Protecting Your Network Edge: Now for the Bad News

As the saying goes, there are no free lunches.

Over a number of previous posts I’ve written about securing the edge of your network, protecting both you and your external peering neighbors from malicious attack and from damaging configuration errors; I’ve written about everything from basic best practices to bogon filtering to source filtering to spiffy tools like uRPF and TTL hacks.

It seems like there’s always a “But…”, so here’s the big But in the room: Many of the tools and configurations I’ve discussed can involve a performance tradeoff, and some can introduce security vulnerabilities. Even the ones that are supposed to be securing your network.

The problem is software-based processing. Any function that needs to interrupt the control plane CPU is going to negatively affect the performance of the router if it interrupts often enough.

So if filters become complex and must examine a bunch of different packet parameters, they can slow your router’s throughput – sometimes significantly. And if authentication is done at the control plane, a flooding attack against BGP can cause big problems. In the previous post I wrote about a TTL hack that can protect against such attacks, but what if the packet TTL checks are themselves happening in software? Then you’ve just exchanged one vulnerability for another.

The bottom line is, the problems all these procedures and functions prevent are more prevalent than the problems they might cause, so you should use them regardless. An unauthenticated BGP port is more of a risk than the possibility of a flooding DoS attack; accepting or advertising the wrong prefixes due to a configuration error can cause you more severe headaches than reducing throughput on your edge router.

The more of these functions that your router can do in hardware – that is, perform the processing in silicon at the forwarding plane rather than in software at the control plane – the more you can reduce or eliminate the tradeoff between performance and risk reduction. You don’t eliminate tradeoffs, you just shift them: The price you pay for high performance and low risk is literally a price, in cold cash. Hardware-based routers are substantially more expensive than software-based routers.

You need to be aware too that just because a router does filtering and forwarding in hardware, it does not necessarily mean that it also does things like authentication and uRPF in hardware. Check with your vendor, and verify in the lab.


Copyright © 2007 IDG Communications, Inc.
