Access Controls
Authentication deals with the
who of security policy enforcement; access controls enforce the what and how.
ACLs on Routers
Routers perform the major
task of directing network traffic, either onto the subnetworks they serve
directly or to other routers for subsequent delivery. On the final hop, a
router also resolves the destination IP address to the MAC address of the host
on the local subnetwork (using ARP) so that the frame can be delivered.
Suppose a host is being
flooded with packets from a malicious rogue host. Routers can be configured
with access control lists (ACLs) that deny traffic from particular source hosts
to particular destination hosts. So, a router could drop every packet whose
source address is the rogue host and whose destination address is the target
host.
This approach has three problems, however.
First, routers in large networks perform a lot of work: They have to handle
every packet coming into and going out of the network. Adding an ACL requires
the router to compare every packet against that list. One ACL adds work,
degrading the router's performance; as more entries are added, performance may
become unacceptable. The second problem is also an efficiency issue: Because of
the volume of work they perform, routers are designed to perform only
essential services. Logging of activity is usually not done on a router because
of the volume of traffic and the performance penalty logging would entail. With
ACLs, it would be useful to know how many packets each entry is dropping, so
that an entry that never fires can be removed (thereby improving performance).
Without logging, nothing records which entries are actually being used. (Most
router platforms do keep a per-entry match counter, which is far cheaper than
logging and answers exactly this question, but it gives counts, not the
addresses or timing an investigator would want.) These two problems together
imply that ACLs on routers are most effective against specific known threats
but that they should not be used indiscriminately.
The final limitation on
placing ACLs on routers concerns the nature of the threat. A router ACL
inspects only packet header fields: source and destination addresses and, in
extended lists, protocol and port numbers. It has no way to tell whether those
fields are true. An attacker usually does not reveal an actual source address.
To reveal the real source address would be equivalent to a bank robber's
leaving his home address and a description of where he plans to store the
stolen money.
Because someone can easily
forge any source address on a UDP datagram, many attacks use UDP with false
source addresses so that the attack cannot be blocked easily by a router with
an ACL. A router ACL keyed on the source address is useful only if the attacker
sends many datagrams with the same forged source address. One kind of forgery
a router can catch is a packet arriving on the external interface that claims a
source address from the inside network, since no legitimate packet can arrive
that way; this ingress filtering (documented in BCP 38) stops the crudest
spoofing but not an attacker who forges plausible outside addresses.
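The following is an added example, not code from the original text: a small Python model of an ordered router ACL applied inbound on the external interface. It implements first-match semantics with an implicit deny, keeps a per-entry hit counter (the accounting the text says routers usually do not log), and runs the scenarios discussed above: the rogue host flooding from its real address, the same flood with rotating forged UDP sources, a packet from outside claiming an inside address, and a management subnetwork reachable only from one permitted network. All addresses, prefixes and rules are constructed for illustration and use the RFC 5737 documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str                      # source IPv4 address as it appears in the header
    dst: str                      # destination IPv4 address
    proto: str = "udp"            # "udp", "tcp" or "icmp"
    dport: Optional[int] = None   # destination port, if any


@dataclass
class Ace:
    """One access-control entry: an action plus the header fields it matches."""
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    hits: int = 0                 # packets this entry has decided

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


class AccessList:
    def __init__(self, aces: List[Ace]):
        self.aces = aces
        self.implicit_deny_hits = 0

    def evaluate(self, pkt: Packet) -> str:
        """First matching entry wins; a packet matching nothing is denied."""
        for ace in self.aces:
            if ace.matches(pkt):
                ace.hits += 1
                return ace.action
        self.implicit_deny_hits += 1
        return "deny"

    def unused_entries(self) -> List[int]:
        """Indexes of entries that never fired: candidates for removal."""
        return [i for i, a in enumerate(self.aces) if a.hits == 0]


def ace(action, src, dst, proto=None, dport=None) -> Ace:
    return Ace(action, ipaddress.ip_network(src), ipaddress.ip_network(dst),
               proto, dport)


def build_inbound_acl() -> AccessList:
    """Constructed rule set: 192.0.2.0/24 is the protected subnet, 10.0.0.0/24
    the internal management subnet, 203.0.113.7 the rogue host from the text."""
    return AccessList([
        ace("deny", "192.0.2.0/24", "0.0.0.0/0"),                 # 0: ingress anti-spoofing
        ace("deny", "203.0.113.7/32", "192.0.2.10/32"),            # 1: rogue -> target
        ace("permit", "198.51.100.0/24", "10.0.0.0/24", "tcp", 22),  # 2: SSH to mgmt subnet
        ace("permit", "0.0.0.0/0", "192.0.2.0/24"),                # 3: all else to protected net
    ])


def count_actions(acl: AccessList, packets: List[Packet]) -> dict:
    results = [acl.evaluate(p) for p in packets]
    return {"permit": results.count("permit"), "deny": results.count("deny")}


def flood_fixed_source(n: int = 1000) -> dict:
    """Rogue floods the target from its real address: entry 1 drops every packet."""
    acl = build_inbound_acl()
    pkts = [Packet("203.0.113.7", "192.0.2.10") for _ in range(n)]
    pkts.append(Packet("198.51.100.5", "192.0.2.10"))   # one legitimate client
    summary = count_actions(acl, pkts)
    summary["rogue_rule_hits"] = acl.aces[1].hits
    summary["unused"] = acl.unused_entries()
    return summary


def flood_rotating_sources() -> dict:
    """Same flood with a forged, changing UDP source: entry 1 catches one packet."""
    acl = build_inbound_acl()
    pkts = [Packet(f"203.0.113.{i}", "192.0.2.10") for i in range(1, 251)]
    summary = count_actions(acl, pkts)
    summary["rogue_rule_hits"] = acl.aces[1].hits
    return summary


def spoofed_inside_source() -> str:
    """A packet from outside claiming an inside address is dropped by entry 0."""
    return build_inbound_acl().evaluate(Packet("192.0.2.99", "192.0.2.10"))


def management_subnet_access() -> dict:
    """Only the permitted partner network, on the permitted port, reaches 10.0.0.0/24."""
    acl = build_inbound_acl()
    return {
        "allowed": acl.evaluate(Packet("198.51.100.5", "10.0.0.3", "tcp", 22)),
        "wrong_port": acl.evaluate(Packet("198.51.100.5", "10.0.0.3", "tcp", 80)),
        "other_net": acl.evaluate(Packet("203.0.113.9", "10.0.0.3", "tcp", 22)),
    }
```

Running `flood_fixed_source()` shows the per-entry counter doing the job logging would: entry 1 fires 1000 times while entries 0 and 2 never fire, so the counter, not a log, tells the operator which entries are earning their cost. `flood_rotating_sources()` shows the evasion the text describes: of 250 forged sources only the one that happens to equal the rogue's real address is caught, and the rest pass under the general permit.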
In principle, a router is an
excellent point of access control because it handles every packet coming into
and going out of a subnetwork. In specific situations, primarily for internal
subnetworks, ACLs can be used effectively to restrict certain traffic flows,
for example, to ensure that only certain hosts (addresses) have access to an
internal network management subnetwork. But for large-scale, general traffic
screening, routers are less useful than firewalls.
Firewalls
A firewall does the screening
that is less appropriate for a router to do. A router's primary function is
forwarding, whereas a firewall's primary function is filtering. Firewalls can
also do auditing. Even more important, firewalls can examine an entire packet's
contents, including the data portion, whereas a router is concerned only with
header fields such as source and destination MAC and IP addresses. Because they
are an extremely important network security control, we study firewalls in an
entire section later in this chapter.