<<
Router — When properly configured, an edge router can keep almost all of the most stubborn bad actors outside your network. If you wish, such a router can also let the good guys in. However, an improperly configured router is only marginally better than having no security measures at all.
In the following guide, we’ll examine nine practical steps you can take to protect your network security. These steps will ensure you have a brick wall protecting your network, rather than a wide-open gate.
1. Change Default Passwords
According to overseas surveys, 80% of network security breaches are caused by weak passwords. There are extensive lists of default router passwords available across the internet. You can be certain that someone, somewhere, knows your birthday. SecurityStats.com maintains a detailed list of usable/non-usable passwords as well as a password strength test.
2. Disable IP Directed Broadcast
Your server is very obedient. It does whatever it’s told, regardless of who issued the command. A Smurf attack is a type of Denial of Service attack where the attacker uses a spoofed source address to send an “ICMP echo” request to your network’s broadcast address. This requires all hosts to respond to this broadcast request. At the very least, this situation will degrade your network performance.
Refer to your router’s information documentation to learn how to disable IP directed broadcast. For example, the command “Central(config)#no ip source-route” will disable IP directed broadcast on a Cisco router.
3. Disable Router HTTP Configuration if Possible
As briefly explained in Cisco’s technical notes, the identity authentication protocol used by HTTP is equivalent to sending an unencrypted password across the entire network. Unfortunately, however, the HTTP protocol does not have an effective provision for verifying passwords or using one-time passwords.
While this unencrypted password might be very convenient for configuring your router from a remote location (such as from home), what you can do, others can do as well — especially if you are still using the default password! If you must manage the router remotely, be sure to use a protocol at or above SNMPv3, as it supports stricter passwords.
4. Block ICMP Ping Requests
The main purpose of ping is to identify hosts that are currently active. Therefore, ping is commonly used for reconnaissance activities prior to a larger coordinated attack. By removing the ability for remote users to receive a reply to ping requests, you make it easier to evade unnoticed scanning activities or defend against “script kiddies” looking for easy targets.
Please note that doing this does not actually protect your network from attacks, but it will make you less likely to become a target.
5. Disable IP Source Routing
The IP protocol allows a host to specify the route a data packet takes through your network, rather than allowing the network components to determine the best path. The legitimate use for this feature is for diagnosing connection faults. However, this application is rarely used. The most common use of this feature is to mirror your network for reconnaissance purposes, or for an attacker to find a backdoor into your private network. Unless this feature is designated solely for fault diagnosis, it should be disabled.
6. Determine Your Data Packet Filtering Needs
There are two reasons for blocking ports. One of them is appropriate for your network based on the level of network security you require.
For high-level network security, especially when storing or maintaining confidential data, permission-based filtering is usually required. Under this rule, all ports and IP addresses must be blocked except those needed for network functionality. For example, port 80 for web traffic and ports 110/25 for SMTP might allow access from designated addresses, while all other ports and addresses can be closed.
Most networks will enjoy an acceptable security level by using a “filter by denial of request” scheme. When using this filtering policy, you can block ports not used by your network and ports commonly used by Trojan horses or reconnaissance activities to enhance your network’s security. For instance, blocking ports 139 and 445 (TCP and UDP) will make it harder for hackers to carry out brute-force attacks on your network. Blocking port 31337 (TCP and UDP) will make it harder for the Back Orifice Trojan program to attack your network.
This work should be determined during the network planning phase, when network security level requirements should align with the needs of network users. Check these port lists to understand the normal uses for these ports.
7. Establish Inbound and Outbound Address Filtering Policies
Establish policies on your border router to filter traffic entering and leaving the network for security violations based on IP addresses. Except for special and unusual cases, all IP addresses attempting to access the internet from inside your network should have an address assigned to your local area network. For example, the address 192.168.0.1 might legitimately access the internet through this router. However, the address 216.239.55.99 is likely spoofed and part of an attack.
Conversely, the source addresses for communications coming from outside the internet should not be part of your internal network. Therefore, inbound addresses such as 192.168.X.X, 172.16.X.X, and 10.X.X.X should be blocked.
Finally, all communications with source addresses that are reserved or with unroutable destination addresses should be allowed through this router. This includes the loopback address 127.0.0.1 or the Class E address range 240.0.0.0-254.255.255.255.
8. Maintain Physical Security of the Router
From a network sniffing perspective, routers are more secure than hubs. This is because routers intelligently route data packets based on IP addresses, while hubs broadcast data to all nodes. If a system connected to that hub places its network adapter in promiscuous mode, it can receive and see all broadcasts, including passwords, POP3 traffic, and Web traffic.
Therefore, it is important to ensure that physical access to your network equipment is secure, to prevent unauthorized laptops or other sniffing devices from being placed on your local subnet.
9. Take Time to Review Security Logs
Reviewing your router logs (through its built-in firewall features) is one of the most effective methods for identifying security events, whether detecting an ongoing attack or signs of a future attack. Using outbound logs, you can also identify Trojan horse programs and spyware attempting to establish external connections. A diligent network security administrator can detect attacks from “Code Red” and “Nimda” viruses before virus propagators can react.
Generally speaking, a router sits at the edge of your network and allows you to see the status of all traffic entering and leaving your network.
【Editor’s Picks】