Free Newsletter
Register for our Free Newsletters
Access Control
Deutsche Zone (German Zone)
Education, Training and Professional Services
Government Programmes
Guarding, Equipment and Enforcement
Industrial Computing Security
IT Security
Physical Security
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor

The dangers of poor data routing

Network Box : 28 September, 2009  (Technical Article)
Network Box continues its "Forgotten Security" series of white papers with the subject of poorly configured data routing in organisations
High volumes of company data are being mistakenly routed round company networks, compromising their effectiveness and security, according to managed security company, Network Box.

In the second in its 'Forgotten Security' series of advisory papers, 'The Hole in the Wall' Network Box examines how simple mistakes result in data being regularly routed incorrectly by IT teams, leaving holes in network security. The paper investigates some of the most common errors made, and gives advice on how to prevent them.

Written by Network Box's Internet Security Analyst, Simon Heron, 'The Hole in the Wall' includes analysis of some of the most common situations of badly configured routing:

Triangular routing. This is where the path that data takes to arrive at a workstation is different from the path it takes back to the originator. If only the returning data path goes through a connection tracking firewall, the firewall will block it, as it sees no record of the originating data packet. IT teams will often 'fix' this block by disabling the connection tracking, which compromises security. However, the problem can be very simply fixed, by routing all data through the firewall.

Firewalls implementing Proxy ARP (address resolution protocol). If a machine is mistakenly connected directly to a router, bypassing the firewall, it may respond to a relevant ARP requests from the router, that should be answered only by the firewall. This means the router gets more than one response to its request, which can result in self-imposed denial of service attacks. This often happens in busy server rooms, where connections are not labelled correctly.

Misdirected packets. In larger networks, data packets are routed to optimise speed and loading. But if these are mis-configured so that all packets go the same way, then that path can become seriously overloaded, creating a bottleneck.
Virtual Local Area Networks (VLAN). It is becoming increasingly common for VLAN switches to be mis-configured to allow traffic to go straight to the VLAN, bypassing the firewall. This should be simple to check - a good firewall will be able to show the traffic passing through it in real time, so the IT manager can check the settings on the switch. It is also important these days that the VLAN switch is configured and maintained properly, and is updated with the latest patches. This is a very common omission as switches have not previously required this level of attention. The paper gives a number of example situations of mis-configured VLAN switches, and how to avoid them.

Simon Heron says: "As networks grow, routing becomes more complex. It is increasingly important for IT teams to understand where data is going on the network. Too many IT managers have got their systems to work by trial and error, and either forget about it if it appears to be working, or are scared to make changes in case it stops working. Routing is the invisible and forgotten hole in the firewall."

'The Hole in the Wall' guide to routing is available free to download, from Network Box's website

Bookmark and Share
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
   © 2012
Netgains Logo