Specifications
Page 111 / 148
3.5  Security  
3.5.1  Firewall Filters 
Firewall filters allow you to filter packets based on their contents and to perform 
an action on packets that match the filter. Depending on the hardware 
configuration of the router, you can use firewall filters for the following purposes: 
§  On all routers, you can control the packets destined to or sent by the 
Routing Engine. 
§  On routers equipped with an Internet Processor II ASIC only, you can 
control packets passing through the router. 
You can use the filters to restrict the packets that pass from the router's physical 
interfaces to the Routing Engine. Such filters are useful in protecting the IP 
services that run on the Routing Engine, such as Telnet, SSH, and BGP, from 
denial-of-service attacks. You can define input filters, which affect only inbound 
traffic destined for the Routing Engine, and output filters, which affect only 
outbound traffic sent from the Routing Engine.  
With the Internet Processor II ASIC, you can also use filters on traffic passing 
through the router to provide protocol-based firewalls, to thwart denial of service 
(DoS) attacks, to prevent spoofing of source addresses, and to create access 
control lists. (To determine whether a router has an Internet Processor or an 
Internet Processor II ASIC, use the show chassis hardware command.) You can 
apply firewall filters to input traffic or to traffic leaving the router on one, more than 
one, or all interfaces. You can apply the same filter to multiple interfaces. 
3.5.2  Hardware-based Packet Filtering 
The Internet Processor II ASIC packet filtering supports matching against a 
variety of packet header fields. The packet header fields to which a filter can be 
applied are: 
§  Source IP address 
§  Destination IP address 
§  Source transport port 
§  Destination transport port 
§  TCP control bits 
§  DiffServ byte 
§  IP fragmentation offset and control fields 
§  IP protocol type 
Actions to be taken based on a match include forwarding the packet based on a 
route table lookup, or dropping the packet. (Note: The ASIC supports the ability to 
redirect the packet to a specified next hop; however, packet redirection is not a 
4.0 feature.) Additionally, the Internet Processor II supports the ability to count or 
log instances of a filter match. One input filter and one output filter can be 
configured for each logical or physical interface. Multiple match conditions can be 
set per filter, and multiple actions can be configured for each match condition.  
3.5.2.1  Filtering Application: Source Address Verification 
Internet Processor II functionality can be used to verify source addresses for the 
purpose of avoiding source address spoofing attacks. Many attacks on the 
Internet use source address spoofing to hide the identity of the attacker. Today, 
the source of the attack can only be found by tracing the traffic hop-by-hop back 
to the ingress point. Once the ingress point is known, administrative action 
can be taken. The Internet Processor II provides the performance to run source 
address filters on ingress points of a provider's network to ensure that the source 
addresses of packets coming from that source are within the prefix range 
assigned to that source. If the source address in a packet is not within the 
appropriate prefix range, then the packet is dropped. Verifying the source 
address at the subscriber's ingress point keeps the attack off the network 
completely and reduces exposure to spoofing-related denial of service attacks, 
improving both the security and reliability of the provider's network and the 
Internet in general. 
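The filter behaviour described in sections 3.5.1 through 3.5.2.1, modelled in Python as an added example. This is not Juniper code and does not use the router's configuration syntax; it is a small stateless filter engine whose match fields are the eight header fields listed in 3.5.2, whose actions are accept or discard with optional count and log modifiers, and which binds one input and one output filter per interface. The names (Packet, Term, Filter, Interface, protect_re_filter, source_verification_filter), the assumption that a packet matching no term is discarded, and all addresses (documentation ranges) are constructed for the illustration. The last function builds the source address verification filter of 3.5.2.1 from a subscriber's assigned prefix and shows a spoofed packet being counted, logged and dropped at the ingress point.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence

# Protocol numbers and TCP control bits used in the demo (constructed constants).
TCP, UDP, ICMP = 6, 17, 1
SYN, ACK = 0x02, 0x10


@dataclass(frozen=True)
class Packet:
    """The header fields a filter can match on (the list in section 3.5.2)."""
    src: str
    dst: str
    protocol: int
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0          # TCP control bits
    dscp: int = 0               # DiffServ byte
    frag_offset: int = 0        # IP fragment offset; 0 for first/unfragmented


@dataclass
class Term:
    """One match condition plus its action; an empty criterion means 'any'."""
    name: str
    action: str                             # "accept" or "discard"
    src_prefixes: Sequence[str] = ()
    dst_prefixes: Sequence[str] = ()
    protocols: Sequence[int] = ()
    sports: Sequence[int] = ()
    dports: Sequence[int] = ()
    tcp_flags: Optional[tuple] = None       # (mask, value) over the control bits
    dscp: Optional[int] = None
    first_fragment_only: bool = False
    count: bool = False                     # action modifiers named in the text
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        def in_any(addr, prefixes):
            return any(ipaddress.ip_address(addr) in ipaddress.ip_network(p, strict=False)
                       for p in prefixes)
        return all([
            not self.src_prefixes or in_any(pkt.src, self.src_prefixes),
            not self.dst_prefixes or in_any(pkt.dst, self.dst_prefixes),
            not self.protocols or pkt.protocol in self.protocols,
            not self.sports or pkt.sport in self.sports,
            not self.dports or pkt.dport in self.dports,
            self.tcp_flags is None or (pkt.protocol == TCP and
                                       (pkt.tcp_flags & self.tcp_flags[0]) == self.tcp_flags[1]),
            self.dscp is None or pkt.dscp == self.dscp,
            not self.first_fragment_only or pkt.frag_offset == 0,
        ])


class Filter:
    """Ordered terms, first match wins; a packet matching no term takes the default
    (assumed here to be discard)."""
    def __init__(self, name, terms, default="discard"):
        self.name, self.terms, self.default = name, list(terms), default
        self.counters = {}      # term name -> number of matches, for count=True terms
        self.log = []           # (term, src, dst, protocol) entries, for log=True terms

    def apply(self, pkt: Packet) -> str:
        for term in self.terms:
            if term.matches(pkt):
                if term.count:
                    self.counters[term.name] = self.counters.get(term.name, 0) + 1
                if term.log:
                    self.log.append((term.name, pkt.src, pkt.dst, pkt.protocol))
                return term.action
        return self.default


class Interface:
    """One input and one output filter per interface, as the text states."""
    def __init__(self, name, input_filter=None, output_filter=None):
        self.name, self.input_filter, self.output_filter = name, input_filter, output_filter

    def receive(self, pkt):
        return self.input_filter.apply(pkt) if self.input_filter else "accept"

    def send(self, pkt):
        return self.output_filter.apply(pkt) if self.output_filter else "accept"


def protect_re_filter(bgp_peers, mgmt_prefix):
    """Input filter for the Routing Engine (section 3.5.1): BGP only from configured
    peers, SSH only from the management prefix, everything else counted, logged, dropped."""
    return Filter("protect-re", [
        Term("bgp-from-peers", "accept", src_prefixes=tuple(bgp_peers),
             protocols=(TCP,), dports=(179,)),
        Term("ssh-from-mgmt", "accept", src_prefixes=(mgmt_prefix,),
             protocols=(TCP,), dports=(22,)),
        Term("deny-rest", "discard", count=True, log=True),
    ])


def source_verification_filter(assigned_prefixes):
    """Ingress filter for a subscriber port (section 3.5.2.1): accept only packets
    whose source lies in the prefixes assigned to that subscriber."""
    return Filter("verify-source", [
        Term("assigned-sources", "accept", src_prefixes=tuple(assigned_prefixes)),
        Term("spoofed", "discard", count=True, log=True),
    ])


def demo():
    """Constructed traffic: one legitimate SYN and one SYN with a spoofed source."""
    port = Interface("subscriber-0",
                     input_filter=source_verification_filter(["198.51.100.0/24"]))
    legit = Packet("198.51.100.7", "203.0.113.5", TCP, 40000, 80, tcp_flags=SYN)
    spoofed = Packet("203.0.113.9", "203.0.113.5", TCP, 40000, 80, tcp_flags=SYN)
    return port.receive(legit), port.receive(spoofed), dict(port.input_filter.counters)


if __name__ == "__main__":
    print(demo())   # ('accept', 'discard', {'spoofed': 1})
```

The counter and log entries on the final term are what an operator would watch: a rising "spoofed" counter on a subscriber port identifies the ingress point directly, which is the hop-by-hop trace the text says is otherwise needed.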