
Getting Back to the Security Basics

by kfrankli on ‎01-05-2012 10:47 AM (2,424 Views)

I am a lover of those great guy-centric action flicks, like Terminator or Die Hard, and I was recently watching one of my favorites, Ronin, when a particular set of lines, as can be only delivered by Robert De Niro, caught my attention:

  • De Niro: What's in the case?
  • Girl: That information isn't necessary.
  • De Niro: Is it heavy? Is it explosive?
  • De Niro: Is it chained to some unlucky bloke's wrist? (my favorite)
  • De Niro: Are we gonna have to chop it off?
  • Girl: I don't have to let you know...
  • De Niro: Then the price has got to go up.
  • De Niro: I'll get you the case, but the price has gotta go up.

If the item is valuable enough, some people will go to great lengths to get their hands on it or, in many cases, pay someone else a lot of money to get it for them. Every Network Administrator needs to understand this, and there are usually some very basic precautions that will thwart most attackers. I would begin by answering some simple questions to assess the security posture of your network switches and routers:

  1. How easy is it to compromise a system to gain access to your network and potentially sensitive corporate information? (If you have no clue, the answer to question 2 is probably “none”.)
  2. What types of controls or policies have been established to secure network devices?
  3. How often are these controls and/or policies audited, and by whom?

Even if you don’t have a policy in place or you want to strengthen your current one, there are some very basic things you can do. Here are some methods I recommend for hardening your network switches and routers:

  • Configure Warning Banners
  • Implement Secure Access Controls by:
    • Selecting Strong Passwords
    • Enabling Advanced Authentication and Authorization Features
    • Implementing Management Protocol Restrictions
    • Leveraging Advanced Access Control
  • Implement Secure Shell (SSH)
  • Configure SNMP in a Secure Manner
  • Remove Unnecessary Components such as:
    • Telnet and/or SNMP
    • Web-based Management
    • Enable Route Only
    • Disable Source Routing
    • Disable known exploitable ICMP features
    • Disable Proxy ARP
  • Secure Routing Protocols
    • RIPv2, OSPF, and/or BGP4
  • Configure Anti-Spoofing ACLs
  • Configure Denial of Service Prevention
  • Guard Against Fragmentation Exploits
  • Configure Time Synchronization
  • Implement a Logging Strategy
  • Lock Down Unused Ports
  • Stay on Top of OS Versions Updates and Vulnerabilities
  • Review Physical Security Policy

Remember, there are people out there who will go to great lengths to gain access to your network devices. Gaining access to the devices, or even just to information about them, brings an attacker one step closer to compromising your network. If the list above seems daunting, ask your vendor for assistance; any competent vendor will have valuable suggestions.

Here at Brocade, we provide documents that can walk you step-by-step through the process. Lastly, if you think you are protected, think again, especially if you haven’t reviewed or audited your policies lately, and/or have recently upgraded your infrastructure. In my next series of blogs, I will focus, in greater detail, on some of the more critical hardening recommendations listed above, such as Access Control, Logging, and leveraging technologies like sFlow.

by pmoyer on 01-05-2012 02:24 PM

Hi Kelvin,

I fully agree with you, except for which of those De Niro lines I would consider my favorite.

One method to ensure each switch or router has the items in your list covered is to use a basic switch or router "configuration template". The template would have each of those items included, with generic placeholders for customer specific information. Including comments in the template is also very useful, to remind the administrator/implementor what should be configured at each level.

Using a configuration template such as this ensures that each switch or router that is deployed has each of the items in your list covered in a consistent manner.
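As an added worked example (not part of the original post or of the comment above, and not Brocade's own tooling), the script below ties the two ideas together: it renders a hardening "configuration template" with commented placeholders, refuses to emit a config with any placeholder still unfilled, and then audits the result, and a constructed legacy config, against the checklist from the post (banner, AAA, SSH-only management, disabled Telnet/HTTP/source routing, SNMPv3, NTP, remote logging). The template, device values, legacy config and rule list are all constructed here, and the syntax is generic IOS-style chosen as a stand-in rather than any specific vendor's CLI.

```python
"""Render a hardening template and audit configs against the checklist.

Added example: the template, the device values, the 'legacy' config and the
rule list below are all constructed for illustration. The syntax is
IOS-style, used as a generic stand-in, not Brocade's own CLI.
"""
import re

# Configuration template: '!' lines are comments for the implementer,
# {{NAME}} markers are site-specific placeholders (constructed, IOS-style).
TEMPLATE = """\
! Identity
hostname {{HOSTNAME}}
! Warning banner shown before login
banner motd ^Authorized use only. All activity is monitored and logged.^
! Strong local credentials plus central AAA (TACACS+ with local fallback)
service password-encryption
username {{ADMIN_USER}} privilege 15 secret {{ADMIN_SECRET}}
aaa new-model
aaa authentication login default group tacacs+ local
! Management only over SSHv2, and only from the management ACL
ip ssh version 2
line vty 0 4
 access-class MGMT-ACL in
 transport input ssh
! Remove unnecessary components
no ip http server
no ip source-route
no service tcp-small-servers
! SNMPv3 with authentication and privacy, read-only group
snmp-server group {{SNMP_GROUP}} v3 priv
! Time synchronization and remote logging
ntp server {{NTP_SERVER}}
logging host {{SYSLOG_HOST}}
"""

# Constructed per-device values; the secret is a placeholder, not a real one.
DEVICE = {
    "HOSTNAME": "edge-sw-01",
    "ADMIN_USER": "netops",
    "ADMIN_SECRET": "CHANGE-ME-before-deploy",
    "SNMP_GROUP": "nms-ro",
    "NTP_SERVER": "192.0.2.10",
    "SYSLOG_HOST": "192.0.2.20",
}

# A constructed 'legacy' config with the kind of defaults the post warns about.
LEGACY_CONFIG = """\
hostname core-legacy
enable password cisco123
snmp-server community public RO
ip http server
line vty 0 4
 transport input telnet
"""

# Each rule: (checklist item, regex that must / must not match a config line).
REQUIRED = [
    ("warning banner", r"^banner motd "),
    ("AAA enabled", r"^aaa new-model$"),
    ("SSH version 2", r"^ip ssh version 2$"),
    ("vty accepts SSH only", r"^\s+transport input ssh$"),
    ("source routing disabled", r"^no ip source-route$"),
    ("web management disabled", r"^no ip http server$"),
    ("NTP server configured", r"^ntp server \S+"),
    ("remote syslog configured", r"^logging host \S+"),
]
FORBIDDEN = [
    ("plaintext enable password", r"^enable password "),
    ("telnet allowed on vty", r"^\s+transport input (telnet|all)\b"),
    ("SNMP v1/v2c community string", r"^snmp-server community "),
    ("default SNMP community (public/private)", r"^snmp-server community (public|private)\b"),
]

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def render(template, values):
    """Fill every {{NAME}} placeholder; refuse to emit a half-filled config."""
    missing = set(PLACEHOLDER.findall(template)) - set(values)
    if missing:
        raise KeyError(f"unfilled placeholders: {sorted(missing)}")
    filled = PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), template)
    # Comments guide the implementer; they are not pushed to the device.
    return "\n".join(l for l in filled.splitlines() if not l.startswith("!")) + "\n"


def audit(config):
    """Return the checklist items a config fails (empty list means it passes)."""
    findings = []
    for item, pattern in REQUIRED:
        if not re.search(pattern, config, re.MULTILINE):
            findings.append(f"missing: {item}")
    for item, pattern in FORBIDDEN:
        if re.search(pattern, config, re.MULTILINE):
            findings.append(f"present: {item}")
    return findings


if __name__ == "__main__":
    hardened = render(TEMPLATE, DEVICE)
    print("hardened template findings:", audit(hardened) or "none")
    for finding in audit(LEGACY_CONFIG):
        print("legacy config ->", finding)
```

Run the audit on exported running-configs on a schedule, not just at deployment: it answers question 3 from the post (how often the controls are checked) and catches drift after an upgrade or a hands-on change. The caveat is that a line-matching audit only proves a control is configured, not that it works; an ACL that is defined but never applied, or an NTP server that is unreachable, still passes, so pair it with periodic hands-on verification.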