
The most vulnerable device in the network


 
Posted 10-01-2008

During a conversation with some folks last week we wondered what the most vulnerable
type of device in our networks is.

The answer from almost everyone at the table was:

Routers...

So we started talking about risks: how to protect a border router, which hardening actions can be taken to improve security, etc. An important point I noticed is that even nowadays many companies do not implement controls to improve router security.

Based on that, I decided to write a few notes on the risks and on the hardening actions that can prevent an attacker from being successful.

Main Risks

The most obvious risk associated with a compromised or disabled router is that all communication
forwarded by that router is disrupted, but there are others that are not so obvious:

  • Use routers to attack internal systems:
Taking control of a router allows attackers to bypass intrusion detection or prevention systems (depending on the network architecture) and to use it to gain access to restricted networks without being logged.

  • Use routers to attack external sites:
Using routers to attack other networks lets a malicious person launch attacks that are very hard to trace.

  • Reroute all traffic entering and leaving the network:
An attacker can use a compromised router to reroute network traffic onto a different path where it can be analyzed or modified.

Some important actions that can harden a router and increase security:

  • Implement Access Control
Every person who accesses a router must use their own username and password, and the password must not be easy to guess.
It is also important to enforce password encryption.

  • Implement Authorization Control
Every person should be able to execute only the limited set of commands related to their role.

  • Secure Remote Administration:
Some routers only allow remote administration over insecure protocols like Telnet, so it is important to restrict it using ACLs.
Other options are to allow only the console port (not always possible) or to implement an SSH gateway, so that all users must log in to the SSH gateway
and then jump to the router.

  • Configure Warning Banners:
It is important to use banners to state that the IT department monitors all activity performed on the device.
The banner should be legally sufficient to support prosecution of malicious users, shield administrators from liability, and not leak information.

  • Disable Unnecessary Protocols (if they are not used):
For example ICMP, source routing, finger, HTTP, proxy ARP, etc.

  • Improve SNMP Security:
It is important to restrict SNMP access to the router, to use communities other than the default "public", and to implement password protection.
Many routers are wide open simply because of SNMP default configurations.
Try to implement SNMPv3, or at least v2c.

  • NTP
Configure NTP for time synchronization (it is important for log analysis and event correlation).

  • Logging
Deploy an effective logging policy that allows security administrators to monitor events and track down intruders.

  • Deploy an Event Correlation Solution
It is important to use an event correlation solution that helps the SOC/NOC team identify attackers who are trying to compromise a router.
This is a powerful tool because router logs can be cross-referenced with IPS logs, firewall logs and others to identify threats that cannot be identified from a single source.

  • Use Restrictive ACLs
To protect the router from unauthorized external access (administration, routing information exchange, monitoring, etc.).

  • Implement Routing Security
Routing protocols like OSPF, BGP, IS-IS, etc. have their own security best practices, so it is important to have them in place if you use those protocols.

  • Deploy IPS Systems
Sometimes you can deploy an IPS in front of a router (there is a lot of controversy about this) with specific signatures to protect the router itself.
If it is possible in your situation and you have the budget for it, why not?

  • Create an Incident Response Plan
Some steps that must be considered when creating a plan:
Determine whether the incident is an attack or an accident;
Discover what happened;
Preserve the evidence;
Recover from the incident;
Identify root causes and manage or mitigate them to prevent it from happening again.

  • Enforce Physical Security
It is also important to restrict access to the device itself to prevent physical attacks or accidents (like someone breaking a network interface).
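The configuration-level items in the list above (password encryption, SSH-only management with an ACL, non-default SNMP communities bound to an ACL, disabled source routing / finger / HTTP / proxy ARP, a login banner, NTP and remote logging) can be checked mechanically against a saved running-config. The script below is an added example, not code from the original post; it assumes Cisco IOS-style syntax, and both configs embedded in it are constructed for illustration rather than taken from real devices.

```python
"""Audit a Cisco IOS-style running-config against the hardening items in the post.
Added example, not the post's own code; both configs are constructed, not from real devices."""
import re

# Constructed weak config showing several of the gaps the post warns about.
WEAK_CONFIG = """\
enable password cisco123
username admin password 0 admin
ip finger
ip http server
snmp-server community public RO
snmp-server community private RW
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed hardened version of the same device (hash values are placeholders).
HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$abcd$placeholderhash
username admin secret 5 $1$abcd$placeholderhash
no ip source-route
no ip finger
no ip http server
access-list 10 permit 10.10.10.0 0.0.0.255
snmp-server community S3cur3Str1ng RO 10
banner login ^C Authorized access only. All activity is monitored and logged. ^C
ntp server 10.10.10.5
logging host 10.10.10.6
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
"""

def parse_config(text):
    """Return (top_level_lines, {parent_line: [indented child lines]})."""
    top, blocks, parent = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and parent is not None:
            blocks[parent].append(raw.strip())
        else:
            parent = raw.strip()
            top.append(parent)
            blocks[parent] = []
    return top, blocks

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    top, blocks = parse_config(text)
    g, f = set(top), []
    # Access control: encrypted passwords, 'enable secret', no cleartext user passwords
    if "service password-encryption" not in g:
        f.append("service password-encryption is not enabled")
    if not any(l.startswith("enable secret ") for l in g):
        f.append("no 'enable secret' (an 'enable password' is reversible)")
    for l in top:
        m = re.match(r"username (\S+) password ", l)
        if m:
            f.append(f"username {m.group(1)}: cleartext 'password' keyword (use 'secret')")
    # Remote administration: SSH only on vty lines, sources restricted by an ACL
    for parent, children in blocks.items():
        if parent.startswith("line vty"):
            if [c for c in children if c.startswith("transport input")] != ["transport input ssh"]:
                f.append(f"{parent}: transport input is not restricted to ssh")
            if not any(c.startswith("access-class ") for c in children):
                f.append(f"{parent}: no access-class ACL on management sources")
    # SNMP: no well-known community strings, every community bound to an ACL
    for l in top:
        m = re.match(r"snmp-server community (\S+) (?:RO|RW)(?: (\S+))?$", l)
        if m:
            community, acl = m.groups()
            if community.lower() in ("public", "private"):
                f.append(f"SNMP community '{community}' is a well-known default")
            if acl is None:
                f.append(f"SNMP community '{community}' is not bound to an ACL")
    # Unnecessary services. Source routing and proxy ARP are on by default and only
    # appear in the config as 'no ...' once disabled; finger and HTTP appear when on.
    if "no ip source-route" not in g:
        f.append("IP source routing not disabled (add 'no ip source-route')")
    for svc in ("ip finger", "ip http server"):
        if svc in g:
            f.append(f"{svc} is enabled (add 'no {svc}')")
    for parent, children in blocks.items():
        if parent.startswith("interface ") and "no ip proxy-arp" not in children:
            f.append(f"{parent}: proxy ARP not disabled")
    # Warning banner, time source and remote logging
    if not any(l.startswith("banner login ") for l in g):
        f.append("no login banner configured")
    if not any(l.startswith("ntp server ") for l in g):
        f.append("no NTP server (timestamps will not correlate across devices)")
    if not any(re.match(r"logging (host |\d)", l) for l in g):
        f.append("no remote syslog host configured")
    return f
```

`audit(WEAK_CONFIG)` returns 16 findings (Telnet on the vty lines, both default SNMP communities without an ACL, cleartext passwords, missing banner, NTP and syslog, and the default-on services), while `audit(HARDENED_CONFIG)` returns an empty list. Note the asymmetry in the service checks: IOS only records source routing and proxy ARP in the config once they have been turned off, so an audit has to look for the `no ...` line rather than for the service itself.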

Conclusion

A router is a very important device (if not the most important one), and many companies do not put appropriate controls in place. Administrators must be aware that if they do not change this scenario quickly, sooner or later they will have to deal with a compromised router.
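The Logging, Event Correlation and Incident Response items above argue that some attacks are only visible when router logs are combined. The script below makes that concrete: a source that tries one or two passwords per router never trips a per-device threshold, but counting failures per source across all routers, and flagging a success that follows such a burst, catches it. This is an added example, not code from the original post; the log lines are constructed in the Cisco IOS `%SEC_LOGIN` message format, with a relay-style timestamp and sending-router prefix, and use documentation-range addresses.

```python
"""Correlate router login events across devices, as the Logging / Event Correlation
items above describe. Added example, not code from the original post; the log lines
are constructed in the Cisco IOS %SEC_LOGIN format with documentation-range addresses."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the syslog relay prefixes each message with its timestamp and
# the sending router. One source tries one or two guesses per router, then gets in.
SAMPLE_LOGS = """\
2008-10-01T10:00:01 10.1.1.1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
2008-10-01T10:00:04 10.1.1.2 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
2008-10-01T10:00:09 10.1.1.3 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
2008-10-01T10:00:15 10.1.1.3 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 203.0.113.7] [localport: 22]
2008-10-01T10:30:00 10.1.1.1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netops] [Source: 10.10.10.20] [localport: 22] [Reason: Login Authentication Failed]
2008-10-01T10:30:20 10.1.1.1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.10.20] [localport: 22]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) %SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS): "
    r".*?\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"
)

def parse(text):
    """Return login events as dicts sorted by time; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def per_device_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Single-source rule: N failures from one address against ONE router."""
    alerts, fails = [], defaultdict(list)  # (device, src) -> failure times
    for e in events:
        if e["event"] != "LOGIN_FAILED":
            continue
        key = (e["device"], e["src"])
        fails[key] = [t for t in fails[key] if e["ts"] - t <= window] + [e["ts"]]
        if len(fails[key]) == threshold:
            alerts.append(f"BRUTE-FORCE {e['src']} -> {e['device']}: {threshold} failures")
    return alerts

def correlated_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Cross-device rule: failures from one address are counted over ALL routers,
    and a success that follows such a burst is flagged as a probably guessed password."""
    alerts, fails = [], defaultdict(list)  # src -> [(time, device)]
    for e in events:
        src = e["src"]
        fails[src] = [(t, d) for t, d in fails[src] if e["ts"] - t <= window]
        if e["event"] == "LOGIN_FAILED":
            fails[src].append((e["ts"], e["device"]))
            devices = sorted({d for _, d in fails[src]})
            if len(fails[src]) == threshold and len(devices) >= 2:
                alerts.append(f"SWEEP {src}: {threshold} failures across {devices}")
        else:  # LOGIN_SUCCESS
            if len(fails[src]) >= 2:
                alerts.append(f"GUESSED {src}: user {e['user']} logged in to {e['device']} "
                              f"after {len(fails[src])} failures")
            fails[src] = []  # a success ends the guessing sequence
    return alerts

if __name__ == "__main__":
    events = parse(SAMPLE_LOGS)
    print("per-device rule :", per_device_alerts(events))
    print("correlated rule :", correlated_alerts(events))
```

On the sample, `per_device_alerts` returns nothing, while `correlated_alerts` produces a SWEEP alert for 203.0.113.7 once its third failure lands on a third router and a GUESSED alert when the following success for user `cisco` arrives; the single typo by `netops` from the management network produces no alert under either rule. The two rules are deliberately complementary: three failures against one router trip the first, three spread across routers trip the second. Feeding the same correlator firewall and IPS events keyed on the same source address is the natural next step the post describes.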

