Escolar Documentos
Profissional Documentos
Cultura Documentos
Router Links Advertisement Network Links Advertisement Summary Links Advertisement Autonomous System Boundary Router Summary Link Advertisement Autonomous System External Link Advertisement Multicast Group Membership Link State Advertisement
Type 1 Message
A Type 1 LSA message is used to transmit information about a routers interface and the cost associated with the interface. Because an interface is dened with the use of an IP address, the information in a routers Link State Advertisement consists of an IP address-cost metric pair. Exhibit 7.9 lists the six types of SLA messages OSPF routers use.
Type 2 Message
The purpose of a Type 2 LSA message is to inform all routers within an area of the presence of a designated router (DR). Thus, a DR oods a Type 2 LSA upon its election. This message contains information about all routers in the area, as well as the fact that one is now the DR for the area.
Type 3 Message
Because an area border router (BR) connects adjacent areas, a mechanism is needed to describe networks reachable via the adjacent border router (ABR). Thus, an ABR router oods a Type 3 message into an area to inform routers in the area about other networks that are reachable from outside the area.
Type 4 Message
A Type 4 message describes the cost from the router issuing the message to an autonomous system boundary router. Thus, this message allows a boundary router that functions as a gateway to another autonomous system to note the cost associated with accessing different networks via different paths within its system.
139
Type 5 Message
A boundary router that connects autonomous systems generates a Type 5 message. This message describes an external network on another system reachable by the router. Thus, this message ows to routers in one autonomous system to describe a network reachable via a different system.
Type 6 Message
The last type of LSA is a Type 6 message. A Type 6 message enables a multicast-enabled OSPF router to distribute multicast group information instead of having to transmit multiple copies of packets.
Operation
The actual initialization of OSPF in an autonomous area requires a series of packets to be exchanged that enables the Designated Router and Backup to be selected and router adjacencies to be noted prior to routing information being exchanged. The most basic exchange between OSPF routers occurs via the transmission of Hello messages. Such messages ow between routers that enable routers within an area to discover one another, as well as to note the relationship between routers. Once the DR and BDR are selected, additional messages are exchanged that eventually enable one area to become aware of other areas, as well as networks reachable outside of the current autonomous system. Although the initial learning process is complex, once routing table information is constructed, updates only occur when there is a change in the network structure or every 30 minutes. Thus, although OSPF initially requires more bandwidth than RIP, it rapidly reduces its bandwidth requirements.
Chapter 8
Security
One of the key advantages of the TCP/IP protocol suite is also a disadvantage. The advantage is its openness, with RFCs used to identify the manner by which the protocol suite operates. Unfortunately, this openness has a price: it allows just about any person to determine how the various components that make up the protocol suite operate. This capability enables people who wish to do harm to IP networks and computers operating on those networks to develop techniques to do so. In comparison, other protocol suites that were developed by commercial organizations may not be as extensively documented. Thus, people who wish to exploit the weaknesses of a protocol suite developed by a commercial organization may face a far more daunting task. Because the use of the Internet has expanded at an almost exponential rate, another problem associated with the TCP/IP protocol suite involves the connection of private networks to the Internet. With almost 100 million users now connected to the Internet on a global basis, this means that if only a very small fraction of Internet users attempt to break into different hosts, the total number would become considerable. Recognizing the openness of the TCP/IP protocol suite and the ability of people from Bangladesh to Belize to hack computers, security has become a major consideration of network managers and LAN administrators and is the focus of this chapter. This chapter focuses on a series of TCP/IP security-related topics. Because the router represents both the entryway into a network as well as the rst line of defense, this device is considered rst. One can consider using this examining measure to prevent unauthorized entry into a routers conguration sub-system. Also discussed are other methods one can use to create access lists that perform packet ltering. Although the use of router access lists can considerably enhance the security of a network, there are certain functions and features that they do not perform. Thus, many network managers and LAN administrators rightly supplement the security capability of a router with a rewall, the operation of which is also covered in this chapter.
141
142
Router Control
Most routers provide several methods that can be used to control their operation. Although routers produced by different vendors may not support all of the methods to be discussed herein, they will usually support one or more of the methods to be discussed in this section. Those methods include direct cabling via a control port into the router, Telnet access, and Web access.
