Network devices are continuously being compromised to set the stage for distributed denial-of-service attacks (DDoS) - leaving no enterprise, service provider, government agency or educational institution out of harm's way.
Consider this recent example. A CERT-issued report warned against intruders targeting routers for attack. Routers are a common target due to poor configuration management and the widespread usage of factory-default and other password types that are vulnerable to attack. As organizations struggle to understand the security vulnerabilities that exist within their network devices, IT managers need to recognize that just going out and purchasing a number of security products will not give their businesses the protection they need. They need to do something different. They must devise a plan and institute a process that mitigates security risks and minimizes loss.
Here are seven steps that network managers can implement today to increase the integrity of their networks. Though these steps are most powerful when used in concert, implementing any one of them will increase the security of your network:
1. Rapidly deploy fixes to network devices in response to newly identified security threats.
Almost half of all security breaches happen because available fixes were applied too late, or not at all. To reduce this risk, implement a process for quickly updating network devices when security vulnerabilities are discovered, whether by the vendor, CERT or another reliable source. This need was made quite clear by last summer's Code Red attacks, which infected hundreds of thousands of computer systems and crashed thousands of out-of-date Cisco DSL routers.
Code Red was not atypical - remember, almost half of all intrusions occur because existing fixes were not deployed. Organizations could have avoided Code Red vulnerabilities in their network devices by ensuring that they were updated with the latest software. Network administrators need to establish a set time period (x minutes/hours/days/weeks) within which security vulnerabilities will be corrected on all devices. Organizations should base this time period on their risk tolerance for network breaches that might occur before a fix is implemented. Keep centralized records and perform regular audits to measure adherence to this policy.
2. Use a different administrative password on every network
This past September a major service provider's network went down, taking thousands of customers with it. The attacker had discovered that the service provider had used the same password for thousands of individual devices - and used this knowledge to turn all of these devices into bricks. Using a single password across all devices compromises the entire network. Furthermore, using a single password leads to using the 'lowest common denominator'-strength password throughout your network. Do not decentralize password management among administrators; instead, maintain centralized control of passwords to ensure their availability even when individual administrators are unavailable or are no longer employed by the organization.
3. Schedule regular changes to network device passwords.
Determine the acceptable time period between password changes based on the cost and risk of security breaches to the organization. Develop the processes necessary to support that change schedule and to keep auditable records of changes. Recognize that changes must be more frequent for devices that only support low-strength passwords.
4. Immediately change passwords when employees leave
When an employee who knows the network device passwords leaves the company, change all of the passwords as quickly as
5. Maintain consistent security across the network.
Security is only as strong as its weakest link, so it is important to have consistently strong security across the network. Strong security at one Internet connection point and weaker security at, for example, a remote site results in a vulnerable network. Some sort of automated process or a purpose-built network security control system should be used to ensure that when changes are made, they are made consistently across similar network services. For example, most companies know that they must deactivate user passwords when employees leave the company; they also need to recognize that it is at least as important to change network device administrative passwords when network personnel leave.
6. Maintain a centralized repository of network devices on
Often organizations do not know the current state and configuration of all of the devices that are part of their network. A case in point - the Microsoft incident where routers went down and all online services were shut down. If Microsoft had kept a centralized repository of network device configurations, they would not have had to reconstruct device configurations from scratch - a task that consumed many hours and resources at the expense both of customers and reputation.
Companies need to maintain a repository of network device information (including their IP address, settings, software, passwords). There are 'discovery' tools that will crawl the network and identify the IP address of devices on the network. A network security control system can use this list of IP addresses to gather the other information needed for a usable repository. Use the network security control system to perform periodic audits of network devices to detect 'configuration drift,' i.e. changes to devices that were made outside of standard operating procedures. This is a quick and decisive way to catch both rogue employees and malicious outsiders.
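As an added illustration of the periodic audit described here (example code, not from the original article or from Ponte's software), the following Python script checks a constructed three-device repository for configuration drift against each device's approved baseline, and also flags the shared and stale administrative passwords that steps 2 and 3 warn about. Device names, addresses, configuration lines and credentials are all made up; a real deployment would pull the observed configurations from the devices and hold the credentials in the central password store rather than in a script.

```python
from datetime import date

# Constructed sample repository (step 6): names, addresses and credentials are all
# made up; a real vault would hold the credentials rather than a script.
def baseline_for(name):
    """Approved configuration for a device; IOS-style lines used only as sample text."""
    return (f"hostname {name}\nservice password-encryption\n"
            "no ip http server\nline vty 0 4\n transport input ssh\n")

REPOSITORY = {
    "10.0.0.1": {"name": "hq-edge-1", "admin_pw": "Hq!edge-7f3k", "last_pw_change": date(2002, 3, 1)},
    "10.0.1.1": {"name": "remote-1", "admin_pw": "cisco", "last_pw_change": date(2001, 6, 15)},
    "10.0.2.1": {"name": "remote-2", "admin_pw": "cisco", "last_pw_change": date(2001, 6, 15)},
}
AUDIT_DATE = date(2002, 4, 1)
# Configuration just pulled from each device; remote-1 was changed outside
# procedure, re-enabling HTTP management.
OBSERVED = {ip: baseline_for(d["name"]) for ip, d in REPOSITORY.items()}
OBSERVED["10.0.1.1"] = OBSERVED["10.0.1.1"].replace("no ip http server", "ip http server")

def config_drift(baseline, observed):
    """Lines present in only one of the two configs (order-insensitive)."""
    base, obs = set(baseline.splitlines()), set(observed.splitlines())
    return {"added": sorted(obs - base), "removed": sorted(base - obs)}

def shared_passwords(repo):
    """Step 2: each admin password used on more than one device, with those devices."""
    by_pw = {}
    for ip, dev in repo.items():
        by_pw.setdefault(dev["admin_pw"], []).append(ip)
    return {pw: ips for pw, ips in by_pw.items() if len(ips) > 1}

def stale_passwords(repo, today, max_age_days):
    """Step 3: devices whose admin password is older than the rotation policy allows."""
    return sorted(ip for ip, dev in repo.items()
                  if (today - dev["last_pw_change"]).days > max_age_days)

def audit(repo, observed, today, max_age_days=90):
    """One audit pass; returns findings as (device, kind, detail) tuples."""
    findings = []
    for ip, dev in repo.items():
        drift = config_drift(baseline_for(dev["name"]), observed.get(ip, ""))
        if drift["added"] or drift["removed"]:
            findings.append((ip, "config-drift", drift))
    for ips in shared_passwords(repo).values():
        findings.extend((ip, "shared-password", ips) for ip in ips)
    for ip in stale_passwords(repo, today, max_age_days):
        findings.append((ip, "stale-password", (today - repo[ip]["last_pw_change"]).days))
    return findings
```

Each finding names the device, so the same output can feed the change history that step 7 calls for.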
7. Track all changes to the network in a centralized
Given the importance of networks to businesses today, organizations need an automated and systematic means to track the state of their network. Fundamental to this is tracking all changes to the network (e.g. changes to firewall configuration and router firmware levels). This information should be kept in a secure central repository accessible to privileged administrators. If a security breach occurs and the organization needs to provide records to outside agencies - such as insurance companies, auditors or the courts - it's essential that historical records are available and current.
Mark Epstein is CTO and co-founder of Ponte Communications (www.ponte.com). Ponte provides network security control software that allows enterprises and managed service providers to centrally control network security policy.