Network devices face unending dangers

Denial-of-service attacks, mirror points and false routing are just a few of the ways hackers can disrupt networks, but a Burton Group analyst explains how enterprises can thwart device danger.

SAN DIEGO -- The list of ways to exploit security holes in network devices is longer than ever, but an industry expert claims that with proper precautions, many of these potential security threats can be avoided.

Speaking at the Burton Group Catalyst Conference last week, Daniel Golding, a senior analyst with the Midvale, Utah-based firm, explained that the "smarter" a device is, the harder it is to secure. Smart devices, he said, are those that send and receive information independently across a network.

Golding said hubs are easiest to secure because they engage in minimal communication. Devices with management interfaces are a bit harder to lock down, while devices that talk to other devices for things like routing protocols and bridge loop prevention are the most difficult to secure, the analyst said.

"We have lots and lots of network devices like routers and switches that talk to each other all day long," Golding said. "If you can disrupt one, you can disrupt all of them."

Worst case scenarios

There are countless ways for malicious types to exploit security holes in network devices from inside and outside the network perimeter. The most obvious, Golding explained, is the denial-of-service attack. "By that I don't mean packeting you, I mean they can turn off your network service infrastructure."

Hackers can also cause damage by breaking into network management systems and by setting up mirror points to look at packets containing information like e-mail and financial data.

There are also more advanced maneuvers, such as the injection of false routing information in a system.

"We haven't seen too much of that yet, but as far as this equipment goes the day is still young," Golding said.

Plug and play

So what can enterprises do to protect themselves? For starters, Golding said, never trust the phrase "plug and play."

Despite what vendors claim, network devices are insecure out of the box, Golding said. Due to the nature of the manufacturing process, the security features included are generally not the most up-to-date, and are turned off by default, he said. Also, the console and auxiliary ports are often wide open for anyone to use.

To solve this problem, Golding suggested that users configure new devices according to internal security policies before putting them into service.


Another key to securing network devices is to make sure that remote access to management interfaces is properly locked down.

"Turn off telnet, right now," Golding said, adding that whenever possible, users should enable Secure Shell Version 2, the updated version of the Unix-based command interface. "Only buy new hardware that supports SSH Version 2."

Also, he recommended restricting management traffic by IP address. Firms should only allow management access from secured bastion hosts and network management systems.

Golding suggested users separate management traffic from data traffic wherever possible and ensure that proper change management and configuration control tools are used. Open source configuration monitoring tools like RANCID support almost all network devices.

Golding reminded the crowd to beware of ancillary services. Be sure to turn off every service that isn't needed, such as Internet Control Message Protocol redirects or proxy Address Resolution Protocol. Also, he said, don't use public Network Time Protocol servers.
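The hardening points above (SSH version 2 only, management access restricted by source address, ICMP redirects and proxy ARP disabled, no public NTP servers) can be checked mechanically against a device's running configuration. The script below is an added example written for this page, not a tool from the article or from Burton Group: it parses a Cisco IOS-style configuration and reports each deviation. The two configurations are constructed for illustration; the "internal address space" allow-list for NTP servers (RFC 1918 ranges) and the treatment of a vty line with no `transport input` statement as telnet-capable are assumptions made here, and the checks only cover the settings the article names.

```python
"""Audit an IOS-style configuration for the hardening points in the article.

Added example with constructed configs; the RFC 1918 allow-list for NTP and the
"no transport input means telnet allowed" rule are assumptions of this script.
"""
import ipaddress

# Assumption: NTP should only be taken from internal (RFC 1918) sources.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed "out of the box" style config: telnet on, no vty ACL, public NTP.
WEAK_CONFIG = """\
hostname edge-rtr-1
ip ssh version 1
ntp server 203.0.113.50
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
interface Loopback0
 description management
line vty 0 4
 transport input telnet ssh
"""

# Constructed hardened config applying the article's recommendations.
HARDENED_CONFIG = """\
hostname edge-rtr-1
ip ssh version 2
ntp server 10.1.1.5
access-list 10 permit 10.1.1.0 0.0.0.255
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
line vty 0 4
 access-class 10 in
 transport input ssh
"""


def parse_sections(config):
    """Split config text into (header, [sub-lines]) blocks.

    Indented lines belong to the preceding unindented line, which is how
    interface and line blocks appear in an IOS running-config.
    """
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(config):
    """Return a list of human-readable findings; empty means no deviations."""
    findings = []
    sections = parse_sections(config)
    top_level = [header for header, _ in sections]

    if "ip ssh version 2" not in top_level:
        findings.append("global: SSH version 2 not enforced")

    for header, body in sections:
        if header.startswith("ntp server"):
            addr = header.split()[2]
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:  # hostname, so not verifiably internal
                findings.append(f"ntp: server {addr!r} is not an internal IP address")
                continue
            if not any(ip in net for net in INTERNAL_NETS):
                findings.append(f"ntp: server {addr} is outside internal address space")

        elif header.startswith("interface "):
            name = header.split(maxsplit=1)[1]
            # Only routed interfaces carry these IP-layer settings.
            if not any(line.startswith("ip address") for line in body):
                continue
            if "no ip redirects" not in body:
                findings.append(f"{name}: ICMP redirects enabled")
            if "no ip proxy-arp" not in body:
                findings.append(f"{name}: proxy ARP enabled")

        elif header.startswith("line vty"):
            transports = [line for line in body if line.startswith("transport input")]
            if not transports:
                findings.append(f"{header}: no transport input restriction (telnet allowed)")
            for t in transports:
                if "telnet" in t.split() or "all" in t.split():
                    findings.append(f"{header}: telnet permitted ({t})")
            if not any(line.startswith("access-class") for line in body):
                findings.append(f"{header}: no access-class restricting management sources")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or 'no findings'}")
```

Run as-is, the weak configuration produces six findings and the hardened one none. Feeding the script a configuration pulled by a tool such as RANCID turns the article's checklist into a repeatable control rather than a one-time review.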
