In order for a router to provide this type of functionality, it needs to understand the rules for the protocol being used. This means that a router is protocol specific. Unlike a bridge, which will handle any valid topology traffic
Routers can be a powerful tool for controlling the flow of traffic on your network. If you have a network segment that is using IPX and IP but only IP is approved for use on the company backbone, simply enable IP support only on your router. The router will ignore any IPX traffic it receives.
A wonderful feature of routers is their ability to block broadcasts. (As I mentioned in Chapter 3, broadcasts are frames that contain all Fs for the destination MAC address.) Because any point on the other side of the router is a new network, these frames are blocked.
Note There is a counterpart to this called an all-networks broadcast that contains all Fs in both the network and MAC address fields. These frames are used to broadcast to local networks when the network address is not known. Most routers will still block these all-networks broadcasts by default.
Most routers also have the ability to filter out certain traffic. For example, let’s say your company enters a partnership with another organization. You need to access services on this new network but do not want to allow your partner to access your servers. To accomplish this, simply install a router between the two networks and configure it to filter out any communication sessions originating from the other organization’s network.
Most routers use static packet filtering to control traffic flow. The specifics of how this works will be covered in Chapter 6. For now, just keep in mind that routers cannot provide the same level of traffic control that may be found in the average firewall. Still, if your security requirements are minimal, packet filtering may be a good choice—chances are you will need a router to connect your networks, anyway.
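As an added example (not from the book), the following Python model runs the bridge and router behaviour described above over constructed Ethernet II/IPv4 frames. The bridge only consults MAC addresses, so it floods broadcasts and unknown destinations; the router drops broadcasts (including the all-networks broadcast, which carries an all-Fs MAC), ignores a protocol that has not been enabled (IPX), applies a static filter that blocks sessions originating from the partner network while letting replies to our own sessions through, and forwards only to networks it holds a route for. The MAC addresses, IP addresses, port names, partner network and routing table are all assumptions made up for the example; the same contrast is what Table 4.1 summarizes.

```python
"""Added example, not from the book: a small model of bridge versus router
forwarding decisions, run over constructed frames. All addresses, ports
and the routing table are assumptions."""
import ipaddress
import struct

BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPX = 0x8137
TCP = 6
SYN, ACK = 0x02, 0x10


def build_frame(dst_mac, src_mac, ethertype, src_ip=None, dst_ip=None, tcp_flags=SYN):
    """Construct a frame: Ethernet header, plus minimal IPv4 + TCP headers for IP traffic."""
    frame = struct.pack("!6s6sH", dst_mac, src_mac, ethertype)
    if ethertype == ETHERTYPE_IPV4:
        frame += struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, TCP, 0,
                             ipaddress.ip_address(src_ip).packed,
                             ipaddress.ip_address(dst_ip).packed)
        frame += struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, tcp_flags, 8192, 0, 0)
    return frame


def parse_frame(frame):
    """Extract what a bridge (MACs) and a router (network, host, TCP flags) look at."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": dst, "src_mac": src, "ethertype": ethertype}
    if ethertype == ETHERTYPE_IPV4:
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4                       # IPv4 header length in bytes
        info["src_ip"] = ipaddress.ip_address(ip[12:16])
        info["dst_ip"] = ipaddress.ip_address(ip[16:20])
        if ip[9] == TCP:
            info["tcp_flags"] = ip[ihl + 13]           # TCP flags byte
    return info


class Bridge:
    """Datalink-layer device: all ports share one network; only MACs are consulted."""

    def __init__(self):
        self.mac_table = {}   # MAC -> port, learned from source addresses

    def decide(self, frame, in_port):
        f = parse_frame(frame)
        self.mac_table[f["src_mac"]] = in_port
        if f["dst_mac"] == BROADCAST_MAC or f["dst_mac"] not in self.mac_table:
            return "flood"    # broadcasts and unknown destinations go out every other port
        return f"forward via {self.mac_table[f['dst_mac']]}"


class Router:
    """Network-layer device: each port is a separate network; only enabled protocols pass."""

    def __init__(self, routes, partner_net):
        self.routes = {ipaddress.ip_network(n): p for n, p in routes.items()}
        self.partner_net = ipaddress.ip_network(partner_net)

    def decide(self, frame):
        f = parse_frame(frame)
        if f["dst_mac"] == BROADCAST_MAC:
            return "drop: broadcast"               # never crosses into a new network
        if f["ethertype"] != ETHERTYPE_IPV4:
            return "drop: protocol not enabled"    # e.g. IPX when only IP is routed
        # Static packet filter: SYN without ACK marks a new session; replies to
        # sessions we opened (SYN+ACK, ACK) from the partner network are allowed.
        if f["src_ip"] in self.partner_net and (f.get("tcp_flags", 0) & (SYN | ACK)) == SYN:
            return "drop: session from partner network"
        for net, port in self.routes.items():
            if f["dst_ip"] in net:
                return f"forward via {port}"
        return "drop: no route"


if __name__ == "__main__":
    A, B = bytes.fromhex("001122334455"), bytes.fromhex("00667788 99aa".replace(" ", ""))
    router = Router({"10.1.0.0/16": "eth0", "192.168.50.0/24": "eth1"}, "192.168.50.0/24")
    print(router.decide(build_frame(BROADCAST_MAC, A, ETHERTYPE_IPV4, "10.1.0.5", "255.255.255.255")))
    print(router.decide(build_frame(B, A, ETHERTYPE_IPX)))
    print(router.decide(build_frame(B, A, ETHERTYPE_IPV4, "192.168.50.7", "10.1.0.5", SYN)))
    print(router.decide(build_frame(B, A, ETHERTYPE_IPV4, "192.168.50.7", "10.1.0.5", SYN | ACK)))
```

The SYN-without-ACK check is the classic static-filter trick for telling a session-opening segment from return traffic; it is exactly the kind of rule Chapter 6 goes into, and it is also why a static filter is weaker than a stateful firewall: a segment from the partner network with ACK set is waved through whether or not any session actually exists.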
A Comparison of Bridging/Switching and Routing
Table 4.1 represents a summary of the information discussed in the preceding sections. It provides a quick reference to the differences between controlling traffic at the datalink layer (bridges and switches) and controlling traffic at the network layer (routers).
Table 4.1: Bridging/Switching versus Routing
A Bridge (Switch):                                  A Router:
Uses the same network address off all ports         Uses different network addresses off all ports
Builds tables based on MAC address                  Builds tables based on network address
Filters traffic based on MAC information            Filters traffic based on network or host information
Forwards broadcast traffic                          Blocks broadcast traffic
Forwards traffic to unknown addresses               Blocks traffic to unknown addresses
Does not modify frame                               Creates a new header and trailer
Can forward traffic based on the frame header       Must always queue traffic before forwarding
Layer-3 Switching
Now that you have a clear understanding of the differences between a switch and a router, let’s look at a technology that, on the surface, appears to mesh the two. Layer-3 switching, switch routing, and router switching all are used interchangeably to describe the same devices.
So what exactly is a switch router? The device is not quite as revolutionary as you might think. In fact, these devices are more an evolution of existing router technology. The association with the word “switch” is more for marketing appeal to emphasize the increase in raw throughput these devices can provide.
These devices typically (but not always) perform the same functions as a standard router. When a frame of data is received, it is buffered into memory and a CRC check is performed. Then, the topology frame is stripped off the data packet. Just like a regular router, a switch router will reference its routing table to determine the best route of delivery, repackage the data packet into a frame, and send it on its merry way.
How does a switch router differ from a standard router? The answer lies under the hood of the device. Processing is provided by application-specific integrated circuit (ASIC) hardware. With a standard router, all processing was typically performed by a single RISC (Reduced Instruction Set Computer) processor. In a switch router, components are dedicated to performing specific tasks within the routing process. The result is a dramatic increase in throughput.
Keep in mind that the real goal of these devices is to pass information along faster than the standard router. In order to accomplish this, a vendor may choose to do things slightly differently than the average router implementation in order to increase throughput (after all, raw throughput is everything, right?). For example, a specific vendor implementation may not buffer inbound traffic in order to perform a CRC check on the frame. Once enough of the frame has been read in order to make a routing decision, the device may immediately begin transmitting information out the other end.
From a security perspective, this may not always be a good thing. Certainly performance is a concern—but not at the cost of accidentally passing traffic that should have been blocked. Since the real goal of a switch router is performance, it may not be as nitpicky as the typical router about what it passes along.
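The two paragraphs above describe a concrete failure mode, so here is an added example (not from the book) that models it in Python. A constructed frame carries a CRC-32 trailer (the polynomial the Ethernet FCS uses); a store-and-forward router buffers the whole frame and verifies the trailer before routing, while a cut-through switch router makes its decision once the first 34 bytes (Ethernet + IPv4 header) have arrived and never sees the trailer. When line noise flips one bit in the destination address, the store-and-forward device drops the frame as a CRC error, whereas the cut-through device routes the now-corrupted header out the partner port. The routing table, port names and addresses are assumptions chosen so that a single bit flip moves the destination between the two networks.

```python
"""Added example, not from the book: store-and-forward versus cut-through
routing of a constructed frame that is corrupted in transit. The routing
table, port names and addresses are assumptions."""
import ipaddress
import struct
import zlib

ETH_HDR = 14
IPV4_HDR = 20
# Assumed static routing table: a single bit flip in the second octet moves
# a 10.1.x.x destination into the partner's 10.129.x.x network.
ROUTES = {"10.1.0.0/16": "internal", "10.129.0.0/16": "partner"}


def build_frame(dst_mac, src_mac, src_ip, dst_ip, payload=b"GET / HTTP/1.0\r\n"):
    """Ethernet II + minimal IPv4 header + payload, followed by a CRC-32 trailer
    computed over everything before it, as the Ethernet FCS is."""
    body = struct.pack("!6s6sH", dst_mac, src_mac, 0x0800)
    body += struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + len(payload), 0, 0, 64, 17, 0,
                        ipaddress.ip_address(src_ip).packed,
                        ipaddress.ip_address(dst_ip).packed)
    body += payload
    return body + struct.pack("<I", zlib.crc32(body))


def flip_bit(frame, offset, mask):
    """Simulate line noise: flip one bit after the trailer was computed."""
    damaged = bytearray(frame)
    damaged[offset] ^= mask
    return bytes(damaged)


def fcs_ok(frame):
    """True when the trailer matches the CRC of the rest of the frame."""
    body, (fcs,) = frame[:-4], struct.unpack("<I", frame[-4:])
    return fcs == zlib.crc32(body)


def lookup(dst_ip):
    for net, port in ROUTES.items():
        if dst_ip in ipaddress.ip_network(net):
            return port
    return None


def store_and_forward(frame):
    """Standard router: buffer the whole frame, verify the trailer, then route."""
    if not fcs_ok(frame):
        return "drop: CRC error"
    dst = ipaddress.ip_address(frame[ETH_HDR + 16:ETH_HDR + 20])
    port = lookup(dst)
    return f"forward via {port}" if port else "drop: no route"


def cut_through(frame):
    """Throughput-first switch router: route as soon as the IPv4 header is in.
    Only the first 34 bytes exist at decision time; the trailer is never checked."""
    received_so_far = frame[:ETH_HDR + IPV4_HDR]
    if len(received_so_far) < ETH_HDR + IPV4_HDR:
        return "drop: truncated"
    dst = ipaddress.ip_address(received_so_far[ETH_HDR + 16:ETH_HDR + 20])
    port = lookup(dst)
    return f"forward via {port}" if port else "drop: no route"


def compare(frame):
    """Run both devices over the same frame and report their decisions."""
    return {"store_and_forward": store_and_forward(frame), "cut_through": cut_through(frame)}


if __name__ == "__main__":
    gateway, host = bytes.fromhex("00aabbccddee"), bytes.fromhex("001122334455")
    good = build_frame(gateway, host, "10.1.0.9", "10.1.5.5")       # internal -> internal
    bad = flip_bit(good, ETH_HDR + 17, 0x80)                       # 10.1.5.5 -> 10.129.5.5
    print(compare(good))
    print(compare(bad))
```

The offset ETH_HDR + 17 is the second octet of the IPv4 destination address; flipping its top bit turns 10.1.5.5 into 10.129.5.5. The model is deliberately simple, but it shows why the trade-off matters on a segment boundary you rely on for isolation: the device that skips the CRC check is also the one that can deliver a frame to a network it was never addressed to.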
Layer-3 switching has some growing up to do before it can be considered a viable replacement for the time-tested router. Most modern routers have progressed to the point where they are capable of processing more than one million packets per second. Typically, higher traffic rates are required only on a network backbone. To date, this is why switches have dominated this area of the network.
Switch routing may make good security sense as a replacement for regular switches, however. The ability to segregate traffic into true subnets instead of just collision domains brings a whole new level of control to this area of the network.
can access. This is a much higher level of granular control than is provided with a regular switch. Switch routing can help to fortify the security of your internal network without the typical degradation in performance. If your security requirements are light, a switch router may be just the thing to augment your security policy.
Note We will look at some examples of implementing an access control list (ACL) on a Cisco router in Chapter 6.
Summary
We’ve covered a lot of ground in this chapter. We discussed the basics of communication properties and looked at transmission media and hardware from a security perspective. We also discussed what traffic control options are available with typical network hardware. In the next few chapters, we’ll look at systems that are specifically designed to implement security policies. We will start by discussing firewalls and then work our way into intrusion-detection systems.
Chapter 5: Firewalls
In this chapter, we will discuss firewalls and their implementation. Not all firewalls operate in the same way, so you should select a firewall based upon the security it provides, while ensuring that it is a proper fit for your business requirements. For example, if the firewall you choose will not support AOL’s Instant Messenger and IM is a critical business function, it may have been cheaper to simply buy a pair of wire cutters. Before we discuss firewalls, we will review what information you need to collect in order to make an informed purchase decision.