6 million by 1Q06.

Enterprises can reduce operational spending by using a mix of public and private high-speed wide area network (WAN) connections. By adopting an internet-based WAN strategy, businesses can take advantage of high-bandwidth yet low-cost offerings. Nevertheless, the ‘always-on’ connection poses a significant threat, leaving enterprises more exposed to intrusion and interception.

[Image: Hafez: The acquisition of TippingPoint Technologies accelerates 3Com's strategy of delivering secure, converged solutions.]

Such connections have their benefits, but they are also easy for hackers to manipulate. "The main source of security [lapse] is the ‘always-on’ nature of the connections," says Sumit Kumar, regional sales manager at US Robotics Middle East & North Africa.

When users dial up, an internet service provider (ISP) assigns a temporary IP (internet protocol) address using the dynamic host configuration protocol (DHCP). Each time an end user signs off and dials in again, a new address is assigned; with broadband connections, however, users get a permanent IP address.

"Gone are the days of simply scanning for viruses. With ‘always-on’ connections, a layered approach is required to secure the network from every type of threat, in addition to anticipating every type of potential security breach, from Trojan horse attacks and spyware to data tampering and information theft," says Sherif Shazly, business development manager at D-Link Egypt.

Hackers are targeting laptops plugged into residential broadband routers in order to reach an enterprise network. End users unwittingly carry the infection onto their employer’s network when they use their notebooks in the office. Remote working is rapidly becoming a way of life, and enterprises have to be prepared for such vulnerabilities.

“Security is a never-ending process, which means we have to be following up closely on the latest security features. Our organisation has mission-critical data and we cannot afford any kind of [network security breach], because that will compromise the integrity of our business,” explains Abdulla Fakhroo, head of the network engineering division at Qatar Petroleum. “A layered security approach [has] to be developed at different stages. It may be expensive; however, the investment will be worth it in the end,” he adds.

Besides the configuration mistake, routers are also subject to many other potential problems. They are accessible over the network and if hackers can successfully log onto a router or issue commands via the web server interface, they can change routes and deny access to hosting sites or networks served by that particular hardware. Routers always support passwords that prevent unauthorised people from changing configuration, but passwords themselves are not secure enough.

Furthermore, hackers are taking advantage of high-speed connections to launch DoS attacks against businesses and ISPs. "The most serious threat at present appears to be related to various kinds of identity thefts,” says US Robotics’ Kumar. Most routers have rules in their configuration table that limit the number of requests accepted from a single sending address.

If too many requests from one address are received in a short period of time, the router simply discards them. However, many popular websites and businesses have still suffered DoS attacks, because attackers plant programs on many different computers and, when the packet flood is triggered, millions of requests for information hit the targeted sites at once.

Enterprises also need to take precautions against distributed denial-of-service (DDoS) attacks, in which compromised computers run automated scripts that cripple a protected server's network resources with spurious requests for service. Such attacks may, for example, target the availability and accuracy of domain name system (DNS) servers.

[Image: Gouda: We have a ‘wish list’ for routers and the stateful packet inspection (SPI) is on top of that list.]

Another major threat routers have to deal with is the packet sniffer, a program that captures data from packets as they traverse the network. Compared with DSL and traditional dial-up users, cable modem users face a higher risk of exposure to packet sniffers, because a sniffer installed on one cable modem user's computer may be able to capture data transmitted by another modem on the same local area network (LAN).
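To make the per-address rule described above concrete, here is an added Python model (not code from the article or from any vendor's router firmware) of a router that keeps a per-source counter and discards the excess. The traffic, the addresses and the limit of 100 packets per second are all constructed; the run shows why the same rule does nothing against a flood of equal size spread across many compromised hosts, which is the DDoS problem the article goes on to describe.

```python
from collections import defaultdict, deque


class PerSourceRateLimiter:
    """Hypothetical model of the per-address rule described above.

    A source may have at most `limit` packets accepted within any sliding
    `window` of seconds; anything beyond that budget is discarded.
    """

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._accepted = defaultdict(deque)  # src address -> accept timestamps

    def accept(self, src: str, now: float) -> bool:
        q = self._accepted[src]
        while q and now - q[0] >= self.window:   # forget packets outside the window
            q.popleft()
        if len(q) >= self.limit:                 # over budget: discard
            return False
        q.append(now)
        return True


def count(limiter: PerSourceRateLimiter, packets) -> tuple:
    """Return (accepted, dropped) for a list of (src, timestamp) pairs."""
    accepted = sum(limiter.accept(src, ts) for src, ts in packets)
    return accepted, len(packets) - accepted


def demo() -> dict:
    # Constructed traffic: 1000 packets within one second, first all from a
    # single host, then the same 1000 packets spread over 1000 distinct hosts.
    single = [("203.0.113.7", i / 1000) for i in range(1000)]
    spread = [(f"10.{i // 256}.{i % 256}.1", i / 1000) for i in range(1000)]
    fresh = lambda: PerSourceRateLimiter(limit=100, window=1.0)
    return {"single": count(fresh(), single), "spread": count(fresh(), spread)}


if __name__ == "__main__":
    print(demo())   # the single source is mostly dropped; the spread flood passes untouched
```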

“We have a ‘wish list’ for routers; however, the stateful packet inspection (SPI) is on top of the list. It is critical for organisations like ours, which have several different branches, to have secure IT platforms, and routers play an important role,” says Hisham Gouda, CIO of Genco Group, which owns five companies specialising in the distribution of natural gas.

The Group’s consumer base covers residential, industrial, factory, power station, CNG station and commercial users. Networking vendors have been offering layered approaches to secure sensitive client and company information against unauthorised access.

"The 3Com router family helps protect networks by incorporating a layered approach to security. These security and control features include RADIUS authentication support, stateful packet inspection firewall, DoS blocking, access control lists and IPSec VPNs to provide secure networks," states Ahmed Hafez, general manager at 3Com Egypt and Libya.

Routers come with built-in firewalls, which can block access to the system by unauthorised users. They can also help mitigate the static IP address vulnerability: the firewall takes on the IP address provided by the service provider, so that from the outside it appears to be the firewall rather than the end user that is surfing the internet, shielding the user's own address from public view.

Packet filtering is a security feature that allows users to specify which data packets may traverse an organisation’s network via a router. A packet filter firewall inspects each incoming packet and checks its validity against a number of predefined rules. If a packet is dropped, the firewall checks whether an alarm message needs to be sent to the network administrator.

The stateful inspection firewall has emerged as a more advanced security solution. It examines every fragment of a fragmented packet, whereas a packet filter examines only the first fragment, which carries the header information it inspects, and lets the remaining fragments pass through. "For instance, Cisco ISR does much more as it provides stateful and transparent firewalls that enable segmenting existing network deployments into separate security trust zones without changing addresses,” explains Tarek Hobballah, systems engineer at Cisco Systems.

"An IPS can drop traffic, send an alarm, locally shun or reset the connection, enabling the router to respond immediately to security threats. In addition, Cisco IOS certificate server and client allows the router to act as a certificate authority for the network," he adds.

Some routers use advanced firewall technology such as stateful packet inspection (SPI), which can be found in secure enterprise firewalls.

"Packet filtering was and is a simpler form of the full SPI firewall. On our 8000A series we have packet filtering. However, our professional and wireless routers now have an SPI feature that examines the contents of the packet to ensure the stated destination computer has previously requested the current communication," explains Kumar. "This is a way of ensuring communication is initiated by the recipient computer and it is taking place only with sources that are known and trusted from previous interactions. The SPI firewall protects against DoS and DDoS attacks,” he adds.

[Image: Al Mallouhi: End users should configure access lists on their routers for security purposes.]

Networking vendors have also been developing DoS and DDoS defence technologies capable of detecting incoming attacks and differentiating between malicious and legitimate traffic without hindering the flow of legitimate traffic.
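Kumar's description of SPI, checking that the inside computer "has previously requested the current communication", is the whole difference between a static packet filter and a stateful one. The following added Python model (not code from the article, US Robotics or any router product) puts the two side by side: the stateless filter can only look at the header it is handed, so it admits any inbound packet that looks like a reply, while the stateful filter remembers outbound requests and admits an inbound packet only when it answers one of them. The LAN prefix, addresses and packets are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

def is_inside(ip: str) -> bool:
    # Constructed assumption: the protected LAN is 192.168.1.0/24.
    return ip.startswith("192.168.1.")

class StatelessFilter:
    """Static packet filter: judges each packet on its own header alone.
    Inbound traffic is admitted if it merely looks like a reply (ACK set)."""
    def allow(self, p: Packet) -> bool:
        if is_inside(p.src):
            return True            # anything leaving the LAN is permitted
        return p.ack

class StatefulFilter:
    """SPI: remembers which connections inside hosts requested and admits
    inbound packets only when they answer one of those requests."""
    def __init__(self) -> None:
        self.table = set()         # (inside src, sport, outside dst, dport)
    def allow(self, p: Packet) -> bool:
        if is_inside(p.src):
            if p.syn and not p.ack:                # new outbound request
                self.table.add((p.src, p.sport, p.dst, p.dport))
            return True
        # inbound: the reversed 4-tuple must match a recorded request
        return (p.dst, p.dport, p.src, p.sport) in self.table

def demo() -> dict:
    # Constructed exchange: an inside host asks a web server, the server
    # replies, then an unrelated outside host sends an unsolicited ACK packet.
    request = Packet("192.168.1.10", 40000, "203.0.113.5", 80, syn=True)
    reply = Packet("203.0.113.5", 80, "192.168.1.10", 40000, syn=True, ack=True)
    unsolicited = Packet("198.51.100.9", 5555, "192.168.1.10", 40000, ack=True)
    verdicts = {}
    for name, fw in (("stateless", StatelessFilter()), ("stateful", StatefulFilter())):
        verdicts[name] = [fw.allow(request), fw.allow(reply), fw.allow(unsolicited)]
    return verdicts
```

A real SPI implementation also ages entries out of the table and tracks the TCP handshake and teardown; the model keeps only the "was this requested from inside?" check that the quote describes.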

Routers also play an important role in an organisation’s VPNs. Authentication and encryption are the two main components in securing a VPN connection. In its most basic form, authentication consists of a username and password used to gain access to services or resources. IPSec is a collection of security measures that enables encrypted tunnels to be set up over the public internet, so that all distributed applications, including remote logon, can be secured.

Vendors may offer VPN functions based on the IPSec industry standard that is currently being used by government ministries and financial institutions. "For instance, a VPN connection between a firewall and an end user’s PC is secured through an IPSec tunnel, which is encrypted with 3DES (data encryption standard) and changed at regular intervals," explains D-Link’s Shazly.

However, IPSec encryption is only one element of security. “Other security elements still exist like SSL VPN, known as web VPN, which is commonly used in e-banking and e-commerce. Thus, encryption constitutes only one form of security. It must be used with day-zero protection mechanism," explains Cisco’s Hobballah.

The majority of DoS attacks are based on high-bandwidth packet floods, yet the offending packets can be isolated when they are matched against access lists. "For example, you can use access lists to restrict contents of routing updates or control the traffic flow. However, one of the most important reasons to configure access lists is to provide security for your network," he adds.

“Users should use access lists to provide a basic level of security for accessing their networks. If users do not configure access lists on their routers, all packets passing through the router can reach unauthorised destinations on a network.”
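The access lists Hobballah refers to are evaluated top to bottom, the first matching entry decides, and a packet that matches nothing falls to the implicit deny at the end, which is exactly why an interface with no list at all lets everything through. The following is an added Python evaluator (not code from the article or from Cisco IOS) that follows the wildcard-mask convention of Cisco IOS access lists, where a 0 bit in the mask must match and a 1 bit is ignored. The inbound list, the addresses and the test packets are constructed.

```python
from collections import namedtuple
import ipaddress

# One access control entry. "any" is base 0.0.0.0 with wildcard
# 255.255.255.255, a single host has wildcard 0.0.0.0, dport None = any port.
Rule = namedtuple("Rule", "action proto src src_wild dst dst_wild dport")
Pkt = namedtuple("Pkt", "proto src dst dport")
ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco-style wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)

def matches(rule: Rule, pkt: Pkt) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return (wildcard_match(pkt.src, rule.src, rule.src_wild)
            and wildcard_match(pkt.dst, rule.dst, rule.dst_wild))

def evaluate(acl: list, pkt: Pkt) -> tuple:
    """First matching entry wins; no match falls to the implicit deny."""
    for index, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None

# Constructed inbound list for an internet-facing interface: refuse packets
# that claim an inside (192.168.1.0/24) source address, permit web traffic to
# the public server 203.0.113.10, and implicitly deny everything else.
INBOUND_ACL = [
    Rule("deny", "ip", "192.168.1.0", "0.0.0.255", *ANY, None),
    Rule("permit", "tcp", *ANY, "203.0.113.10", "0.0.0.0", 80),
    Rule("permit", "tcp", *ANY, "203.0.113.10", "0.0.0.0", 443),
]

if __name__ == "__main__":
    for pkt in (Pkt("tcp", "192.168.1.5", "203.0.113.10", 80),
                Pkt("tcp", "198.51.100.7", "203.0.113.10", 80),
                Pkt("tcp", "198.51.100.7", "203.0.113.10", 22)):
        print(pkt, "->", evaluate(INBOUND_ACL, pkt))
```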

In addition to choosing routers with strong security features, end users are also demanding after-sales support. Customers want easy access to vendor resources in case of network emergencies. “Due to the [nature] of our business, it is important to have vendor support centres in Egypt, not in China or Taiwan. It is not always ideal, due to the time difference in these countries, to contact support staff when problems arise with certain products,” according to the Genco Group’s Gouda. Networking giants are also strengthening their approach to providing solutions with robust security features.

3Com has acquired TippingPoint Technologies, a leading provider of intrusion prevention systems (IPS), with a goal of enhancing solutions and increasing its customer base. "The acquisition of TippingPoint will accelerate 3Com's strategy of delivering secure, converged solutions to enterprises of all sizes. It will expand 3Com's product portfolio with the addition of TippingPoint's IPS solutions," says 3Com’s Hafez.

Finally, some enterprises believe wireless routers are less secure and users transferring sensitive data should use a wired infrastructure.

Wireless networks can be reached by any radio device within range. Despite enhanced security measures such as wired equivalent privacy (WEP) and Wi-Fi protected access (WPA), wireless still remains less secure than a wired Ethernet.

However, corporations that use wireless technologies are taking every step to protect their networks. “Every new technology has its pros and cons and, since we have embarked on a project which involves wireless technologies, it is crucial for us to have enhanced security like WEP,” explains Charles Franklin, business system analyst at Saudi Aramco.

Vendors claim wireless can be made as secure as, or more secure than, wired communication. D-Link, for instance, says all its wireless routers support Wi-Fi protected access security. The encryption key used to encrypt data is changed with every packet transferred, which limits the opportunity for a security breach.
