Routers Summary

From: John L. MacFarlane (john@rome.software.com)
Date: Wed Jun 16 1993 - 16:05:26 CDT


Ok folks, summary time:

My original post requested information about "good" routers and the security
concerns which should accompany a connection to the Internet. Also, I asked
if anyone was aware of encrypting routers which could pass private traffic
between cooperating sites on the Internet.

First I will treat the subject of security concerns with an Internet
access point (as this affects the discussion of "good" routers):

(I will not append the responsible person's name for each passage and will
intersperse my comments along with those of the informative people who
took the time to reply to my query)

An internet link is not really more susceptible to interception than a
dedicated leased line. A lot of folks get concerned about the fact that
there are lots of indeterminate routing points inside the Internet
"cloud" where someone might be listening, but...

1. It is essentially impossible to determine when and what path a TCP/IP
    transfer will take (the latter of course assumes that more than one path
    is available, which would be the case in any scenario except the point-
    to-point link from your site to your provider).

2. Even if you can determine the path, routed information doesn't enter
    the networks of intermediate routing points (unless the routers have
    been modified), so the only way to intercept the information is to
    tap the line at some point external to the router (between the router
    and the CSU/DSU, or somewhere on the leased line itself).

Assuming that (1) and (2) hold true, the eavesdropper is most likely going
to attack your data from the inside, or try to tap the line as it leaves
your site--something he can do whether your WAN connection is a dedicated
point-to-point or an Internet connection.

Another tip: DON'T run NIS on the machine that connects to the
Internet. This keeps your passwords and other info off the wire.

I would not take this issue lightly. It is becoming a real concern.
In the two years I have been at this job, I have seen 4 separate
incidents of hacker activity on my systems. One resulted in real
system performance problems that could only be cured quickly
by fully reinstalling the OS.

Recently, we have been hosting (unbeknownst to us) a very hefty load
of illegal PC software trading on our anonymous ftp server. This
activity was so rampant that our only solution was to reduce anonymous
ftp activity to read only with no write access except through
sys admins.

The tools for protection from these kinds of abuses are not very good.
The issue demands some constant attention (watching log files, and the
like), and is a huge waste of time. After a break in occurs, you can
count on spending at least a few weeks, full time, responding to the
emergency.

The only advice I can give is to install all the security packages you
can find, and then be constantly diligent. And then to keep a
low profile with the outside world. If your system becomes known
to the people who do this kind of activity, you can count on never
ending problems.

Yet connection to the net can quickly become a necessity. So, the option
of cutting oneself off becomes non-existent once the users start utilizing
the network resources. Hence, there is no good solution, at this point.

Check out the paper on router insecurity from the USENIX Security 3
Symposium (Sept 92). The paper is titled, "Network (In)Security Through IP
Packet Filtering," by D. Brent Chapman.

[** This is available at GreatCircle.com ??? and it is worth the time
spent reading (IMHO).**]

It's worth at least being aware of the issues and consciously
deciding if they're appropriate concerns or not.

The CERT encourages system managers, site network managers, and
regional network providers to take the time to understand packet
filtering issues. Due to the flaws in several TCP/IP services, a site
must be able to restrict external access to these services. Sites
should consider purchasing programmable routers. Network providers
should offer packet filtering as a service option.

Because of flaws in their protocol or chronic system administration
problems, the CERT recommends that the following services be filtered:

        DNS zone transfers - socket 53
        tftpd - socket 69
        link - socket 87 (commonly used by intruders)
        SunRPC & NFS - socket 111 and 2049
        BSD UNIX "r" cmds - sockets 512, 513, and 514
        lpd - socket 515
        uucpd - socket 540
        openwindows - socket 2000
        X windows - socket 6000+

The CERT also suggests that sites filter socket 53, which will prevent
domain name service zone transfers. Only permit access to socket 53
from known secondary domain name servers. This will prevent intruders
from gaining additional knowledge about the systems connected to your
local network.

The X windows sockets range from socket 6000 plus the highest number of
X terminals on the same host.
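To make the filtering list above concrete, here is a small Python policy evaluator added to this summary (it is not from the original post and not CERT's code). It encodes the quoted port list, the "port 53 only from known secondaries" rule, and the X display range; the secondary-server address, the number of X terminals and the sample packets are all constructed values for illustration.

```python
# Added example: border packet-filter policy built from the CERT port list
# quoted in the summary. All addresses and counts below are constructed.

KNOWN_SECONDARIES = {"192.0.2.53"}   # constructed: our secondary DNS server
NUM_X_TERMINALS = 4                  # assumed: X terminals on the busiest host

# Ports CERT recommends filtering (tftpd, link, SunRPC/NFS, BSD "r" cmds,
# lpd, uucpd, openwindows). Port 53 is handled separately below.
BLOCKED_PORTS = {69, 87, 111, 2049, 512, 513, 514, 515, 540, 2000}


def x_display_ports(n_terminals):
    """X servers listen on 6000 + display number, one display per terminal."""
    return set(range(6000, 6000 + n_terminals + 1))


def filter_inbound(src, dport, secondaries=KNOWN_SECONDARIES,
                   x_terminals=NUM_X_TERMINALS):
    """Return (verdict, reason) for an inbound packet to destination port dport."""
    if dport == 53:
        # Zone transfers: permit port 53 only from known secondary name servers.
        if src in secondaries:
            return "permit", "port 53 from known secondary"
        return "deny", "port 53 only permitted from known secondaries"
    if dport in BLOCKED_PORTS:
        return "deny", "CERT-listed service on port %d" % dport
    if dport in x_display_ports(x_terminals):
        return "deny", "X windows display port %d" % dport
    return "permit", "no filter rule matched"


def audit(packets):
    """Run the policy over (src, dport) records; return the denied ones."""
    denied = []
    for src, dport in packets:
        verdict, reason = filter_inbound(src, dport)
        if verdict == "deny":
            denied.append((src, dport, reason))
    return denied


# Constructed sample traffic: a zone transfer from our secondary, a zone
# transfer from a stranger, a TFTP probe, an X display probe, and SMTP.
SAMPLE_PACKETS = [
    ("192.0.2.53", 53),
    ("198.51.100.7", 53),
    ("198.51.100.7", 69),
    ("198.51.100.7", 6002),
    ("198.51.100.7", 25),
]

if __name__ == "__main__":
    for entry in audit(SAMPLE_PACKETS):
        print("deny %s -> port %d: %s" % entry)
```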

If the site does not need to provide other services to external users,
those other services should be filtered. For example, CERT filters
telnet connections when all of its members are [not?] in the office. We also
filter ftp connections to all systems except to cert.org, which is used
as an archive system via anonymous ftp.

We recently handled an incident that involved automated TFTP attempts.
Many of the systems affected were using the TFTP daemon to boot X
terminals locally. Filtering TFTP connections would have protected
these sites from this attack.

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in FIRST (Forum of Incident
Response and Security Teams).

Internet E-mail: cert@cert.org
Telephone: 412-268-7090 (24-hour hotline)
           CERT personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4),
           on call for emergencies during other hours.

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

Past advisories, information about FIRST representatives, and other
information related to computer security are available for anonymous FTP
from cert.org (192.88.209.5).

As to security, you should download some of the docs from the CERT site
at CMU and read carefully. Get the "dragon" paper.

You would be well-advised to check out the mailing list "firewalls" --
it specifically deals with many issues directly related to what you
are about to do. The archives for firewalls will contain info on
routers, and a whole lot more. (Send a message saying "subscribe
username@host.domain" to Majordomo@GreatCircle.COM )
 
[** There seems to be more mail about what is proper on the mailing
list than talk about the mailing lists subject matter**]

The Internet is the entire world, or at least a goodly portion of it.
The safe assumption is that at some point, someone will send packets your
way whose contents could best be described as "malicious". I would
*strongly* suggest, that since you have just advertised your site as being
about to join the internet, and non-paranoid, that you exercise moderate
to extreme paranoia *before* connecting -- there are individuals who would
see your sun-managers submission as an open invitation to crack your site.
Specific suggestions are: set up a firewall machine (or perhaps router),
get COPS, get any of the site security documents, start reading the
security newsgroups, and generally make yourself aware of the issues
involved.

As far as security, the Cisco MGS is almost foolproof. We currently have it
set up so that any inbound TCP/IP/ICMP/UDP connection requests are
refused, yet our users on this side can still get out using FTP, TELNET,
NSLOOKUP, etc. Also, mail in/out is always passed through.

We use a Telebit NetBlazer as our Internet "firewall." The method
for filtering out higher port numbers to prevent telnet access, etc.
is spelled out as an example in the docs. Not too hard to pull off.
You can still allow telnet access to selected sites.

[** This is *NOT* a firewall. A firewall (my opinion) is a dual homed
host with ip-forwarding disabled. In addition people usually have
filtering routers on top of a firewall. **]

Most good routers will allow for packet filtering along various lines.
I guess it's a matter of what sort of security you want. Do you want
to completely lock off from the world? Or have one machine that can
talk to the world? Or have one machine thru which everyone can talk
to the world (a la DEC, gatekeeper.dec.com)?

On the routers alone:

I have had uniformly good experiences with several models
of Cisco boxes, at JPL, Caltech, and Xerox. Workhorses all.
They route IP, AppleTalk, DECnet, XNS at least, plus
probably several others.

When I was on the Caltech campus, we also used Proteon
boxes. They seemed to be up as much as the Ciscos. They
route at least IP and DECnet, probably several others.

For AppleTalk, I've used a couple of GatorBoxes. As long
as you use them strictly for AppleTalk (and/or AppleTalk-in-IP
tunneling) they work great, but the NFS-to-AFS and lpr-to-PAP
features cause them to crash constantly.

For throughput, I think the Cisco boxes currently beat out
the Proteons.

We have ~150 hosts on our network, connected to DDN via a Cisco MGS
router. While this router is a little slow for my tastes, it works
wonderfully as far as translating X.25 packets. We are currently
submitting the paperwork to buy a faster router, such as an AGS+
or a Cisco 3000.

If you're doing it on your own, I'd have to recommend a NetBlazer
(there are several models) from Telebit. Right now we have one
that is doing all of the following:
* Serving a pool of 10 dialup modems
* Running a dynamic slip line to another NB and a remote PC running some
library software that requires "a direct internet line".
* Routing between all of the above, the Net at large, and five Suns
internally, on thinnet and twisted pair.

The configuration and setup for a NetBlazer is simple, and as we move
towards ISDN and fiber networks, I'm going to continue to recommend
them. The one sitting to my left could support three or four network
interfaces and about 30 modems, and it only cost us about 3k.

We use Cisco AGS+ routers. Good expandability, solid support. Very
high speed. Cisco-supported ftp site for software/upgrades. Multi-protocol,
multiple-physical-media support. ...kinda expensive, but you get what you
pay for.

The internet people as well as ourselves use Proteon and Wellfleet routers.
Wellfleet are more bang for your buck....Don't use Cisco; they are overpriced
and their service (censured)!!

Granted I've only been exposed to Proteon routers. But I think
they're pretty good. I STILL prefer a Sun with a couple of enet
boards, but hey, some of the old habits are hard to break! :-)
But after seeing how our product works, I'm actually impressed.
We use one of our CNX500 routers as our internet connection to
NEARnet. A couple of years ago we had some hackers poke around
some of our machines so we sealed ourselves up tight. The router
has a full complement of access controls on it now, so I can
allow out everything, nothing at all, or just what I want (which
is how it is). The same goes for incoming.

I am a researcher at the Fraunhofer-Institute IAO in Stuttgart, Germany. Part
of my job is currently also a redesign of our LAN (about 500 machines,
including Sun, DEC, HP, IBM, SGI, Mac, PCs). Today, our network is
connected by bridges and repeaters (yes, it sounds ugly). From checking on the
market what's available, I can see three vendors of routers whose products
are fairly capable, who won't go out of business soon, and who provide good
support (from what I heard from colleagues at German universities). These
three companies are Cisco, Wellfleet, and Retix.

Cisco has two large routers: the AGS+ and the new Cisco/7000 (which is kinda
expensive). Both are supposed to support ATM interfaces in the future. The
pricing for a machine of the size we need (AGS+) with 12 Ethernet interfaces,
4 serial lines (max. 64kbit/s) and routing software is around $63000. (note
that I have offers in DM, not US$, so the $ figures are estimates).

Wellfleet has a number of routers in different sizes. We would probably use
the Concentrator Node (CN) which is in the same price range, maybe a bit
cheaper.

Retix offers the Retix/7000 with only a limited number of slots. However,
two systems connected via FDDI (meeting the 12 Ether + 4 serial requirement)
amount to about the same price as the single Cisco or Wellfleet router.
I have yet to get some more information on their performance before I can
really make a decision.

Right now, I tend to take Cisco because I had good experience with the AGS+,
not only regarding performance, also management.

And finally, on the encrypting routers:

There seem to be two products available:

Yes, as a matter of fact, the NetBlazers can be configured to use a
cryptographic handshake between sites. There would need to be a NB on each
end, though...

[*** To my limited knowledge this crypto is only on the initial handshaking
for modem connections, not packets ***]

The UUNET Lan Guardian is the first in a family of network
security products from UUNET Technologies, Inc., of
Falls Church, VA. The Lan Guardian is a hardware security
solution designed for companies that wish to benefit from
the cost savings of using Commercial Internet Service
providers (such as UUNET's AlterNet IP service) but are
concerned about the security of their confidential data
once it leaves their facility.

What does it do?

The Lan Guardian addresses those concerns by "splicing"
into the connection between the company's Ethernet and
external router and encrypting all data sent between company
networks, while also (optionally) allowing connections to
non-company facilities to continue without encryption.
Operation of the Lan Guardian is totally transparent to
network users and is simple for network administrators to
manage. Full configuration support is provided.

The Lan Guardian selectively encrypts or decrypts each packet
based on the information in the packet header. Only the data
portion of the packet is encrypted, thereby allowing the packet
to be transmitted with normal routers. The Lan Guardian may
also be configured to block selected or all external traffic
as well as to use a different key for each network.

Existing AlterNet customers may purchase the Lan Guardian now
for US$6,000 or optionally lease for $500/month. The Lan Guardian
carries a one year hardware and software warranty.

Check with Semaphore Communications Corp in Santa Clara, California.
Telephone Number (408) 980-7767. They claim their encryption boxes can
support full ethernet speeds using public key and DES encryption.

That's all folks, so... till next time.

Thanks for your input (those of you that recognize your replies)!
Any comments are welcome.

John MacFarlane
john.macfarlane@software.com



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:07:56 CDT