I am a lover of those great guy-centric action flicks, like Terminator or Die Hard, and I was recently watching one of my favorites, Ronin, when a particular set of lines, as can only be delivered by Robert De Niro, caught my attention:
De Niro: What's in the case?
Girl: That information isn't necessary.
De Niro: Is it heavy? Is it explosive?
De Niro: Is it chained to some unlucky bloke's wrist? (my favorite)
De Niro: Are we gonna have to chop it off?
Girl: I don't have to let you know...
De Niro: Then the price has got to go up.
De Niro: I'll get you the case, but the price has gotta go up.
If the item is valuable enough, some people will go to great lengths to get their hands on it, or, in many cases, pay someone else a lot of money to get it for them. Every network administrator needs to understand this: the switches and routers that carry your traffic are exactly such an item, and there are usually some very basic precautions that will thwart most attackers. I would begin by answering three simple questions to assess the security posture of your network switches and routers:
1. How easy is it to compromise a device and use it to gain access to your network and, potentially, to sensitive corporate information? (If you have no clue, the answer to question 2 is probably "none".)
2. What controls or policies have been established to secure network devices?
3. How often are these controls and policies audited, and by whom?
Even if you don't have a policy in place, or you want to strengthen your current one, there are some very basic things you can do. Here are the methods I recommend for hardening your network switches and routers:
Configure Warning Banners
Implement Secure Access Controls by:
  Selecting Strong Passwords
  Enabling Advanced Authentication and Authorization Features
  Implementing Management Protocol Restrictions
  Leveraging Advanced Access Control
    TACACS, TACACS+, and RADIUS
Implement Secure Shell (SSH)
Configure SNMP in a Secure Manner
Remove Unnecessary Components such as:
  Telnet and/or SNMP
  Web-based Management
Enable Route Only
Disable Source Routing
Disable Known Exploitable ICMP Features
Disable Proxy ARP
Secure Routing Protocols
  RIP v2, OSPF, and/or BGP4
Configure Anti-Spoofing ACLs
Configure Denial of Service Prevention
Guard Against Fragmentation Exploits
Configure Time Synchronization
Implement a Logging Strategy
Lock Down Unused Ports
Stay on Top of OS Version Updates and Vulnerabilities
Review Physical Security Policy
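Question 3 above asks how often the controls are audited. One practical way to audit them is to pull each device's running configuration and check it mechanically against the checklist. The script below is an added example, not Brocade's code or part of the original post: it parses a configuration written in a generic, IOS-like syntax (an assumption chosen for illustration; the exact Brocade CLI differs) and reports which checklist items fail. The two configurations embedded in it are constructed samples, one deliberately weak and one hardened, and the "proxy ARP is on by default" rule is an assumption about the platform.

```python
"""Audit a switch/router running-config against the hardening checklist above.

Added example (not Brocade's code). The config syntax is a generic,
IOS-like style chosen for illustration; real vendor CLIs differ.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    check: str
    passed: bool
    detail: str


# Constructed sample configs (assumptions for illustration, not real devices).
WEAK_CONFIG = """\
hostname edge-rtr-1
enable password letmein
snmp-server community public RO
snmp-server community private RW
ip source-route
ip http server
line vty 0 4
 transport input telnet ssh
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.252
 ip proxy-arp
"""

HARDENED_CONFIG = """\
hostname edge-rtr-1
banner motd ^Authorized use only. Activity is monitored and logged.^
aaa authentication login default group tacacs+ local
enable secret 5 $1$salt$constructedhashvalue
snmp-server community Str0ngR0-Only RO mgmt-acl
no ip source-route
no ip http server
ntp server 192.0.2.10
logging host 192.0.2.20
line vty 0 4
 transport input ssh
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.252
 no ip proxy-arp
"""


def parse_sections(text):
    """Split a config into top-level lines and the indented body of each block."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections


def audit(text):
    """Return one Finding per checklist item, in a fixed order."""
    top, sections = parse_sections(text)

    def has(pattern):
        # re.match anchors at the start, so "no ip http server" does not match "ip http".
        return any(re.match(pattern, line) for line in top)

    weak_snmp = []
    for line in top:
        m = re.match(r"snmp-server community (\S+)(.*)", line)
        if m and (m.group(1).lower() in {"public", "private"} or " RW" in m.group(2).upper()):
            weak_snmp.append(m.group(1))

    vty_inputs = [line for hdr, body in sections.items() if hdr.startswith("line vty")
                  for line in body if line.startswith("transport input")]
    ssh_only = bool(vty_inputs) and all(line.split()[2:] == ["ssh"] for line in vty_inputs)

    # Proxy ARP is on by default on many platforms (assumption), so every
    # routed interface must disable it explicitly.
    routed = [body for hdr, body in sections.items() if hdr.startswith("interface")
              and any(l.startswith("ip address") for l in body)]
    proxy_arp_off = all("no ip proxy-arp" in body for body in routed)

    return [
        Finding("warning banner", has(r"banner "), "banner motd/login configured"),
        Finding("aaa authentication", has(r"aaa authentication login"), "login via TACACS+/RADIUS"),
        Finding("enable secret", has(r"enable secret") and not has(r"enable password"), "no plaintext enable password"),
        Finding("snmp community", not weak_snmp, "weak/RW communities: %s" % weak_snmp),
        Finding("vty ssh only", ssh_only, "transport input: %s" % vty_inputs),
        Finding("web management off", not has(r"ip http (secure-)?server"), "no HTTP(S) management"),
        Finding("source routing disabled", has(r"no ip source-route"), "no ip source-route"),
        Finding("proxy arp disabled", proxy_arp_off, "%d routed interface(s)" % len(routed)),
        Finding("ntp configured", has(r"ntp server"), "time source for log correlation"),
        Finding("logging configured", has(r"logging (host |\d)"), "remote syslog host"),
    ]


def failed_checks(text):
    """Names of the checklist items the config fails (empty list means clean)."""
    return [f.check for f in audit(text) if not f.passed]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "failed:", failed_checks(cfg))
```

Run against the constructed weak configuration every check fails; against the hardened one none do. In practice you would feed it the output of a scheduled configuration backup so the audit runs on every change rather than once a year.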
Remember, there are people out there who will go to great lengths to gain access to your network devices. Gaining access to the devices, or even to information about them, brings an attacker one step closer to compromising your network. If the task above seems daunting, ask your vendor for assistance; any competent vendor will have valuable suggestions.
Here at Brocade, we provide documents that walk you step by step through the process. Lastly, if you think you are protected, think again, especially if you haven't reviewed or audited your policies lately, or have recently upgraded your infrastructure. In my next series of blogs, I will focus in greater detail on some of the more critical hardening recommendations listed above, such as access control, logging, and leveraging technologies like sFlow.