In Webster’s dictionary the definition of hard is particularly relevant to the field of information security:
Not easily penetrated or separated into parts; not yielding to pressure.
By hardening a router, we make it difficult to penetrate and unyielding under the pressure of attacks. This chapter discusses why hardening network routers is one of the most important and overlooked aspects of Information Security. It will talk about what can go wrong when routers are left insecure and identify which routers are at the most risk from attack.
When asking about Information Security (InfoSec), most people immediately think about stolen credit cards, defaced web sites, and teenage hackers with names like B@D@pple. An InfoSec professional might extend the list to items like firewalls, Virtual Private Networks (VPNs), penetration testing, and risk analysis. What is almost never listed is router security—network security, yes, but never specifically router security. The distinction is important.
Network security is most often thought of as something that protects machines on a network. To do this, companies put up firewalls, configure VPNs, and install intrusion detection systems. Router security, however, involves protecting the network itself by hardening or securing the routers. Specifically, it addresses preventing attackers from:
Using routers to gain information about your network for use in an attack (information leakage)
Disabling your routers (and therefore your network)
Reconfiguring your routers
Using your routers to launch further internal attacks
Using your routers to launch further external attacks
Organizations spend hundreds of thousands of dollars on firewalls, VPNs, intrusion detection, and other security measures, and yet they run routers with out-of-the-box configurations. From personal experience, at least eight or nine out of every ten networks have routers that are vulnerable to one of the five preceding problems.
A layperson who is asked what the foundation of the Internet is will probably say the World Wide Web, with the explanation that it is what everyone uses. Ask an MCSE and you may get a claim about how everyone runs Windows. Ask a network engineer and you will get routers and the statement “nothing works without them.” Without routers there is no Web, no email, no Internet.
The fundamental piece of information on the Internet is the IP packet. A router’s primary function is to direct these packets. Therefore, routers truly work at the most basic and fundamental level of the Internet. Every network attached to the Internet is attached by a router. Some may be Linux boxes acting as routers, others may be firewalls also performing routing, but most will be dedicated Cisco routers. Current estimates indicate that 80 percent of the Internet runs on Cisco equipment.
Routers are not only the foundation of the Internet; they are the foundation of how your company communicates both externally and internally. Additionally, there is a strong trend toward converging voice, data, and even video into a single network running IP. With this push, routers are becoming the foundation of data, voice, and video communication. With this convergence, almost all of a company’s information will pass through routers, causing them to become extremely attractive targets.
Efforts to improve awareness about the importance of router security are not helped by the lack of media attention on incidents involving compromised routers. Why the lack of reported cases? There are two major reasons:
Routers are often used to provide attackers with valuable information about your network and servers rather than being the object of direct attack themselves.
Router compromises are much less likely to be detected.
Before any attack, hackers will gather as much information about a company, its network, and its servers as possible. The more information an attacker can get, the easier it is to compromise a site—knowledge is power. This type of information gathering is called footprinting, and routers are routinely used when footprinting a site. With default configurations, an attacker can query routers and map out entire networks, including subnets, addressing schemes, and redundant paths. With this information, an attacker can determine the most vulnerable locations on the network. Footprinting a site, however, is a tedious and unglamorous process. The media reports that it took a hacker 15 minutes to break into NASA; they don’t point out that the hacker spent 6 weeks gathering information before launching the attack.
Making matters worse, few organizations have any controls or monitoring on their routers. When asked, “How would you know if someone reconfigured your router?” the answer invariably comes back, “When it stops working.” Prodding further with a question about how to detect changes that kept the network functional but allowed an attacker to bypass a firewall usually gets a comment about how the intrusion detection system (IDS) would catch them. Pointing out that if a router were compromised, attackers could probably bypass the IDS finally induces concern. With the current lack of controls and auditing on routers, compromises will probably go unnoticed unless they disrupt service. Attacks that disrupt service are bad, but at least companies know something is wrong—they know they have been hacked. Attacks in which a hacker does not disable anything are the truly dangerous ones. Without adequate monitoring and auditing, no one knows the network has been compromised. An attacker can spend weeks or months monitoring all network traffic, gaining bank account numbers, client lists, or personnel records. This information could be sold to competitors, given to other hackers, or used to blackmail the company.
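The question “How would you know if someone reconfigured your router?” has a concrete answer: keep a saved baseline of each router’s configuration and compare it against the running configuration on a schedule, flagging changes to the commands that control who can reach or reconfigure the device. The following script is an added example for this chapter, not code from the book. Both configurations are constructed samples, and the list of sensitive command prefixes is an assumption about what an administrator would want flagged first; the “current” sample keeps the network working while quietly loosening the inbound filter, SNMP, and VTY access, which is exactly the class of change an outage-based detection never sees.

```python
"""Detect and triage changes between a saved baseline of a Cisco IOS
configuration and the configuration a router is currently running.

Added example for this chapter, not code from the book. Both configs are
constructed samples, and SENSITIVE_PATTERNS is an assumption about what
an administrator would want flagged first.
"""
import difflib
import hashlib
import re

# Constructed baseline: the configuration as saved at the last audit.
BASELINE_CONFIG = """\
hostname edge-router
enable secret 5 $1$EXAMPLE$PLACEHOLDERHASH
no ip source-route
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 101 in
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 permit tcp any host 192.0.2.10 eq 80
snmp-server community s3cr3t-ro RO
line vty 0 4
 access-class 10 in
 login
"""

# Constructed current configuration. Service still works, but the inbound
# filter now permits everything, the SNMP community became read-write, and
# the access-class restriction on the VTY lines is gone.
CURRENT_CONFIG = """\
hostname edge-router
enable secret 5 $1$EXAMPLE$PLACEHOLDERHASH
no ip source-route
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 101 in
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 permit ip any any
snmp-server community public RW
line vty 0 4
 login
"""

# Commands that decide who can reach, manage, or pass through the router.
# A change to any of these deserves immediate attention (assumed list).
SENSITIVE_PATTERNS = [
    r"^access-list\s", r"^\s*ip access-group\s", r"^\s*access-class\s",
    r"^enable (secret|password)\s", r"^snmp-server\s", r"^username\s",
    r"^line (vty|con|aux)\s",
]


def _lines(config: str) -> list:
    """Drop blank lines and trailing whitespace so cosmetic edits do not count."""
    return [line.rstrip() for line in config.splitlines() if line.strip()]


def config_fingerprint(config: str) -> str:
    """SHA-256 of the normalised config; store it and compare on a schedule."""
    return hashlib.sha256("\n".join(_lines(config)).encode()).hexdigest()


def diff_configs(baseline: str, current: str) -> dict:
    """Return added and removed lines, plus the subset touching sensitive commands."""
    base, cur = _lines(baseline), _lines(current)
    added, removed = [], []
    matcher = difflib.SequenceMatcher(None, base, cur)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(base[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(cur[j1:j2])
    flagged = [line for line in added + removed
               if any(re.match(p, line) for p in SENSITIVE_PATTERNS)]
    return {
        "changed": config_fingerprint(baseline) != config_fingerprint(current),
        "added": added,
        "removed": removed,
        "sensitive": flagged,
    }


if __name__ == "__main__":
    report = diff_configs(BASELINE_CONFIG, CURRENT_CONFIG)
    print("configuration changed:", report["changed"])
    for line in report["added"]:
        print("+", line)
    for line in report["removed"]:
        print("-", line)
    print("sensitive changes:", len(report["sensitive"]))
```

In practice the baseline is whatever was saved at the last audit and the current text comes from the router’s running configuration; the fingerprint is cheap enough to check hourly, and only when it differs does the line-level diff need to run. Normalising away blank lines and trailing whitespace keeps cosmetic edits from paging anyone, while the pattern list ensures that a new permit-all access list or a read-write SNMP community is reported separately from routine interface description changes.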
In modern warfare, a key strategy is to attack an enemy’s ability to communicate. The obvious attack disables an enemy’s ability to communicate. A subtler attack compromises, but does not disable, an enemy’s communications system. This type of compromise allows easy access to enemy plans, troop movement, and points of attack. The compromise also allows false information to be transmitted to the enemy, confusing them and leading them into traps.
All networked organizations are in a battle to protect their resources and information. Secure communication is as important for an organization’s survival as it is in military warfare. Routers are the communication medium for an organization and the consequences of their compromise can be disastrous. By compromising an organization’s routers, an attacker can:
Those who have experienced significant network outages can understand the loss of productivity and revenue this causes. Imagine how long it would take to fix the network if attackers disabled password recovery, changed the routers’ passwords, and deleted the configurations.
Routers can give attackers a foothold into your internal network. By taking control of routers, attackers can often bypass intrusion detection systems, use the routers to gain access to trusted networks, and avoid or confuse any logging and monitoring used on the network.
Hackers like to hide their tracks. They do this by breaking into several networked systems and use those systems to launch other attacks. When attacks pass through six or seven servers, they can be hard to trace. Since routers usually have less protection and logging than servers, attacking through six or seven routers can be extremely difficult and costly to investigate. For organizations with insecure routers and no monitoring, an attacker will leave little or no trace.
Compromised routers allow an attacker to reroute network traffic. Attackers can then monitor, record, and modify the redirected traffic. Imagine the effects of several weeks’ worth of online orders being redirected to a competitor or, worse, online financial transactions being rerouted to a bank somewhere in Nigeria.
A simple, but useful, risk analysis formula defines risk as:
Risk = vulnerability × threat × cost
The link between threat and vulnerability can be confusing but is important to understand. If a high-rise office building is designed and built without any protection against earthquakes, then the office building has a vulnerability to earthquakes. The vulnerability alone, though, does not necessarily translate into risk for the people working in the office building. If the building is located in California, there is a significant threat of earthquakes, so a vulnerable building provides a great amount of risk. The same building located in Georgia, while being equally vulnerable to earthquakes, would have a lower risk since the threat of earthquakes in Georgia is much lower.
When evaluating routers, the vulnerability usually averages around the same level. Even though different routers may run different IOS versions, routers inherently trust other routers. They trust one another in order to exchange routing information, allowing them to correctly transfer packets and route around problems. Once a single router is compromised, this trust can be exploited to manipulate other routers on a network. For this reason, it is advantageous to assume that all routers on the network share the same level of vulnerability. This level should be equal to the vulnerability of the most vulnerable router on the network.
With the vulnerability equal, the differentiating factors become threat and cost. The threat to external routers is generally greater due to their visibility. Other routers may provide access to secured or trusted networks, and their compromise would cost much more than a router connected to a public lab or test area.
With these considerations in mind, some of the first routers that need to be secured and actively monitored are:
Gateway routers that connect your network to the Internet
Routers that are part of a firewall
Routers that are connected to a trusted or secure network
Routers that perform packet filtering
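A worked run of the risk formula and the prioritisation argument above, as an added example rather than anything from the book. The router inventory, the 1–5 scales for threat and cost, and the weights given to each role are constructed assumptions. The script ranks the same inventory twice: once scoring each router with its own vulnerability, and once with vulnerability pinned to the worst router on the network, which is what the trust argument calls for. The difference between the two rankings is the point of the exercise.

```python
"""Rank routers by Risk = vulnerability x threat x cost.

Added example for this chapter, not code from the book. The inventory,
the 1-5 scales and the scoring weights are constructed assumptions.
Because routers trust one another, the chapter argues that every router
should be scored with the vulnerability of the most vulnerable router;
rank_routers() can do either, so the effect of that rule is visible.
"""
from dataclasses import dataclass


@dataclass
class Router:
    name: str
    vulnerability: int               # 1 = hardened .. 5 = out-of-the-box config
    internet_gateway: bool = False   # connects the network to the Internet
    firewall_member: bool = False    # part of a firewall
    trusted_network: bool = False    # attached to a trusted or secure network
    packet_filtering: bool = False   # enforces access lists for other systems


def threat_score(r: Router) -> int:
    """Threat on a 1..5 scale: Internet-visible routers draw far more attention."""
    score = 1
    if r.internet_gateway:
        score += 3
    if r.firewall_member:
        score += 1
    return min(score, 5)


def cost_score(r: Router) -> int:
    """Cost of compromise on a 1..5 scale: highest where a router opens a
    trusted network or removes filtering that other controls rely on."""
    score = 1
    if r.trusted_network:
        score += 3
    if r.packet_filtering or r.firewall_member:
        score += 1
    return min(score, 5)


def rank_routers(routers, share_vulnerability=True):
    """Return (name, risk) pairs sorted highest risk first.

    With share_vulnerability=True every router is scored with the worst
    vulnerability in the inventory, as the chapter recommends; with False
    each router keeps its own score, for comparison."""
    worst = max(r.vulnerability for r in routers)
    ranked = []
    for r in routers:
        vuln = worst if share_vulnerability else r.vulnerability
        ranked.append((r.name, vuln * threat_score(r) * cost_score(r)))
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


# Constructed inventory. The lab router is the only one still running an
# out-of-the-box configuration; the edge gateway has been partly hardened.
INVENTORY = [
    Router("edge-gw", vulnerability=2, internet_gateway=True, packet_filtering=True),
    Router("fw-router", vulnerability=3, firewall_member=True,
           packet_filtering=True, trusted_network=True),
    Router("finance-core", vulnerability=5, trusted_network=True),
    Router("lab-router", vulnerability=5),
]


if __name__ == "__main__":
    print("Each router scored with its own vulnerability:")
    for name, risk in rank_routers(INVENTORY, share_vulnerability=False):
        print(f"  {name:<14} risk={risk}")
    print("Vulnerability shared from the worst router (lab-router):")
    for name, risk in rank_routers(INVENTORY):
        print(f"  {name:<14} risk={risk}")
```

With each router scored on its own, the partly hardened Internet gateway sits behind the finance core. Once the lab router’s default configuration is taken to set the vulnerability for everyone, the gateway moves ahead of it, and the resulting order (firewall router, Internet gateway, router on the trusted network, lab router) matches the list of first candidates for hardening given above. The lab router itself, despite being the most vulnerable device, stays last because both its threat and its cost are low.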
This chapter has explained what router security is and why it is vitally important. Routers provide one of the most fundamental functions on a network and are often installed and run with out-of-the-box security. When addressing router security, most administrators think about using access lists to turn off ping or Telnet. Digging further and asking about the specific measures taken to protect the routers themselves usually results in a blank stare or a statement such as, “Our routers don’t hold any critical data, and we have never had any security problems with them, so they must be secure.” The “we have never had any problems with them” argument sounds very powerful, especially to management and those who hold the purse strings. This chapter provides insight into why this is such a dangerous view.
The rest of this book discusses what it takes to harden a Cisco router; Appendix A provides a checklist that summarizes the steps necessary to harden a router and protect the network.