Badly configured routing compromises security

(06/10/2009)

According to Network Box, high volumes of company data are being mistakenly routed round company networks, compromising their effectiveness and security.

In the second in its ‘Forgotten Security’ series of advisory papers, ‘The Hole in the Wall’ Network Box examines how simple mistakes result in data being regularly routed incorrectly by IT teams, leaving holes in network security. The paper investigates some of the most common errors made, and gives advice on how to prevent them.

Written by Network Box’s Internet Security Analyst, Simon Heron, ‘The Hole in the Wall’ includes analysis of some of the most common situations of badly configured routing:

1. Triangular routing. This is where the path that data takes to arrive at a workstation is different from the path it takes back to the originator. If only the returning data path goes through a connection tracking firewall, the firewall will block it, as it sees no record of the originating data packet. IT teams will often ‘fix’ this block by disabling the connection tracking, which compromises security. However, the problem can be very simply fixed, by routing all data through the firewall.

2. Firewalls implementing Proxy ARP (address resolution protocol). If a machine is mistakenly connected directly to a router, bypassing the firewall, it may respond to a relevant ARP requests from the router, that should be answered only by the firewall. This means the router gets more than one response to its request, which can result in self-imposed denial of service attacks. This often happens in busy server rooms, where connections are not labelled correctly.

3. Misdirected packets. In larger networks, data packets are routed to optimise speed and loading. But if these are mis-configured so that all packets go the same way, then that path can become seriously overloaded, creating a bottleneck.

4. Virtual Local Area Networks (VLAN). It is becoming increasingly common for VLAN switches to be mis-configured to allow traffic to go straight to the VLAN, bypassing the firewall. This should be simple to check – a good firewall will be able to show the traffic passing through it in real time, so the IT manager can check the settings on the switch. It is also important these days that the VLAN switch is configured and maintained properly, and is updated with the latest patches. This is a very common omission as switches have not previously required this level of attention. The paper gives a number of example situations of mis-configured VLAN switches, and how to avoid them.

Simon Heron says: “As networks grow, routing becomes more complex. It is increasingly important for IT teams to understand where data is going on the network. Too many IT managers have got their systems to work by trial and error, and either forget about it if it appears to be working, or are scared to make changes in case it stops working. Routing is the invisible and forgotten hole in the firewall.”

‘The Hole in the Wall’ guide to routing is available free to download, from Network Box’s website.

Related topics:  Firewall   Internet and Web security   Network Security   Security management and policies   VPN 

Print version | Email to a friend | Related articles

Data breaches: Trends, costs and best practices gives you all the latest information on securing personal and corporate data, key recommendations for immediate action to improve data security, and how to respond to data breaches.

Other Security news and resources