This module considers methods for selecting switches and routers. It identifies features that are available in these devices and helps you to choose which features you may require. Switches and routers are grouped into classes determined by typical features in each class. From these classes you should be able to determine the types of switches and routers that your organization requires. There are many types of switches and routers available and, because they seem to offer similar features, it can be difficult to make the right choice. This module identifies salient features and explains how they can meet your requirements. It also covers router and switch security and explains how to ensure the security of your router and switch configuration.
Use this module to:
• Help choose the appropriate switches and routers for your organization.
• Identify key security considerations for routers and switches.
• Secure your router and switch configurations.
This module applies to the following technologies:
• Ethernet switches
• Ethernet and Internet Protocol (IP) routers
This module will help you to select the most appropriate switches and routers for your organization. It provides a checklist of desirable features in switches and routers and explains the function of each feature. You can use this checklist to determine which features you require. It then classifies switches and routers into groups based on the features each group has. No single switch or router will satisfy all of your organization's requirements, but by comparing your requirements against the classes you can determine the best products for each location.
This section considers the requirements for routers and switches in the enterprise network, the types of devices that can meet those requirements, and the options available for their deployment. Routers and switches are two critical components in the network, and proper selection of these key devices helps ensure that the network provides fast and reliable service and can adapt to rapidly changing needs.
When designing the implementation of switches and routers, the following inputs are required:
• Network architecture
• Routing protocols
• Availability
You should design your network before determining which class of routers or switches you need, where those devices should be placed in relation to each other, and what functionality is required. The following information is required from the network design before choosing the router and switch classes:
1. How many devices are currently present on the network, how many need connectivity now, and what is the estimated future growth?
2. Which devices need to communicate with which others?
3. How much bandwidth is required between the different devices that need to communicate?
4. Where is switching (versus routing) required in the network design?
5. Are virtual local area networks (VLANs) required and, if so, how many, which hosts will be on each VLAN, and will any routing be performed between VLANs?
6. What is the acceptable latency?
There are many organizational structures, and many ways of designing a network architecture around them. However, there are two popular models which could be used as a basis for your design: the multilevel switching architecture, for use perhaps at your head office, and the small branch office architecture.
Figure 1 shows an example of a multilevel architecture, typically used where there is a public website layer and a backend database layer. Starting from the public-facing side of the network and moving inward from there, the first segment is a border network with a border router facing the Internet which provides initial firewall capability. This is followed by a switch which links the router to a perimeter firewall, and the latter provides a more robust firewall. The perimeter firewall in turn connects via a switch to Web servers in the perimeter network, and the Web servers connect via another switch to an internal firewall. The internal firewall then connects by a switch to the internal servers and user PCs in the backend network. This figure shows a logical design, but physically all the switches could be separate VLANs on the same switch. Preferably the border switch is a separate device, as this is in a less secure zone. The backend switch can also be multiple switches, depending upon your preference for a single large switch or multiple smaller switches.
Figure 2 shows an architecture suitable for use at a small branch office. This comprises three network devices: a modem, a router, and a switch. These three devices could be combined in two devices or a single device depending on the network connection. Low cost routers often contain an Ethernet switch and a firewall function, while for broadband connection a modem can also be incorporated in the router.
In designing the network, an important decision has to be made about which routing protocol or protocols to use for the exchange of routing information. Routers need routing tables to indicate how to reach destination networks. Routing tables can be configured manually as static routes, but these are only suitable for small networks. The alternative is to use routing protocols whereby the routing table is built up by automatically discovering other networks. If a link fails, the failed link is removed automatically from the routing table, so the router always knows the best active route to a destination network.
The following list describes the two primary industry standard routing protocols used in a network, RIP and OSPF, and a special protocol, BGP.
• Routing Information Protocol (RIP): RIP is designed for exchanging routing information in a small- to medium-sized inter-network and is widely available on a variety of routers. The biggest advantage of RIP is that it is extremely simple to configure, but it has several major disadvantages: it is unable to handle large networks, it generates a large volume of network traffic, and it is slow to respond to network failures (convergence time). For these reasons, it is usually not considered for anything other than small local area networks (LANs). For further information about RIP go to: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/serverhelp/8959B951-8A50-4B2F-96B7-EB5F83DDDF5D.mspx
• Open Shortest Path First (OSPF): OSPF is an industry standard routing protocol that is very efficient and scales well to large networks. The advantages of OSPF are that it causes very little network overhead, even in very large inter-networks, and responds rapidly to link failures. The main disadvantages of OSPF are its complexity and the fact that it is more difficult to configure and administer. Most enterprise networks today use OSPF as their routing protocol because it is more efficient than RIP. It is usually available on midrange to large routers and sometimes on smaller routers. For further information about OSPF go to: http://technet2.microsoft.com/windowsserver/en/library/CE541016-4ACD-4810-86E7-D3C4703836FF1033.mspx?mfr=true
• Border Gateway Protocol (BGP): BGP is an exterior gateway routing protocol used on Internet-connected routers to provide both routing availability and load-balancing capability. Generally, BGP is only available on large routers, and you should discuss its configuration with your Internet Service Provider (ISP).
High availability is required in a network, and the larger the network, the higher the availability required. There are a number of ways in which routers and switches can be configured and located to meet these availability requirements. These include duplicate components, such as power supplies and engines in the network devices, and duplication of the devices themselves. The latter approach adds considerably to the cost but can provide a totally resilient solution.
This section defines the following types of network devices:
• Switches
• Routers
These devices are at the core of the network, linking together all the local area network (LAN) and wide area network (WAN) segments.
Switches are used to link physical segments of a network together and allow data to move between these segments. Switches operate at layer 2 of the OSI model and direct traffic based on the layer 2 address; for example the Ethernet MAC address. Some switches also provide additional functions such as VLANs and layer 3 switching.
Switches configure themselves automatically. They listen to traffic on each Ethernet port and discover to which port each attached device is connected. The switch then sends traffic directly to the destination port. Unless additional features require activation, the switch requires no configuration, which is a major benefit when installing a network. The switching process is performed in hardware at wire speed with negligible latency.
Originally switches linked segments with multiple devices but as switch prices dropped, it became normal to attach a single device to each port. This is known as "switched" Ethernet rather than "shared" Ethernet. With only one active device per port there can be no collisions, so network performance is improved and devices can run in full duplex to achieve higher throughput.
Network traffic includes broadcast messages, and these have to be copied to every port, which has a significant impact in a large network. Because most users want to communicate with a limited group of servers and associates, any broadcast traffic could be sent just within that group. One method of reducing the broadcast traffic is to provide a switch for each group and then link the switches together with a router, because a router does not forward broadcasts. Another method is to use VLANs on the switch. A VLAN is a group of devices that are configured to communicate as if they were attached to the same wire, when in fact they are located on a number of different physical LAN segments. A broadcast from one member of the VLAN only goes to other members of the same VLAN, thereby reducing the spread of broadcast traffic.
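The learning behaviour described above (the switch discovers which port each device is on by listening to source addresses, forwards known destinations to a single port, and floods broadcasts) and the VLAN isolation described in this paragraph can be modelled in a few lines. The following Python simulation is an added example, not code from the original module; the MAC addresses, port numbers and VLAN assignments are constructed for the illustration, and a port's VLAN is assumed to be a simple per-port setting (an access port).

```python
"""Learning switch with port-based VLANs: an added example, not part of the
original module. MAC addresses, port numbers and VLAN assignments are
constructed for the illustration."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Models what a basic Ethernet switch does without any configuration:
    learn which port each source MAC lives on, forward known destinations
    to one port, and flood everything else. VLAN membership is an optional
    per-port setting; a switch with every port in the same VLAN behaves
    like an unconfigured Class 1 switch."""

    def __init__(self, port_vlans):
        # port number -> VLAN id (access ports: exactly one VLAN per port)
        self.port_vlans = dict(port_vlans)
        # (vlan, mac) -> port, built purely by listening to source addresses
        self.mac_table = {}

    def ports_in_vlan(self, vlan):
        return sorted(p for p, v in self.port_vlans.items() if v == vlan)

    def receive(self, in_port, src, dst):
        """Handle one frame arriving on in_port; return the ports it leaves on."""
        vlan = self.port_vlans[in_port]
        src, dst = src.lower(), dst.lower()
        # Learning step: the sender is reachable through in_port. A later frame
        # from the same MAC on another port overwrites the entry (real switches
        # also age entries out after a timeout, which this model omits).
        self.mac_table[(vlan, src)] = in_port
        out_port = self.mac_table.get((vlan, dst))
        if dst == BROADCAST or out_port is None:
            # Broadcast or unknown unicast: flood to the VLAN's other ports only.
            # Ports in other VLANs never see the frame; that is the reduction in
            # broadcast traffic the text describes.
            return [p for p in self.ports_in_vlan(vlan) if p != in_port]
        # Known unicast: send out exactly one port, never back where it came from
        return [] if out_port == in_port else [out_port]


def demo():
    """Walk through learning and VLAN isolation; returns the egress ports per step."""
    sw = LearningSwitch({1: 10, 2: 10, 3: 10, 4: 20, 5: 20})  # constructed topology
    a, b, d = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0d"
    steps = {}
    steps["unknown_unicast"] = sw.receive(1, a, b)    # B unknown: flooded to ports 2 and 3
    steps["reply"] = sw.receive(2, b, a)              # A was learned on port 1
    steps["known_unicast"] = sw.receive(1, a, b)      # B now learned on port 2
    steps["broadcast"] = sw.receive(4, d, BROADCAST)  # stays inside VLAN 20: port 5 only
    steps["cross_vlan"] = sw.receive(4, d, a)         # A is unknown in VLAN 20: flooded within VLAN 20 only
    return steps


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name:16s} -> ports {ports}")
```

The last step is the point of the VLAN: host A is reachable on port 1, but because port 1 is in VLAN 10 the frame from VLAN 20 is never delivered there, so the two groups share the hardware without sharing traffic.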
Routers operate at layer 3 of the OSI model. They pass traffic between two different IP networks which may be either LANs or WANs. The routing process is based on examining the destination IP address of the incoming data and sending on the data through an egress port based upon a routing table. Routing tables can be manually configured or discovered using routing protocols but, unlike switches, routers will always require some configuration.
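To make the routing decision concrete (examine the destination IP address, pick the egress port from the routing table, and, when a link fails, fall back to whatever route remains), here is an added Python example that is not part of the original module. The prefixes, interface names and next-hop addresses are constructed from the documentation and private ranges; it uses the longest-prefix-match rule that real routers apply when several table entries contain the destination.

```python
"""IP forwarding lookup with longest-prefix match and route withdrawal: an
added example, not part of the original module. Prefixes, interface names
and next hops are constructed (documentation ranges 192.0.2.0/24,
198.51.100.0/24 and 203.0.113.0/24, plus private 10.0.0.0/8)."""
import ipaddress


class Router:
    def __init__(self):
        # Each entry: (destination network, egress interface, next hop or None if directly connected)
        self.routes = []

    def add_route(self, prefix, interface, next_hop=None):
        self.routes.append((ipaddress.ip_network(prefix), interface, next_hop))

    def link_down(self, interface):
        """Withdraw every route via the failed link. A routing protocol does this
        automatically when the adjacency drops; static routes need manual removal."""
        self.routes = [r for r in self.routes if r[1] != interface]

    def lookup(self, destination):
        """Return the egress interface for a destination IP, or None if no route matches."""
        addr = ipaddress.ip_address(destination)
        best = None
        for net, interface, next_hop in self.routes:
            # Longest-prefix match: the most specific matching network wins
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, interface, next_hop)
        return None if best is None else best[1]


def demo():
    """Constructed table for a site router; returns the egress interface chosen per case."""
    r = Router()
    r.add_route("0.0.0.0/0", "wan0", "203.0.113.1")    # default route towards the ISP
    r.add_route("10.0.0.0/8", "wan1", "10.255.255.1")  # other company sites via a private WAN link
    r.add_route("10.1.0.0/16", "lan0")                  # the directly connected local LAN
    r.add_route("192.0.2.0/24", "dmz0")                 # directly connected perimeter network
    results = {}
    results["local_lan"] = r.lookup("10.1.20.7")        # /16 beats /8 and /0: lan0
    results["remote_site"] = r.lookup("10.9.0.1")       # only /8 and /0 match: wan1
    results["internet"] = r.lookup("198.51.100.5")      # only the default route matches: wan0
    r.link_down("wan1")                                 # the private WAN link fails
    results["remote_site_failover"] = r.lookup("10.9.0.1")  # now follows the default route: wan0
    r.link_down("wan0")                                 # the ISP link fails as well
    results["no_route"] = r.lookup("198.51.100.5")      # nothing matches: the packet is dropped
    return results


if __name__ == "__main__":
    for case, egress in demo().items():
        print(f"{case:22s} -> {egress}")
```

The failover step shows why the text prefers routing protocols to static routes on anything but a small network: once the route via wan1 is withdrawn, traffic for the remote site follows the less specific default route instead of being black-holed, and only when no entry matches at all is the packet dropped.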
Large switches may also include a router, typically on an add-in card. This is often described as layer 3 switching but it is functionally identical to routing.
Routers and switches have been split into classes to identify the different levels of devices available and the features provided. If a router or a switch fits into a specific class, it can support all features linked to that class of devices.
Several core features make up the overall router and switch classes. In particular, the processing power of a router or switch is a major criterion in addition to its upgradeability, flexibility, and resilience. Low-end switches and routers are generally designed for a specific task and, to keep the price down, have little or limited expansion capability. As you move up the classes, not only more power but also greater expansion capability is available. The highest classes also provide resilience.
Selecting the correct switch or router can be confusing with a plethora of claims from each manufacturer that they have the most, the fastest, the cheapest set of features. In order to evaluate products you will have to discriminate between features and benefits. A feature is something a product has or can do but it is only a benefit if it is of use to you. For example, the ability to connect to fiber optic cable rather than just copper is a benefit in a large data center where one switch is connected to another. However, this is of no use in a small office with only a single switch.
Before selecting a switch or router, the network should be designed and then devices evaluated to match that design. There is likely to be more than one design suitable and the different architectures should be evaluated. While the purchase price is a major criterion, the running costs should be included as a low cost device may have high operating costs.
For a large organization a major design decision is whether to have multiple switches, or a few very large switches at the central site. The preferred design is a few large switches but this partly depends upon the physical layout of the central site offices. Many small switches may lead to manageability problems while larger switches may require VLANs and be more complex to configure.
The following are the most common features found in switches and routers. Each feature is explained and evaluated. As you go through the list check whether each feature is relevant to your organization. For example, most companies have a large head office, and many small remote offices. The large office is more likely to require features such as resilience and scalability while low cost may be more desirable at small, but very numerous, offices.
This list shows desirable features common to both switches and routers, and is followed by features individual to either a switch or router.
• Scalability: Expanding the number of Ethernet ports is usually very useful, particularly in switches at large sites, as the number of users and servers may grow. You do not want to install a switch that cannot cope with future growth, as it will eventually have to be discarded and replaced by another switch. Switches tend to be either:
Expansion in routers is also desirable, but growth may not be as dramatic as in a switch. What frequently changes in routers are the WAN links, either because the WAN technology is changed, from ISDN to ADSL for example, or because additional WAN links are implemented. While expansion capability is always desirable it comes at a cost, and for branch offices a fixed configuration switch/router may be the most effective product.
• High speed Ethernet support: The normal speed of Ethernet today is 100Mbps rather than the original 10Mbps. The cost of Gigabit Ethernet is dropping dramatically, but generally its use is confined to servers and backbone links between switches as the PC cards are still expensive. 10Gbps Ethernet is also emerging and, as costs drop, will probably displace Gigabit Ethernet for the most important backbone links. All switches and routers should support 100Mbps Ethernet, but usually only mid to high range models will support higher speeds.
• Resilience: What happens when a component of the switch or router fails? Does the whole unit die, or does it have a redundant design so it can keep on running? Higher level switches and routers may include duplicate components such as power supplies, engines, and switch fabrics so that a failure does not affect operations. In a large device with many connections this is a very desirable feature. However, in a smaller switch or router, for example at a small remote office, the additional cost may not be justified. As an alternative, can two switches or routers work in parallel, with one functional and the other in hot standby, waiting to take over if the primary fails? Is there a mechanism available to handle the switchover automatically?
• Manageability: Switches start functioning without requiring any configuration, and learn the network topology by listening to Ethernet frame transmissions and deducing the port location of each device. All switches perform this function, but access to the switch is desirable for additional configuration and monitoring purposes. Lower end switches have no configuration options, but as the feature set increases configuration is required to make best use of these features. Routers always require configuration, to define port IP addresses and the method to be used for building routing tables. Remote access over the network is required to configure and manage the devices. This can significantly reduce the management costs, since visits to the devices to rectify problems may not be required. Additionally the devices can be monitored by network management software, reporting errors automatically.
• Voice over IP (VoIP): Voice over IP is the ability to pass voice conversations over the local Ethernet network and perhaps over your WAN. The immediate benefit is the reduction in cabling, since the voice shares the Ethernet cable with data rather than having a separate telephony cable network, but the future benefit is the increased flexibility in positioning staff and equipment. The traditional legacy PBX is usually replaced by an IP PBX based on a standard PC platform rather than proprietary hardware. For a data center with an existing telephone network, VoIP may not be necessary in the near term but in the future may be required as the organization expands, or business needs evolve. Switches and routers suitable for handling VoIP should have two features:
• Security: Security is increasingly becoming a very significant requirement in all network components. Implementing security is discussed in more detail later in this module, but switches and routers should be evaluated with security in mind to see whether there are any special features which make security easier to implement. There are two areas of security involved. First, there are security intrusions carried by the network that the device may be able to curtail; these may be aimed at any device on the network, including the router or switch itself. Does the device (primarily routers) have a firewall capability? Second, there are security intrusions targeted at the device itself, that is, attacks intended to access the configuration of the device. To prevent the latter, can additional controls be implemented restricting who has configuration access? Low cost switches cannot usually be configured, nor do they have IP addresses, so they are relatively immune from network-borne attacks. Large switches and routers will usually have sophisticated access control mechanisms, and they can also be configured to limit intrusion. Midrange switches and routers are probably the most vulnerable, but if a good firewall system is in use external intrusions can be eliminated. Can the device support VLANs, improving security by limiting user access to related servers?
• Support: Support from the manufacturer is very important in a large network. Generally the support will be dependent upon what you pay. Low cost devices will usually have only email support, with no guaranteed response time. The more expensive a device is, the more complex it is likely to be, and you may require a support contract. Purchasing all the switches and routers from the same manufacturer reduces the inter-device problems that can occur when each manufacturer blames the other for any difficulties that you experience.
• Product range and manufacturer viability: For each class of switch or router, there may be manufacturers who provide the best device for that class, but they may not be able to provide devices in the other classes. For example, at the small office level there are a large number of manufacturers with good products at very competitive prices, but most of these manufacturers do not produce products suitable for a large enterprise. The longevity of the manufacturer and the service level they can provide for problems should also be considered, as many small manufacturers experience fierce competition and may not survive.
• Cost: Inevitably purchase cost is a major factor in device selection, but running costs should also be included. Switches are often classified on the basis of their price per port. This is measured by taking the total cost of the switch and dividing it by the number of Ethernet ports to get the individual cost of each port. This measurement should only be used to compare switches in the same class, as it does not take into account the additional features gained by moving up the classes. For example, simple switches probably have the best price per port but also have the fewest features. Routers do not have the same cost comparison method but should be gauged on their routing performance and flexibility. You may be tempted to make a selection based on the most competitive price in each class. However, the cost of operation and maintenance must also be considered, for example, the cost of training the staff in different methods of configuring devices for each manufacturer.
• Performance: Assessing the processing power or performance of a router or switch is more complex than assessing a computer, where the CPU power can be used as a starting point. A router or a switch is usually based on the manufacturer's own proprietary hardware and, although there is a CPU, it does not provide an accurate indication of the overall power. Switch performance is measured in both number of bits per second (bps) and packets per second (pps), while router performance is usually measured in just pps. Router and switch manufacturers often do not reveal the performance of their devices. Additionally, there is no industry standard for measuring performance, making direct comparisons difficult. Manufacturers of small routers also tend not to reveal the performance figures.
This section highlights desirable features specific to switches.
• Spanning Tree Protocol: The Spanning Tree Protocol is used to calculate the best path between switches where there are multiple switches and multiple paths through the network. This is necessary to prevent data being sent down multiple paths simultaneously, resulting in duplication of the data. It is essential in a large network that the switches support this protocol, but it is often not available in small switches.
• VLAN support: VLANs are used to segment the network into groups of computers with similar communication requirements, thereby cutting down on network traffic. They can be used on any size of network but are particularly desirable where a few very large switches are installed. Low cost switches frequently do not support VLANs. This is unimportant in a small network, but VLAN support is essential for large networks.
• Uplink connectivity: Uplinks are used to connect switches together in the network. While all switches can be connected via ordinary Ethernet links, higher class switches support higher speed links using trunking protocols intended for switch-to-switch connection.
• Consolidation: Amalgamating other functions within the switch may reduce costs and improve manageability. For example, low cost switches intended for small branch offices may also include a router and firewall, and perhaps even a broadband modem. As well as reducing costs this also simplifies manageability, as there is only one physical unit. High end switches can also incorporate a router module, known as Layer 3 switching, as well as other functions such as load balancing and a firewall. Again, this often improves manageability of the network. This consolidation should be considered carefully, as it may result in a reduction in resilience since total failure of the box will bring down all consolidated services.
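The Spanning Tree Protocol item above says only that the protocol picks one path where several exist. The following Python model, an added example that is not part of the original module, shows the outcome of that calculation for a constructed four-switch network with two loops: the lowest bridge ID becomes the root, each other switch keeps the link on its cheapest path to the root, and on every remaining link the end farther from the root blocks its port. It then recomputes the tree after one link fails, which is how the protocol restores connectivity. The BPDU exchange, port states and timers of the real protocol are deliberately omitted; the network is assumed to be connected.

```python
"""Simplified model of the loop-free topology that the Spanning Tree Protocol
computes: an added example, not part of the original module. Bridge IDs,
links and costs are constructed; the BPDU exchange, port states and timers
of the real protocol are omitted, and the network is assumed connected."""
import heapq


def spanning_tree(bridges, links):
    """bridges: iterable of bridge IDs (the lowest ID is elected root, as in STP).
    links: {(a, b): cost} with a < b, one entry per physical switch-to-switch link.
    Returns (root, forwarding links, blocked ports), where a blocked port is the
    pair (bridge that blocks its port, neighbour at the other end of the link)."""
    adj = {b: [] for b in bridges}
    for (a, b), cost in links.items():
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    root = min(bridges)

    # Root path cost of each bridge: cheapest path from the root; a tie between
    # two equally cheap upstream bridges is broken by the lower upstream ID.
    best = {}                    # bridge -> (root path cost, upstream bridge)
    heap = [(0, root, root)]     # (cost, upstream, bridge)
    while heap:
        cost, upstream, node = heapq.heappop(heap)
        if node in best:
            continue
        best[node] = (cost, upstream)
        for nbr, link_cost in adj[node]:
            if nbr not in best:
                heapq.heappush(heap, (cost + link_cost, node, nbr))

    # The link to each bridge's upstream is its root port and forwards traffic.
    forwarding = {tuple(sorted((node, up))) for node, (_, up) in best.items() if node != root}

    # Every other link would close a loop; the end farther from the root (or,
    # on a tie, the higher bridge ID) blocks its port so frames take one path only.
    blocked = []
    for a, b in links:
        if (a, b) in forwarding:
            continue
        farther = a if (best[a][0], a) > (best[b][0], b) else b
        blocked.append((farther, b if farther == a else a))
    return root, sorted(forwarding), sorted(blocked)


def demo():
    """Four switches with two loops, before and after link A-B fails (constructed data)."""
    bridges = {"A", "B", "C", "D"}
    links = {("A", "B"): 4, ("A", "C"): 4, ("B", "C"): 4, ("B", "D"): 4, ("C", "D"): 4}
    before = spanning_tree(bridges, links)
    after_failure = spanning_tree(bridges, {k: v for k, v in links.items() if k != ("A", "B")})
    return before, after_failure


if __name__ == "__main__":
    for label, (root, fwd, blk) in zip(("before", "after A-B fails"), demo()):
        print(f"{label}: root={root} forwarding={fwd} blocked={blk}")
```

Before the failure, B-C and C-D are blocked at C and D respectively, so there is exactly one active path between any two switches; after A-B fails, B reaches the root through C and the previously blocked C-B port comes into use while D-B is blocked instead. A switch without this protocol would forward frames round the loop indefinitely, which is why the text calls support for it essential where multiple inter-switch paths exist.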
This section defines a number of classes of switches. The classes are not rigid and you may find a specific model from a manufacturer may belong in more than one class due to upgrade options, while two different models from that manufacturer belong in the same class. The switch classes covered in this section are:
• Class 1 - Low-end Fixed Switches
• Class 2 - Low-end Flexible Switches
• Class 3 - Midrange Switches
• Class 4 - High-end Switches
Low-end switches have limited features and expansion capabilities and no fault tolerance. This class of switches is designed to have a fixed number of Ethernet ports (typically between 4 and 24) and their limited performance is usually adequate in view of the connectivity restrictions.
The switches in this class are inexpensive but they lack upgradeability and flexibility. Ethernet connectivity is built into the hardware and features of the device (for example, number of ports) cannot be changed as requirements change. Low-end switches are designed for stand-alone operation, without coordination of traffic with other switches. They may not support features such as Spanning Tree Protocol, remote management, high-speed uplinks, and VLANs. Uplinks to other switches can usually be supported at the standard Ethernet speeds using either a special port or an Ethernet crossover cable. The switch function may also be combined with a router.
Typically these switches are designed for small offices, branch offices of large organizations, and home users. Lack of management capability is probably of no consequence for small businesses or home users; however, it becomes a significant weakness when used for branch offices of an enterprise. Table 1 summarizes Class 1 switch features.
Table 1: Class 1 - Low End Fixed Switches
Typical Features:
• No configuration required or available
• No expansion capability
• Probably no support for Spanning Tree Protocol
• No VLAN support
• No remote management
• Limited manufacturer support
• No VoIP support
• Cost - Low
The advantages of low-end fixed switches include:
• Affordability: These devices are generally inexpensive because of their simple physical construction and feature set; also, there are many manufacturers in fierce competition. If their deficiencies can be ignored, they offer the best value among all switch classes in terms of price per port.
• Simple configuration: These devices usually have no configuration options and they are very easy to install; the switch discovers its environment and configures itself. Having no configuration options is a benefit when installed at a remote site because that makes it safe from tampering.
The disadvantages of low-end fixed switches include:
• Not upgradeable: As a consequence of the low cost of construction, these devices usually have no upgradeability when more Ethernet ports are required.
• No configuration and manageability: These devices have no configurable options and there is no configuration program to enable remote management and monitoring. Typically, these devices are installed in small remote sites without local technical support, so the lack of monitoring capability can be a serious deficiency. As a further consequence of the lack of configurability, the switch will not support the Spanning Tree Protocol or VLANs, which means that this class of switches is not a preferred choice for a large central enterprise network.
• Limited support: Support for this class of switches is usually limited and is provided through Web sites, FAQs, and email contact with no guaranteed levels of service. There is fierce competition, the product life cycle is very short, and models are frequently replaced with consequential downgrading of support for obsolete models. Warranties are limited to replacement, which is not guaranteed to be done in a specified time period. If the device fails after the warranty period, it is not cost-effective to repair it. The support level might be considered adequate because of the simplicity of the device and the cost savings on its purchase.
Low-end flexible switches provide similar capabilities to the low-end fixed switches but have upgradeable hardware to support changes in requirements. Typically, these switches allow an increase in the number of Ethernet ports (with more ports than a fixed switch), provide more flexible uplink capability (frequently Gigabit Ethernet), and support the Spanning Tree Protocol. Usually they provide higher throughput of Ethernet traffic than fixed switches because they have to support a higher number of ports. They also cost more than low-end fixed switches because they are upgradeable and often have remote management capabilities and VLAN support. Stackable fixed configuration switches can be considered to be in the same class, offering the same technical features but supporting expansion by stacking new switches on existing switches and connecting them using high-speed buses so that they act as one. Note that the term stackable has no standard definition. Some manufacturers may mean that a switch can be physically placed on top of another but for this class it is assumed that there is a high-speed bus between the two switches and these switches are managed as a single switch.
Low-end flexible switches can be used where growth is anticipated or where a low-end fixed switch does not provide enough ports. This includes floors of buildings, departments, remote branch offices, or individually in small organizations. The initial cost is higher than the low-end fixed switches but in the long term, growth can be handled without having to discard the switch. As the low-end flexible switches usually have more potential connectivity than low-end fixed switches, larger offices can be accommodated. Table 2 summarizes Class 2 switch features.
Table 2: Class 2 - Low End Flexible Switches
Typical Features:
• Ethernet port upgradeability
• Uplink port flexibility
• Upgradeable to more Ethernet ports than Class 1 switch
• Spanning Tree Protocol
• Configurability, manageability, and remote access
• VoIP support rare
• VLAN support
• Cost - Low to High
The advantages of low-end flexible switches include:
• Affordability: These devices have a higher cost per port than Class 1 switches. However, they provide better management features and expansion capability and are inexpensive compared to the higher-class switches.
• Upgradeability: These devices have methods of increasing the number of Ethernet ports, either by the inclusion of additional ports on the base unit, or by attaching an additional base unit to the existing one by connecting it directly to the internal bus. The uplink port used to connect to other switches can accommodate a variety of connectivity media including Gigabit Ethernet and fiber or copper.
• Configurable: These switches have capability for configuring Spanning Tree Protocol and VLANs. These devices are therefore suitable for use in enterprise networks. These switches also support remote management and monitoring.
The disadvantages of low-end flexible switches include:
• Inflexible upgradeability: These devices usually provide a limited increase in the number of Ethernet ports and limited changes to the uplink port features. Adding another stacking unit will result in a large increase in ports, even if only a few additional ones are required. Usually, there are no options for adding other features such as layer 3 switching.
• VoIP support is rare: Although VoIP may not be currently required, its availability could become mandatory if an organization upgraded its telephone network.
• Little or limited resilience: Typically, these switches have little resilience; if available, the only resilience feature is likely to be a redundant power supply.
Midrange switches offer more power and much higher port density and expansion capability than Class 2 switches. They also have a higher level of management capability, redundancy, and resilience. Typically, these switches are modular chassis, rather than fixed chassis, with plug-in port cards. Often differently sized chassis are available with varying numbers of slots. These switches typically include multiple hot swappable redundant power supplies, while resilience features include protocols to handle changeover to an alternative switch. They may also offer a second engine (the processor unit of the switch), providing resilience in case of a failure of the first engine.
These switches may be used to provide the core switching at a medium sized organization, at larger branches, or to aggregate divisions of a large organization connecting to a larger switch. They provide great flexibility and growth capacity for WAN and LAN connectivity and tend to have a long life cycle as they can be upgraded for future technologies. Table 3 summarizes Class 3 switch features.
Table 3: Class 3 - Mid Range Switches
| Typical Features |
| --- |
| Chassis system unit with differently sized chassis |
| Redundant power supplies |
| High Ethernet port density |
| Flexible uplink ports |
| Configurability, manageability, and remote access |
| Spanning Tree Protocol |
| VLAN support |
| VoIP support |
| Layer 3 switching |
| Redundant power supply |
| Redundant engine |
| Cost - High |
The advantages of midrange switches include:
| • | Cost-effectiveness: Although the price of the base midrange switch unit is higher than the lower end switches, the price per port reduces considerably as the unit expands in the number of ports. This is particularly true for larger chassis units. |
| • | Simple configuration: These devices have more complex features, such as VLANs, which need configuration. This class of switches generally provides a browser-based graphical interface for configuration in addition to the traditional command-line methods. The same tools can also be used to remotely manage and monitor activity. |
| • | Manageability: This class of switches offers superior manageability features because of improved software tools and specifically designed hardware features. |
| • | Resilience: As the switch increases in port capacity, resilience becomes more critical and this class of switches can provide an optional redundant power supply and engine. |
| • | Scalability and long life cycle: As these switches are chassis-based, all connectivity options are plug-in cards. This means that the unit can be easily upgraded as requirements change or new technologies become inexpensive. This also extends the life of the switches, whereas lower class switches may have to be discarded. |
The disadvantages of midrange switches include:
| • | Higher cost: These devices have a higher base cost than the lower classes, although they become more cost-effective at higher port densities, particularly for the large sized chassis. |
| • | Complex configuration: Because these devices have more options, configuration is more complex although this is mitigated by graphical configuration tools. |
High-end switches offer high performance, increased expansion, extremely high fault tolerance, and high availability capabilities. The hardware design is extremely flexible and provides multiple connectivity options along with other options such as multiple power supplies and processors, and other features that make the system highly resilient.
There is a greater emphasis on high-speed protocols, such as asynchronous transfer mode (ATM) for linking to other network devices. These switches offer extreme versatility in supporting different hardware media, including copper and optical fiber, and have the power to handle multiple Gigabit Ethernet links. This class of switches may also contain a router module, which enables them to act as routers as well. This capability is especially useful for linking VLANs. Table 4 summarizes Class 4 switch features.
Table 4: Class 4 - High End Switches
| Typical Features |
| --- |
| Chassis system unit |
| Redundant power supplies |
| High Ethernet port density |
| Flexible uplink ports |
| 10 Gigabit Ethernet support |
| Configurability, manageability, and remote access |
| Spanning Tree Protocol |
| VLAN support |
| VoIP support |
| Layer 3 switching |
| Layer 4-7 switching |
| Security features |
| Redundant power supply |
| Redundant engine |
| Cost - High |
The advantages of high end switches include:
| • | Cost-effectiveness: As with the Class 3 switches, switches of this class also have a high base unit price. However, as the unit is expanded and the port density is increased, the cost per port drops considerably. |
| • | Manageability: Just like the Class 3 switches, this class of switches offers superior manageability features because of improved software tools and specifically designed hardware features. |
| • | Resilience: As the switch increases in port capacity, resilience becomes more critical. This class of switches provides advanced resilience features including redundant and hot swappable power supplies, redundant engines, and redundant switch fabric. |
| • | Scalability and long life cycle: As these switches are chassis-based, all connectivity options are plug-in cards. This means that the unit can be easily upgraded as requirements change or new technologies become inexpensive. This also extends the life of the switches, unlike lower class switches that may have to be discarded. |
| • | Security: This class of switches usually offers advanced security features to protect the network from intrusion. |
| • | Layer 3-7 switching: This class offers layer 3 switching (routing) as an option. It may also offer other advanced features such as layer 4-7 switching, load balancing, and firewalls. Having these as inbuilt services reduces the cost compared with external units and improves performance. |
The disadvantages of high end switches include:
| • | High initial cost: The initial cost of these chassis-based units is high because it includes the cost of components such as the chassis, engine, and power supply. The price per port is particularly high when the chassis has fewer ports. However, the price per port reduces as the port density increases. |
| • | Complex configuration: Offering additional features inevitably increases the complexity of configuring the switches. Skilled engineers are required to configure switches belonging to this class. |
Many different classes of routers may be required to perform different tasks in the network, such as the border routers facing the Internet, internal routers linking VLANs, and small office routers.
This section highlights desirable features specific to routers.
| • | Routing protocols: For campus routers a range of routing protocols should be available, and router selection should be done in conjunction with network design and routing protocol selection. The most common standard routing protocols are RIP and OSPF, but RIP is not suitable for a large scale network. |
| • | Range of WAN links and protocols: What protocols do you intend to use over your WAN links, and what may you use in the future? High end routers should be selected to support a variety of high speed links and protocols, even if you do not currently require them. Small branch offices may have dial-up, ISDN or broadband connections, and low-end routers should support these connection methods. Although broadband may be the best choice for your current branch office structure, it is not universally available, and dial-up or ISDN may be the only solutions for remote locations. |
| • | Network Address Translation (NAT): NAT is used on routers facing the Internet to translate a single unique Internet address to multiple private network addresses. This means that many devices can share a single Internet address, and because the private addresses cannot be accessed directly by another Internet user, this gives a measure of security. It should be available on routers in small offices connected via the Internet and also on the border router at large sites. |
| • | Dynamic Host Configuration Protocol (DHCP): DHCP is used to automatically issue IP addresses to PCs so that their addresses do not need to be manually configured. This simplifies PC setup, since PCs can be configured to use DHCP and will pick up an address when switched on and connected to the network. It is also useful for laptop computers used in different locations, since they will automatically receive an IP address suitable for each location. At central sites a DHCP service will be running on a server running the Microsoft Windows 2000 operating system or Microsoft Windows Server™ 2003, but at small offices there may be no server, so the router itself may be required to issue DHCP addresses. |
| • | Firewall: Routers may offer a firewall feature, and this is useful in any router facing the Internet, such as a branch office router or a border router at larger sites. Although a full scale firewall is advisable at large sites, the border router is on the outside of the firewall and needs to protect itself. |
| • | Virtual Router Redundancy Protocol (VRRP): At large sites duplicate network devices may be installed as a fail-safe arrangement, with one device operating as the master and the other operating as a hot standby that becomes active only if the master fails. VRRP is a protocol which runs on a link between the routers, so that each router knows whether the other router is alive, and when the link fails the standby device can react. |
| • | Virtual Private Network (VPN): VPNs are used to provide privacy and security for a connection through the Internet. A VPN effectively provides a private line through a public service, and its main use is either for individual users connecting in from home or for small branch offices connecting to a central site. There are various methods of setting up the VPN link, including starting the process at the client PC, in which case the router is unaware of the VPN connection. However, the router can also be configured with direct router-to-router VPN links that do not involve the users, and this may be a requirement for small branch offices. |
Similarly to switch classes, multiple classes have been defined and products may fall into more than one class depending upon the options available. The router classes covered in this section are:
| • | Class 1 - Software Routers |
| • | Class 2 - Low-end Fixed Routers |
| • | Class 3 - Low-end Flexible Routers |
| • | Class 4 - Midrange Routers |
| • | Class 5 - High-end Routers |
| • | Class 6 - ISP Routers |
Software routers are computer systems with a standard operating system and software functions installed that provide routing capability between a LAN and a WAN. The computer system provides the standard computer functionality while the routing features are performed in the background. Typically, these routers provide shared Internet access to a small number of computers for home users or small businesses. Their performance is limited because the routing function is a background activity rather than the main function of the device. Its performance is also dependent on the foreground activity. The resilience is limited to that of the computer. As the computer is usually a workstation, it is particularly dependent upon the user not switching it off. Upgradeability and flexibility are low because the software supports a restricted set of WAN protocols. An example of this class of software routers is Internet Connection Sharing (ICS) which is available on Windows 98, ME, 2000, 2003 and XP operating systems.
Software routers are useful when there are a few local users and a lower requirement for WAN access. They are used increasingly in homes where there are a number of users requiring Internet access over a single phone line. As usage increases and outruns the capability of this routing solution, a dedicated hardware router of the next router class can be installed. Table 5 summarizes Class 1 router features.
Table 5: Class 1 - Software Routers
| Typical Features |
| --- |
| Software only |
| Simple configuration |
| Built-in network address translation (NAT) |
| No routing protocols |
| Free with operating system or very low cost |
The advantages of software routers include:
| • | Inexpensive: These routers require no additional hardware units beyond a modem and are either included with the operating system or are available at a low cost. Low cost is the major benefit but disadvantages such as lack of features and performance may outweigh this advantage. |
| • | Simple configuration: Configuration is usually limited to just turning on the routing function. NAT will also be turned on together with Dynamic Host Configuration Protocol (DHCP), which then provides each computer on the internal network with a private address automatically. |
The disadvantages of software routers include:
| • | Inconsistent performance: This routing function relies on the processing power of a single computer that would usually be processing other tasks as well; therefore, its performance is restricted and variable. It is intended primarily for occasional rather than continuous Internet access and although adequate for one computer in a stand-alone mode, its performance degrades as more computers are connected or the Internet usage rises. |
| • | Limited configuration options: With no routing protocols available, the configuration options are usually negligible and only basic firewall features are available. |
| • | No resilience: Resilience is limited to that of the computer on which the router software is installed; this usually implies no resilience at all. Consequently, the routing software is particularly prone to user actions such as shutting down the computer. |
Low-end fixed routers typically have limited performance, features and expansion capabilities, and no fault tolerance. This class of routers is designed to route between an Ethernet LAN and a WAN. The WAN connections are usually restricted to a dial-up modem, ISDN, an X.25 link, broadband, or a cable modem. The router will typically have a built-in hub or switch (which may also include wireless connectivity to computers equipped with wireless cards) and may also have simple firewall capability.
The WAN connectivity is built into the router hardware and cannot be changed if user requirements change. However, the routers are inexpensive and the lack of upgradeability is the penalty for the low price.
These routers have no resilience features but are dedicated devices and can be left switched on all the time. Because they are inexpensive, a second router can be installed to provide redundancy. They offer only a limited range of routing protocols such as RIP and OSPF, but they usually have a NAT feature to enable multiple internal users on the LAN to access the Internet through a single address.
Performance is restricted but better than the Class 1 devices as the hardware is designed for the routing function with no other functions running at the same time.
This class of routers is designed for the small office, or for telecommuters working from home to access the Internet, or for small branch offices to connect to larger offices in a hierarchical network structure. ISDN has been very popular in this role because the connection is only made when a data transfer is required. This means that the expensive WAN link is used efficiently and cost-effectively. As the cost of this class of routers came down, this level of routing migrated into homes and the most popular routers in this class are restricted to ISDN or broadband Internet connectivity. Table 6 summarizes Class 2 router features.
Table 6: Class 2 - Low End Fixed Routers
| Typical Features |
| --- |
| Limited WAN protocols |
| No hardware upgradeability |
| RIP routing protocol, possibly OSPF |
| Limited performance |
| Frequently simple configuration |
| No fault tolerance |
| Built-in switch or hub |
| Built-in firewall |
| Built-in NAT/DHCP |
| Limited manufacturer support |
| Cost - Low |
The advantages of low-end fixed routers include:
| • | Affordability: Routers in this class are inexpensive, partly due to their restricted performance and functionality, and partly because of fierce competition at this level. Because these routers may also include a hub or switch and a firewall, they can be of particularly good value as small network routers. |
| • | Simple configuration: To match the competition for this class of router and the limited options, configuration is frequently simple, often through a browser and a graphical interface. |
| • | Range of WAN connectivity: While many low cost routers are limited to ISDN or ADSL WAN connections, others in this class may include X.25 and Frame Relay, albeit at a higher cost. The WAN link must be selected at the time of purchasing the router and cannot be changed if the requirements change. |
| • | Built-in features: These routers provide NAT and DHCP to automatically provide addresses to attached computers. Optionally they may provide a four- or eight-port hub or switch, and now increasingly include a basic firewall as well. Built-in wireless switches are becoming increasingly popular. |
The disadvantages of low-end fixed routers include:
| • | Limited upgradeability: This class of routers is not hardware upgradeable but usually their firmware is upgradeable. There may be choices of WAN connectivity, number of Ethernet ports, and built-in switches at the time of purchase but these options cannot be changed after the purchase. However, because of their low initial cost, these products are easily discarded if they cannot satisfy future requirements. |
| • | Limited performance: These routers have limited performance. Manufacturers usually do not reveal throughput figures but these routers are typically suitable for about eight users depending on the users' activities. |
| • | Limited support: Support for this class of routers is usually limited and is provided through Web sites, FAQs, and email contact with no guaranteed levels of service. There is fierce competition, the product life cycle is very short, and models are frequently replaced with consequential downgrading of support for obsolete models. Warranties are limited to replacement, which is not guaranteed to be done in a specified time period. If the device fails after the guarantee period, it is not cost-effective to repair it. The support level might be considered adequate because of the simplicity of the device and the cost savings on its purchase. |
| • | Limited manageability and features: Designed for simple networks, this class of routers will have limited manageability features. This becomes a weakness when used for remote sites of an enterprise network. These routers also have limited routing options and may not have some features essential for enterprise users, such as the OSPF routing protocol. |
| • | No resilience: This class of routers lacks resilience. |
Low-end flexible routers provide capabilities similar to low-end fixed routers but have upgradeable hardware which allows for growth as an organization's requirements change. Typically, these routers allow different types of WAN connectivity or multiple WAN ports and, if there are built-in Ethernet hubs or switches, additional local devices can be connected. Usually they provide better performance than a fixed router because they are designed to support the maximum port expansion without any upgrade of the processors. Because they are upgradeable, they are more expensive than low-end fixed routers. Like the low-end fixed routers, they usually offer a limited range of routing protocols.
These routers are frequently used in small or branch offices where growth is anticipated. Although the initial cost is higher than that of fixed routers, you gain in the long run because future growth can be handled by upgrading and not by having to replace the router. Because the low-end flexible routers are usually more powerful than a low-end fixed router, they can accommodate larger offices. Table 7 summarizes Class 3 router features.
Table 7: Class 3 - Low End Flexible Routers
| Typical Features |
| --- |
| Upgradeable |
| Broad range of WAN connectivity |
| RIP and OSPF routing protocols |
| VLAN support |
| VoIP support |
| No fault tolerance |
| Built-in switch or hub |
| Built-in firewall |
| Built-in NAT/DHCP |
| Cost - Low to High |
The advantages of low-end flexible routers include:
| • | Affordability: Although more expensive than Class 2 routers, these routers can still be considered low cost. They offer more features, better performance, and upgradeability which justifies the higher price tag. |
| • | Simple configuration: Because these routers are generally used in simple networks, they typically have graphical configuration tools. You can resort to command-line systems for more complex configuration. |
| • | Advanced feature set: These routers have the advanced features such as OSPF, VoIP, firewall, and NAT. This makes them suitable for use as components in an enterprise network. |
| • | Upgradeability: This class of routers has a broad range of WAN connectivity options and if the requirements change after purchase, these can be upgraded. Memory can be upgraded to improve performance and the operating system can be upgraded to introduce additional features. |
The disadvantages of low-end flexible routers include:
| • | Limited performance: Although manufacturers may not reveal the performance of their routers, this class of routers does have performance limitations and is intended for small offices or small departments, depending upon the activity of these locations and the WAN traffic. |
| • | Limited configuration options: Although routers in this class do have a good feature set, these are still limited when compared with the features of the higher class of routers. |
| • | Low scalability: WAN connectivity can generally be upgraded (though this may be restricted in number) but the number of LAN ports cannot be upgraded. |
| • | No resilience: Routers of this class have few or no resilience features. |
Midrange routers offer more power and hardware expansion capabilities than Class 3 routers. They provide multiple LAN and WAN ports with faster Ethernet connectivity, including Gigabit Ethernet as well as fiber and copper connectivity. Additional protocols may be available, particularly for backbone connectivity, to connect to other network devices such as routers or switches rather than individual computers. These routers are usually used for dial-in connections from individual computers of home workers or from small Internet service providers (ISPs) using analog modems or ISDN. Typically, they also support VoIP, which allows simultaneous voice and data transmission over the same cable.
Although midrange routers offer limited or no built-in hardware resilience, they provide an alternative resilience method by the use of dual routers (a primary and a standby router) and protocols to ensure a rapid switchover in the event of a failure.
Routers of this class may be used as the core routers at medium-sized organizations, at larger branches, or to aggregate divisions of a large organization connecting to a larger router. The dial-in capability is frequently used by telecommuters to directly connect to the organization without going through the Internet. They provide great flexibility and growth capacity for WAN and LAN connectivity and tend to have a long life cycle as they can be upgraded for future technologies. Table 8 summarizes Class 4 router features.
Table 8: Class 4 - Mid Range Routers
| Typical Features |
| --- |
| Upgradeable |
| Broad range of WAN connectivity |
| Performance > 40 kpps |
| RIP and OSPF routing protocols |
| VLAN support |
| VoIP support |
| No fault tolerance |
| Built-in firewall |
| VRRP resilience protocol |
| Built-in NAT/DHCP |
| VPN support |
| Cost - Low to High |
The advantages of midrange routers include:
| • | Performance: The routers of this class have a throughput of at least 40 kpps and can be considered medium performance routers suitable for large branch offices or medium-sized organizations. |
| • | Expansion and scalability: This class of routers has considerable expansion capability and can accommodate increases in the number of ports and a broad range of connectivity types. |
| • | Full feature set: These routers usually have a full feature set including a wide range of WAN connectivity, routing protocols, NAT, DHCP, firewall, VLANs, VoIP, and VPN. |
The disadvantages of midrange routers include:
| • | Low resilience: These devices typically have no built-in resilience, although routers at the higher end of the class may have redundant power supplies. However, they should support redundancy protocols, such as VRRP, with which a standby router can provide resilience. |
| • | Low performance and scalability: These devices are unlikely to have the power or connectivity required to act as the core router of a large enterprise. |
High end routers offer high performance, increased expansion, and extremely high fault tolerance and availability. The hardware design is flexible; it provides multiple connectivity options like the Class 4 routers and has additional options such as multiple power supplies, multiple processors, and other features that make it highly resilient.
There is a greater emphasis on high-speed protocols, such as ATM and SONET, to link to other network devices and carry large volumes of data between sites while smaller routers or switches concentrate on workstation connections. These routers are extremely versatile and support a large number of WAN and LAN protocols and different hardware media including copper and optical fiber. Table 9 summarizes Class 5 router features.
Table 9: Class 5 - High End Routers
| Typical Features |
| --- |
| Chassis-based unit |
| Broad range of WAN connectivity |
| Performance > 900 kpps |
| RIP and OSPF routing protocols |
| VLAN support |
| VoIP support |
| Redundant power supply |
| Redundant engine |
| Built-in firewall |
| VRRP resilience protocol |
| Built-in NAT/DHCP |
| VPN support |
| Cost - High |
The advantages of high end routers include:
| • | Performance: Routers of this class have a throughput of at least 900 kpps, which is considerably higher than the corresponding throughput of Class 4 routers; therefore, they can be considered high performance routers suitable for uses such as a WAN gateway or a core router for medium to large organizations. |
| • | Expansion and scalability: Being chassis-based, Class 5 routers have considerable expansion capability to accommodate a larger number of ports and a broad range of connectivity types. |
| • | Full feature set: These routers usually have a full feature set including a wide range of WAN connectivity, routing protocols, NAT, DHCP, firewall, VLANs, VoIP, and VPN. |
| • | Resilience: These devices have built-in resilience options such as redundant hot-swappable power supplies and redundant engines. They also support redundancy protocols such as VRRP, where a standby router monitors the primary router and can take over if the primary one fails. |
The disadvantage of high end routers is their high cost. Because these devices have considerable upgrade capabilities and resilience, their starting price is high but the price per port falls as the chassis is populated.
ISP routers are used by ISPs on the backbone of the Internet. They can also be used in an enterprise for the ultimate in performance. They provide extremely high performance, along with high availability and resilience, and can handle hundreds of thousands of Internet users and connect to the Internet backbone at high speeds. Table 9 summarizes Class 6 router features.
Table 9: Class 6 - ISP Routers
| Typical Features |
| --- |
| Chassis-based unit |
| Broad range of WAN connectivity |
| Broad range of LAN connectivity |
| Performance multimillion pps |
| Vast expansion capability |
| Redundant power supplies |
| Redundant engines |
| Cost - Very High |
The advantages of ISP routers include:
| • | High performance: Routers of this class are designed for very large enterprises or an ISP backbone or edge use. They provide extremely high performance. |
| • | Scalability: These routers are chassis-based and can be upgraded extensively. Typically, a chassis may have up to 16 slots with each blade having the capability for multiple connections. |
| • | Extensive range of WAN/LAN protocols: Routers of this class support virtually every relevant protocol, including many very high-speed WAN protocols such as OC-192. |
The disadvantages of these routers are their high cost and potentially complex configuration.
Security is extremely important in designing a network, to control external intrusions from the Internet and internal intrusions from employees or others with access to the internal network. There are four major areas of protection which should be considered:
| • | Control intrusion through the switch or router |
| • | Control intrusion against the switch or router |
| • | Control administrator access to the switch or router |
| • | Physical protection of the routers and switches |
The switches and routers pass packets through the network and are the first point at which to filter out intrusion attempts, followed by a firewall providing a higher level of filtering. This filtering should also prevent attacks on the network devices themselves. Most switches and routers can be reconfigured and therefore strict controls must be put in place to limit who has administration access. Most routers and switches have some back-door access method to bypass logical security and therefore these devices should be physically locked up to prevent this intrusion.
Most routers have specific and well-known vulnerabilities and the manufacturer's website should be visited for details of these vulnerabilities and the methods for combating them.
The router is the very first line of defense and also the first line of attack. It provides packet routing, and it can also be configured to block or filter the forwarding of packet types that are known to be vulnerable or used maliciously, such as ICMP or Simple Network Management Protocol (SNMP). You should use the router to block unauthorized or undesired traffic between networks. The router itself must also be secured against reconfiguration by using secure administration interfaces and ensuring that it has the latest software patches and updates applied.
If you do not have control of the router, there is little you can do to protect your network beyond asking your ISP what defense mechanisms they have in place on their routers.
When considering router security, it is useful to use the following configuration categories:
| • | Patches and updates |
| • | Protocols |
| • | Administrative access |
| • | Services |
| • | Auditing and logging |
| • | Intrusion detection |
Subscribe to alert services provided by the manufacturer of your networking hardware so that you are up to date with both security issues and service patches. As vulnerabilities are found - and they inevitably will be found - good vendors make patches available quickly and announce these updates through e-mail or on their Web sites. Always test the updates before implementing them in a production environment.
Denial of service attacks often take advantage of protocol-level vulnerabilities, for example, by flooding the network. To counter this type of attack, you should:
| • | Use ingress and egress filtering |
| • | Screen ICMP traffic from the internal network |
| • | Block Trace Route |
| • | Control broadcast traffic |
| • | Block other unnecessary traffic |
Spoofed packets are indicative of probes, attacks, and other activities by a knowledgeable attacker. Routers route packets based on the destination address and normally ignore the source address which may not be that of the author of the packet. Incoming packets with an internal address can indicate an intrusion attempt or probe and should be denied entry to the perimeter network. Likewise, set up your router to route outgoing packets only if they have a valid internal IP address. Verifying outgoing packets does not protect you from a denial of service attack, but it does keep such attacks from originating from your network and if other networks apply the same outgoing verification, your network could be saved from a denial of service attack.
This type of filtering also enables the originator to be easily traced to its true source since the attacker would have to use a valid - and legitimately reachable - source address. For more information, see "Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing" at http://www.rfc-editor.org/rfc/rfc2267.txt.
ICMP is a stateless protocol that sits on top of IP and allows host availability information to be verified from one host to another. Commonly used ICMP messages are shown in Table 10.
Table 10 Commonly Used ICMP Messages
| Message | Description |
| Echo request (Ping) | Determines whether an IP node (a host or a router) is available on the network |
| Echo reply (Ping reply) | Replies to an ICMP echo request |
| Destination unreachable | Informs the host that a datagram cannot be delivered |
| Source quench | Informs the host to lower the rate at which it sends datagrams because of congestion |
| Redirect | Informs the host of a preferred route |
| Time exceeded | Indicates that the time to live (TTL) of an IP datagram has expired |
Blocking ICMP traffic at the outer perimeter router protects you from attacks such as cascading ping floods and other denial of service attacks, and other ICMP weaknesses justify restricting the protocol. While ICMP Echo Request (Ping) is useful for troubleshooting, it can also be used to discover devices on your network and map its architecture, so inbound echo requests should be dropped unless there is a good reason to keep them. Ping has also been used for the Ping of Death denial of service (an oversized, fragmented echo request), so it is best blocked. Do not block ICMP wholesale, however: Destination Unreachable messages, in particular the Fragmentation Needed message (type 3, code 4), are required for path MTU discovery, and dropping them causes connections that send large packets to stall.
Trace route is a means to collect network topology information. It detects the devices en route to a destination system and is very useful in determining whether your data is travelling along optimal routes. Its implementation varies by manufacturer: some send a Ping (ICMP echo request) with increasing Time to Live (TTL) values, while others send UDP datagrams to high-numbered ports; in both cases each hop is revealed by the ICMP Time Exceeded message it returns. The Ping variant is controlled by blocking ICMP echo as mentioned above, while the UDP variant may require an ACL to block it; dropping outbound ICMP Time Exceeded messages from your routers defeats both. By blocking packets of this type, you prevent an attacker from learning details about your network.
Directed broadcast traffic (a packet addressed to the broadcast address of a subnet other than the one it was sent from) can be used to enumerate hosts on a network and as a vehicle for a denial of service attack: an echo request sent to a directed broadcast address with a spoofed source makes every host on that subnet reply to the victim, the cascading ping flood known as a smurf attack. Disable forwarding of directed broadcasts on every router interface and, in addition, filter packets arriving from the Internet with the source addresses shown in Table 11, which are never valid sources on the public Internet.
Table 11 Source Addresses That Should be Filtered
| Source address | Description |
| 0.0.0.0/8 | Historical broadcast |
| 10.0.0.0/8 | RFC 1918 private network |
| 127.0.0.0/8 | Loopback |
| 169.254.0.0/16 | Link local networks (APIPA addresses) |
| 172.16.0.0/12 | RFC 1918 private network |
| 192.0.2.0/24 | TEST-NET |
| 192.168.0.0/16 | RFC 1918 private network |
| 224.0.0.0/4 | Class D multicast |
| 240.0.0.0/5 | Class E reserved |
| 248.0.0.0/5 | Unallocated |
| 255.255.255.255/32 | Broadcast |
Incoming traffic from the Internet to the border router comes from unknown, untrusted users who need access only to your public Web servers. They are accessing a specific list of IP addresses and port numbers and can be restricted to those and nothing else. Using access control lists, available on most routers, only traffic for the desired combinations of addresses and ports is let through the border router, on the assumption that traffic to any other address or port is potentially hostile.
Note: Port numbers in this example are not related to ports on a switch which are the physical sockets that Ethernet cables are plugged into. Here, the reference is to the IP addressing system, where the IP address is extended with a TCP or UDP port number. For example a Web server is frequently on port 80: the full address of the Web service on a server with an IP address of 192.168.0.1 would be 192.168.0.1:80.
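As an added worked example (not code from the original page), the following Python models the filters described above: the ingress check for spoofed internal and bogon sources from Table 11, the RFC 2827 egress check, the ICMP handling, and the restriction of inbound traffic to the published Web-server address and port pairs. It also renders the same policy as a Cisco IOS extended access list. The topology (203.0.113.0/24 as the organisation's public range, a Web server at 203.0.113.10 on ports 80 and 443) is constructed for the example, and the IOS ACL syntax is assumed from IOS documentation rather than taken from the page.

```python
"""Model of the border-router filtering described in the text: ingress
filtering of spoofed and bogon sources (Table 11), egress filtering of
our own outbound traffic, and restriction of inbound traffic to the
published web-server addresses and ports. Added example, not from the
page; the topology is constructed and the generated Cisco IOS ACL
syntax is an assumption."""
import ipaddress
from dataclasses import dataclass

# Table 11 ranges. 240.0.0.0/5 and 248.0.0.0/5 together are 240.0.0.0/4.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/5", "248.0.0.0/5", "255.255.255.255/32")]

# Constructed topology: our public range and the services we publish.
INTERNAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]
PUBLISHED = {("203.0.113.10", "tcp", 80), ("203.0.113.10", "tcp", 443)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str         # "tcp", "udp" or "icmp"
    port_or_type: int  # TCP/UDP destination port, or ICMP type


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def ingress_decision(pkt):
    """Verdict for a packet arriving on the Internet-facing interface."""
    src = ipaddress.ip_address(pkt.src)
    if _in_any(src, BOGON_SOURCES):
        return "deny: bogon source"
    if _in_any(src, INTERNAL_NETS):  # our own address arriving from outside
        return "deny: spoofed internal source"
    if pkt.proto == "icmp":
        # Keep type 3 (destination unreachable) so path MTU discovery works;
        # echo request (type 8) and the rest are dropped as the text recommends.
        return "permit: icmp unreachable" if pkt.port_or_type == 3 else "deny: icmp"
    if (pkt.dst, pkt.proto, pkt.port_or_type) in PUBLISHED:
        return "permit: published service"
    return "deny: not a published service"


def egress_decision(pkt):
    """Verdict for a packet leaving towards the Internet (RFC 2827 check)."""
    if not _in_any(ipaddress.ip_address(pkt.src), INTERNAL_NETS):
        return "deny: source address is not ours"
    return "permit"


def _wildcard(net):
    """IOS ACLs take an inverted mask: 10.0.0.0/8 -> '10.0.0.0 0.255.255.255'."""
    return f"{net.network_address} {net.hostmask}"


def ios_ingress_acl(number=110):
    """Render the same policy as an IOS extended ACL for the outside interface."""
    lines = [f"access-list {number} deny ip {_wildcard(n)} any log"
             for n in BOGON_SOURCES + INTERNAL_NETS]
    lines.append(f"access-list {number} permit icmp any any unreachable")
    lines += [f"access-list {number} permit {proto} any host {host} eq {port}"
              for host, proto, port in sorted(PUBLISHED)]
    lines.append(f"access-list {number} deny ip any any log")  # explicit, logged
    return lines


if __name__ == "__main__":
    print("\n".join(ios_ingress_acl()))
    print(ingress_decision(Packet("203.0.113.50", "203.0.113.10", "tcp", 80)))
```

Running the block prints the access list; on IOS it would be applied inbound on the Internet-facing interface with `ip access-group 110 in` (again an assumption from IOS syntax). The `log` keyword on the deny entries is what makes the ACL counters and syslog entries useful for spotting spoofing attempts from outside.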
Cisco routers and switches use a proprietary protocol, CDP (Cisco Discovery Protocol), to discover information about their neighbours such as model numbers and operating system revision level. This is a security weakness, because anyone who can attach to the same link receives the same information, so CDP should definitely be disabled on the border router (at least on its Internet-facing interface) and possibly on internal routers and switches, depending on whether your management software requires it.
Where will the router be accessed from for administration purposes? You must decide which interfaces and ports an administration connection is allowed into, and from which network or host the administration is to be performed. Restrict access to those specific locations. Do not leave an Internet-facing administration interface available without encryption and countermeasures to prevent hijacking. In addition:
| • | Apply strong password policies |
| • | Use an administration access control system |
| • | Disable unused interfaces |
| • | Consider static routes |
| • | Shutdown Web based configuration |
| • | Control physical access |
First, set a password for the administrator account: many systems are broken into simply because the administrator left the password blank. Second, use complex passwords. Brute force password software can do more than dictionary attacks and will find common passwords where a letter is replaced by a number; "p4ssw0rd", for example, will be cracked. Always use combinations of uppercase and lowercase letters, numbers, and symbols when creating passwords. SNMP is probably required for management purposes, and although SNMP v1 and v2c security is not strong (the community string, which acts as the password, travels in clear text), do set community strings when configuring it: change the well-known defaults "public" and "private", make the string read-only unless writes are genuinely needed, and restrict which management hosts may query it. SNMP v3 provides much improved security, with authenticated and encrypted messages.
Rather than embedding the administrator's name and password in the configuration, use a triple A system to authenticate the administrator. This controls who the administrator is, what they can do, and logs what they do. Triple A is:
| • | Authentication: The process of identifying and verifying a user. Several methods can be used to authenticate a user, but the most common is a combination of username and password. |
| • | Authorization: The process of deciding what an authenticated user can access and do. |
| • | Accounting: The recording of what a user is doing or has done on a device. |
Triple A systems refer to a database held on a central server to authenticate the administrator when they first log on, and to control what they attempt to do during the session. One of the major benefits of triple A is the centralisation of the security information: a single login controls access to all network devices, rather than separate logins having to be set up on each device. There are two non-proprietary triple A systems:
Another very popular triple A system is TACACS+. It originated at Cisco and is often described as Cisco proprietary; it has since been implemented by other vendors and is documented in RFC 8907, but check that your non-Cisco devices support it before relying on it to control access to them.
Only required interfaces should be enabled on the router. An unused interface is not monitored or controlled, and it is probably not updated, which might expose you to unknown attacks through it. Telnet is commonly used for administrative access, but it sends the login and every command in clear text, so use SSH where the device supports it and, if Telnet must remain, allow it only from the management network. In either case, limit the number of concurrent administrative sessions and use a time-out so that a session closes if unused for a set time.
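The administrative-access points above (passwords, SNMP community strings, web-based configuration, CDP, central AAA, and the Telnet and time-out settings on the virtual terminal lines) can be verified mechanically against a saved configuration. The following Python is an added example, not from the page: it audits a Cisco IOS-style configuration and is run against a constructed weak configuration and its constructed hardened counterpart. Cisco IOS command names are assumed because the page names Cisco devices; other vendors use different syntax, and the rule that a vty line with no `transport input` command accepts every protocol follows older IOS defaults and is also an assumption.

```python
"""Audit a Cisco IOS-style configuration for the administrative-access weaknesses
discussed in the text. Added example; both configurations are constructed."""
import re

SAMPLE_WEAK_CONFIG = """\
! constructed: a border router with the defaults left in place
enable password cisco123
username admin password 0 p4ssw0rd
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 exec-timeout 0 0
 transport input telnet
line vty 5 15
 exec-timeout 5 0
 transport input ssh
 access-class 10 in
"""

SAMPLE_HARDENED_CONFIG = """\
! constructed: the same router after hardening
service password-encryption
enable secret 5 <hash>
username admin secret 5 <hash>
aaa new-model
no ip http server
no cdp run
snmp-server group NETMGMT v3 priv
access-list 10 permit 192.168.10.0 0.0.0.255
line vty 0 15
 exec-timeout 5 0
 transport input ssh
 access-class 10 in
"""


def parse_config(text):
    """Split IOS text into global commands and the indented 'line ...' blocks."""
    global_cmds, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
            continue
        current = line if line.startswith("line ") else None
        if current is not None:
            blocks[current] = []
        else:
            global_cmds.append(line)
    return global_cmds, blocks


def audit(text):
    """Return (finding code, detail) pairs; an empty list means no findings."""
    cmds, blocks = parse_config(text)
    findings = []

    def has(prefix):
        return any(c.startswith(prefix) for c in cmds)

    if has("enable password"):  # reversible type 7 or clear text
        findings.append(("ENABLE_PASSWORD", "use 'enable secret'"))
    if not has("service password-encryption"):
        findings.append(("NO_PW_ENCRYPTION", "passwords appear in clear text"))
    for c in cmds:
        user = re.match(r"username (\S+) password", c)
        snmp = re.match(r"snmp-server community (\S+)(?: (RO|RW))?", c)
        if user:
            findings.append(("USER_PASSWORD", user.group(1)))
        if snmp and snmp.group(1).lower() in ("public", "private"):
            findings.append(("SNMP_DEFAULT_COMMUNITY", snmp.group(1)))
        if snmp and snmp.group(2) == "RW":
            findings.append(("SNMP_RW", snmp.group(1)))
    if has("snmp-server community") and not has("snmp-server group"):
        findings.append(("SNMP_V1V2", "community strings travel in clear text; use v3 priv"))
    if has("ip http server"):
        findings.append(("HTTP_SERVER", "web-based configuration enabled"))
    if not has("no cdp run"):  # CDP is on by default in IOS
        findings.append(("CDP_ON", "neighbours learn model and OS version"))
    if not has("aaa new-model"):
        findings.append(("NO_AAA", "accounts are per device, no central AAA"))
    for name, sub in blocks.items():
        if not name.startswith("line vty"):
            continue
        # Assumption: a vty with no 'transport input' command accepts every protocol.
        allowed = next((s.split()[2:] for s in sub if s.startswith("transport input")), ["all"])
        if "telnet" in allowed or "all" in allowed:
            findings.append(("VTY_TELNET", name))
        if "exec-timeout 0 0" in sub:  # '0 0' disables the idle time-out
            findings.append(("VTY_NO_TIMEOUT", name))
        if not any(s.startswith("access-class") for s in sub):
            findings.append(("VTY_NO_ACL", name))
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE_WEAK_CONFIG), sep="\n")
    print("hardened:", audit(SAMPLE_HARDENED_CONFIG))
```

The checks are deliberately prefix matches on the saved text rather than a full IOS grammar, which is enough for a periodic audit of exported configurations; a finding on `line vty 0 4` but not on `line vty 5 15` in the weak configuration shows why every vty range must be checked, since an attacker gets whichever line is free.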
Static routes prevent specially formed packets from changing the routing tables on your router. An attacker might try to change routes by simulating a routing protocol message, to cause denial of service or to forward requests to a rogue server. With static routes, an administrative interface must first be compromised before routing can be changed. However, remember that static routes are static: if a link fails the router will not switch over automatically to an alternate route, and static routes may need complex configuration. Where a dynamic routing protocol is required, enable the protocol's neighbour authentication so that a forged routing update is not accepted.