Network segregation is a common security technique to prevent security issues in one network affecting another. When looking at how information can be moved or shared between such networks the concept of routable protocols, and the opposite non-routable protocols are often used. We also see the term routable / non-routable networks. They are not the same thing, let’s explain…
The term “routable protocol” is used when the protocol contains the address of the target system, for example UDP and TCP/IP. According to PC Magazine a non-routable protocol is
A communications protocol that contains only a device address and not a network address. It does not incorporate an addressing scheme for sending data from one network to another.
An example of a non-routable protocol is NetBIOS. Put another way the protocol does not make sense outside of the local area network. So this is fundamentally about the protocol, and whether routing is an inherent capability of the protocol.
When considering routable protocols, we then have two classes of the network: routable and non-routable networks.
Just because you have a routable protocol, it does not mean any address is routable. It all depends upon how the networks are connected. When using IP as a routable protocol, typically you are connecting to the Internet. Internet IP addresses are global in nature, and your end user device is able to access the Internet via the router. The router directs your traffic toward the relevant server.
The term non routable just means exactly that; that IP packets cannot be directed from one network to another. This could be because your router is not configured with the information it needs to perform this operation, or because you are trying to access a private network.
There are certain address spaces in IPv4 and IPv6 that are reserved for internal networks. For example, the IP address range you most likely use at home starts 192.168… or 172.16… These are, by definition, non-routable networks, even in using routable protocols. An external router will not know how to find your network if these addresses are published.
From a security perspective we can use these facts. We can hide our network in private network space, preventing direct IP connections. If we wish these machines to have access to a wider network we need to introduce routers, gateways or proxies to our network – all of these are different ways we can interconnect networks, and exert some form of control over the traffic that passes over these networks.
Using a non-routable network alone is not great for security, as there are many ways to subvert the controls, but it is a small part of an overall system design.
Why is this important?
The article “IoT / IoE: If It Has an IP Address, It Can Be Hacked” observes the following when referring to the Internet of Things (IoT).
While I agree that connectivity is great and adds a lot of value/interoperability / functionality features, there is an oftentimes underestimated risk in putting the whole world (well, the whole internet) directly in front of any system or device and even connect to it by giving it a routable IP address.”
This is an important observation when designing an IoT system – if everything is routable then you need to take very careful security precautions.
Techniques like network segregation can help ensure your network is non-routable, and thus become a part of a defence in depth security strategy. A common network segregation approach is to use a Data Diode – to ensure only a one way flow of data. Data Diodes come in two forms – routable and non-routable.
The Nexor Data Diode is non routable. In most common configurations it is not possible to route IP packets directly to the Nexor Data Diode itself, and thus not possible to direct IP packets through the diode from a remote server – only the diode proxy can do that, only the diode proxy has the capability to route to the diode. This removes the possibility of IP based attacks on the downstream side of the diode (Protocol break is a closely linked topic to this point). Some other diodes and pseudo-diodes are routable, thus enabling a channel of attack on the downstream servers.
These are very subtle points, but critical points when defending against the most determined adversaries. Is your diode solution routable?