Router Security Configuration Guide UNCLASSIFIED 86 UNCLASSIFIED Version 1.0g

Another important aspect of a routing protocol scheme is the amount of time it takes for network architecture or connectivity changes to be reflected in the route tables of all affected routers. This is usually called the rate of convergence. In a large network, OSPF offers much faster convergence than RIP.

4.4.1. Common routing hazards

A question that is often overlooked is “Why do we need to concern ourselves with security of the network?” A better question to ask would be “What kind of damage could an adversary do to our network?” Section 3 offers some motivations for overall router security. This section focuses on security issues related to routing and routing protocols. Routing security should be a top priority for network administrators who want to:

- prevent unauthorized access to resources on the network,
- protect mission information from unauthorized access, exposure, and modification, and
- prevent network failures and interruptions in service.

An unprotected router or routing domain makes an easy target for any network-savvy adversary. For example, an attacker who sends false routing update packets to an unprotected router can easily corrupt its route table. By doing this, the attacker can re-route network traffic in whichever manner he desires. The key to preventing such an attack is to protect the route tables from unauthorized and malicious changes. There are two basic approaches available for protecting route table integrity:

1. Use only static routes – This may work in small networks, but is unsuitable for large networks.
2. Authenticate route table updates – By using routing protocols with authentication, network administrators can deter attacks based on unauthorized routing changes. Authenticated route updates ensure that the update messages came from legitimate sources; bogus messages are automatically discarded.
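The second approach, authenticated route updates, works because every update carries a keyed digest that only routers holding the shared secret can produce. The following Python model is an added illustration and not code from the guide or from any router vendor: it mimics the message-digest authentication used by OSPFv2 and RIPv2 (a digest plus a non-decreasing sequence number), but uses HMAC-SHA-256 rather than keyed MD5, and the update format, key, addresses and function names are assumptions constructed for the example. It shows why a forged, tampered, or replayed update is dropped before it can touch the route table.

```python
"""Model of authenticated routing updates (added example, not from the guide).

Each update = JSON body (sequence number + routes) || keyed digest over the body.
A receiver recomputes the digest with its locally configured key and discards
anything that does not verify or does not advance the sequence number.
"""
import hashlib
import hmac
import json

# Constructed example value: the secret configured on every router in the area.
SHARED_KEY = b"example-area0-key"
DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes


def build_update(routes, seq, key):
    """Serialise a route update and append a keyed digest.

    The digest covers the sequence number and the routes, so neither can be
    altered in transit without invalidating it. Real OSPFv2/RIPv2 keyed MD5
    computes MD5(message || key); HMAC is the modern equivalent.
    """
    body = json.dumps({"seq": seq, "routes": routes}, sort_keys=True).encode()
    digest = hmac.new(key, body, hashlib.sha256).digest()
    return body + digest


def verify_update(packet, key, last_seq):
    """Return (accepted, routes, new_last_seq).

    Packets whose digest does not verify under the local key are dropped
    without being parsed; packets whose sequence number does not advance
    are treated as replays and dropped as well.
    """
    body, digest = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(digest, expected):
        return False, None, last_seq  # wrong key or corrupted body
    msg = json.loads(body)
    if msg["seq"] <= last_seq:
        return False, None, last_seq  # replayed or stale update
    return True, msg["routes"], msg["seq"]


class Router:
    """Minimal receiver: applies only updates that pass verify_update."""

    def __init__(self, key):
        self.key = key
        self.last_seq = 0
        self.route_table = {}

    def receive(self, packet):
        ok, routes, seq = verify_update(packet, self.key, self.last_seq)
        if ok:
            self.route_table.update(routes)
            self.last_seq = seq
        return ok


def demo():
    """Feed a router one legitimate update and three bogus ones.

    Returns the list of accept/reject decisions and the resulting route table.
    """
    router = Router(SHARED_KEY)
    # Constructed sample: a genuine peer advertises 10.1.0.0/16 via 192.0.2.1.
    legit = build_update({"10.1.0.0/16": "192.0.2.1"}, 1, SHARED_KEY)
    decisions = [router.receive(legit)]

    # Update built without the shared secret: digest mismatch, dropped.
    wrong_key = build_update({"10.1.0.0/16": "198.51.100.9"}, 2, b"not-the-key")
    decisions.append(router.receive(wrong_key))

    # Legitimate packet with one body byte altered in transit: dropped.
    tampered = legit[:10] + b"x" + legit[11:]
    decisions.append(router.receive(tampered))

    # Exact replay of the legitimate packet: sequence does not advance, dropped.
    decisions.append(router.receive(legit))

    return decisions, dict(router.route_table)


if __name__ == "__main__":
    print(demo())
```

The route table ends up holding only the entry from the genuine update; the three bogus packets are rejected by the digest or sequence check and never reach it, which is the behaviour the guide describes as "bogus messages are automatically discarded".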
Another form of attack an adversary might attempt against a router is a denial of service attack. This can be accomplished in many different ways. For example, preventing router update messages from being sent or received will result in bringing down parts of a network. To resist denial of service attacks, and recover from them quickly, routers need rapid convergence and backup routes.

4.4.2. ARP and LANs

Address Resolution Protocol, or ARP, is the protocol used to map IP addresses to a particular MAC or Ethernet address. ARP is described in more detail in RFC 826 and Parkhurst [2]. Proxy ARP is a method of routing packets using the Ethernet MAC