10.07.2015 Views

Data Communications Networking Devices - 4th Ed.pdf


7.4 SECURITY DEVICES

to limit employees to accessing only other corporate locations, preventing inadvertent downloading of viruses from an anonymous FTP site. Thus, the ability to perform filtering on both inbound and outbound traffic can enhance the ability of network managers to control communications.

Router access

Since access to the configuration capability of a router controls its filtering capability, it is important to control such access. All too often persons forget to change the default login password, which can result in a hacker easily taking control of your router. Most routers provide access control not only via a console port but also via Telnet and SNMP. This means that a person who knows or stumbles upon the IP address of an interface of the router can, via Telnet or SNMP, first try some common default passwords to gain access to the router's console capability. To prevent this situation from occurring, you should consider disabling such access. If you need the ability to remotely configure a router, you should change the default password. In doing so, you should use an alphanumeric string instead of a common name to prevent a dictionary attack. Many hackers purchase or otherwise acquire an electronic dictionary and write a program to try each entry in an attempt to break into routers and servers. Although such passwords as 'heather', 'administration', 'bozo', and 'georgia' might be easy to remember, they would all fail under a dictionary attack. Thus, adding numerics to a name precludes the ability of a dictionary attack to be successful.

Now that we have an appreciation for the level of security afforded by the packet filtering capabilities of routers, let's discuss why you may wish to consider additional security in the form of a firewall by examining some common threats routers cannot prevent.

Threats not handled

There are numerous security threats that the packet filtering capability of routers cannot control. Table 7.11 lists six common threats, presented in alphabetical order, that can result in security-related problems that a router cannot detect. Although you could use a router's filtering capability to bar access to an FTP server, you cannot selectively control different FTP commands. Thus, the use of unauthorized commands would represent an all-or-nothing issue when working with router filters. To provide an additional level of security beyond packet-level filtering, organizations commonly turn to the use of a firewall.

Firewalls

Unlike a router, which simply passes packets from one interface to another, firewalls include a proxy service capability which results in IP packets being barred from directly passing from input to output destinations. Instead, the firewall obtains the
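The all-or-nothing limitation described under "Threats not handled", set beside the per-command control a proxy can apply, as an added example that is not from the book. The read-only policy, the function names and the sample session are assumptions made for illustration; the command verbs and reply codes are those of RFC 959.

```python
# Added illustration (not from the book): packet filter versus FTP-aware proxy.
FTP_CONTROL_PORT = 21

def packet_filter_permits(dst_port, blocked_ports):
    """Router-style decision: only header fields are visible, so FTP as a
    whole is either permitted or barred."""
    return dst_port not in blocked_ports

# Hypothetical read-only policy; verbs are RFC 959 commands.
ALLOWED_COMMANDS = {"USER", "PASS", "PWD", "CWD", "TYPE", "PASV",
                    "LIST", "NLST", "RETR", "NOOP", "QUIT"}

def parse_command(line):
    """Return the upper-cased verb of one control-channel line, or None."""
    if not line.endswith(b"\r\n") or len(line) > 512:
        return None
    try:
        text = line[:-2].decode("ascii")
    except UnicodeDecodeError:
        return None
    if "\r" in text or "\n" in text:
        return None  # more than one command packed into a single line
    verb = text.split(" ", 1)[0].upper()
    return verb if verb.isalpha() and 3 <= len(verb) <= 4 else None

def proxy_decision(line):
    """Proxy-style decision: ('forward', line) or ('reject', reply to client)."""
    verb = parse_command(line)
    if verb is None:
        return ("reject", b"500 Syntax error, command unrecognized.\r\n")
    if verb not in ALLOWED_COMMANDS:
        return ("reject", b"550 Command not permitted by policy.\r\n")
    return ("forward", line)

def filter_session(lines):
    """Return (verb, action) for every line of a control session."""
    return [(parse_command(l), proxy_decision(l)[0]) for l in lines]

# Constructed sample session, not captured traffic.
SAMPLE_SESSION = [b"USER anonymous\r\n", b"retr report.txt\r\n",
                  b"STOR tool.exe\r\n", b"DELE report.txt\r\n",
                  b"RETR a\r\nDELE b\r\n", b"QUIT\r\n"]

if __name__ == "__main__":
    print("router, port 21 open:", packet_filter_permits(FTP_CONTROL_PORT, set()))
    for verb, action in filter_session(SAMPLE_SESSION):
        print(f"{verb!s:5} -> {action}")
```

The packet filter returns one answer for the whole service, while the proxy forwards the retrieval commands and rejects the upload, delete and malformed lines of the same session.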
