Thursday, October 9, 2008

The most vulnerable device in the network

I was browsing some sites to come out of the boring life in Chennai ... and I found someone online discussing the most vulnerable devices in the network. Yes, it was the router... and those guys came up with a few notes mentioning risks and hardening actions that can prevent an attacker from being successful.
I felt it was interesting and thought of sharing it with you guys....
Main Risks
The most obvious risk associated with a compromised or disabled router is that all communications forwarded by that router will be disrupted, but there are others that are not so obvious:
Use routers to attack internal systems:
Taking control of a router allows attackers to bypass intrusion detection or prevention systems (depending on the network architecture) and to use it to reach restricted networks without being logged.
Use routers to attack external sites:
Using routers to attack other networks allows a malicious person to launch attacks that are very hard to trace back.
Reroute all traffic entering and leaving the network:
An attacker can use a compromised router to send network traffic along a different path so that it can be analysed or modified.
Some important actions that can harden a router and increase security:
Implement Access Control
Every person that accesses a router must use their own username and password, and the password must not be easy to guess. It is also important to enforce password encryption so that credentials are not stored in clear text in the configuration.
Implement Authorization Control
Every person shall be able to execute only the limited set of commands related to their role.
Secure Remote Administration:
Some routers allow remote administration only over insecure protocols like Telnet, so it is important to restrict it using ACLs. Other options are to allow only the console port (not always possible) or to implement an SSH gateway, so that all users must log in to the SSH gateway and then jump to the router.
Configure Warning Banners:
It is important to use banners to show that the IT department monitors all activity. The banner shall be legally sufficient to support prosecution of malicious users, shield administrators from liability and not leak information (no hostnames, software versions or organisation details).
Disable Unnecessary Protocols (if they are not used):
Such as ICMP features like redirects, source routing, finger, HTTP, proxy ARP, etc.
Improve SNMP Security:
It is important to restrict SNMP access to the router, to use non-"public" community strings and to bind every community to an ACL. Many routers are wide open simply because of default SNMP configurations. Implement SNMPv3 (with authentication and privacy), or at least v2c.
NTP
Configure NTP for time synchronization (it is important for log analysis and event correlation).
Logging
Deploy an effective logging policy that allows security administrators to monitor events and track down intruders.
Deploy an Event Correlation Solution
It is important to use an event correlation solution that helps the SOC/NOC team identify attackers that are trying to compromise a router. This is a powerful tool because it makes it possible to cross router logs with IPS logs, firewall logs and others to identify threats that cannot be identified from a single source.
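One way such a correlation can work, as an added example that is not part of the original post or of any product it refers to: constructed router, firewall and IPS log lines (the router lines follow the IOS %SEC_LOGIN message layout without the sequence number and internal timestamp; the firewall and IPS line formats, the device names, the addresses and the 2008 syslog year are assumptions) are parsed into one event stream and keyed by source address. A burst of failed logins on the router is raised as an alert, a success from the same source shortly afterwards escalates it to critical, and the firewall denies and IPS alert from that source are attached as corroboration that none of the three logs would show on its own.

```python
"""Correlate router syslog with firewall and IPS logs to spot attacks on a router."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional


class Event(NamedTuple):
    ts: datetime
    device: str
    kind: str        # login_failed | login_success | fw_deny | ips_alert
    src_ip: str
    detail: str      # account name, "proto/port" or IPS signature name


# Constructed sample log lines (device names, addresses and the fw/IPS formats are assumptions).
LOGS = [
    "Oct  9 10:00:40 fw1 DENY TCP 203.0.113.7:51200 -> 10.0.0.1:23",
    "Oct  9 10:00:41 fw1 DENY TCP 203.0.113.7:51201 -> 10.0.0.1:80",
    'Oct  9 10:00:58 ips1 ALERT "SSH brute force attempt" src=203.0.113.7 dst=10.0.0.1',
    "Oct  9 10:01:02 edge-rtr %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]",
    "Oct  9 10:01:09 edge-rtr %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]",
    "Oct  9 10:01:15 edge-rtr %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]",
    "Oct  9 10:01:31 edge-rtr %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.7] [localport: 22]",
    "Oct  9 10:03:12 edge-rtr %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: jsmith] [Source: 10.0.0.42] [localport: 22] [Reason: Login Authentication Failed]",
    "Oct  9 10:03:20 edge-rtr %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jsmith] [Source: 10.0.0.42] [localport: 22]",
    "Oct  9 10:05:00 fw1 DENY UDP 198.51.100.9:4444 -> 10.0.0.1:161",
]

YEAR = 2008                                  # assumed: syslog timestamps carry no year
SYSLOG_HDR = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
ROUTER_LOGIN = re.compile(r"%SEC_LOGIN-\d-(LOGIN_FAILED|LOGIN_SUCCESS):.*\[user: (\S+)\] \[Source: ([\d.]+)\]")
FW_DENY = re.compile(r"DENY (\w+) ([\d.]+):\d+ -> ([\d.]+):(\d+)")
IPS_ALERT = re.compile(r'ALERT "([^"]+)" src=([\d.]+) dst=([\d.]+)')


def parse_line(line: str) -> Optional[Event]:
    """Normalise one line from any of the three sources into an Event, or None if unrecognised."""
    m = SYSLOG_HDR.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    device, msg = m.group(2), m.group(3)
    r = ROUTER_LOGIN.search(msg)
    if r:
        kind = "login_failed" if r.group(1) == "LOGIN_FAILED" else "login_success"
        return Event(ts, device, kind, r.group(3), r.group(2))
    f = FW_DENY.search(msg)
    if f:
        return Event(ts, device, "fw_deny", f.group(2), f"{f.group(1)}/{f.group(4)}")
    i = IPS_ALERT.search(msg)
    if i:
        return Event(ts, device, "ips_alert", i.group(2), i.group(1))
    return None


def correlate(lines: List[str], threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Raise one alert per source address that fails `threshold` router logins inside `window`.

    A success from the same source within `window` after the burst escalates the alert to
    critical (the brute force probably worked); firewall and IPS events from that source are
    attached as corroboration, which is the cross-source view a single log never gives.
    """
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev.src_ip].append(ev)
    alerts = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e.ts)
        failures = [e for e in events if e.kind == "login_failed"]
        burst_end = None
        for i in range(len(failures) - threshold + 1):            # sliding window over failures
            if failures[i + threshold - 1].ts - failures[i].ts <= window:
                burst_end = failures[i + threshold - 1].ts
                break
        if burst_end is None:
            continue
        success_after = any(e.kind == "login_success" and burst_end <= e.ts <= burst_end + window
                            for e in events)
        alerts.append({
            "src_ip": ip,
            "severity": "critical" if success_after else "high",
            "failures": len(failures),
            "accounts": sorted({e.detail for e in failures}),
            "routers": sorted({e.device for e in failures}),
            "corroborated_by": sorted({e.device for e in events if e.kind in ("fw_deny", "ips_alert")}),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(LOGS):
        print(alert)
```

Run as-is it prints a single critical alert for 203.0.113.7 (three failures against two accounts, then a success, corroborated by fw1 and ips1), while the one-off typo from 10.0.0.42 and the lone SNMP probe from 198.51.100.9 stay below the threshold. The threshold and window are the knobs you would tune per environment; the point is that the firewall and IPS context rides along with the router alert instead of being looked up by hand.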
Use Restrictive ACLs
To protect the router from unauthorised external access (administration, routing information exchange, monitoring, etc.).
Implement Routing Security
Routing protocols like OSPF, BGP, IS-IS, etc. have their own security best practices (neighbour authentication, for example), so it is important to have them in place if you use them.
Deploy IPS Systems
Sometimes you can deploy an IPS in front of a router (there is a lot of controversy about it) with specific signatures to protect the router itself. If it is a situation where it is possible to do it and you have the budget, why not?
Create an Incident Response Plan
Some steps that must be considered when creating a plan: determine whether the incident is an attack or an accident; discover what happened; preserve the evidence; recover from the incident; identify root causes and manage or mitigate them to prevent it from happening again.
Enforce Physical Security
It is also important to restrict access to the device itself to prevent physical attacks or accidents (like someone breaking a network interface).
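As an added example (not from the original post or from the discussion it summarises), the checklist above turned into a small audit script: it parses a Cisco IOS-style running-config and reports which items are missing (per-user accounts with hashed secrets and password encryption, AAA command authorization, SSH-only VTY access restricted by an access-class, a login banner, unnecessary services explicitly disabled, proxy ARP off per interface, no default or read-write SNMP communities and SNMPv3 present, a remote syslog host, log timestamps and NTP). The weak and hardened configurations are constructed samples; the addresses, the ACL number, the SNMP group and user names and the placeholder hashes are assumptions, and the checks are a starting point, not a complete benchmark.

```python
import re
# Constructed sample configurations: addresses, ACL numbers and placeholder hashes are assumptions.
WEAK_CONFIG = """\
no service password-encryption
enable password cisco123
username admin password 0 admin
ip http server
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet
"""

HARDENED_CONFIG = """\
service password-encryption
service timestamps log datetime msec
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
enable secret 5 $1$examp$placeholderhash
username admin privilege 15 secret 5 $1$examp$placeholderhash
no ip http server
no ip source-route
no ip finger
ip ssh version 2
banner login ^C Authorized use only. All activity is monitored and logged. ^C
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
logging host 10.0.0.5
ntp server 10.0.0.6
access-list 10 permit 10.0.0.0 0.0.0.255
snmp-server group NMS v3 priv
snmp-server user nms-user NMS v3 auth sha AuthPassw0rd priv aes 128 PrivPassw0rd
line vty 0 4
 access-class 10 in
 transport input ssh
 login authentication default
"""

# Global commands that must be present (finding if absent) and that must not appear (finding if present).
REQUIRED = [
    (r"service password-encryption$", "service password-encryption is not enabled"),
    (r"aaa new-model$", "aaa new-model not enabled; no per-user accounts and authorization"),
    (r"aaa authorization commands ", "no AAA command authorization; any user can run any command"),
    (r"ip ssh version 2$", "SSH version 2 not enforced"),
    (r"banner (login|motd) ", "no login banner configured"),
    (r"no ip http server$", "ip http server not explicitly disabled"),
    (r"no ip source-route$", "ip source-route not explicitly disabled"),
    (r"no ip finger$", "ip finger not explicitly disabled"),
    (r"logging (host \S+|\d+\.\d+\.\d+\.\d+)", "no remote syslog host configured"),
    (r"service timestamps log datetime", "log timestamps not enabled; correlation will be unreliable"),
    (r"ntp server ", "no NTP server configured"),
]
FORBIDDEN = [
    (r"enable password ", "enable password in use; replace with enable secret"),
    (r"username \S+ .*password ", "username with reversible password; use 'username ... secret'"),
]

def parse_config(text):
    """Split a running-config into (global command, [indented sub-commands]) pairs."""
    blocks = []
    for raw in (ln for ln in text.splitlines() if ln.strip() and not ln.startswith("!")):
        if raw[0].isspace():                 # indented: sub-command of the previous global command
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit(text):
    """Return the hardening gaps found; an empty list means every check passed."""
    blocks = parse_config(text)
    glob = [cmd for cmd, _ in blocks]
    has = lambda pattern: any(re.match(pattern, c) for c in glob)
    findings = [msg for pat, msg in REQUIRED if not has(pat)]
    findings += [msg for pat, msg in FORBIDDEN if has(pat)]
    for cmd, subs in blocks:
        if cmd.startswith("line vty"):       # remote administration: SSH only, sources limited by ACL
            transports = [s for s in subs if s.startswith("transport input")]
            if not transports or any("telnet" in t or t.endswith("all") for t in transports):
                findings.append(f"{cmd}: telnet permitted (set 'transport input ssh')")
            if not any(s.startswith("access-class") for s in subs):
                findings.append(f"{cmd}: no access-class restricting management sources")
        elif cmd.startswith("interface ") and "no ip proxy-arp" not in subs:
            findings.append(f"{cmd}: proxy ARP left at its enabled default")
    communities = [c for c in glob if c.startswith("snmp-server community ")]
    for c in communities:                    # SNMP: no default or RW communities, each bound to an ACL
        _, _, name, *tail = c.split()
        if name.lower() in ("public", "private"):
            findings.append(f"SNMP default community '{name}' in use")
        if "RW" in tail:
            findings.append(f"SNMP community '{name}' is read-write")
        if not tail or tail[-1] in ("RO", "RW"):   # nothing after the mode means no ACL applied
            findings.append(f"SNMP community '{name}' not restricted by an ACL")
    if communities and not has(r"snmp-server group \S+ v3 priv"):
        findings.append("only SNMPv1/v2c communities configured; migrate to SNMPv3 authPriv")
    return findings
```

Calling audit(WEAK_CONFIG) returns 22 findings, one per unmet item, while audit(HARDENED_CONFIG) returns an empty list. Feed it the output of show running-config to get the same report for a real device; the services checks deliberately flag anything not explicitly switched off, because IOS does not print defaults in the running-config.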

It's true... even I noticed it when I do my penetration testing activities...
Conclusion
A router is a very important device (if not the most important one) and many companies do not put appropriate controls in place. It is important for administrators to be aware that if they do not change this scenario quickly, sooner or later they will have to deal with a compromised router.
