Router Security Configuration Guide UNCLASSIFIED 22 UNCLASSIFIED Version 1.0g

2.4. Basic Router Functional Architecture

2.4.1. Why Have a Special Purpose Router?

What are some of the motivations for using a dedicated, purpose-built router rather than a general purpose machine with a “standard” operating system (OS)? What justifies this expense, and what justifies the bother of learning yet another system?

The answer is partly performance: a special purpose router can have much higher throughput than a general purpose machine onto which routing has merely been tacked, especially one that is also performing other functions. A machine designed for routing can also support more network connections, because it can be built with more interface card slots. Thus, a special purpose device will probably be the lower cost solution for a given level of functionality.

There are also a number of security benefits to a special purpose router. For one thing, a specialized router operating system (like Cisco’s Internetwork Operating System, or IOS) can be smaller, better understood, and more thoroughly tested than a general purpose OS. (Note that for brevity, the term IOS will be used in this document to refer to the router’s operating system and associated software; hardware other than Cisco’s would run similar software.) A smaller, better-tested OS is potentially less vulnerable. Also, the mere fact that it is different means that an attacker has one more thing to learn, and that known vulnerabilities in other systems are of no help in attacking the router. Also, for security reasons it is desirable to have the access control list (ACL) up and running before enabling any interfaces or drivers. Finally, specialized routing software enables a fuller and more robust implementation of filtering. Filtering is useful as a “firewall” technique, and can also be used to partition networks and prohibit or restrict access to certain networks or servers.
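The following IOS configuration fragment is an added illustration, not text from the guide, of the three filtering points made here: an ACL that is defined before the interface it protects is brought up, packet filtering used to restrict access to a particular subnet, and (the case the next paragraph mentions) a distribute-list that keeps a routing protocol from advertising that subnet to neighbors. The addresses, interface names and ACL numbers are hypothetical; 192.0.2.0/24 is a documentation range and 10.1.99.0/24 stands in for a management subnet that should be neither reachable from nor advertised to the outside.

```cisco
! Hypothetical addressing (not from the guide): 10.1.0.0/16 is the internal
! network, 10.1.99.0/24 a management subnet, Ethernet0 faces the outside.
!
! Packet filtering. The extended ACL is created first, so it already exists
! when the outside interface is enabled; entries are matched in order.
access-list 101 deny   ip any 10.1.99.0 0.0.0.255 log
access-list 101 permit ip any 10.1.0.0 0.0.255.255
access-list 101 deny   ip any any log
!
interface Ethernet0
 description Outside link
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
 no shutdown
!
! Route filtering. Standard ACL 10 selects which prefixes may be advertised;
! the distribute-list applies it to RIP updates sent out of Ethernet0, so the
! management subnet is never announced to the outside neighbor.
access-list 10 deny   10.1.99.0 0.0.0.255
access-list 10 permit any
!
router rip
 version 2
 network 10.0.0.0
 network 192.0.2.0
 distribute-list 10 out Ethernet0
```

Both ACLs end with an explicit rule (the implicit deny at the end of every IOS ACL would also drop the traffic, but writing it out with `log` makes the dropped packets visible), and the route filter is applied per interface so that the subnet can still be advertised toward the inside.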
Using filtering, some routing protocols can prohibit the advertisement of routes to neighbors, thus helping protect certain parts of the network.

2.4.2. Description of Typical Router Hardware

A router is essentially just another computer. So, similar to any other computer, it has a central processing unit (CPU), various kinds of memory, and connections to other devices. Generally, a router does not have a hard disk, floppy drive, or CD-ROM drive.

There are typically several types of memory in a router, possibly including RAM, NVRAM, Flash, and ROM (PROM, EEPROM). These are listed roughly in order of decreasing volatility. The mix of types and the amount of each are determined on the basis of volatility, ease of reprogramming, cost, access speed, and other factors. ROM is used to store a router’s bootstrap software. Non-volatile RAM (NVRAM) is used to store the startup configuration that the IOS reads when the router boots. Flash memory stores the IOS (or other router OS), and if there is enough flash it may store more than one version of IOS. Figure 2-4 shows a simple representation of a notional router’s hardware structure.