Protecting the Router Itself

There are a number of ways to provide physical security for a router. The
room that contains the router should be free of electrostatic or magnetic
interference. It should have controls for temperature and humidity. If deemed
necessary for availability or criticality reasons, an uninterrupted power supply
(UPS) should be installed and spare components and parts kept on hand.

To aid in protecting against some denial of service attacks, and to allow it
to support the widest range of security services, the router should be
configured with the maximum amount of memory possible.* Also, the router should
be placed in a locked room with access by only a small number of authorized
personnel. Finally, physical devices (e.g., PC cards, modems) used to connect to
the router require storage protection.

The operating system for the router is a crucial component. Decide what
features the network needs, and use the feature list to select the version of
the operating system. However, the very latest version of any operating system
tends not to be the most reliable due to its limited exposure in a wide range of
network environments. One should use the latest stable release of the operating
system that meets the feature requirements.

A router is similar to many computers in that it has many services enabled by
default. Many of these services are unnecessary and may be used by an attacker
for information gathering or for exploitation. All unnecessary services should
be disabled in the router configuration. A router provides a capability to help
secure the perimeter of a protected network. It can do this by itself.

A router can also be used as part of defense-in-depth approach as shown in
the diagram below. It acts as the first line of defense and is known as a
screening router. It contains a static route that passes all connections
intended for the protected network to the firewall. The firewall provides
additional access control over the content of the connections. It can also
perform user authentication. This approach is recommended over using only a
router because it offers more security.

Another approach is to position one router at the connection between the
local premises and the Internet, and then another router between the firewall
and the protected network. This configuration offers two points at which policy
can be enforced. It also offers an intermediate area, often called the
de-militarized zone (DMZ) between the two routers. The DMZ is often used for
servers that must be accessible from the Internet or other external network.