What are some of the motivations for using a dedicated, purpose-built router
rather than a general purpose machine with a “standard” operating system (OS)?
What justifies this expense, and what justifies the bother of learning yet
another system?
The answer, in part, concerns performance: a special purpose
router can have much higher performance than a general purpose computer with
routing functionality tacked onto it. Also, one can potentially add more network
connections to a machine designed for that purpose, because it can be designed
to support more interface card slots.
Thus, a special purpose device will
probably be a lower cost solution for a given level of functionality. But there
are also a number of security benefits to a special purpose router; in general,
consolidating network routing and related functions on a dedicated device
restricts access and limits the exposure of those critical functions.
For one thing, a specialized router operating system (like Cisco’s
Internetwork Operating System or IOS) can be smaller, better understood, and
more thoroughly tested than a general purpose OS. (Note that for brevity, the
term IOS will be used in this document to refer to the router’s operating system
and associated software, but hardware from vendors other than Cisco would run
similar software.) This means that it is potentially less vulnerable.
Also, the mere fact that it is different means that an attacker has one more
thing to learn, and that known vulnerabilities in other systems are of no help
to the router attacker. Finally, specialized routing software enables a fuller
and more robust implementation of filtering. Filtering is useful as a “firewall”
technique, and can also be used to partition networks and prohibit or restrict
access to certain networks or services. Using filtering, some routing protocols
can prohibit the advertisement of routes to neighbors, thus helping protect
certain parts of the network.
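The two kinds of filtering just described, an interface packet filter and a route-advertisement filter, look like this in Cisco IOS configuration syntax. This is an added example, not configuration from the original guide. The interface names, the network numbers (RFC 5737 documentation ranges: 192.0.2.0/24 standing for the internal network, 192.0.2.10 for an internal web server, 198.51.100.0/24 for a management network) and the routing protocol (RIP) are all assumptions chosen for illustration.

```cisco
! Added example (not from the original guide). Addresses are RFC 5737
! documentation ranges; interface names and the use of RIP are assumptions.
!
! Extended ACL 101, applied inbound on the outside link: drop packets that
! claim an internal source address (they cannot legitimately arrive from
! outside), allow only web traffic to the one published server, and log
! everything else that is denied so filtered attempts are visible.
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 deny   ip any any log
!
interface Serial0/0
 description link to the outside
 ip access-group 101 in
!
! Standard ACL 10 names the only network RIP may advertise out the outside
! link; the management network 198.51.100.0/24 is never advertised there,
! so that part of the network stays invisible to outside neighbors.
access-list 10 permit 192.0.2.0 0.0.0.255
!
router rip
 network 192.0.2.0
 network 198.51.100.0
 distribute-list 10 out Serial0/0
```

After applying this, `show access-lists 101` shows the per-entry match counters (the logged denies are the ones worth reviewing), and `show ip rip database` on the router confirms which routes are held, while a neighbor on the Serial0/0 side should never learn 198.51.100.0/24.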
A router is essentially just another computer. So, similar to any other
computer, it has a central processor unit (CPU), various kinds of memory, and
connections to other devices. Generally, a router does not have a hard disk,
floppy drive, or CD-ROM drive. CPU speed and memory size are important
considerations for both performance and capabilities (e.g. some Cisco IOS
features require more than the default amount of memory, and sophisticated
security services usually require substantial computation).
A router typically contains several types of memory, possibly including
RAM, NVRAM, Flash, and ROM (PROM, EEPROM). These are listed roughly
in order of volatility. The mix of types and the amount of each type are
determined on the basis of: volatility, ease of reprogramming, cost, access
speed, and other factors. ROM is used to store a router’s bootstrap software.
Non-volatile RAM (NVRAM) is used to store the startup configuration that the IOS
reads when the router boots. Flash memory stores the IOS (or other router OS),
and if there is enough flash it may store more than one version of IOS.
Interfaces provide the physical connections from a router to networks.
Interface types include Ethernet, fast Ethernet, token ring, FDDI, low-speed
serial, fast serial, HSSI, ISDN BRI, etc. Each interface is named and numbered.
Interface cards fit into slots in a router, and an external cable of the
appropriate type is connected to the card. In addition to a number of
interfaces, almost all routers have a console port providing an asynchronous
serial connection (RS-232).
Also, most routers have an auxiliary port, which is frequently used for
connecting a modem for router management. [These hardware ports should not be
confused with the concept of network protocol port numbers, such as the “well
known” port numbers associated with particular protocols and services, such as
TCP port 23 being used for Telnet.]
Similar to any other computer, a router will run a control program or
operating system (OS). Each router vendor supplies their own router OS. In the
case of Cisco routers, they run Cisco’s Internetwork Operating System (IOS). It
is the IOS that interprets the Access Control List (ACL) and other commands to
the router.
The startup or backup configuration is stored in NVRAM. It is executed when
the router boots. As part of the boot process a copy of this configuration is
loaded into RAM. Changes made to a running configuration are usually made only
in RAM and generally take effect immediately. If changes to a configuration are
written to the startup configuration, then they will also take effect on reboot.
Changes made only to the running configuration will be lost upon reboot.
An operational router will have a large number of processes executing to
provide the services and protocols that the router must support. All routers
support a variety of commands that display information about what processes are
running and what resources, such as CPU time and memory, they are consuming.
Unneeded services and facilities should be disabled to avoid wasting CPU and
memory resources.
Each router should have a unique name to identify it, and each interface
should have a unique network address associated with it. Also, basic security
settings should be established on any router before it is connected to an
operational network.
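The steps in the last three paragraphs (name the router, address each interface, disable unneeded services, establish basic security settings, then commit the running configuration to NVRAM and verify) fit together as one baseline applied from the console before the router is attached to a live network. The configuration below is an added example, not from the original guide; the hostname, interface names, addresses (RFC 5737 documentation ranges) and the bracketed secret placeholders are assumptions to be replaced with site-specific values.

```cisco
! Added example (not from the original guide): a minimal baseline entered
! from the console. Names, addresses and <PLACEHOLDER> secrets are
! illustrative only and must be replaced.
configure terminal
hostname edge-rtr-1
!
! Privileged-mode secret is stored hashed; service password-encryption
! obscures the line passwords so they are not shown in clear text.
enable secret <REPLACE-WITH-STRONG-SECRET>
service password-encryption
!
! Unneeded services waste CPU and memory and widen exposure: turn them off.
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip bootp server
no ip http server
no cdp run
no ip source-route
!
! Each interface gets a unique address; directed broadcasts and proxy ARP
! are disabled, and an interface not yet in use stays shut down.
interface FastEthernet0/0
 description inside LAN
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
 no ip proxy-arp
 no shutdown
interface FastEthernet0/1
 shutdown
!
! Console requires a login and idles out; the auxiliary port is not used
! for management here, so it accepts no connections at all.
line console 0
 password <REPLACE-WITH-CONSOLE-PASSWORD>
 login
 exec-timeout 5 0
line aux 0
 no exec
 transport input none
!
! Remote terminal access only from the single management host in ACL 5.
access-list 5 permit host 198.51.100.20
line vty 0 4
 access-class 5 in
 password <REPLACE-WITH-VTY-PASSWORD>
 login
 exec-timeout 5 0
!
! Keep a timestamped log buffer so router activity can be reviewed.
logging buffered 16384
service timestamps log datetime localtime
end
!
! Everything above lives only in RAM until written to NVRAM; without this
! step the changes are lost on reboot.
copy running-config startup-config
!
! Confirm what is running and what is consuming CPU and memory.
show processes cpu
show processes memory
show running-config
```

The `show processes` commands are the place to look for services that were missed: anything still listed that the router has no operational need for is a candidate for the same `no service` or `no ip` treatment, and `show startup-config` should match `show running-config` once the copy has completed.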