SAN DIEGO -- The list of ways to exploit security holes in network devices is longer than ever, but an industry
expert claims that with proper precautions, many of these potential security threats can be avoided.
Speaking at the Burton Group Catalyst Conference last week, Daniel Golding, a senior analyst with the Midvale, Utah-based firm, explained that the "smarter" a device is, the harder it is to secure. Smart devices, he said, are those that send and receive information independently across a network.
Golding said hubs are easiest to secure because they engage in minimal communication. Devices with management interfaces are a bit harder to lock down, while devices that talk to other devices for things like routing protocols and bridge loop prevention are the most difficult to secure, the analyst said.
Worst case scenarios
There are countless ways for malicious types to exploit security holes in network devices from inside and outside the network perimeter. The most obvious, Golding explained, is the denial-of-service attack. "By that I don't mean packeting you, I mean they can turn off your network service infrastructure."
Hackers can also cause damage by breaking into network management systems and by setting up mirror points to look at packets containing information like e-mail and financial data.
There are also more advanced maneuvers, such as the injection of false routing information in a system.
"We haven't seen too much of that yet, but as far as this equipment goes the day is still young," Golding said.
Plug and play
So what can enterprises do to protect themselves? For starters, Golding said, never trust the phrase "plug and play."
Despite what vendors claim, network devices are insecure out of the box, Golding said. Due to the nature of the manufacturing process, the security features included are generally not the most up-to-date, and are turned off by default, he said. Also, the console and auxiliary ports are often wide open for anyone to use.
To solve this problem, Golding suggested that users must configure new devices according to internal security policies prior to using them.
"Turn off telnet, right now," Golding said, adding that whenever possible, users should enable Secure Shell Version 2, the updated edition Unix-based command interface. "Only buy new hardware that supports SSH Version 2."
Also, he recommended restricting management traffic by IP address. Firms should only allow management access from secured bastion hosts and network management systems.
Golding suggested users separate management traffic from data traffic wherever possible and ensure that proper change management and configuration control tools are used. Open source configuration monitoring tools like Rancidsupport almost all network devices.
Golden reminded the crowd to beware of ancillary services. Be sure to turn off every service that isn't needed, such as Internet Control Messaging Protocol redirects or proxy Address Resolution Protocol. Also, he said, don't use public Network Time Protocol servers.