Halfway through the Critical Security Controls, number eleven addresses the configuration of network devices. The perimeter defenses you rely on, firewalls, routers, switches, wireless access points, etc… are just as vulnerable and just as much a target of attack as anything behind them. Much like maintaining a consistent security configuration for your servers and workstations, as CSC 3 states, the same should be done for your network devices. Although network devices are less numerous and not accessed as regularly as a server is, they can open the doors to your environment just as easily.
Here’s what the control says –
Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
Network components are more stringent and confined than a server. The devices are built by the vendors and by design prevent modifications, unlike a Windows server you built yourself. There are pros and cons to these limitations, and the biggest risk is how the devices are made. To build as many devices as they can, vendors use the same core configuration for every unit. Fresh off the truck, each device has the same default account names, mostly the same passwords, the same port settings, loose security and so on. This lets the vendor lay down one operating system image over and over again. The downside is that the basic attack vectors are printed in the user manual.
The first step with any ‘store bought’ network device is to change every default username and password you can. Change the administration ports, rename the devices, turn off what you don’t need, etc… Make the device not match the manual.
There are far more stringent practices that need to be implemented for your network devices.
- Stay up to date with vendor/manufacturer updates. Most security or feature fixes can only come from the vendor through firmware updates. Recent failures show how at times you are at the mercy of a vendor’s ability to repair its devices. In some cases the safest answer might be to turn the devices off until a fix is released. Are you prepared for that?
- Work with the vendor to get the most out of your configuration. They built it and they know it best. Spend the money to have the vendor review your network configurations to ensure you didn’t miss something. This is a good investment; you can’t afford to leave one setting in the wrong position.
- Test, test, test your configurations. Stress tests, penetration tests and vulnerability scans are all needed to confirm your security configurations are working. Once exposed to live traffic, one of the many bots will eventually scan it for you.
- Audit and verify your configurations at least quarterly. Impose stringent change control around every change to a network device.
- Grant access strictly on a need-to-access basis. If you only need HTTPS, don’t use an ALL Protocol setting. If you don’t need it on a specific IP or port, don’t allow it. Blanket rules are lazy, and the risk they carry is impossible to assess.
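The "make it not match the manual" and "no blanket rules" points above are easy to check mechanically. What follows is an added example, not code from the original post: a small auditor that reads a Cisco-IOS-style running configuration and flags the factory defaults and ALL-protocol rules the post warns about. The sample configs, the default-credential lists and the rule names are all constructed for illustration; the lists are a starting point you would extend from your own vendor's manual.

```python
"""Audit a network-device config for settings that still match the manual.

Added example, not from the original post. The configs below are
constructed; the default-credential sets are a hypothetical starting point.
"""
import re
from typing import List, Tuple

# Constructed sample: a device that "worked when we plugged it in" and was
# then left alone.
SAMPLE_CONFIG = """\
hostname Router
enable password cisco
username admin password 0 admin
snmp-server community public RO
ip http server
no ip http secure-server
line vty 0 4
 transport input telnet ssh
 login local
access-list 100 permit ip any any
access-list 101 permit tcp any host 10.0.0.5 eq 443
"""

# Constructed sample of the same device after the defaults were removed:
# renamed, hashed secrets, SSH-only management, and one HTTPS-only rule
# instead of "permit ip any any". The hash values are placeholders.
HARDENED_CONFIG = """\
hostname edge-rtr-01
enable secret 9 $9$placeholderhash
username netops secret 9 $9$anotherplaceholder
no ip http server
ip http secure-server
line vty 0 4
 transport input ssh
 login local
access-list 101 permit tcp any host 10.0.0.5 eq 443
"""

# Hypothetical vendor defaults to reject; extend per vendor manual.
DEFAULT_USERNAMES = {"admin", "cisco", "root", "administrator"}
DEFAULT_SECRETS = {"admin", "cisco", "password", "public", "private"}
DEFAULT_HOSTNAMES = {"router", "switch", "firewall"}

Finding = Tuple[str, str]  # (severity, message)


def audit_config(config: str) -> List[Finding]:
    """Return one (severity, message) per default or blanket setting found."""
    findings: List[Finding] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Device still carries the factory name.
        m = re.match(r"hostname\s+(\S+)$", line)
        if m and m.group(1).lower() in DEFAULT_HOSTNAMES:
            findings.append(("medium", f"default hostname kept: {m.group(1)}"))
        # Local accounts using a default username or password. The optional
        # digit is the IOS encryption-type field (0 = plaintext, 5/8/9 = hashed).
        m = re.match(r"username\s+(\S+)\s+(?:password|secret)\s+(?:\d\s+)?(\S+)", line)
        if m:
            user, secret = m.group(1), m.group(2)
            if user.lower() in DEFAULT_USERNAMES:
                findings.append(("high", f"default username in use: {user}"))
            if secret.lower() in DEFAULT_SECRETS:
                findings.append(("high", f"default password on user {user}"))
        m = re.match(r"enable\s+(?:password|secret)\s+(?:\d\s+)?(\S+)", line)
        if m and m.group(1).lower() in DEFAULT_SECRETS:
            findings.append(("high", "enable password is a vendor default"))
        # SNMP community strings printed in every manual.
        m = re.match(r"snmp-server\s+community\s+(\S+)", line)
        if m and m.group(1).lower() in DEFAULT_SECRETS:
            findings.append(("high", f"default SNMP community: {m.group(1)}"))
        # Management services you don't need: plaintext HTTP and telnet.
        if line == "ip http server":
            findings.append(("medium", "plaintext HTTP management enabled"))
        if line.startswith("transport input") and "telnet" in line.split():
            findings.append(("medium", "telnet allowed on a vty line"))
        # Blanket ALL-protocol rule: permit ip any any.
        m = re.match(r"access-list\s+(\d+)\s+permit\s+ip\s+any\s+any", line)
        if m:
            findings.append(("high", f"blanket permit ip any any in ACL {m.group(1)}"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    order = {"high": 2, "medium": 1, "low": 0}
    return max((sev for sev, _ in findings), key=order.get, default="none")


if __name__ == "__main__":
    for name, cfg in (("default", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"{name}: {len(result)} finding(s), worst = {worst_severity(result)}")
        for sev, msg in result:
            print(f"  [{sev.upper():6}] {msg}")
```

Run it against a config pulled from the device (not the one you think you deployed) as part of the quarterly audit; the HTTPS-only rule in ACL 101 passes while the ALL-protocol rule in ACL 100 is what the "if you only need HTTPS" point is about.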
How Could It Be Exploited
Hacking 101 is to try the default configurations and accounts to access a device. Devices are built and sold so that most of the time they will work the moment you plug them in. Teams and companies that lack the skills to work with the devices, or are too busy or too lazy to, will be the first to get compromised.
The next approach is a network scan, poking and prodding to find any open address, allowed protocol or missed setting that was left open. Getting in through a side door could let an attacker take over a device and move laterally through your network to something more sensitive.
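The scan an attacker runs is the same scan you should be running from outside your perimeter, and the defender's version has an extra step: compare what is actually reachable with what change control says should be reachable. The following is an added example, not code from the original post. It parses nmap's grepable (`-oG`) output and reports every open port that is not on the documented exposure list for that host. The scan lines and the allow-list are constructed for illustration.

```python
"""Compare what a scanner sees with what the firewall is supposed to allow.

Added example, not from the original post. SAMPLE_SCAN and ALLOWED are
constructed; feed in a real `nmap -oG` file from outside the perimeter.
"""
from typing import Dict, List, Set, Tuple

Exposure = Tuple[str, str, int]                  # (host, proto, port)
PortEntry = Tuple[str, int, str, str]            # (proto, port, state, service)

# Constructed nmap -oG lines for two addresses in the documentation range.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -sS -sU -p- -oG edge.gnmap 203.0.113.0/28
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (65532)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 23/open/tcp//telnet///, 161/open|filtered/udp//snmp///\tIgnored State: closed (65533)
# Nmap done at ...
"""

# What change control approved for exposure to the outside. Anything else
# that answers is a missed setting or an unapproved change.
ALLOWED: Set[Exposure] = {
    ("203.0.113.10", "tcp", 443),
}


def parse_grepable(text: str) -> Dict[str, List[PortEntry]]:
    """Return {host: [(proto, port, state, service), ...]} from -oG output."""
    result: Dict[str, List[PortEntry]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # Fields on a -oG line are tab-separated; the Ports field holds
        # comma-separated entries of the form port/state/proto/owner/service/rpc/version/
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            entry = entry.strip()
            if not entry:
                continue
            fields = entry.split("/")
            port, state, proto, service = int(fields[0]), fields[1], fields[2], fields[4]
            result.setdefault(host, []).append((proto, port, state, service))
    return result


def unexpected_exposure(scan: str, allowed: Set[Exposure]) -> List[Tuple[str, str, int, str, str]]:
    """Every (host, proto, port, state, service) that answered but was not approved.

    'open|filtered' (typical for UDP) is treated as open: the scanner could not
    prove it closed, so neither can you.
    """
    findings = []
    for host, entries in parse_grepable(scan).items():
        for proto, port, state, service in entries:
            if not state.startswith("open"):
                continue
            if (host, proto, port) not in allowed:
                findings.append((host, proto, port, state, service))
    return sorted(findings)


def missing_exposure(scan: str, allowed: Set[Exposure]) -> List[Exposure]:
    """Approved services the scan did not see open: a service down, or a scan
    source that the device quietly blocked, either of which you want to know."""
    seen = {(h, proto, port)
            for h, entries in parse_grepable(scan).items()
            for proto, port, state, _ in entries if state.startswith("open")}
    return sorted(allowed - seen)


if __name__ == "__main__":
    for host, proto, port, state, service in unexpected_exposure(SAMPLE_SCAN, ALLOWED):
        print(f"UNEXPECTED {host} {proto}/{port} {state} ({service})")
    for host, proto, port in missing_exposure(SAMPLE_SCAN, ALLOWED):
        print(f"NOT SEEN   {host} {proto}/{port} (approved but not reachable)")
```

Wire the allow-list to the same change-control record that approves firewall rules, so that a port which appears in the scan without a matching ticket is the finding, regardless of whether anyone thinks the service is harmless.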
Everything connected to a device is just as important as the next. Don’t relax your attitude toward a test file server just because it’s connected through the same router as your production SQL server. It all ties together, and one little missed or overlooked configuration is all an attacker needs.
This control is number 11 in the top 20 but should be put in the same program with the same urgency as number 3. All configurations should be managed equally and at the strictest priority. Do that and you are covered end to end.
End of line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.