Archive for July 13th, 2014
router security: Enterprise (basics)

When conducting security assessments I have noticed that many organizations neglect one of the most important parts of network security: they neglect the actual network devices.

It's understandable.  The switches and routers are invisible to users and to most system administrators.  As long as the network works, no one questions it.  Not securing network devices physically, technically and administratively puts the confidentiality, availability and integrity of the entire network at risk.

Physical Router Security

router security rack

If someone has physical access to the router, they can break into it and change the password, or simply erase the configuration to cause a denial of service, so the first step is physical security of the router.  It should be literally locked up so that only essential personnel have physical access to it.  Essential personnel does NOT mean anyone with an admin account, or even anyone with an account on the router.  It should ONLY be your network engineers, the person(s) you call when the network is completely down.

The router should be in a room with limited physical access, and in a cage or locked rack with further restrictions on physical access.  Remember how important that router is: ALL data goes through it.  Your data depends on that router's functionality, so protect it accordingly.

Technical Router Security

Basic router security for the enterprise is actually not hard.  The hard part is getting the organization to accept that it's necessary.  The reason it's easy is that the router already ships with the security features; they just have to be turned on.

router planes from NSA Router Configuration Security Guide (2005)

A router has three main planes (aka domains): the Management, Control and Data planes, and each plane can be secured separately.

Management plane – administration and configuration of the router.  Remote management is inevitable in an enterprise environment:

  • use secure protocols like SSH and avoid telnet
  • restrict remote management access to a few machines
  • set session timeouts
  • use login banners

Control plane – routing table updates, neighbor relationships and the other dynamic operations happening in the background:

  • password protect enable mode and the console
  • turn on audit logging

Data plane (aka forwarding plane) – handles packets transiting the router between networks.

  • disable all non-essential services (e.g. no HTTP if it is not necessary, no SNMP if it is not used)
  • shut down ports that are not used

There are many more advanced things that can be done (and should be done depending on the

Basic router security setup on a Cisco IOS router (commands from Cisco.com):

HOSTNAME

  1. Router>enable
  2. Router#configure terminal
  3. Router(config)#hostname router_security_enterprise

 USERS

  1. router_security_enterprise(config)#service password-encryption
  2. router_security_enterprise(config)#enable secret PASSWORD
  3. router_security_enterprise(config)#username USER privilege 15 secret PASSWORD

 SSH

  1. router_security_enterprise(config)#ip domain-name your.domainname
  2. router_security_enterprise(config)#crypto key generate rsa modulus 2048
  3. router_security_enterprise(config)#ip ssh version 2
  4. router_security_enterprise(config)#ip ssh authentication-retries 3
  5. router_security_enterprise(config)#ip ssh time-out 120

 HTTPS

  1. router_security_enterprise(config)#ip http authentication local
  2. router_security_enterprise(config)#no ip http server
  3. router_security_enterprise(config)#ip http secure-server

 LINE VTY

  1. router_security_enterprise(config)#line vty 0 4
  2. router_security_enterprise(config-line)#login local
  3. router_security_enterprise(config-line)#transport input ssh
  4. router_security_enterprise(config-line)#exec-timeout 3
  5. router_security_enterprise(config-line)#exit

 LINE CONSOLE

  1. router_security_enterprise(config)#line console 0
  2. router_security_enterprise(config-line)#login local
  3. router_security_enterprise(config-line)#exec-timeout 3

 BANNERS

  1. router_security_enterprise(config)#banner login # MESSAGE #
  2. router_security_enterprise(config)#banner exec # MESSAGE #

 ACCESS LOG

  1. router_security_enterprise(config)#login block-for 10 attempts 3 within 20
  2. router_security_enterprise(config)#login delay 10
  3. router_security_enterprise(config)#login on-failure log
  4. router_security_enterprise(config)#login on-success log

 ACL + ACCESS LOG

  1. router_security_enterprise(config)#ip access-list standard SSH-ADMIN
  2. router_security_enterprise(config-std-nacl)#remark Admin Management ACL
  3. router_security_enterprise(config-std-nacl)#permit X.X.X.X log
  4. router_security_enterprise(config-std-nacl)#exit
  5. router_security_enterprise(config)#login quiet-mode access-class SSH-ADMIN
  6. router_security_enterprise(config)#line vty 0 4
  7. router_security_enterprise(config-line)#access-class SSH-ADMIN in
  8. router_security_enterprise(config-line)#exit

 VERIFY

  1. router_security_enterprise#show running-config
  2. router_security_enterprise#show login
  3. router_security_enterprise#show login failures
  4. router_security_enterprise#show access-lists
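
The three-plane checklist and the Cisco walkthrough above describe what to verify, but on a fleet of routers you want to check it mechanically against a saved running-config rather than by eye.  Below is an added example (my own code, not from the original post or from Cisco) that parses `show running-config` output and reports each deviation from that baseline: `secret` instead of `password` credentials, SSH-only VTYs behind an inbound access-class, exec timeouts, login throttling and logging, a login banner, no cleartext HTTP server and no default SNMP community.  Both configs embedded in it are constructed samples: the "weak" one has the common mistakes, the "hardened" one mirrors the commands above.  It also walks every `line vty` range, since many platforms have `vty 5 15` in addition to the `0 4` the walkthrough configures, and a second range left at defaults undoes the first.

```python
"""Audit a Cisco IOS running-config against the baseline above: 'secret' credentials,
SSH-only VTYs behind an access-class, idle timeouts, login throttling and logging, a
banner, no cleartext HTTP, no default SNMP strings.  Added example, not code from the
original post or from Cisco; both embedded configs are constructed samples."""
import re

WEAK_CONFIG = """\
enable password cisco123
username admin privilege 15 password cisco123
ip http server
snmp-server community public RO
line con 0
 exec-timeout 3 0
 login local
line vty 0 4
 access-class SSH-ADMIN in
 exec-timeout 0 0
 login local
 transport input ssh telnet
line vty 5 15
 login local
 transport input telnet
"""

HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$salt$constructedhash
username admin privilege 15 secret 5 $1$salt$constructedhash
ip ssh version 2
no ip http server
ip http secure-server
banner login ^C Authorized use only ^C
login block-for 10 attempts 3 within 20
login on-failure log
login on-success log
line vty 0 15
 access-class SSH-ADMIN in
 exec-timeout 3 0
 login local
 transport input ssh
"""

REQUIRED = (  # (prefix of a global line that must be present, finding if it is absent)
    ("enable secret", "enable mode not protected by 'enable secret'"),
    ("service password-encryption", "'service password-encryption' is off"),
    ("ip ssh version 2", "SSH not pinned to version 2"),
    ("banner login", "no login banner"),
    ("login block-for", "no 'login block-for' brute-force throttling"),
    ("login on-failure log", "failed logins are not logged"),
    ("login on-success log", "successful logins are not logged"),
)

def parse_config(text: str) -> tuple[list[str], dict[str, list[str]]]:
    """Split an IOS config into global lines and {section header: children};
    IOS indents a section's children by one space and uses '!' as a separator."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks[current] = []
    return top, blocks

def audit(text: str) -> list[str]:
    """Return one finding per deviation from the baseline; an empty list means compliant."""
    top, blocks = parse_config(text)
    has = lambda prefix: any(line.startswith(prefix) for line in top)
    f = [f"global: {msg}" for prefix, msg in REQUIRED if not has(prefix)]
    if has("ip http server"):  # 'ip http secure-server' does not share this prefix
        f.append("global: cleartext HTTP management enabled")
    for line in top:
        # 'username ... password' is type 0/7 (reversible); 'secret' is a salted hash
        if re.match(r"username \S+ .*\bpassword\b", line):
            f.append(f"global: user '{line.split()[1]}' has a reversible password")
        if line.startswith("snmp-server community") and line.split()[2:3] in (["public"], ["private"]):
            f.append(f"global: default SNMP community '{line.split()[2]}' configured")
    for header, kids in blocks.items():
        if header.startswith("line "):
            if not any(k.startswith("login") for k in kids):
                f.append(f"{header}: no 'login local'")
            timeout = next((k for k in kids if k.startswith("exec-timeout")), None)
            if timeout is None:
                f.append(f"{header}: exec-timeout left at the 10 minute default")
            elif timeout.split()[1:3] == ["0", "0"]:
                f.append(f"{header}: 'exec-timeout 0 0' disables idle logout")
        if header.startswith("line vty"):  # check every VTY range, not only 0 4
            transport = next((k for k in kids if k.startswith("transport input")), "transport input default")
            if set(transport.split()[2:]) != {"ssh"}:
                f.append(f"{header}: '{transport}' is not SSH-only")
            if not any(k.startswith("access-class") and k.endswith(" in") for k in kids):
                f.append(f"{header}: no inbound access-class limiting management hosts")
    return f

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s)", *audit(cfg), sep="\n  - ")
```

Run it against configs pulled over SSH (or against the configuration backups the administrative section calls for) and treat any non-empty finding list as drift from the baseline.  Two things it cannot see: the RSA key size is not part of the running-config, so the 2048-bit modulus has to be confirmed on the device, and a real multi-line banner is stored with the message on unindented lines, which the parser treats as harmless extra global lines.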

Administrative Router Security

Probably the most overlooked part of router security is documentation.  A lack of up-to-date documentation of the architecture and addressing scheme is a security concern.  Without proper documentation of the network there is no continuity when the people who built it leave.

Back up and contingency plans should be documented.

Contingency planning also should consider network-connecting devices, such as hubs, switches, routers, and bridges. The BIA should characterize the roles that each device serves in the network, and a contingency solution should be developed for each device based on its BIA criticality. As an example of a contingency strategy for network-connecting devices, redundant intelligent network routers may be installed in a network, enabling a router to assume the full traffic workload if the other router failed. — NIST Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems

Backups of the router configurations and firmware, and the location of redundant spares, should also be documented and protected.  Additionally, audits and testing should be conducted by outside or internal units and then reported and documented.

There is a lot more to the physical, technical and administrative protection of routers and switches.  Switches have features like port security, 802.1X, VLANs and a lot of other things that span a volume of books.  We also did not even mention routing protocol security, which is a book unto itself.

Here are some good references on router configuration:

  • http://www.us-cert.gov/sites/default/files/publications/HomeRouterSecurity2011.pdf
  • http://www.nsa.gov/ia/_files/routers/c4-040r-02.pdf
  • http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
  • http://iase.disa.mil/stigs/net_perimeter/network_infra/routers_switches.html