Router Security Tips
Douglas Chick
Reminded by the latest Cisco security alert: many network managers do not realize that their routers can be the jump point for an attack. Router operating systems are just as vulnerable to hacker mischief as network operating systems. Most small to medium-sized companies do not employ router engineers, or they outsource this function on a need-to-do basis. Because of this, network administrators and managers either do not know enough to secure the router or do not have the time. Listed below are 10 basic router security tips.
1. Update your router's OS. Just like network operating systems, router operating systems need to be updated to correct programming oversights, flaws, and buffer overflow issues. Always check with your router manufacturer for current updates and OS versions.
2. Change the default password. As many as 80% of security incidents are caused by weak or default passwords (according to CERT at Carnegie Mellon University). Avoid using common passwords, and use mixed-case letters as part of a stronger password policy. Here is a link to common passwords used by computer administrators: http://www.thenetworkadministrator.com/passwords.htm
3. Disable HTTP configuration and SNMP. The HTTP configuration interface of your router may be easier for a busy network admin to use, but it is also a security problem for routers. If your router has a command-line configuration, disable the HTTP config mode and use the command line instead. If you are not using SNMP on your router, then there is no need to have it enabled. Cisco has an SNMP vulnerability with GRE tunnel attacks.
4. Block ICMP ping requests. Ping and other ICMP functions are useful tools for both the network admin and the hacker. ICMP enabled on your router can be used by a hacker to gather information for targeting your network.
5. Disable Telnet use from the Internet. In most cases you do not need an active Telnet session from an Internet interface. Access to your router's configuration is more secure if accessed internally.
6. Disable IP directed broadcast. IP directed broadcast can allow Denial of Service (DoS) attacks on your equipment. A router's memory and CPU can be maxed out by too many requests, which can result in a buffer overflow.
7. Disable IP source routing and IP redirects. Redirects allow packets to come in from one interface and leave by another. You don't want engineered packets to redirect to a private internal network.
8. Packet filtering. Packet filtering passes only the types of packets you want to enter your network. Many companies only allow ports 80 (HTTP) and 110/25 (email). Additionally, you can block and allow IP addresses and ranges.
9. Review Security Logs. By simply taking the time to review your log files you will see obvious patterns of attack, and even vulnerabilities. You will be surprised at how much activity your router is subject to.
10. Unnecessary Services. Unnecessary services should always be disabled, whether they are on a router, server, or workstation. By default, Cisco devices up through IOS version 11.3 offer the "small services": echo, chargen, and discard. These services, especially their UDP versions, are infrequently used for legitimate purposes, but can be used to launch denial of service and other attacks that would otherwise be prevented by packet filtering.
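
Several of the tips above (3, 5, 6, 7 and 10) can be checked mechanically against a saved Cisco IOS configuration. The Python script below is an added example, not part of the original article: the sample configuration is constructed, and treating source routing and redirects as enabled unless an explicit "no" form is present is an assumption about IOS defaults.

```python
import re

# Constructed sample IOS-style config (not taken from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr
service udp-small-servers
ip http server
snmp-server community public RO
!
interface Serial0
 ip directed-broadcast
!
interface Ethernet0
 no ip redirects
!
line vty 0 4
 transport input telnet
"""

# Statements that switch on something the tips say to turn off.
# re.match anchors at the line start, so the "no ..." forms never match.
ENABLING = [
    (r"ip http server$", "tip 3: HTTP configuration enabled"),
    (r"snmp-server community ", "tip 3: SNMP enabled"),
    (r"service (tcp|udp)-small-servers$", "tip 10: small services enabled"),
    (r"ip directed-broadcast", "tip 6: directed broadcast enabled"),
    (r"transport input .*\b(telnet|all)\b", "tip 5: Telnet accepted on this line"),
]

def audit(config):
    """Return (section, finding) pairs for an IOS-style configuration text."""
    findings, seen, interfaces, section = [], set(), [], "global"
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):  # unindented: new section or global command
            section = line if line.startswith(("interface ", "line ")) else "global"
            if section.startswith("interface "):
                interfaces.append(section)
        seen.add((section, line))
        findings += [(section, msg) for pat, msg in ENABLING if re.match(pat, line)]
    # Assumed defaults: source routing and redirects stay on unless negated.
    if ("global", "no ip source-route") not in seen:
        findings.append(("global", "tip 7: IP source routing not disabled"))
    for intf in interfaces:
        if (intf, "no ip redirects") not in seen:
            findings.append((intf, "tip 7: IP redirects not disabled"))
    return findings
```

A Telnet finding on a vty line only shows that Telnet is accepted there; whether it is reachable from the Internet depends on the access lists applied to the line and interfaces.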
More Help
Cisco's http://www.cisco.com/warp/public/707/21.html
NSA (National Security Agency) http://nsa2.www.conxion.com/cisco/guides/cis-2.pdf