5.4. Hardening Network Devices

The discussions up to this point have dealt with how to establish security baselines and update operating systems. We've also briefly discussed filesystems. The next sections deal with keeping your network devices up-to-date. The routers, gateways, firewalls, and other devices that run the network are also vulnerable to attack.

We'll look at how to update and configure your network devices. The focus will be on applications and routers, with coverage of other devices as they apply to this topic.

5.4.1. Updating Network Devices

As a security administrator, you should make sure that software for devices such as routers and switches is kept up-to-date. These devices usually contain a ROM-based (read-only memory) OS and applications. They may also have floppy drives and CD drives that you can use to update their software.


Make sure you periodically visit the manufacturers' websites for the devices in your network and regularly apply the updates that they publish.

Routers are your front line of defense against external attacks. New exploits and methods to attack network devices are being introduced as quickly as new features are released. Fortunately, most network devices have a limited scope of function, unlike general-purpose servers. This narrow scope allows manufacturers to improve network device security rather quickly.

Many of these devices contain proprietary operating systems to manage the functions in the router. Devices such as hubs and switches are generally preconfigured out of the box, though most higher-end switches allow configuration options to be established. Firewalls, on the other hand, provide the primary screening of network traffic once the data has passed through the router. Firewalls are constantly being upgraded to allow increased sophistication and capability.

Routers have become increasingly complex, as have firewalls and other devices in your network. If they aren't kept up-to-date, they will become vulnerable to new attacks or exploits.

Many of the newer routers also allow you to add and expand features. Some of these features deal with security and access. You should make sure your network is kept up-to-date. Network device manufacturers upgrade the functionality of their equipment to deal with new threats and protocols on a regular basis; these upgrades are sometimes free. When a new option is released, an entire upgrade of the firmware may be needed. If such an upgrade is needed, you'll be charged for it in most cases.

Many router manufacturers provide service for their routers piece by piece. They allow the buyer to mix and match the specific protocols, capabilities, and functionality to suit the mission the equipment is being used to accomplish. In some cases, the basic router may only cost $1,000, but the upgrades and feature packs to add additional features may cost thousands more. The advantage is that customers can configure equipment with only the options they need, and they can upgrade at a later time when they need to do so.

5.4.2. Configuring Routers and Firewalls

Many ISPs and other providers will work with you to install and configure the features you need for your network. These features can usually be implemented using either a web-based interface or a terminal-based interface. Proper configuration of these devices is essential to ensure that your network operates smoothly and efficiently. Routers, in particular, have a large number of configuration options, including basic firewall and security support. Several network device manufacturers, such as Cisco, offer certification and training programs.


The Cisco Certified Internetwork Expert (CCIE) certification is considered one of the most difficult certifications in the industry. Not only are candidates required to take multiple-choice tests similar to the Security+ exam, they're also required to demonstrate hands-on troubleshooting in a lab setting.

Several network product manufacturers are introducing preconfigured firewalls to customers. The firewalls are being referred to as appliances. The appliances, like any other computer system, will require updates and maintenance. This technology promises to make networks easier to protect: You'll be able to buy a firewall appliance that can be simply plugged in and turned on. This will allow firewall systems, which are complex, to be easily installed and maintained in smaller networks.

The two most essential operational aspects of network device hardening are ensuring that your network devices run only the protocols and services they need and that they enforce appropriate access control lists. The next two sections describe these capabilities from a security perspective.

Enabling and Disabling Services and Protocols

Many routers offer the ability to provide Dynamic Host Configuration Protocol (DHCP) services, packet filtering, service protocol configuration options, and other services for use in a network. Make sure your router is configured to allow only the protocols and services you'll need for your network. Leaving additional network services enabled may cause difficulties and can create vulnerabilities in your network. As much as possible, configure your network devices as restrictively as you can. This additional layer of security costs you nothing, and it makes it that much harder for an intruder to penetrate your system.

Working with Access Control Lists

Access control lists (ACLs) enable devices in your network to ignore requests from specified users or systems or to grant them certain network capabilities. You may find that a certain IP address is constantly scanning your network, and you can block this IP address. If you block it at the router, the IP address will automatically be rejected any time it attempts to utilize your network.

ACLs allow a stronger set of access controls to be established in your network. The basic process of ACL control allows the administrator to design and adapt the network to deal with specific security threats.
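The two ideas above, permitting only the services a host actually needs and blocking a known scanning address at the router, are easiest to reason about once you see how a first-match ACL is evaluated. The following is an added example written for this section, not code from the book or from any vendor; it is a simplified model of ACL semantics (ordered rules, first match wins, implicit deny at the end), not Cisco IOS syntax. All addresses, rule names, port lists, and the probe address are constructed for illustration.

```python
"""Toy first-match ACL evaluator (added example; not from the book).

Models what a router does with an access list: rules are checked top to
bottom, the first matching rule decides, and any packet no rule permits is
dropped by the implicit deny at the end. Every address and rule here is
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source CIDR, "0.0.0.0/0" means any
    dst: str                     # destination CIDR
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # destination port, None means any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(acl: list[Rule], pkt: Packet) -> tuple[str, Optional[int]]:
    """Return (action, index of the rule that fired); index None = implicit deny."""
    for idx, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, idx
    return "deny", None


def covers(a: Rule, b: Rule) -> bool:
    """True when rule a matches every packet that rule b would match."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.proto in ("any", b.proto)
            and a.dport in (None, b.dport))


def shadowed_rules(acl: list[Rule]) -> list[int]:
    """Indices of rules that can never fire because an earlier rule covers them.

    A deny placed after a broad permit is the classic ordering mistake; the
    scanner you meant to block is still let through.
    """
    return [j for j, later in enumerate(acl)
            if any(covers(earlier, later) for earlier in acl[:j])]


def exposed_services(acl: list[Rule], host: str, listening: list[tuple[str, int]],
                     probe_src: str = "198.18.0.1") -> list[int]:
    """Ports on `host` that an arbitrary outside address can reach through the ACL.

    Anything listening that is not in this list is both unreachable and a
    candidate for being disabled on the host itself (defense in depth).
    """
    return sorted(port for proto, port in listening
                  if evaluate(acl, Packet(probe_src, host, proto, port))[0] == "permit")


# Constructed sample: a web server, an admin network and a noisy scanner.
WEB = "192.0.2.10"
ADMIN_NET = "198.51.100.0/24"
SCANNER = "203.0.113.7/32"

INBOUND_ACL = [
    Rule("deny", SCANNER, "0.0.0.0/0"),                     # block the scanner first
    Rule("permit", "0.0.0.0/0", WEB + "/32", "tcp", 443),   # public HTTPS only
    Rule("permit", ADMIN_NET, WEB + "/32", "tcp", 22),      # SSH only from admin net
    # implicit deny: telnet, SNMP and everything else never reach the host
]

# Same intent, wrong order: the broad permit shadows the deny entirely.
MISORDERED_ACL = [
    Rule("permit", "0.0.0.0/0", "0.0.0.0/0"),
    Rule("deny", SCANNER, "0.0.0.0/0"),
]

# Services the host happens to have listening (constructed).
LISTENING = [("tcp", 22), ("tcp", 23), ("tcp", 443), ("udp", 161)]

if __name__ == "__main__":
    print(evaluate(INBOUND_ACL, Packet("203.0.113.7", WEB, "tcp", 443)))  # ('deny', 0)
    print(exposed_services(INBOUND_ACL, WEB, LISTENING))                 # [443]
    print(shadowed_rules(MISORDERED_ACL))                                # [1]
```

Running the script shows the scanner dropped by rule 0 even though it targets the permitted HTTPS port, only port 443 reachable from outside despite telnet and SNMP listening, and the deny in `MISORDERED_ACL` flagged as unreachable. Real device ACLs add wildcard masks, established-connection matching and per-interface direction, but the ordering and implicit-deny behaviour modelled here is what most ACL mistakes come down to.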
