Hardening Cisco Routers by Thomas Akin

When asking about Information Security (InfoSec), most people immediately think about stolen credit cards, defaced web sites, and teenage hackers with names like B@D@pple. An InfoSec professional might extend the list to items like firewalls, Virtual Private Networks (VPN)s, penetration testing, and risk analysis. What is almost never listed is router security—network security, yes, but never specifically router security. The distinction is important.

Network security is most often thought of as something that protects machines on a network. To do this, companies put up firewalls, configure VPNs, and install intrusion detection systems. Router security, however, involves protecting the network itself by hardening or securing the routers. Specifically, it addresses preventing attackers from:

Organizations spend hundreds of thousands of dollars on firewalls, VPNs, intrusion detection, and other security measures, and yet they run routers with out-of-the-box configurations. From personal experience, at least eight or nine out of every ten networks has routers that are vulnerable to one of the five preceding problems.

A layperson who is asked what the foundation of the Internet is will probably say the World Wide Web, with the explanation that it is what everyone uses. Ask an MCSE and you may get a claim about how everyone runs Windows. Ask a network engineer and you will get routers and the statement “nothing works without them.” Without routers there is no Web, no email, no Internet.

The fundamental piece of information on the Internet is the IP packet. A router’s primary function is to direct these packets. Therefore, routers truly work at the most basic and fundamental level of the Internet. Every network attached to the Internet is attached by a router. Some may be Linux boxes acting as routers, others may be firewalls also performing routing, but most will be dedicated Cisco routers. Current estimates indicate that 80 percent of the Internet runs on Cisco equipment.

Routers are not only the foundation of the Internet; they are the foundation of how your company communicates both externally and internally. Additionally, there is a strong trend toward converging voice, data, and even video into a single network running IP. With this push, routers are becoming the foundation of data, voice, and video communication. With this convergence, almost all of a company’s information will pass through routers, causing them to become extremely attractive targets.

Efforts to improve awareness about the importance of router security are not helped by the lack of media attention on incidents involving compromised routers. Why the lack of reported cases? There are two major reasons:

Before any attack, hackers will gather as much information about a company, its network, and its servers as possible. The more information an attacker can get, the easier it is to compromise a site—knowledge is power. This type of information gathering is called footprinting, and routers are routinely used when footprinting a site. With default configurations, an attacker can query routers and map out entire networks, including subnets, addressing schemes, and redundant paths. With this information, an attacker can determine the most vulnerable locations on the network. Footprinting a site, however, is a tedious and unglamorous process. The media reports that it took a hacker 15 minutes to break into NASA; they don’t point out that the hacker spent 6 weeks gathering information before launching the attack.

Making matters worse, few organization have any controls or monitoring on their routers. When asked, “How would you know if someone reconfigured your router?” the answer invariably comes back, “When it stops working.” Prodding further with a question about how to detect changes that kept the network functional but allowed an attacker to bypass a firewall usually gets a comment about how the intrusion detection system (IDS) would catch them. Pointing out that if a router were compromised, attackers could probably bypass the IDS finally induces concern. With the current lack of controls and auditing on routers, compromises will probably go unnoticed unless they disrupt service. Attacks that disrupt service are bad, but at least companies know something is wrong—they know they have been hacked. Attacks in which a hacker does disable anything are the truly dangerous ones. Without adequate monitoring and auditing, no one knows the network has been compromised. An attacker can spend weeks or months monitoring all network traffic, gaining bank account numbers, client lists, or personnel records. This information could be sold to competitors, given to other hackers, or used to blackmail the company.

A simple, but useful, risk analysis formula defines risk as:

where vulnerability is how likely an attack is to succeed, threat is the likelihood of an attack, and cost is the total cost of a threat succeeding.

The link between threat and vulnerability can be confusing but is important to understand. If a high-rise office building is designed and built without any protection against earthquakes, then the office building has a vulnerability to earthquakes. The vulnerability alone, though, does not necessarily translate into risk for the people working in the office building. If the building is located in California, there is a significant threat of earthquakes, so a vulnerable building provides a great amount of risk. The same building located in Georgia, while being equally vulnerable to earthquakes, would have a lower risk since the threat of earthquakes in Georgia is much lower.

When evaluating routers, the vulnerability usually averages around the same level. Even though different routers may run different IOS versions, routers inherently trust other routers. They trust one another in order to exchange routing information, allowing them to correctly transfer packets and route around problems. Once a single router is compromised, this trust can be exploited to manipulate other routers on a network. For this reason, it is advantageous to assume that all routerrs on the network share the same level of vulnerability. This level should be equal to the vulnerability of the most vulnerable router on the network.

With the vulnerability equal, the differentiating factors become threat and cost. The threat to external routers is generally greater due to their visibility. Other routers may provide access to secured or trusted networks, and their compromise would cost much more than a router connected to a public lab or test area.

With these considerations in mind, some of the first routers that need to be secured and actively monitored are:

This chapter has explained what router security is and why it is vitally important. Routers provide one of the most fundamental functions on a network and are often installed and run with out-of-the-box security. When addressing router security, most administrators think about using access lists to turn off ping or Telnet. Digging further and asking about the specific measures taken to protect the routers themselves usually results in a blank stare or a statement such as, “Our routers don’t hold any critical data, and we have never had any security problems with them, so they must be secure.” The “we have never had any problems with them” argument sounds very powerful, especially to management and those who hold the purse strings. This chapter provides insight into why this is such a dangerous view.

The rest of this book discusses what it takes to harden a Cisco router; Appendix A provides a checklist that summarizes the steps necessary to harden a router and protect the network.