Can Routers Provide Sufficient Protection against Cyber Security Attacks?

Nowadays many of the devices that make up a computer network are being equipped with security hardware and software features to prevent cyber security attacks. The idea is to distribute security features to intermediate systems in the network to mitigate the overall adverse effect of cyber attacks. In this paper we focus on the Juniper J4350 router running Junos Software Enhanced Services, which provides security-attack protections in the router itself. We evaluate how the Juniper router with its built-in security protections affected the overall server performance under a cyber security attack.


Introduction
Cyber security attacks have become one of the biggest problems of our time.
Many research works [1]- [14] have highlighted the security vulnerabilities of systems and servers as impacted by cyber security attacks. As a result, an increasing number of security hardware and software mechanisms are being deployed onto computers and servers. However, this approach is found to consume a lot of computer resources, which in turn results in an overall slowdown of the computer system and slower communication.
Besides computers, more security features are being added to Internet devices such as routers. When configuring the security of a router's built-in firewall, there are two questions that most people consider: "What kind of changes can we make to the network using the router?" and "How will the changes made using the router affect the performance of the network?" In this paper, we investigate how increasing the security offered by the Juniper J4350 router affected the connection rate supported by the web server under a cyber security attack. To understand the effect, we created a benchmark scenario in which the server was used without the router and compared its performance with a second scenario in which the server was connected through the router with security enabled at the router. In Section 2, we discuss the security attack used in this experiment and explain how the TCP/SYN attack worked to affect performance. We also explain the security features of the router that protect the network and how they prevent attackers from affecting it. In Section 3, we discuss the experimental setup used to test the security settings of the router's firewall and how they affected the connection rate of the users trying to communicate with the web server. This was done using two different network configurations: one that did not deploy the router, and another that used the router with security deployed on it to stop the attack traffic from reaching the web server. In Section 4, the experimental results for the two scenarios are presented and compared to show how effective the router's security was for the network, and Section 5 presents the conclusion of the paper.

Background Information
When setting up the configuration of many devices, manufacturers tend to ship a recommended setting as the default mode, which is intended to be an optimized setting for new users who lack a customized configuration.
Most people who are not very familiar with security configurations, and are not sure what the various protections offer or whether they really need a given protection, end up enabling more security than they really need. In most cases, having more security may sound good, but is the extra security worth it when it comes at the expense of exhausting more of the router's resources? In this section, we discuss the router configurations and what protection the router's security offers against a common TCP based cyber attack [13]- [22].

TCP/SYN
The DDoS attack used to evaluate the router in this paper was the TCP/SYN flood attack, in which the attacker prevents the completion of the 3-way handshake needed to establish an end-to-end connection at layer 4 of the TCP/IP protocol stack [13] [14] [15] [16]. The 3-way handshake is shown in Figure 1.
The 3-way handshake is the method by which two end-to-end computers first establish a connection before data traffic is sent between them, as shown in Figure 1. In a TCP/SYN flood the attacker sends SYN requests but never returns the final ACK, leaving half-open connections at the server that wait for the final ACK response to arrive until they time out. This incomplete 3-way handshake is shown in Figure 2.
When the attacker creates these half-open connections, it consumes the server's resources and hence prevents legitimate users from creating successful connections with the server.

TCP SYN-Proxy Protection
According to the router's SYN-Proxy security protection mechanism, the router terminates the client-to-server connection and creates a separate TCP connection of its own, so that it can make sure the 3-way handshake is completed for legitimate connections before they reach the server. If the TCP connection is legitimate, the router then establishes the connection with the server. However, if the three-way handshake is not completed between the router and the client, the half-open connection is dropped at the router before it ever reaches the server.
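To make the half-open connection problem and the SYN-proxy behaviour concrete, the following tick-based model, added here as an illustration and not code from the paper or from Juniper, simulates a bounded half-open connection table (the server's backlog) under a SYN-only flood, first with the server exposed directly and then with a SYN proxy completing the handshake in front of it. Backlog sizes, timeout, per-tick processing budget and traffic rates are constructed values, not measurements from the experiment; the `capacity` budget is an assumption that lets the model show a saturated proxy dropping legitimate SYNs along with attack SYNs.

```python
from collections import deque
class Backlog:
    """Bounded half-open connection table with a per-tick packet budget."""
    def __init__(self, size, timeout, capacity=10**9):
        self.size, self.timeout, self.capacity = size, timeout, capacity
        self.pending = {}            # src -> tick at which the entry expires
        self.established = self.refused = self.seen = 0

    def tick(self, now):
        self.seen = 0                # fresh processing budget for this tick
        # half-open entries whose ACK never arrived are reclaimed on timeout
        self.pending = {s: t for s, t in self.pending.items() if t > now}

    def _handled(self):              # False once the device is saturated
        self.seen += 1
        return self.seen <= self.capacity

    def syn(self, src, now):
        # SYN: take a half-open slot unless over budget or the table is full
        if not self._handled() or len(self.pending) >= self.size:
            self.refused += 1
            return False
        self.pending[src] = now + self.timeout   # SYN-ACK sent, ACK awaited
        return True

    def ack(self, src):
        # final ACK completes the handshake and frees the half-open slot
        if not self._handled() or self.pending.pop(src, None) is None:
            return False
        self.established += 1
        return True

def simulate(ticks, attack_rate, legit_rate, proxy=None, server_size=64, timeout=8):
    # attackers send SYN only; legit clients ACK next tick; a proxy completes first
    server = Backlog(server_size, timeout)
    front = proxy if proxy is not None else server
    acks_due, n = deque(), 0         # (tick, src) legitimate ACKs in flight
    for now in range(ticks):
        front.tick(now); server.tick(now)
        while acks_due and acks_due[0][0] <= now:
            _, src = acks_due.popleft()
            if front.ack(src) and proxy is not None:
                server.syn(src, now); server.ack(src)  # proxy opens real conn
        for _ in range(attack_rate):           # constructed flood: SYN only
            front.syn(f"atk{n}", now); n += 1
        for _ in range(legit_rate):            # constructed legitimate clients
            if front.syn(f"cli{n}", now):
                acks_due.append((now + 1, f"cli{n}"))
            n += 1
    return server.established        # legitimate connections the server got
```

With a 64-entry server backlog, `simulate(5, 100, 2)` yields no legitimate connections, `simulate(5, 100, 2, proxy=Backlog(10000, 8))` restores them, and a proxy whose per-tick capacity is below the combined arrival rate loses them again at the proxy rather than at the server.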

Experiment Set up
For the experiment, we configured the Juniper J4350 router with Junos Software Release [9.2R1.10] (Export edition) Enhanced Services in a star topology network, as seen in Figure 4, and used Category 6 Ethernet cables to connect all the network devices.
An Apple iMac Pro server was used as the attack target, which deployed an Intel

Scenario 1: Baseline Configuration and Server Performance without Router
For the baseline configuration, we directly connected the clients and the server through a switch with no built-in security (Figure 3).

Scenario 2: Network Configuration with Router's Security Protection Enabled
The Juniper J4350 router was configured using the company's specifications [17]- [22] and was deployed in the network as shown in Figure 4.

Experimental Results and Discussion
In this experiment, we measured the performance under the two scenarios described below to understand the effectiveness of the security provided by the router's built-in protection mechanisms against TCP/SYN based DDoS attacks.

Scenario 1: Under this scenario, there was no Juniper router (and hence no protection mechanism) deployed in the network (Figure 3). Instead, a switch with no built-in security was deployed, and all legitimate and attack traffic was allowed to pass through the switch to the target server. The target server deployed only the default protection mechanism provided by its host-based firewall, and no additional intrusion prevention mechanism to defend against DDoS attacks. Under this scenario, we measured the number of legitimate client connections that could be established with the end server under the attack conditions (Figure 5).

Scenario 2: Another scenario was established as shown in Figure 4, where the Juniper router (instead of a LAN switch) was deployed with its security mechanisms enabled to protect against the DDoS attacks. Under this scenario, we again measured the number of legitimate client connections that could be established with the end server under the same attack conditions.

Based on the comparative results in Figure 5, as the attack load was increased there was a clear difference in the number of legitimate connections established with the server under the two scenarios, i.e. when a switch was deployed without the router's security protection (Scenario 1) and when protection was available at the intermediate system (Scenario 2), with the Juniper router used with its security features enabled.
Counterintuitively, the number of legitimate connections established with the server was found to be higher in Scenario 1, where no security mechanism to stop the attack traffic was deployed. In Scenario 1 there was no router (with its built-in security) checking every connection for being malicious. On the contrary, when the Juniper router was deployed with its security enabled to mitigate cyber attacks, it was found that the router dropped more of the good connections from the clients while it was attempting to stop more attack traffic from reaching the server. In effect, for this network the router became a bottleneck, and more legitimate connections were affected as the attack traffic increased. With the increase in attack traffic, the router with its security checking mechanism appeared to be busier dropping the malicious traffic, which in turn also slowed down the legitimate traffic reaching the server. The collateral damage to the legitimate traffic was very high (Figure 5) when the attack traffic load was high, in this case of a good-faith attempt by the router to protect against the malicious attack traffic.
It was evident that most of the good connection loss was happening at the router when we compare the situation with Scenario 1, where a switch was deployed instead. In Scenario 1, the router was replaced with a 24-port Gigabit switch that had no firewall. This allowed both the legitimate client traffic and the DDoS attack traffic to reach the real target server. It is possible that the server had some built-in prevention mechanism against TCP/SYN based DDoS attacks, as shown in a previous publication [8], which may have helped the target server support more of the legitimate traffic without allowing the attack traffic to do much damage.

Conclusion
Based on the results obtained from the TCP/SYN flood attack experiments that were simulated in this paper, we observed that the extra security and attack prevention mechanism on the Juniper J4350 router was beneficial in preventing the attack, but it also became a bottleneck for network performance in the sense that it slowed down the connection rate for the legitimate traffic as well. Most of the connection slowdown was observed to happen at the Juniper router. This became clear when we replaced the router with a 24-port Gigabit switch that had no attack prevention mechanism, so that most of the defense was limited to the end system, which was running the Microsoft operating system, i.e. "MICROSOFT'S WINDOWS 2012 ENTERPRISE R2" server.
This showed that even though the Juniper router had a built-in attack prevention mechanism, the router itself became a bottleneck due to the excessive resources taken to stop the security attacks, and hence affected the overall legitimate web connections.