The Importance of Routers
Clients and servers use Ethernet broadcasts (ARP requests, service announcements and the like) to find each other on a LAN segment. Those same broadcasts let a malicious user on the segment enumerate clients and servers without scanning the network. Routers do not forward Ethernet broadcasts, so placing a router between segments bounds the broadcast domain and removes that free reconnaissance. In addition, network admins can add access control lists (ACLs) to most routers to further limit which computers can communicate with one another.
Limitations of Routers
Traditional router ACLs are stateless: they judge each packet on its own and do not perform the stateful packet inspection that firewalls do. This makes protocols such as FTP, which open a second data connection on a negotiated port, hard to control with any precision, and it means an ACL cannot tell in which direction a session was opened. If destination port 80 is allowed inbound to a data center, the replies (source port 80, outbound) must be allowed as well, and that reply rule also lets a server in the data center originate its own outbound session from source port 80. The "established" keyword offered by some router ACLs only checks that the TCP ACK or RST bit is set, which a crafted packet can do, so it is not a substitute. A firewall, in contrast, records a session when it is opened on one side and accepts reply packets on the other side only for sessions it has recorded.
Vidder's Router Recommendations
Vidder recommends limiting L2 switching (bridging) among client devices to groups of no more than 250 clients. Routers are then used to network among the groups. However, because a firewall is essentially a router with additional functionality, a better solution is to make the router a firewall that alerts the infosec team whenever traffic passes from one client to another. Legitimate client-to-client traffic is rare, so such traffic is often malicious, for example lateral movement after a compromise.
Vidder further recommends placing all servers in data centers, creating fine-grained zones of trust with VLANs, and routing between those zones through a firewall. The firewall should be configured with rules that permit only the necessary ports to flow between zones of trust, and only in the direction in which sessions are meant to be opened. Host-based firewalls on the servers themselves can then enforce still finer-grained rules.
A more modern implementation would use software-defined networking (SDN) to build the same architecture.
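The following Python simulation is an added illustration, not Vidder's code or any product's, of the two points made above: the directional weakness of a stateless router ACL described under Limitations of Routers, and the stateful zone-to-zone policy (with client-to-client alerting) recommended here. The zone names, address ranges, ports and the sample packets are all assumed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a TCP session


# Assumed zones of trust (addresses are illustrative, not from the page).
ZONES = {
    "clients": ip_network("10.10.0.0/16"),   # client VLANs
    "web":     ip_network("10.20.1.0/24"),   # data-center web tier
    "db":      ip_network("10.20.2.0/24"),   # data-center database tier
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything unknown is untrusted."""
    for name, net in ZONES.items():
        if ip_address(addr) in net:
            return name
    return "untrusted"


def stateless_acl(pkt: Packet) -> bool:
    """Router-style ACL: every packet is judged alone.

    To let clients reach the web tier on port 80 the admin must also permit
    the replies (source port 80 back to clients). That reply rule cannot tell
    a reply from a brand-new session the server starts from source port 80.
    """
    src_z, dst_z = zone_of(pkt.src), zone_of(pkt.dst)
    if src_z == "clients" and dst_z == "web" and pkt.dport == 80:
        return True
    if src_z == "web" and dst_z == "clients" and pkt.sport == 80:
        return True  # meant for replies, but also matches server-initiated sessions
    return False


# Assumed zone policy: only the necessary destination ports, in one direction.
POLICY = {
    ("clients", "web"): {80, 443},
    ("web", "db"): {5432},
}


class StatefulFirewall:
    """Firewall between zones: a session must be opened in a permitted
    direction before reply packets are accepted the other way."""

    def __init__(self) -> None:
        self.sessions: set = set()   # (src, sport, dst, dport) of open sessions
        self.alerts: list = []       # client-to-client attempts for the infosec team

    def accept(self, pkt: Packet) -> bool:
        src_z, dst_z = zone_of(pkt.src), zone_of(pkt.dst)
        # Reply to a session that was opened in the permitted direction?
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return True
        # Clients should never talk to each other directly: drop and alert.
        if src_z == "clients" and dst_z == "clients":
            self.alerts.append(
                f"client-to-client {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return False
        # New session: only if the zone pair and destination port are in the policy.
        if pkt.syn and pkt.dport in POLICY.get((src_z, dst_z), set()):
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False


# Constructed traffic sample (not captured data).
PACKETS = [
    Packet("10.10.5.7", 51000, "10.20.1.10", 80, syn=True),    # client opens HTTP to web
    Packet("10.20.1.10", 80, "10.10.5.7", 51000),              # web replies
    Packet("10.20.1.10", 80, "10.10.5.9", 4444, syn=True),     # web server dials out from port 80
    Packet("10.10.5.7", 51001, "10.10.5.9", 445, syn=True),    # client-to-client SMB
    Packet("10.20.1.10", 40000, "10.20.2.5", 5432, syn=True),  # web tier opens DB session
    Packet("10.10.5.7", 51002, "10.20.2.5", 5432, syn=True),   # client goes straight to DB
]


def run_demo(packets=PACKETS) -> dict:
    """Run the same traffic through both filters and collect the verdicts."""
    fw = StatefulFirewall()
    return {
        "stateless": [stateless_acl(p) for p in packets],
        "stateful": [fw.accept(p) for p in packets],
        "alerts": fw.alerts,
    }


if __name__ == "__main__":
    for name, verdicts in run_demo().items():
        print(name, verdicts)
```

The third packet is the failure mode described under Limitations of Routers: the stateless ACL passes it because source port 80 toward the clients is permitted, while the stateful firewall drops it because no session was opened from the client side. The fourth packet is dropped and recorded for the infosec team. The stateless ACL in this example encodes only the client/web rules, so it also drops the web-to-database session that the zone policy permits.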