The UNIX and Linux Forums  
Posted 10-01-2008 by iBot (Security > IT Security RSS)
The most vulnerable device in the network

During a conversation with some folks last week we wondered what the most vulnerable type of device in our networks is.

The answer from almost everyone at the table was:

Routers...

So we started talking about risks, how to protect a border router, which hardening actions can be taken to improve security, etc. An important point I noticed is that even nowadays many companies do not implement controls to improve router security.

Based on that, I decided to write a few notes on risks and hardening actions that can prevent an attacker from succeeding.

Main Risks

The most obvious risk associated with a compromised or disabled router is that all communications forwarded by that router will be disrupted, but there are others that are less obvious:

  • Use routers to attack internal systems:
Taking control of a router allows attackers to bypass intrusion detection or prevention systems (depending on the network architecture) and use it to gain access to restricted networks without being logged.

  • Use routers to attack external sites:
Using routers to attack other networks allows a malicious person to launch attacks that are very hard to trace.

  • Reroute all traffic entering and leaving the network:
An attacker can use a compromised router to send network traffic along a different path where it can be analyzed or modified.

Some important actions that harden a router and increase security:

  • Implement Access Control
Every person who accesses a router must use their own username and password, and the password must not be easy to guess.
It is also important to enforce password encryption.

  • Implement Authorization Control
Each person should be able to execute only the limited set of commands related to their role.

  • Secure Remote Administration:
Some routers only support remote administration over insecure protocols like Telnet, so it is important to restrict access to them using ACLs.
Other options are to allow only console-port access (not always possible) or to implement an SSH gateway, so that all users must log in to the SSH gateway
and then jump to the router.

  • Configure Warning Banners:
It is important to use banners to state that the IT department monitors all activity.
The banner should be legally sufficient to support prosecution of malicious users, shield administrators from liability, and not leak information.

  • Disable Unnecessary Protocols (if they are not used):
For example ICMP, source routing, Finger, HTTP, Proxy ARP, etc.

  • Improve SNMP Security:
It is important to restrict SNMP access to the router, to use community strings other than the default "public", and to implement authentication.
Many routers are left wide open because of SNMP default configurations.
Try to implement SNMPv3, or at least v2c.

  • NTP
Configure NTP for time synchronization (it's important for log analysis and event correlation).

  • Logging
Deploy an effective logging policy that allows security administrators to monitor events and track down intruders.

  • Deploy an Event Correlation Solution
It is important to use an event correlation solution that helps the SOC/NOC team identify attackers who are trying to compromise a router.
This is a powerful tool because router logs can be cross-referenced with IPS logs, firewall logs and others to identify threats that cannot be identified from a single source.

  • Use restrictive ACLs
To protect the router from unauthorized external access (administration, routing information exchange, monitoring, etc.).

  • Implement Routing Security
Routing protocols like OSPF, BGP, IS-IS, etc. have their own security best practices, so it is important to have them in place for the protocols you use.

  • Deploy IPS Systems
Sometimes you can deploy an IPS in front of a router (there is a lot of controversy about this) with specific signatures to protect the router itself.
If it is possible in your situation and you have the budget for it, why not?

  • Create an Incident Response Plan
Some steps that must be considered when creating a plan:
Determine if the incident is an attack or an accident;
Discover what happened;
Preserve the evidence;
Recover from the incident;
Identify root causes and manage or mitigate them to prevent from happening again.

  • Enforce Physical Security
It is also important to restrict access to the device itself, to prevent physical attacks or accidents (like someone breaking a network interface).
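The access control, remote administration, banner, unnecessary services, SNMP, NTP and logging items above can all be checked against a router's saved configuration. The following script is an added example, not part of the original post: it audits a Cisco IOS-style running configuration for those items. Both configurations below are constructed for the example (the hostname, addresses, credentials and the "$1$PLACEHOLDER$hash" values are made up), and the checks assume IOS command syntax; they are a starting point, not a complete benchmark.

```python
import re

# Constructed Cisco IOS-style configuration showing several weaknesses from the
# post: cleartext credentials, Telnet on the VTY lines, the "public" community,
# HTTP and Finger enabled, and no NTP, remote logging or banner. Made up for
# this example; not taken from any real device.
WEAK_CONFIG = """\
enable password letmein
username admin password 0 admin123
ip http server
ip finger
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
"""

# The same made-up device after the hardening actions. "$1$PLACEHOLDER$hash"
# stands in for a real password hash.
HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$PLACEHOLDER$hash
username admin secret 5 $1$PLACEHOLDER$hash
no ip source-route
no ip http server
no ip finger
ntp server 192.0.2.123
logging host 192.0.2.50
banner login ^C Authorized use only. All activity is monitored and logged. ^C
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
ip access-list standard MGMT
 permit 192.0.2.50
snmp-server group NMS v3 priv
line vty 0 4
 access-class MGMT in
 transport input ssh
"""


def parse_blocks(config):
    """Split an IOS-style config into (header, children) pairs: an indented
    line belongs to the most recent unindented line (interface, line vty...)."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def hardening_findings(config):
    """Return one human-readable finding per hardening item that is not met."""
    blocks = parse_blocks(config)
    top = [hdr for hdr, _ in blocks]
    findings = []

    def has_prefix(prefix):
        return any(h.startswith(prefix) for h in top)

    # Access control: no cleartext credentials in the configuration.
    if "service password-encryption" not in top:
        findings.append("access control: service password-encryption is off")
    if not has_prefix("enable secret"):
        findings.append("access control: enable secret is not set")
    for h in top:
        m = re.match(r"username (\S+) password ", h)
        if m:
            findings.append(f"access control: user {m.group(1)} has a cleartext password line")

    # Unnecessary services. Source routing and proxy ARP are on by default in
    # IOS, so only an explicit "no ..." line counts as disabled.
    if "no ip source-route" not in top:
        findings.append("services: ip source-route is enabled")
    if "ip http server" in top:
        findings.append("services: ip http server is enabled")
    if "ip finger" in top:
        findings.append("services: ip finger is enabled")
    for hdr, children in blocks:
        if hdr.startswith("interface ") and "no ip proxy-arp" not in children:
            findings.append(f"services: proxy ARP enabled on {hdr.split()[1]}")

    # SNMP: default community names and communities not bound to an ACL.
    for h in top:
        m = re.match(r"snmp-server community (\S+) (RO|RW)\s*(.*)", h)
        if m:
            name, mode, acl = m.groups()
            if name.lower() in ("public", "private"):
                findings.append(f"snmp: default community name '{name}' ({mode})")
            if not acl:
                findings.append(f"snmp: community '{name}' has no access-list")

    # Remote administration: no Telnet on VTY lines, and an access-class ACL.
    for hdr, children in blocks:
        if hdr.startswith("line vty"):
            for c in children:
                protos = c.split()[2:] if c.startswith("transport input") else []
                if "telnet" in protos or "all" in protos:
                    findings.append(f"remote admin: {hdr} accepts telnet")
            if not any(c.startswith("access-class") for c in children):
                findings.append(f"remote admin: {hdr} has no access-class ACL")

    # NTP, remote syslog and a warning banner.
    if not has_prefix("ntp server"):
        findings.append("ntp: no ntp server configured")
    if not any(re.match(r"logging (host )?\d+\.", h) for h in top):
        findings.append("logging: no remote syslog host configured")
    if not has_prefix("banner "):
        findings.append("banner: no warning banner configured")
    return findings
```

Running `hardening_findings(WEAK_CONFIG)` returns fourteen findings covering every item above, while the hardened configuration returns none. Authorization control (per-user command sets) and routing-protocol authentication are not checked here because their syntax varies too much between platforms to express as simple string rules.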

Conclusion

A router is a very important device (if not the most important one), and many companies do not put appropriate controls in place. Administrators should be aware that if they do not change this situation quickly, sooner or later they will have to deal with a compromised router.
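The Logging and Event Correlation items above argue that cross-referencing router logs with firewall and other logs finds threats a single source cannot. The following script is an added example, not part of the original post, showing that idea on a handful of constructed syslog lines: the router messages follow the Cisco IOS %SEC_LOGIN and %SNMP-3-AUTHFAIL formats and the firewall lines follow an iptables-style DROP format, but the hosts "border-rtr" and "fw1", the addresses and the timestamps are all made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (made up for this example). One external address
# probes the firewall, fails an SNMP request and then fails two SSH logins,
# which stays below a plain per-source threshold; an internal admin mistypes
# a password once and then logs in.
SAMPLE_LOGS = [
    "Oct  1 09:58:10 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP DPT=23",
    "Oct  1 09:58:11 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.1 PROTO=UDP DPT=161",
    "Oct  1 09:59:02 border-rtr 101: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.7",
    "Oct  1 10:00:01 border-rtr 102: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]",
    "Oct  1 10:00:04 border-rtr 103: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]",
    "Oct  1 10:02:30 border-rtr 104: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.50] [localport: 22] [Reason: Login Authentication Failed]",
    "Oct  1 10:02:41 border-rtr 105: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.0.2.50] [localport: 22]",
]

# Syslog prefix shared by every line: timestamp and originating host.
TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
PATTERNS = {
    "fw_drop": re.compile(TS + r"kernel: DROP .*SRC=(?P<src>[\d.]+) .*DPT=(?P<port>\d+)"),
    "snmp_authfail": re.compile(TS + r".*%SNMP-3-AUTHFAIL: .*from host (?P<src>[\d.]+)"),
    "login_failed": re.compile(TS + r".*%SEC_LOGIN-4-LOGIN_FAILED: .*\[Source: (?P<src>[\d.]+)\]"),
    "login_success": re.compile(TS + r".*%SEC_LOGIN-5-LOGIN_SUCCESS: .*\[Source: (?P<src>[\d.]+)\]"),
}
MGMT_PORTS = {"22", "23", "161"}  # SSH, Telnet, SNMP


def parse_line(line):
    """Turn one syslog line into an event dict, or None if it is not of interest."""
    for kind, pat in PATTERNS.items():
        m = pat.match(line)
        if m:
            ev = m.groupdict()
            ev["kind"] = kind
            # Syslog timestamps carry no year; the default year is fine for
            # ordering events within a day.
            ev["ts"] = datetime.strptime(" ".join(ev["ts"].split()), "%b %d %H:%M:%S")
            return ev
    return None


def correlate(lines, fail_threshold=3, window=timedelta(minutes=10)):
    """Group events by source address and apply two rules:
    - single-source: at least fail_threshold router login failures inside window;
    - cross-source: fewer failures, but the same address also appears in
      firewall drops to management ports or SNMP authentication failures."""
    by_src = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_src[ev["src"]].append(ev)

    alerts = []
    for src, evs in sorted(by_src.items()):
        kinds = sorted({e["kind"] for e in evs})
        fails = sorted(e["ts"] for e in evs if e["kind"] == "login_failed")
        burst = any(fails[i + fail_threshold - 1] - fails[i] <= window
                    for i in range(len(fails) - fail_threshold + 1))
        recon = [e for e in evs if e["kind"] == "snmp_authfail"
                 or (e["kind"] == "fw_drop" and e["port"] in MGMT_PORTS)]
        if burst:
            alerts.append({"src": src, "rule": "single-source", "evidence": kinds})
        elif fails and recon:
            alerts.append({"src": src, "rule": "cross-source", "evidence": kinds})
    return alerts
```

On the sample above, `correlate(SAMPLE_LOGS)` flags 203.0.113.7 under the cross-source rule only: its two login failures never reach the threshold, so the router log alone would be silent, while the firewall drops and the SNMP failure from the same address make the picture clear. The internal address with one typo followed by a successful login produces no alert.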