
Router Security Tips
Douglas Chick

As the latest Cisco security alert reminds us, many network managers do not realize that their routers can be the jump point for an attack. Router operating systems are just as vulnerable to hacker mischief as network operating systems. Most small to medium-sized companies do not employ router engineers, or they outsource this function on an as-needed basis. Because of this, network administrators and managers either do not know enough to secure the router or do not have the time. Listed below are 10 basic router security tips.

1. Update your router's OS. Just like network operating systems, router operating systems need to be updated to correct programming oversights, flaws, and buffer overflow issues. Always check with your router manufacturer for current updates and OS versions.

2. Change the default password. As much as 80% of security incidents are caused by weak or default passwords (this is according to CERT at Carnegie Mellon University). Avoid using common passwords, and use mixed-case letters as part of a stronger password policy. Here is a link to common passwords used by computer administrators: http://www.thenetworkadministrator.com/passwords.htm

3. Disable HTTP configuration and SNMP. The HTTP configuration interface of your router may be easier for a busy network admin to use, but it is also a security problem for routers. If your router has a command-line configuration, disable the HTTP config mode and use the command line instead. If you are not using SNMP on your router, then there is no need to have it enabled. Cisco has an SNMP vulnerability with GRE tunnel attacks.

4. Block ICMP ping requests. Ping and other ICMP functions are useful tools for both the network admin and the hacker. With ICMP enabled on your router, a hacker can use it to gather information for targeting your network.

5. Disable Telnet use from the Internet. In most cases you do not need an active telnet session from an Internet interface. Access to your router's configuration is more secure if accessed internally. 

6. Disable IP directed broadcast. IP directed broadcast can allow Denial of Service (DoS) attacks on your equipment. A router's memory and CPU can be maxed out from too many requests, which can result in a buffer overflow entry.

7. Disable IP source routing and IP redirects. Redirects allow packets to come in from one interface and leave by another. You don't want engineered packets to redirect to a private internal network. 

8. Packet filtering. Packet filtering passes only the types of packets you want to enter your network. Many companies only allow ports 80 (HTTP) and 110/25 (email). Additionally, you can block or allow individual IP addresses and ranges.

9. Review security logs. By simply taking the time to review your log files you will see obvious patterns of attack, and even vulnerabilities. You will be surprised at how much activity your router is subject to.

10. Unnecessary services. Unnecessary services should always be disabled, whether they are on a router, server, or workstation. By default, Cisco devices up through IOS version 11.3 offer the "small services": echo, chargen, and discard. These services, especially their UDP versions, are infrequently used for legitimate purposes, but can be used to launch denial of service and other attacks that would otherwise be prevented by packet filtering.
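
The Python script below is an added example, not part of the original article and not Cisco code; it checks the text of a saved running-config against tips 3, 5, 6, 7 and 10. The IOS command names it looks for are standard Cisco IOS syntax that the article does not quote, and the rule set, function names and sample configuration are assumptions made for the illustration. Its Telnet rule is stricter than tip 5: it flags Telnet on any line, not only from the Internet.

```python
import re

# Constructed sample running-config (not from the article).
SAMPLE_CONFIG = """\
service udp-small-servers
ip http server
snmp-server community public RO
interface Serial0
 ip directed-broadcast
interface Ethernet0
 no ip redirects
line vty 0 4
 transport input telnet
"""

# (tip number, finding, pattern): FORBIDDEN regexes flag present lines, REQUIRED_* flag absent lines.
FORBIDDEN = [
    (3, "HTTP configuration enabled", r"ip http server\b"),
    (3, "SNMP enabled", r"snmp-server community\b"),
    (5, "Telnet accepted on this line", r"transport input .*\b(telnet|all)\b"),
    (6, "IP directed broadcast enabled", r"ip directed-broadcast\b"),
    (10, "small services enabled", r"service (tcp|udp)-small-servers\b"),
]
REQUIRED_GLOBAL = [(7, "IP source routing not disabled", "no ip source-route")]
REQUIRED_PER_INTERFACE = [(7, "IP redirects not disabled", "no ip redirects")]

def parse_blocks(config):
    """Map each top-level line to its indented children; '' maps to the top-level lines."""
    blocks, current = {"": []}, ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # an unindented line opens a new section
            current = line
            blocks.setdefault(current, [])
        blocks[current if raw[0].isspace() else ""].append(line)
    return blocks

def audit(config):
    """Return sorted (tip, scope, finding) tuples for a running-config string."""
    blocks, findings = parse_blocks(config), []
    for scope, lines in blocks.items():
        findings += [(t, scope or "global", f) for line in lines
                     for t, f, rx in FORBIDDEN if re.match(rx, line)]
        if scope.startswith("interface "):
            findings += [(t, scope, f) for t, f, need in REQUIRED_PER_INTERFACE if need not in lines]
    findings += [(t, "global", f) for t, f, need in REQUIRED_GLOBAL if need not in blocks[""]]
    return sorted(findings)
```

The two "required" rules assume an IOS release where source routing and ICMP redirects are on by default, so only an explicit `no` line in the configuration shows they are off.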

More Help

Cisco's http://www.cisco.com/warp/public/707/21.html

NSA (National Security Agency) http://nsa2.www.conxion.com/cisco/guides/cis-2.pdf

 

 
