Router Security Configuration Guide
UNCLASSIFIED
Version 1.0g
2.4. Basic Router Functional Architecture
2.4.1. Why Have a Special Purpose Router?
What are some of the motivations for using a dedicated, purpose-built router rather than a general purpose machine with a standard operating system (OS)? What justifies this expense, and what justifies the bother of learning yet another system? The answer is partly that a special purpose router can have much higher performance than if router functionality were merely tacked onto a general purpose machine that might also be performing other functions. Also, one can potentially add more network connections to a machine designed for that purpose, because it can be designed to support more interface card slots. Thus, a special purpose device will probably be a lower cost solution for a given level of functionality. But there are also a number of security benefits to a special purpose router.
For one thing, a specialized router operating system (like Cisco's Internetwork Operating System, or IOS) can be smaller, better understood, and more thoroughly tested than a general purpose OS. (Note that for brevity, the term IOS will be used in this document to refer to the router's operating system and associated software, but hardware other than Cisco would run similar software.) This means that it is potentially inherently less vulnerable. Also, the mere fact that it is different means that an attacker has one more thing to learn, and that known vulnerabilities in other systems are of no help to the router attacker. Also, for security reasons it is desirable to have the access control list (ACL) up and running before enabling any interfaces or drivers. Finally, specialized routing software enables a fuller and more robust implementation of filtering. Filtering is useful as a firewall technique, and can also be used to partition networks and prohibit or restrict access to certain networks or servers. Using filtering, some routing protocols can prohibit the advertisement of routes to neighbors, thus helping protect certain parts of the network.
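The ordering point made above (filter first, then enable the interface) and the route-advertisement filtering can be shown in a short IOS configuration fragment. This fragment is an added illustration and is not taken from the guide; the interface name Serial0/0, the RIP routing process, and the addresses (drawn from the RFC 5737 documentation ranges) are assumptions chosen for the example.

```cisco
! Added illustration, not part of the guide. Interface name, routing
! protocol and addresses are assumed for this example.
!
! 1. Define the packet filter first. Nothing here touches live traffic yet.
!    Drop packets claiming a private source, allow web traffic to the
!    internal segment, and log anything else that is refused.
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 permit tcp any 192.0.2.0 0.0.0.255 eq 80
access-list 101 deny ip any any log
!
! 2. Define the route filter: only the internal prefix may be advertised
!    to neighbors on the external link; other routes stay unannounced.
access-list 10 permit 192.0.2.0 0.0.0.255
!
router rip
 network 192.0.2.0
 distribute-list 10 out Serial0/0
!
! 3. Bind the packet filter while the interface is still administratively
!    down, then enable it, so the ACL is in force from the first packet.
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group 101 in
 no shutdown
```

The sequence matters: because `ip access-group 101 in` is applied before `no shutdown`, there is no window in which the interface forwards unfiltered traffic, and the `distribute-list` limits what the routing process tells the neighbor regardless of what else is in the routing table.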
2.4.2. Description of Typical Router Hardware
A router is essentially just another computer. So, similar to any other computer, it has a central processor unit (CPU), various kinds of memory, and connections to other devices. Generally, a router does not have a hard disk, floppy drive, or CD-ROM drive.
There are typically a number of types of memory in a router, possibly including: RAM, NVRAM, Flash, and ROM (PROM, EEPROM). These are listed roughly in order of volatility. The mix of types and the amount of each type are determined on the basis of: volatility, ease of reprogramming, cost, access speed, and other factors. ROM is used to store a router's bootstrap software. Non-volatile RAM (NVRAM) is used to store the startup configuration that the IOS reads when the router boots. Flash memory stores the IOS (or other router OS), and if there is enough flash it may store more than one version of IOS. Figure 2-4 shows a simple representation of a notional router's hardware structure.