Device security and device testing for IP network routers

Source: Internet
Author: User

I. Introduction

Today is the age of the network. Since the end of the 20th century the IP network has grown at an unprecedented pace, a milestone in the history of science and technology, and it is well on its way to replacing the circuit-switched network that has existed for more than 100 years. From the point of view of the telecommunications network, however, IP networks still have problems in security, quality of service and operating model.

Security is one of the most important of these problems. Because IP networks are open, their security problems become very complicated. This paper analyzes the security threats in IP networks and discusses testing of the security functions of router devices.

II. Security threats faced by IP networks

The greatest advantage of the IP network is its openness and its support for intelligent terminals; these are what allow the rich variety of services and applications on IP networks. At the same time, that openness and terminal intelligence expose the IP network to unprecedented security threats.

IP networks face two kinds of security threat: threats to the security of hosts (user hosts and application servers) and threats to the security of the network itself (mainly the network equipment: routers, switches and so on). The threat perceived by a user host is mainly an attack on a particular operating system (primarily Windows), commonly known as a virus. Network devices mainly face attacks based on the TCP/IP protocols. This paper discusses the network itself, that is, the security problems of the network equipment (mainly routers).

From the point of view of the protocol system, a router device can be divided into a data plane, a control/signaling plane and a management plane, and each of these can be further divided by the layers of the TCP/IP protocol stack. The system framework of a router is shown in Figure 1. A router can be attacked at every layer of this framework.

Figure 1 System framework for routers

(1) The function of the data plane is to process the data flowing into the device, so it is the likely target of traffic-based attacks, such as high-volume traffic attacks and malformed-packet attacks. The main purpose of these attacks is to consume the processing time of the device CPU so that normal data traffic cannot be processed, reducing the availability of the device. Because the data plane also forwards user data, it is the target of attacks on user data, mainly malicious theft, modification and deletion, which damage the confidentiality and integrity of that data.

(2) For routers, the main function of the control/signaling plane is to exchange routing information. The main threats to this plane are theft of routing information, forgery of IP addresses and the like, which can lead to leakage or misuse of the network's routing information.

(3) For the system management plane, the threat comes from two directions: vulnerabilities in the protocols used for system management (such as Telnet and HTTP), and lax management practice, such as leakage of device management accounts.

III. The main means of attack that threaten network security

1. Data plane

The primary attack on the data plane is the denial-of-service (DoS) attack, which takes many forms across different protocols.

(1) Land attack. The Land attack exploits the TCP implementation of some systems by constructing TCP SYN packets whose source IP address and TCP port number equal the destination IP address and TCP port number, so that the system initiates a TCP connection to itself and wastes system resources.

(2) SYN flood attack. The SYN flood attack exploits the TCP three-way handshake: the attacking host sends a large number of SYN requests to the attacked device, with source addresses belonging to unreachable hosts. The attacked device sends SYN-ACK responses and then waits for a large number of ACKs that can never arrive, tying up a large amount of system resources.

(3) Smurf attack. The Smurf attack is a DoS method based on the ICMP protocol. The attacker forges ICMP Echo Request (ping) packets whose source address is the address of the attacked device and whose destination is a broadcast address in the network, so that a large number of ICMP reply packets greatly increase the load on the attacked device and the network. When UDP echo requests are used instead of ICMP, the attack becomes the Fraggle attack.

(4) Ping flood attack. The ping flood attack continuously sends a large number of ping packets from a high-bandwidth connection to a low-bandwidth one; the attacked device answers every ping, reducing the bandwidth available to the network.

(5) Teardrop attack. The teardrop attack exploits the IP fragmentation/reassembly mechanism by sending forged fragmented IP packets whose fragment offset fields in the IP header are set to duplicate, overlapping values, so that the attacked device hangs or even crashes while processing these fragments.

(6) Ping of Death attack. The Ping of Death attack paralyzes the device by sending a ping packet whose total length exceeds 65535 bytes, causing memory allocation errors on the attacked device.

Besides DoS attacks, network devices also face large numbers of malformed and erroneous packets on the network, which consume much of the device's processing capacity; the Ping of Death attack can also be regarded as a form of malformed packet.
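Each of the six attack forms above, and the malformed-packet case, leaves a recognizable signature in packet headers that a router's protection logic or a monitoring probe can test for. The following Python is an added illustration, not code from the original article: it applies one detection rule per attack to a constructed batch of packet summaries. The record layout, addresses, thresholds and the protected subnet are assumptions made for the example.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed packet summaries (not captured traffic); each dict is one IP packet
# or fragment as a decoder would summarize it.  frag_off is in 8-byte units as
# in the IP header; frag_len is the fragment's payload length in bytes.
SAMPLE_PACKETS = [
    # Land: SYN whose source equals its destination, port included
    {"src": "192.0.2.10", "dst": "192.0.2.10", "proto": "tcp",
     "sport": 139, "dport": 139, "flags": "S"},
    # Smurf / Fraggle: echo requests aimed at the subnet's broadcast address
    {"src": "198.51.100.5", "dst": "192.0.2.255", "proto": "icmp", "type": 8},
    {"src": "198.51.100.5", "dst": "192.0.2.255", "proto": "udp", "dport": 7},
    # Teardrop: two fragments of datagram 0x1234 whose byte ranges overlap
    {"src": "203.0.113.7", "dst": "192.0.2.1", "proto": "udp",
     "ip_id": 0x1234, "frag_off": 0, "frag_len": 36, "mf": 1},
    {"src": "203.0.113.7", "dst": "192.0.2.1", "proto": "udp",
     "ip_id": 0x1234, "frag_off": 3, "frag_len": 24, "mf": 0},
    # Ping of Death: last fragment ends beyond the 65535-byte datagram limit
    {"src": "203.0.113.8", "dst": "192.0.2.1", "proto": "icmp", "type": 8,
     "ip_id": 0x4321, "frag_off": 8185, "frag_len": 80, "mf": 0},
]
# SYN flood: 60 SYNs to one service from 60 different sources (constructed)
SAMPLE_PACKETS += [{"src": f"10.9.{i // 256}.{i % 256}", "dst": "192.0.2.1",
                    "proto": "tcp", "sport": 40000 + i, "dport": 80, "flags": "S"}
                   for i in range(60)]
# Ping flood: 120 echo requests from a single source (constructed)
SAMPLE_PACKETS += [{"src": "198.51.100.9", "dst": "192.0.2.1",
                    "proto": "icmp", "type": 8} for _ in range(120)]

PROTECTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed local subnet
BROADCASTS = {str(n.broadcast_address) for n in PROTECTED_NETS} | {"255.255.255.255"}
MAX_DATAGRAM = 65535


def is_land(p):
    """TCP SYN with identical source and destination address and port."""
    return (p["proto"] == "tcp" and "S" in p.get("flags", "")
            and p["src"] == p["dst"] and p["sport"] == p["dport"])


def is_broadcast_echo(p):
    """ICMP echo request (Smurf) or UDP echo (Fraggle) sent to a broadcast address."""
    if p["dst"] not in BROADCASTS:
        return False
    return ((p["proto"] == "icmp" and p.get("type") == 8)
            or (p["proto"] == "udp" and p.get("dport") == 7))


def fragment_anomalies(packets):
    """Group fragments per datagram; flag overlapping ranges (teardrop) and
    reassembled sizes beyond 65535 bytes (Ping of Death)."""
    groups = defaultdict(list)
    for p in packets:
        if "frag_off" in p:
            groups[(p["src"], p["dst"], p["ip_id"])].append(p)
    findings = []
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["frag_off"])
        prev_end = 0
        for f in frags:
            start = f["frag_off"] * 8
            if start < prev_end:            # this fragment re-covers earlier bytes
                findings.append(("teardrop", key))
                break
            prev_end = start + f["frag_len"]
        if prev_end > MAX_DATAGRAM:
            findings.append(("ping_of_death", key))
    return findings


def flood_sources(packets, syn_threshold=50, ping_threshold=100):
    """Count bare SYNs per destination service and echo requests per source."""
    syns = Counter((p["dst"], p["dport"]) for p in packets
                   if p["proto"] == "tcp" and "S" in p.get("flags", "")
                   and "A" not in p.get("flags", ""))
    pings = Counter(p["src"] for p in packets
                    if p["proto"] == "icmp" and p.get("type") == 8 and "frag_off" not in p)
    findings = [("syn_flood", target) for target, n in syns.items() if n >= syn_threshold]
    findings += [("ping_flood", src) for src, n in pings.items() if n >= ping_threshold]
    return findings


def analyze(packets):
    """Return a list of (kind, detail) findings for one batch of packets."""
    findings = [("land", (p["src"], p["sport"])) for p in packets if is_land(p)]
    findings += [("broadcast_echo", (p["src"], p["dst"], p["proto"]))
                 for p in packets if is_broadcast_echo(p)]
    findings += fragment_anomalies(packets)
    findings += flood_sources(packets)
    return findings


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_PACKETS):
        print(f"{kind:15s} {detail}")
```

The rate checks are deliberately batch-based; a real probe would keep the same counters over a sliding time window and would pair SYNs with the SYN-ACKs that never complete, which is what distinguishes a flood from a busy but healthy service.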

At the same time, user data on the network may be maliciously eavesdropped on or intercepted; at present the most effective protection is to encrypt user data with the IPSec protocol.

2. Control/Signaling plane

Attacks on the control/signaling plane mainly use illegal or unauthorized routing devices to establish routing adjacencies with legitimate devices in the network in order to obtain the network's routing information. Cryptographic authentication in the routing protocols can effectively prevent this attack. At present RIPv2, OSPF and IS-IS support plaintext authentication and MD5 authentication of their protocol messages, while BGP, LDP and other protocols rely on TCP MD5 authentication to protect their protocol messages.
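The MD5 authentication named above works by appending a keyed digest to each protocol message rather than by encrypting it: the sender computes MD5 over the message plus a shared secret that never travels on the wire, and the receiver recomputes it, so a rogue router that does not hold the secret cannot produce an acceptable update. The Python below is an added, simplified model of that scheme (not the article's code and not a protocol implementation): it follows the RIPv2/OSPFv2 convention of padding the secret to 16 bytes and carrying a key id and a cryptographic sequence number, the latter being what stops an observer from replaying a captured update. The message format, field sizes and the strictly increasing sequence rule are assumptions for the example.

```python
import hashlib
import hmac
import struct

KEY_LEN = 16          # RIPv2 and OSPFv2 pad (or truncate) the shared secret to 16 bytes
DIGEST_LEN = 16       # MD5 output length
HEADER_FMT = "!BI"    # assumed: 1-byte key id + 4-byte cryptographic sequence number
HEADER_LEN = struct.calcsize(HEADER_FMT)


def _pad_key(key: bytes) -> bytes:
    """Fixed-width key material, as the legacy routing-protocol MD5 schemes use it."""
    return key[:KEY_LEN].ljust(KEY_LEN, b"\x00")


def sign_update(update: bytes, key_id: int, seq: int, key: bytes) -> bytes:
    """Prefix the update with key id and sequence number and append
    MD5(prefix || update || padded key).  Only the digest goes on the wire."""
    prefix = struct.pack(HEADER_FMT, key_id, seq)
    digest = hashlib.md5(prefix + update + _pad_key(key)).digest()
    return prefix + update + digest


class NeighbourVerifier:
    """Receiving side: a table of shared keys and the highest sequence number
    accepted from each neighbour, so replayed updates are rejected."""

    def __init__(self, keys):
        self.keys = dict(keys)    # key_id -> shared secret
        self.last_seq = {}        # neighbour -> last accepted sequence number

    def verify(self, neighbour: str, msg: bytes):
        """Return (True, update) for a genuine, fresh message, else (False, reason)."""
        if len(msg) < HEADER_LEN + DIGEST_LEN:
            return False, "truncated message"
        key_id, seq = struct.unpack(HEADER_FMT, msg[:HEADER_LEN])
        key = self.keys.get(key_id)
        if key is None:
            return False, "unknown key id"
        signed_part, digest = msg[:-DIGEST_LEN], msg[-DIGEST_LEN:]
        expected = hashlib.md5(signed_part + _pad_key(key)).digest()
        if not hmac.compare_digest(expected, digest):   # constant-time comparison
            return False, "bad digest"
        if seq <= self.last_seq.get(neighbour, -1):     # old or repeated update
            return False, "replayed sequence number"
        self.last_seq[neighbour] = seq
        return True, signed_part[HEADER_LEN:]


if __name__ == "__main__":
    shared = b"area0-secret"                     # constructed key, not a real one
    rx = NeighbourVerifier({1: shared})
    good = sign_update(b"10.0.0.0/8 via 192.0.2.1", 1, 100, shared)
    print(rx.verify("rtrA", good))               # accepted
    print(rx.verify("rtrA", good))               # same message again: replay
    print(rx.verify("rtrA", sign_update(b"10.0.0.0/8 via 198.51.100.9", 1, 101, b"guess")))
```

Two properties are worth checking when testing a router's implementation: a message with a corrupted body must fail with a bad digest before its sequence number is recorded, and each neighbour must keep its own sequence state. Key-plus-hash constructions of this kind are the legacy scheme the article lists; the same trailer layout carries HMAC-based digests in later protocol revisions.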

3. Management plane

At present, remote management of equipment mainly uses Telnet and the Web, but the Telnet and HTTP protocols provide no security functions themselves: user data, user accounts and passwords are all transmitted in clear text, so they are easily sniffed and stolen, and the sessions are also vulnerable to man-in-the-middle attacks.

The solution to the remote-management problem relies mainly on the SSH and SSL protocols. SSH (Secure Shell) is currently a relatively reliable protocol for securing Telnet sessions and other network services, and it effectively prevents information leakage during remote management. The SSL (Secure Sockets Layer) protocol encrypts the communication between the browser and the Web server when the Web is used for remote administration.
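Testing the management plane therefore comes down to confirming that the clear-text services are off and their secured replacements are on. The following Python is an added example, not part of the original article: a small audit over a router configuration that reports plain HTTP and Telnet management access and unpinned SSH versions. The two configuration excerpts are constructed, and the IOS-style command syntax they use is an assumption for the example rather than a reference to any particular device.

```python
import re

# Constructed IOS-style configuration excerpts, written only to exercise the
# checks (command syntax assumed; not taken from a real device).
WEAK_CONFIG = """\
hostname edge-1
ip http server
no ip http secure-server
line vty 0 4
 transport input telnet ssh
 login local
"""

HARDENED_CONFIG = """\
hostname edge-1
no ip http server
ip http secure-server
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
"""

TRANSPORT_RE = re.compile(r"^transport input (.+)$")


def audit_management_plane(config: str):
    """Return (severity, message) findings for clear-text or weak management access."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []

    # Web management: HTTP sends accounts and passwords in clear text.
    if "ip http server" in lines:
        findings.append(("high", "plain HTTP management enabled: accounts and "
                                 "passwords cross the network in clear text"))
        if "ip http secure-server" not in lines:
            findings.append(("medium", "no HTTPS (SSL) server configured to replace HTTP"))

    # CLI management: collect every protocol accepted on the vty lines.
    transports = set()
    for line in lines:
        m = TRANSPORT_RE.match(line)
        if m:
            transports |= set(m.group(1).split())
    if "telnet" in transports or "all" in transports:
        findings.append(("high", "Telnet accepted on vty lines: sessions can be "
                                 "sniffed or hijacked by a man in the middle"))
    if "ssh" in transports and "ip ssh version 2" not in lines:
        findings.append(("medium", "SSH enabled but protocol version not pinned to 2"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_management_plane(cfg) or "no findings")
```

The audit matches whole stripped lines on purpose: "no ip http server" must not be mistaken for "ip http server", which a substring search would do.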
