The most vulnerable device in the network
During a conversation with some folks last week we wondered what the most vulnerable device in a network is today.
The answer of almost everyone at the table was:
So we started talking about risks, how to protect a border router, which hardening actions can be taken to improve security, etc. An important point I noticed is that even nowadays many companies do not implement controls to improve router security.
Based on that I decided to write a few notes on risks and on hardening actions that can prevent an attacker from being successful.
The most obvious risk associated with a compromised or disabled router is that all communications forwarded by that router are disrupted, but there are other risks that are not so obvious:
Taking control of routers allows attackers to bypass intrusion detection or prevention systems (depending on the network architecture) and to use the router to gain access to restricted networks without being logged.
Using routers to attack other networks allows a malicious person to launch attacks that are very hard to trace.
An attacker can use a compromised router to reroute network traffic along a different path so that it can be analyzed or modified.
Some important actions that can harden a router and increase security:
Every person who accesses a router must use their own username/password, and the password must not be easy to guess. It is also important to enforce password encryption.
Every person shall be able to execute only a limited set of commands related to their activity.
Some routers allow remote administration only over insecure protocols like Telnet, so it is important to restrict it using ACLs. Other options are to allow only the console port (not always possible) or to implement an SSH gateway, so that all users must log in to the SSH gateway and then jump to the router.
It is important to use banners to show that the IT department monitors all activities executed. The banner shall be legally sufficient for prosecution of malicious users, shield administrators from liability and not leak information.
Disable services that are not needed, like ICMP, Source Routing, Finger, HTTP, Proxy ARP, etc.
It is important to restrict SNMP access to the router, to use communities other than "public" and to implement password protection. Many routers are exposed simply because of SNMP default configurations. Try to implement SNMPv3 or at least v2c.
Configure NTP for time synchronization (it is important for log analysis and event correlation).
Deploy an effective logging policy that allows security administrators to monitor events and track down intruders.
It is important to use an event correlation solution that helps the SOC/NOC team identify attackers who are trying to compromise a router. This is a powerful tool because router logs can be cross-referenced with IPS logs, firewall logs and others to identify threats that cannot be identified from a single source.
Protect the router from unauthorized external access (administration, routing information exchange, monitoring, etc.).
Routing protocols like OSPF, BGP, IS-IS, etc. have their own security best practices, so it is important to have them in place if you use them.
Sometimes you can deploy an IPS in front of a router (there is a lot of controversy about this) with specific signatures to protect the router itself. If your situation allows it and you have the budget, why not?
Some steps that must be considered when creating an incident handling plan: determine whether the incident is an attack or an accident; discover what happened; preserve the evidence; recover from the incident; identify root causes and manage or mitigate them to prevent the incident from happening again.
It is also important to restrict access to the device itself to prevent physical attacks or accidents (like someone breaking a network interface).
A router is a very important device (if not the most important one), and many companies do not put appropriate controls in place. Administrators must be aware that if they do not change this scenario quickly, sooner or later they will have to deal with a compromised router.