This tip, courtesy of SearchNetworking.com, emphasizes the importance of using multiple simple layers of protection...
to protect your customer's network from exploits. Networking consultants and value-added resellers (VARs) can use this advice to learn best practices for securing a Cisco router.
In August, 2005, researcher Michael Lynn disclosed the exploitation of a Cisco IOS vulnerability at the Black Hat conference in Las Vegas This incident reminded us that network infrastructure is critical to our country and our businesses, and poor router security could have catastrophic consequences. It also shows the vulnerability in a trend I've been predicting for years: running more applications on routers and switches.
You may or may not realize that unless you've disabled it (and depending on what version of IOS), your Cisco router (and most others) is running a Web server, an FTP server, a TFTP server, a telnet server, and a raft of others, plus listening for network protocol advertisements like OSPF "Hellos" or Spanning Tree's BPDUs. And Cisco's spiffy new AON stuff will be placing an unprecedented number of applications on the router.
What all this means of course, is that there are more lines of code running on the router to exploit, so it's more important than ever to secure your router. As the article states, imagine the consequences of a worm exploiting a bug to infect all your routers!
Something you might not have considered though, is the consequence of multi-function devices in your network architecture. For example, if you use a Cisco 6509 as a router/switch, and install a Firewall Services Module (FWSM) and configure the different zones as different VLANs on the 6509, then it's critical that you understand this: no matter how great the Adaptive Security Algorithm in the PIX/FWSM is, if somebody exploits a bug in the router to gain access to the exec prompt, they can route themselves around the firewall, bypassing all your protection entirely.
So the best way to protect yourself has always been to use multiple simple layers of protection:
- Keep up with Cisco's bug and patch releases and update your routers' Software as soon as possible.
- Don't forget to update the firmware too.
- Use Access-Control Lists to block all traffic to the router or switch console except for administrative access from a specific IP address.
- Restrict SNMP access to specific IP addresses.
- Turn off any unnecessary processes and protocols on your routers and switches.
- Place intrusion detrection systems (IDS) at strategic locations in your network.
- Perform regular health checking to make sure the config hasn't changed since the last time YOU changed it, and check the logs regularly.
About the author
Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years of experience in the networking industry. He is co-author of several books on networking, most recently, CCSP: Secure PIX and Secure VPN Study Guide, published by Sybex.
This tip originally appeared on SearchNetworking.com.