 

Border Router Security 101


This introductory article provides an overview of border router security as well as the typical configuration recommendations for small, medium and large organizations.

One of the most vulnerable parts of an organization's network is where it connects to the Internet. This link completes a connection to millions of devices that should all be considered potential security threats. Because of this, each organization needs to take the security of this connection very seriously. This initial connection is typically made with one of two devices: a border (or edge) router or a firewall. In this introductory article, we take a look at these border devices and how they should be configured at a high level to maintain security.

Border Device Recommendations

The difference between a router and a firewall being selected and used as the border device depends on the role and size of the connecting organization. If the organization is an Internet Service Provider (ISP), then a number of its devices may be required to directly connect to the Internet to ensure proper communication between Internet routers. However, ISPs are not the focus of this article and will not be discussed further. For small and medium sized businesses (SMBs) and enterprises the selection of one over the other is mostly dependent on the size of the organization's budget.

On the smaller side, many SMBs will have a single Internet connection via a consumer grade connection (like cable or DSL) and connect through a consumer grade "router" or gateway. These devices typically run a variant of Linux and have been time tested to provide a reasonable grade of firewall protection. They may not stand up to a highly coordinated direct attack, but they are typically secure enough for smaller sized organizations.

Once an organization grows bigger, it is recommended that it replace this consumer grade "router" with a higher grade firewall or at very least a higher grade router (notice the lack of quotes here). An important distinction is whether the organization hosts any of its Internet facing services at the referenced site (for example, does it have web servers located at the same site?).

If it doesn't host any of these services and the Internet connection is primarily being used for internal Internet access, then a router should be sufficient. These devices typically have a firewall feature set that can be configured to provide protection for these types of organizations. On top of the configuration of this firewall feature, the device should also be stripped of running any unneeded services. Online tools like the Border Router Security Tool can be used to build secure Cisco IOS configurations, which will automatically configure a device to stop these services.

If the site does house Internet facing types of services at the same location, then the connection to the Internet should be handled by a firewall. These devices are built for the sole purpose of securing a connection and because of that, they provide a number of different features that help ensure security. The selection of which firewall to use depends on the features that need to be supported as well as the amount of traffic that will be forwarded through the device. Take a look at our Next Generation Firewall guide to get an idea of what to look for when choosing an NGFW. These devices can be configured as a single device in smaller deployments or as a redundant pair or cluster.

For larger enterprises, it is generally recommended to always utilize firewalls for the Internet connection (where possible), and since there are typically a larger number of users relying on this connection, these firewalls are almost always configured in a redundant pair or cluster. The larger the organization, the more likely it is that it will house some of its services inside of its network. Large organizations typically also have remote offices that can be configured to use the Internet as a connection method back into the headquarters. All of these different possibilities increase the threat footprint of the Internet connection, which is why firewalls are typically implemented over router alternatives. There are a number of different technologies that can be used by these larger enterprises that have the budget to implement complex threat mitigation strategies, including Intrusion Detection/Prevention Systems (IDS/IPS), web/email gateways, and Virtual Private Network (VPN) aggregation, among others. The choice of these additional security technologies that are or will be deployed will affect the selection of the best edge device to use.

Border Device Configuration Recommendations

There are some general recommendations when configuring an edge device, including:

  • Stop and/or remove all unneeded services from the edge device, including discovery services like Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol (LLDP), unencrypted device management services (HTTP or Telnet), Gratuitous ARP (GARP), finger, and others.
  • Enable the use of Authentication and Authorization for login and configuration (AAA - Authentication and Authorization).
  • Enable logging on all device configuration and login activities (AAA - Accounting).
  • Block traffic arriving on the outside interface whose source address belongs to an inside address range (if traffic from an inside address comes in on an outside connection, then someone is attempting to attack you).
  • Block traffic from private IP ranges that are not in use on internal networks (10.0.0.0/8, 172.16.0.0-172.31.255.255, and 192.168.0.0/16).
  • Block or filter direct requests into the border device except for authorized sources (typically from an inside interface not an outside interface).
  • Block traffic from any other unused IP ranges, including multicast range and loopback range (127.0.0.0/8). This may also include a dynamic list of known exploitative ranges depending on the feature set of the device being implemented.
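The following Cisco IOS configuration fragment is an added example, not taken from the article or from any vendor guide, showing how each item in the list above maps onto router configuration. The interface names, the public range 203.0.113.0/24, the inside range 10.10.0.0/16, the management host, the syslog collector and the TACACS+ server address are all constructed placeholders; an organization would substitute its own values and should review every line against its actual traffic before applying it.

```cisco
! Added example (not from the article): border router hardening on Cisco IOS.
! All addresses and interface names below are constructed placeholders.

! --- Stop unneeded services (CDP, LLDP, HTTP, finger, GARP, small servers) ---
no cdp run
no lldp run
no ip http server
no service finger
no ip gratuitous-arps
no ip source-route
no service tcp-small-servers
no service udp-small-servers
no ip bootp server

! --- AAA: authentication and authorization for login and configuration ---
tacacs server TAC1
 address ipv4 10.10.1.51
 key <tacacs-key-placeholder>
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
! --- AAA accounting: record logins and every privileged command ---
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
username netadmin privilege 15 secret <strong-secret-placeholder>

! --- Log login attempts and configuration changes to the syslog collector ---
logging host 10.10.1.50
login on-failure log
login on-success log
archive
 log config
  logging enable
  notify syslog

! --- Management only from the authorized inside host, and only over SSH ---
ip access-list standard MGMT-IN
 permit host 10.10.1.10
 deny   any log
line vty 0 4
 transport input ssh
 access-class MGMT-IN in

! --- Ingress filter applied to the outside interface ---
ip access-list extended OUTSIDE-IN
 remark Our own public range must never be a source arriving from the Internet
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark RFC 1918 ranges (the 10/8 entry also covers our inside range 10.10.0.0/16)
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 remark Loopback and multicast sources are never valid on this link
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 remark No management requests to the router itself from the outside
 deny   tcp any host 203.0.113.1 eq 22 log
 deny   tcp any host 203.0.113.1 eq telnet log
 deny   tcp any host 203.0.113.1 eq www log
 deny   tcp any host 203.0.113.1 eq 443 log
 deny   udp any host 203.0.113.1 eq snmp log
 remark Site hosts no services: admit only replies to sessions opened from inside
 permit tcp any 203.0.113.0 0.0.0.255 established
 permit udp any eq domain 203.0.113.0 0.0.0.255 gt 1023
 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
 permit icmp any 203.0.113.0 0.0.0.255 unreachable
 permit icmp any 203.0.113.0 0.0.0.255 time-exceeded
 deny   ip any any log

interface GigabitEthernet0/0
 description Outside (ISP)
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 no ip redirects
 no ip proxy-arp
```

The order of the entries in OUTSIDE-IN matters: the spoofed and unused-range denials sit first so that they are logged under their own entry, and the final `deny ip any any log` is what turns the list into a default-deny policy. The `established` keyword only tracks TCP, so the UDP and ICMP permits are deliberately narrow; a site that needs broader stateful return-traffic handling on a router would move to the IOS zone-based firewall rather than widen these lines.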

In larger enterprises these general guidelines are still used but they are implemented in addition to the abilities of a number of different appliances that each handle their own specific set of the traffic. For example, secure web gateways are focused on providing a secure web connection, email gateways are focused on providing secure email, etc. The border device in this case will be configured to block the most obvious traffic and forward the rest to their respective point devices inside the enterprise DMZ (if you're not familiar with DMZs, check out our guide to DMZs and Screened Subnets).

Network design is generally considered more of an art than a science, and the preferences of one network designer over another can alter the way a network connects. The guidelines discussed in this article are intended for general reference. Regardless of the type of border device selected, its configuration must be carefully planned and audited to maintain as secure a connection to the Internet as possible. Hopefully this article provides enough of an overview to properly understand the significance of border router security devices and how the size of an organization can alter the type of device that should be deployed.
