NETWORK ENGINEERING
Remote router security checklist
Tom Lancaster 01.24.2005
Rating: 3.71 (out of 5)
Most of our network equipment these days is racked and stacked in secure raised-floor datacenters, where we don't have to worry about it that much, but we all have to contend with routers and switches in small offices. Here are a few ideas to head off common security issues:
- Put a password on the console port. This is often skipped when the device is physically inaccessible to anyone outside the network team, but remote offices are obviously vulnerable to unauthorized console port access. And if an intruder can reach that port and cycle the power, they own the box and the config, and probably your passwords as well.
- Secure the box in a wall-mount enclosure if possible. Many new devices, including Cisco's 3750 series of switches, have a wonderful button on the front that allows you to reset the config to factory default without having to go through the trouble of twiddling bits in the config-register. Nice feature for a datacenter, but you don't want to be recovering from that remotely. The only thing worse is simple theft, where they walk off with the router or switch entirely. Wall-mount enclosures (locked, of course) will also solve this problem.
- If you can't afford or find an actual enclosure, at a minimum, consider a cable lock like the kind commonly used for laptops. Many routers and switches have the little security hole those cable locks fit into. And if they don't, there's usually a vent-hole you can use in a pinch.
- Log configuration commands to a remote server. Don't trust the local log on the remote router or switch.
- Remember that a lack of physical security in remote offices makes the site much more vulnerable to sniffer or "man-in-the-middle" attacks, because the cabling is exposed. Log up/down events on the link between your router and switch in remote offices. You might even want to enable traps for these events to notify your network management system. (Although I'm not sure how useful this will really turn out to be, many new switches include Time-Domain Reflectometers (TDRs) on all ports, which may be able to detect a change in cable length indicating that someone has made unauthorized changes. When you initially implement the remote site, consider taking a survey of all the ports and recording the cable lengths. Periodically check these numbers again to see if anything has changed.)
- Disable CDP, disable any unused ports, and if there's only one switch in the office, consider disabling Spanning Tree so it can't be used to reroute traffic.
Obviously, many of these suggestions aren't appropriate for every environment. For example, don't disable CDP if you're doing PoE or voice VLANs. This should get you thinking about some special security issues you might have.
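The following IOS configuration is an added example that pulls the checklist above into one place; it is not from the original tip. It assumes a Catalyst 3750-style switch with a single uplink on Gi1/0/1, and the management-station address 192.0.2.10, the account name and the secrets are placeholders.

```cisco
! Console port: require a local account rather than no login at all
service password-encryption
username netops privilege 15 secret REPLACE-WITH-STRONG-SECRET
line console 0
 login local
 exec-timeout 5 0
!
! Send logs off-box and record every configuration command via syslog
logging host 192.0.2.10
logging trap informational
archive
 log config
  logging enable
  notify syslog
  hidekeys
!
! Trap link up/down to the management station (placeholder community string)
snmp-server host 192.0.2.10 version 2c REPLACE-WITH-COMMUNITY
snmp-server enable traps snmp linkdown linkup
!
! Router-facing uplink: log link-state changes, no CDP needed toward the router
interface GigabitEthernet1/0/1
 description uplink-to-router
 logging event link-status
 no cdp enable
!
! Unused ports stay shut down until someone is assigned to them.
! Leave CDP enabled on ports that carry IP phones or need PoE negotiation.
interface range GigabitEthernet1/0/2 - 24
 shutdown
!
! Single-switch office only: no Spanning Tree on the access VLAN
no spanning-tree vlan 1
!
! TDR survey to run from enable mode at installation and again periodically
! (compare the reported pair lengths against the recorded baseline):
! test cable-diagnostics tdr interface GigabitEthernet1/0/1
! show cable-diagnostics tdr interface GigabitEthernet1/0/1
```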
Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years' experience in the networking industry, and co-author of several books on networking, most recently CCSP™: Secure PIX and Secure VPN Study Guide, published by Sybex.