Network Routing – Complete Beginner to Advanced Guide

Updated: May 15, 2026

# CHAPTER 14

Routing Security Basics

1. Introduction

A router's fundamental job is to forward traffic. By default, a router is highly permissive; if it has a path in its Routing Table, it will happily forward the packet, completely indifferent to whether that packet contains a legitimate web request or a destructive malware payload. To protect the enterprise, network engineers must forcefully restrict this behavior. Routing security operates on two fronts: securing the *Data Plane* (stopping malicious traffic from passing through the router) and securing the *Control Plane* (stopping hackers from corrupting the router's maps). In this chapter, we will explore Access Control Lists (ACLs), Route Filtering, and the terrifying reality of BGP Hijacking.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Define the purpose and mechanism of Access Control Lists (ACLs).
  • Differentiate between Data Plane security and Control Plane security.
  • Understand how Route Filtering prevents malicious map updates.
  • Explain the mechanics of a BGP Route Hijack on the internet backbone.
  • Implement basic authentication to secure dynamic routing protocols.

3. Beginner-friendly Explanations

The Bouncer at the Nightclub (The ACL): Imagine a nightclub with a Bouncer at the door. The Bouncer has a clipboard (The ACL).
  • Rule 1: Allow VIPs to enter.
  • Rule 2: Deny anyone wearing sneakers.
  • Rule 3: Deny everyone else.

When a person (a packet) arrives, the Bouncer reads the clipboard from top to bottom and stops at the first rule that fits; nothing below that rule is ever consulted. A VIP in sneakers matches Rule 1 and walks in, because Rule 1 is read first. A non-VIP in sneakers gets as far as Rule 2 and is turned away. Swap Rules 1 and 2, and every VIP in sneakers is rejected at the sneaker rule before the VIP rule is ever reached. Order is everything.

Routers use ACL clipboards to act as primitive, stateless packet filters, checking every packet against the list before it is allowed in or out of an interface.

4. Access Control Lists (ACLs)

An ACL (Access Control List) is an ordered sequence of permit or deny rules applied to a specific router interface in one direction (inbound or outbound). Routers can inspect multiple fields in the IP and transport headers to make a decision:
  • Source IP: (e.g., Deny traffic coming from a known hostile IP 5.5.5.5)
  • Destination IP: (e.g., Deny employees from reaching Facebook 157.240.22.35; a single address is shown for illustration, a real block would have to cover the whole prefix range the service uses)
  • TCP/UDP Port: (e.g., Allow Web traffic on Port 80, but Deny Telnet traffic on Port 23)

*The Implicit Deny:* Every ACL has an invisible rule at the very bottom: Deny All. If a packet does not explicitly match a "Permit" rule above, the router silently drops it. An ACL made only of deny statements therefore blocks everything, so a list meant to filter out a few things must end with an explicit permit for the rest.

5. Control Plane Security (Authentication)

ACLs protect the traffic flowing *through* the router. But how do you protect the router itself? What if a disgruntled employee plugs a laptop into the wall and runs a fake OSPF program, telling the corporate router: *"Send all payroll traffic to my laptop!"*

To prevent this, engineers use Routing Protocol Authentication. You configure a shared secret key on all the legitimate corporate routers. Each router then attaches to every OSPF packet it sends (Hellos as well as the Link-State Updates that carry LSAs) a digest computed over the packet plus the secret, together with a sequence number; the secret itself never goes on the wire. The fake laptop doesn't know the secret, so it cannot produce a valid digest, and the real routers drop its fake maps into the trash. Two caveats: the classic OSPF scheme is keyed MD5 (RFC 2328), which is now considered legacy, so prefer the HMAC-SHA variants (RFC 5709) where the platform supports them; and authentication is no substitute for not speaking OSPF on user-facing ports at all, which is what marking access interfaces passive achieves.
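
The exchange described above, as an added Python example that is not part of the original chapter: a sender appends a sequence number and a digest computed over the packet plus the shared secret, and the receiver recomputes the digest before trusting the packet. The key name, the sample Hello payload and the field layout are constructed for illustration and are not the bit-exact OSPF header; the MD5 construction (key padded to 16 bytes and appended) follows RFC 2328 Appendix D, and an HMAC-SHA256 variant in the spirit of RFC 5709 is shown alongside it.

```python
import hashlib
import hmac
import struct
from typing import Callable, Optional

# Simplified model of OSPF cryptographic authentication (RFC 2328, Appendix D):
# the shared key never travels on the wire; each packet carries a cryptographic
# sequence number and a digest computed over packet + key.  Field layout here is
# illustrative, not the bit-exact OSPF header.

Digest = Callable[[bytes, bytes], bytes]


def md5_keyed_digest(data: bytes, key: bytes) -> bytes:
    """RFC 2328 style: key zero-padded (or truncated) to 16 bytes and appended."""
    return hashlib.md5(data + key.ljust(16, b"\x00")[:16]).digest()


def hmac_sha256_digest(data: bytes, key: bytes) -> bytes:
    """Generic cryptographic authentication style (cf. RFC 5709): a real MAC."""
    return hmac.new(key, data, hashlib.sha256).digest()


def sign(packet: bytes, key: bytes, seq: int, digest: Digest = md5_keyed_digest) -> bytes:
    """Sender: append a 4-byte sequence number, then the digest over both."""
    body = packet + struct.pack("!I", seq)
    return body + digest(body, key)


def verify(msg: bytes, key: bytes, last_seq: int,
           digest: Digest = md5_keyed_digest) -> Optional[bytes]:
    """Receiver: return the packet if the digest checks out and the sequence
    number is fresh, otherwise None (the packet goes in the trash)."""
    dlen = len(digest(b"", key))
    if len(msg) < 4 + dlen:
        return None
    body, received = msg[:-dlen], msg[-dlen:]
    (seq,) = struct.unpack("!I", body[-4:])
    if seq <= last_seq:               # replayed or stale (simplified: strictly increasing)
        return None
    if not hmac.compare_digest(received, digest(body, key)):
        return None                   # wrong key or tampered contents
    return body[:-4]


if __name__ == "__main__":
    key = b"corp-ospf-key"                                   # hypothetical shared secret
    hello = b"OSPF HELLO area 0.0.0.0 router-id 10.0.0.1"    # constructed sample packet
    wire = sign(hello, key, seq=100)
    print("legit peer: ", verify(wire, key, last_seq=99))
    print("no key:     ", verify(sign(hello, b"guess", 101), key, 100))
    tampered = wire[:5] + bytes([wire[5] ^ 0x01]) + wire[6:]
    print("tampered:   ", verify(tampered, key, 99))
    print("replayed:   ", verify(wire, key, last_seq=100))
    print("hmac-sha256:", verify(sign(hello, key, 7, hmac_sha256_digest), key, 6, hmac_sha256_digest))
```

The laptop in the story is the "no key" case: it can copy the packet format perfectly, but every digest it produces fails the receiver's recomputation. The sequence-number check is what stops it from simply replaying a captured legitimate packet.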

6. Route Filtering

Sometimes, you don't want to block the *traffic*; you want to block the *map*. If a company has a highly secretive database subnet (10.99.0.0/24), they can configure a Route Filter. The Route Filter tells the routing protocol: *"When you advertise your maps to the rest of the building, leave out the route for 10.99.0.0/24."* Because the other routers never learn a specific route, their tables carry no entry for the subnet. Two caveats keep this honest. First, every OSPF router inside an area must hold the same link-state database, so prefixes can only be filtered at area borders or at redistribution points, not between neighbors in the same area. Second, a missing route is not a locked door: if those routers hold a default route, or a summary such as 10.0.0.0/8 that covers 10.99.0.0/24, packets still flow toward the database. Route filtering reduces exposure; the ACL is what actually enforces the policy.

7. BGP Hijacking (The Internet's Biggest Flaw)

On the global internet, BGP operates on the "Honor System." If some ISP announces to the world: *"I own the IP addresses for YouTube,"* neighbouring routers that don't filter the announcement will believe it, pass it on, and install it. If the bogus announcement is a more-specific prefix than YouTube's own (a /24 carved out of a /23, say), longest-prefix matching makes it win on every router that accepts it, and YouTube traffic from all of those networks is rerouted into the hijacker's network.

This is a BGP Hijack. It happens regularly, sometimes by accident (a typo by an engineer, a leaked internal prefix) and sometimes maliciously, to intercept or blackhole traffic. *The Solution:* The industry is slowly adopting RPKI (Resource Public Key Infrastructure). Address holders publish cryptographically signed Route Origin Authorizations (ROAs) stating which AS may originate which prefixes, and how specific those prefixes may be. Routers that perform Route Origin Validation (ROV) compare each announcement against the ROAs and drop those marked INVALID. RPKI does not stop anyone from lying; it lets properly configured routers refuse the lie. It also checks only the origin AS, so an attacker who forges an AS path ending in the legitimate origin still passes ROV; closing that gap is the job of path-validation efforts such as BGPsec and ASPA.
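
An added Python example, not part of the original chapter, that shows the hijack and the RPKI check side by side: a validator implementing the RFC 6811 VALID / INVALID / NOT_FOUND decision, a policy step that drops INVALID announcements when ROV is on, and a longest-prefix lookup that explains why the more-specific hijack wins whenever it is accepted. The prefix (the reserved benchmarking block 198.18.0.0/15), the ASNs (documentation range 64496-64511) and the announcements are constructed data; the forged-origin case at the end is the RPKI limitation mentioned above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Toy model of RPKI Route Origin Validation (RFC 6811).  A ROA says: this address
# block, split no finer than max_length, may be originated by origin_as.
# Prefixes and ASNs below are reserved/documentation ranges used as constructed data.


@dataclass(frozen=True)
class ROA:
    prefix: str
    max_length: int
    origin_as: int


Announcement = Tuple[str, List[int]]   # (prefix, AS path; the origin AS is the last hop)
RibEntry = Tuple[str, List[int], str]  # (prefix, AS path, validation state)


def validate(prefix: str, origin_as: int, roas: List[ROA]) -> str:
    """Return VALID, INVALID or NOT_FOUND exactly as a validating router would."""
    net = ip_network(prefix)
    covering = [r for r in roas if net.subnet_of(ip_network(r.prefix))]
    if not covering:
        return "NOT_FOUND"            # no ROA speaks to this address space at all
    for r in covering:
        if r.origin_as == origin_as and net.prefixlen <= r.max_length:
            return "VALID"
    return "INVALID"                  # covered, but wrong origin AS or too specific


def apply_policy(announcements: List[Announcement], roas: List[ROA], rov: bool) -> List[RibEntry]:
    """Build the accepted table; with ROV on, INVALID announcements are dropped."""
    rib: List[RibEntry] = []
    for prefix, path in announcements:
        state = validate(prefix, path[-1], roas)
        if rov and state == "INVALID":
            continue
        rib.append((prefix, path, state))
    return rib


def best_route(rib: List[RibEntry], dst: str) -> Optional[RibEntry]:
    """Longest prefix match: the reason a hijacker's more-specific /24 beats the
    legitimate /15 on every router that accepts it."""
    hits = [e for e in rib if ip_address(dst) in ip_network(e[0])]
    return max(hits, key=lambda e: ip_network(e[0]).prefixlen, default=None)


# Constructed scenario: AS 64500 holds 198.18.0.0/15 and may split it down to /16.
ROAS = [ROA("198.18.0.0/15", 16, 64500)]
ANNOUNCEMENTS: List[Announcement] = [
    ("198.18.0.0/15", [64501, 64500]),   # legitimate, heard via transit AS 64501
    ("198.18.0.0/24", [64511]),          # hijack: more-specific from the wrong AS
]

if __name__ == "__main__":
    for rov in (False, True):
        best = best_route(apply_policy(ANNOUNCEMENTS, ROAS, rov), "198.18.0.10")
        print(f"ROV {'on ' if rov else 'off'}: traffic for 198.18.0.10 follows {best}")
    # Limitation: a hijacker who forges the AS path so it ends in the legitimate
    # origin (64511 -> 64500) passes origin validation; that needs BGPsec/ASPA.
    print("forged origin:", validate("198.18.0.0/15", [64511, 64500][-1], ROAS))
```

With ROV off the /24 wins and traffic goes to AS 64511; with ROV on the /24 is INVALID (wrong origin, and longer than the ROA's maxLength) and is never installed, so the legitimate /15 carries the traffic. Note that the same ROA also makes a /24 announced by the rightful AS 64500 INVALID, which is why operators set maxLength carefully.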

8. Best Practices

  • Apply ACLs Close to the Source: When writing an ACL to block traffic, apply the "Deny" rule on the router closest to the *sender*. If you wait to block the packet on the router closest to the *destination*, the malicious packet has already consumed valuable bandwidth traveling all the way across your network just to be dropped at the end. This advice applies to extended ACLs, which can name both source and destination. A standard ACL that matches on source only has to sit close to the destination; placed near the source it would cut that sender off from everything, not just from the host you meant to protect.

9. Common Mistakes

  • Locking Yourself Out: The most classic mistake in networking. An engineer logs into a router remotely via SSH. They write an ACL to secure the interface, but they forget to add a "Permit SSH" rule. They apply the ACL. The router instantly executes the "Implicit Deny All," completely blocking the engineer's own connection. The engineer is locked out until someone reaches the datacenter with a console cable. Practitioners guard against this by permitting their own management session as the first rule, and by arming a safety net before applying a risky change: on Cisco IOS, "reload in 10" schedules a reboot to the saved configuration that you cancel with "reload cancel" once the change is confirmed working; on platforms with candidate configurations, a "commit confirmed" rolls the change back automatically if it is not confirmed in time.

10. Mini Project: Write an ACL (Theory)

You want to secure an HR Server (10.0.10.50). You only want the Boss (10.0.5.5) to access it. The ACL Logic, applied inbound on the interface that leads toward the HR subnet:
  1. Permit IP Source: 10.0.5.5 Destination: 10.0.10.50
  2. Deny IP Source: ANY Destination: 10.0.10.50
  3. Permit IP Source: ANY Destination: ANY (Allow everything else on the network to function normally).
*Order matters! If you swapped Rule 1 and Rule 2, the Boss would be blocked, because the deny would match first. And without Rule 3, the implicit deny would block every other host on the network, not just the ones heading for HR.*
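
The first-match evaluation from section 4 and the HR-server list above, as an added Python example that is not part of the original chapter. The evaluator walks the list top-down, stops at the first match, and falls through to the implicit deny; the same code then runs the swapped-order list and the section 9 lock-out (a management ACL that permits HTTPS but forgot SSH, against a corrected one). The router management address 10.0.0.1, the admin subnet 10.0.5.0/24 and the sample packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Toy model of a stateless extended ACL: each rule names an action, a source and
# destination prefix, an optional protocol and destination port.  "any" stands
# for 0.0.0.0/0, as on most router CLIs.


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str = "ip"            # "ip" matches every protocol; otherwise "tcp"/"udp"
    dport: Optional[int] = None  # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0


def _net(spec: str) -> IPv4Network:
    return ip_network("0.0.0.0/0") if spec == "any" else ip_network(spec, strict=False)


def rule(action: str, src: str, dst: str, proto: str = "ip", dport: Optional[int] = None) -> Rule:
    return Rule(action, _net(src), _net(dst), proto, dport)


def matches(r: Rule, p: Packet) -> bool:
    """A rule matches only when every field it specifies agrees with the packet."""
    if ip_address(p.src) not in r.src or ip_address(p.dst) not in r.dst:
        return False
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if r.dport is not None and r.dport != p.dport:
        return False
    return True


def evaluate(acl: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """Walk the list top-down; the first matching rule decides.  If nothing
    matches, the implicit deny at the bottom fires (reported as index None)."""
    for i, r in enumerate(acl):
        if matches(r, p):
            return r.action, i
    return "deny", None


# The HR-server ACL in the order the chapter gives it.
HR_ACL = [
    rule("permit", "10.0.5.5/32", "10.0.10.50/32"),   # 1. the Boss may reach HR
    rule("deny",   "any",         "10.0.10.50/32"),   # 2. nobody else may
    rule("permit", "any",         "any"),             # 3. everything else flows normally
]
# Rules 1 and 2 swapped: the deny now shadows the Boss's permit.
SWAPPED_ACL = [HR_ACL[1], HR_ACL[0], HR_ACL[2]]

# Section 9's lock-out: a management ACL for the router (hypothetical address
# 10.0.0.1) that permits HTTPS but forgot SSH, beside the corrected version.
LOCKOUT_ACL = [rule("permit", "any", "10.0.0.1/32", "tcp", 443)]
SAFE_ACL = [
    rule("permit", "10.0.5.0/24", "10.0.0.1/32", "tcp", 22),   # admin subnet may SSH
    rule("permit", "any",         "10.0.0.1/32", "tcp", 443),
]

if __name__ == "__main__":
    boss = Packet("10.0.5.5", "10.0.10.50")
    intern = Packet("10.0.5.6", "10.0.10.50")
    print("boss   -> HR:", evaluate(HR_ACL, boss))        # ('permit', 0)
    print("intern -> HR:", evaluate(HR_ACL, intern))      # ('deny', 1)
    print("boss, swapped:", evaluate(SWAPPED_ACL, boss))  # ('deny', 0)
    ssh = Packet("10.0.5.5", "10.0.0.1", "tcp", 22)
    print("ssh, lockout:", evaluate(LOCKOUT_ACL, ssh))    # ('deny', None): implicit deny
    print("ssh, safe:   ", evaluate(SAFE_ACL, ssh))       # ('permit', 0)
```

The index in the result tells you which rule fired, which is the first thing to check when an ACL behaves unexpectedly: a hit on an earlier, broader rule (index 0 in the swapped list) means a later rule is being shadowed, and None means the packet fell all the way through to the implicit deny.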

11. Practice Exercises

  1. Explain the function of the "Implicit Deny" rule at the bottom of every Access Control List.
  2. Differentiate between using an ACL to block malicious data packets, versus using a Route Filter to block topological map updates.

12. MCQs with Answers

Question 1

In network routing security, what is the invisible rule automatically appended to the very bottom of every Access Control List (ACL)?

Answer: The implicit "Deny All": any packet that matches no explicit permit rule above it is dropped.

Question 2

Which global routing vulnerability occurs when an autonomous system falsely advertises ownership of IP addresses it does not actually control, causing global traffic to be maliciously misrouted?

Answer: A BGP Hijack (route hijack); RPKI with Route Origin Validation is the mitigation the industry is adopting.

13. Interview Questions

  • Q: Explain the mechanical process a router follows when evaluating an incoming packet against a sequential Access Control List. Why does rule order matter?
  • Q: Differentiate between securing the Data Plane and securing the Control Plane on an enterprise router. Provide one example for each.
  • Q: Describe the mechanics of a BGP Hijack and explain how the implementation of RPKI mitigates this threat on the internet backbone.

14. FAQs

Q: Does an ACL replace the need for a dedicated Firewall? A: No. A router ACL is "Stateless"; it judges each packet in isolation from a few header fields, so it cannot tell a reply belonging to a connection an inside host opened from an unsolicited packet arriving from outside. A stateful Firewall tracks connections and allows return traffic automatically, and next-generation firewalls and intrusion-prevention systems go further by inspecting the payload. ACLs are used for fast, coarse filtering at line rate; Firewalls are used for the deeper, context-aware security.

15. Summary

In Chapter 14, we transformed the router from a permissive forwarder into an active security checkpoint. We explored the rigid, top-down, first-match logic of Access Control Lists (ACLs), utilizing them to filter traffic based on IP addresses and TCP ports. We addressed the critical vulnerability of the Control Plane, emphasizing the necessity of OSPF authentication and explicit Route Filtering to prevent map corruption. Finally, we scaled our security awareness to the global internet, analyzing the mechanics of BGP Hijacking and the origin validation that RPKI makes possible.

16. Next Chapter Recommendation

We know how physical hardware routers secure traffic. But what happens when the routers don't physically exist? Proceed to Chapter 15: Cloud Networking and Routing.
