Router Security Features

An SMB's routers and network switches, just like network hosts (servers and workstations), are a potential target for hackers and inside intruders. A router is not a direct repository of an SMB's confidential information in the form of financial statements, minutes from board meetings, memos outlining a business strategy, or e-mail databases, but, potentially, all of that information could pass through a router while being accessed or transferred across the network. This is another case for VPN deployment.

By manipulating a router's routing tables, packets carrying confidential data could be redirected to a compromised subnet and captured for future decoding. If the information in the packets is not encrypted, it is almost as easy as lifting the files off a server or a workstation.

In addition, by their nature, routers must understand the topology of the internetwork in which they operate. The routing tables on a single router in a multirouter environment might not reveal the entire network topology, unless of course the network is small. However, addresses of the neighboring routers and devices on subnets interconnected by a compromised router can be easily gleaned by examining a router's routing tables.

After a single router is compromised on the network, the neighboring routers might potentially become victims as well, eventually leading an attacker to the discovery of the entire network topology. An understanding of the network topology, in turn, can easily reveal any other weak spots in the network that could be further exploited. As mentioned in Chapter 4, the goal of the outside hacker is to become an insider. An IDS solution can be of assistance in blocking such access by detecting traffic anomalies.

A compromised router can also become a source of an all-out DoS attack or intermittent performance problems on an SMB's network. Although routers have emerged from obscurity into the mainstream during the past decade, there might be a growing tendency to treat them as just a box that directs traffic to appropriate destinations. Even if a security solution concentrates on the more glamorous aspects of network security—like firewalls, IDSes, or even VPNs—it is critical that all of the router security features be fully utilized as well, especially if some of those other solutions have not been implemented.

Router Security Deployment Considerations

Because routers represent a fundamental building block of the global Internet as well as of corporate networks, router security features should be well understood and deployed to the maximum. Routers typically represent the first line of defense for an SMB's internal network, and there is no excuse for leaving them vulnerable to attack by not configuring them to be as secure as possible.

Cisco routers come with a variety of security features. When such features are properly configured, they offer a significant barrier to anyone trying to hack a router. The following are the minimum elements of router security:

  • Use of strong passwords and privilege levels

  • Configuration of effective access control lists (ACLs)

  • Use of the new Authentication, Authorization, and Accounting (AAA) features (aaa new-model commands)

Password Protection and Privilege Levels

Passwords represent the first line of defense on a Cisco router. Unfortunately, unauthorized users can frequently discover a user/password combination for line access (console, Telnet via one of the VTY lines, or modem via the AUX port) through social engineering or outright bad security practices, such as writing passwords down. It thus becomes critical that a router's configuration be protected through the strongest available technique, which is the use of the enable secret IOS command. Enable secret uses the Message Digest 5 (MD5) hash that, given the current state of technology, is supposedly not reversible.

The reason for encrypting the enable mode password is to ensure that if the configuration file that is stored externally or printed out is somehow compromised by falling into the wrong hands, at least the privileged access to the router will still be protected despite the fact that the attacker might understand how the router is configured. However, using the MD5 hash for enable password encryption is effective against a determined hacker only if the password that has been chosen is a strong, random one.

Common passwords, even if hashed with MD5, can be recovered through brute-force dictionary attacks, in which the hash of the password from the compromised configuration file is compared against the hashes of all of the words that can be found in a dictionary of a given language or multiple languages. The enable password and the service password-encryption IOS commands are weaker implementations of password security than enable secret.

Cisco routers offer privilege access levels ranging from 0 (lowest) to 15 (highest). Only privilege Levels 0, 1, and 15 are configured by default. The enable secret command, by default, is intended to protect access to Level 15. All configuration and show commands are available from Level 15, thus allowing full control over a router. Levels 0 and 1 offer only a limited set of commands.

Privilege levels facilitate distribution of router configuration and administration between multiple individuals with varied levels of responsibility and capability. By configuring the privilege levels, certain nondisruptive commands (a group of show commands, for example) that are available at Level 15 might be permitted at lower levels for the purpose of allowing router administration to be shared by more than one person.

Whether or not the implementation of privilege levels is even desirable needs to be determined as a function of the SMB's network administration and security policies. If only a single individual manages the SMB's network, and this individual requires access to Level 15, the configuration of privilege levels is perhaps superfluous. But when multiple individuals performing different functions are involved in legitimate router access and management, use of the privilege levels is highly recommended. Before implementing privilege levels, a designer who is familiar with router capabilities should determine which individuals need which level of access to the SMB's routers.
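The following IOS configuration fragment, added here as an illustration and not taken from the original text, shows the weak enable password setting beside the enable secret form the section recommends, together with a Level 5 operator profile that exposes a handful of show commands. The account names, interface and password placeholders are assumptions; replace every placeholder with a long, random string.

```cisco
! Weak: enable password is stored in clear text, or, with service
! password-encryption, as the reversible type 7 form. Either is recoverable
! from a leaked or printed configuration file.
enable password Cisco123
!
! Stronger: enable secret stores an MD5 hash (type 5 in the running
! configuration). Remove the weak form so that it cannot linger alongside.
no enable password
enable secret <LONG-RANDOM-STRING>
!
! Obfuscate the remaining line and username passwords so that they do not
! appear in clear text in an exported configuration (still weaker than secret).
service password-encryption
!
! Privilege Level 5: a nondisruptive subset of show commands for an operator
! who must not be able to change the configuration.
privilege exec level 5 show ip interface brief
privilege exec level 5 show ip route
privilege exec level 5 show logging
enable secret level 5 <ANOTHER-RANDOM-STRING>
!
! Local accounts bound to privilege levels (hypothetical names).
username netops privilege 5 secret <RANDOM-STRING>
username admin privilege 15 secret <RANDOM-STRING>
!
! Require a local username/password on the console and the VTY lines.
line console 0
 login local
line vty 0 4
 login local
```

Once enable secret is set it takes precedence over enable password, and the configuration shows only the hash; the operator logging in as netops lands at Level 5 and can run the listed show commands without being able to reach configuration mode.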

Access Control Lists

The subject of ACLs on Cisco routers could be the subject of an entire publication. ACLs are available for different protocol suites, including TCP/IP, IPX, AppleTalk, DECnet, as well as Layer 2 bridging. In TCP/IP networks, the commonly used IP standard and extended ACLs are only a small subset of all of the ACLs available on a Cisco router. The IP extended ACLs allow for inbound and outbound filtering based on the parameters in the IP and TCP headers, which allow for the creation of complex filters. However, even the most sophisticated extended static ACLs cannot match the stateful filtering that takes place on a firewall.

Static ACLs examine packets in isolation and do not detect aggregate traffic patterns. However, ACLs can still be deployed as a security measure on a Cisco router. Network and security administrators need to remember that malicious hackers are not the only threats to the SMB networks; ACLs can be quite effective against curiosity seekers and amateur hackers who do not have the necessary technical expertise to get past them.

Several categories of ACLs are available that add incremental degrees of effectiveness to the ACL approach of securing network access:

  • Dynamic ACLs—Create a temporary entry as a result of a valid user authentication. When the session initiated by the authenticated user is finished, the temporary entry is removed from the list.

  • Reflexive ACLs—Create an entry that permits inbound traffic in response to an outside connection.

  • Context-based ACLs—Support applications that rely on the use of multiple ports, typically multimedia applications, including VoIP.
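The configuration below, an added example rather than text from the book, puts the three ACL categories side by side with a plain extended ACL, so the incremental difference is visible. Interface names, list names and the 192.0.2.0/24 addresses are constructed for the illustration; the reflexive and context-based forms are placed on different interfaces because only one inbound ACL can be applied to a given interface.

```cisco
! 1. Static extended ACL plus reflexive entries on the Internet link.
!    Outbound sessions create temporary return entries that the inbound
!    list evaluates; they expire when the session ends or the timeout lapses.
ip access-list extended TO-INTERNET
 permit tcp any any reflect TCP-SESSIONS timeout 300
 permit udp any any reflect UDP-SESSIONS timeout 60
!
ip access-list extended FROM-INTERNET
 evaluate TCP-SESSIONS
 evaluate UDP-SESSIONS
 ! static rule: SMTP to the mail server only, everything else dropped and logged
 permit tcp any host 192.0.2.25 eq smtp
 deny   ip any any log
!
interface Serial0/0
 ip access-group TO-INTERNET out
 ip access-group FROM-INTERNET in
!
! 2. Dynamic (lock-and-key) ACL on a second link. A user who authenticates
!    to the router by Telnet receives a temporary entry for the source host;
!    it is removed after 5 idle minutes or 120 minutes in total.
username remote-admin privilege 1 secret <RANDOM-STRING>
access-list 110 permit tcp any host 192.0.2.1 eq telnet
access-list 110 dynamic ADMIN-TEMP timeout 120 permit ip any 192.0.2.0 0.0.0.255
!
interface Serial0/1
 ip access-group 110 in
!
line vty 0 4
 login local
 autocommand access-enable host timeout 5
!
! 3. Context-based access control on a third link: inspection of outbound
!    sessions opens the return path, including the secondary channels that
!    multi-port protocols such as H.323 negotiate.
ip inspect name SMB-INSPECT tcp
ip inspect name SMB-INSPECT udp
ip inspect name SMB-INSPECT h323
!
interface Serial0/2
 ip inspect SMB-INSPECT out
```

The static deny at the end of FROM-INTERNET is what the section means by examining packets in isolation: without the evaluate lines, return traffic for internal users' own sessions would be dropped together with everything else.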

New Model AAA Features

The new model AAA features on a Cisco router allow the use of external servers like TACACS+, RADIUS, or Kerberos for user authentication, authorization, and accounting functions. The advantage of an external server is the centralization of AAA services.

As the number of routers in an internetwork increases, local password administration simply does not scale and is prone to errors, thus posing a greater security risk. TACACS+ is a Cisco proprietary protocol. TACACS+ is often preferred in Cisco environments and is generally considered to be more mature and robust than the open standard RADIUS that is specified in RFC 2865.

In addition to facilitating user authentication and authorization, a useful security feature that can be configured using TACACS+ is the logging of all of the keystrokes typed into a router. Thus, when any configuration or show commands are executed on a router—even if legitimately so—they can be logged for future reference should there be a need to reconstruct events leading to a security or misconfiguration incident. Naturally, if a router is hacked for a malicious purpose, the attacker could disable the keystroke logging. But even so, the logs preceding the hack could offer clues about who was responsible for the hack. The new model AAA is another router security element that raises the bar for potential hackers or internal intruders.
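As an added example (not from the original text), the following fragment turns on the new model AAA, points authentication, authorization and accounting at a TACACS+ server, and enables the per-command accounting that provides the keystroke log described above. The server address, shared key and account name are placeholders; the local entries are the fallback used only when no TACACS+ server answers.

```cisco
aaa new-model
!
! TACACS+ server and shared key (placeholders); list a second server for
! redundancy in a production configuration.
tacacs-server host 192.0.2.10
tacacs-server key <SHARED-SECRET>
!
! Authenticate logins and enable access against TACACS+, falling back to
! the local database (or the local enable secret) only if no server responds.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Authorize the EXEC session and each command at Levels 1 and 15 centrally.
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Accounting: record each session start/stop and every command entered,
! which is the command log that lets an incident be reconstructed later.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Local fallback administrator for when every TACACS+ server is unreachable.
username admin privilege 15 secret <RANDOM-STRING>
```

Because the method lists are named default, they apply to the console, AUX and VTY lines without further per-line configuration. Since an attacker with full access could disable the accounting lines, the TACACS+ server's own logs, kept off the router, remain the record of what was typed up to that point.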

Implementing Routing Protocols Security

Routing updates that are exchanged between neighboring routers carry information pertaining to the network topology. They allow routers to maintain accurate routing tables, choose optimal paths for sending packets to their destinations, and respond quickly (converge) to any changes in the network topology, like a failure of other routers in the network. Someone who understands the network topology even without having configuration access to the routers can potentially cause a great deal of damage to the network or gain access to unauthorized information passing through a router.

If router access is protected so there is minimal or no possibility of an attacker being able to alter the routing protocol configuration or to configure static routes, one way to manipulate the routing updates (and, consequently, other routers' routing tables) is through the introduction of a new router into the network. This obviously might require physical access to the network, but if such access is gained, a new router in the internetwork configured with a malicious intent can corrupt routing tables for the entire internetwork.

This is where the security feature that allows for the authentication of routing updates comes in. If the authentication is configured for whatever routing protocol is used in the network (OSPF, Routing Information Protocol [RIP], Interior Gateway Routing Protocol [IGRP] or Enhanced IGRP [EIGRP]), routers will exchange updates only with their trusted neighbors, and the introduction of a new router that could introduce malicious routes to divert the traffic elsewhere is not going to have the desired effect.
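To show what routing-update authentication looks like in practice, here is an added configuration example (not from the original text) that enables MD5 authentication for OSPF, EIGRP and RIP version 2 on one router. Neighbors must carry the same key identifier and key string on the shared link; the addresses, process numbers, interface names and key-string placeholder are assumptions.

```cisco
! Key chain shared with trusted neighbors (key string is a placeholder).
key chain ROUTING-AUTH
 key 1
  key-string <SHARED-SECRET>
!
! OSPF: enable MD5 authentication for area 0 and key each interface.
router ospf 1
 network 10.1.0.0 0.0.255.255 area 0
 area 0 authentication message-digest
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip ospf message-digest-key 1 md5 <SHARED-SECRET>
!
! EIGRP autonomous system 100, using the key chain above.
router eigrp 100
 network 10.2.0.0 0.0.255.255
!
interface FastEthernet0/1
 ip address 10.2.1.1 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 ROUTING-AUTH
!
! RIP version 2 with the same key chain.
router rip
 version 2
 network 10.3.0.0
!
interface FastEthernet1/0
 ip address 10.3.1.1 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain ROUTING-AUTH
```

A router plugged into any of these segments without the matching key never forms an adjacency, so the routes it advertises are ignored; if adjacencies unexpectedly drop after the change, the usual cause is a key identifier or key string that does not match on one side of the link.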