Direct Cabling
All routers include a control port that enables a terminal device to be directly cabled to a router. The terminal device can be a PC or a dumb asynchronous terminal. Once connected to the router, a user normally must enter a password to access the conguration system of the router. The exception to this is the rst time a person accesses the router via a direct connection, because most routers are shipped without a password being enabled. Thus, if someone has unpacked a router, connected a terminal to its direct connect conguration port, and congured an access password, the next person to use the terminal would have to know the password to be able to congure the router.
Security
143
sends employees on the road to recongure routers, one can consider the use of direct cabling. If the organization needs to be responsive to changing requirements and cannot afford to have trained employees at each router location, one would then prefer a technique that provides a remote router management capability. This capability can be obtained through the use of Telnet or Web access to the router.
Protection Limitation
One of the problems associated with remote access to routers is that the basic method of protection via a password can be overcome if care is not taken during the password creation process. This is because most routers will simply disconnect the Telnet or Web connection after three failed password entry
144
Security
145
attempts, enabling a user to try three more passwords. Because of this limitation, several hackers in the past are known to have written scripts that would try three entries at a time from an electronic dictionary. If the network manager or LAN administrator used a name, object, or expression that could be extracted from an electronic dictionary, it was not long before the hacker gained entry into a routers virtual terminal capability and essentially took control of the device. Thus, it is extremely important to use an alphanumeric password combination that is not in a dictionary for password creation. In addition, through the use of an access list, it becomes possible to restrict access to a routers virtual terminal (vt) port from a known IP address. Therefore, it is possible with some effort to make it extremely difcult for a remote user other than a designated employee or group of employees to remotely access an organizations routers. There is one limitation associated with the use of a routers access list that warrants discussion. Because an access list would be developed to allow packets from a known IP address to access a routers virtual terminal (vt) port, this means the address cannot be dynamically assigned. In addition to requiring a xed IP address, the use of an access list to protect access to a vt port also restricts the ability of traveling employees to gain access to a routers vt port. This is because ISPs commonly assign IP addresses dynamically. For example, an employee communication from San Francisco at 3:00 p.m. would have a different temporary IP address than that assigned when he or she accessed the Internet at 2:00 p.m. Similarly, if the employee took a trip to San Jose at 6:00 p.m. and accessed the Internet, another IP address would be temporarily assigned to the employees notebook computer. One method to overcome the previously described problem is for traveling employees to dial an access server that is directly connected to the organizations network. If one congures the server to accept a static IP address assigned to an employees notebook, then a routers access list could be used to allow remote access for authorized employees that travel around the country or around the globe. This action, of course, results in the necessity for employees to use long distance instead of potentially more economical Internet access. Because many organizations only periodically require traveling employees to recongure organizational routers, the cost of potential long-distance support may not represent a detriment to its use. Although the previous discussion focused on Telnet access to a routers vt port, some routers also support conguration via a Web browser that results in similar, but not identical, issues. That is, while one can use a routers access list capability to allow HTTP access from predened IP addresses, Web browsers also support secure HTTP, referred to by the mnemonic HTTPS. If the router supports HTTPS, then one may be able to support the use of public key encryption and preassigned digital certicates between the Web browser and router, adding an additional level of security to gaining remote access to a routers conguration subsystem. Given an appreciation for the manner by which local and remote users can gain access to a routers conguration subsystem, one can now focus on
146
the use of access lists. In doing so, the author examines the rationale for their use, the basic types of access lists, and new capabilities recently added to access lists that considerably enhance their functionality.
Security
147
Exhibit 8.2
for security do so with respect to data owing to and from the Internet with respect to an organizations private network. Exhibit 8.2 illustrates the use of a router to connect two LANs both to each other as well as to the Internet. In this example, the router provides a gateway from the LANs to the Internet. Because many, if not most, organizations do not want to allow any user that accesses the Internet to gain access to their private network, it is quite common for the network manager or LAN administrator to program the router to restrict the ow of packets. This packet ow restriction is accomplished through the use of a routers access list capability, and the technique used by the router in examining packets specied by an access list is referred to as packet ltering.
148