With the proliferation of worms, viruses, and DoS attacks, it is not surprising that security is one critical consideration for the Internet module. Many network managers associate security at the Internet module with the placement of a firewall. However, you need more than just a box to protect the network from malicious attacks.
Because attacks such as worms and DoS can cripple a network, their effect is the same as that of a hardware failure or link failure to the Internet. Hence, you can no longer discuss resiliency to the Internet module without talking about security.
The border routers of the Internet module provide the first line of defense through the deployment of inbound ACLs. The ACLs allow only permitted traffic to the DMZ server farm and allow internal users to exit to the Internet. All unauthorized traffic should be dropped on the interface facing the Internet. Below are some key points to take into consideration when designing security policies for an Internet router:
- Never allow a direct connection to be initiated by an external host to an internal host. At no time can this rule be bent.
- In the event that you allow external hosts to initiate a connection to a host within your network, place the internal host in the DMZ.
- Be extremely careful with ICMP and UDP traffic flowing both in and out of the Internet module. Although DNS traffic, such as zone updates, may be allowed, you have to be strict with other ICMP or UDP traffic.
- Avoid an application design that makes use of tunneling or port redirection (for example, remote desktop or file system redirection).
- An anti-spoofing mechanism has to be applied on the Internet connection; RFC 2827 is required reading. The intent of anti-spoofing is to make sure that traffic from the Internet is not trying to spoof an internal address.
- All management traffic must be encrypted. For this, the Cisco IOS code with Secure Shell (SSH) is recommended. (SSH is a more secure alternative to Telnet.) For a device that is manageable via the web, SSL has to be implemented. For authentication and logging purposes, facilities such as Terminal Access Controller Access Control System (TACACS) have to be in place.
- NAT can be used to protect internal hosts from being directly connected via an external host.
- Traffic from the Internet should neither be sourced nor destined to a private IP address. Therefore, private IP filtering has to be in place at the border router.
- To provide remote access via the Internet, the VPN termination can be done on the firewall or parallel to the firewall, if there is a separate device. In other words, remote-access traffic needs to be scrutinized by the firewall.
- Stateful inspection has to be implemented so that packets that fail to match a proper TCP state are dropped.
- Rate limiting of traffic may be implemented based on a set threshold. Rate limiting proves useful to control traffic so as to prevent excessive bandwidth consumption.
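The following Cisco IOS configuration is an added example (not taken from the post or from Cisco's SAFE documentation) that puts most of the points above into router syntax: an inbound ACL that drops spoofed and private-sourced packets and permits only the published DMZ services, an egress ACL so only our own address space leaves, uRPF as a second anti-spoofing check, a policer that rate-limits inbound ICMP, and SSH-only management authenticated against TACACS+. All addresses are assumptions drawn from the RFC 5737 documentation ranges: 203.0.113.0/24 stands in for the organization's public block, 203.0.113.10 and 203.0.113.53 for DMZ web and DNS servers, 192.0.2.20 for the TACACS+ server and 192.0.2.0/24 for the management network; the shared secret is a placeholder.

```cisco
! ---- Inbound from the Internet (assumed public block 203.0.113.0/24) ----
ip access-list extended INTERNET-IN
 ! RFC 2827 anti-spoofing: nothing arriving from the Internet may claim our own space
 deny   ip 203.0.113.0 0.0.0.255 any log
 ! RFC 1918 and other never-routable sources must not appear on the Internet link
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 ! Only published DMZ services may be reached from outside (hosts are assumptions)
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 permit udp any host 203.0.113.53 eq 53
 permit tcp any host 203.0.113.53 eq 53
 ! Return traffic for sessions opened from inside. "established" only checks TCP
 ! flags; a stateful firewall behind this router does the real state tracking.
 permit tcp any 203.0.113.0 0.0.0.255 established
 ! Minimal ICMP: replies and error messages only, no inbound echo
 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
 permit icmp any 203.0.113.0 0.0.0.255 unreachable
 permit icmp any 203.0.113.0 0.0.0.255 time-exceeded
 ! Everything else is dropped and logged on the Internet-facing interface
 deny   ip any any log
!
! ---- Outbound to the Internet: only our own addresses may leave ----
ip access-list extended INTERNET-OUT
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
! ---- Rate limit inbound ICMP to 64 kbit/s with an 8000-byte burst ----
ip access-list extended ICMP-ONLY
 permit icmp any any
class-map match-any ICMP-IN
 match access-group name ICMP-ONLY
policy-map RATE-LIMIT-IN
 class ICMP-IN
  police 64000 8000 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/0
 description Internet uplink (interface name is an assumption)
 ip access-group INTERNET-IN in
 ip access-group INTERNET-OUT out
 ! Strict uRPF; allow-default is needed because the only route back toward
 ! Internet sources is the default route. Use "reachable-via any" if routing is asymmetric.
 ip verify unicast source reachable-via rx allow-default
 service-policy input RATE-LIMIT-IN
!
! ---- Encrypted management: SSHv2 only, TACACS+ for authentication and accounting ----
hostname border-rtr
ip domain-name example.net
! Generate the SSH host key once from exec mode: crypto key generate rsa modulus 2048
ip ssh version 2
aaa new-model
tacacs server TACACS1
 address ipv4 192.0.2.20
 key REPLACE-WITH-SHARED-SECRET
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
ip access-list standard MGMT-IN
 permit 192.0.2.0 0.0.0.255
 deny   any log
line vty 0 4
 transport input ssh
 access-class MGMT-IN in
```

The ordering inside INTERNET-IN matters: the spoofing and private-address denies come first so that a packet with a forged internal source can never match one of the later permits for DMZ services. Reviewing the `log` hits from the final deny and from the anti-spoofing entries is the cheapest early warning that something is probing or forging addresses toward the module.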
All these policies may seem basic, but together they prepare your routers as the first line of defense and keep most malicious traffic away from your network.
You can read more about Cisco SAFE here