Access Controls
Authentication deals with the who of security policy enforcement; access
controls enforce the what and how.
ACLs on Routers
Routers perform the major task of
directing network traffic, either to subnetworks they control or to other
routers for subsequent delivery to other subnetworks. When a router delivers a
packet onto a subnetwork to which it is directly attached, it resolves the
destination IP address to the MAC address of the receiving host on that local
subnetwork (on IP networks, by means of ARP).
Suppose a host is being spammed
(flooded) with packets from a malicious rogue host. Routers can be configured
with access control lists (ACLs) that deny traffic from particular source
hosts to particular destination hosts. So a router could drop every packet
whose source address is the rogue host and whose destination address is the
target host.
This approach has three problems,
however. First, routers in large networks perform a lot of work: They have to
handle every packet coming into and going out of the network. Adding ACLs to the
router requires the router to compare every packet against the ACL entries,
in order, until one matches. One entry adds work, degrading the router's
performance; as more entries are added, the router's performance may become
unacceptable. The second problem is also an efficiency issue: Because of the
volume of work they perform, routers are designed to perform only essential
services. Logging of activity is usually not done on a router because of the
volume of traffic and the performance penalty logging would entail. With ACLs,
it would be useful to know how many packets each entry was dropping, so as to
know whether a particular entry could be removed (thereby improving
performance). But without logging or per-entry counters it is impossible to
know whether an ACL entry is still being used. These two problems together
imply that ACLs on routers are most effective against specific known threats
but that they should not be used indiscriminately.
The final limitation on placing
ACLs on routers concerns the nature of the threat. A router ACL inspects only
packet header fields, chiefly the source and destination addresses (extended
ACLs can also match the protocol and port numbers), never the packet's
contents. An attacker will usually not reveal an actual source address. To
reveal the real source address would be equivalent to a bank robber's leaving
his home address and a description of where he plans to store the stolen
money.
Because the source address of an IP
packet can be forged, and UDP involves no handshake that would expose the
forgery, many attacks use UDP with false source addresses so that the attack
cannot be blocked easily by a router with an ACL. Router ACLs are useful
against such traffic only if the attacker sends many datagrams with the same
forged source address, or if the forged addresses fall in a range that should
never appear on that interface (for example, internal addresses arriving from
the outside), which can be denied as a whole.
In principle, a router is an
excellent point of access control because it handles every packet coming into
and going out of a subnetwork. In specific situations, primarily for internal
subnetworks, ACLs can be used effectively to restrict certain traffic flows,
for example, to ensure that only certain hosts (addresses) have access to an
internal network management subnetwork. But for large-scale, general traffic
screening, routers are less useful than firewalls.
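The following simulation is an added example, not code from the book or from any router vendor; it models the first-match, implicit-deny behaviour of a router ACL in Python so the three points above can be seen on sample traffic. The topology (a target host 192.0.2.10, a management subnetwork 10.0.99.0/24, an administrator host 10.0.1.5, a rogue host 203.0.113.7), the ACL entries and the packets are all constructed for the example and use documentation address ranges. The per-entry hit counter and the comparison counter are the bookkeeping that a real router usually does not keep; they show which entries are dead weight and how much work each packet costs, and the spoofed flood shows why a deny keyed on the attacker's source address does nothing once that address is forged.

```python
from ipaddress import ip_address, ip_network


class AclEntry:
    """One access-list entry: permit or deny traffic from a source prefix to a destination prefix."""

    def __init__(self, action, src, dst):
        assert action in ("permit", "deny")
        self.action = action
        self.src_net = ip_network(src)   # "0.0.0.0/0" matches any source
        self.dst_net = ip_network(dst)
        self.hits = 0                    # per-entry match counter: what a router without logging cannot tell you

    def matches(self, src_ip, dst_ip):
        return ip_address(src_ip) in self.src_net and ip_address(dst_ip) in self.dst_net


class RouterAcl:
    """Ordered access list with first-match semantics and an implicit deny at the end."""

    def __init__(self, entries):
        self.entries = list(entries)
        self.comparisons = 0        # entries examined in total: the per-packet cost the ACL adds
        self.implicit_denies = 0    # packets that matched nothing and hit the implicit deny

    def filter(self, src_ip, dst_ip):
        """Return "permit" or "deny" for one packet, walking the entries in order."""
        for entry in self.entries:
            self.comparisons += 1
            if entry.matches(src_ip, dst_ip):
                entry.hits += 1
                return entry.action
        self.implicit_denies += 1
        return "deny"

    def unused_entries(self):
        """Entries that never matched: candidates for removal to cut per-packet work."""
        return [e for e in self.entries if e.hits == 0]


def build_acl():
    """Hypothetical ACL for a router in front of target host 192.0.2.10 and management subnet 10.0.99.0/24."""
    return RouterAcl([
        AclEntry("deny",   "203.0.113.7/32",  "192.0.2.10/32"),  # known rogue host -> target
        AclEntry("deny",   "203.0.113.99/32", "192.0.2.10/32"),  # stale entry for a rogue that is no longer active
        AclEntry("permit", "10.0.1.5/32",     "10.0.99.0/24"),   # only the admin host reaches the management subnet
        AclEntry("deny",   "0.0.0.0/0",       "10.0.99.0/24"),   # everyone else is kept off it
        AclEntry("permit", "0.0.0.0/0",       "0.0.0.0/0"),      # all remaining traffic passes
    ])


def evaluate(acl, packets):
    """Run (src, dst) address pairs through the ACL; return (permitted, denied) counts."""
    permitted = denied = 0
    for src, dst in packets:
        if acl.filter(src, dst) == "permit":
            permitted += 1
        else:
            denied += 1
    return permitted, denied


# Constructed sample traffic for the example (not captured data).
ROGUE_FLOOD = [("203.0.113.7", "192.0.2.10")] * 50                          # rogue uses its real address
SPOOFED_FLOOD = [(f"198.51.100.{i}", "192.0.2.10") for i in range(1, 51)]   # same flood, forged sources
OTHER_TRAFFIC = [
    ("10.0.1.5", "10.0.99.1"),    # admin host -> management subnet: permitted
    ("10.0.1.6", "10.0.99.1"),    # other internal host -> management subnet: denied
    ("192.0.2.5", "192.0.2.10"),  # ordinary traffic to the target: permitted
]

if __name__ == "__main__":
    acl = build_acl()
    print("rogue flood   (permitted, denied):", evaluate(acl, ROGUE_FLOOD))    # (0, 50)
    print("spoofed flood (permitted, denied):", evaluate(acl, SPOOFED_FLOOD))  # (50, 0): ACL is blind to forged sources
    print("other traffic (permitted, denied):", evaluate(acl, OTHER_TRAFFIC))  # (2, 1)
    print("entries examined for 103 packets:", acl.comparisons)
    print("unused entries:", [(e.action, str(e.src_net), str(e.dst_net)) for e in acl.unused_entries()])
```

Two things are worth noticing in the output. The spoofed flood costs the router five comparisons per packet and is still permitted, because nothing in the header identifies the real sender; and the stale entry shows up with zero hits only because the simulation counts matches, which is exactly the information an unlogged router ACL does not give you.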
Firewalls
A firewall is designed to do the
screening that is less appropriate for a router to do. A router's primary
function is addressing (forwarding), whereas a firewall's primary function is
filtering. Firewalls can also do auditing. Even more important, firewalls can
examine an entire packet's contents, including the data portion, whereas a
router's filtering is limited to header fields such as the source and
destination IP (and, on the local subnetwork, MAC) addresses. Because they
are an extremely important network security control, we study firewalls in an
entire section later in this chapter.