Chapter 9. Secure Routing and Antispoofing

This chapter covers both antispoofing and securing the routing protocol your routers use to exchange information. Antispoofing filters prevent external users from sending forged packets that act as if they come from your internal network. Many security controls use a packet’s source IP address to allow or deny access. By sending spoofed packets that look as if they originated on your internal network, attackers can manipulate or bypass these security controls.

Your routers use routing protocols to exchange information. This information determines where a router forwards a packet once it is received. A functional network requires correct routing information, so, minimally, an attacker can cause a denial-of-service (DoS) attack by inserting false routing information into your routers. A far more damaging attack can involve having all of your network traffic relayed through another system, possibly one controlled by the attacker or one that allows the attacker to bypass your firewall and intrusion detection systems. Protecting how routers exchange routing information is necessary to prevent such dangers.

Antispoofing

Antispoofing filters are usually implemented to protect the networks behind routers, but they are equally important in protecting the routers themselves. These filters keep people from attempting to spoof connections to your routers. They also prevent numerous attacks that, while not directed at the router, must pass ...
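The ingress filter described above can be sketched as a Cisco IOS access list. This is an added example, not configuration from the book; the internal prefix 192.0.2.0/24 (a documentation range), the interface Serial0/0 and the ACL name ANTISPOOF-IN are assumptions to replace with your own values.

```cisco
! Constructed example. Assumed values: internal network 192.0.2.0/24,
! external interface Serial0/0, ACL name ANTISPOOF-IN.
ip access-list extended ANTISPOOF-IN
 remark Packets arriving from outside must never claim an internal source
 deny   ip 192.0.2.0 0.0.0.255 any log
 remark Sources that are never valid on an Internet-facing link
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 remark Placeholder: replace with your normal inbound policy
 permit ip any any
!
interface Serial0/0
 description External (upstream) link
 ! Inbound ACLs are checked for traffic addressed to the router itself
 ! as well as traffic passing through it to the internal network.
 ip access-group ANTISPOOF-IN in
```

`show access-lists ANTISPOOF-IN` displays per-entry match counters, which shows whether spoofed packets are reaching the interface. The `log` keyword adds processing load for every matched packet, so it is worth reviewing on busy links.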
