During a conversation with some folks last week we wondered about what is the most vulnerable device in a network today.
The answer of almost everyone in the table was:
Routers...
So we start talking about risks, how to protect a border router, which hardening actions can be taken in order to improve security, etc. A important point that I noticed is that event nowadays many companies does not implement controls to improve routers security.
Based on it I decided to write a few notes mentioning risks and hardening actions that can prevent a attacker to be successful.
Main Risks
The most obvious risk associate with a compromised or disabled router is that all communications that are forwarded by this router will be disabled but there are others not so obvious:
- Use routers to attack internal systems:
Taking control of routers allows attackers to bypass intrusion detection or prevention systems (depending on network architecture), use it to gain access to restricted networks avoiding to be logged.
- Use routers to attack external sites:
Using routers to attack other networks allows a malicious person to initiate attacks very hard to be traced.
- Reroute all traffic entering and leaving the network:
An attacker is able to use a compromised router to reroute network traffic to a different path to be analyzed or modified.
Some important actions that can harder a router and increase security:
- Implement Access Control
Every person that access a router must use his own user/pass and the pass cannot be easy to guess.
Also is important to enforce password encryption.
- Implement Authorization Control
Every person shall execute only a limited set of commands related with his activity
- Secure Remote Administration:
Some router allows only remote communication based on insecure protocols like Telnet so it's important to restrict it using ACL's.
Other actions is to allow only console port (not always possible) or to implement a SSH gateway so all users must log in into the SSH gateway
and then jump to the router.
- Configure Warning Banners:
It's important to use banners in order to show that the IT department monitors all activities execute.
This banner shall be legally sufficient for prosecution of malicious users, to shield administrators from liability and not leak information.
- Disable Unnecessary protocols (if they're not used):
Like ICMP, Source Routing, Finger, HTTP, Proxy ARP, etc...
- Improve SNMP Security:
It's important to restricted SNMP access to the router and to use non "public" communities and also is important to implement password protection.
Many routers are just opened due to SNMP default configurations.
Try to implement SNMPv3 or at least v2c
- NTP
Configure NTP for time synchronization (it's important for log analysis and event correlation).
- Logging
Deploy an effective logging police that allows security administrators to monitor events and track down intruders.
- Deploy an Event Correlation Solution
It's important to use a event correlation solution that helps the SOC/NOC team to identify attackers that are trying to compromise a router.
This is a powerful tool because it's possible to cross routers logs with IPS's logs, FW 's logs and others to identify threats that can't be identified using only a single source.
- Use restrictive ACL'S
To protect the router from non allowed external access (administration, routing exchange info, monitoring, etc).
- Implement Routing Security
Routing protocols like OSPF, BGP, IS-IS. etc has their own security best practices so it's important to have it in place if you use it.
- Deploy IPS Systems
Sometimes you can deploy a IPS in front of a router (a lot of controversial about it) with specific signatures to protect the router itself.
If it's a situation where is possible to do it and you have the budget to do it, why not?
- Create a Incident Response Plan
Some steps that must be considered when creating a plan:
Determine if the incident is an attacker or an accident;
Discover what happened;
Preserve the evidence;
Recover from the incident;
Identify root causes and manage or mitigate them to prevent from happening again.
- Enforce Physical Security
It's important also to restricted access to the device itself to prevent physical attacks or accidents (like someone broking a network interface).
Conclusion
A router is a very important device (if not the most important one) and many companies does not put in place appropriated controls. It's important for administrators to be aware that if they do not change this scenario quickly, soon or later they'll have to face themselves with a compromised router.
Hi Alexandre,
Not sure I can agree with you that routers are the "most vulnerable device in the network", unless you define "network" as "the routing infrastructure."
When I scan the Internet for various "top 10 lists" of vulnerabilities, exploits to routers do not appear in any lists I can find. Most of the vulnerabilities listed are computer vulnerabilities.
Therefore, unless you are defining "the network" to be "only the network devices" and not "the end user computers" then I respectfully disagree with you on this point.
I would say that it is possible that routers are amoung the "highest risk" devices in the network, where "risk" is defined as the intersection of "threat", "vulnerability" and "criticality".
Yours sincerely, Tim
Posted by: Tim Bass | 01 October 2008 at 11:13 PM
Hi Tim
I agree with you.
Sure I'm talking about routing infrastructures. End user desktops are a different reality.
And you're right when you said that there aren't many exploits for routers but my main point is that you don't need exploits to compromise a router, you just need to found a misconfigured one and the Internet in plenty of them.
Regards
Posted by: Alexandre Cezar | 02 October 2008 at 05:55 PM
Do "people" count as "devices", I wonder ?
Posted by: Gary Hinson | 03 October 2008 at 08:49 PM